Jooske, I have not tried to download TDS3 back into my system because I have a driver that I downloaded that needs to be removed and a dialer that insists on automatically trying to connect me upon boot up. Do you think you can give me some insight on that? Thank you.
Hi Judith, Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'. Unzip, doubleclick HijackThis.exe, and hit "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log as a .txt file, and copy and paste its contents into your next post. Most of what it lists will be harmless, so do not fix anything yet. And could you tell us what driver exactly you need removed? Regards, Pieter
Please do immediately what Pieter advises as it doesn't sound good at all! Looking forward to your posting. Try to remember where you got that dialer from. (email?) And you might like to get Port Explorer with which we can see where it is dialing to. But first of all get that hijackthis log as Pieter advised!
Logfile of HijackThis v1.97.3
Scan saved at 8:09:50 AM, on 10/28/03
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchalot.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchalot.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr/*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchalot.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchalot.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchalot.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchalot.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchalot.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchalot.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
O1 - Hosts: 64.14.40.138 www.searchscout.com
O1 - Hosts: 64.14.40.138 www.letssearch.com
O1 - Hosts: 64.14.40.138 www.searchex.com
O1 - Hosts: 64.14.40.138 srch.lop.com
O1 - Hosts: 64.14.40.138 www.searchresult.net
O1 - Hosts: 64.14.40.138 www.xupiter.com
O1 - Hosts: 64.14.40.138 runonce.msn.com
O1 - Hosts: 64.14.40.148 auto.search.msn.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra 'Tools' menuitem: Free Software Downloads (HKLM)
O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Searchalot (HKCU)
O9 - Extra button: Downloads (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37901.5594791667
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchalot.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchalot.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr/*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchalot.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchalot.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchalot.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchalot.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchalot.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
O1 - Hosts: 64.14.40.138 www.searchscout.com
O1 - Hosts: 64.14.40.138 www.letssearch.com
O1 - Hosts: 64.14.40.138 www.searchex.com
O1 - Hosts: 64.14.40.138 srch.lop.com
O1 - Hosts: 64.14.40.138 www.searchresult.net
O1 - Hosts: 64.14.40.138 www.xupiter.com
O1 - Hosts: 64.14.40.138 runonce.msn.com
O1 - Hosts: 64.14.40.148 auto.search.msn.com
O9 - Extra button: Searchalot (HKCU)
O9 - Extra button: Downloads (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com

Then reboot. No sign of a dialer though.

Regards, Pieter
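Added example, not part of the original thread or of HijackThis itself: a small triage script that groups a HijackThis log by section code, then lists hosts-file (O1) entries that pin a name to a non-loopback address and the hostnames behind the R0/R1 browser settings, which are the two groups most of the fix list above is drawn from. The function names are chosen here for illustration, and the sample is an excerpt of the log posted above.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Excerpt of the HijackThis lines posted in this thread (not a full log).
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchalot.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
O1 - Hosts: 64.14.40.138 www.xupiter.com
O1 - Hosts: 64.14.40.138 runonce.msn.com
O1 - Hosts: 64.14.40.148 auto.search.msn.com
"""
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse(log):
    """Group entry bodies by HijackThis section code (R0, R1, O1, ...)."""
    sections = defaultdict(list)
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections

def hosts_overrides(sections):
    """Map each non-loopback IP in O1 entries to the names pinned to it."""
    by_ip = defaultdict(list)
    for body in sections.get("O1", []):
        parts = body.split()
        if len(parts) < 3 or parts[0] != "Hosts:":
            continue  # not an "IP name" hosts entry
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # malformed address, leave for manual review
        if not ip.is_loopback:
            by_ip[str(ip)].extend(parts[2:])
    return dict(by_ip)

def browser_setting_hosts(sections):
    """Return {hostname: [registry value names]} for R0/R1 URL settings."""
    out = defaultdict(list)
    for code in ("R0", "R1"):
        for body in sections.get(code, []):
            key, _, url = body.partition(" = ")
            host = urlsplit(url.strip()).hostname
            if host:
                out[host].append(key.rsplit(",", 1)[-1])
    return dict(out)
```

A hosts entry takes precedence over DNS for that name, so any name mapped to a routable address is worth reviewing; the script only groups entries and does not decide which ones to fix.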
The information on the driver came from my system information checker, and I can no longer get in there. The driver name, I think, is vfwwdm32.dll, but I have searched for it and cannot locate it. The dialer was set up via a phone conversation with a young man at Earthlink, and they are now trying to promote Accelerator, so I have no idea what he had me do. My machine is probably too old for that. And I have a really strange attachment to this old computer.
MM, did you do what Pieter asked you to do, did you reboot after it and please tell if everything is now back to normal? You might like to post another hijackthis log from the current situation after the cleaning Pieter instructed.
Jooske, I just got done and ran a scandisk and defrag. It seems to have freed up my computer. I did lose my original Yahoo web page and have to key it in, and one good thing about the loss of my backup is, whatever was in control isn't any longer. I was constantly getting misdirected or stopped from web sites. I will run it again and see what happens. Thank you so much.
Logfile of HijackThis v1.97.3
Scan saved at 11:33:39 AM, on 10/28/03
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra 'Tools' menuitem: Free Software Downloads (HKLM)
O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37901.5594791667
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab

I have a good many backups in Hijacker, is that what it is supposed to do?
Hi MercyMe, Your log is clear now. How is the computer behaving? You can delete the backups HijackThis made after a while (a week or a few reboots), just to make sure nothing you needed was disabled. Regards, Pieter
Pieter, thank you, things are much better now. I only wish I could figure out what Earthlink did to my dialer. My machine shuts down better also. Much thanks.
My pleasure. Could you try and describe exactly how that dialer manifests itself? Maybe we can solve that one as well. Regards, Pieter
Hi Pieter. I was reading thru this thread. A thought here, Mercyme mentions Earthlink and Accelerator. Could she be talking about the modem/dialup connection? I tried a few internet accelerators and there is a program called Accelerator or Web Accelerator.
Hi the Tester, Could be, but I have a hard time imagining why it would be hidden and, if so, where. Can you recall where it started up from? Regards, Pieter
The dialer appears like the older one with Windows 95. It appears when I boot, and if I try to update Norton it will pop up, but I do not see it in Systray and do not have an icon for it. I only have one connection in my Network, and I set that one up myself. The one that Earthlink helped me do is the one coming up, but I had deleted the dialer in the Control Panel, under Network, hoping it would stop coming up.
Somehow my connection icon (the small two screens) disappeared from the systray after some security update and I never did bother to look somewhere at my settings to have it back there again. Might be this is the one MM means? Since I am on ADSL I don't bother being online or not. For several people I changed their settings in the browser: Internet Explorer > Tools > Options > Connection > click the standard dialup connection and set it to "NEVER dial this connection", which saves you from a popup dialer after reboot or opening IE or Outlook Express or other standard email client. Make sure to have the dialer icon on your desktop, so you can open IE or OE all quietly and do other things before you connect to the internet, which saves you if you are on dialup. This is the only thing I can imagine. If the two little blinking screens icon is not in the systray, you can click the dialer icon on the desktop and it will tell you about your connection and you can close it there just as easily. But for dialup I would prefer the blinking icons, to remind you to close it at a certain time. If this is the one and solves your problem, I hope, it has nothing to do with any trojan, it is just normal IE / connection behavior from your standard dialer to your own ISP.