Global Dialer - Hijack This log

Discussion in 'adware, spyware & hijack cleaning' started by Zidane, Dec 7, 2003.

Thread Status:
Not open for further replies.
  1. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    My sister's stupid BF was surfing and now there is Global Dialer on my comp... I removed it from the programs on my computer, ran Ad-Aware and cleaned what AA had found, and now Step 2 :)

    Hijack This log:

    Logfile of HijackThis v1.97.7
    Scan saved at 22:52:45, on 7.12.2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Čisticí programy\MRU-Blaster\scheduler.exe
    C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
    C:\Program Files\Overnet\overnet.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\ICQ\icq.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\ABC~1.ABC\LOCALS~1\Temp\Rar$EX00.864\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Mrkvosoft Infernet Exprdel
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.clnet.cz:3128
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.idgsearch.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.idgsearch.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
    O1 - Hosts: 69.56.223.196 t.rack.cc
    O1 - Hosts: 69.56.223.196 www.alfa-search.com
    O1 - Hosts: 69.56.223.196 webcoolsearch.com
    O1 - Hosts: 69.56.223.196 in.webcounter.cc
    O1 - Hosts: 69.56.223.196 i-lookup.com
    O1 - Hosts: 69.56.223.196 www.hand-book.com
    O1 - Hosts: 69.56.223.196 www.maxxxhosters.com
    O1 - Hosts: 69.56.223.196 allneedsearch.com
    O1 - Hosts: 69.56.223.196 nativehardcore.com
    O1 - Hosts: 69.56.223.196 teen-biz.com
    O1 - Hosts: 69.56.223.196 tits.hardcore4ever.net
    O1 - Hosts: 69.56.223.196 best.royalsearch.net
    O1 - Hosts: 69.56.223.196 default-homepage-network.com
    O1 - Hosts: 69.56.223.196 xwebsearch.biz
    O1 - Hosts: 69.56.223.196 www.rightfinder.net
    O1 - Hosts: 69.56.223.196 www.search-1.net
    O1 - Hosts: 69.56.223.196 www.searchv.com
    O1 - Hosts: 69.56.223.196 www.websearch.com
    O1 - Hosts: 69.56.223.196 mysearchnow.com
    O1 - Hosts: 69.56.223.196 www.therealsearch.com
    O1 - Hosts: 69.56.223.196 www.find-itnow.com
    O1 - Hosts: 69.56.223.196 find.microgirls.com
    O1 - Hosts: 69.56.223.196 super-spider.com
    O1 - Hosts: 69.56.223.196 www.searching-the-net.com
    O1 - Hosts: 69.56.223.196 www.firstbookmark.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
    O2 - BHO: Microsoft Excel - {17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972} - C:\DOCUME~1\ABC~1.ABC\DATAAP~1\MICROS~1\Office\Excel10.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Mouse Tachometer] C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe --hide
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\Overnet.exe -t
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Čisticí programy\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\tonex00170\svchost.exe -remove
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\Čisticí programy\MRU-Blaster\indexcleaner.exe -CC
    O4 - Startup: MRU-Blaster Scheduler.lnk = ?
    O4 - Startup: MRU-Blaster Silent Clean.lnk = ?
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Avaya Wireless Client Manager.lnk = C:\Program Files\Avaya_Wireless\Client Manager\CmAVA.exe
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O15 - Trusted Zone: *.teensguru.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.5471875
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11


    I think I need to remove:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.idgsearch.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.idgsearch.com/

    All O1s

    The weird thing is O2 - BHO: Microsoft Excel - {17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972} - C:\DOCUME~1\ABC~1.ABC\DATAAP~1\MICROS~1\Office\Excel10.dll - what is this about? I have Excel on my comp, but this was never in the log before... I smell something fishy here :rolleyes:

    I think I have to remove too:
    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\tonex00170\svchost.exe -remove
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O15 - Trusted Zone: *.teensguru.com

    That is what I think has to be removed. Could anybody check the log and tell me if I was right, if I have to remove something else, or if I had "too big eyes" and something from the things I selected to remove is good and doesn't need to be removed?

    Thanks for your help :)
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Zidane,

    Download, unzip and run: http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip
    That will take care of the idgsearch hijack including the hosts file hijack.

    Then check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\tonex00170\svchost.exe -remove
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O15 - Trusted Zone: *.teensguru.com

    Then reboot and delete:
    c:\program files\GlobalDialer <= entire folder

    And you should go out and get the latest updates for IE.

    Regards,

    Pieter
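An added example (not from the thread, and not code from HijackThis or CWShredder): the checks Pieter applies by eye above, written as a small triage script over HJT log lines. It flags a cluster of O1 Hosts entries pointing at one non-loopback IP, an O4 Run key that launches a binary named like a Windows system process (here svchost.exe) from outside the Windows directory, any O15 Trusted Zone entry, an O6 IE policy restriction, and the R1 "Start Page_bak" keys the hijacker left behind. It also shows the manual Hosts cleanup step as a function. The sample lines are copied from the log posted above; the process-name list, the cluster threshold and all function names are this example's own assumptions.

```python
"""Triage heuristics for a HijackThis (HJT) log.

Added example, not part of the original thread or of HijackThis itself.
Sample log lines are taken from the log posted in this thread; the thresholds
and name lists below are illustrative assumptions, not HJT rules.
"""
import re
from collections import defaultdict

# Matches item lines such as "O4 - HKCU\..\Run: [sws.exe] c:\...\svchost.exe -remove".
LINE_RE = re.compile(r"^(?P<sect>[RO]\d{1,2}) - (?P<rest>.*)$")

# Names a dialer borrows to blend in (assumption: short illustrative list).
SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "smss.exe", "winlogon.exe", "services.exe"}
WINDOWS_DIRS = ("c:\\windows\\", "%systemroot%")
HOSTS_CLUSTER_MIN = 3  # assumption: this many names on one IP is a hijack pattern


def parse(log_text):
    """Yield (section, rest) for every HJT item line; skip process lists and headers."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sect"), m.group("rest")


def triage(log_text):
    """Return (section, reason, detail) findings in log order; Hosts clusters last."""
    findings = []
    hosts_by_ip = defaultdict(list)
    for sect, rest in parse(log_text):
        if sect == "O1":
            m = re.match(r"Hosts: (\S+) (\S+)", rest)
            if m and not m.group(1).startswith("127."):
                hosts_by_ip[m.group(1)].append(m.group(2))
        elif sect == "O4":
            m = re.search(r"\[(?P<name>[^\]]+)\] \"?(?P<path>[^\"]+?\.exe)", rest, re.I)
            if m:
                path = m.group("path").strip().lower()
                exe = path.rsplit("\\", 1)[-1]
                if exe in SYSTEM_PROCESS_NAMES and not path.startswith(WINDOWS_DIRS):
                    findings.append((sect, "system-process name outside Windows dir", rest))
        elif sect == "O15":
            findings.append((sect, "trusted zone entry", rest))
        elif sect == "O6":
            findings.append((sect, "IE policy restriction present", rest))
        elif sect == "R1" and "Start Page_bak" in rest:
            findings.append((sect, "hijacker's backup of start page", rest))
    for ip, names in hosts_by_ip.items():
        if len(names) >= HOSTS_CLUSTER_MIN:
            findings.append(("O1", f"{len(names)} Hosts names resolve to {ip}", ip))
    return findings


def clean_hosts(hosts_text, bad_ips):
    """Return Hosts-file text with every mapping to a flagged IP dropped; comments kept."""
    kept = []
    for line in hosts_text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#") and parts[0] in bad_ips:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


# Lines copied from the log posted in this thread (subset).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.idgsearch.com/
O1 - Hosts: 69.56.223.196 t.rack.cc
O1 - Hosts: 69.56.223.196 www.alfa-search.com
O1 - Hosts: 69.56.223.196 webcoolsearch.com
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\tonex00170\svchost.exe -remove
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.teensguru.com
"""

# Constructed Hosts file for the cleanup step (not the poster's real file).
SAMPLE_HOSTS = "127.0.0.1 localhost\n69.56.223.196 t.rack.cc\n# comment\n69.56.223.196 i-lookup.com\n"

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for sect, reason, detail in found:
        print(f"{sect}: {reason} -> {detail}")
    bad = {detail for sect, _, detail in found if sect == "O1"}
    print(clean_hosts(SAMPLE_HOSTS, bad))
```

The O4 rule is the one worth keeping in mind: the log's own process list shows the real svchost.exe under C:\WINDOWS\System32, and the dialer's copy only stands out because of its path, not its name. The Hosts rule deliberately ignores 127.0.0.1 mappings, since blocklist-style Hosts files legitimately point many names at loopback.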
     
  3. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    I did as you advised me, all is OK except that CWS didn't delete the O1 - Hosts entries, I had to delete them manually - I thought they would be deleted after running CWS, but no - the O1s were still there... but they are deleted now, I will try to reboot and see what happens :)

    Thanks for your advice ;)

    And I knew that the O2 - BHO - ... "Excel10.dll" was something fishy - I was not using Excel at the time and it was never in the HJT log before - and after running CWS it is gone too :)

    Thanks :) *THUMBS UP*
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Good for you. The Excel10.dll is indeed a CWS file, so you were right on the mark there. :)
    I thought the Hosts entries would be removed as well. Will have to remember to check that. Thanks.

    Regards,

    Pieter
     