HELP 1on1 hijack dialer problem compliments of Edvan Solutions

Discussion in 'adware, spyware & hijack cleaning' started by sprog, May 5, 2004.

Thread Status:
Not open for further replies.
  1. sprog

    sprog Registered Member

    Joined:
    May 5, 2004
    Posts:
    1
    I have picked up the 1on1 dialer/xxxserver whilst being connected to the net, which charges my tel. with premium rate calls, and as yet I have not been able to get rid of it. I have investigated this on the net and performed the following tasks:
    1. Cleaned my registry, searching for 1on1, uk3.exe, uk5.exe, uk7.exe, sysdaemg.exe, sysinf.exe, Svchost.exe, Isass.exe, csrss.exe (not the good MS program in system32)
    2. Checked for and deleted the same files in C:
    3. Downloaded and ran Spybot Search & Destroy
    4. Downloaded and ran Adaware
    5. Downloaded and ran HijackThis (below is the log file from this)

    Logfile of HijackThis v1.97.7
    Scan saved at 10:08:35 PM, on 5/5/04
    Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\s3hksrv.exe
    C:\WINNT\system32\Hotkey.exe
    C:\WINNT\system32\spoolss.exe
    C:\PROGRA~1\NETWOR~1\DRSOLO~1\AMGRSRVC.EXE
    C:\WINNT\system32\CPQAlert.exe
    C:\WINNT\System32\hibserv.exe
    C:\Program Files\Network Associates\Dr Solomon's VirusScan NT\MCSHIELD.EXE
    C:\PROGRA~1\NETWOR~1\DRSOLO~1\VSTSKMGR.EXE
    C:\WINNT\system32\RpcSs.exe
    C:\WINNT\system32\tapisrv.exe
    C:\WINNT\system32\rasman.exe
    C:\WINNT\System32\esserver.exe
    C:\WINNT\System32\pstores.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\SENS.EXE
    C:\WINNT\System32\nddeagnt.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\SysTray.Exe
    C:\WINNT\cpqwin\ntspd\pwricon.exe
    C:\Program Files\COMPAQ\Programmable Keys NT\CPQKL.EXE
    C:\Program Files\COMPAQ\Programmable Keys NT\cpqkt.exe
    C:\WINNT\System32\CHKADMIN.EXE
    C:\Program Files\Network Associates\Dr Solomon's VirusScan NT\SHSTAT.EXE
    C:\WINNT\System32\qttask.exe
    C:\WINNT\System32\spool\drivers\w32x86\hpztsb05.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\TEMP\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com/welcome/0,8492,,00.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)
    F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
    O1 - Hosts: 57.198.80.61 lonxsn01
    O1 - Hosts: 57.198.80.62 lonxsn02
    O1 - Hosts: 57.198.80.63 lonxsn03
    O1 - Hosts: 57.198.80.172 lonxsn06
    O1 - Hosts: 66.40.16.227 www.yahoo.org
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [PwrIcon] C:\WINNT\cpqwin\ntspd\pwricon.exe
    O4 - HKLM\..\Run: [Compaq_PK_Daemon] C:\Program Files\COMPAQ\Programmable Keys NT\CPQKL.EXE
    O4 - HKLM\..\Run: [Compaq PK Tray Notification] C:\Program Files\COMPAQ\Programmable Keys NT\cpqkt.exe
    O4 - HKLM\..\Run: [ChkAdmin] CHKADMIN.EXE
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\Dr Solomon's VirusScan NT\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [WebInstall2] C:\TEMP\ins8.tmp /R /A
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\hpztsb05.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: ICWStart.bat
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: GoHip! - http://www.gohip.com/
    O13 - WWW. Prefix: http://
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (YBIOCtrl Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4025.cab


    Please can anyone confirm what files from this log I should also delete in order to resolve my problem (and just clean up my pc).

    Thks Sprog
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi sprog,

    Before you start, please unzip HijackThis to a separate folder. The program will make backups in the folder it's in, and these easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)

    O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O4 - HKLM\..\Run: [WebInstall2] C:\TEMP\ins8.tmp /R /A

    O8 - Extra context menu item: GoHip! - http://www.gohip.com/
    O13 - WWW. Prefix: http://

    Then reboot and use DiskCleanup to empty out all your Temp files.

    Also have a look here:
    http://www.wilders.org/firewalls.htm
    and here:
    https://www.wilderssecurity.com/showthread.php?t=27971

    Regards,

    Pieter
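The entries Pieter picked out of sprog's log follow a few recognisable patterns: hooks that point at a file which no longer exists, an autostart launched from a Temp folder, a context-menu item pointing at a third-party site, and a URL prefix override. The script below is an added example written for this thread, not part of HijackThis or of either post; it parses HijackThis-style `Rn`/`Fn`/`On` lines and applies those patterns as review heuristics. It goes one step beyond the reply by also flagging hosts-file entries that override a public domain (the `www.yahoo.org` line), which nobody in the thread discussed. The sample log is an abridged copy of the one posted above; the rules and the reason strings are my assumptions, and a flag means "review this entry", not "delete it".

```python
"""Triage heuristics for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Abridged subset of the log posted in this thread (constructed sample input).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com/welcome/0,8492,,00.html
R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O1 - Hosts: 57.198.80.61 lonxsn01
O1 - Hosts: 66.40.16.227 www.yahoo.org
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\Dr Solomon's VirusScan NT\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WebInstall2] C:\TEMP\ins8.tmp /R /A
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: GoHip! - http://www.gohip.com/
O13 - WWW. Prefix: http://
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""


@dataclass
class Entry:
    section: str   # e.g. "O4"
    detail: str    # everything after "O4 - "
    raw: str       # the original line


# A HijackThis item line: section code, " - ", then the item detail.
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2})\s+-\s+(?P<detail>.*)$")
# Autostart target living in a Temp folder or being a .tmp file.
TEMP_PATH_RE = re.compile(r"\\temp\\|\.tmp\b", re.IGNORECASE)
# Hosts entries naming one of these suffixes override a public domain.
PUBLIC_SUFFIXES = (".com", ".org", ".net", ".co.uk")


def parse_log(text: str) -> List[Entry]:
    """Keep only the Rn/Fn/On item lines; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("detail"), line.strip()))
    return entries


def triage(entry: Entry) -> Optional[str]:
    """Return a review reason for a suspicious entry, or None if no rule fires."""
    d = entry.detail
    if "(no file)" in d:
        return "hook points at a file that no longer exists (orphaned); safe to remove"
    if entry.section == "O4" and TEMP_PATH_RE.search(d):
        return "autostart launched from a Temp folder or a .tmp file"
    if entry.section == "O1":
        host = d.split()[-1].lower()           # "Hosts: <ip> <name>" -> name
        if host.endswith(PUBLIC_SUFFIXES):
            return "hosts file overrides a public domain"
    if entry.section == "O8" and "http" in d.lower() and "microsoft" not in d.lower():
        return "context-menu item pointing at a third-party site"
    if entry.section == "O13":
        return "URL prefix override; verify against the expected default before fixing"
    return None


def flagged_lines(text: str) -> List[Tuple[str, str]]:
    """(raw line, reason) for every entry a rule fires on, in log order."""
    out = []
    for e in parse_log(text):
        reason = triage(e)
        if reason:
            out.append((e.raw, reason))
    return out


if __name__ == "__main__":
    for raw, reason in flagged_lines(SAMPLE_LOG):
        print(f"{reason}\n    {raw}")
```

Running it prints six entries: the five Pieter listed plus the `www.yahoo.org` hosts line. Benign items such as the VirusScan and QuickTime autostarts, the Flash ActiveX download and the internal `lonxsn01` hosts names are left alone.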
     