HELP 1on1 highjack dialer problem complements of Edvan Solutions

Discussion in 'adware, spyware & hijack cleaning' started by sprog, May 5, 2004.

Thread Status:
Not open for further replies.
  1. sprog

    sprog Registered Member

    Joined:
    May 5, 2004
    Posts:
    1
    I have picked up the 1on1 dailer/xxxserver whilst being connected to the net which charges my tel. with premium rate calls and as yet I have not been able to get rid of it. I have investigated this on the net and performed the following tasks:
    1. Cleaned my registry, searching for 1on1, uk3.exe, uk5.exe, uk7.exe sysdaemg.exe, sysinf.exe, Svchost.exe, Isass.exe, csrss.exe (not the good ms program in system32)
    2. Checked and deleted same files in c:
    3. Downloaded and run Spybot Search & Destroy
    4. Downloaded and run Adaware
    5. Download and run Hijackthis (below is the Log file from this)

    Logfile of HijackThis v1.97.7
    Scan saved at 10:08:35 PM, on 5/5/04
    Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\s3hksrv.exe
    C:\WINNT\system32\Hotkey.exe
    C:\WINNT\system32\spoolss.exe
    C:\PROGRA~1\NETWOR~1\DRSOLO~1\AMGRSRVC.EXE
    C:\WINNT\system32\CPQAlert.exe
    C:\WINNT\System32\hibserv.exe
    C:\Program Files\Network Associates\Dr Solomon's VirusScan NT\MCSHIELD.EXE
    C:\PROGRA~1\NETWOR~1\DRSOLO~1\VSTSKMGR.EXE
    C:\WINNT\system32\RpcSs.exe
    C:\WINNT\system32\tapisrv.exe
    C:\WINNT\system32\rasman.exe
    C:\WINNT\System32\esserver.exe
    C:\WINNT\System32\pstores.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\SENS.EXE
    C:\WINNT\System32\nddeagnt.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\SysTray.Exe
    C:\WINNT\cpqwin\ntspd\pwricon.exe
    C:\Program Files\COMPAQ\Programmable Keys NT\CPQKL.EXE
    C:\Program Files\COMPAQ\Programmable Keys NT\cpqkt.exe
    C:\WINNT\System32\CHKADMIN.EXE
    C:\Program Files\Network Associates\Dr Solomon's VirusScan NT\SHSTAT.EXE
    C:\WINNT\System32\qttask.exe
    C:\WINNT\System32\spool\drivers\w32x86\hpztsb05.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\TEMP\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com/welcome/0,8492,,00.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)
    F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
    O1 - Hosts: 57.198.80.61 lonxsn01
    O1 - Hosts: 57.198.80.62 lonxsn02
    O1 - Hosts: 57.198.80.63 lonxsn03
    O1 - Hosts: 57.198.80.172 lonxsn06
    O1 - Hosts: 66.40.16.227 www.yahoo.org
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [PwrIcon] C:\WINNT\cpqwin\ntspd\pwricon.exe
    O4 - HKLM\..\Run: [Compaq_PK_Daemon] C:\Program Files\COMPAQ\Programmable Keys NT\CPQKL.EXE
    O4 - HKLM\..\Run: [Compaq PK Tray Notification] C:\Program Files\COMPAQ\Programmable Keys NT\cpqkt.exe
    O4 - HKLM\..\Run: [ChkAdmin] CHKADMIN.EXE
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\Dr Solomon's VirusScan NT\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [WebInstall2] C:\TEMP\ins8.tmp /R /A
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\hpztsb05.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: ICWStart.bat
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: GoHip! - http://www.gohip.com/
    O13 - WWW. Prefix: http://
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (YBIOCtrl Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4025.cab


    Please can anyone confirm what files from this log I should also delete in order to resolve my problem (and just clean up my pc).

    Thks Sprog
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,439
    Location:
    Netherlands
    Hi sprog,

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)

    O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O4 - HKLM\..\Run: [WebInstall2] C:\TEMP\ins8.tmp /R /A

    O8 - Extra context menu item: GoHip! - http://www.gohip.com/
    O13 - WWW. Prefix: http://

    Then reboot and use DiskCleanup to empty out all your Temp files.

    Also have a look here:
    http://www.wilders.org/firewalls.htm
    and here:
    https://www.wilderssecurity.com/showthread.php?t=27971

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.