hijacked and Ghost dialer

Discussion in 'adware, spyware & hijack cleaning' started by gallan, Mar 14, 2004.

Thread Status:
Not open for further replies.
  1. gallan (Registered Member; joined Mar 14, 2004; posts: 3)

    Greetings.

    Ad-Aware and Spybot removed a large number of vermin, but the following problems (1 and 2) persist.
    #3 (ghost dialer) was an intermittent event, so it remains to be seen if it has been eliminated.......and no longer appears to be a factor.


    PROBLEMS:

    1) Hijacked browser (that can't be corrected via a simple Internet Options correction) SEE R1 to R3. C:\WINDOWS\secure.html is the problem still lurking (as homepage address), but their page NO LONGER pops up. However, the home page is blank despite Google being listed/shown as the official homepage.

    2) Postage-stamp-size "window" whenever a new window is opened on the desktop, but it can easily be enlarged to conventional size. This is the SAME problem that developed last time I had my browser dislodged.

    3) Ghost Dialer (EPS systems dialer maker) was spotted by Ad-Aware and/or Spybot. I also removed a strange/bogus entry (Internet Options/Connections/Dial-up) that appears to have solved the problem of a random dialer that would dial "00" at any time.

    4) DLL-missing warning box every time I boot up, but I haven't noticed any negative impact from whatever is gone.



    I've printed out the tutorial on HijackThis and anxiously await input. What is the best preventative method against hijacking, other than being extremely cautious about where you surf?

    FOR NOVICES: I fell for a bogus "Norton virus detection warning" that is undoubtedly responsible for some of these problems. A millisecond after authorizing corrective action I saw the brief flash of a surreptitious download.


    In the event anyone has the spare time to send* (or post) a tutorial on how to reformat this drive (or a link to an informative site) I would be most appreciative. That is a project/task I have been contemplating since 1998, but I always end up going to the shop. W98SE. This was just done a month ago and already I have a corrupted file that wants my wizard to install some ghost FireWire, which locks up the box. The same problem surfaced before the recent reformat, so maybe this Gigabyte motherboard isn't totally compatible with W98.

    Thank you.



    LOG

    Logfile of HijackThis v1.97.7
    Scan saved at 6:30:44 PM, on 3/14/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\IOMEGA\AUTODISK\ADSERVICE.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\IOMEGA\AUTODISK\ADUSERMON.EXE
    C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\SMARTDISK\FLASH MEDIA READER\SHWICON.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
    C:\WINDOWS\SYSTEM\HPZTSB04.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SZCHOST.EXE
    C:\WINDOWS\DL.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\HPZSTATX.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS1977\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.smartdisk.com/EmailSignUp.asp
    R3 - Default URLSearchHook is missing
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [ShowIcon_SmartDisk Corporation_SmartDisk Flash Media Reader Support 2.1] "C:\Program Files\SmartDisk\Flash Media Reader\shwicon.exe" -t"SmartDisk Corporation\SmartDisk Flash Media Reader Support 2.1"
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Zone system] C:\WINDOWS\szchost.exe
    O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
    O4 - HKLM\..\Run: [bbkpjyfg] C:\WINDOWS\SYSTEM\kiisvgvl.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ADService] C:\Program Files\Iomega\AutoDisk\ADService.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38060.307337963



    removed email addy to hide it from harvesters and email bots- snowbound
     
  2. gallan (Registered Member; joined Mar 14, 2004; posts: 3)

    Follow-up on the ghost dialer........IT IS STILL HERE, much to my surprise.

    If I am online it will disconnect my ISP line and dial out to the operator. If I am offline it can dial out at any time, so I must keep the phone jack out.

    "Connector Object" appears in the task bar whenever it starts up. EPS systems dialer maker WAS removed by Spybot or Ad-Aware.
     
  3. snowbound (Retired Moderator; joined Feb 18, 2003; posts: 8,723; location: The Big Smoke)

    Hi gallan :)

    Welcome to Wilders.

    First I removed your email addy to protect it from harvesters and email bots. ;)

    Also, please put HijackThis in its own folder. Where you have it now (desktop) is not advisable.


    I am not an expert, but I know you can fix the following entries.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

    R3 - Default URLSearchHook is missing

    Then reboot and delete:
    C:\WINDOWS\secure.html

    This should take care of your #1 problem.

    Also, I see you have SpyKiller installed. IMHO this is a very questionable app.

    See this link:

    http://cybercoyote.org/security/spyware.htm

    If you want to uninstall it, here is how:

    http://mycusthelp.com/SPYKILLER/supportkbitem.asp?sSessionID=&Inc=9&sFilA=Categories&sFilB=&sFilC=&FA=-1&FB=-1&FC=-1

    There could be more entries to fix, so make sure you refer back to this thread for further recommendations from the experts.

    Thanks.


    snowbound
     
  4. Primrose (Registered Member; joined Sep 21, 2002; posts: 2,743)

    You will have to get rid of these items if you want to stop that dialer:


    C:\WINDOWS\SZCHOST.EXE
    C:\WINDOWS\DL.EXE


    O4 - HKLM\..\Run: [Zone system] C:\WINDOWS\szchost.exe
    O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe



    But you have lots more junk on that PC.

    I will see if someone can look at your entire log.
     
  5. LoPhatPhuud (Spyware Fighter; joined Jul 19, 2003; posts: 45; location: Albuquerque, NM)

    OK, just one other entry was missed, so to make it easier, here are all the items to fix.

    Check the following items in HijackThis.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.smartdisk.com/EmailSignUp.asp
    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [Zone system] C:\WINDOWS\szchost.exe
    O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
    O4 - HKLM\..\Run: [bbkpjyfg] C:\WINDOWS\SYSTEM\kiisvgvl.exe


    Close all windows except HijackThis and click Fix checked.

    Reboot into safe mode and delete the following: **
    C:\WINDOWS\szchost.exe
    C:\WINDOWS\dl.exe
    C:\WINDOWS\SYSTEM\kiisvgvl.exe

    **Show hidden files/folders as per the instructions here http://www.tacktech.com/display.cfm?ttid=190

    Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

    Reboot.

    Post another HijackThis log in this thread for final review.

    Also, you are missing several Critical updates to Internet Explorer. Please go to Windows Update and bring your system current with all missing Critical Updates.
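The three replies above apply the same triage by eye: an IE start page or default page pointing at a local file (C:\WINDOWS\secure.html), a missing URLSearchHook, an unnamed BHO loaded from outside Program Files, and Run entries whose image sits in C:\WINDOWS or C:\WINDOWS\SYSTEM under a name that is either unknown or a look-alike of a real system binary (szchost vs svchost). The script below is an added example, not code from the thread or from HijackThis, and it runs on the analyst's machine, not on the infected Win98 box. It parses a constructed subset of gallan's log and produces the same two lists the helpers produce: entries to "Fix checked" in HijackThis, then files to delete in safe mode. The allowlist of benign system-directory images and the look-alike name list are assumptions built from the benign O4 lines in the posted log; a real allowlist would come from a known-clean install.

```python
"""Offline triage of a HijackThis log: flag the entry classes this thread fixes."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: eleven lines lifted from the log posted above, benign
# entries included for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.smartdisk.com/EmailSignUp.asp
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Zone system] C:\WINDOWS\szchost.exe
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\Run: [bbkpjyfg] C:\WINDOWS\SYSTEM\kiisvgvl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Assumption: images that legitimately run from a system directory on this box,
# taken from the benign O4 lines in the posted log.
KNOWN_GOOD = {"scanregw", "taskmon", "systray", "rundll32", "soundman", "hpztsb04", "stimon"}
# Assumption: genuine binary names that malware imitates with one-letter changes.
SYSTEM_NAMES = {"svchost", "explorer", "rundll32", "systray", "taskmon", "winlogon"}
SYSTEM_DIRS = {r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM"}


@dataclass
class Finding:
    line: str
    reason: str
    image: str = ""  # file to delete once the registry entry is gone


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike names such as szchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(cmd):
    """Return the executable path from an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage(log):
    findings = []
    for line in (l.strip() for l in log.splitlines()):
        if not line:
            continue
        m = re.match(r"^R[01] - (.+?) = (.*)$", line)
        if m:
            key, value = m.groups()
            if re.match(r"^[A-Za-z]:\\", value):
                findings.append(Finding(line, "IE start/default page points at a local file"))
            elif "Shellnext" in key:
                findings.append(Finding(line, "Connection Wizard leftover; safe to clear"))
            continue
        if line.startswith("R3 - ") and "missing" in line:
            findings.append(Finding(line, "URLSearchHook removed; let HijackThis restore the default"))
            continue
        m = re.match(r"^O2 - BHO: (.+?) - \{[^}]+\} - (.*)$", line)
        if m:
            name, path = m.groups()
            if name == "(no name)" and not path.lower().startswith(r"c:\program files"):
                findings.append(Finding(line, "unnamed BHO loaded from outside Program Files", path))
            continue
        m = re.match(r"^O4 - .+?: \[(.*?)\] (.*)$", line)
        if m:
            path = image_path(m.group(2))
            stem = ntpath.splitext(ntpath.basename(path))[0].lower()
            if ntpath.dirname(path).upper() in SYSTEM_DIRS and stem not in KNOWN_GOOD:
                findings.append(Finding(line, f"unknown image '{stem}' started from a system directory", path))
            for real in SYSTEM_NAMES:
                if stem != real and edit_distance(stem, real) == 1:
                    findings.append(Finding(line, f"name '{stem}' mimics system binary '{real}'", path))
    return findings


def fix_plan(findings):
    """Group findings the way the thread does: entries to Fix checked, then files to delete."""
    entries, files = [], []
    for f in findings:
        if f.line not in entries:
            entries.append(f.line)
        if f.image and f.image not in files:
            files.append(f.image)
    return {"fix_in_hijackthis": entries, "delete_files": files}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason}\n    {f.line}")
    print(fix_plan(found))
```

On the sample the script flags exactly the entries LoPhatPhuud lists and nothing else: the Google toolbar BHO is unnamed but lives under Program Files, ScanRegistry is a known Win98 image, and ccApp runs from Program Files. The Shellnext rule is a cruft rule rather than a malware rule, which is also how the thread treats it. Everything here is a heuristic over path and name; the authoritative step is still deleting the files in safe mode and re-posting the log.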
     