hijackthis log- dialers!!

Discussion in 'malware problems & news' started by jeelo, Sep 14, 2003.

Thread Status:
Not open for further replies.
  1. jeelo

    jeelo Guest

    I have some questions.
    How good is hijackthis in detecting dialers?
    Can some expert please check my hijackthis log.
    And check SPECIFICALLY for dialers...and tell me if there is one...
    If there are no dialers in the "log"...
    does that mean there is a 0% chance there are dialers in my comp?

    thanks so much!

    Logfile of HijackThis v1.96.4
    Scan saved at 7:16:01 AM, on 9/14/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\System32\CTSVCCDA.EXE
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    D:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    D:\WINDOWS\Explorer.EXE
    D:\PROGRA~1\GOLDEN~1\CDGHOS~1\MndlSvr.exe
    D:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    D:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    D:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    D:\WINDOWS\essspk.exe
    D:\WINDOWS\Mixer.exe
    D:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
    D:\Program Files\Creative\ShareDLL\CtNotify.exe
    D:\Program Files\Messenger Plus! 2\MsgPlus.exe
    D:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
    D:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\program files\altnet\points manager\points manager.exe
    D:\Program Files\Creative\ShareDLL\MediaDet.exe
    D:\Program Files\Winamp3\winampa.exe
    D:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
    F:\Program Files\Crazy Browser\Crazy Browser.exe
    D:\Documents and Settings\EJ\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://D:\WINDOWS\System32\shdoclc.dll/navcancl.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\WINDOWS\Downloaded Program Files\ycomp5_0_2_7.dll
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {8b21ea72-6b8a-4e7a-bf24-d930020ab1d7} - D:\DOCUME~1\Children\APPLIC~1\ghstfyoaa.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\WINDOWS\Downloaded Program Files\ycomp5_0_2_7.dll
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: tbrfrfjssgl - {730b06f6-69e4-4302-a430-cd492680d5a9} - D:\DOCUME~1\Children\APPLIC~1\ghstfyoaa.dll
    O4 - HKLM\..\Run: [Goldensoft_MndlSvr] d:\PROGRA~1\GOLDEN~1\CDGHOS~1\MndlSvr.exe
    O4 - HKLM\..\Run: [VCDTower] d:\PROGRA~1\GOLDEN~1\CDGHOS~1\VCDTower.exe
    O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "D:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "D:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Creative WebCam Tray] D:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
    O4 - HKLM\..\Run: [Disc Detector] D:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [Mirabilis ICQ] D:\Program Files\ICQ\NDetect.exe
    O4 - HKLM\..\Run: [WebScan] D:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
    O4 - HKLM\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [Pop-Up Stopper] "D:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
    O4 - HKLM\..\Run: [P2P Networking] D:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [KAZAA] D:\Program Files\Kazaa251\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [WZCG] D:\WINDOWS\WZCG.exe
    O4 - HKLM\..\Run: [JPWAHO] D:\WINDOWS\JPWAHO.exe
    O4 - HKLM\..\Run: [winactive] D:\Program Files\Window Active\winactive.exe
    O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp3\winampa.exe"
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: BJ Status Monitor Canon i320.lnk = D:\Documents and Settings\EJ\cnmss Canon i320 (Local).exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0A7F2707-66E3-42CB-BFFE-55E6869421F7}: NameServer = 203.134.64.66 203.134.65.66

    remember to check SPECIFICALLY for dialers..first..

    thanks very very much!
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi jeelo aka jeffies,

    You received excellent advice here: http://forums.techguy.org/showthread.php?s=&threadid=163183

    Regards,

    Pieter aka Metallica
     
  3. jeelo

    jeelo Guest

    How did you know...o_O :D

    anyway..I was a little paranoid about those dialers..
    i was just getting a second opinion.

    thanks
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Don't ask me why, but I recognized the log. ;)

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {8b21ea72-6b8a-4e7a-bf24-d930020ab1d7} - D:\DOCUME~1\Children\APPLIC~1\ghstfyoaa.dll
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: tbrfrfjssgl - {730b06f6-69e4-4302-a430-cd492680d5a9} - D:\DOCUME~1\Children\APPLIC~1\ghstfyoaa.dll
    O4 - HKLM\..\Run: [Pop-Up Stopper] "D:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
    O4 - HKLM\..\Run: [P2P Networking] D:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [KAZAA] D:\Program Files\Kazaa251\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [WZCG] D:\WINDOWS\WZCG.exe
    O4 - HKLM\..\Run: [JPWAHO] D:\WINDOWS\JPWAHO.exe
    O4 - HKLM\..\Run: [winactive] D:\Program Files\Window Active\winactive.exe

    Then reboot and delete:
    D:\Program Files\Window Active

    KaZaa will keep working this way, but you can start it when you want to.
    No need for it to gobble resources and bandwidth straight from boot.

    Regards,

    Pieter
     
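As an added example (not code from the thread, and not part of HijackThis itself), the script below parses the log format shown in the first post into structured entries and applies a few review heuristics to them. The heuristics are my own assumptions, marked in the code, and the sample input is a constructed excerpt of lines copied from jeelo's log. Run against that excerpt, it flags the mysearchnow.com search bar and both ghstfyoaa.dll entries from Pieter's fix list, but it also flags SiSUSBrg.exe, a vendor utility, which is exactly why a log like this still needs a human reviewer.

```python
"""Parse a HijackThis log and list entries that deserve a closer look.

Added example for this thread. The line format is the one visible in the
posted log; the review rules below are assumptions of mine, not a malware
verdict and not anything HijackThis itself does.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.96.4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://D:\WINDOWS\System32\shdoclc.dll/navcancl.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8b21ea72-6b8a-4e7a-bf24-d930020ab1d7} - D:\DOCUME~1\Children\APPLIC~1\ghstfyoaa.dll
O3 - Toolbar: tbrfrfjssgl - {730b06f6-69e4-4302-a430-cd492680d5a9} - D:\DOCUME~1\Children\APPLIC~1\ghstfyoaa.dll
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [WZCG] D:\WINDOWS\WZCG.exe
O4 - HKLM\..\Run: [JPWAHO] D:\WINDOWS\JPWAHO.exe
O4 - HKLM\..\Run: [winactive] D:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A7F2707-66E3-42CB-BFFE-55E6869421F7}: NameServer = 203.134.64.66 203.134.65.66
"""

ENTRY_RE = re.compile(r"^(?P<section>R[0-3]|F\d|O\d+)\s+-\s+(?P<detail>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx)", re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
WIN_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)

# Assumption: hosts a stock IE start/search page may legitimately point at.
TRUSTED_HOSTS = ("microsoft.com", "msn.com")
# Assumption: a BHO or toolbar living under a user profile is unusual.
PROFILE_MARKERS = ("\\applic~1\\", "\\application data\\", "\\local settings\\temp\\")


@dataclass
class Entry:
    section: str   # HijackThis section code, e.g. "O4"
    detail: str    # everything after "Oxx - "


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_log(text):
    """Turn the log into Entry records, ignoring header and process lines."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("detail")))
    return entries


def first_path(detail):
    m = PATH_RE.search(detail)
    return m.group(0) if m else None


def review_entry(e):
    """Return a Finding if an assumed review rule matches, else None."""
    line = f"{e.section} - {e.detail}"
    if e.section in ("R0", "R1"):
        m = URL_RE.search(e.detail)
        if m:
            host = m.group(1).lower()
            if not any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS):
                return Finding(e.section, f"start/search page points at third-party host {host}", line)
        return None
    path = first_path(e.detail)
    if e.section in ("O2", "O3") and path:
        if any(mark in path.lower() for mark in PROFILE_MARKERS):
            return Finding(e.section, "browser add-on loaded from a user profile folder", line)
        return None
    if e.section == "O4" and path and WIN_ROOT_RE.match(path):
        # Coarse rule: also catches legitimate vendor files, so this is a review item.
        return Finding(e.section, "autorun executable sits directly in the Windows directory", line)
    if e.section == "O17":
        servers = e.detail.split("NameServer = ", 1)[-1]
        return Finding(e.section, f"verify DNS servers {servers} belong to the ISP", line)
    return None


def review_log(text):
    return [f for f in (review_entry(e) for e in parse_log(text)) if f]


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The output is a review list, not a removal list: an entry such as the KAZAA autorun that Pieter includes for resource reasons is not flagged, and SiSUSBrg.exe is flagged although it is a legitimate driver utility, so the findings are meant to direct attention rather than replace the judgement of someone who knows the files.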
  5. jeelo

    jeelo Guest

    ok..cool! :rolleyes:

    one more little question...pleazzee.

    was there dialer/s?
    I'm worried that if there was..it might have dialed out...already o_O o_O
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Some versions of lop.com are/include dialers. I'm not sure about the Windows Active variant.

    Some info:
    http://www.safersite.com/PestInfo/l/lop.com_adware.asp
    http://www.doxdesk.com/parasite/lop.html
    http://www.spywareinfoforum.com/articles/lop/

    Regards,

    Pieter
     
  7. jeelo

    jeelo Guest

    hmmm..

    I thought the hijackthis log shows exactly if there are dialers in my computer... o_O

    So lop.com can be dialers?
    Do I have lop.com in my computer? :'(
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Yes, you do. That is if you still haven't followed my advice.
    No other dialers in your log, anyway.

    Regards,

    Pieter
     
  9. jeelo

    jeelo Guest

    yep..I took them out already.. :D

    Is there anyway of knowing if it has dialed out?
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    It most likely didn't. I asked around for you and the Winactive variant has not been reported to be a dialer.

    Regards,

    Pieter
     
  11. BWMerlin

    BWMerlin Registered Member

    Joined:
    Aug 11, 2003
    Posts:
    71
    If you are worried about dialers get Spybot S&D; it has a database of dialers it will remove. You can get it from the link in my signature.
     
  12. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    and get those JavaCool programs (SpywareGuard and SpywareBlaster) to prevent this **** from ever installing... also at least Kaspersky AV (X-files) and TrojanHunter have dialer defs in their signatures
     
  13. Silver_lexus

    Silver_lexus Guest

    Check your system to see if you have a file called dialler.exe rather than the Windows dialer.exe (only one l). I had this on my system and it dialled several times before I caught it. Luckily BT let me off the bill. But they will only block one premium rate number!! So I've disconnected my tel line and now just use broadband.
     