hijackthis log- dialers!!

I have some questions.
How good is hijackthis in detecting dialers?
Can some expert please check my hijackthis log.
And check SPECIFICALLY for dialers...and tell me if there is one...
If there is no dialers in the "log"...
does that mean there is 0% chance there are dialers is my comp?

thanks so much!

Logfile of HijackThis v1.96.4
Scan saved at 7:16:01 AM, on 9/14/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\CTSVCCDA.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
D:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\GOLDEN~1\CDGHOS~1\MndlSvr.exe
D:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
D:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
D:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
D:\WINDOWS\essspk.exe
D:\WINDOWS\Mixer.exe
D:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
D:\Program Files\Creative\ShareDLL\CtNotify.exe
D:\Program Files\Messenger Plus! 2\MsgPlus.exe
D:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
D:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\program files\altnet\points manager\points manager.exe
D:\Program Files\Creative\ShareDLL\MediaDet.exe
D:\Program Files\Winamp3\winampa.exe
D:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
F:\Program Files\Crazy Browser\Crazy Browser.exe
D:\Documents and Settings\EJ\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://D:\WINDOWS\System32\shdoclc.dll/navcancl.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\WINDOWS\Downloaded Program Files\ycomp5_0_2_7.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8b21ea72-6b8a-4e7a-bf24-d930020ab1d7} - D:\DOCUME~1\Children\APPLIC~1\ghstfyoaa.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\WINDOWS\Downloaded Program Files\ycomp5_0_2_7.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: tbrfrfjssgl - {730b06f6-69e4-4302-a430-cd492680d5a9} - D:\DOCUME~1\Children\APPLIC~1\ghstfyoaa.dll
O4 - HKLM\..\Run: [Goldensoft_MndlSvr] d:\PROGRA~1\GOLDEN~1\CDGHOS~1\MndlSvr.exe
O4 - HKLM\..\Run: [VCDTower] d:\PROGRA~1\GOLDEN~1\CDGHOS~1\VCDTower.exe
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "D:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "D:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] D:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [Disc Detector] D:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] D:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [WebScan] D:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [Pop-Up Stopper] "D:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [P2P Networking] D:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] D:\Program Files\Kazaa251\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [WZCG] D:\WINDOWS\WZCG.exe
O4 - HKLM\..\Run: [JPWAHO] D:\WINDOWS\JPWAHO.exe
O4 - HKLM\..\Run: [winactive] D:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp3\winampa.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: BJ Status Monitor Canon i320.lnk = D:\Documents and Settings\EJ\cnmss Canon i320 (Local).exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A7F2707-66E3-42CB-BFFE-55E6869421F7}: NameServer = 203.134.64.66 203.134.65.66

remember to check SPECIFICALLY for dialers..first..

thanks very very much!

 

Hi jeelo aka jeffies,

You received excellent advise here: http://forums.techguy.org/showthread.php?s=&threadid=163183

Regards,

Pieter aka Metallica

 

How did you know...

anyway..I'm was little paranoid about those dialers..
i was just getting a sceond opinion.

thanks

 

Don't ask me why, but I recognized the log.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {8b21ea72-6b8a-4e7a-bf24-d930020ab1d7} - D:\DOCUME~1\Children\APPLIC~1\ghstfyoaa.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: tbrfrfjssgl - {730b06f6-69e4-4302-a430-cd492680d5a9} - D:\DOCUME~1\Children\APPLIC~1\ghstfyoaa.dll
O4 - HKLM\..\Run: [Pop-Up Stopper] "D:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [P2P Networking] D:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] D:\Program Files\Kazaa251\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [WZCG] D:\WINDOWS\WZCG.exe
O4 - HKLM\..\Run: [JPWAHO] D:\WINDOWS\JPWAHO.exe
O4 - HKLM\..\Run: [winactive] D:\Program Files\Window Active\winactive.exe

Then reboot and delete:
D:\Program Files\Window Active

KaZaa will keep working this way, but you can start it when you want to.
No need for kit to gobble resources and bandwith straight from boot.

Regards,

Pieter

 

ok..cool!

one more little question...pleazzee.

was there dialer/s?
I'm worried that if there was..it might have dialed out...already

 

Some versions of lop.com are/include dialers. I'm not sure about the Windows Active variant.

Some info:
http://www.safersite.com/PestInfo/l/lop.com_adware.asp
http://www.doxdesk.com/parasite/lop.html
http://www.spywareinfoforum.com/articles/lop/

Regards,

Pieter

 

hmmm..

I thought the hijackthis log shows exactly if there are dialers in my computer...

So lop.com can be dialers?
Do I have lop.com in my computer?

 

Yes, you do. That is if you still haven't followed my advise.
No other dialers in your log, anyway.

Regards,

Pieter

 

yep..I took them out already..

Is there anyway of knowing if it has dialed out?

 

It most likely didn't. I asked around for you and the Winactive variant has not been reported to be a dialer.

Regards,

Pieter

 

If u r worried about dialers get spybot S&D, it has a database of dialers it will remove. U can get it from the link in my signature.

 

and get them javacool programs(spywareguard and -blaster) to prevent this **** from ever installing... also at least kaspersky av(X-files) and trojan hunter have dialer defs in their signatures

 

Check your system to see if you have a file called dialler.exe rather than the windows dialer .exe (only one l). I had this on my system and it dialled several times before I cought it .Luckilly BT let me off the bill. But they will only block one premium rate number!! So I've disconnected my tel line and now just use Broadband.