Hi, I've been having trouble getting rid of the 1on1 dialler/XXXServer which seems to have installed itself on my PC. Having read advice on another forum I have downloaded and run Ad-aware and Spybot S&D. Here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 13:38:21, on 09/06/04
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\MSREXE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\TEXTBRIDGE PLUS\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\FREESERVE\FREESERVECONNECTIONKIT\ATDIALLER1.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRUN4.EXE
C:\ESM2\STMS.EXE
C:\TBRIDGE\FLATBED.EXE
C:\ESM2\EBRR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\PROFILES\TOYNE\MY DOCUMENTS\INTERNETSECURITY\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
F1 - win.ini: load=c:\windows\system\system.exe
F1 - win.ini: run=MSREXE.exe
O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBAR\FSBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~2\tips\mouse\tips.exe
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Virgin Net User Check] C:\PROGRA~1\INTERN~1\CONNEC~2\vnet\runvnet.exe /c
O4 - HKLM\..\Run: [Intercent] C:\PROGRAM FILES\FINIWARE\INTERCENT 98\INTERCENT.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [WinLoader] MSREXE.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MicroDialler] C:\Freeserve\FreeserveConnectionKit\atdialler1.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [WinLoader] MSREXE.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [RealJukeboxSystray] C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\SYSTEM\irun4.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Detector.lnk = C:\Tbridge\Flatbed.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - User Startup: Detector.lnk = C:\Tbridge\Flatbed.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBAR\FSBAR.DLL/VSearch.htm
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Any help would be much appreciated. Thanks, Graham Toyne.

Hi gmt1, Please download TDS-3 from http://tds.diamondcs.com.au/index.php?page=download and update it following the instructions here: http://tds.diamondcs.com.au/index.php?page=update Then click System Testing > Full System scan. When it is done right-click one of the entries in the bottom screen and choose save as txt. Post the content of that file. To make it easier to remove the trojans and worm, check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

F1 - win.ini: load=c:\windows\system\system.exe
F1 - win.ini: run=MSREXE.exe
O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O4 - HKLM\..\Run: [WinLoader] MSREXE.exe
O4 - HKLM\..\RunServices: [WinLoader] MSREXE.exe
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\SYSTEM\irun4.exe

Then reboot. Regards, Pieter

Re: My HijackThis log - FAO Pieter

Hi Pieter, Thanks for your reply. I have been unsuccessful in running TDS-3. I've downloaded and installed the program without any problems however when I double-click the icon on my desktop to run TDS-3 an error message appears: TDS-3 has performed an illegal operation and will be shutdown. 2 or 3 times I've uninstalled the program and downloaded it again but the same occurs. I've downloaded and am running a firewall called ZoneAlarm and this seems to be keeping out intrusions - I'm not sure who from though! I've also run latest versions of Ad-aware and Spybot S&D and here is the current HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 21:35:12, on 09/06/04
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\TEXTBRIDGE PLUS\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\FREESERVE\FREESERVECONNECTIONKIT\ATDIALLER1.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\ESM2\STMS.EXE
C:\TBRIDGE\FLATBED.EXE
C:\ESM2\EBRR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\PROFILES\TOYNE\MY DOCUMENTS\INTERNETSECURITY\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBAR\FSBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~2\tips\mouse\tips.exe
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Virgin Net User Check] C:\PROGRA~1\INTERN~1\CONNEC~2\vnet\runvnet.exe /c
O4 - HKLM\..\Run: [Intercent] C:\PROGRAM FILES\FINIWARE\INTERCENT 98\INTERCENT.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MicroDialler] C:\Freeserve\FreeserveConnectionKit\atdialler1.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [RealJukeboxSystray] C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Detector.lnk = C:\Tbridge\Flatbed.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - User Startup: Detector.lnk = C:\Tbridge\Flatbed.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBAR\FSBAR.DLL/VSearch.htm
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38147.3100347222

Any other ideas? Thanks again, Graham.

Hi Graham, Your log is clean. I'll move this thread to the DCS forum to see if they can sort out your problems with running TDS. The trojans are dormant on your system and I would feel lots better if they were removed. And who knows what else TDS finds. Regards, Pieter
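
An added example, not part of any post in this thread: a short Python script that diffs two HijackThis logs, to confirm that the entries a helper asked to have fixed are gone from the later scan and to list the entries that are new in it. The function names are made up for the example, and the embedded logs are shortened excerpts of the two logs posted above.

```python
import re

# HijackThis entry lines start with a section code such as R1, F1, O4 or O16.
ENTRY = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the set of (section, detail) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries

def diff_logs(before, after):
    """Return (removed, added): entries that left or entered the log between scans."""
    b, a = parse_entries(before), parse_entries(after)
    return sorted(b - a), sorted(a - b)

def unfixed(fix_list, after):
    """Entries from a fix list that are still present in the later scan."""
    return sorted(parse_entries(fix_list) & parse_entries(after))

# The six entries listed for "Fix checked" earlier in the thread.
FIX_LIST = r"""
F1 - win.ini: load=c:\windows\system\system.exe
F1 - win.ini: run=MSREXE.exe
O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O4 - HKLM\..\Run: [WinLoader] MSREXE.exe
O4 - HKLM\..\RunServices: [WinLoader] MSREXE.exe
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\SYSTEM\irun4.exe
"""
# Shortened excerpts of the 13:38 and 21:35 logs from the thread (not the full logs).
BEFORE = FIX_LIST + r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""
AFTER = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for section, detail in removed:
        print("removed:", section, "-", detail)
    for section, detail in added:
        print("added:  ", section, "-", detail)
    print("still present from fix list:", unfixed(FIX_LIST, AFTER))
```

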
Hi, Please go to this page http://tds.diamondcs.com.au/index.php?page=files Download the MSVB6 Runtime SP6 and run it. Once it's extracted, run the file contained within, which will install the update. Then reboot and try running TDS-3 again. If you get a crash, what does the error message give? Please paste the contents of the details.
I've noticed a few times that this worm C:\WINDOWS\SYSTEM\irun4.exe will affect a lot of security programs in 98/ME systems. We stopped it running before, but the actual file needs to be deleted from a 98 system. Boot into safe mode and delete C:\WINDOWS\SYSTEM\irun4.exe, then see if TDS will run.
Hi Gavin and dvk01, I've followed all your advice but when I try to run TDS-3 I still get: "This program has performed an illegal operation and will be shut down." Here is a copy of the details:

TDS-3 caused an invalid page fault in module CW3220MT.DLL at 0177:02304a89.
Registers:
EAX=bff89dac CS=0177 EIP=02304a89 EFLGS=00010292
EBX=0089e29c SS=017f ESP=007a0098 EBP=007a00d8
ECX=008a0000 DS=017f ESI=816802c8 FS=2187
EDX=388b5708 ES=017f EDI=022d7bb0 GS=0000
Bytes at CS:EIP:
83 3a 00 74 63 e8 39 10 00 00 64 8b 0d 04 00 00
Stack dump:
007a01a8 816802c8 0089e29c 00000000 00000000 00000000 00000000 00000000 00000000 0089e264 0089e2e8 00000000 0001001f 007a01c4 0089e29c 007a01a8

Graham.

Hi Graham, during install of TDS, did you have all other programs closed, especially anti-virus scanners etc? And did you reboot after install? I'm not familiar with the file from the error message, don't know where it belongs, googling for it did not give a real answer yet. Is that file on your system?
Hi Jooske, All other programs were closed as far as I know although the ZoneAlarm firewall I installed starts automatically on start-up. Have also downloaded Ad-aware, Spybot S&D, and Spyware Blaster. Not really sure how I should be using Spyware Blaster - is this a program that runs automatically? Yes, did reboot after install of TDS-3. I'm a bit of a novice so can't tell you much about the file CW3220MT.DLL however I did a search and it lives in the folder: C:\ViaVoice\tts\eloq I don't use ViaVoice so maybe I could just delete the file? Graham.
answer here, http://www.javacoolsoftware.info/kb/idx/0/005/article/ I'll leave your other enquiry to the TDS experts. Hope this helps. snowbound
ViaVoice and its components should not be a problem, so don't delete it yet. Did you also grab the speechpack for TDS from its download page? In that is among others the spchapi.exe file, which adds existing speech engines on your system to TDS. After installing TDS and extracting that speechpack, run the spchapi.exe in the TDS directory and give it another try with TDS. Let us know if that solved the problem please.
Hi Jooske, I downloaded and ran the spchapi.exe as you suggested but still get the same error message when I try to run TDS. I'm going on holiday for a week now but will get back on here as soon as I'm home as I'd like to clean up my system as much as possible. Thanks for all your help so far. Graham.
Hi all, I know you're probably fed up with me by now but I'm back! Any other ideas on how I can get TDS-3 to run? Graham.
Was hoping in the meantime you checked all the required system files and had the other programs down with installing TDS, including your spywareblaster etc and all resident protection registry protection, scanners, etc. Think FanK would advise to open your task manager and to close everything except systray and explorer before installing TDS or any other program, reboot and try to run it. The dll you mentioned -- I've never seen it making any trouble, first time in all those years I saw it mentioned, so not sure if that other program got corrupt somehow, maybe because of some infection or removing a file you needed. Did an online scan find anything illegal on your system, like at http://housecall.antivirus.com for instance? If you run ViaVoice, does that run well? Not sure if you installed TDS somewhere in program files and if you tried to install it for instance in c:\ Can't imagine the speech part from TDS and ViaVoice would not cooperate: look at www.microsoft.com/msagent and the third parties software pages they point to: -- the speech technology used in TDS is part of msagent. The only part I can imagine, go into the windows control panel, speech console, disable there the speech controls and only choose the SAPI4 speech engine. Now try TDS again.