need help removing a dialer (merged)

need help removing a dialer

hey guys,

ewido security suit just found a dialer on my machine, would like help on removing it.. not sure if all of it is gone. btw how good ewido on detecting dialers and removing them?

My ewido scan log:



ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:10:44 PM, 6/15/2004
+ Report-Checksum: 54FBD60A

+ Date of database: 6/15/2004
+ Version of scan engine: v1.1

+ Duration: 28 min
+ Scanned Files: 77044
+ Speed: 44.69 Files/Second
+ Infected files: 1
+ Removed files: 1
+ Files put in quarantine: 1
+ Files that could not be opened: 25
+ Files that could not be cleaned: 0

+ Ignore extension: Yes
+ Binder: Yes
+ Crypter: Yes
+ Memory: No
+ Archives: No
+ Heuristic: No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat -> File could not be opened
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG -> File could not be opened
C:\Documents and Settings\LocalService\NTUSER.DAT -> File could not be opened
C:\Documents and Settings\LocalService\ntuser.dat.LOG -> File could not be opened
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat -> File could not be opened
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG -> File could not be opened
C:\Documents and Settings\NetworkService\NTUSER.DAT -> File could not be opened
C:\Documents and Settings\NetworkService\ntuser.dat.LOG -> File could not be opened
C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\imnogjjt.slt\parent.lock -> File could not be opened
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat -> File could not be opened
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG -> File could not be opened
C:\Documents and Settings\Owner\Local Settings\Temp\hsperfdata_Owner\588 -> File could not be opened
C:\Documents and Settings\Owner\ntuser.dat -> File could not be opened
C:\Documents and Settings\Owner\ntuser.dat.LOG -> File could not be opened
C:\pagefile.sys -> File could not be opened
C:\WINDOWS\system32\config\default -> File could not be opened
C:\WINDOWS\system32\config\default.LOG -> File could not be opened
C:\WINDOWS\system32\config\SAM -> File could not be opened
C:\WINDOWS\system32\config\SAM.LOG -> File could not be opened
C:\WINDOWS\system32\config\SECURITY -> File could not be opened
C:\WINDOWS\system32\config\SECURITY.LOG -> File could not be opened
C:\WINDOWS\system32\config\software -> File could not be opened
C:\WINDOWS\system32\config\software.LOG -> File could not be opened
C:\WINDOWS\system32\config\system -> File could not be opened
C:\WINDOWS\system32\config\system.LOG -> File could not be opened
C:\WINDOWS\system32\WBDBV32I.DLL -> Dialer.Generic -> Cleaned with backup


::Report End

 

Re: need help removing a dialer

Hi YODA,

Could you follow ALL the steps and instructions in this link:
https://www.wilderssecurity.com/showthread.php?t=15913

Then post your hijackthis log here in this thread.

Thank you,

snap

 

HiJACKEDthis LOGFILE!

hey guys,

Hp jacked up my browser, need instructions in cleaning up...

Logfile of HijackThis v1.97.7
Scan saved at 2:15:01 PM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38154.5339351852

 

Re: HiJACKED!

uhhh.. need help plz

 

Hi YODA,

Sorry for the late reply.

Before you begin, please create a new, permanent folder on your C: drive (not the desktop or temp folders) and move HijackThis.exe off the desktop and into the new folder. Hijackthis creates backups in the folder it is ran from, so it would get pretty messy on the desktop, and you may want those backups if you should need to put anything back.

Then place a check beside the following items in Hijackthis.
Close ALL browsers and any other open applications, except HijackThis, and click *Fix checked:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

From Pacman's Startup List:

Then reboot your computer.

Regards,

snap