need help removing a dialer (merged)

Discussion in 'adware, spyware & hijack cleaning' started by YODA, Jun 15, 2004.

Thread Status:
Not open for further replies.
  1. YODA

    YODA Registered Member

    Joined:
    Jul 15, 2002
    Posts:
    100
    need help removing a dialer

    hey guys,

    ewido security suite just found a dialer on my machine; I would like help on removing it.. not sure if all of it is gone. BTW, how good is ewido at detecting dialers and removing them?

    My ewido scan log:



    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 2:10:44 PM, 6/15/2004
    + Report-Checksum: 54FBD60A

    + Date of database: 6/15/2004
    + Version of scan engine: v1.1

    + Duration: 28 min
    + Scanned Files: 77044
    + Speed: 44.69 Files/Second
    + Infected files: 1
    + Removed files: 1
    + Files put in quarantine: 1
    + Files that could not be opened: 25
    + Files that could not be cleaned: 0

    + Ignore extension: Yes
    + Binder: Yes
    + Crypter: Yes
    + Memory: No
    + Archives: No
    + Heuristic: No

    + Scanned items:
    C:\

    + Scan result:
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat -> File could not be opened
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG -> File could not be opened
    C:\Documents and Settings\LocalService\NTUSER.DAT -> File could not be opened
    C:\Documents and Settings\LocalService\ntuser.dat.LOG -> File could not be opened
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat -> File could not be opened
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG -> File could not be opened
    C:\Documents and Settings\NetworkService\NTUSER.DAT -> File could not be opened
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG -> File could not be opened
    C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\imnogjjt.slt\parent.lock -> File could not be opened
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat -> File could not be opened
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG -> File could not be opened
    C:\Documents and Settings\Owner\Local Settings\Temp\hsperfdata_Owner\588 -> File could not be opened
    C:\Documents and Settings\Owner\ntuser.dat -> File could not be opened
    C:\Documents and Settings\Owner\ntuser.dat.LOG -> File could not be opened
    C:\pagefile.sys -> File could not be opened
    C:\WINDOWS\system32\config\default -> File could not be opened
    C:\WINDOWS\system32\config\default.LOG -> File could not be opened
    C:\WINDOWS\system32\config\SAM -> File could not be opened
    C:\WINDOWS\system32\config\SAM.LOG -> File could not be opened
    C:\WINDOWS\system32\config\SECURITY -> File could not be opened
    C:\WINDOWS\system32\config\SECURITY.LOG -> File could not be opened
    C:\WINDOWS\system32\config\software -> File could not be opened
    C:\WINDOWS\system32\config\software.LOG -> File could not be opened
    C:\WINDOWS\system32\config\system -> File could not be opened
    C:\WINDOWS\system32\config\system.LOG -> File could not be opened
    C:\WINDOWS\system32\WBDBV32I.DLL -> Dialer.Generic -> Cleaned with backup


    ::Report End
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
  3. YODA

    YODA Registered Member

    Joined:
    Jul 15, 2002
    Posts:
    100
    HiJACKEDthis LOGFILE!

    hey guys,

    HP jacked up my browser, I need instructions for cleaning it up...

    Logfile of HijackThis v1.97.7
    Scan saved at 2:15:01 PM, on 6/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38154.5339351852
     
    Last edited: Jun 16, 2004
  4. YODA

    YODA Registered Member

    Joined:
    Jul 15, 2002
    Posts:
    100
    Re: HiJACKED!

    o_O uhhh.. need help plz
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi YODA,

    Sorry for the late reply.

    Before you begin, please create a new, permanent folder on your C: drive (not the desktop or temp folders) and move HijackThis.exe off the desktop and into the new folder. HijackThis creates backups in the folder it is run from, so it would get pretty messy on the desktop, and you may want those backups if you should need to put anything back.

    Then place a check beside the following items in Hijackthis.
    Close ALL browsers and any other open applications, except HijackThis, and click *Fix checked:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    From Pacman's Startup List:
    Then reboot your computer.

    Regards,

    snap
     
    Last edited: Jun 22, 2004
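As an added example (not from this thread, from HijackThis or from ewido), a small Python parser for the R0/R1 and O4 lines of a HijackThis log like the one posted above: it lists start/search-page hosts outside an expected set, and autostart entries whose command has no absolute path, which is the shape of the ALCXMNTR.EXE entry snapdragin singled out. The embedded log excerpt is constructed from this thread; the expected-host set is an assumption the reader supplies.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt modelled on the HijackThis v1.97.7 log posted in this thread.
SAMPLE_LOG = r'''
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
'''

# R0/R1: "<section> - <hive>\<key>,<value name> = <url>"
R_LINE = re.compile(r'^(R[01]) - (HKCU|HKLM)\\(.+?),(\S[^=]*?) = (.*)$')
# O4: "O4 - <hive>\..\<Run key>: [<entry name>] <command line>"
O4_LINE = re.compile(r'^O4 - (HKCU|HKLM)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$')
ABS_PATH = re.compile(r'^"?[A-Za-z]:\\')

def parse_ie_urls(log):
    """Return (section, hive, value name, url) for every R0/R1 line."""
    out = []
    for line in log.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            sec, hive, _key, name, url = m.groups()
            out.append((sec, hive, name, url))
    return out

def hosts_outside(log, expected):
    """Hosts set as IE start/search pages that are not in the expected set;
    the matching R0/R1 lines are the candidates for 'Fix checked'."""
    return sorted({urlsplit(u).hostname for _s, _h, _n, u in parse_ie_urls(log)
                   if urlsplit(u).hostname not in expected})

def pathless_run_entries(log):
    """O4 autostart entries whose command is not an absolute path. Windows
    resolves these through the PATH search order, so the log alone cannot
    tell which file actually runs; review these entries first."""
    hits = []
    for line in log.splitlines():
        m = O4_LINE.match(line.strip())
        if m and not ABS_PATH.match(m.group(4)):
            hive, key, name, cmd = m.groups()
            hits.append((f'{hive}\\..\\{key}', name, cmd.split()[0]))
    return hits

if __name__ == '__main__':
    print(hosts_outside(SAMPLE_LOG, {'www.yahoo.com'}))
    for entry in pathless_run_entries(SAMPLE_LOG):
        print(entry)
```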