
Access Members Area.exe

Discussion in 'Windows - Virus and spyware problems' started by Flacian, Mar 14, 2006.

  1. Flacian

    First of all, hello AfterDawn, long-time fan of all your tutorials. But now I need some help. Recently I picked up this annoying dialer and it keeps reappearing on my desktop every half hour. I've located the source and deleted it, but it keeps returning.

    Here is my HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 00:34:05, on 15/03/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\HHVcdV7Sys\VC7SecS.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ICQLite\ICQLite.exe
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\HHVcdV7Sys\VC7Play.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
    C:\Program Files\Virtual CD v7\System\VC7Tray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Grisoft\AVG Free\avgcc.exe
    Z:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.broadband.blueyonder.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {B9532165-BBF4-9002-F0B9-972C851400C6} - C:\WINDOWS\System32\qgfdh.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [MSNPluginSrvcs] p6.exe
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
    O4 - HKLM\..\Run: [VC7Player] C:\Program Files\HHVcdV7Sys\VC7Play.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\RunServices: [MSNPluginSrvcs] p6.exe
    O4 - HKCU\..\Run: [fofo] C:\PROGRA~1\COMMON~1\fofo\fofom.exe
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BTTray.lnk = ?
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
    O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
    O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
    O16 - DPF: {4EDD7E56-3BAA-13B6-D0D4-4A6A2FE914A6} - http://69.50.173.166/1/rdgGB2404.exe
    O16 - DPF: {FAFF0003-0A01-121A-A1C9-08032B23E0CC} - http://uk.global-acces.com/seed/nat3.exe
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Virtual CD v7 Management Service (VC7SecS) - H+H Software GmbH - C:\Program Files\HHVcdV7Sys\VC7SecS.exe

    If somebody can help me remove this stupid dialer I would be extremely grateful.

    Thanks in advance.

    Flacian.
     
  2. JaPK

    Hi Flacian, and yes, you've got some infections.

    You have two antivirus programs running. This can cause problems.
    Go to Control Panel -> Add or Remove Programs -> remove AVG OR Norton
    (I suggest that you remove AVG, especially if you have a paid license for Norton)

    Download and install Ewido, UPDATE it, but do NOT run a scan yet. -> http://www.ewido.net/en/download/

    Cleaning instructions:

    Move HijackThis.exe to its own folder, for example C:\HJT

    Run HijackThis and fix these entries (if found): (Do a system scan only, check entries, close all other windows, press Fix checked)

    O2 - BHO: (no name) - {B9532165-BBF4-9002-F0B9-972C851400C6} - C:\WINDOWS\System32\qgfdh.dll (file missing)
    O4 - HKLM\..\Run: [MSNPluginSrvcs] p6.exe
    O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
    O4 - HKLM\..\RunServices: [MSNPluginSrvcs] p6.exe
    O4 - HKCU\..\Run: [fofo] C:\PROGRA~1\COMMON~1\fofo\fofom.exe
    O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
    O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
    O16 - DPF: {4EDD7E56-3BAA-13B6-D0D4-4A6A2FE914A6} - http://69.50.173.166/1/rdgGB2404.exe
    O16 - DPF: {FAFF0003-0A01-121A-A1C9-08032B23E0CC} - http://uk.global-acces.com/seed/nat3.exe
    O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll

    Restart your computer in safe mode (press the F8 key while the computer is starting and choose Safe Mode)

    Make your hidden files visible:
    ->On the Tools menu in Windows Explorer, click Folder Options.
    ->Click the View tab.
    ->Under Hidden files and folders, click Show hidden files and folders.

    Delete this folder if found:
    C:\PROGRA~1\COMMON~1\-->fofo

    Delete these files if found:

    C:\WINDOWS\System32\-->qgfdh.dll
    C:\WINDOWS\-->iccontrol.exe
    C:\WINDOWS\SYSTEM32\-->wineak32.dll

    Use the Windows "search" function (make sure that you search hidden files and folders and system folders too)
    Search for this and delete if found: p6.exe

    Empty the Recycle Bin

    Make your hidden files invisible again:
    ->On the Tools menu in Windows Explorer, click Folder Options.
    ->Click the View tab.
    ->Under Hidden files and folders, click Do not show hidden files and folders.

    Scan your computer with Ewido and save the log file.

    Restart your computer normally.

    Post a fresh HijackThis log and Ewido's log here so we can see if your computer is now clean.
     
    Last edited: Mar 14, 2006
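A log-triage helper, added here as an example; it is not part of the thread and not a HijackThis feature. It parses the HJT entry format seen in the log above and applies the same kinds of checks the reply above applied by eye: entries pointing at files that are gone, autostarts by bare filename or from the Windows root, ActiveX downloads of executables, and Winlogon Notify hooks. The sample lines are taken from the posted log, and the bare-filename allowlist is an assumption an analyst would maintain, not a vendor list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the HijackThis log posted above, mixing the
# entries the reply told the poster to fix with entries it left alone.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B9532165-BBF4-9002-F0B9-972C851400C6} - C:\WINDOWS\System32\qgfdh.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSNPluginSrvcs] p6.exe
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\RunServices: [MSNPluginSrvcs] p6.exe
O4 - HKCU\..\Run: [fofo] C:\PROGRA~1\COMMON~1\fofo\fofom.exe
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O16 - DPF: {4EDD7E56-3BAA-13B6-D0D4-4A6A2FE914A6} - http://69.50.173.166/1/rdgGB2404.exe
O16 - DPF: {FAFF0003-0A01-121A-A1C9-08032B23E0CC} - http://uk.global-acces.com/seed/nat3.exe
O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
FILE_MISSING = "(file missing)"
# Assumed analyst allowlist: bare-filename autostarts already verified as benign
# on this machine. Anything else started by bare name gets flagged.
KNOWN_BARE_NAMES = {"soundman.exe"}
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)", re.I)


@dataclass
class Entry:
    kind: str          # HijackThis section, e.g. "O4", "O16"
    body: str          # everything after "O4 - ", minus the "(file missing)" tag
    target: str        # the path, URL or program the entry points at
    file_missing: bool


def executable_of(command: str) -> str:
    """Return the program part of an autostart command line, dropping its arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for headers and process-list lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    missing = body.endswith(FILE_MISSING)
    if missing:
        body = body[: -len(FILE_MISSING)].rstrip()
    if kind == "O4" and "] " in body:
        # O4 - HKLM\..\Run: [Name] <command line>
        target = executable_of(body.split("] ", 1)[1])
    else:
        # Other sections end with " - <path or URL>"
        target = body.rsplit(" - ", 1)[-1].strip().strip('"')
    return Entry(kind, body, target, missing)


def review_reasons(e: Entry) -> List[str]:
    """Heuristics that mark an entry for manual review; none of them proves malice."""
    reasons = []
    if e.file_missing:
        reasons.append("points at a file that no longer exists (dead hook of a removed or hidden component)")
    if e.kind == "O4":
        low = e.target.lower()
        if "\\" not in low and low not in KNOWN_BARE_NAMES:
            reasons.append("autostart by bare filename, resolved through the search path with no fixed location")
        elif re.fullmatch(r"c:\\windows\\[^\\]+\.exe", low):
            reasons.append("executable placed directly in the Windows directory rather than a program folder")
    if e.kind == "O16":
        if IP_HOST_RE.match(e.target):
            reasons.append("ActiveX download from a bare IP address")
        if e.target.lower().endswith(".exe"):
            reasons.append("ActiveX download of an executable")
    if e.kind == "O20":
        reasons.append("Winlogon Notify DLL is loaded at every logon; verify its publisher")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, target, reason) for every entry that deserves a manual look."""
    findings = []
    for line in log_text.strip().splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        for reason in review_reasons(e):
            findings.append((e.kind, e.target, reason))
    return findings


if __name__ == "__main__":
    for kind, target, reason in triage(SAMPLE_LOG):
        print(f"{kind:4} {target}\n     -> {reason}")
```

Note that the `fofo` autostart passes every rule here and was only caught by manual review, so heuristics like these shorten the list rather than finish it.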
  3. rav009

    EDITED...because it was rudely ignored... :p
     
    Last edited: Mar 15, 2006
  4. Flacian

    Thank you very much, JaPK. Your help got rid of that dialer; I've left my PC running for 2 hours while I was away and nothing has returned. I still think there are a couple of threats that remain, but anyway, here are the HJT and Ewido logs after fixing.

    HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:04:39, on 15/03/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\ICQLite\ICQLite.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\HHVcdV7Sys\VC7Play.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\HHVcdV7Sys\VC7SecS.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Virtual CD v7\System\VC7Tray.exe
    C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    Z:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.broadband.blueyonder.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [VC7Player] C:\Program Files\HHVcdV7Sys\VC7Play.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BTTray.lnk = ?
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Virtual CD v7 Management Service (VC7SecS) - H+H Software GmbH - C:\Program Files\HHVcdV7Sys\VC7SecS.exe

    Ewido:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 13:31:04, 15/03/2006
    + Report-Checksum: 86C03736

    + Scan result:

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
    [892] C:\WINDOWS\system32\wineak32.dll -> Downloader.Small.cml : Error during cleaning
    C:\WINDOWS\system32\__delete_on_reboot__wineak32.dll -> Downloader.Small.cml : Cleaned with backup
    C:\WINDOWS\Temp\win34.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win770.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win663.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\mtuninst.exe -> Adware.MediaTickets : Cleaned with backup

    C:\Documents and Settings\Kirby\Local Settings\Temporary Internet Files\Content.IE5\CFRBIS1L\WinFixer2005FreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.f : Cleaned with backup
    C:\Documents and Settings\Kirby\Cookies\kirby@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
    C:\Documents and Settings\Kirby\Cookies\kirby@ilead.itrack[1].txt -> TrackingCookie.Itrack : Cleaned with backup
    C:\Documents and Settings\Kirby\Cookies\kirby@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Kirby\Cookies\kirby@stats.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
    C:\Documents and Settings\Kirby\Cookies\kirby@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Kirby\Cookies\kirby@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\Kirby\Cookies\kirby@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\Kirby\Cookies\kirby@www.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\Kirby\Cookies\kirby@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\Kirby\Cookies\kirby@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\Documents and Settings\Kirby\Cookies\kirby@adopt.euroclick[3].txt -> TrackingCookie.Euroclick : Cleaned with backup
    C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP410\A0069679.exe -> Dialer.GBDialer.d : Cleaned with backup
    C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0069687.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0069688.exe -> Downloader.IstBar.er : Cleaned with backup
    C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0069689.exe -> Downloader.PurityScan.bt : Cleaned with backup
    C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070743.exe -> Dialer.GBDialer.d : Cleaned with backup
    C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070796.exe -> Dialer.GBDialer.d : Cleaned with backup
    C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070799.exe -> Dialer.GBDialer.d : Cleaned with backup
    C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070805.exe -> Dialer.GBDialer.d : Cleaned with backup
    C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070807.exe -> Dialer.GBDialer.d : Cleaned with backup
    C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070809.exe -> Downloader.PurityScan.by : Cleaned with backup
    C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070823.exe -> Dialer.GBDialer.d : Cleaned with backup
    C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070829.exe -> Dialer.GBDialer.d : Cleaned with backup
    C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070837.exe -> Dialer.GBDialer.d : Cleaned with backup
    C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070841.exe -> Dialer.GBDialer.d : Cleaned with backup
    C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070842.exe -> Dialer.GBDialer.d : Cleaned with backup
    C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070852.exe -> Dialer.GBDialer.d : Cleaned with backup
    ::Report End

    I deliberately edited the Ewido log, since the entries were mostly Firefox tracking cookies; the ones shown are the ones which seem to be threatening.
     
  5. JaPK

    OK, almost clean.

    Fix this entry with HijackThis.

    O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
    You can fix these entries with HijackThis if you want to make your computer (especially the startup) faster.

    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VC7Player] C:\Program Files\HHVcdV7Sys\VC7Play.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Post a new HijackThis log.

     
    Last edited: Mar 15, 2006
  6. Flacian

    Ah, nuts, it came back, although it's been a good 5 hours. I've used HJT to locate the line and deleted it, along with wineak32.dll, plus all the others you've listed to improve system performance.

    Here is the new HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 19:05:23, on 15/03/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\HHVcdV7Sys\VC7SecS.exe
    C:\Program Files\Virtual CD v7\System\VC7Tray.exe
    C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\BitComet\BitComet.exe
    Z:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.broadband.blueyonder.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - Global Startup: BTTray.lnk = ?
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Virtual CD v7 Management Service (VC7SecS) - H+H Software GmbH - C:\Program Files\HHVcdV7Sys\VC7SecS.exe
     
  7. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Ok, log looks clean now.

    But to make sure that you are clean, let's try this:

    Download eScan from here and save it to your desktop -> http://www.spywareinfo.dk/download/mwav.exe

    Double-click the file mwav.exe (on your desktop) and unzip the program to its default location (C:\Kaspersky)

    Close the eScan window.

    Then go to the folder C:\Kaspersky and run a file called kavupd.exe. It will update the program. (If your firewall alerts about connections from this program, allow them.)

    When kavupd.exe has finished, go to the folder C:\Downloads and press CTRL+A (select all files), then press CTRL+C (copy), go to the folder C:\Kaspersky and press CTRL+V (paste), overwriting files when asked.

    Then go to the folder C:\Kaspersky and run a file named mwavscan. Check these options:
    Memory, Registry, Startup Folders, System Folders, Services, Drive -> All Local drives, Scan all files

    Then press the Scan Clean button. (Scanning may take some time.)

    When the scan has finished, copy the results from the field in the scan window. Just select them with your mouse, then paste and save them with Notepad to your desktop. Name it viruslog.txt

    Post eScan's results (viruslog.txt) here.
     
    Last edited: Mar 15, 2006
  8. Flacian

    Flacian Member

    Joined:
    Mar 14, 2006
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    File C:\WINDOWS\Temp\win37.tmp.exe infected by "Trojan.Win32.Dialer.oy" Virus. Action Taken: File Deleted.

    File C:\WINDOWS\Temp\win3CD.tmp.exe infected by "Trojan.Win32.Dialer.oy" Virus. Action Taken: File Deleted.

    File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.

    File C:\Program Files\Norton AntiVirus\Quarantine\33B8323D.exe tagged as not-a-virus:porn-Dialer.Win32.GBDialer.d. No Action Taken.

    File C:\Program Files\Norton AntiVirus\Quarantine\33BB5C39.exe tagged as not-a-virus:porn-Dialer.Win32.GBDialer.d. No Action Taken.

    File C:\Program Files\Norton AntiVirus\Quarantine\053048EA.exe tagged as not-a-virus:porn-Dialer.Win32.GBDialer.d. No Action Taken.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070720.EXE tagged as not-a-virus:porn-Dialer.Win32.Agent.z. No Action Taken.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070721.EXE infected by "Trojan.Win32.LowZones.g" Virus. Action Taken: File Deleted.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070722.SCR infected by "Email-Worm.Win32.Wurmark.j" Virus. Action Taken: File Deleted.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070723.SCR infected by "Email-Worm.Win32.Wurmark.j" Virus. Action Taken: File Deleted.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070724.EXE infected by "Backdoor.Win32.Rbot.sh" Virus. Action Taken: File Renamed.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070725.EXE tagged as not-a-virus:porn-Dialer.Win32.GBDialer.d. No Action Taken.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070726.EXE infected by "Trojan-Downloader.Win32.PurityScan.bt" Virus. Action Taken: File Deleted.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070727.EXE infected by "Trojan-Downloader.Win32.TSUpdate.p" Virus. Action Taken: File Deleted.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070728.EXE infected by "P2P-Worm.Win32.VB.ca" Virus. Action Taken: File Deleted.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070729.COM infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: File Renamed.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070730.EXE infected by "Trojan-Downloader.Win32.TSUpdate.p" Virus. Action Taken: File Deleted.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070731.EXE infected by "Trojan.Win32.Pakes" Virus. Action Taken: File Deleted.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070732.EXE infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: File Deleted.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070733.EXE tagged as not-a-virus:Downloader.Win32.WinFixer.b. No Action Taken.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070734.EXE tagged as not-a-virus:Downloader.Win32.WinFixer.c. No Action Taken.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070735.EXE tagged as not-a-virus:Downloader.Win32.WinFixer.b. No Action Taken.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070792.dll tagged as not-a-virus:AdWare.Win32.PurityScan.ak. No Action Taken.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070810.exe tagged as not-a-virus:AdWare.Win32.PurityScan.bu. No Action Taken.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070962.exe tagged as not-a-virus:AdWare.Win32.MediaTickets.u. No Action Taken.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP413\A0070969.exe tagged as not-a-virus:porn-Dialer.Win32.GBDialer.d. No Action Taken.

    File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP413\A0070976.dll infected by "Trojan-Downloader.Win32.Small.cml" Virus. Action Taken: File Deleted.

    File C:\Installation Files\mirc616.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.

    It's been almost 3 hours since the last time the dialer showed up; however, I'm not gonna get overconfident about it. wineak32.dll seems to regenerate itself whenever the PC is restarted. I have turned to using HJT every once in a while to keep control should the dialer and the .dll return, but it would be nice if they were gone once and for all; hopefully with eScan they should be gone for good.
     
  9. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Ok. It is still coming back, right? Post me a dirty HijackThis log (don't clean it yourself) because I need to know the exact files and entries that are coming back.

    So post me a new HijackThis log and don't remove eScan from your computer just yet.
     
    Last edited: Mar 15, 2006
  10. rav009

    rav009 Active member

    Joined:
    Nov 14, 2005
    Messages:
    2,204
    Likes Received:
    0
    Trophy Points:
    66
    Like I said before, it's in the startup I think... uncheck it from msconfig... this will stop it appearing but it will still be on your system...
     
    Last edited: Mar 15, 2006
  11. Flacian

    Flacian Member

    Joined:
    Mar 14, 2006
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    Nah, msconfig shows nothing.

    It looks fine now; the dialer hasn't returned for about 8 hours of PC runtime, wineak32.dll didn't regenerate itself when I ran HJT first thing after I switched the PC on this morning, and eScan purged the rest of the threatening files that Ewido didn't. If anything comes up I'll stick up a new HJT log, but right now it's pretty much the same one you said was clean, JaPK.
     
  12. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Ok, good, but eScan couldn't clean everything because some of the files were in the system restore.

    To get rid of those files, do this:

    -> Disable system restore, instructions here -> http://service1.symantec.com/support/tsgeninfo.nsf/docid/2001111912274039
    -> Run eScan again

    -> Post eScan's findings here the same way you did earlier.
    -> Enable system restore

    -> If everything is clean, then the next step is to update your Windows... but post eScan's findings first...
     
    Last edited: Mar 16, 2006
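    When a scanner produces results like the ones posted in this thread, the questions a reviewer wants answered are: which hits were actually neutralised, which were left alone because they are riskware ("not-a-virus"), and which sit inside System Restore points or an AV quarantine folder, where the scanner will not touch them and where disabling System Restore, as advised above, is what finally purges them. The Python script below is an added example written for this page; it is not part of the thread, of eScan or of HijackThis. The sample lines are copied from the results posted above and embedded here as constructed input.

```python
import re
from collections import Counter

# Constructed sample input in the eScan (mwav) result format posted in this thread.
# The paths and detection names are taken from the posted output; the selection of
# lines is constructed for this example.
SAMPLE_RESULTS = r"""
File C:\WINDOWS\Temp\win37.tmp.exe infected by "Trojan.Win32.Dialer.oy" Virus. Action Taken: File Deleted.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\33B8323D.exe tagged as not-a-virus:porn-Dialer.Win32.GBDialer.d. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070720.EXE tagged as not-a-virus:porn-Dialer.Win32.Agent.z. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070724.EXE infected by "Backdoor.Win32.Rbot.sh" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP413\A0070976.dll infected by "Trojan-Downloader.Win32.Small.cml" Virus. Action Taken: File Deleted.
"""

# "infected by" lines carry a quoted detection name and the action eScan took;
# "tagged as" lines are riskware / not-a-virus hits that eScan leaves alone.
INFECTED_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. Action Taken: (?P<action>.+?)\.$')
TAGGED_RE = re.compile(
    r'^File (?P<path>.+?) tagged as (?P<name>\S+?)\. (?P<action>No Action Taken)\.$')


def parse_escan(text):
    """Turn eScan result lines into dicts; lines in an unknown shape are kept as 'unparsed'."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for severity, pattern in (("infected", INFECTED_RE), ("riskware", TAGGED_RE)):
            m = pattern.match(line)
            if m:
                findings.append({"severity": severity, "path": m["path"],
                                 "name": m["name"], "action": m["action"]})
                break
        else:
            findings.append({"severity": "unparsed", "path": None, "name": None,
                             "action": None, "raw": line})
    return findings


def in_system_restore(path):
    """True for files inside a System Restore point (System Volume Information\\_restore)."""
    return "\\system volume information\\_restore" in path.lower()


def in_quarantine(path):
    """True for files already held in an AV quarantine folder."""
    return "\\quarantine\\" in path.lower()


def triage(findings):
    """Separate what the scanner neutralised from what it left behind, and where it left it."""
    report = {"removed": [], "left_in_restore": [], "left_in_quarantine": [], "left_elsewhere": []}
    for f in findings:
        if f["severity"] == "unparsed":
            continue
        if f["action"] in ("File Deleted", "File Renamed"):
            report["removed"].append(f["path"])
        elif in_system_restore(f["path"]):
            report["left_in_restore"].append(f["path"])
        elif in_quarantine(f["path"]):
            report["left_in_quarantine"].append(f["path"])
        else:
            report["left_elsewhere"].append(f["path"])
    return report


def families(findings):
    """Count detections by family (the part before the first dot, minus any 'not-a-virus:' label)."""
    return Counter(f["name"].split(":")[-1].split(".")[0] for f in findings if f["name"])


if __name__ == "__main__":
    found = parse_escan(SAMPLE_RESULTS)
    for bucket, paths in triage(found).items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
    print(dict(families(found)))
```

    Anything in `left_in_restore` is exactly the class of file JaPK is talking about: eScan reports it but cannot reach into the restore point, so turning System Restore off (which discards the restore points) and rescanning is the step that clears it. Files in `left_in_quarantine` are already neutralised by the AV product that put them there and can simply be purged from that product's quarantine.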
  13. Flacian

    Flacian Member

    Joined:
    Mar 14, 2006
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    Disabled system restore, ran eScan again, nothing came up. Looks clean now; it's been over 12 hours of PC runtime and not a trace of the dialer, but I'll update Windows and check HJT once in a while to keep my PC in check. Thanks very much for all the help, JaPK.
     
  14. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Ok, that is great to hear. If problems occur then just post here and we'll help you.

    And yes, update your Windows and Internet Explorer -> http://windowsupdate.microsoft.com/

    You are welcome =)
     
  15. aasimn

    aasimn Member

    Joined:
    Mar 24, 2006
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    16
    Can you please guide me through this again PLEASE PLEASE

    I HAVE THE SAME PROBLEM!

    CAN YOU PLEASE MAKE IT EASIER??

    THANKS A LOT!!!
     
  16. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Last edited: Mar 24, 2006
  17. aasimn

    aasimn Member

    Joined:
    Mar 24, 2006
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    16
    Hey... I can't get through the HijackThis step? It downloads, then doesn't open.
     
  18. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Ok, let's try again.

    Download HijackThis from here -> http://koti.mbnet.fi/pattaya1/lataus/hijackthis_self.exe
    Save it to your desktop.

    Then go to your desktop and double-click the file
    hijackthis_self.exe

    Press the OK button. [Don't mind the Finnish text =)]
    Then press the Unzip button.
    Then press the OK button.

    IF HijackThis doesn't open automatically, go to C:\HJT and double-click the file hijackthis.exe

    Then (in HijackThis) press the "Do a system scan and save a log file" button.
    Wait while it creates the log.
    When it is ready, the log opens in a Notepad window.
    Go to this document, select all the text with your mouse and copy it.

    Then paste the log into your new thread.
     
    Last edited: Mar 25, 2006
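    Once a HijackThis log like the one posted earlier in this thread has been produced, a reviewer's first pass is to pull out the entries that load code automatically (O4 Run keys and startup shortcuts, O23 services, O2/O18 COM objects) and look for the usual warning signs: a service with "Unknown owner", an entry whose file is "(file missing)", a startup shortcut that resolves to "?", or an executable that runs from a temp directory (the eScan results in this thread found the dialer under C:\WINDOWS\Temp). The Python script below is an added example for this page and is not part of the thread or of HijackThis. Its sample lines are copied from the log posted above, except the "[win37]" entry, which is constructed to model the temp-directory case; the check list and the field names are this example's own.

```python
import re

# Constructed sample in HijackThis 1.99.1 log format. All lines except the "[win37]"
# entry are copied from the log posted in this thread; that one is constructed to
# model a startup entry running from C:\WINDOWS\Temp, where eScan found the dialer.
SAMPLE_HJT = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKCU\..\Run: [win37] C:\WINDOWS\Temp\win37.tmp.exe
O4 - Global Startup: BTTray.lnk = ?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Every HJT line is "<section> - <body>"; the body's shape depends on the section.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
O4_RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
GLOBAL_RE = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<target>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
CLSID_RE = re.compile(r"^(?P<kind>[^:]+): (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
# First executable-looking token of a Run command, with surrounding quotes and arguments dropped.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|dll|com|scr|ocx))', re.I)


def exe_of(cmd):
    m = EXE_RE.match(cmd.strip())
    return m["exe"] if m else cmd.strip()


def parse_hjt(text):
    """Parse HJT lines into dicts keyed by section; fields depend on the section type."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if not m:
            continue
        e = {"section": m["section"], "raw": raw}
        body = m["body"]
        if e["section"] == "O4":
            r, g = O4_RUN_RE.match(body), GLOBAL_RE.match(body)
            if r:
                e.update(hive=r["hive"], name=r["name"], path=exe_of(r["cmd"]))
            elif g:
                e.update(name=g["name"], target=g["target"])
        elif e["section"] == "O23":
            s = O23_RE.match(body)
            if s:
                e.update(name=s["name"], owner=s["owner"], path=s["path"])
        else:
            c = CLSID_RE.match(body)
            if c:
                e.update(kind=c["kind"], name=c["name"], clsid=c["clsid"], path=c["path"])
        entries.append(e)
    return entries


def review(entry):
    """Return the reasons an entry deserves a second look; an empty list means nothing odd."""
    reasons = []
    path = (entry.get("path") or "").lower()
    if "(file missing)" in entry["raw"].lower():
        reasons.append("references a file that is missing")
    if entry.get("owner") == "Unknown owner":
        reasons.append("service has no recognised publisher")
    if entry.get("target") == "?":
        reasons.append("startup shortcut with an unresolved target")
    if "\\temp\\" in path:
        reasons.append("executable lives in a temp directory")
    return reasons


def suspicious(entries):
    """(entry, reasons) for every entry that tripped at least one check, in log order."""
    out = []
    for e in entries:
        reasons = review(e)
        if reasons:
            out.append((e, reasons))
    return out


if __name__ == "__main__":
    for e, reasons in suspicious(parse_hjt(SAMPLE_HJT)):
        print(f"{e['section']} {e.get('name')}: {'; '.join(reasons)}")
```

    The checks are deliberately conservative: they only flag entries that are structurally odd, and a flagged entry is a prompt to identify the file (publisher, location, what it does), not an instruction to delete it. Legitimate software such as the ATI helper in the sample can show "Unknown owner" simply because the vendor did not fill in the service description.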
