First of all, hello AfterDawn, long time fan of all your tutorials. But now I need some help. Recently I picked up this annoying dialer and it keeps reappearing on my desktop every half hour, I've located the source and deleted it but it keeps returning. Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 00:34:05, on 15/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\HHVcdV7Sys\VC7SecS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\HHVcdV7Sys\VC7Play.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Virtual CD v7\System\VC7Tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
Z:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.broadband.blueyonder.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B9532165-BBF4-9002-F0B9-972C851400C6} - C:\WINDOWS\System32\qgfdh.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MSNPluginSrvcs] p6.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKLM\..\Run: [VC7Player] C:\Program Files\HHVcdV7Sys\VC7Play.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [MSNPluginSrvcs] p6.exe
O4 - HKCU\..\Run: [fofo] C:\PROGRA~1\COMMON~1\fofo\fofom.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
O16 - DPF: {4EDD7E56-3BAA-13B6-D0D4-4A6A2FE914A6} - http://69.50.173.166/1/rdgGB2404.exe
O16 - DPF: {FAFF0003-0A01-121A-A1C9-08032B23E0CC} - http://uk.global-acces.com/seed/nat3.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Virtual CD v7 Management Service (VC7SecS) - H+H Software GmbH - C:\Program Files\HHVcdV7Sys\VC7SecS.exe

If somebody can help me remove this stupid dialer I would be extremely grateful. Thanks in advance. Flacian.
Hi Flacian, and yes you got some infections.

You have two antivirus programs running. This can cause problems. Go to Control Panel -> Add or remove programs -> Remove AVG OR Norton (I suggest that you remove AVG especially if you have a paid license to Norton)

Download and install Ewido, UPDATE it, but do NOT run a scan yet. -> http://www.ewido.net/en/download/

Cleaning instructions:

Move HijackThis.exe to its own folder, for example C:\HJT

Run HijackThis and fix these entries (if found): (Do a system scan only, check entries, close all other windows, press Fix checked)

O2 - BHO: (no name) - {B9532165-BBF4-9002-F0B9-972C851400C6} - C:\WINDOWS\System32\qgfdh.dll (file missing)
O4 - HKLM\..\Run: [MSNPluginSrvcs] p6.exe
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKLM\..\RunServices: [MSNPluginSrvcs] p6.exe
O4 - HKCU\..\Run: [fofo] C:\PROGRA~1\COMMON~1\fofo\fofom.exe
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O16 - DPF: {4EDD7E56-3BAA-13B6-D0D4-4A6A2FE914A6} - http://69.50.173.166/1/rdgGB2404.exe
O16 - DPF: {FAFF0003-0A01-121A-A1C9-08032B23E0CC} - http://uk.global-acces.com/seed/nat3.exe
O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll

Restart your computer to the safe mode (Press F8 button when computer is starting and choose safe mode)

Make your hidden files visible:
->On the Tools menu in Windows Explorer, click Folder Options.
->Click the View tab.
->Under Hidden files and folders, click Show hidden files and folders.

Delete this folder if found:
C:\PROGRA~1\COMMON~1\-->fofo

Delete these files if found:
C:\WINDOWS\System32\-->qgfdh.dll
C:\WINDOWS\-->iccontrol.exe
C:\WINDOWS\SYSTEM32\-->wineak32.dll

Use the Windows "search" function (make sure that you search from hidden files and folders and from system folders too)
Search for this and delete if found:
p6.exe

Empty the Recycle Bin

Make your hidden files invisible again:
->On the Tools menu in Windows Explorer, click Folder Options.
->Click the View tab.
->Under Hidden files and folders, click Do not show hidden files and folders.

Scan your computer with Ewido and save the log file.

Restart your computer normally.

Post a fresh HijackThis log and Ewido's log to here so we can see if your computer is now clean.
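The reasoning behind the list of entries to fix above (orphaned "file missing" references, autostart entries with no path such as p6.exe, an ActiveX download from a bare IP, a Winlogon Notify DLL) can be written down as triage rules and run over a log. The script below is an added example, not part of the thread or of HijackThis itself; the rules are heuristics chosen for this example, and the sample log is a constructed excerpt of the entries posted in this thread. It deliberately does not catch everything a human does (the [fofo] entry, for instance, only looks wrong because of its name).

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: a handful of entries copied from the HijackThis log posted in this
# thread, mixed with legitimate ones, so the rules have both kinds to work on.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B9532165-BBF4-9002-F0B9-972C851400C6} - C:\WINDOWS\System32\qgfdh.dll (file missing)
O4 - HKLM\..\Run: [MSNPluginSrvcs] p6.exe
O4 - HKLM\..\RunServices: [MSNPluginSrvcs] p6.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [fofo] C:\PROGRA~1\COMMON~1\fofo\fofom.exe
O16 - DPF: {4EDD7E56-3BAA-13B6-D0D4-4A6A2FE914A6} - http://69.50.173.166/1/rdgGB2404.exe
O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
"""

# HijackThis entries start with a section code (R0, O2, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
URL_RE = re.compile(r"https?://\S+")
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\")   # a fully qualified Windows path


def parse_entry(line):
    """Split one log line into (section code, body).

    Returns None for lines that are not entries (the header and the
    'Running processes' list), so callers can feed the whole log through."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def _host_is_ip(url):
    """True when the URL's host is a literal IP address rather than a name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(line):
    """Return the reasons an entry deserves a closer look (empty list = nothing noticed).

    These rules mirror what the helper picked out in the thread; they are a
    first pass for a reviewer, not a verdict."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    code, body = parsed
    reasons = []

    # HijackThis marks registry entries whose target no longer exists on disk.
    # The reference is dead weight at best and a remnant of something removed at worst.
    if "(file missing)" in body:
        reasons.append("orphaned entry: referenced file is missing")

    if code == "O4":
        # RunServices is a Windows 9x-era autostart key; XP-era software seldom writes to it.
        if "RunServices" in body:
            reasons.append("RunServices key: legacy autostart key, unusual for legitimate software")
        # The O4 body is 'HKLM\..\Run: [name] target'. A bare file name (no drive letter)
        # resolves through the search path, so the reviewer cannot tell where it lives.
        target = body.split("]", 1)[1].strip() if "]" in body else ""
        if target and not DRIVE_PATH_RE.search(target):
            reasons.append("autostart target has no full path: %s" % target)

    if code == "O16":
        # O16 lists ActiveX objects IE was told to download. A raw IP host or a direct
        # .exe is the pattern the helper flagged, not something a vendor plug-in looks like.
        for url in URL_RE.findall(body):
            if _host_is_ip(url):
                reasons.append("ActiveX download from a bare IP address")
            if url.lower().endswith(".exe"):
                reasons.append("ActiveX entry fetches an executable directly")

    if code == "O20":
        # Winlogon Notify DLLs load into winlogon at every logon, which is why the
        # thread's wineak32.dll kept coming back until it was removed in safe mode.
        reasons.append("Winlogon Notify DLL: loads at logon, verify the DLL is known")

    return reasons


def triage_log(text):
    """Run triage over a whole log; returns [(line, reasons)] for flagged entries only."""
    flagged = []
    for line in text.splitlines():
        reasons = triage(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```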
Thank you very much JaPK, your help got rid of that dialer and I've left my PC running for 2 hours while I was away and nothing has returned. I still think there are a couple of threats that remain but anyways here's the HJT and Ewido logs after fixing.

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:04:39, on 15/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\HHVcdV7Sys\VC7Play.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HHVcdV7Sys\VC7SecS.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Virtual CD v7\System\VC7Tray.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
Z:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.broadband.blueyonder.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [VC7Player] C:\Program Files\HHVcdV7Sys\VC7Play.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Virtual CD v7 Management Service (VC7SecS) - H+H Software GmbH - C:\Program Files\HHVcdV7Sys\VC7SecS.exe

Ewido:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 13:31:04, 15/03/2006
+ Report-Checksum: 86C03736

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
[892] C:\WINDOWS\system32\wineak32.dll -> Downloader.Small.cml : Error during cleaning
C:\WINDOWS\system32\__delete_on_reboot__wineak32.dll -> Downloader.Small.cml : Cleaned with backup
C:\WINDOWS\Temp\win34.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\Temp\win770.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\Temp\win663.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\mtuninst.exe -> Adware.MediaTickets : Cleaned with backup
C:\Documents and Settings\Kirby\Local Settings\Temporary Internet Files\Content.IE5\CFRBIS1L\WinFixer2005FreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.f : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@ilead.itrack[1].txt -> TrackingCookie.Itrack : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@stats.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@www.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@adopt.euroclick[3].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP410\A0069679.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0069687.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0069688.exe -> Downloader.IstBar.er : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0069689.exe -> Downloader.PurityScan.bt : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070743.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070796.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070799.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070805.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070807.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070809.exe -> Downloader.PurityScan.by : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070823.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070829.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070837.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070841.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070842.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070852.exe -> Dialer.GBDialer.d : Cleaned with backup

::Report End

I deliberately edited the Ewido log since they were mostly Firefox Tracking Cookies, the ones shown are the ones which seem to be threatening.
Ok, almost clean.

Fix this entry with HijackThis.
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)

You can fix these entries with HijackThis if you want to make your computer (especially the startup) faster.
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VC7Player] C:\Program Files\HHVcdV7Sys\VC7Play.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Post a new HijackThis log.
Ah nuts it came back, although it's been a good 5 hours, I've used HJT to locate the line and deleted it, along with wineak32.dll plus all the others you've listed to improve system performance. Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 19:05:23, on 15/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\HHVcdV7Sys\VC7SecS.exe
C:\Program Files\Virtual CD v7\System\VC7Tray.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\BitComet\BitComet.exe
Z:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.broadband.blueyonder.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Virtual CD v7 Management Service (VC7SecS) - H+H Software GmbH - C:\Program Files\HHVcdV7Sys\VC7SecS.exe
Ok, log looks clean now. But to make sure that you are clean, let's try this:
Download eScan from here and save it to your desktop -> http://www.spywareinfo.dk/download/mwav.exe
Double-click the file mwav.exe (on your desktop) and unzip the program to its default location (C:\Kaspersky). Close the eScan window.
Then go to the folder C:\Kaspersky and run a file called kavupd.exe. It will update the program. (If the firewall alerts about connections from this program, allow those.)
When kavupd.exe has finished, go to the folder C:\Downloads and press CTRL+A (select all files), then press CTRL+C (copy), then go to the folder C:\Kaspersky and press CTRL+V (paste); overwrite files when asked.
Then go to the folder C:\Kaspersky and run a file named mwavscan.
Check these options: Memory, Registry, Startup Folders, System Folders, Services, Drive -> All Local Drives, Scan all files. Then press the Scan Clean button. (Scanning may take some time.)
When the scan has finished, copy the results from the field in the scan window. Just copy those with your mouse, then paste and save them with Notepad to your desktop. Name it viruslog.txt.
Post eScan's results (viruslog.txt) here.
File C:\WINDOWS\Temp\win37.tmp.exe infected by "Trojan.Win32.Dialer.oy" Virus. Action Taken: File Deleted.
File C:\WINDOWS\Temp\win3CD.tmp.exe infected by "Trojan.Win32.Dialer.oy" Virus. Action Taken: File Deleted.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\33B8323D.exe tagged as not-a-virus:Porn-Dialer.Win32.GBDialer.d. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\33BB5C39.exe tagged as not-a-virus:Porn-Dialer.Win32.GBDialer.d. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\053048EA.exe tagged as not-a-virus:Porn-Dialer.Win32.GBDialer.d. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070720.EXE tagged as not-a-virus:Porn-Dialer.Win32.Agent.z. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070721.EXE infected by "Trojan.Win32.LowZones.g" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070722.SCR infected by "Email-Worm.Win32.Wurmark.j" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070723.SCR infected by "Email-Worm.Win32.Wurmark.j" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070724.EXE infected by "Backdoor.Win32.Rbot.sh" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070725.EXE tagged as not-a-virus:Porn-Dialer.Win32.GBDialer.d. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070726.EXE infected by "Trojan-Downloader.Win32.PurityScan.bt" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070727.EXE infected by "Trojan-Downloader.Win32.TSUpdate.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070728.EXE infected by "P2P-Worm.Win32.VB.ca" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070729.COM infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070730.EXE infected by "Trojan-Downloader.Win32.TSUpdate.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070731.EXE infected by "Trojan.Win32.Pakes" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070732.EXE infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070733.EXE tagged as not-a-virus:Downloader.Win32.WinFixer.b. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070734.EXE tagged as not-a-virus:Downloader.Win32.WinFixer.c. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070735.EXE tagged as not-a-virus:Downloader.Win32.WinFixer.b. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070792.dll tagged as not-a-virus:AdWare.Win32.PurityScan.ak. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070810.exe tagged as not-a-virus:AdWare.Win32.PurityScan.bu. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070962.exe tagged as not-a-virus:AdWare.Win32.MediaTickets.u. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP413\A0070969.exe tagged as not-a-virus:Porn-Dialer.Win32.GBDialer.d. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP413\A0070976.dll infected by "Trojan-Downloader.Win32.Small.cml" Virus. Action Taken: File Deleted.
File C:\Installation Files\mirc616.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
It's been almost 3 hours since the last time the dialer showed up; however, I'm not gonna get overconfident over it. wineak32.dll seems to regenerate itself whenever the PC is restarted. I have turned to using HJT every once in a while to keep control should the dialer and the .dll return, but it would be nice if they were gone once and for all; hopefully with eScan they should be gone for good.
Ok. It is still coming back, right? Post me a dirty HijackThis log (don't clean it yourself) because I need to know exact files and entries that are coming back. So post me a new HijackThis log and don't remove eScan from your computer just yet.
Like I said before, it's in the startup, I think. Uncheck it from msconfig. This will stop it appearing, but it will still be on your system.
Nah, msconfig shows nothing. It looks fine now: the dialer hasn't returned for about 8 hours of PC runtime, wineak32.dll didn't regenerate itself when I ran HJT first thing after I switched the PC on this morning, and eScan purged the rest of the threatening files that Ewido didn't. If anything comes up I'll stick a new HJT log up, but right now it's pretty much the same one you said was clean. JaPK
Ok, good, but eScan couldn't clean everything because some of the files were in the system restore. To get rid of those files, do this:
-> Disable system restore, instructions here -> http://service1.symantec.com/support/tsgeninfo.nsf/docid/2001111912274039
-> Run eScan again
-> Post eScan's findings here the same way you did earlier.
-> Enable system restore
-> If everything is clean, then the next step is to update your Windows.... but post the eScan's findings first....
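The helper's point in the two posts above is that eScan reports every hit with a location and an action, and that hits inside System Volume Information (restore points) are ones eScan cannot deal with until System Restore is switched off. As an added example, not from the thread and not part of eScan, here is a small Python parser for eScan result lines of the shape posted above. It sorts each finding by where it lives (restore point, Norton quarantine, Temp, or a live file) and by the action eScan took, so the reader can see at a glance what a re-scan with System Restore disabled still has to cover. The sample report is constructed from lines modelled on the post; the wineak32.dll path and its detection name are assumptions, since the thread never gives them.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of eScan (mwavscan) result lines, modelled on the report
# posted in the thread. Two shapes occur: "infected by ... Action Taken: ..."
# and "tagged as ... No Action Taken." The wineak32.dll line is an assumption
# (the thread does not give its path or detection name).
SAMPLE_REPORT = r"""
File C:\WINDOWS\Temp\win37.tmp.exe infected by "Trojan.Win32.Dialer.oy" Virus. Action Taken: File Deleted.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\33B8323D.exe tagged as not-a-virus:Porn-Dialer.Win32.GBDialer.d. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070724.EXE infected by "Backdoor.Win32.Rbot.sh" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP413\A0070969.exe tagged as not-a-virus:Porn-Dialer.Win32.GBDialer.d. No Action Taken.
File C:\WINDOWS\System32\wineak32.dll infected by "Trojan.Win32.Dialer.oy" Virus. Action Taken: File Deleted.
"""

# One regex for both line shapes; the path is matched lazily so spaces in it are fine.
LINE_RE = re.compile(
    r'^File (?P<path>.+?) '
    r'(?:infected by "(?P<threat>[^"]+)" Virus\. Action Taken: (?P<action>.+?)\.'
    r'|tagged as (?P<tag>.+?)\. No Action Taken\.)$'
)


@dataclass
class Detection:
    path: str
    name: str       # scanner's detection name
    action: str     # "File Deleted", "File Renamed" or "No Action Taken"
    location: str   # "restore-point", "quarantine", "temp" or "live"


def classify_location(path: str) -> str:
    """Where on disk the hit sits; this decides what the finding means."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"   # only reachable once System Restore is off
    if "\\quarantine\\" in p:
        return "quarantine"      # already neutralised by another product
    if "\\temp\\" in p:
        return "temp"
    return "live"


def parse_report(text: str) -> list[Detection]:
    """Parse eScan result lines; lines of any other shape are skipped."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        if m.group("threat"):
            name, action = m.group("threat"), m.group("action")
        else:
            name, action = m.group("tag"), "No Action Taken"
        found.append(Detection(m.group("path"), name, action,
                               classify_location(m.group("path"))))
    return found


def triage(detections: list[Detection]) -> dict:
    """Summarise what still needs attention after the scan."""
    restore_left = [d.path for d in detections if d.location == "restore-point"]
    # Only non-"not-a-virus" hits on live files point at an active infection;
    # quarantine, Temp and restore-point copies are inert until restored or run.
    live_malware = [(d.path, d.name, d.action) for d in detections
                    if d.location == "live" and not d.name.startswith("not-a-virus:")]
    # "File Renamed" means the file is still on disk under a new name.
    renamed = [d.path for d in detections if d.action == "File Renamed"]
    return {
        "actions": dict(Counter(d.action for d in detections)),
        "locations": dict(Counter(d.location for d in detections)),
        "restore_point_files": restore_left,
        "live_malware": live_malware,
        "renamed_not_deleted": renamed,
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The restore_point_files list is the part the helper is talking about: a non-empty list after a scan means the disable-System-Restore-and-rescan step still has to be done, whatever the rest of the report looks like.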
Disabled system restore, ran eScan again, nothing came up. Looks clean now; it's been over 12 hours of PC runtime and not a trace of the dialer, but I'll update Windows and check HJT once in a while to keep my PC in check. Thanks very much for all the help. JaPK
Ok, that is great to hear. If problems occur then just post here and we'll help you. And yes, update your Windows and Internet Explorer -> http://windowsupdate.microsoft.com/ You are welcome =)
Can you please guide me through this again? PLEASE PLEASE, I HAVE THE SAME PROBLEM! CAN YOU PLEASE MAKE IT EASIER?? THANKS A LOT!!!
Hi aasimn. And yes, we can help you out =) First, create a NEW thread for your problem and post a HijackThis log there. Just follow these instructions -> http://forums.afterdawn.com/thread_view.cfm/263784 (steps 3, 4, 5)
Ok, let's try again.
Download HijackThis from here -> http://koti.mbnet.fi/pattaya1/lataus/hijackthis_self.exe
Save it to your desktop. Then go to your desktop and double-click the file hijackthis_self.exe
Press the OK button. [Don't mind the Finnish text =)]
Then press the Unzip button. Then press the OK button.
IF HijackThis doesn't open automatically, go to C:\HJT and double-click the file hijackthis.exe
Then (in HijackThis) press the "Do a system scan and save a log file" button. Wait while it creates the log.
When it is ready, the log opens in a Notepad window. Go to this document, select all text with your mouse and copy it. Then paste the log into your new thread.