#1 (permalink)
Registered User
Join Date: Mar 2005
Posts: 71
OS: several computers:xp,2000,98se,ME,linux

spyware downloader?
You all are the best! I don't know what I would do without you. Here's a quirky computer that is perpetuating adware/spyware. I have run all scans according to "Please read this before posting". Spybot found rapid blaster, wild tangent, access.exe, emusic, IEAccess3.inf, various evil tracking cookies, and e-group. I let it fix what it could, but I know it is not clean. Log created with Hi-Jack Analyzer follows:
#2 (permalink)
Assistant Manager, Microsoft Support
Join Date: Jan 2005
Location: Six-burgh, Pennsylvania
Posts: 14,171
OS: XP Home SP3/XP Pro SP3/Vista Ultimate SP2/Windows 7 Professional

Hello and Welcome to TSF
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

You have an outdated version of HJT. Please download the newer version, HiJackThis 1.99.1. Delete the outdated one and use this newer one for your fix.

Run this if you haven't already:
Download / Install / Update / and Run: Adaware SE. Check for any updates before running it.

Get the plug-in for fixing VX2 variants. You can download it at this SITE. To run this tool, install to the hard drive, then open Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection.

Scan your PC with one of these free online scanners: Panda ActiveScan, RAV AntiVirus, Housecall. Be sure to put a check in the box beside AutoClean.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. You will use this later.

Go to My Computer > Tools > View > Folder Options tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
Webdialer
MarketBrowser

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
O4 - HKCU\..\Run: [li-domid00063] c:\program files\Webdialer\li-domid00063[1].exe -m
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-d...zard3.0.4.3.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://stream10k.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/154924628a1301...tzip/RdxIE6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intuit.com/store/executables/ie/IDA.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared...,16/mcgdmgr.cab
O16 - DPF: {E3F7205F-2AE0-4BF0-816B-2D24A5F20EC7} - http://usa-download.strip-player.co...tup_minsize.cab

Please remember to close all other windows, including browsers, then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
c:\program files\Webdialer
C:\Program Files\MarketBrowser

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Empty your Recycle Bin.

Reboot your System in normal mode.

Please post a fresh Hijack This log so that we can check if your system is clean.
__________________
![]() ![]() Compare NOD32 to your current antivirus and anti-spyware solution, HERE How to back up and restore the registry in Windows XP and Windows Vista Or Windows 7 How to back up and restore the registry in Windows 98/ ME / NT 4.0 / 2000 I DO NOT ACCEPT EMAILS AND WILL NOT REPLY TO THEM !!!!! TSF DOES NOT SUPPORT ASSISTANCE THROUGH EMAIL OR PRIVATE MESSAGES, PLEASE KEEP ALL QUESTIONS IN THE OPEN FORUM The Pittsburgh Steelers - 6 X Superbowl Champions !!!!!!! The Pittsburgh Penguins - 2009 Stanley Cup Champions !!!!!!!
Last edited by Geekgirl; 04-11-2005 at 10:25 AM. |

#3 (permalink)
Registered User
Join Date: Mar 2005
Posts: 71
OS: several computers:xp,2000,98se,ME,linux

Here's my new log

#4 (permalink)
Assistant Manager, Microsoft Support
Join Date: Jan 2005
Location: Six-burgh, Pennsylvania
Posts: 14,171
OS: XP Home SP3/XP Pro SP3/Vista Ultimate SP2/Windows 7 Professional

Hello again
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Please disable Spybot's TeaTimer before continuing with the fix.

Go to My Computer > Tools > View > Folder Options tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs if they exist:
Webdialer

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any):

O4 - HKCU\..\Run: [li-domid00063] c:\program files\Webdialer\li-domid00063[1].exe -m
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} -
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
O16 - DPF: {E3F7205F-2AE0-4BF0-816B-2D24A5F20EC7} -
O23 - Service: Winkmla - Unknown owner - C:\WINDOWS\System32\Winkmla.exe (file missing)

Please remember to close all other windows, including browsers, then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
c:\program files\Webdialer
C:\WINDOWS\System32\Winkmla.exe

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Empty your Recycle Bin.

Reboot your System in normal mode.

Please post a fresh Hijack This log so that we can check if your system is clean.
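The re-check requested at the end of each round above (post a fresh log after "Fix checked") can be done mechanically. The following is an added example, not part of the thread and not HijackThis's own code: it keys each entry on its section code plus registry value name or CLSID, so a DPF entry that comes back without its URL still counts as present. The function names are hypothetical and the two sample inputs are constructed from entries quoted in the posts above.

```python
import re

# One log entry is "<section code> - <detail>", e.g. "O4 - HKCU\..\Run: [name] cmd".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2})\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_NAME_RE = re.compile(r"^\[([^\]]+)\]")   # value name of an O4 registry autorun


def entry_key(line):
    """Return (section, identity) for an entry line, or None for any other line.

    The identity ignores the data part (URL, path), so an entry is recognised
    again even if the scanner prints it with different or missing data.
    """
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    code, detail = m.group(1), m.group(2)
    label, sep, rest = detail.partition(": ")
    label = label.lower() if sep else ""
    clsid = CLSID_RE.search(detail)
    if clsid:                                   # O3, O9, O16 ...: CLSID is the identity
        return (code, label + "|" + clsid.group(0).upper())
    run_name = RUN_NAME_RE.match(rest) if sep else None
    if code == "O4" and run_name:               # hive + value name, not the command line
        return (code, label + "|" + run_name.group(1).lower())
    if " = " in detail:                         # R0/R1 values, O4 startup shortcuts
        return (code, detail.split(" = ", 1)[0].lower())
    return (code, detail.split(" - ", 1)[0].lower())   # e.g. "service: <name>"


def parse_log(text):
    """Map entry key -> original line for every entry line in a log."""
    entries = {}
    for line in text.splitlines():
        key = entry_key(line)
        if key is not None:
            entries[key] = line.strip()
    return entries


def _norm(line):
    return " ".join(line.split()).lower()


def still_present(fix_list, fresh_log):
    """Entries from the fix list that appear again in the fresh scan.

    Returns (key, line_in_fresh_log, changed) tuples; changed is True when the
    entry survived in a different form, such as a DPF line with its URL gone.
    """
    fresh = parse_log(fresh_log)
    hits = []
    for line in fix_list.splitlines():
        key = entry_key(line)
        if key is not None and key in fresh:
            hits.append((key, fresh[key], _norm(line) != _norm(fresh[key])))
    return hits


# Constructed sample: four of the entries the first fix list asked to check.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
O4 - HKCU\..\Run: [li-domid00063] c:\program files\Webdialer\li-domid00063[1].exe -m
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://stream10k.redhotnetworks.com/cabs/videox.cab
"""

# Constructed sample: a shortened follow-up scan in the same layout.
FRESH_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\Browser MOUSE\mouse32a.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\system32\BELKIN\F5D5050\PostCopy.exe
O4 - HKCU\..\Run: [li-domid00063] c:\program files\Webdialer\li-domid00063[1].exe -m
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKEN3\billmind.exe
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} -
O23 - Service: Winkmla - Unknown owner - C:\WINDOWS\System32\Winkmla.exe (file missing)
"""

if __name__ == "__main__":
    for key, line, changed in still_present(FIX_LIST, FRESH_LOG):
        print("STILL PRESENT" + (" (changed)" if changed else ""), "::", line)
```

A whole-line comparison would report the O16 entry as removed because its URL is gone; matching on the CLSID shows it is still registered.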

#5 (permalink)
Registered User
Join Date: Mar 2005
Posts: 71
OS: several computers:xp,2000,98se,ME,linux

web dialer is still there
Here's the new log. I don't know how webdialer can still be there. It didn't show as a program I could delete, and I was able to select it in HJT.

#6 (permalink)
Assistant Manager, Microsoft Support
Join Date: Jan 2005
Location: Six-burgh, Pennsylvania
Posts: 14,171
OS: XP Home SP3/XP Pro SP3/Vista Ultimate SP2/Windows 7 Professional

Download Killbox
Paste the full file path in the box and click on "Delete on Reboot". Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes".

c:\program files\Webdialer\li-domid00063[1].exe -m

Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any):

O4 - HKCU\..\Run: [li-domid00063] c:\program files\Webdialer\li-domid00063[1].exe -m

Please remember to close all other windows, including browsers, then click Fix checked.

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Empty your Recycle Bin.

Reboot your System in normal mode.

Please post a fresh Hijack This log so that we can check if your system is clean.

#7 (permalink)
Registered User
Join Date: Mar 2005
Posts: 71
OS: several computers:xp,2000,98se,ME,linux

No luck with lidomid00063[1].exe -m
I have repeated the killbox/HJT process + cleanup etc. multiple times and have failed to remove the webdialer, which, by the way does not seem to exist anywhere in program files. I'm stumped.
New HJT log from analyzer:

#8 (permalink)
Assistant Manager, Microsoft Support
Join Date: Jan 2005
Location: Six-burgh, Pennsylvania
Posts: 14,171
OS: XP Home SP3/XP Pro SP3/Vista Ultimate SP2/Windows 7 Professional

STARTDRECK
Download StartDreck. Unzip to its own folder and start the program:

Press 'Config'
Press 'mark all'
Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'
Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

#9 (permalink)
Registered User
Join Date: Mar 2005
Posts: 71
OS: several computers:xp,2000,98se,ME,linux

Log after running startdreck
You are being very patient....thanks. Dreck log:
*SHELL=Explorer.exe *Userinit=C:\WINDOWS\system32\userinit.exe, »Files »Autostart Folders »Current User *C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Billminder.lnk *C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini *C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Introducing Media Manager.lnk *C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Quicken Startup.lnk »Default User *C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini »Local Machine *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AdSubtract.lnk *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Corel Registration.lnk *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CorelCENTRAL 10.lnk *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Application Director 9.LNK *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\FlashPath Monitor.lnk *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk »INI-Files »WIN.INI\[windows] *LOAD= *RUN= »SYSTEM.INI\[boot] *SHELL=Explorer.exe »Text Files *C:\boot.ini `[boot loader] `default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS `[operating systems] `multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows Whistler Personal" /fastdetect /NoExecute=OptIn *C:\msdos.sys *C:\config.sys *C:\WINDOWS\system32\config.nt `dos=high, umb `device=%SystemRoot%\system32\himem.sys `files=40 *C:\autoexec.bat *C:\WINDOWS\system32\autoexec.nt `@echo off `lh %SystemRoot%\system32\mscdexnt.exe `lh %SystemRoot%\system32\redir `lh %SystemRoot%\system32\dosx `SET 
BLASTER=A220 I5 D1 P330 T3 *C:\WINDOWS\wininit.ini `[Rename] `NUL= `NUL= *C:\WINDOWS\system32\drivers\etc\hosts `127.0.0.1 localhost `127.0.0.1 AdSubtract # Added by AdSubtract for auto-dial. `127.0.0.1 ie3.proxy.aol.com # Added by AdSubtract for AOL support. »Program Files *C:\ntldr *C:\ntdetect.com *C:\io.sys *C:\WINDOWS\system32\win.com *C:\WINDOWS\explorer.exe »%PATH% Companion Files +C:\WINDOWS\system32\notepad.exe *C:\WINDOWS\notepad.exe +C:\WINDOWS\system32\ps2.EXE *C:\WINDOWS\system32\ps2.bat +C:\WINDOWS\system32\slrundll.exe *C:\WINDOWS\slrundll.exe +C:\WINDOWS\system32\taskman.exe *C:\WINDOWS\taskman.exe +C:\WINDOWS\system32\winhlp32.exe *C:\WINDOWS\winhlp32.exe »System/Drivers »VMM32Files (LM) »%System%\VMM32 »%System%\IOSUBSYS »Application specific »MS Office 97/8.0 STARTUP-PATH »Current User »Default User »Local Machine »ICQ NetDetect »Current User »Default User |
#10 (permalink) |
|
Assistant Manager, Microsoft Support
Join Date: Jan 2005
Location: Six-burgh, Pennsylvania
Posts: 14,171
OS: XP Home SP3/XP Pro SP3/Vista Ultimate SP2/Windows 7 Professional
|
Did you look for WebDialer in Add/Remove Programs?
Try doing a search for the file on your system, and let me know the results.
#11 (permalink) |
|
Registered User
Join Date: Mar 2005
Posts: 71
OS: several computers:xp,2000,98se,ME,linux
|
results of my search
I searched for webdialer and domid00063[1].exe -m without luck; however, I found some information on Trend Micro's web site that makes me think I had files remaining from Troj_Dialer.B. A scan did not find the trojan; however, I did follow their manual removal suggestions and found one registry entry I could delete. After that I rebooted, ran HJT and made another log from the analyzer. Looks to me like it's gone. Break out the champagne?
==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\AdSubtract\adsub.exe O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor O4 - Global Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 6:41:49 PM, on 4/13/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe C:\Program Files\Browser MOUSE\mouse32a.exe C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\system32\BELKIN\F5D5050\PostCopy.exe O4 - Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKEN3\billmind.exe O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe O4 - Global Startup: CorelCENTRAL 10.lnk = ? O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKEN3\bagent.exe O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKEN3\QWDLLS.EXE O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...2/mcinsctl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100539434015 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe (file missing) O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe End of KRC HijackThis Analyzer Log. ==================================================================== |
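The before/after check described in post #11, as an added example that is not part of the thread or of either tool: it reads the Current User Run values from a StartDreck listing and from a HijackThis `O4` listing, normalises them, and reports which values disappeared or changed. The sample lines are excerpts of the logs posted above, re-broken one entry per line (an assumption about their original layout); the function names are hypothetical.

```python
import re

# Excerpts from the two logs posted in this thread, re-broken one entry per
# line (assumed original layout; the page shows both logs flattened).
STARTDRECK_BEFORE = r'''
»Current User
»Run
*McAfee.InstantUpdate.Monitor="C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
*li-domid00063=c:\program files\Webdialer\li-domid00063[1].exe -m
'''
HJT_AFTER = r'''
O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\system32\BELKIN\F5D5050\PostCopy.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
'''

def _norm(cmd):
    # The two tools differ in quoting and case; compare on a canonical form.
    return cmd.replace('"', "").strip().lower()

def parse_startdreck_run(text):
    # StartDreck lists each Run value as "*name=command"; section headers
    # (lines starting with ») are skipped, so pass one section at a time.
    out = {}
    for line in text.splitlines():
        m = re.match(r"\*([^=]+)=(.*)$", line.strip())
        if m:
            out[m.group(1).strip().lower()] = _norm(m.group(2))
    return out

def parse_hjt_run(text, hive):
    # HijackThis lists the same values as "O4 - <hive>\..\Run: [name] command".
    pat = re.compile(r"O4 - " + re.escape(hive) + r"\\\.\.\\Run: \[([^\]]+)\]\s*(.*)$")
    out = {}
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:
            out[m.group(1).strip().lower()] = _norm(m.group(2))
    return out

def compare(before, after):
    # removed: value gone after cleanup; changed: same name, different command.
    removed = {k: v for k, v in before.items() if k not in after}
    changed = {k: (v, after[k]) for k, v in before.items()
               if k in after and after[k] != v}
    return removed, changed

if __name__ == "__main__":
    removed, changed = compare(parse_startdreck_run(STARTDRECK_BEFORE),
                               parse_hjt_run(HJT_AFTER, "HKCU"))
    print("removed:", removed)
    print("changed:", changed)
```

A value that is absent from the Run key only shows the autostart entry is gone; whether the file it pointed to still exists on disk is a separate check.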
#12 (permalink) |
|
Assistant Manager, Microsoft Support
Join Date: Jan 2005
Location: Six-burgh, Pennsylvania
Posts: 14,171
OS: XP Home SP3/XP Pro SP3/Vista Ultimate SP2/Windows 7 Professional
|
I'll bring the glasses
Your log is clean. Are you having any problems? If not, you're set to go. It would probably be a good idea to set a "new" system restore point. Follow these instructions:
Turn off System Restore by doing the following: Click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then Click OK. Then you can go ahead and Enable again.
To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.