HJT log can someone please help?

[jrwestham]

Adaware has found 2 "Dialers" in the registery:-

Vendorialer
Categoryialer
Object Type:RegValue
Size:1 Bytes
Location:.DEFAULT\software\microsoft\windows\currentversion\run ""
Last Activity:08-07-05
Risk Level:Low
TAC index:5
Comment:""
Description:Generic dialer, installed unsolicited

Vendorialer
Categoryialer
Object Type:RegValue
Size:1 Bytes
Location:software\microsoft\windows\currentversion\run ""
Last Activity:08-07-05
Risk Level:Low
TAC index:5
Comment:""
Description:Generic dialer, installed unsolicited.

I have run HJT so can someone please have a look as I cant seem to get rid
of them.

Logfile of HijackThis v1.99.1
Scan saved at 11:35:50, on 08/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\EPSON\SAGENT95.EXE
C:\PROGRAM FILES\EPSON\EBRR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\BT YAHOO! HELP\SMARTBRIDGE\BTHELPNOTIFIER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\EPSON\STMS.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BT YAHOO! HELP\BIN\MPBTN.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geocities.com/oldbeals/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~1\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SAgent95ExePath] c:\program files\Epson\SAgent95.exe
O4 - Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo! Help\bin\matcli.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\Program Files\Epson\Stms.exe
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\PROGRAM FILES\YAHOO!\BROWSER\YSIDEBARIE.DLL
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\PROGRAM FILES\YAHOO!\BROWSER\YSIDEBARIE.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/bt/yregucfg.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/motivedocs/BTYahoo!Help/PreQual/files/MotivePreQual.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

many thanks
JR

 

[khazars]

hi, welcome to TSG.


If your comfortable editing the registry you can manually uninstall it? you'll need to find which keys the pest resides, your log above doesn't say but it will probably be either htose 2 below or both of them.


If your not comfortable just run the tools and scanners.


hkey local machine
hkey current user


you can back up the registry first in case anything goes wrong.


Export registry subkeys
You can follow these steps to export a registry subkey before you edit it.

Note Do not follow these steps to export a whole registry subtree. (HKEY_CURRENT_USER is an example of such a subtree.) If you must back up whole registry subtrees, back up the whole registry instead.
1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate and then click the subkey that contains the value that you want to edit.
4. On the File menu, click Export.
5. In the Save in box, select a location where you want to save the Registration Entries (.reg) file, type a file name in the File name box, and then click Save.


go to start\run\type regedit\click ok\navigate to
hkey local machine\software\microsoft\windows\currentversion\run click run and you will see entries in the left hand side, right click and delete the entry which looks suspicious, their should be legitimate entries in there!


do the same for this reg key

hkey current user\software\microsoft\windows\currentversion\run


download ccleaner

http://www.ccleaner.com/


* Install CCleaner
* Launch CCleaner and look in the upper right corner and click on the "Options" button.
* Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
* Click OK
* Do not run CCleaner yet. You will run it later in safe mode.


Click on the Issues tab, uncheck both boxes Registry Integrity and File
Integrity
Click the Applications tab, scroll down to the Multimedia section and uncheck
Macromedia Flash Player.



Download adaware Se 1.6 and update it.

Set adaware to do a full system scan and deselect, "search for neglible risk
entries". Click next to start the scan. Delete everything adaware finds.



Also update spybot's search and destroy, make sure you have the newer version of 1.4
and run a full scan



Now run ccleaner.


Run an online antivirus check from

http://www.kaspersky.com/beta?product=161744315

you will need to input a name
and email adress but anyone will do & then acccept an active X control IT IS
SAFE to do so LET IT FIX WHATEVER IT FINDS

 

[khazars]

oops can't adaware clean them, just click on the reg keys in adaware and doesn't it take you to the keys and then delete them? don't delete the keys, I mean the entries in the keys.

 

[jrwestham]

Khazars,
Adaware finds them I select them and it says they have been deleted
but if you run Adaware again it finds them again

 

[khazars]

did you try editing the registry your self and run those progs I told you to?

 

[jrwestham]

I have downloaded and run the programs you said. Only Adaware found the 2
Dialers still:-

Vendorialer
Categoryialer
Object Type:RegValue
Size:1 Bytes
Location:.DEFAULT\software\microsoft\windows\currentversion\run ""
Last Activity:08-07-05
Risk Level:Low
TAC index:5
Comment:""
Description:Generic dialer, installed unsolicited.

I'm not to happy about manually deleting the registery enteries

 

[khazars]

what is the name of the programme that adaware is finding?

 

[khazars]

ok, I've asked a mod to come and have a look at this, they will no doubt run a reg fix for this for ya!

 

[jrwestham]

Vendorialer
Categoryialer
Object Type:RegValue
Size:1 Bytes
Location:software\microsoft\windows\currentversion\run ""
Last Activity:08-07-05
Risk Level:Low
TAC index:5
Comment:""
Description:Generic dialer, installed unsolicited.

I have managed to find 1 of them but the one above keeps
coming up when I run Adaware

 

[Cookiegal]

Panda Active Scan. Be sure to save the log it creates and post it here please.

Download the Registry Search Tool here:

http://www.billsway.com/vbspage/

Unzip it and run it. If your antivirus interferes you may have to disable script blocking in the antivirus. Copy and Paste the following in the search box:

Generic Dialer

Copy and paste the results here as well.

 

[jrwestham]

Cookie,
the Panda active scan found this:-

Incident Status Location

Adware:Adware/Tibs No disinfected C:\lo-?????????.exe
Adware:Adware/Tibs No disinfected C:\lo-749008211.exe
But the other program found nothing for a Generic dialer

thanks JR

 

[jrwestham]

I deleted the files that the Pandasoft active scan found but Adaware still showed a registery problem ???? I have only just noticed that the Adaware was not the latest version 1.06. I have updated and run Adaware again and everything looks ok. Thanks for all your help
JR

 

[Cookiegal]

You're welcome.

I also recommend downloading SPYWAREBLASTER & SPYWAREGUARD for added protection.


Read here for info on how to tighten your security.