HJT log can someone please help?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

jrwestham

Thread Starter
Joined
Dec 3, 2003
Messages
83
Adaware has found 2 "Dialers" in the registry:-

Vendor:Dialer
Category:Dialer
Object Type:RegValue
Size:1 Bytes
Location:.DEFAULT\software\microsoft\windows\currentversion\run ""
Last Activity:08-07-05
Risk Level:Low
TAC index:5
Comment:""
Description:Generic dialer, installed unsolicited

Vendor:Dialer
Category:Dialer
Object Type:RegValue
Size:1 Bytes
Location:software\microsoft\windows\currentversion\run ""
Last Activity:08-07-05
Risk Level:Low
TAC index:5
Comment:""
Description:Generic dialer, installed unsolicited.

I have run HJT so can someone please have a look as I can't seem to get rid of them.

Logfile of HijackThis v1.99.1
Scan saved at 11:35:50, on 08/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\EPSON\SAGENT95.EXE
C:\PROGRAM FILES\EPSON\EBRR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\BT YAHOO! HELP\SMARTBRIDGE\BTHELPNOTIFIER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\EPSON\STMS.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BT YAHOO! HELP\BIN\MPBTN.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geocities.com/oldbeals/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~1\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SAgent95ExePath] c:\program files\Epson\SAgent95.exe
O4 - Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo! Help\bin\matcli.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\Program Files\Epson\Stms.exe
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\PROGRAM FILES\YAHOO!\BROWSER\YSIDEBARIE.DLL
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\PROGRAM FILES\YAHOO!\BROWSER\YSIDEBARIE.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/bt/yregucfg.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/motivedocs/BTYahoo!Help/PreQual/files/MotivePreQual.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

many thanks
JR
 
Joined
Feb 15, 2004
Messages
12,302
hi, welcome to TSG.


If you're comfortable editing the registry you can manually uninstall it? You'll need to find which keys the pest resides in; your log above doesn't say, but it will probably be either of those 2 below or both of them.


If you're not comfortable, just run the tools and scanners.


hkey local machine
hkey current user


you can back up the registry first in case anything goes wrong.


Export registry subkeys
You can follow these steps to export a registry subkey before you edit it.

Note Do not follow these steps to export a whole registry subtree. (HKEY_CURRENT_USER is an example of such a subtree.) If you must back up whole registry subtrees, back up the whole registry instead.
1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate and then click the subkey that contains the value that you want to edit.
4. On the File menu, click Export.
5. In the Save in box, select a location where you want to save the Registration Entries (.reg) file, type a file name in the File name box, and then click Save.


go to start\run\type regedit\click ok\navigate to
hkey local machine\software\microsoft\windows\currentversion\run, click run and you will see entries in the left hand side, right click and delete the entry which looks suspicious; there should be legitimate entries in there!


do the same for this reg key

hkey current user\software\microsoft\windows\currentversion\run


download ccleaner

http://www.ccleaner.com/


* Install CCleaner
* Launch CCleaner and look in the upper right corner and click on the "Options" button.
* Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
* Click OK
* Do not run CCleaner yet. You will run it later in safe mode.


Click on the Issues tab, uncheck both boxes Registry Integrity and File
Integrity
Click the Applications tab, scroll down to the Multimedia section and uncheck
Macromedia Flash Player.



Download adaware Se 1.6 and update it.

Set adaware to do a full system scan and deselect "search for negligible risk entries". Click next to start the scan. Delete everything adaware finds.



Also update Spybot Search & Destroy, make sure you have the newer version 1.4, and run a full scan.



Now run ccleaner.


Run an online antivirus check from

http://www.kaspersky.com/beta?product=161744315

you will need to input a name and email address but anyone will do & then accept an ActiveX control IT IS SAFE to do so LET IT FIX WHATEVER IT FINDS
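The reply above notes that the HijackThis log "doesn't say" where the Ad-Aware hits live. As an added example (not from the thread, from HijackThis or from Ad-Aware), this Python snippet parses the O4 lines in the HijackThis 1.99.1 format and the Location lines from Ad-Aware's report, then checks per candidate hive whether the log lists that key at all and whether it lists a value with the reported name; the sample lines are constructed from the thread, and treating a hive-less Ad-Aware path as HKLM or HKCU is an assumption.

```python
import re

# Constructed sample: O4 lines in the HijackThis v1.99.1 format quoted in the thread.
HJT_SAMPLE = r'''
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
'''
# Constructed sample: the Location lines of the two Ad-Aware findings (RegValue, empty name).
ADAWARE_SAMPLE = r'''
Location:.DEFAULT\software\microsoft\windows\currentversion\run ""
Location:software\microsoft\windows\currentversion\run ""
'''
# O4 - <hive>\..\<key>: [<value name>] <command>; an empty value name shows as "[]".
O4_RE = re.compile(r'^O4 - (?P<hive>\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
LOC_RE = re.compile(r'^Location:(?P<path>\S+) "(?P<name>[^"]*)"$')

def parse_hjt_o4(text):
    """{(hive, key): [(value_name, command), ...]}; 'O4 - Startup:' lines are shortcut files and are skipped."""
    entries = {}
    for m in filter(None, map(O4_RE.match, text.splitlines())):
        entries.setdefault((m['hive'], m['key']), []).append((m['name'], m['cmd']))
    return entries

def parse_adaware_locations(text):
    """[(candidate_hives, key, value_name), ...] from Ad-Aware Location lines."""
    found = []
    for m in filter(None, map(LOC_RE.match, text.splitlines())):
        path = m['path']
        if path.lower().startswith('.default\\'):
            hives, rest = ('HKU\\.DEFAULT',), path.split('\\', 1)[1]  # default-user profile under HKEY_USERS
        else:  # Assumption: no hive prefix means HKLM or HKCU, the two keys the reply above suggests checking
            hives, rest = ('HKLM', 'HKCU'), path
        found.append((hives, rest.rsplit('\\', 1)[-1].capitalize(), m['name']))
    return found

def compare(hjt_text, adaware_text):
    """Per Ad-Aware finding: for each candidate hive, is the value listed, absent, or is the key missing?"""
    o4 = parse_hjt_o4(hjt_text)
    report = []
    for hives, key, name in parse_adaware_locations(adaware_text):
        status = {}
        for hive in hives:
            values = o4.get((hive, key))
            status[hive] = ('key not in log' if values is None else
                            'value listed' if any(n == name for n, _ in values) else 'key in log, value absent')
        report.append((key, name, status))
    return report
```

Run against the thread's own lines, the HKU\.DEFAULT and HKCU Run keys come back as not covered by the log at all, and the HKLM Run key is listed without any empty-named value, which is why the log alone cannot confirm or rule out the Ad-Aware hits.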
 
Joined
Feb 15, 2004
Messages
12,302
Oops, can't Adaware clean them? Just click on the reg keys in Adaware and doesn't it take you to the keys, and then delete them? Don't delete the keys, I mean the entries in the keys.
 

jrwestham

Thread Starter
Joined
Dec 3, 2003
Messages
83
Khazars,
Adaware finds them I select them and it says they have been deleted
but if you run Adaware again it finds them again
 
Joined
Feb 15, 2004
Messages
12,302
Did you try editing the registry yourself and running those progs I told you to?
 

jrwestham

Thread Starter
Joined
Dec 3, 2003
Messages
83
I have downloaded and run the programs you said. Only Adaware found the 2
Dialers still:-

Vendor:Dialer
Category:Dialer
Object Type:RegValue
Size:1 Bytes
Location:.DEFAULT\software\microsoft\windows\currentversion\run ""
Last Activity:08-07-05
Risk Level:Low
TAC index:5
Comment:""
Description:Generic dialer, installed unsolicited.

I'm not too happy about manually deleting the registry entries.
 
Joined
Feb 15, 2004
Messages
12,302
ok, I've asked a mod to come and have a look at this, they will no doubt run a reg fix for this for ya!
 

jrwestham

Thread Starter
Joined
Dec 3, 2003
Messages
83
Vendor:Dialer
Category:Dialer
Object Type:RegValue
Size:1 Bytes
Location:software\microsoft\windows\currentversion\run ""
Last Activity:08-07-05
Risk Level:Low
TAC index:5
Comment:""
Description:Generic dialer, installed unsolicited.

I have managed to find 1 of them but the one above keeps
coming up when I run Adaware
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,109
Panda Active Scan. Be sure to save the log it creates and post it here please.

Download the Registry Search Tool here:

http://www.billsway.com/vbspage/

Unzip it and run it. If your antivirus interferes you may have to disable script blocking in the antivirus. Copy and Paste the following in the search box:

Generic Dialer

Copy and paste the results here as well.
 

jrwestham

Thread Starter
Joined
Dec 3, 2003
Messages
83
Cookie,
the Panda active scan found this:-

Incident Status Location

Adware:Adware/Tibs No disinfected C:\lo-?????????.exe
Adware:Adware/Tibs No disinfected C:\lo-749008211.exe
But the other program found nothing for a Generic dialer

thanks JR
 

jrwestham

Thread Starter
Joined
Dec 3, 2003
Messages
83
I deleted the files that the Pandasoft active scan found but Adaware still showed a registry problem ???? I have only just noticed that the Adaware was not the latest version 1.06. I have updated and run Adaware again and everything looks ok. Thanks for all your help
JR
 