Author Topic: cant remove all win32:dialer-1026 after boots time scan  (Read 130732 times)

0 Members and 1 Guest are viewing this topic.

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #60 on: September 14, 2007, 05:23:30 PM »
hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:06 PM, on 9/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\TM Net\tmnet streamyx dialer\fts.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\WinClamAVShield\sp_clamsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\TM Net\Diagnostic Tool\tmnet connect.exe
C:\Program Files\TM Net\tmnet streamyx dialer\fwportal.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bitcomet.com/client/install-finish/?l=en_us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [%FP%TM Net fts.exe] "C:\Program Files\TM Net\tmnet streamyx dialer\fts.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Storm Codec\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download Image with Download Manager - tbr:iemenudownload
O8 - Extra context menu item: Download URL in selection with Download Manager - tbr:iemenudownsel
O8 - Extra context menu item: Download URL with Download Manager - tbr:iemenudownload
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {7606693A-C18D-4567-AF85-6194FF70761E} (GomWeb Control) - http://app.gomtv.com/gom/GomWeb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AC7128B-89DD-482E-9BAB-F1114D458B8F}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 8180 bytes

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #61 on: September 14, 2007, 05:32:27 PM »
Review this list of scheduled tasks - have you put these there?

Quote
Contents of the 'Scheduled Tasks' folder
"2007-09-12 16:00:00 C:\WINDOWS\Tasks\At1.job"
"2007-09-08 01:00:00 C:\WINDOWS\Tasks\At10.job"
"2007-08-31 19:00:00 C:\WINDOWS\Tasks\At100.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-08-31 20:00:00 C:\WINDOWS\Tasks\At101.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-08-30 04:15:12 C:\WINDOWS\Tasks\At102.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-08-30 04:15:12 C:\WINDOWS\Tasks\At103.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-08-30 04:15:12 C:\WINDOWS\Tasks\At104.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-08-30 04:15:12 C:\WINDOWS\Tasks\At105.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-08 01:00:00 C:\WINDOWS\Tasks\At106.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-13 02:00:00 C:\WINDOWS\Tasks\At107.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 03:00:00 C:\WINDOWS\Tasks\At108.job"
"2007-09-12 04:00:00 C:\WINDOWS\Tasks\At109.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-13 02:00:00 C:\WINDOWS\Tasks\At11.job"
"2007-09-02 05:00:00 C:\WINDOWS\Tasks\At110.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-10 06:00:00 C:\WINDOWS\Tasks\At111.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 07:00:00 C:\WINDOWS\Tasks\At112.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 08:00:00 C:\WINDOWS\Tasks\At113.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 09:00:00 C:\WINDOWS\Tasks\At114.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 10:00:00 C:\WINDOWS\Tasks\At115.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-09 11:00:00 C:\WINDOWS\Tasks\At116.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 12:00:00 C:\WINDOWS\Tasks\At117.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 13:00:00 C:\WINDOWS\Tasks\At118.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 14:00:00 C:\WINDOWS\Tasks\At119.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 03:00:01 C:\WINDOWS\Tasks\At12.job"
"2007-09-12 15:00:00 C:\WINDOWS\Tasks\At120.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 04:00:00 C:\WINDOWS\Tasks\At13.job"
"2007-09-02 05:00:00 C:\WINDOWS\Tasks\At14.job"
"2007-09-10 06:00:00 C:\WINDOWS\Tasks\At15.job"
"2007-09-12 07:00:00 C:\WINDOWS\Tasks\At16.job"
"2007-09-12 08:00:00 C:\WINDOWS\Tasks\At17.job"
"2007-09-12 09:00:00 C:\WINDOWS\Tasks\At18.job"
"2007-09-12 10:00:00 C:\WINDOWS\Tasks\At19.job"
"2007-09-12 17:00:00 C:\WINDOWS\Tasks\At2.job"
"2007-09-09 11:00:00 C:\WINDOWS\Tasks\At20.job"
"2007-09-12 12:00:00 C:\WINDOWS\Tasks\At21.job"
"2007-09-12 13:00:00 C:\WINDOWS\Tasks\At22.job"
"2007-09-12 14:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\p1gkLQOH.exe
"2007-09-12 15:00:00 C:\WINDOWS\Tasks\At24.job"
"2007-09-12 18:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\p1gkLQOH.exe
"2007-08-31 19:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\p1gkLQOH.exe
"2007-08-31 20:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\p1gkLQOH.exe
"2007-08-01 06:40:41 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\p1gkLQOH.exe
"2007-08-01 06:40:41 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\p1gkLQOH.exe
"2007-09-12 16:01:00 C:\WINDOWS\Tasks\At73.job"
"2007-09-12 17:01:00 C:\WINDOWS\Tasks\At74.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 18:01:00 C:\WINDOWS\Tasks\At75.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-08-31 19:01:00 C:\WINDOWS\Tasks\At76.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-08-31 20:01:00 C:\WINDOWS\Tasks\At77.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-08-11 13:35:52 C:\WINDOWS\Tasks\At78.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-08-11 13:35:52 C:\WINDOWS\Tasks\At79.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-08-01 06:40:41 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\p1gkLQOH.exe
"2007-08-11 13:35:52 C:\WINDOWS\Tasks\At80.job"
"2007-08-11 13:35:52 C:\WINDOWS\Tasks\At81.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-08 01:02:02 C:\WINDOWS\Tasks\At82.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-13 02:02:10 C:\WINDOWS\Tasks\At83.job"
"2007-09-12 03:02:06 C:\WINDOWS\Tasks\At84.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 04:02:08 C:\WINDOWS\Tasks\At85.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-02 05:03:00 C:\WINDOWS\Tasks\At86.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-10 06:02:09 C:\WINDOWS\Tasks\At87.job"
"2007-09-12 07:02:03 C:\WINDOWS\Tasks\At88.job"
"2007-09-12 08:01:00 C:\WINDOWS\Tasks\At89.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-08-09 00:00:30 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\p1gkLQOH.exe
"2007-09-12 09:01:00 C:\WINDOWS\Tasks\At90.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 10:01:00 C:\WINDOWS\Tasks\At91.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-09 11:03:00 C:\WINDOWS\Tasks\At92.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 12:01:54 C:\WINDOWS\Tasks\At93.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 13:01:00 C:\WINDOWS\Tasks\At94.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 14:02:04 C:\WINDOWS\Tasks\At95.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 15:01:00 C:\WINDOWS\Tasks\At96.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 16:00:00 C:\WINDOWS\Tasks\At97.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 17:00:00 C:\WINDOWS\Tasks\At98.job"
"2007-09-12 18:00:00 C:\WINDOWS\Tasks\At99.job"
- C:\WINDOWS\system32\010M3X7k.exe

[/quote]

what is this means??

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #62 on: September 14, 2007, 05:33:37 PM »
C:\WINDOWS\system32\msavpw1.dll

result:

Antivirus Version Last Update Result
AhnLab-V3 2007.9.14.0 2007.09.14 -
AntiVir 7.6.0.10 2007.09.14 TR/Spy.Gen
Authentium 4.93.8 2007.09.14 -
Avast 4.7.1043.0 2007.09.14 -
AVG 7.5.0.485 2007.09.14 PSW.OnlineGames.FLV
BitDefender 7.2 2007.09.14 BehavesLike:Win32.ExplorerHijack
CAT-QuickHeal 9.00 2007.09.14 -
ClamAV 0.91.2 2007.09.14 -
DrWeb 4.33 2007.09.14 BACKDOOR.Trojan
eSafe 7.0.15.0 2007.09.13 -
eTrust-Vet 31.1.5135 2007.09.14 Win32/Inhoo!generic
Ewido 4.0 2007.09.14 -
FileAdvisor 1 2007.09.14 -
Fortinet 3.11.0.0 2007.09.14 W32/Small.CD48!tr
F-Prot 4.3.2.48 2007.09.13 -
F-Secure 6.70.13030.0 2007.09.14 W32/Malware.AFEA
Ikarus T3.1.1.12 2007.09.14 BehavesLikeWin32.ExplorerHijack
Kaspersky 4.0.2.24 2007.09.14 -
McAfee 5119 2007.09.13 -
Microsoft 1.2803 2007.09.14 -
NOD32v2 2530 2007.09.14 probably a variant of Win32/Genetik
Norman 5.80.02 2007.09.14 W32/Malware.AFEA
Panda 9.0.0.4 2007.09.14 Generic Trojan
Prevx1 V2 2007.09.14 -
Rising 19.40.42.00 2007.09.14 Trojan.PSW.Win32.OnlineGames.xuf
Sophos 4.21.0 2007.09.14 Mal/Behav-010
Sunbelt 2.2.907.0 2007.09.13 Win32.ExplorerHijack
Symantec 10 2007.09.14 Infostealer.Gampass
TheHacker 6.2.5.059 2007.09.14 -
VBA32 3.12.2.4 2007.09.14 suspected of Trojan-PSW.Game.58 (paranoid heuristics)
VirusBuster 4.3.26:9 2007.09.14 -
Webwasher-Gateway 6.0.1 2007.09.14 Trojan.Spy.Gen
Additional information
File size: 27136 bytes
MD5: df2b99ae949759f752b89191fc5244ba
SHA1: 20d01f5f661b54062c81f4cba1d617e2a464d3ad

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #63 on: September 14, 2007, 05:40:58 PM »
below is some files that i feel may b it is thread also then i send to virustotal scan. below is result:

C:\WINDOWS\system32\msavpw0.dll


Antivirus Version Last Update Result
AhnLab-V3 2007.9.14.0 2007.09.14 -
AntiVir 7.6.0.10 2007.09.14 TR/Spy.Gen
Authentium 4.93.8 2007.09.14 -
Avast 4.7.1043.0 2007.09.14 -
AVG 7.5.0.485 2007.09.14 PSW.OnlineGames.FLV
BitDefender 7.2 2007.09.14 BehavesLike:Win32.ExplorerHijack
CAT-QuickHeal 9.00 2007.09.14 -
ClamAV 0.91.2 2007.09.14 -
DrWeb 4.33 2007.09.14 BACKDOOR.Trojan
eSafe 7.0.15.0 2007.09.13 -
eTrust-Vet 31.1.5135 2007.09.14 Win32/Inhoo!generic
Ewido 4.0 2007.09.14 -
FileAdvisor 1 2007.09.14 -
Fortinet 3.11.0.0 2007.09.14 W32/Small.CD48!tr
F-Prot 4.3.2.48 2007.09.13 -
F-Secure 6.70.13030.0 2007.09.14 W32/Malware.AFEA
Ikarus T3.1.1.12 2007.09.14 BehavesLikeWin32.ExplorerHijack
Kaspersky 4.0.2.24 2007.09.14 -
McAfee 5119 2007.09.13 -
Microsoft 1.2803 2007.09.14 -
NOD32v2 2530 2007.09.14 probably a variant of Win32/Genetik
Norman 5.80.02 2007.09.14 W32/Malware.AFEA
Panda 9.0.0.4 2007.09.14 Generic Trojan
Prevx1 V2 2007.09.14 -
Rising 19.40.42.00 2007.09.14 Trojan.PSW.Win32.OnlineGames.xuf
Sophos 4.21.0 2007.09.14 Mal/Behav-010
Sunbelt 2.2.907.0 2007.09.13 Win32.ExplorerHijack
Symantec 10 2007.09.14 Infostealer.Gampass
TheHacker 6.2.5.059 2007.09.14 -
VBA32 3.12.2.4 2007.09.14 suspected of Trojan-PSW.Game.58 (paranoid heuristics)
VirusBuster 4.3.26:9 2007.09.14 -
Webwasher-Gateway 6.0.1 2007.09.14 Trojan.Spy.Gen
Additional information
File size: 27136 bytes
MD5: df2b99ae949759f752b89191fc5244ba
SHA1: 20d01f5f661b54062c81f4cba1d617e2a464d3ad


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #64 on: September 14, 2007, 05:42:49 PM »
Review this list of scheduled tasks - have you put these there?

Quote
Contents of the 'Scheduled Tasks' folder
<snip>
"2007-09-09 11:03:00 C:\WINDOWS\Tasks\At92.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 12:01:54 C:\WINDOWS\Tasks\At93.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 13:01:00 C:\WINDOWS\Tasks\At94.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 14:02:04 C:\WINDOWS\Tasks\At95.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 15:01:00 C:\WINDOWS\Tasks\At96.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-09-12 16:00:00 C:\WINDOWS\Tasks\At97.job"
- C:\WINDOWS\system32\010M3X7k.exe
"2007-09-12 17:00:00 C:\WINDOWS\Tasks\At98.job"
"2007-09-12 18:00:00 C:\WINDOWS\Tasks\At99.job"
- C:\WINDOWS\system32\010M3X7k.exe
what is this means??

It means that these have scheduled task entries to run the files listed and you will no doubt have noticed that these match files detected as infected so I doubt you created the scheduled tasks but the malware created these to ensure your continued infected status.

You should also send the msavpw1.dll and msavpw0.dll files to virus @ avast.com (without the spaces), zipped and password protected.
« Last Edit: September 14, 2007, 05:44:54 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #65 on: September 14, 2007, 05:56:28 PM »
C:\WINDOWS\system32\msxml4.dll result:

Antivirus Version Last Update Result
AhnLab-V3 2007.9.14.0 2007.09.14 -
AntiVir 7.6.0.10 2007.09.14 -
Authentium 4.93.8 2007.09.14 -
Avast 4.7.1043.0 2007.09.14 -
AVG 7.5.0.485 2007.09.14 -
BitDefender 7.2 2007.09.14 -
CAT-QuickHeal 9.00 2007.09.14 -
ClamAV 0.91.2 2007.09.14 -
DrWeb 4.33 2007.09.14 -
eSafe 7.0.15.0 2007.09.13 -
eTrust-Vet 31.1.5135 2007.09.14 -
Ewido 4.0 2007.09.14 -
FileAdvisor 1 2007.09.14 No threat detected, but known vulnerabilities exist
Fortinet 3.11.0.0 2007.09.14 -
F-Prot 4.3.2.48 2007.09.13 -
F-Secure 6.70.13030.0 2007.09.14 -
Ikarus T3.1.1.12 2007.09.14 -
Kaspersky 4.0.2.24 2007.09.14 -
McAfee 5119 2007.09.13 -
Microsoft 1.2803 2007.09.14 -
NOD32v2 2530 2007.09.14 -
Norman 5.80.02 2007.09.14 -
Panda 9.0.0.4 2007.09.14 -
Prevx1 V2 2007.09.14 -
Rising 19.40.42.00 2007.09.14 -
Sophos 4.21.0 2007.09.14 -
Sunbelt 2.2.907.0 2007.09.13 -
Symantec 10 2007.09.14 -
TheHacker 6.2.5.059 2007.09.14 -
VBA32 3.12.2.4 2007.09.14 -
VirusBuster 4.3.26:9 2007.09.14 -
Webwasher-Gateway 6.0.1 2007.09.14 -
Additional information
File size: 1233920 bytes
MD5: 44e45bd9327abc0540593e809b32f3ca
SHA1: 1e7b38866279ae11c74d37da14d701995d6de689
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=44e45bd9327abc0540593e809b32f3ca

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #66 on: September 14, 2007, 06:13:26 PM »
i never create the task. And i find a very strange folder, name catroot and catroot2.
Location is at C:\WINDOWS\system32\CatRoot2 and C:\WINDOWS\system32\CatRoot.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #67 on: September 14, 2007, 07:26:49 PM »
That is why it asks you created them as a motivation to check if you did and if not to remove the scheduled tasks.

See this link re Catroot folders, http://support.microsoft.com/kb/822798.
« Last Edit: September 14, 2007, 07:28:23 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #68 on: September 14, 2007, 08:47:34 PM »
i never create the task.
This is why WinPatrol could protect you against this malware behavior (creation of tasks).
www.winpatrol.com
The best things in life are free.

mauserme

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #69 on: September 14, 2007, 08:54:33 PM »
We're making progress.  Just a little more and we should be done (I hope  :D).

Download WinPFind3u.exe  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
      <list of options>
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #70 on: September 15, 2007, 06:55:13 AM »
i never create the task.
This is why WinPatrol could protect you against this malware behavior (creation of tasks).
www.winpatrol.com

Then which in the task i should remove it??

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #71 on: September 15, 2007, 07:09:23 AM »
WinPFind3 logfile created on: 9/15/2007 12:57:53 PM
WinPFind3U by OldTimer - Version 1.0.42   Folder = C:\Documents and Settings\Calciver\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)
 
1022.42 Mb Total Physical Memory | 566.99 Mb Available Physical Memory | 55.46% Memory free
2.40 Gb Paging File | 1.93 Gb Available in Paging File | 80.24% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 135.31 Gb Free Space | 90.78% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: HOME-E8AEAB07C2
Current User Name: Calciver
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 6:06:10 PM | Attr =    ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 9/6/2007 6:05:42 PM | Attr =    ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 9/6/2007 6:06:04 PM | Attr =    ]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 9/6/2007 6:04:44 PM | Attr =    ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 9/6/2007 5:54:58 PM | Attr =    ]
ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4152 | Size = 430080 bytes | Modified Date = 11/22/2006 11:18:36 AM | Attr =    ]
ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4152 | Size = 430080 bytes | Modified Date = 11/22/2006 11:18:36 AM | Attr =    ]
cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 9/25/2006 9:12:20 AM | Attr =    ]
cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 9/25/2006 9:12:20 AM | Attr =    ]
cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 9/25/2006 9:12:20 AM | Attr =    ]
cmdagent.exe -> %ProgramFiles%\Comodo\Firewall\cmdagent.exe -> COMODO [Ver = 2.4.0.20 | Size = 361040 bytes | Modified Date = 8/20/2007 6:10:56 PM | Attr =    ]
cpf.exe -> %ProgramFiles%\Comodo\Firewall\cpf.exe -> COMODO [Ver = 2.4.0.58 | Size = 1115728 bytes | Modified Date = 8/20/2007 6:10:56 PM | Attr =    ]
ctoolbar.exe -> %ProgramFiles%\Crawler\Toolbar\CToolbar.exe -> Crawler.com [Ver = 5.0.0.90 | Size = 1862144 bytes | Modified Date = 9/6/2007 4:44:26 AM | Attr =    ]
fts.exe -> %ProgramFiles%\TM Net\tmnet streamyx dialer\fts.exe -> Friendly Technologies [Ver = 3, 0, 0, 0 | Size = 77312 bytes | Modified Date = 1/7/2004 2:37:52 PM | Attr =    ]
fwportal.exe -> %ProgramFiles%\TM Net\tmnet streamyx dialer\FWPortal.exe -> Friendly Technologies [Ver = 3.0.0.9 | Size = 800256 bytes | Modified Date = 2/3/2005 2:32:48 PM | Attr =    ]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 9/3/2007 10:37:50 PM | Attr =    ]
nbservice.exe -> %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe -> Nero AG [Ver = 2, 10, 3, 2 | Size = 800040 bytes | Modified Date = 6/29/2007 7:16:56 PM | Attr =    ]
nmbgmonitor.exe -> %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe -> Nero AG [Ver = 2,0,16,0 | Size = 152872 bytes | Modified Date = 6/27/2007 7:03:40 PM | Attr =    ]
nmindexingservice.exe -> %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe -> Nero AG [Ver = 2,0,16,0 | Size = 279848 bytes | Modified Date = 6/27/2007 7:04:00 PM | Attr =    ]
nmindexstoresvr.exe -> %CommonProgramFiles%\Ahead\Lib\NMIndexStoreSvr.exe -> Nero AG [Ver = 2,0,16,0 | Size = 1213736 bytes | Modified Date = 6/27/2007 7:04:00 PM | Attr =    ]
soundman.exe -> %SystemRoot%\soundman.exe -> Realtek Semiconductor Corp. [Ver = 5, 1, 0, 56 | Size = 577536 bytes | Modified Date = 8/3/2006 5:12:36 AM | Attr =    ]
sp_rsser.exe -> %ProgramFiles%\Spyware Terminator\sp_rsser.exe -> Crawler.com [Ver = 2.0.0.181 | Size = 966656 bytes | Modified Date = 9/13/2007 11:54:36 PM | Attr =    ]
spywareterminatorshield.exe -> %ProgramFiles%\Spyware Terminator\SpywareTerminatorShield.exe -> Crawler.com [Ver = 2.0.0.175 | Size = 2778112 bytes | Modified Date = 9/13/2007 11:50:44 PM | Attr =    ]
stserver.exe -> %ProgramFiles%\Spyware Terminator\STServer.Exe -> Crawler.com [Ver = 2.0.0.52 | Size = 915968 bytes | Modified Date = 9/13/2007 11:48:22 PM | Attr =    ]
tmnet connect.exe -> %ProgramFiles%\TM Net\Diagnostic Tool\tmnet connect.exe ->  [Ver = 1, 0, 0, 1 | Size = 122880 bytes | Modified Date = 4/4/2005 12:43:32 PM | Attr =    ]
winpatrol.exe -> %ProgramFiles%\BillP Studios\WinPatrol\WinPatrol.exe -> BillP Studios [Ver = 12, 0, 2007, 6 | Size = 292152 bytes | Modified Date = 9/14/2007 5:00:34 AM | Attr =    ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 9/6/2007 5:54:58 PM | Attr =    ]
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4152 | Size = 430080 bytes | Modified Date = 11/22/2006 11:18:36 AM | Attr =    ]
(ATI Smart) ATI Smart [Win32_Own | Auto | Stopped] -> %System32%\ati2sgag.exe ->  [Ver = 5.13.0025 | Size = 520192 bytes | Modified Date = 11/22/2006 10:52:00 AM | Attr =    ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 9/6/2007 6:06:04 PM | Attr =    ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 9/6/2007 6:05:42 PM | Attr =    ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 9/6/2007 6:04:44 PM | Attr =    ]
(CmdAgent) Comodo Application Agent [Win32_Own | Auto | Running] -> %ProgramFiles%\Comodo\Firewall\cmdagent.exe -> COMODO [Ver = 2.4.0.20 | Size = 361040 bytes | Modified Date = 8/20/2007 6:10:56 PM | Attr =    ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 8:56:50 AM | Attr =    ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 8/31/2007 1:49:44 AM | Attr =    ]
(NBService) NBService [Win32_Own | Auto | Running] -> %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe -> Nero AG [Ver = 2, 10, 3, 2 | Size = 800040 bytes | Modified Date = 6/29/2007 7:16:56 PM | Attr =    ]
(NMIndexingService) NMIndexingService [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe -> Nero AG [Ver = 2,0,16,0 | Size = 279848 bytes | Modified Date = 6/27/2007 7:04:00 PM | Attr =    ]
(rpcapd) Remote Packet Capture Protocol v.0 (experimental) [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\WinPcap\rpcapd.exe ->  [Ver =  | Size = 77824 bytes | Modified Date = 4/4/2003 2:54:50 PM | Attr =    ]
(sp_clamsrv) Spyware Terminator Clam Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\WinClamAVShield\sp_clamsrv.exe -> Crawler.com [Ver = 1.1.0.14 | Size = 320000 bytes | Modified Date = 6/19/2007 6:53:08 AM | Attr =    ]
(sp_rssrv) Spyware Terminator Realtime Shield Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Spyware Terminator\sp_rsser.exe -> Crawler.com [Ver = 2.0.0.181 | Size = 966656 bytes | Modified Date = 9/13/2007 11:54:36 PM | Attr =    ]

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #72 on: September 15, 2007, 07:12:20 AM »
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
%FP%TM Net fts.exe -> %ProgramFiles%\TM Net\tmnet streamyx dialer\fts.exe -> Friendly Technologies [Ver = 3, 0, 0, 0 | Size = 77312 bytes | Modified Date = 1/7/2004 2:37:52 PM | Attr =    ]
ATICCC -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLIStart.exe ->  [Ver =  | Size = 90112 bytes | Modified Date = 9/25/2006 9:12:20 AM | Attr =    ]
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 6:06:10 PM | Attr =    ]
COMODO Firewall Pro -> %ProgramFiles%\Comodo\Firewall\cpf.exe -> COMODO [Ver = 2.4.0.58 | Size = 1115728 bytes | Modified Date = 8/20/2007 6:10:56 PM | Attr =    ]
NeroFilterCheck -> %CommonProgramFiles%\Ahead\Lib\NeroCheck.exe -> Nero AG [Ver = 1, 0, 0, 6 | Size = 153136 bytes | Modified Date = 3/1/2007 3:57:24 PM | Attr =    ]
QuickTime Task -> %ProgramFiles%\Storm Codec\QTTask.exe -> Apple Inc. [Ver = 7.2 | Size = 286720 bytes | Modified Date = 6/29/2007 6:24:52 AM | Attr =    ]
SoundMan -> %SystemRoot%\soundman.exe -> Realtek Semiconductor Corp. [Ver = 5, 1, 0, 56 | Size = 577536 bytes | Modified Date = 8/3/2006 5:12:36 AM | Attr =    ]
SpywareTerminator -> %ProgramFiles%\Spyware Terminator\SpywareTerminatorShield.exe -> Crawler.com [Ver = 2.0.0.175 | Size = 2778112 bytes | Modified Date = 9/13/2007 11:50:44 PM | Attr =    ]
StormCodec_Helper -> %ProgramFiles%\Storm Codec\StormSet.exe ->  [Ver =  | Size = 97357 bytes | Modified Date = 11/27/2006 2:30:28 AM | Attr =    ]
WinPatrol -> %ProgramFiles%\BillP Studios\WinPatrol\winpatrol.exe -> BillP Studios [Ver = 12, 0, 2007, 6 | Size = 292152 bytes | Modified Date = 9/14/2007 5:00:34 AM | Attr =    ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #73 on: September 15, 2007, 07:13:10 AM »
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} -> %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe -> Nero AG [Ver = 2,0,16,0 | Size = 152872 bytes | Modified Date = 6/27/2007 7:03:40 PM | Attr =    ]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 9/3/2007 10:37:50 PM | Attr =    ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.0.0 | Size = 29696 bytes | Modified Date = 12/14/2004 4:44:06 AM | Attr =    ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{0EA66AD2-CF26-2E23-532B-B292E22F3266} [HKLM] -> Reg Data - Value does not exist [] -> File not found
{759AFD5B-159F-ACD8-954C-ACD545FA6587} [HKLM] -> Reg Data - Value does not exist [jzgpri.dll] -> File not found
{86AAC8D7-BA19-48AC-9269-3C76A52642EC} [HKLM] -> %System32%\msavpw1.dll [Extr rising hook MS] ->  [Ver =  | Size = 27136 bytes | Modified Date = 8/4/2004 8:56:50 AM | Attr =    ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
AtiExtEvent -> %System32%\ati2evxx.dll -> ATI Technologies Inc. [Ver = 6.14.10.4152 | Size = 90112 bytes | Modified Date = 11/22/2006 11:19:40 AM | Attr =    ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\LinkResolveIgnoreLinkInfo -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoResolveSearch -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ ->  ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\\NoResolveTrack -> 1 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\LinkResolveIgnoreLinkInfo -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\Shell\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ ->  ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1       localhost ->  ->
< Internet Explorer Settings > ->  ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://www.google.com/ie ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar -> http://www.google.com/ie ->
HKCU: Search Page -> http://www.google.com ->
HKCU: Start Page -> http://www.yahoo.com/ ->
HKCU: SearchAssistant -> http://www.google.com/ie ->

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #74 on: September 15, 2007, 07:14:38 AM »
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] ->  ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 7.0.0.2004121400 | Size = 63136 bytes | Modified Date = 12/14/2004 1:56:50 AM | Attr =    ]
{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} [HKLM] -> %ProgramFiles%\Crawler\Toolbar\ctbr.dll [] -> Crawler.com [Ver = 5.0.0.119 | Size = 1122816 bytes | Modified Date = 9/6/2007 4:44:20 AM | Attr =    ]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} [HKLM] -> %ProgramFiles%\BitComet\tools\BitCometBHO_1.1.7.4.dll [BitComet Helper] -> BitComet [Ver = 20070704 | Size = 513336 bytes | Modified Date = 7/5/2007 12:28:28 AM | Attr =    ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 8/31/2007 1:49:42 AM | Attr = R  ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> %ProgramFiles%\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 2, 0, 301, 7164 | Size = 325048 bytes | Modified Date = 9/3/2007 10:37:50 PM | Attr =    ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 8/31/2007 1:49:42 AM | Attr = R  ]
{4B3803EA-5230-4DC3-A7FC-33638F3D3542} [HKLM] -> %ProgramFiles%\Crawler\Toolbar\ctbr.dll [&Crawler Toolbar] -> Crawler.com [Ver = 5.0.0.119 | Size = 1122816 bytes | Modified Date = 9/6/2007 4:44:20 AM | Attr =    ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 8/31/2007 1:49:42 AM | Attr = R  ]
WebBrowser\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} [HKLM] -> %ProgramFiles%\Crawler\Toolbar\ctbr.dll [&Crawler Toolbar] -> Crawler.com [Ver = 5.0.0.119 | Size = 1122816 bytes | Modified Date = 9/6/2007 4:44:20 AM | Attr =    ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{461CC20B-FB6E-4f16-8FE8-C29359DB100E} -> Reg Data - Value does not exist [ButtonText: BitComet Search] -> File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
&D&ownload &with BitComet -> %ProgramFiles%\BitComet\BitComet.exe\AddLink.htm -> File not found
&D&ownload all video with BitComet -> %ProgramFiles%\BitComet\BitComet.exe\AddVideo.htm -> File not found
&D&ownload all with BitComet -> %ProgramFiles%\BitComet\BitComet.exe\AddAllLink.htm -> File not found
Crawler Search ->  -> File not found
Download Image with Download Manager ->  -> File not found
Download URL in selection with Download Manager ->  -> File not found
Download URL with Download Manager ->  -> File not found
E&xport to Microsoft Excel ->  -> File not found
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ->
SV1 ->  ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{BEBBDBC7-7013-4F5D-BA31-E3893A9E05B0} ->    (VIA Rhine II Fast Ethernet Adapter) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
tbr -> %ProgramFiles%\Crawler\Toolbar\ctbr.dll -> Crawler.com [Ver = 5.0.0.119 | Size = 1122816 bytes | Modified Date = 9/6/2007 4:44:20 AM | Attr =    ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{39B0684F-D7BF-4743-B050-FDC3F48F7E3B} -> FilePlanet Download Control Class - CodeBase = http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab ->
{48884C41-EFAC-433D-958A-9FADAC41408E} -> EGamesPlugin Class - CodeBase = https://www.e-games.com.my/com/EGamesPlugin.cab ->
{5F5F9FB8-878E-4455-95E0-F64B2314288A} -> ijjiPlugin2 Class - CodeBase = http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab ->
{7606693A-C18D-4567-AF85-6194FF70761E} -> GomWeb Control - CodeBase = http://app.gomtv.com/gom/GomWeb.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} ->  - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->