Solved

Dialer 6G

Posted on 2004-04-21
Last Modified: 2010-04-12
Two days ago AVG warned me I had the Trojan Dialer 6G. I let it remove the file to the virus vault and deleted it. I then used TZ Spyware remover to check for spyware and removed some cookies that it reported. AVG reported my system clean this morning. However, about an hour ago it reported the same Trojan. Can anyone help me remove this Trojan from my Windows 2k system?
Question by:Al_Shepstone
5 Comments
 
LVL 12

Expert Comment

by:rossfingal
ID: 10883455
Hi!

Download Hijack This from:
http://www.spywareinfo.com/%7Emerijn/downloads.html

Before you run it, install it in its own folder, not in a temp file or on your Desktop.
Make sure you have all browser windows closed.
Run it and don't fix anything yet - post your log file here and we'll take a look at it.
Please be patient - we have a lot of these logs to look at!

Good luck!
0
 

Author Comment

by:Al_Shepstone
ID: 10886355
Logfile of HijackThis v1.97.7
Scan saved at 08:40:07, on 22/04/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\cidaemon.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\WINNT\explorer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ntvdm.exe
C:\Downloads\HiJack-Trojan\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pop.popuptoast.com/9891/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://pop.popuptoast.com/9891/search/search.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\SYSTEM32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\downloads\qt\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autoclose /waitstart /waitmore
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\RunOnce: [gi773292166] "C:\DOCUME~1\ALISTA~1\LOCALS~1\Temp\13A3NRVH\Setup\Resume.exe" "C:\Program Files\LabJack\DAQFactoryInstall\Setup.exe" /resume:"C:\DOCUME~1\ALISTA~1\LOCALS~1\Temp\13A3NRVH" "Please insert a first setup disk or map network drive with file C:\Program Files\LabJack\DAQFactoryInstall\Setup.exe" "DAQFactory"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

0
 
LVL 12

Accepted Solution

by:
rossfingal earned 200 total points
ID: 10887476
Hi!
You've got a few things that look suspicious.
The following entries should probably be fixed using Hijack This:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pop.popuptoast.com/9891/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://pop.popuptoast.com/9891/search/search.html
R3 - Default URLSearchHook is missing

Not sure what this is, but usually it's a red flag when something is running from a temp file.
O4 - HKCU\..\RunOnce: [gi773292166] "C:\DOCUME~1\ALISTA~1\LOCALS~1\Temp\13A3NRVH\Setup\Resume.exe" "C:\Program Files\LabJack\DAQFactoryInstall\Setup.exe" /resume:"C:\DOCUME~1\ALISTA~1\LOCALS~1\Temp\13A3NRVH" "Please insert a first setup disk or map network drive with file C:\Program Files\LabJack\DAQFactoryInstall\Setup.exe" "DAQFactory"

After you ran a check for viruses, did you empty your recycle bin and clean out temp files? Sometimes things like to hide there.
Don't see much else that looks bad. You have some services running that may not be necessary - check out the following site for some good info:
http://www.blackviper.com/WIN2K/servicecfg.htm

Good luck!
0
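
The two checks applied by eye in the accepted answer above (an Internet Explorer search setting pointing at an unfamiliar host, and a startup entry launching from a Temp folder) can be scripted. This is an added example, not part of the original thread or of HijackThis itself; the function names and the analyst-supplied trusted_hosts allowlist are assumptions, and the sample lines are excerpted (one abridged) from the log posted above.

```python
import re
from urllib.parse import urlsplit

# Excerpt of the HijackThis log posted in this thread (RunOnce line abridged).
SAMPLE_LOG = r'''
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pop.popuptoast.com/9891/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\RunOnce: [gi773292166] "C:\DOCUME~1\ALISTA~1\LOCALS~1\Temp\13A3NRVH\Setup\Resume.exe" "C:\Program Files\LabJack\DAQFactoryInstall\Setup.exe"
'''

R_LINE = re.compile(r'^(R[01]) - (?P<key>[^=]+?) = (?P<url>\S+)\s*$')
O4_LINE = re.compile(r'^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
TEMP_DIR = re.compile(r'\\(temp|tmp)\\', re.IGNORECASE)

def first_program(cmd):
    """Return the program path of a startup command (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.(?:exe|com|bat|cmd|scr))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def triage(log_text, trusted_hosts):
    """Flag entries for manual review; trusted_hosts is the analyst's own allowlist (assumption)."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        r = R_LINE.match(line)
        if r:  # IE start/search setting that carries a URL; empty values are not checked here
            host = (urlsplit(r['url']).hostname or '').lower()
            if host and host not in trusted_hosts:
                findings.append(('ie-setting-untrusted-host', host, line))
            continue
        o = O4_LINE.match(line)
        if o and TEMP_DIR.search(first_program(o['cmd'])):
            # Autostart whose program lives under a Temp directory
            findings.append(('autostart-from-temp', o['name'], line))
    return findings

if __name__ == '__main__':
    for kind, subject, raw in triage(SAMPLE_LOG, {'www.google.co.uk'}):
        print(f'{kind}: {subject}\n    {raw}')
```

A hit only means "look at this entry"; as in the answer above, the RunOnce item may turn out to be a legitimate installer resume step.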
 

Author Comment

by:Al_Shepstone
ID: 10916303
Thanks for your help - PC has been clear the past three days.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 10918756
Hi!

Glad someone could help!

Thanks and good luck!
0
