Dialer and problem with google

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DrMaestro, Jan 20, 2005.

  1. DrMaestro

    DrMaestro Private E-2

    Hi,

    I have a lot of problems with spyware and dialers. 2 days ago, while the computer was booting, a dialer started to run asking me which country I was in, and also a second window popped up showing a progress bar and telling me that it was preparing a plug-in. I promptly opened Windows Task Manager and shut down those two windows. In the processes window I saw three files with the tmp extension. Their names change every time I boot the computer and the dialer starts up (like tmp2.tmp, tmp1a.tmp, etc.). If I shut down those tmp files, the dialer and the plug-in window disappear. I also noticed that in my startup menu there is a file named winupdate25230341[1].exe, which when executed loads the dialer. When I tried to open Internet Explorer I saw that my homepage had changed to a porn site which cannot be corrected. I also saw that when I made a search using Google, the first page always tells me it found 75.000.000 results, whatever the search topic is, and the search results are not correct. If I go to the second page and return to the first page again, this time the search results are normal.
    So what I did was to scan my computer with Ad-Aware and then Spybot. I had to run them a few times. Ad-Aware found some spyware, cleaned it, and on consecutive scans it told me my computer was clean. However Spybot found 3 files. Those were TIBS (C:\Program Files\WebSiteViewer), DSO Exploit (4 entries) and Haxdoor-H (C:\Windows\System32\klogini.dll). When it tried to clean them it gave the error "The application or DLL c:\Windows\system32\klogini.dll is not a valid Windows image. Please check this against your installation diskette", so it failed to clean Haxdoor-H but told me the other files were cleaned. But on subsequent checks all of the files were detected again, which means Spybot couldn't delete them at all. At this point I started to surf the internet forums and I was lucky to find this site. I read the topic "READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal" and applied everything told there until step 6. My present situation is as follows: I think all of the files found by Spybot are cleaned now because it tells me my computer is clean. None of the software mentioned in the READ ME detected the winupdate file, so I used msconfig to stop it loading in the startup. My computer boots without the dialer if I exclude it from startup. The porn site has disappeared and I can choose any site I want as startup page. But my problem with Google's search results still continues, which is a real annoyance because first of all I cannot be sure that I cleaned every spyware possible and cannot be sure if my computer is secure, and also I don't want to have to change pages a few times in Google to see the real results. I know it has been a long post but I am trying to give as much detail as possible. So if there is anyone who could help me I'll be grateful.
     
  2. PhilliePhan

    PhilliePhan Guest

    Please go ahead and send us a HijackThis Log from Normal Windows Boot. Please be sure to follow the instructions below:
    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’m not around this forum too often these days, but somebody will try to take a look when they get a chance.

    PP :)
     
  3. DrMaestro

    DrMaestro Private E-2

    Hi,

    Thank you very much for your interest. While examining the forum threads I saw that there were other people having problems with the Google fake page. As my HijackThis log showed I had the same C:\WINDOWS\System32\DSMANA~1.DLL file, I took the liberty of deleting it with KillBox. Now Google seems to work again. But I think I still need help with my HijackThis log, so I didn't fix anything with it. Probably I'll have to remove those two missing file entries. But I have no idea about other entries, so any help is appreciated. Also I'll need some guidance about removing the winupdate25230341[1].exe file from the startup to be able to boot without using msconfig to exclude it from loading.

    Thanks again
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi DrMaestro,

    I will need the full path for that winupdate25230341[1].exe so that you can Copy&Paste and feed it to Pocket KillBox .

    You'll need to temporarily uncheck it in MSConfig, reboot and then run HijackThis and select MiscTools and Generate Startup Log and then attach a copy of the Startup Log. Or, if you already know the full path, navigate to it in KillBox and select the option to Delete on Reboot and do so.

    The HJT log entries I didn't like are these:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.superonline.com
    O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL (file missing)
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{AA2F7EE5-4D50-492A-B29B-AC882CE0DED0}: NameServer = 10.0.0.2
    I imagine these two entries to be work-related? Do you recognize the above and below to be legitimate and needed?
    O23 - Service: Magicview300 - Unknown - C:\WINDOWS\System32\srvany.exe

    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)

    PP :)
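    A small triage script, added here as an illustration of the reasoning in the reply above (it is not from the thread, from MajorGeeks or from HijackThis itself): entries marked "(file missing)" or "(no file)" are dead hooks and go straight to the fix list, while browser start pages, O16 ActiveX downloads, the O17 NameServer and unknown O23 services are flagged for review unless they match an obviously benign pattern. The sample lines are the ones quoted above; the trusted-host list and the severity labels are my own assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample: exactly the HijackThis lines quoted in the reply above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL (file missing)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA2F7EE5-4D50-492A-B29B-AC882CE0DED0}: NameServer = 10.0.0.2
O23 - Service: Magicview300 - Unknown - C:\WINDOWS\System32\srvany.exe
"""

# Assumed allow-list: O16 download hosts accepted without review (my choice, not HJT's).
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")


def triage(line):
    """Classify one HJT line as 'fix', 'review' or 'info' and give a short reason."""
    kind = line.split(" - ", 1)[0].strip()
    if "(file missing)" in line or "(no file)" in line:
        return "fix", "hook points at a file that no longer exists: dead remnant, safe to remove"
    if kind in ("R0", "R1"):
        value = line.split("=", 1)[1].strip() if "=" in line else ""
        if value in ("", "about:blank"):
            return "info", "blank browser setting"
        return "review", "browser setting points at %s; keep only if the user chose it" % value
    if kind == "O16":
        m = re.search(r"https?://([^/\s]+)", line)
        host = m.group(1).lower() if m else ""
        if any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS):
            return "info", "ActiveX control from a well-known vendor"
        return "review", "ActiveX control from %s; fix it, it can be downloaded again if needed" % host
    if kind == "O17":
        m = re.search(r"NameServer\s*=\s*([\d.]+)", line)
        if m and ip_address(m.group(1)).is_private:
            return "info", "DNS server %s is a private LAN address, typically the router" % m.group(1)
        return "review", "DNS server is a public address; confirm it is the ISP resolver, not a hijack"
    if kind == "O23":
        return "review", "service of unknown origin; confirm the binary and who installed it"
    return "info", "no rule for this entry type"


def triage_log(text):
    """Run triage over every non-blank line; returns [(severity, reason, line), ...]."""
    return [triage(ln) + (ln,) for ln in text.splitlines() if ln.strip()]
```

    Calling triage_log(SAMPLE_LOG) reproduces the reply's verdicts: the two missing-file hooks come out as "fix", the O17 entry is "info" because 10.0.0.2 is a private address, and the rest are left for the user to confirm.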
     
  5. DrMaestro

    DrMaestro Private E-2

    Hi,

    The full path for winupdate25230341[1].exe is C:\Documents and Settings\Artur\Start Menu\Programs\Startup\winupdate25230341[1].exe . Now, I think this is a problematic location because if I exclude it from msconfig, it directly deletes it from the startup directory. If I recheck it, the file is created in this location again. That means: if I uncheck it in msconfig, Pocket KillBox won't be able to delete it because it's not there. If I don't uncheck it, KillBox may be able to delete it but there is a possibility that it will load itself before being deleted. What I did is to check it, then go to the directory, make a backup copy in case things go wrong, delete the file, uncheck it, then check it again. Now the file is not created anymore. But the reference to the file's location is still present in msconfig's startup window and I'd like to be able to delete it from there too. Any opinions or help will be appreciated.

    In HiJackThis I fixed the following entries:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.superonline.com
    O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL (file missing)
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)

    I didn't fix the following entries yet:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank -------- I set my homepage to be blank. Maybe this line is a reference to it. I can fix it if you think it may be a problem

    O17 - HKLM\System\CCS\Services\Tcpip\..\{AA2F7EE5-4D50-492A-B29B-AC882CE0DED0}: NameServer = 10.0.0.2 ---- This IP is my ADSL modem's IP. Maybe this line is a reference to it, so I'm reluctant to delete it.

    O23 - Service: Magicview300 - Unknown - C:\WINDOWS\System32\srvany.exe --------- It is work related

    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...iveSecurity.cab ----- I am not sure about this entry. I did not create it. I tried to go to the address mentioned but I am not allowed to enter the site. I've searched Google for activesecurity.cab and it is found in a lot of HijackThis logs. Sometimes it is advised to be removed and sometimes it is not. Maybe it is part of an online virus or spyware scanner or maybe a malicious code. If you think it may cause a problem I can fix it.
    Thank you very much again...
     
  6. PhilliePhan

    PhilliePhan Guest

    Hi DrMaestro,

    Happy to help! :)

    Pressed for time, so I'll be brief!

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank OK if that's what you want

    O17 - HKLM\System\CCS\Services\Tcpip\..\{AA2F7EE5-4D50-492A-B29B-AC882CE0DED0}: NameServer = 10.0.0.2 OK - That's what I suspected

    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...curity.cab FIX this one - The way I see the 016 items, if it turns out to be something you need, just download it again

    As far as this one goes: C:\Documents and Settings\Artur\Start Menu\Programs\Startup\winupdate25230341[1].exe
    If you were able to delete it with KillBox, then I suppose we could go after it with Regedit and remove it from the registry. Let me know.

    PP :)
     
    Last edited by a moderator: Jan 21, 2005
  7. DrMaestro

    DrMaestro Private E-2

    Hi,

    As you advised, I fixed O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...curity.cab with HijackThis. Pocket KillBox deleted the C:\Documents and Settings\Artur\Start Menu\Programs\Startup\winupdate25230341[1].exe file. So I think the last thing to do will be to remove its entry from startup. So I would be grateful if you could help me with that. (How am I going to find this entry with regedit?)

    Thank you very much again. Without your help my computer could be in ruins now...
     
  8. PhilliePhan

    PhilliePhan Guest

    Hi DrMaestro,

    Happy to try to help! :)

    Please download this program and install it and then allow it to back up your registry (In case we make a mistake).

    ERUNT

    Also, I am a bit curious. . . Have seen a few cases like this lately and would like you to check something. Please download this tool:

    Generic Detection Tool - NT/2000/XP

    Please unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that log.
    I will check back as time permits.

    PP :)
     
  9. DrMaestro

    DrMaestro Private E-2

    Hi PhilliePhan,

    I used ERUNT to back up my registry. Then I used the Generic Detection Tool to generate the output you asked for. I am attaching it to this post. If there is anything else I can do please tell me. Thank you very much again...
     


  10. PhilliePhan

    PhilliePhan Guest

    I did not see what I thought I'd see in the output log . . . Which is good!

    For removing the remnants of C:\Documents and Settings\Artur\Start Menu\Programs\Startup\winupdate25230341[1].exe , let's see if there is an easy way before hacking the registry.

    Please RightClick START > select OPEN and navigate to the STARTUP Folder. See if you can find and DELETE the entry trying to load the missing file.

    Should that fail, please open msconfig and CHECK the box for the entry so that it tries to load on startup. Then, please scan with HijackThis and look for that entry and FIX it in HJT. Reboot, Rescan, and attach that HJT log and we'll see if that does the trick!

    I think regedit will be a last resort. . . .

    PP :)
     
  11. DrMaestro

    DrMaestro Private E-2

    Hi PhilliePhan,

    My startup folder was empty, so nothing to delete there. Using msconfig I checked the entry for C:\Documents and Settings\Artur\Start Menu\Programs\Startup\winupdate25230341[1].exe. It didn't create the file. I think that, if you put a file in the startup folder and then you uncheck its entry, the file is first backed up in a Windows directory and deleted from the startup directory. If you recheck it, it's created from this backup file and then the backup file is deleted. At this point, if you delete the file from the startup directory without unchecking it, then the file is irreversibly deleted because no backup file has been created to recreate it later (well, this is my theory of course and I could be wrong).

    After checking the file I did a HijackThis scan and saw no reference to it in its log. So I rebooted as you told me. The dialer didn't show up while booting. I ran a HijackThis scan again. I was expecting to see a file missing entry, but the log created, which is attached, was similar to the previous log. I ran msconfig again and here is the big surprise: the entry for C:\Documents and Settings\Artur\Start Menu\Programs\Startup\winupdate25230341[1].exe disappeared. Maybe files which are not found in the startup folder while booting are automatically removed from the list? So, now everything seems to be back to normal.


    Thank you very much....
     


  12. PhilliePhan

    PhilliePhan Guest

    Hi Dr. Maestro,

    I think your latter assumption is correct. Things in your HJT log look good!

    I probably overreacted a bit with the troubling file because I've seen similar ones that have been extremely difficult to remove. Yours seems to have gone peacefully! Keep an eye open, though, in case it returns - not too likely.

    I figured that remnants would show in HijackThis - which, at its heart, is a registry editor - and could be addressed using HJT. At this point, I'd say you are in the clear! Please take a look at Chaslang's suggestions to help keep it that way: How to Protect yourself from malware!

    Happy Computing!

    PP :)
     
