Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

International Dialer

Status
Not open for further replies.
TSSTechie

TSSTechie

Technical User
May 21, 2003
353
GB
Howdy folks,

I was wondering if someone would be good enough to have a look through this for me. The user of this computer has recieved a very large phone bill with lots of international calls on it. I have asked the user to install, update and run Adaware and Spybot followed by HiJackThis. Here is the log :

Logfile of HijackThis v1.98.0
Scan saved at 22:31:17, on 01/07/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 3\MSGPLUS.EXE *
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE *
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS TITANIUM\APVXDWIN.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MEDIALISTWARN\HOLDSUPPORTTHAT.EXE *
C:\INTEL\INTEL PSNCU\CPUNUMBER.EXE
C:\WINDOWS\TWAIN_32\600CU\WATCH.EXE
C:\PROGRAM FILES\MICROSOFT ENCARTA\ENCARTA WORLD ENGLISH DICTIONARY\QSHLFED.EXE
C:\PROGRAM FILES\SERIF\GRAPHICSPLUS\GPSTART.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS TITANIUM\PAVPROXY.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-GB\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DUPEPLUS] C:\PROGRA~1\MEDIAL~1\holdsupportthat.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
O4 - Startup: Watch.lnk = C:\Windows\TWAIN_32\600CU\WATCH.exe
O4 - Startup: Encarta Dictionary Quickshelf.lnk = C:\Program Files\Microsoft Encarta\Encarta World English Dictionary\Qshlfed.exe
O4 - Startup: GraphicsPlus.lnk = C:\Program Files\Serif\GraphicsPlus\GpStart.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: QuickTranslate - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\edtrans.htm
O8 - Extra context menu item: QuickDefine - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\eddefine.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmtrans.html
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: PB Home - {367CEC00-90A0-11D3-A398-88E09A639735} - (file missing) (HKCU)
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - O18 - Protocol: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\PROGRA~1\COMMON~1\MICROS~1\REFERE~1\MSREF.DLL
O18 - Filter: text/html - {70244780-B659-11D8-A399-444553540000} - C:\WINDOWS\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\V0.15.DAT

Have Adaware and Spybot missed any nasties ??

Thanks in advance

TSSTechie

[lightsaber] May The Force Be With You [trooper] [yoda]
 
Sort by date Sort by votes
These don't look good, but you should research them before removal:

C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE *
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h

This one also raises my attention - anything called 'acceleration software' is usually bogus.
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
 
Upvote 0 Downvote
You want to Empty;
Temporary Internet Files/History/Recent/Temp folders .

funky Messenger? (which is loaded with spyware - anyway), but I'm not getting anything definitive yet.
C:\PROGRAM FILES\MESSENGER PLUS! 3\MSGPLUS.EXE *
This is the only thing I found - saying this;
"uninstall Messenger Plus (control panel, add/remove programs), it comes bundled with spyware."
see; though who knows,
it just might be Euro's version (as in REGION 3?) .....same with the GOOGLE stuff? ....so if you Kill Both GOOGLE3 and MESSENGER PLUS 3 Do it LAST
in other words WAIT a little while, to see if anything's still wrong (still oddities, weird behavior) after cleaning the others and more people post.
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

-Definitely - Don't Like the way this looks (nothing of use, comes up in a seach)
O4 - HKLM\..\Run: [DUPEPLUS] C:\PROGRA~1\MEDIAL~1\holdsupportthat.exe

-Here's that weird looking google stuff that a lot of hits came up on, BUT they are all Singular Hijack Logs with NO Answers/Replies.
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmtrans.html

File Missing, must delete
O9 - Extra button: PB Home - {367CEC00-90A0-11D3-A398-88E09A639735} - (file missing) (HKCU)
--------------------------
Here's the MESSENGER ActiveX Gaming and Stats CABS...I guess leave it for a bit, if important to whomever.
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - ----------------------------
get rid of this crud...IMHO...more ActiveX Gaming - unless the User recognizes the sites...can't say for sure if you wan to keep
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} -
suspicious looking to me;
-edit;
Foreign translated page I found says;
Trojan:Win32/Dialui.A
O18 - Filter: text/html - {70244780-B659-11D8-A399-444553540000} - C:\WINDOWS\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\V0.15.DAT

REMOVE
Dialer.InstantAccess
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h


TT4U

Notification:
These are just my thoughts....and should be carefully measured against other opinions.
Backup All Important Data/Docs
 
Upvote 0 Downvote
ola! Smah!
[smile]

TT4U

Notification:
These are just my thoughts....and should be carefully measured against other opinions.
Backup All Important Data/Docs
 
Upvote 0 Downvote
Howdy

Thanks guys and sorry for the delay.

I will get the user to follow your suggestions.

Thanks again

TSSTechie

[lightsaber] May The Force Be With You [trooper] [yoda]
 
Upvote 0 Downvote
I thought textbridge was something related to scanner/ocr.
There is also a twain something or other which I think is scanner-not sure that textbridge line should go.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Upvote 0 Downvote
Hi diogenes10
It's that INSTANTACCESS.EXE File that's the prob
also notice the /h switch (Hide - I'd imagine)
and it's in a folder labeled BIN....so deleting just that entry from Hijack won't affect the whole folder

TT4U

Notification:
These are just my thoughts....and should be carefully measured against other opinions.
Backup All Important Data/Docs
 
Upvote 0 Downvote
After a little more reading, I'm going to have to continue to disagree on this one.
I dont think it matched the location in the symantec link
This link shows it as xerox:
You can find several links to logs pronounced clean that include that file
And, although I never got it to work, the textbridge twain pattern is consistent with files from an old 300 dpi scanner I attempted to install once.

I would suggest Kaspersky scan, also just renaming and not deleting if uncertaintly reigns.


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

AmeunMandt
  • Locked
  • Question
Windows XP - NT Dialer - Harmful?
Replies
2
Views
70
linney
linney
sjkted
  • Locked
  • Question
Using Phone Dialer in Windows XP
Replies
1
Views
141
se2000
se2000
thenewa2x
  • Locked
  • Question
On tether auto-dialer?
Replies
2
Views
57
thenewa2x
thenewa2x
philrbert
  • Locked
  • Question
tried to uninstall AOL, Dialer keeps trying to start, help
Replies
4
Views
101
cyberspace
cyberspace
Rhombus65
  • Locked
  • Question
Problems with Phone Dialer and CD Player
Replies
6
Views
72
Rhombus65
Rhombus65

Part and Inventory Search

Sponsor

Back
Top