InterviewSolution
Pesky dialer?
Ok, here's one for the pros. I have spent a few hours cleaning out a bunch of crap from my Mom's Windows machine. It's running ME, and had previously been host to Kazaa and a lot of other junk.

Fix: Yes it is the entire log. This is not my machine and yes there is a lot of crap on it. I hate this computer with a passion.

Hmmmmm.......... the funny thing about that is I already deleted that. I deleted about a dozen things, mostly BHOs and some O4s, and then re-ran HiJack and posted the new log, and those two things are back, and it just keeps coming back. I have also found in the C:\WINDOWS directory the following files:

Buddy.exe
CERES.DLL (obviously)

Deleting them does nothing much since they are regenerated upon restart of the machine. The only real visible effects are that it dials constantly, and if someone uses IE you get a lot of "The Best Offers" ads.

So, here's a rundown of things I have tried so far, that have been ineffective in removing the dialing program(s):

- SpyBot
- AdAware
- Manual deleting of various exes and dlls
- HijackThis
- Manual deleting of various registry entries (with the CLSID that shows up in the Hijack log, as well as HKCU\SOFTWARE\ceres and HKCU\SOFTWARE\TBONAS and a few more)
- Manual deletion of the CERES.DLL and Buddy.exe in safe mode

This one is baffling me, much as I hate to admit it. Anyone else had a direct problem with the "Best Offers" ads and CERES?

Quote: mox_PERL.... Just had a look at your logfile and in addition to what has been suggested, I would be removing ........

Done.

Quote: In your running processes I note ....... C:\WINDOWS\SYSTEM\WMIDHY.EXE. If you know what it is leave it, however if you don't know what it is ..... use your task manager to shut it down .... (Ctrl, Alt, Del) ........ once it's been shut down ......

I left that one because 1> it can't be shut down with TaskManager and 2> I thought it to be a quirk in the Compaq version of WinME. I don't think that's the problem but you never know. I'll leave that for last. Thanks guys.

Let us know if that fixes it. And when I said you got a lot of crap on it, I meant that you deleted a lot of crap (i.e. VIRUSES) off the system. You've got the cleanest Logfile I've seen in a while, normally HJT responses require essays! Maybe that clarification explains the "Excellent work" bit.

mox_PERL..... This link is all about buddy and ceres: http://www.webhelper4u.com/tnewswritigs/ceresbuddy_exe.html Have you done all the things outlined there? ....... and it's still coming back?
dl65

Yup, I did that. Did all that registry stuff, and even cleaned out a few other things while I was there, that were also malware. I got rid of that final process, the

O4 - HKLM\..\Run: [wmidhy] c:\windows\system\wmidhy.exe

The process could not be disabled in normal mode but in safe I deleted that and the buddy and CERES files for the final time. They haven't returned. This:

O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - C:\PROGRAM FILES\FTK\FTK.DLL

also kept returning but I manually deleted the entire FTK folder and now it is gone. The problem is, it still dials. I am officially boggled now.

Here is the most recent Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 12:17:09 AM, on 4/22/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~2\ONETOU~2.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab

I am out of ideas. Maybe it's time to just take it out back and shoot it?

Quote: Let us know if that fixes it. And when I said you got a lot of crap on it, I meant that you deleted a lot of crap (i.e. viruses) off the system. You've got the cleanest Logfile I've seen in a while, normally HJT responses require essays!

I thought you meant crap as in MS Office, Quickbooks, and other applications like that. There are a lot of little things like that on it. You should have seen this machine when I first went to work on it with SpyBot. I got literally 150+ red entries the first run. I am ok SKILL wise with Hijack and I took a bunch of stuff out already before I posted. Well, anyways, thanks guys.

IE>Tools>Internet Options>Connections>---->Never dial a connection.

mox_PERL....... Didn't you say that you deleted the complete FTK file ....... If you did mark this entry for removal.......

O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"

dl65

Ok, final update. I got rid of that O4. I had previously left that one because I thought it to be legitimate. I should really know better. Finally, after this, deleting a few other files, and some more registry manipulation, the dialer is finally gone. Hallelujah!! Big thanks to Dilbert, dl65, and Fed for the help.
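The lesson of the thread is that deleting CERES.DLL and Buddy.exe did nothing while the O2 BHO and O4 Run entries that reload them were still in place. As an added example (not code from the thread or from HijackThis), here is a small Python triage script that parses HijackThis-style lines and flags the O2/O3/O4 entries loading a file from a suspect list; the sample log and the suspect filenames are constructed from entries quoted above, and the basename-match heuristic is an assumption.

```python
import re
from typing import NamedTuple

# Constructed sample in HijackThis format, built from entries quoted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - C:\PROGRAM FILES\FTK\FTK.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [wmidhy] c:\windows\system\wmidhy.exe
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
"""
# Filenames the thread tied to the Ceres/Buddy dialer (assumption: a
# case-insensitive basename match is enough for triage).
SUSPECT_NAMES = {"ceres.dll", "buddy.exe", "ftk.dll", "ftkcpy.exe", "wmidhy.exe"}

class Entry(NamedTuple):
    section: str  # "O2", "O4", ...
    detail: str   # text after "Ox - "
    path: str     # target file, "" when none (URL-only O16)
    clsid: str    # "{...}" if present, else ""

def extract_path(section, detail):
    """Quoted path, else unquoted drive path up to its extension, else bare O4 value."""
    q = re.search(r'"([^"]+)"', detail)
    if q:
        return q.group(1)
    d = re.search(r"[A-Za-z]:\\.*?\.(?:exe|dll|cab|lnk)", detail, re.I)
    if d:
        return d.group(0)
    if section == "O4" and "] " in detail:
        return detail.split("] ", 1)[1].split()[0]  # e.g. "Hidserv.exe run"
    return ""

def parse_hjt(log):
    """Parse the Ox lines; header and running-process lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = re.match(r"(O\d+) - (.*)", line.strip())
        if m:
            section, detail = m.groups()
            c = re.search(r"\{[0-9A-Fa-f-]{36}\}", detail)
            entries.append(Entry(section, detail, extract_path(section, detail),
                                 c.group(0) if c else ""))
    return entries

def flag_persistence(log, suspects=SUSPECT_NAMES):
    """O2/O3/O4 entries loading a suspect file: the persistence that re-creates it on reboot."""
    return [e for e in parse_hjt(log) if e.section in ("O2", "O3", "O4")
            and e.path.rsplit("\\", 1)[-1].lower() in suspects]
```

Running flag_persistence(SAMPLE_LOG) returns the FTK BHO and the FtkCPY and wmidhy Run entries while leaving the Norton, ccApp and Compaq entries alone; those three are exactly the entries the thread had to remove before the files stopped coming back.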