
Dialer: C:\windows\explorer.exe


  • This topic is locked
2 replies to this topic

#1 Stripe

  • Members
  • 1 posts
  • Local time:04:03 PM

Posted 01 June 2008 - 04:05 PM

Had installed a-squared Anti Dialer, and when I dial up my ISP [don't laugh :thumbsup: ], I get a warning about C:\WINDOWS\EXPLORER.EXE. If I allow it, there is no problem. If I check 'quarantine', all icons disappear from the desktop, and everything is frozen.

Is this a false alarm from a-squared Anti Dialer, or is an unwanted dialer installed?

My DSS/Hijack This logfile follows:

[COMODO Firewall Pro v3.0 was uninstalled 7MAY2008]

------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.70GHz
Percentage of Memory in Use: 30%
Physical Memory (total/avail): 1279.48 MiB / 886.6 MiB
Pagefile Memory (total/avail): 1710.27 MiB / 1434.96 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.23 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 31.71 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST340810A - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: PC Tools Firewall Plus v3.0.0 (PC Tools)
FW: COMODO Firewall Pro v3.0 (COMODO)
AV: AVG 7.5.524 v7.5.524 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\User\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=USER-0F793C2BC4
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\User
LOGONSERVER=\\USER-0F793C2BC4
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\User\LOCALS~1\Temp
TMP=C:\DOCUME~1\User\LOCALS~1\Temp
USERDOMAIN=USER-0F793C2BC4
USERNAME=User
USERPROFILE=C:\Documents and Settings\User
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

User (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
a-squared Anti-Dialer 3.0 --> "C:\Program Files\a-squared Anti-Dialer\unins000.exe"
a-squared HiJackFree 3.1 --> "C:\Program Files\a-squared HiJackFree\unins000.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
AusLogics Disk Defrag --> "C:\Program Files\AusLogics Disk Defrag\unins000.exe"
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Belarc Advisor 7.2 --> C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CDBurnerXP Pro 3 --> MsiExec.exe /I{896D642C-7125-44F0-AC49-A23ABF82209C}
Data Doctor Recovery NTFS (Demo) 3.0.1.5 --> C:\Program Files\Data Doctor Recovery NTFS (Demo)\Uninstall.exe
DRIP Wizard --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\dripwiz\ST6UNST.LOG"
DriverAgent Plugin for Netscape by TouchStone Software --> RunDll32.exe advpack.dll, LaunchINFSection driveragent_np.inf,TVICHW32Remove
Eraser 5.82 --> "C:\Program Files\Eraser\unins000.exe"
EVEREST Home Edition v1.51 --> "C:\Program Files\Lavalys\EVEREST Home Edition\unins000.exe"
Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
HD Tune 2.54 --> "C:\Program Files\HD Tune\unins000.exe"
HDD Health v2.1 Beta --> "C:\Program Files\HDD Health\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® PRO Network Connections Drivers --> Prounstl.exe
ISO Recorder --> MsiExec.exe /I{0F6A7971-0F11-4A79-A0E9-133D0963A570}
IZArc 3.81 --> "C:\Program Files\IZArc\unins000.exe"
Lizardtech DjVu Control --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{105CFC7C-6992-11D5-BD9D-000102C10FD8}\Setup.exe" -l0x9
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MozBackup 1.4.6 --> "C:\Program Files\MozBackup\unins000.exe"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
PC Tools Firewall Plus 3.0 --> C:\Program Files\PC Tools Firewall Plus\unins000.exe /LOG
SeaTools for Windows --> MsiExec.exe /I{98613C99-1399-416C-A07C-1EE1C585D872}
SmartClose 1.1 --> "C:\Program Files\SmartClose\unins000.exe"
Stay Live 2000 --> C:\WINDOWS\SDUnInst.exe c:\program files\software by design\staylive.uni
SyncBack --> "C:\Program Files\2BrightSparks\SyncBack\unins000.exe"
TextCalc --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\RenderSoft Software and Web Publishing\Uninst.isu"
Tweak UI --> "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type3451 / Warning
Event Submitted/Written: 06/01/2008 04:14:43 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type3443 / Warning
Event Submitted/Written: 06/01/2008 03:35:03 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type3438 / Warning
Event Submitted/Written: 06/01/2008 03:30:23 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type3432 / Warning
Event Submitted/Written: 06/01/2008 01:02:24 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type3427 / Warning
Event Submitted/Written: 06/01/2008 00:26:33 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type17358 / Warning
Event Submitted/Written: 06/01/2008 04:37:01 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%USER-0F793C2BC427 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %USER-0F793C2BC427 can't undo changes that you allow.

For more information please see the following:
%USER-0F793C2BC4275

Scan ID: {E669ECF3-267D-42EE-B852-A7C915720054}

User: USER-0F793C2BC4\User

Name: %USER-0F793C2BC4271

ID: %USER-0F793C2BC4272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %USER-0F793C2BC4276

Alert Type: %USER-0F793C2BC4278

Detection Type: 1.1.1593.02

Event Record #/Type17357 / Warning
Event Submitted/Written: 06/01/2008 04:37:01 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%USER-0F793C2BC427 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %USER-0F793C2BC427 can't undo changes that you allow.

For more information please see the following:
%USER-0F793C2BC4275

Scan ID: {5933B0D2-2EA8-4E43-8FE2-52A5187A15FB}

User: USER-0F793C2BC4\User

Name: %USER-0F793C2BC4271

ID: %USER-0F793C2BC4272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %USER-0F793C2BC4276

Alert Type: %USER-0F793C2BC4278

Detection Type: 1.1.1593.02

Event Record #/Type17356 / Warning
Event Submitted/Written: 06/01/2008 04:37:01 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%USER-0F793C2BC427 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %USER-0F793C2BC427 can't undo changes that you allow.

For more information please see the following:
%USER-0F793C2BC4275

Scan ID: {3E6851CA-63B6-443E-AC95-6051FB45E5FE}

User: USER-0F793C2BC4\User

Name: %USER-0F793C2BC4271

ID: %USER-0F793C2BC4272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %USER-0F793C2BC4276

Alert Type: %USER-0F793C2BC4278

Detection Type: 1.1.1593.02

Event Record #/Type17355 / Warning
Event Submitted/Written: 06/01/2008 04:36:58 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%USER-0F793C2BC427 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %USER-0F793C2BC427 can't undo changes that you allow.

For more information please see the following:
%USER-0F793C2BC4275

Scan ID: {02454E85-D3FA-4182-81C5-478053D4A609}

User: USER-0F793C2BC4\User

Name: %USER-0F793C2BC4271

ID: %USER-0F793C2BC4272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %USER-0F793C2BC4276

Alert Type: %USER-0F793C2BC4278

Detection Type: 1.1.1593.02

Event Record #/Type17354 / Warning
Event Submitted/Written: 06/01/2008 04:36:58 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%USER-0F793C2BC427 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %USER-0F793C2BC427 can't undo changes that you allow.

For more information please see the following:
%USER-0F793C2BC4275

Scan ID: {48A850F9-F11A-4310-8ADC-3177036B1083}

User: USER-0F793C2BC4\User

Name: %USER-0F793C2BC4271

ID: %USER-0F793C2BC4272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %USER-0F793C2BC4276

Alert Type: %USER-0F793C2BC4278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-06-01 16:38:02 ------------



#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:03 PM

Posted 30 June 2008 - 07:59 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
I apologize for the delay getting to your log, the helpers here are very busy.

If you still need help, please follow the directions below to post the correct log.


Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:03 PM

Posted 20 July 2008 - 09:39 AM

As there has been no response, this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.


========================================================



