Infected with Dial/PecDial-B and 10 Additional Adware


#1 rw2938
Posted 06 March 2009 - 02:18 PM

Unit was running extremely slow; I ran a scan and it came back with these results:

  • gain - common components
  • internet washer

DDS (Ver_09-02-01.01) - NTFSx86
Run by Father Roy at 11:32:54.06 on Fri 03/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.500 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AGI\core\3.0\AGCoreService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\RDS\RsiSvc.exe
C:\Program Files\RDS\srscandr.exe
C:\Program Files\RDS\SOption.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\RDS\ddsschednt.exe
C:\Program Files\Duplo Data AS\Ministry Scheduler\Server\LDS.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
F:\Malware\Utilities\Trend Micro\HijackThis\HIJACKTHIS V2.0.2.EXE
C:\Program Files\Safari\Safari.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.sbc.com/dsl
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: agcore.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
mURLSearchHooks: agcore.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: agcore.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO: Dictionary.com: {11359f4a-b191-42d7-905a-594f8cf0387b} - c:\windows\downloaded program files\lexbar.dll
BHO: REALBAR: {4e7bd74f-2b8d-469e-c0ff-fd60b590a87d} - c:\progra~1\common~1\real\toolbar\realbar.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CTypo Object: {dce80ca4-b555-44d8-b423-a75d6c345ee1} - c:\windows\system32\stype10.dll
TB: REALBAR: {4e7bd74f-2b8d-469e-c0ff-fd60b590a87d} - c:\progra~1\common~1\real\toolbar\realbar.dll
TB: Dictionary.com: {11359f4a-b191-42d7-905a-594f8cf0387b} - c:\windows\downloaded program files\lexbar.dll
TB: {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File
TB: egreetings Toolbar: {9df9b682-9c18-4a01-bac3-a265ca7cd866} - mscoree.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [AHQInit] c:\program files\creative\sblive\program\AHQInit.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [2wSysTray] c:\program files\2wire\2PortalMon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickFinder Scheduler] "c:\program files\wordperfect office x3\programs\QFSCHD130.EXE"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
mRunServices: [RegisterDropHandler] c:\progra~1\textbr~1.0\bin\REGIST~1.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startd~1.lnk - c:\program files\rds\DdsLaunch.exe
uPolicies-explorer: <NO NAME> =
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: musicmatch.com\online
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/d/c/8/dc8362b3-f410-4e7d-b672-209d6bd8fcea/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} - hxxp://office.microsoft.com/productupdates/content/opuc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121980809327
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144945163310
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - hxxp://toolbar.google.com/data/GoogleActivate.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coke/Coupons.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.brightstreet.com/cif/download/bin/actxcab.cab
DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E856B973-45FD-4559-8F82-EAB539144667} - hxxp://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312
DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - hxxp://dictionary.reference.com/tools/toolbar/lexico.cab
DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/sbc/TrueInstallSBC.exe
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 nmconpid;nmconpid;c:\windows\system32\drivers\nmconpid.sys [2006-12-11 11625]
R2 AGCoreService;AG Core Services;c:\program files\agi\core\3.0\AGCoreService.exe [2009-2-13 40960]
R2 DdsSched;Dds Scheduler Deamon;c:\program files\rds\DdsSchedNT.exe [2006-8-14 36864]
R2 LDS;Ministry Scheduler Server;c:\program files\duplo data as\ministry scheduler\server\LDS.exe [2005-3-1 4025856]
R2 RsiSvc;Ridoc Server Information Service;c:\program files\rds\RsiSvc.exe [2006-8-14 65536]
R2 ScanRouterDriverV2;ScanRouterDriverV2;c:\program files\rds\SrScanDr.exe [2006-8-14 178688]
R2 SOption;SOption;c:\program files\rds\SOption.exe [2006-8-14 98304]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [2008-12-23 28762]

=============== Created Last 30 ================

2009-03-06 11:25 92,528 a---h--- c:\windows\system32\mlfcache.dat
2009-03-04 20:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\GameHouse
2009-03-04 20:48 <DIR> --d----- c:\program files\WildTangent
2009-03-04 12:57 <DIR> --d----- c:\docume~1\father~1\applic~1\Webroot
2009-03-04 12:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Geek Squad
2009-03-04 12:48 <DIR> --d----- c:\program files\Bonjour
2009-02-27 14:29 244 a---h--- C:\sqmnoopt01.sqm
2009-02-27 14:29 232 a---h--- C:\sqmdata01.sqm
2009-02-27 13:38 244 a---h--- C:\sqmnoopt00.sqm
2009-02-27 13:38 232 a---h--- C:\sqmdata00.sqm
2009-02-13 13:43 <DIR> --d----- c:\program files\EG Toolbar
2009-02-13 13:43 <DIR> --d----- c:\program files\AGI
2009-02-13 13:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AGI

==================== Find3M ====================

2009-03-06 11:29 2,263,691 a------- c:\windows\typo.dat
2008-12-23 16:31 28,672 a------- c:\windows\system32\f3PSSavr.scr
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-12 11:03 6,268 a--sh--- c:\windows\system32\KGyGaAvL.sys
2006-07-01 19:48 768,778 ac------ c:\program files\Document4.wpd
2006-07-01 19:48 184,300 ac------ c:\program files\GUESS WHO.wpd
2006-03-02 14:51 1,215 ac--h--- c:\program files\hpothb07.dat
2006-02-01 13:09 65,519 ac--h--- c:\program files\hpothb07.tif
2003-10-31 15:00 39,149 ac------ c:\program files\bboys2_3cops.jpg
2003-10-11 21:01 16,251,072 ac------ c:\program files\AdbeRdr60_enu_full.exe
2003-10-10 10:25 7,610,622 ac------ c:\program files\ProPack.zip
2003-10-07 10:45 42,450 ac------ c:\program files\ShowLetter.htm
2003-10-06 10:38 53,461 ac------ c:\program files\marinefreed9.exe
2003-08-27 13:19 36,963 a----r-- c:\program files\common files\SM1updtr.dll
2003-07-24 08:49 2,874,612 a------- c:\program files\Scan0014.tif
2002-07-08 10:53 1,000,480 ac------ c:\program files\mmssetup.exe
2002-06-12 12:46 122,368 ac------ c:\program files\sharing parishes.doc
2002-06-04 12:13 44,032 ac-sh--- c:\program files\Thumbs.db
2006-09-30 13:35 56 ---shr-- c:\windows\system32\150763E16A.sys
2003-07-24 12:11 56 ---shr-- c:\windows\system32\340554C1BE.sys

============= FINISH: 11:33:22.12 ===============
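
As an added example (not part of the original post, and not DDS's own code), the following Python script parses lines in the shape of the Pseudo HJT, services and file sections above and raises the first triage flags a helper looks for: add-on entries that point at "No File", add-ons loaded through mscoree.dll (the .NET runtime host, so the line does not name the real assembly), and hidden+system files in system32. The sample lines are constructed from the formats in this log, and the flag heuristics are assumptions of this example, not rules stated in the thread.

```python
"""Structured triage of DDS 'Pseudo HJT Report' style lines (added example)."""
import re

# Constructed sample: line shapes copied from the DDS log posted above.
SAMPLE_LOG = r"""
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: agcore.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
TB: {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [2008-12-23 28762]
2009-03-04 20:48 <DIR> --d----- c:\program files\WildTangent
2006-09-30 13:35 56 ---shr-- c:\windows\system32\150763E16A.sys
"""

# BHO / toolbar / explorer-bar entries: optional name, CLSID, then the loaded file.
COM_RE = re.compile(r"^(?P<slot>BHO|TB|EB): (?:(?P<name>.+?): )?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
# Autostart entries from HKCU (uRun) or HKLM (mRun / mRunServices).
RUN_RE = re.compile(r"^(?P<hive>[um])Run(?:Services)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Service lines: state (R = running, S = stopped), short name, display name, path, [date size].
SVC_RE = re.compile(r"^(?P<state>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<date>[\d-]+) (?P<size>\d+)\]$")
# File lines from 'Created Last 30' / 'Find3M': date time size attribute-flags path.
FILE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$")

PARSERS = (("com", COM_RE), ("run", RUN_RE), ("service", SVC_RE), ("file", FILE_RE))


def parse(log):
    """Turn each recognised line into a dict with a 'type', the 'raw' line and its fields."""
    records = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        for kind, rx in PARSERS:
            m = rx.match(line)
            if m:
                records.append({"type": kind, "raw": line, **m.groupdict()})
                break
    return records


def triage(log):
    """Return (raw line, reason) pairs for the entries a helper would check first (heuristics assumed here)."""
    findings = []
    for r in parse(log):
        if r["type"] == "com" and r["path"] == "No File":
            findings.append((r["raw"], "orphaned CLSID: the registry entry points at a file that no longer exists"))
        elif r["type"] == "com" and r["path"].lower() == "mscoree.dll":
            findings.append((r["raw"], "managed-code add-on hosted by the .NET CLR; the real assembly is not named here"))
        elif r["type"] == "file" and "s" in r["attrs"] and "h" in r["attrs"] and "\\system32\\" in r["path"].lower():
            findings.append((r["raw"], "hidden+system file in system32; verify its origin before trusting it"))
    return findings


if __name__ == "__main__":
    for raw, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {raw}")
```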

#2 Jat90
Posted 06 March 2009 - 03:26 PM

Hello, rw2938

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.

I need some time to look over your log, I will post back soon.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

#3 Jat90
Posted 07 March 2009 - 06:55 AM


Install Antivirus

You are missing one important program on that computer: an antivirus.
I am not surprised you are infected. This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer. Install it and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but cannot remove.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

ESET Online Scan

Please go to the ESET website to perform an online scan. Please use Internet Explorer, as the scanner uses ActiveX.
  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX control. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Uncheck (untick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.

Please rescan with DDS and post DDS.txt.

#4 Jat90

Posted 10 March 2009 - 03:07 AM


Are you still there?

#5 kahdah

Posted 11 March 2009 - 05:37 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.