
URGENT HELP NEEDED


Huw


I think that a dialler has been installed on my computer. It's called Instant Access and I presume it's a porn thing. I dunno if it has been activated or whatever, and I have to go onto the internet to uninstall it for some reason. Anyways, how do I get rid of this?!! Cheers.

 

Here is my HijackThis log if it helps:

 

 

Logfile of HijackThis v1.98.0

Scan saved at 12:36:43, on 14/08/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton Internet Security\NISUM.EXE

C:\Program Files\Canon\BJCard\Bjmcmng.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\Program Files\Norton Internet Security\ccPxySvc.exe

C:\WINDOWS\System32\gearsec.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\PREVX\Prevx Home\PXAgent.exe

C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\Canon\BJPV\TVMon.exe

C:\Program Files\Canon\BJCard\BJLaunch.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\mslagent\mslagent.exe

C:\Program Files\E-Color\Common\IconMgr.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\PREVX\Prevx Home\SAGUI.exe

C:\Program Files\E-Color\E-Color Indicator\TICIcon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Tim\Desktop\Huw\Apps\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [bJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe

O4 - HKLM\..\Run: [bJLaunchEXE] C:\Program Files\Canon\BJCard\BJLaunch.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [instant Access] rundll32.exe EGCOMSERVICE_1048.dll,InstantAccess

O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe

O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: Prevx Home.lnk = C:\Program Files\PREVX\Prevx Home\SAGUI.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28177.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/060fd34065efe5863d16/...ip/RdxIE601.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {BC01A402-4730-11D2-B36C-0000E8DF722B} (Illuminatus 4.5 IE Plugin) - http://www.digitalworkshop.co.uk/ilm450.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...352/mcfscan.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab


Hehe. I wonder what you've been looking at on the net? :d

 

Anyway, to kill it, run Hijack This! again, put a tick next to these items, close ALL browser windows then hit Fix Checked............

 

 

O4 - HKCU\..\Run: [instant Access] rundll32.exe EGCOMSERVICE_1048.dll,InstantAccess

 

 

Then reboot and delete this file.............

 

 

EGCOMSERVICE_1048.dll

 

 

If it won't delete, reboot into safe mode and do it.


OH YEAH - before you delete the dll file you might need to unregister it. Click Start then Run and type this............

 

 

regsvr32 /u "path and file name"

 

 

Obviously putting the real path and file name in. You need to keep the quotation marks. Then hit Enter.

 

E.g. If it's in your System32 folder you would type this..........

 

regsvr32 /u "C:\Windows\System32\EGCOMSERVICE_1048.dll"


There is NO WAY to sure-fire remove a dialer. Trust me, they are very tricky pieces of software to remove.

 

The only way you will get even close is to remove all suspect articles running Windows in SAFE MODE.

 

Personally, I wouldn't bother. Nuke the drive. Put everything you need onto a second HD or CD's/DVD's, then flush the bastard with a military format. It really is the only sure way. Think 'Aliens' here.

 

If you don't, the dialer WILL cost you money. I don't live with my parents; in the two and a half years since I moved out, they've racked up hundreds of pounds in dialer bills because they refuse to nuke the drive. I can't get rid of them, and I really know what I'm doing!

 

In the meantime, pull the plug


This dialler is only one file. It's a DLL file that binds itself to rundll32.exe. If you unregister it, remove the registry entry that makes it start up (i.e. sort it with Hijack This!) and delete the file, then it is gone. The only way it would come back is if there was a dodgy ActiveX component in your downloaded program files - those are the ones that start with O16 - DPF in Hijack This! All you have in there are some games, a couple of plugins and some antivirus stuff.

 

Don't nuke the drive over one file dood!

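The post above explains the mechanism: a Run-key entry hands rundll32.exe a DLL by bare filename, and the O16 - DPF lines are where a re-infection could come from. As an added example (not code from this thread or from HijackThis), here is a small parser that reads HijackThis O4 Run lines and flags rundll32 entries whose DLL has no absolute path, which is exactly how the "instant Access" line looks; the sample lines are constructed from the log posted above.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the O4 lines in the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [instant Access] rundll32.exe EGCOMSERVICE_1048.dll,InstantAccess
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
"""

# HijackThis O4 format for Run keys: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class RunEntry:
    hive: str      # HKLM applies to every user, HKCU only to the logged-on user
    name: str      # registry value name shown in square brackets
    command: str   # the command line that runs at logon


def parse_o4(text):
    """Return the O4 Run-key entries found in a HijackThis log (Global Startup .lnk lines are skipped)."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["name"], m["cmd"]))
    return entries


def rundll32_target(command):
    """Return the DLL that a rundll32 command line loads, or None if it is not a rundll32 command."""
    parts = command.split(None, 1)
    if len(parts) < 2 or parts[0].lower() not in ("rundll32.exe", "rundll32"):
        return None
    # rundll32 takes "<dll>,<entry point>"; drop the entry point name.
    return parts[1].split(",", 1)[0].strip('"')


def suspicious_rundll32(entries):
    """Flag Run entries that hand rundll32 a DLL by bare filename, so the DLL search order decides what loads."""
    hits = []
    for e in entries:
        dll = rundll32_target(e.command)
        if dll is not None and not re.match(r"^[A-Za-z]:\\", dll):
            hits.append((e.hive, e.name, dll))
    return hits


if __name__ == "__main__":
    for hive, name, dll in suspicious_rundll32(parse_o4(SAMPLE_LOG)):
        print(f"{hive} Run value [{name}] loads {dll} via rundll32 without a full path")
```

Legitimate rundll32 entries such as the NvCpl one give the DLL's full path, so only the bare-filename entry is reported.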

I would. Honestly.

 

I keep four partitions:

 

WINDOWS

GAMES

MUSIC

VIDEO

 

After installing Windows, get all your essential apps on there, and tweak it how you like it. Then use a program like Nero to make a DRIVE IMAGE. Burn it to a DVD (or store it elsewhere on your PC if you have the room).

 

Whenever anything goes wrong, revert to the image in the space of a few minutes. You know it is completely clean and there is practically zero fuss.

 

All about strategy...


I'd add a partition for the swap file too.

 

No need

 

second HD for that

 

But generally having a partition just for virtual memory is a huge waste of space when any partition will do the job just as well and provide no speed decrease. Do it on your music drive and defrags are less of an issue as most files will be sub 5MB.


Cheers for the help. I don't think it has been activated to be honest; when I clicked on it this morning, I didn't click agree or anything. Also, I just did a system restore and half of the file has gone, so I think it has been neutralised. It also doesn't appear on my internet connections box, which someone told me it does when it has been activated. Anyways, I'll try and delete the fucker. Don't really know how to reboot a drive properly, so I best leave it for now. Besides, if it does cost me anything, it was a mate who downloaded it I think, so I'll rinse him for all the money.

 

BTW Sigma, I thought I did delete the things you highlighted. I'll do it again now.


Hmm, just searched for EGCOMSERVICE_1048.dll and it is nowhere to be found. The Instant Access folder is still there, but it seems that the .dll file is not. Does that mean the system restore has deleted it and I can simply delete the Instant Access folder in Program Files?

 

*EDIT: just ran Hijack This! and the entry has vanished too...


I'd add a partition for the swap file too.

 

No need

 

second HD for that

 

But generally having a partition just for virtual memory is a huge waste of space when any partition will do the job just as well and provide no speed decrease. Do it on your music drive and defrags are less of an issue as most files will be sub 5MB.

 

It can't be a waste of space! I set the virtual memory to a fixed size, hence the partition was created to accommodate it. If you use a variable sized swap file then you can just use System Monitor to see how big it gets and create the partition accordingly. My swap file doesn't suffer from fragmentation like it did when it was put onto a partition with other files. I agree that it should be on the second hard disc though, otherwise it might slow things down due to disc access times.


In all seriousness, though: yes, things can be removed, but some are incredibly clever. Having seen first-hand bills of over £400 JUST from diallers, the only sure-fire advice I can give is to nuke. I wouldn't want that to happen to anyone else, it is such a cunt!


Hmm, just searched for EGCOMSERVICE_1048.dll and it is nowhere to be found. The Instant Access folder is still there, but it seems that the .dll file is not. Does that mean the system restore has deleted it and I can simply delete the Instant Access folder in Program Files?

 

*EDIT: just ran Hijack This! and the entry has vanished too...

 

Is there nothing inside the folder? Delete the folder anyway. The removal instructions for that dialler are what I gave above. I wouldn't have used system restore to go back. Make sure you have the option set to show hidden files and folders turned on before you search for that dll. Go into Windows Explorer and click on Tools then Folder Options then View. Make sure there is NO tick next to "Hide extensions for known file types" and then select "Show hidden files and folders". Then click OK and search for the dll file again.


BTW the entry vanishing from Hijack This! means that the file is not set to run when you boot your PC. That's good at least. Here are the removal instructions given by Kephyr..........

 

http://www.kephyr.com/spywarescanner/libra...ler/index.phtml

 

It's basically the same except you edit the registry manually instead of using Hijack This!


Guest Deeswift

Back to partitions for a minute, I got 8 on this 160 GB Hitachi.

 

C: SYSTEM (Windows XP Pro) = 3 GB

D: PAGEFILE = 3 GB (Virtual Mem min and max fixed at 768MB. When I get more RAM, this will be fixed at 1.5 GB)

E: APPLICATIONS (Program Files) = 6 GB

F: AUDIO = 40 GB

G: GAMES = 40 B

H: VIDEO = 40 GB

I: DOWNLOADS = 10 GB

J: VARIOUS (documents, storage, etc) = 11 GB

 

This is the best organization I've had, and defragging is a breeze. For my previous XP install on this new machine I tried a single 160 GB partition and it didn't work nearly as well, either for organization or defragging. Now it works well.

 

As for nuking the whole OS for the sake of one .dll file, it's really not worth it unless it causes a problem. A lot of people probably don't even have their OS on disc, sometimes they're on a shared PC, sometimes it takes ages, and in this case it's probably not worth it, so recommending a full install isn't really something we'd do.


What is partitioning and what benefits does it have? And how do I do it?

 

Partitioning is splitting up a hard disc drive into portions. Each of these portions is looked at by Windows as a separate drive. Say you split your C drive into 3 partitions, you could have a C, D and E drive. The advantage is that if one drive gets fucked up, it doesn't affect all of your data. It's better to keep applications separate from any data files. It's also good as a matter of tidiness and keeping things together. You need a program to partition your drives. The one I use is Partition Magic.

 

EDIT - I didn't mention access times either. If you install Windows on a 3GB partition as Dee has, then your PC will only need to look on the first 3GB of 160GB (in Dee's case) for any Windows files as they don't get spread over the whole size of the disc when they fragment. That means that in Dee's case the PC is looking on 2% of the disc instead of 100%, which leads to better performance.

 

EDIT 2 - When you defragment, you only need to defragment any partitions that need doing, rather than the entire disc. With a large disc drive this can save you loads of time.

 

EDIT 3 - Oh yeah! You could install more than one operating system and choose which one to boot into. This is good if you wanna try out Linux etc.

 

No more edits now!


Guest Deeswift

You can partition before Windows is installed, right before you load the operating system, or you can use an application such as Partition Magic later on to split / resize partitions.

 

Benefits are better organization, ease of defragging, speed (if you have more than one drive).


Guest Deeswift
If the page file is gonna be fixed at 1.5GB why have you got it on a 3GB partition? Haven't you got two HD drives Dee? You would be better putting the page file on the second disc.

 

Reason is because RAXCO PerfectDisk requires twice as much space as the Page File uses to be able to defrag.

 

Your Page File should be fixed at 1.5 times the size of your physical RAM, so if you have 1 GB, you'll need a 1.5 GB Page. A further 1.5 GB is needed so PerfectDisk can move all the data around on the partition and defrag it.


Guest Deeswift
One quick question about partitioning: I take it on one drive you'd just put the whole Windows folder? And then with the others put whatever you want in?

 

Yep. See my strategy. OS is on one 3 GB partition, then there's audio, applications, video, documents, games, page file, etc all on their own dedicated drives. It's working well for me.
