Question: What is it? And how do you get rid of it? Spybot can't eradicate this tenacious bugger.
Johnson
Not familiar with the name, but it's obviously a dialer (program that dials out from your computer back to its owner or another location). Did Spybot not even detect it? Then consider:
1) Is Spybot up to date with latest definitions?
2) If so, also try Lavasoft Ad-Aware Personal SE. They work great together at picking up what the other misses.
NV-Dialer. My mistake.
Johnson.
Hi,
Here
Or manual removal instructions here
--Good Luck--
Quote:
Manual removal
Please follow the instructions below if you would like to remove NVDialer manually. Please note that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if a single item is not deleted. If NVDialer remains on your system after stepping through the removal instructions, please double-check by stepping through them again.
1. Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
2. Delete 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{91413D86-9F27-402C-B5E3-DEBDD122C3B2}'
3. Exit the registry editor.
4. Restart your computer.
NV-Dialer hijacks my start menu and disables internet and mail access. It also knocked out my Lavasoft Ad-Aware. I'll try getting a new version. Thanks Angelic.
Looks like just the ticket. You may have just restored my peace of mind. Gracias.
I deleted the registry key, restarted and ran Spybot. Result? Still 4 entries for NV-Dialer; Spybot figures it runs in memory at shutdown. Problem unsolved, but thanks for the input.
Hi,
Try running Spybot in Safe Mode. Restart your computer in Safe Mode and do a scan there. And have you tried this:
http://www.2-spyware.com/remove-nvdialer.html
--Good Luck--
Tried in safe mode more than once. This thing throws up lots of defenses when you try exterminating it. First Spybot comes up with NV Dialer - 4 entries, then up to 52 others like Avenue D and Double Click. These are deleted over and over again, except for NV-Dialer, but all are replicated on the next run of Spybot. This is followed by a flurry of silver windows of gibberish with yes and no checkboxes, so overwhelming (like pop-ups) that I have to manually shut down by pushing the off button. I also tried Bazooka, which says it will get rid of NV Dialer - but Bazooka does not even recognize it as being on the computer.
So there's one piece of NV-Dialer still alive that's causing the respawning of malware... Have you tried tracking down where that troublesome little program is? Perhaps if you can, you can then manually remove it yourself... just a thought... sounds like you're in a bit of a pickle there. I've been having the same kind of problem with a nasty MyDoom infestation.
Have you tried a program called HijackThis? Download it and post the log. Reinstall your Ad-Aware and run it if you can. Make sure everything is updated, as always.
When you run Spybot, and Spybot finds it but says it can't get rid of it because it's in use or whatever, doesn't it give you an option to run the next time you restart your computer? If so then do that; that way it will do a scan before it gets a chance to load.
I do use the option of running at start-up. Doesn't do a thing. Will try HijackThis. A new wrinkle today: a virus in WinAd Client, 'Trojan Horse IRC/BackDoor.SdBot.50.' AVG is updated but can't remove this. When I try to run Spybot a Google window is thrown up to prevent it. Typing an address leads nowhere. WinAd Client in the registry has one entry marked 'Changed'. Is it safe to delete this?
Hi,
Try the online scan at HouseCall:
http://housecall.antivirus.com/house...tart_frame.asp
And the final option: download HijackThis. Extract it into a permanent folder, run it and post the log here. Don't try to fix it yourself if you don't know what to look for in it; wait for someone who knows what to look for and follow their advice.
--Good Luck--
Logfile of HijackThis v1.97.7
Scan saved at 1:40:51 PM, on 9/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\Win32FixII.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchwww.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.neopets.com
R3 - URLSearchHook: (no name) - {D6CA5D91-5EA2-4654-9B75-499267012611} - (no file)
O2 - BHO: (no name) - {38F46C0E-BD47-5BC8-875E-61557FAC7763} - C:\WINDOWS\System32\rncw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
O2 - BHO: (no name) - {EA598486-E32E-4CAF-9D9C-79CC7D519718} - C:\WINDOWS\RPQEUMKVD.DLL
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {952EC978-4920-4F18-8237-91D69B54C580} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Updater Resources II] Win32FixII.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [Automatic Microsoft Windows Updater] SUCHOST.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WindowsRegKey update] 16winupdate32.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\RunServices: [Microsoft Updater Resources II] Win32FixII.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] 16winupdate32.exe
O4 - HKCU\..\Run: [Microsoft Updater Resources II] Win32FixII.exe
O4 - HKCU\..\Run: [WindowsRegKey update] 16winupdate32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: IE Privacy Keeper (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://chat.msn.ca
O16 - DPF: Win32 Classes -
O16 - DPF: Yahoo! Chat - http://cs8.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...p.html?2&false
O16 - DPF: {07637823-C894-4A52-B3F9-5D777FD8E36A} - http://www.mydailyhoroscope.net/mdh/install.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/active...side_web18.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...1a0351cafa03db
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downlo...?1092589562787
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://host.interactual.com/whv/hpotter/iaieplay.dll
O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - http://www.picturebuzz.com/common/programs/swicdad.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwa...06_regular.cab
O16 - DPF: {4C2D6C46-6602-11D4-A5E3-444553540000} (Alice Control) - http://www.skotos.net/MarrachGame/Alice44.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04b556ea812771d...zip/RdxIE2.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://www.gamesmania.com/ExentCtl.ocx
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/...e/wordcube.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - http://mirror.worldwinner.com/games/...e/collapse.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v41/sol/sol.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...174.8229282407
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/ang...Downloader.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldwinner.com/games/...pit/swapit.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldwinner.com/games/...an/hangman.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://download.toontown.com/sv1.0.13.16/ttinst.cab
O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit.cartoonnetwork.c...winorbiter.cab
O16 - DPF: {C5CA5E7F-58DB-4FFF-9DC2-3E83158DEC9F} (IEActiveXCtl Class) - http://startrekccg.decipher.com/sign...activexctl.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://a320.g.akamai.net/7/320/1456/...layerAxWin.cab
O16 - DPF: {D6CF46FF-02AD-4DD4-A984-B82151785C33} (SwRegMonitor Class) - http://www.picturebuzz.com/common/pr...swtrialreg.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Te...loads/outc.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/mmed.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/zd/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab28578.cab
I definitely see some problems, but due to my lack of experience with HijackThis I feel it is not my position to tell you what you should delete. Deleting the wrong thing can badly mess up your computer. Some things may require you to do a little extra work than merely clicking delete. However, you should be getting a response from someone who knows what to delete very soon :)
Wow, looks like you have a whole bunch of things in there that are suspicious.
I don't have time to go through all the entries, but here are some that I would Google/research further (search on the .exe or .dll file name, like Win32FixII.exe; that one looks like it's malware).
C:\WINDOWS\System32\Win32FixII.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchwww.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R3 - URLSearchHook: (no name) - {D6CA5D91-5EA2-4654-9B75-499267012611} - (no file) [take this one out, file already removed by another scanner/cleaner]
O2 - BHO: (no name) - {38F46C0E-BD47-5BC8-875E-61557FAC7763} - C:\WINDOWS\System32\rncw.dll
[look into these entries]
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
O2 - BHO: (no name) - {EA598486-E32E-4CAF-9D9C-79CC7D519718} - C:\WINDOWS\RPQEUMKVD.DLL
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file) [kill this one]
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
---
O4 - HKLM\..\Run: [Microsoft Updater Resources II] Win32FixII.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [Automatic Microsoft Windows Updater] SUCHOST.EXE
O4 - HKLM\..\Run: [WindowsRegKey update] 16winupdate32.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\RunServices: [Microsoft Updater Resources II] Win32FixII.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] 16winupdate32.exe
O4 - HKCU\..\Run: [Microsoft Updater Resources II] Win32FixII.exe
O4 - HKCU\..\Run: [WindowsRegKey update] 16winupdate32.exe
--
After you find and remove the entries via HijackThis and reboot, you'll want to manually delete the files.
Now, you also have a LOT of ActiveX install cabs in there.
Malware ActiveX install cabs/DLLs will cause your system to immediately get reinfected once you've connected to the net. If I were you, I'd delete the whole lot; then when you do go to the sites (you trust and) you really need them at, they'll redownload.
Here's an example of a bad one:
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softw...006_regular.cab
One thing I would do before running your HijackThis would be to get a trojan scanner, as dialers are commonly known as trojans and not all AVs are good at finding and getting rid of trojans. Look into getting a trojan scanner.
Free:
A² trojan scanner (http://www.emsisoft.com/en/)
SwatIt (Google for it)
Ewido (same)
PestPatrol (not free, but they have a free online scan; it's a general scanner but picks up dialers well)
Here are two online trojan scanners:
http://www.trojanscan.com/
http://www.windowsecurity.com/trojanscan/
Some of the better ones you'll have to pay for:
TDS-3 (considered the best)
TauScan (usually comes in second)
TrojanHunter (ehh, not quite worth paying for, imo)
Good luck, looks like you'll need it.
I'd be really careful about deleting these. Since they look like Microsoft's products, it might be crucial for your computer to have them. I would do extra research on these or keep waiting for someone that is known to know a lot about using HijackThis!
Quote:
O4 - HKLM\..\Run: [Microsoft Updater Resources II] Win32FixII.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [Automatic Microsoft Windows Updater] SUCHOST.EXE
O4 - HKLM\..\Run: [WindowsRegKey update] 16winupdate32.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\RunServices: [Microsoft Updater Resources II] Win32FixII.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] 16winupdate32.exe
O4 - HKCU\..\Run: [Microsoft Updater Resources II] Win32FixII.exe
O4 - HKCU\..\Run: [WindowsRegKey update] 16winupdate32.exe
You're quite right Duck. One should always be careful and research first. It's the best way to learn as well. Many pieces of malware do (try to) disguise themselves as legitimate MS processes.
Last night I didn't take the time to even look up all these entries. I did Google Win32FixII.exe and found only one result, and reading that link, it sure seemed bad to me. Googling just Win32Fix brings up more results and I'd still call it "bad"; you certainly don't need it starting up.
See this thread http://computercops.biz/postt66895.html
msconfg.exe (notice the spelling, missing the "i" from msconfig)
Win32.Rbot.H >> http://www3.ca.com/securityadvisor/v....aspx?id=39662
-----
Quote:
W32.Randex.gen (Symantec), Backdoor/SDBot, Backdoor.SdBot.jg (Kaspersky), W32/Sdbot.worm.gen.i (McAfee)
Win32.Rbot is an IRC controlled backdoor (or "bot") that can be used to gain unauthorized access to a victim's machine. It can also exhibit worm-like functionality by exploiting weak passwords on administrative shares and by exploiting many different software vulnerabilities, as well as backdoors created by other malware. This particular variant of this increasingly large family has been distributed as a 69,120-byte, UPX-packed Win32 executable.
When first run, Rbot.H copies itself into the %System% directory as msconfg.exe.
It then adds entries to the following registry keys so that it is automatically run each time Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "msconfg.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "msconfg.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update = "msconfg.exe"
SUCHOST.EXE
http://www.google.com/search?hl=en&l...XE&btnG=Search
Symantec Security Response - Trojan.Treb
http://securityresponse.symantec.com...ojan.treb.html
Sophos virus analysis: W32/Rbot-EQ
http://www.sophos.com/virusinfo/analyses/w32rboteq.html
and/or
Sophos virus analysis: W32/Lovgate-AC
http://www.sophos.com/virusinfo/anal...lovgateac.html
Win32.Myss.CB
http://www3.ca.com/securityadvisor/v....aspx?id=39905
WORM_SDBOT.IK - Description and solution
http://www.trendmicro.com/vinfo/viru...=WORM_SDBOT.IK
The above links for suchost.exe should indicate with 99 percent certainty that
1. It's a baddie.
2. AVG6 got hosed or compromised.
---
16winupdate32.exe
(check this thread; also look at any other Google hits)
http://forum.gladiator-antivirus.com...howtopic=17426
and this link
http://home.cyberdefender.com/risk/h...2.exe.log.html
(It's part of SdBot.)
I also should point out that v1.97.7 is not the latest version of HijackThis.
All I've done so far is scan with A Squared 2 and remove these:
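The two posts above make the same point by hand several times: autostart entries with Microsoft-sounding names that are bare filenames, one of them a deliberate misspelling (msconfg.exe for msconfig.exe, SUCHOST.EXE for svchost.exe), plus a long list of ActiveX cabs from hosts nobody recognises. The script below is an added example written for this thread; it is not part of HijackThis or of any tool mentioned here. It parses the O4 and O16 lines of a HijackThis log and flags exactly those patterns. The list of known Windows binaries, the trusted ActiveX hosts and the 0.85 similarity threshold are assumptions chosen for illustration; the sample log is a constructed subset of the complete lines posted above.

```python
"""Triage the O4 (autostart) and O16 (ActiveX) lines of a HijackThis log.

Added example for this thread, not part of HijackThis or any tool named here. It
automates the checks made by hand above: bare filenames with no path, Microsoft-
sounding names that are not real Windows binaries, look-alike spellings of real
binaries (msconfg.exe, SUCHOST.EXE), and ActiveX .cab downloads from hosts that
are not on an allow-list.
"""
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumption: a short, illustrative list of Windows binaries that malware imitates.
KNOWN_WINDOWS_BINARIES = {
    "svchost.exe", "msconfig.exe", "winlogon.exe", "explorer.exe", "lsass.exe",
    "services.exe", "spoolsv.exe", "smss.exe", "wuauclt.exe",
}
# Assumption: hosts whose ActiveX controls the machine's owner chooses to trust.
TRUSTED_ACTIVEX_HOSTS = {
    "download.macromedia.com", "chat.msn.com", "messenger.zone.msn.com",
    "download.microsoft.com",
}
MS_WORDS = ("microsoft", "windows", "update")

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
# Only O16 lines that carry a CLSID are parsed; name-only O16 lines are skipped.
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.+?)\))? - (\S+)$")

# Constructed sample: complete O4/O16 lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Updater Resources II] Win32FixII.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [Automatic Microsoft Windows Updater] SUCHOST.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WindowsRegKey update] 16winupdate32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
"""


def executable_of(command):
    """Program part of a Run value: a quoted path, an unquoted path up to its
    extension (so 'Program Files' with its space survives), or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|com|scr|dll))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def lookalike_of(basename):
    """The known Windows binary this name imitates, or None for an exact match
    or a name that is not close (ratio >= 0.85) to any known binary."""
    name = basename.lower()
    if name in KNOWN_WINDOWS_BINARIES:
        return None
    best = max(KNOWN_WINDOWS_BINARIES,
               key=lambda known: SequenceMatcher(None, name, known).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= 0.85 else None


def check_o4(hive, key, name, command):
    """Heuristics for one autostart entry; the reasons list is empty when it looks clean."""
    exe = executable_of(command)
    base = exe.rsplit("\\", 1)[-1]
    reasons = []
    if "\\" not in exe:
        reasons.append("bare filename with no path (resolved via the search path)")
    if any(w in name.lower() for w in MS_WORDS) and base.lower() not in KNOWN_WINDOWS_BINARIES:
        reasons.append("Microsoft-sounding entry name but not a known Windows binary")
    imitated = lookalike_of(base)
    if imitated:
        reasons.append(f"look-alike spelling of {imitated}")
    if key.lower() == "runservices":
        reasons.append("RunServices key: only Windows 9x/Me run it, but bots write it anyway")
    return {"kind": "O4", "where": f"{hive}\\{key}", "name": name, "target": exe, "reasons": reasons}


def check_o16(clsid, label, url):
    """Heuristics for one downloaded ActiveX control."""
    host = (urlparse(url).hostname or "").lower()
    reasons = []
    if host not in TRUSTED_ACTIVEX_HOSTS:
        reasons.append(f"ActiveX control downloaded from untrusted host {host}")
    if not label:
        reasons.append("control has no registered name")
    return {"kind": "O16", "where": clsid, "name": label or "", "target": url, "reasons": reasons}


def triage(log_text):
    """Return the findings (entries with at least one reason) for a whole log."""
    findings = []
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            finding = check_o4(*m.groups())
        elif m := O16_RE.match(line):
            finding = check_o16(*m.groups())
        else:
            continue
        if finding["reasons"]:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']} {f['where']} [{f['name']}] -> {f['target']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run it on the sample and the four bot entries (Win32FixII.exe, msconfg.exe, SUCHOST.EXE, 16winupdate32.exe) are flagged while the AVG and ZoneAlarm entries, which use full paths and honest names, are not; the MediaTickets cab is flagged for an unrecognised host and a missing control name, the MSN Chat cab is not. The look-alike check is deliberately conservative: it compares only against an explicit list, so a name that is merely unfamiliar is reported as bare or mis-named rather than guessed at, and the verdict is still a pointer to research, not a deletion list.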
File Name : C:\WINDOWS\Downloaded Program Files\CONFLICT.1\jao.dll
Diagnosis : TrojanSpy.Win32.Briss.k
File Name : C:\WINDOWS\msbbhook.dll
Diagnosis : Spyware.Win32.180Solutions
File Name : C:\WINDOWS\SYSTEM32\exdl.exe
Diagnosis : Spyware.Win32.Exact.a
Well, that's a start, but I thought that I was giving you a nudge to research things a bit more.
The entries and files that I suggested above (that all point to SdBot/Myss/Rbot) should be removed. The other stuff I pointed out in my first post should also be done. Research it to be sure, but I'm pretty much on track with what I had suggested.
If you really need someone to hold your hand a bit more (I'm no novice at it, but my time is quite limited) then head over to www.security-forums.com and post in their HijackThis log section. Also I should point out that there are a number of good forums for posting your HJT log at. Here are 3 of the better ones.
TomCoyote's forum http://forums.tomcoyote.org/index.php?showforum=27
spywareinfo's forum http://forums.spywareinfo.com/
net-integration's http://forums.net-integration.net/index.php?
Good luck
Or if you want, go ahead and post a fresh HijackThis log here. I'll be tracking this topic now and will see your response - or come to SFDC and I'll see it there too. ;)
Although, with the exception of having you delete the MSN toolbar (which is not malware), helplesslyhopin has done a fine job of leading you here.
:)
You might like to try SwatIT.
http://swatit.org/
It is very thorough, but does take a long time to run.
Cheers
I followed the previous advice and deleted quite a bit; a new log will follow. I also managed to delete two of four NV Dialer items from the registry. The other two would not allow deletion, but when I restarted they were gone. Maybe just migrated or hiding. Two were in a software key labeled clearly "nv." These went easy. The other two were in HKEY_USERS; unable to delete them, I denied permissions. New log from HijackThis will follow. Thanks!
Logfile of HijackThis v1.97.7
Scan saved at 3:01:59 PM, on 9/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {38F46C0E-BD47-5BC8-875E-61557FAC7763} - C:\WINDOWS\System32\rncw.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
O2 - BHO: (no name) - {EA598486-E32E-4CAF-9D9C-79CC7D519718} - C:\WINDOWS\RPQEUMKVD.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra 'Tools' menuitem: IE Privacy Keeper (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://chat.msn.ca
Please select the following with HijackThis. With all windows (including this one!) closed, please select "Fix".
O2 - BHO: (no name) - {38F46C0E-BD47-5BC8-875E-61557FAC7763} - C:\WINDOWS\System32\rncw.dll
O2 - BHO: (no name) - {EA598486-E32E-4CAF-9D9C-79CC7D519718} - C:\WINDOWS\RPQEUMKVD.DLL
Other than those, your log looks fine. Are you still having issues?
Fixed those with windows closed. Still having issues.
On reboot the administrative user was not found, so I was logged in using the "Default" HKEY_USERS profile. There seem to be a lot of entries in HKEY_USERS including
Default\software\nv
S-1-5-18\software\nv
S-1-5-19\software\nv
S-1-5-20\software\nv
S-1-5-21\software\nv
Each has permissions giving total control. Some I deleted but left one. No. "18" Default came back. Can no longer access mail in Outlook Express or web mail log-in. Probably protecting against downloads. I downloaded SwatIt as 2 different kinds of extracting files before mail slammed shut. Neither will open. Cheerio, though, ain't technology wonderful?
Well, you have XP... try a restore point?
Since you've been mucking about in the registry...
Did you back up the registry before beginning this?
Most problems are fixed. I regained control of everything, for now, mostly through use of Regclean, an excellent program. I deleted about 50 registry entries that had Winad Client in them. The first day in a month that AVG did not find a virus to move to the virus vault. It's true I have been "mucking about" in the registry. I've been plagued for more than a year by this; it's do or die now. Either NV Dialer dies or the computer will. Might be time for a new computer anyhow.