TIBS Dialer, Dialer.WSV and hiden.exe errors

Denmore · #1 (**permalink**) 08-02-2005, 06:21 AM

I want to thank you in advance for any help that you can give me. I have tried for several days now to get this problem fixed on my own. I am now ready to pull my hair out!

Here is my log - Any assistance you can give would be GREAT!

Just to let you know - I have ran Adaware, Spybot, Spy Sweeper as well as Nortons. In addition to running in Normal Mode I have also gone into Safe Mode and ran all three.

Logfile of HijackThis v1.99.0
Scan saved at 7:43:52 PM, on 2/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\telcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\ieexec.exe
C:\WINDOWS\System32\hiden.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\hicom.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Documents and Settings\Dennis Moreland\Start Menu\Programs\Startup\winupdate70943290[1].exe
C:\WINDOWS\wanmpsvc.exe
C:\DOCUME~1\DENNIS~1\LOCALS~1\Temp\tmp87.tmp
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update. exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\tmpf01.exe
C:\Program Files\WebSiteViewer\127051.dlr
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Documents and Settings\Dennis Moreland\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://soft-trend.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.allwebseek.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.allwebseek.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.allwebseek.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs " /args //b startupdelay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [ieexec.exe] ieexec.exe
O4 - HKLM\..\Run: [j53M973] C:\WINDOWS\vcyok.exe
O4 - HKLM\..\Run: [gzuz] C:\WINDOWS\gzuz.exe
O4 - HKLM\..\Run: [TKDpCFZ] C:\WINDOWS\wcecrh.exe
O4 - HKLM\..\Run: [1QBB] C:\WINDOWS\btpbbv.exe
O4 - HKLM\..\Run: [dcnghql] C:\WINDOWS\dcnghql.exe
O4 - HKLM\..\Run: [hiden.exe] hiden.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [d004RRZ8Q] attmgvw.exe
O4 - Startup: winupdate70943290[1].exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/10c286949fb488d...zip/RdxIE2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1107728593812
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_02) - https://kronos.wirelessretailinc.com...3_1_02-win.exe
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O21 - SSODL: MSMserv - {1A6DFE47-918F-4139-844B-AF8C3A70515B} - C:\WINDOWS\System32\ir50odem.dll
O21 - SSODL: NTWSMON - {397E0F5C-5DA3-4E9D-A0CF-295B35E7AC28} - C:\WINDOWS\System32\mssatpki.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Brother Popup Suspend service for Resource manager - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Manageer Network Connections - Unknown - C:\WINDOWS\System32\telcmd.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service - Unknown - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Working Network Connections - Unknown - C:\WINDOWS\System32\hicom.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Winkefc - Unknown - C:\WINDOWS\System32\Winkefc.exe (file missing)
O23 - Service: Winkewa - Unknown - C:\WINDOWS\System32\Winkewa.exe (file missing)
O23 - Service: Winkltb - Unknown - C:\WINDOWS\System32\Winkltb.exe (file missing)
O23 - Service: Winkma - Unknown - C:\WINDOWS\System32\Winkma.exe (file missing)
O23 - Service: Winkmka - Unknown - C:\WINDOWS\System32\Winkmka.exe (file missing)
O23 - Service: Winkmro - Unknown - C:\WINDOWS\System32\Winkmro.exe (file missing)
O23 - Service: Winknj - Unknown - C:\WINDOWS\System32\Winknj.exe (file missing)
O23 - Service: Winkrir - Unknown - C:\WINDOWS\System32\Winkrir.exe (file missing)
O23 - Service: Winkse - Unknown - C:\WINDOWS\System32\Winkse.exe (file missing)
O23 - Service: Winkxo - Unknown - C:\WINDOWS\System32\Winkxo.exe (file missing)

owen · #2 (**permalink**) 09-02-2005, 10:16 PM

Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://soft-trend.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.allwebseek.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.allwebseek.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.allwebseek.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [ieexec.exe] ieexec.exe
O4 - HKLM\..\Run: [j53M973] C:\WINDOWS\vcyok.exe
O4 - HKLM\..\Run: [gzuz] C:\WINDOWS\gzuz.exe
O4 - HKLM\..\Run: [TKDpCFZ] C:\WINDOWS\wcecrh.exe
O4 - HKLM\..\Run: [1QBB] C:\WINDOWS\btpbbv.exe
O4 - HKLM\..\Run: [dcnghql] C:\WINDOWS\dcnghql.exe
O4 - HKLM\..\Run: [hiden.exe] hiden.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKCU\..\Run: [d004RRZ8Q] attmgvw.exe
O4 - Startup: winupdate70943290[1].exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/10c286949fb488...tzip/RdxIE2.cab
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O21 - SSODL: MSMserv - {1A6DFE47-918F-4139-844B-AF8C3A70515B} - C:\WINDOWS\System32\ir50odem.dll
O21 - SSODL: NTWSMON - {397E0F5C-5DA3-4E9D-A0CF-295B35E7AC28} - C:\WINDOWS\System32\mssatpki.dll
O23 - Service: Panda Process Protection Service - Unknown - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Winkefc - Unknown - C:\WINDOWS\System32\Winkefc.exe (file missing)
O23 - Service: Winkewa - Unknown - C:\WINDOWS\System32\Winkewa.exe (file missing)
O23 - Service: Winkltb - Unknown - C:\WINDOWS\System32\Winkltb.exe (file missing)
O23 - Service: Winkma - Unknown - C:\WINDOWS\System32\Winkma.exe (file missing)
O23 - Service: Winkmka - Unknown - C:\WINDOWS\System32\Winkmka.exe (file missing)
O23 - Service: Winkmro - Unknown - C:\WINDOWS\System32\Winkmro.exe (file missing)
O23 - Service: Winknj - Unknown - C:\WINDOWS\System32\Winknj.exe (file missing)
O23 - Service: Winkrir - Unknown - C:\WINDOWS\System32\Winkrir.exe (file missing)
O23 - Service: Winkse - Unknown - C:\WINDOWS\System32\Winkse.exe (file missing)
O23 - Service: Winkxo - Unknown - C:\WINDOWS\System32\Winkxo.exe (file missing)

Click Fix Checked

Download the Pocket Killbox from here.

Unzip it and run the program.

Put a check in the Delete on Reboot box.

Enter each of these lines into the white box one by one and then press the red X button. If firsts asks to confirm the deletion after each entry is added and the red X is pressed, you need to click yes, but it also asks if you want to Reboot. Click No each time until the last entries been entered.

C:\WINDOWS\System32\snim.dll
C:\WINDOWS\System32\ir50odem.dll
C:\WINDOWS\System32\mssatpki.dll
C:\Program Files\AdStatus Service
C:\WINDOWS\System32\ieexec.exe
C:\WINDOWS\vcyok.exe
C:\WINDOWS\gzuz.exe
C:\WINDOWS\wcecrh.exe
C:\WINDOWS\btpbbv.exe
C:\WINDOWS\dcnghql.exe
C:\WINDOWS\System32\hiden.exe
C:\Documents and Settings\Dennis Moreland\Start Menu\Programs\Startup\winupdate70943290[1].exe

When KillBox has rebooted your system, post a fresh log here.