Trusted Zone: http://*.63.219.181.7

Hi,

I need help here. I got this Trusted Zone: http://*.63.219.181.7 problem that I can not get rid of. The following is my hijackthis log file.

Logfile of HijackThis v1.99.1
Scan saved at 下午 11:38:23, on 2005/5/4
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\WINDOWS\inertinfo.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\Bin\hpoant07.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\dosxpd.exe
C:\WINDOWS\System32\audissrp.exe
C:\WINDOWS\System32\fixmapirs.exe
C:\Documents and Settings\T C\桌面\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Name - {12D146E6-CA93-4454-9623-F7E2337C082F} - C:\WINDOWS\System32\msehb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [runload32] Uint32.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe "
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [inertinfo.exe] C:\WINDOWS\inertinfo.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe "
O4 - HKCU\..\Run: [Testimonials] utsgmon.exe
O4 - HKCU\..\Run: [PrcIdle] new32.exe
O4 - HKCU\..\Run: [bingo9] SpyElim.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://ebank.landbank.com.tw/CorporateBank/Download/XENROLL.cab
O16 - DPF: {239B96C6-DBAE-11D6-BABA-0050BA12C71A} (TAIMAC10 Control) - https://ebank.landbank.com.tw/CorporateBank/Download/taimac10.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15b5c8bdd7d016564606/netzip/RdxIE601_tw.cab
O16 - DPF: {FC25B780-75BE-11CF-8B01-444553540000} (Chart Object) - http://activex.microsoft.com/activex/controls/iexplorer/x86/iechart.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{82713E90-54E4-4E24-A5A5-B4BCD72F39B9}: NameServer = 69.50.176.197 195.225.176.31

Thanks


TC

 

aggie96--You really should start a new thread for your problem.
Suggest you follow the instructions here
http://www.windowsbbs.com/showthread.php?t=37074


FWIW--That IP address belongs to
connect.online-dialer.com (63.219.181.7)

63.216.0.0 - 63.223.255.255
Beyond The Network America, Inc.
Reston Executive Center
12100 Sunset Hills Road, Suite 300
Reston, VA
US


contact: Ray, Jerry
jray@btnaccess.com
+1-703-621-0012

It may be connected to a "dialer" program. Have you checked your phone bill lately?

 

Welcome to WindowsBBS aggie96

Please download remv3.zip, saving to your desktop. Right click and extract the files to a new folder (the files must remain together in a folder of their own).

Set Windows to show hidden files and folders.

Either reboot and repeatedly tap F8 to enable the start menu and select safe mode, or go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and click OK. Click yes to restart. This will restart your computer in safe mode. Logon to your user account.

Open the folder with the tool and double click the remv3.bat file to run it. When the tool finishes, uncheck the /safeboot box and click ok to reboot if you used msconfig. Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK. If you used F8, just reboot back into Windows.

A text file named log.txt will have been created in Local Disk C: Please open and post the contents of that log as well as a new HijackThis log.

 

More info added in another thread.

http://windowsbbs.com/showthread.php?t=44361

 

Hi, Dave,

The following is the log file,
Files Found.................
----------------------------------------
dskrfuoui.dll
audissrp.exe
autodmfp.exe
chkntfsfat.exe
docntrop.dll
fixmapirs.exe
dwcrnt.exe
diantzpt.exe
dosxpd.exe

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
磁碟區 C 中的磁碟沒有標籤。
磁碟區序號: 0C57-03FA

C:\WINDOWS\system32 的目錄

2005/04/30 下午 08:00 19,456 hdahp.dll
2005/04/13 下午 04:36 19,456 hdana.dll
2005/04/11 下午 05:40 19,456 hdcqi.dll
2005/04/17 上午 08:16 19,456 hddgs.dll
2005/04/24 下午 06:41 19,456 hddpv.dll
2005/04/16 下午 02:46 19,456 hdfsi.dll
2005/04/18 下午 03:49 19,456 hdfuf.dll
2005/04/01 下午 08:46 19,456 hdghg.dll
2005/04/06 下午 08:52 19,456 hdgyk.dll
2005/05/02 下午 09:14 19,456 hdjlx.dll
2005/04/24 下午 03:24 19,456 hdjza.dll
2005/04/26 下午 05:53 19,456 hdkfa.dll
2005/04/23 上午 06:50 19,456 hdkig.dll
2005/04/02 上午 07:14 19,456 hdkii.dll
2005/04/23 下午 01:45 19,456 hdkju.dll
2005/04/09 下午 04:38 19,456 hdkts.dll
2005/03/26 下午 11:18 19,456 hdlgo.dll
2005/04/19 下午 06:00 19,456 hdmhk.dll
2005/04/17 下午 08:14 19,456 hdorn.dll
2005/04/10 上午 09:35 19,456 hdqss.dll
2005/04/04 下午 04:30 19,456 hdrda.dll
2005/04/22 下午 09:00 19,456 hdsds.dll
2005/04/07 下午 06:15 19,456 hdtln.dll
2005/04/23 下午 08:25 19,456 hdtul.dll
2005/04/05 下午 04:06 19,456 hdvyl.dll
2005/03/28 下午 04:25 19,456 hdwwl.dll
2005/05/05 下午 04:42 19,456 hdyrv.dll
27 個檔案 525,312 位元組
0 個目錄 39,021,305,856 位元組可用
msi.dll
Finished

and the new hijackthis file,
Logfile of HijackThis v1.99.1
Scan saved at 上午 01:11:11, on 2005/5/6
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\inertinfo.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 5100 series\Bin\hpoant07.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Documents and Settings\T C\桌面\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Name - {0E37AF04-AFE0-4167-9476-B777841D2601} - C:\WINDOWS\System32\msehb.dll (file missing)
O2 - BHO: Name - {12D146E6-CA93-4454-9623-F7E2337C082F} - C:\WINDOWS\System32\msehb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dwcrnt.exe] dwcrnt.exe
O4 - HKLM\..\Run: [runload32] Uint32.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe "
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [inertinfo.exe] C:\WINDOWS\inertinfo.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe "
O4 - HKCU\..\Run: [Testimonials] utsgmon.exe
O4 - HKCU\..\Run: [PrcIdle] new32.exe
O4 - HKCU\..\Run: [bingo9] SpyElim.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://ebank.landbank.com.tw/CorporateBank/Download/XENROLL.cab
O16 - DPF: {239B96C6-DBAE-11D6-BABA-0050BA12C71A} (TAIMAC10 Control) - https://ebank.landbank.com.tw/CorporateBank/Download/taimac10.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15b5c8bdd7d016564606/netzip/RdxIE601_tw.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FC25B780-75BE-11CF-8B01-444553540000} (Chart Object) - http://activex.microsoft.com/activex/controls/iexplorer/x86/iechart.cab

Thanks for your help.

 

Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

O2 - BHO: Name - {0E37AF04-AFE0-4167-9476-B777841D2601} - C:\WINDOWS\System32\msehb.dll (file missing)
O2 - BHO: Name - {12D146E6-CA93-4454-9623-F7E2337C082F} - C:\WINDOWS\System32\msehb.dll (file missing)
O4 - HKLM\..\Run: [dwcrnt.exe] dwcrnt.exe
O4 - HKLM\..\Run: [runload32] Uint32.exe
O4 - HKCU\..\Run: [inertinfo.exe] C:\WINDOWS\inertinfo.exe
O4 - HKCU\..\Run: [Testimonials] utsgmon.exe
O4 - HKCU\..\Run: [PrcIdle] new32.exe
O4 - HKCU\..\Run: [bingo9] SpyElim.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Copy the list of filenames below. Open the ver2.txt file in the remv3 folder and add them to the list, then close, saving changes.

hdahp.dll
hdana.dll
hdcqi.dll
hddgs.dll
hddpv.dll
hdfsi.dll
hdfuf.dll
hdghg.dll
hdgyk.dll
hdjlx.dll
hdjza.dll
hdkfa.dll
hdkig.dll
hdkii.dll
hdkju.dll
hdkts.dll
hdlgo.dll
hdmhk.dll
hdorn.dll
hdqss.dll
hdrda.dll
hdsds.dll
hdtln.dll
hdtul.dll
hdvyl.dll
hdwwl.dll
hdyrv.dll
Q2152921.dll
sprmove.exe
Restart.exe

Again, reboot to safe mode and run the remv3 tool. When it finishes, open C:\Temp if present, select all and delete.
Open C:\Windows\Temp, select all and delete.
Open C:\Windows\Prefetch, select all and delete.
Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all username folders.
Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content.
Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

Reboot back into Windows.

If you don't have them already, download and install both Spybot 1.3 and Ad-aware SE Personal 1.05 (both free) from the links in my signature. Allow Spybot to load SDHelper upon installation. Immediately check for updates to both programs. Run Spybot and fix everything it finds and prechecks (items in red). Run Ad-aware in the full scan mode, right click within the scan results and select all, then click next and allow removal. (if you do have them already, update and scan) Reboot and do an online virus scan with RAV. If any files are infected, copy the results and post it here. Run another HijackThis scan and post the new log, as well as the new log.txt from the tool.