123 Mania

  1. 08-08-2004  #1
    Jazz25
    Jazz25 is offline Newbie

    Smile 123 Mania

    Hey averyone this is my first post and im a total computer novice. My computer has been taking over by 123 mania and the phone bill was massive with 30 quid worth of calls from premium numbers which i suspect are from the popups from 123 mania. My dad is threatening to dissconect the internet so any help would be appreciated.

  3. 08-08-2004  #2
    owen
    owen is offline D-A-L Team Member (UK)
    You probably have a lack of protection which has lead to a premium rate dialler being downloaded.

    First of all, read the info contained in the Hijack This Logs post. Run the appropriate programs, then post a Hijack This log here.
  4. 09-08-2004  #3
    Jazz25
    Jazz25 is offline Newbie
    Logfile of HijackThis v1.98.2
    Scan saved at 01:22:24, on 09/08/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Classic PhoneTools\CapFax.EXE
    C:\WINDOWS\System32\rznzmde.exe
    C:\WINDOWS\SM1BG.EXE
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jane\Local Settings\Temporary Internet Files\Content.IE5\0DAZ4VWN\hijackthis[1].exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - {15651C7C-E812-44a2-A9AC-B467A2233E7D} - (no file)
    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
    O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll (file missing)
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\2.bin\S4BAR.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {622CC208-B014-4FE0-801B-874A5E5E403A} - (no file)
    O2 - BHO: (no name) - {9C5B2F29-1F46-4639-A6B4-828942301D3E} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2EEAC0D8-0112-4F85-878B-BC92A792D660} - (no file)
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\2.bin\S4BAR.DLL
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKLM\..\Run: [LoadSIPS] rundll32.exe C:\WINDOWS\System32\SIPSPI32.dll,SIPSPI32
    O4 - HKLM\..\Run: [eesfyx] C:\WINDOWS\System32\rznzmde.exe
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
    O4 - HKCU\..\Run: [msbb] c:\program files\n-case\msbb.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Msn Messenger - {068C36CF-483E-4CA8-A7F2-10EFFDA49C45} - http://www.accesoplugin.com/prom/a_m...uk&ver=1&t=new (file missing)
    O9 - Extra button: Mis Programas - {4358161B-A4B8-498E-8019-3DAB50DFD578} - http://www.accesoplugin.com/prom/a_p...uk&ver=1&t=new (file missing)
    O9 - Extra button: FastDownloads - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\FastDownloads (file missing)
    O9 - Extra button: Msn Messenger - {C8950078-94A4-4C32-BB9C-4666357965AF} - C:\msntmpuk\index.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...271ab95b94951b
    O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} - http://www.accesoplugin.com/dialerca...ernacional.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.co.uk/client/setup.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...3/mcinsctl.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17a511b5...p/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/laaplicacion.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab
    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gampr-gb/gbp/games4.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.fastmp3.nl/test/nl.exe
    O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1025962.exe
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gbn1176.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6678AB00-229E-4A62-A71A-16DA9831B066}: NameServer = 212.67.96.129 212.67.120.148

    Thanks for the quick response!
    Last edited by Jazz25; 09-08-2004 at 01:39 AM.
  5. 09-08-2004  #4
    owen
    owen is offline D-A-L Team Member (UK)
    Hi,
    I have all the information of which entries you need to remove, but before I remove anything, download Hijack This again from http://hjt.isecureit.co.uk and ensure that you press Save and not Open. Save the file in a convienient place. Then let me know when you have done that and I'll post the information. Thanks.
  6. 09-08-2004  #5
    Jazz25
    Jazz25 is offline Newbie
    ok ive saved it to my desktop.
  7. 09-08-2004  #6
    owen
    owen is offline D-A-L Team Member (UK)
    Post a new log please
  8. 09-08-2004  #7
    Jazz25
    Jazz25 is offline Newbie
    Im having trouble ive saved it to my desktop but the window for hijack it has not come up.
  9. 09-08-2004  #8
    owen
    owen is offline D-A-L Team Member (UK)
    Double click the file hijackthis.exe on the Desktop to run Hijack This.
  10. 09-08-2004  #9
    Jazz25
    Jazz25 is offline Newbie
    Quote Originally Posted by owen
    Double click the file hijackthis.exe on the Desktop to run Hijack This.
    Logfile of HijackThis v1.98.2
    Scan saved at 22:36:06, on 09/08/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Classic PhoneTools\CapFax.EXE
    C:\WINDOWS\System32\rznzmde.exe
    C:\WINDOWS\SM1BG.EXE
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jane\My Documents\hijackthis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - {15651C7C-E812-44a2-A9AC-B467A2233E7D} - (no file)
    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
    O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll (file missing)
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\2.bin\S4BAR.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {622CC208-B014-4FE0-801B-874A5E5E403A} - (no file)
    O2 - BHO: (no name) - {9C5B2F29-1F46-4639-A6B4-828942301D3E} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2EEAC0D8-0112-4F85-878B-BC92A792D660} - (no file)
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\2.bin\S4BAR.DLL
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKLM\..\Run: [LoadSIPS] rundll32.exe C:\WINDOWS\System32\SIPSPI32.dll,SIPSPI32
    O4 - HKLM\..\Run: [eesfyx] C:\WINDOWS\System32\rznzmde.exe
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Msn Messenger - {068C36CF-483E-4CA8-A7F2-10EFFDA49C45} - http://www.accesoplugin.com/prom/a_m...uk&ver=1&t=new (file missing)
    O9 - Extra button: Mis Programas - {4358161B-A4B8-498E-8019-3DAB50DFD578} - http://www.accesoplugin.com/prom/a_p...uk&ver=1&t=new (file missing)
    O9 - Extra button: FastDownloads - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\FastDownloads (file missing)
    O9 - Extra button: Msn Messenger - {C8950078-94A4-4C32-BB9C-4666357965AF} - C:\msntmpuk\index.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...271ab95b94951b
    O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} - http://www.accesoplugin.com/dialerca...ernacional.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.co.uk/client/setup.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...3/mcinsctl.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17a511b5...p/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/laaplicacion.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab
    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gampr-gb/gbp/games4.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.fastmp3.nl/test/nl.exe
    O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1025962.exe
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gbn1176.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6678AB00-229E-4A62-A71A-16DA9831B066}: NameServer = 212.67.96.129 212.67.120.148

    Finally i managed it!
    Last edited by Jazz25; 09-08-2004 at 10:46 PM.
  11. 10-08-2004  #10
    owen
    owen is offline D-A-L Team Member (UK)
    Save 20% on AVG Internet Security 2012 Suite!
    Well done

    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - {15651C7C-E812-44a2-A9AC-B467A2233E7D} - (no file)
    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
    O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll (file missing)
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\2.bin\S4BAR.DLL
    O2 - BHO: (no name) - {622CC208-B014-4FE0-801B-874A5E5E403A} - (no file)
    O2 - BHO: (no name) - {9C5B2F29-1F46-4639-A6B4-828942301D3E} - (no file)
    O3 - Toolbar: (no name) - {2EEAC0D8-0112-4F85-878B-BC92A792D660} - (no file)
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\2.bin\S4BAR.DLL
    O4 - HKLM\..\Run: [LoadSIPS] rundll32.exe C:\WINDOWS\System32\SIPSPI32.dll,SIPSPI32
    O4 - HKLM\..\Run: [eesfyx] C:\WINDOWS\System32\rznzmde.exe
    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
    O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
    O9 - Extra button: Msn Messenger - {068C36CF-483E-4CA8-A7F2-10EFFDA49C45} - http://www.accesoplugin.com/prom/a_...puk&ver=1&t=new (file missing)
    O9 - Extra button: Mis Programas - {4358161B-A4B8-498E-8019-3DAB50DFD578} - http://www.accesoplugin.com/prom/a_...puk&ver=1&t=new (file missing)
    O9 - Extra button: FastDownloads - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\FastDownloads (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...71 ab95b94951b
    O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} - http://www.accesoplugin.com/dialerc...ternacional.cab
    O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.fastmp3.nl/test/nl.exe
    O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1025962.exe
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gbn1176.exe

    Click Fix Checked

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

    Then go to C:\Program Files and delete the following:
    WindowsSA
    WindUpdates
    MySearch

    Then go to C:\WINDOWS\System32\ and delete the following:
    SIPSPI32.dll
    rznzmde.exe

    Then go Start> Search and Search for files and folders. Search for and delete:
    wuamgrd.exe

    Then reboot and post a fresh log
+ Reply to Thread
« kelp's list of many, many problems(HiJackThis .log included) | Help Needed with ads234 (Resolved) »