Relax_B dialer

#1 melduckmanton

Posted 05 June 2004 - 06:18 PM

Relax_B Dialer

I inadvertently downloaded a malicious dialer program which, when I started Internet Explorer, would disconnect me from my usual ISP and try to reconnect me to the internet via a premium rate number.

So I ran up to date versions of Spybot and Ad-aware which removed various bits of junk (none of which leapt out as being dialer related, but then what do I know) and now the malicious dialer no longer intervenes on starting IE.

However the DUN settings I believe to be associated with the dialer are still on the machine. They are as follows:-
Connection Name: Relax_B
Phone No: T09096402800
User Name: spannouk-spuk-7-GB-no @ easy-dialer.com

I've trawled your forum and the internet but can find nothing related to "Relax_B" dialer. How can I be sure if the dialer has been removed/disabled completely and is not just dormant and waiting to re-install/re-activate itself at some later date?

Regards
Mel Duckmanton

Windows XP Professional
Internet Explorer 6

#2 TangleWeb

Posted 05 June 2004 - 06:33 PM

I'm sure you have done this, but delete the connection out of Network Connections, then using Regedit check HKLM Software > Microsoft > Windows > Current Version > Run, RunOnce & RunOnceEX. Look for any entry identifiable as being connected with your rogue dialer. Do the same under HKCU.

It might be interesting to search the registry for the string "relax" & see what you come up with.

If you have never used Regedit & are unfamiliar with doing so, use Hijack This & post your log here.

~Dave

#3 melduckmanton

Posted 06 June 2004 - 07:17 PM

Thanks for getting back to me Dave.

I've deleted the Relax_B connection out of Network Connections.

I've checked HKLM/Software/Microsoft/Windows/Current Version/Run, RunOnce & RunOnceEX & similarly HKCU and found nothing suspicious in any of these.

I did a registry search for "relax" and came up with the following entries/settings:
HKCU/Remote Access/Profile/Relax_B - Auto Connect
HKCU/Software/Microsoft/Windows/Current Version/Internet Settings/Connections - Relax_B
HKU/S-1-5-21-448539723-1177238915-682003330-1003/Remote Access/Profile/Relax_B - Auto Connect
HKU/Software/Microsoft/Windows/Current Version/Internet Settings/Connections - Relax_B

I don't know what they tell you. Do I just delete these?

Regards
Mel Duckmanton

#4 melduckmanton

Posted 10 June 2004 - 05:03 PM

Can anybody tell me what I ought to do with the registry entries for the relax_b dialer?

#5 WinHelp2002 (Global Moderator)

Posted 10 June 2004 - 05:39 PM

melduckmanton,
Download: SpyBot-Search & Destroy 1.3
http://majorgeeks.co...wnload2471.html

Run a scan, "fix" everything marked in red, then reboot.

Download "Hijack This!"
http://www.spywarein.../hijackthis.zip

Create a folder via Windows Explorer for HijackThis, unzip, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

Double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Click: "Save Log" (generates: "hijackthis.log")

Copy and Paste the entire log into your next post.

Note: do not attempt to "Fix" anything, as we need to see the entire log.
Also, if you have any Startup items unchecked in Msconfig, check those items, reboot, then post a fresh log. HijackThis cannot "see" disabled items in Startup.

Hint: after posting your log click "Track this topic" at the top of the page, this way you will be notified (email) when a response is made to your post.
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans with a HOSTS file: http://www.mvps.org/...p2002/hosts.htm

#6 melduckmanton

Posted 11 June 2004 - 07:29 PM

The entries in the registry relating to Relax_B (see earlier post) aren't picked up by Hijack This. I found the entries by doing a search on the registry for "Relax_B" after I had deleted the Relax_B dialer from my pc.

However, I have run S&D as requested and Ad-aware also. And I have run HijackThis too and have attached the log.

The question is: what do I need to do to get rid of the last traces of Relax_B from my pc?

Thanks (in advance) for your help.
Regards
Mel Duckmanton

Logfile of HijackThis v1.97.7
Scan saved at 01:27:04, on 11/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security Professional\NISUM.EXE
C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TBPanel.exe
C:\Program Files\Gigabyte\EasyTune4\et4Tray.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\System32\HotfixQ0306270.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siMailProxyServer.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ixquick.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE6
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EasyTuneIV] C:\Program Files\Gigabyte\EasyTune4\et4Tray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAM_2K.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\System32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"
O4 - HKCU\..\Run: [XP Visual Tools] C:\Program Files\CronoSoft\XP Visual Tools\XP_Visual.exe -s
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.microsoft...hy/clearadj.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab

#7 WinHelp2002 (Global Moderator)

Posted 11 June 2004 - 08:10 PM

Hi,

The entries in the registry relating to Relax_B (see earlier post) aren't picked up by Hijack This.

Then they are not "active", if you are sure of the entries you found then remove them via Regedit. Just make sure you back up the Registry or create a Restore Point before you do.

First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Next:

Close all open windows except for HijackThis, then place a check in each of the following:
Then click "Fix checked".

O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\System32\HotfixQ0306270.exe
O4 - Startup: PowerReg Scheduler.exe


Then reboot, on restart, restart in Safe Mode (see "How To" below)

Open Windows Explorer locate and delete the following:

C:\WINDOWS\System32\HotfixQ0306270.exe <--this file

Restart normally and then ...

Important!
Your system is severely out of date!
Visit Windows Update and install all the "Critical Updates":
http://v4.windowsupd.../en/default.asp
Mike

#8 melduckmanton

Posted 12 June 2004 - 08:00 PM

As suggested, I've deleted the Relax_B entries from the registry (without any apparent ill effects) and I've let HJT fix O4 - Startup: PowerReg Scheduler.exe, which appeared to be a registration nag program for some software.

I'm a bit dubious, however, about fixing HotfixQ0306270.exe, as it appears to be associated with my USB flash disk, although I don't know what the file does and can't remember installing it. Are you confident it's malware?

As for the XP updates, I installed SP1 in the early days and a number of things stopped working properly on my pc so I've had a healthy scepticism of Windows updates since then. Is the operation safer these days?

By the way, thanks for all the help.

Regards
Mel Duckmanton

#9 WinHelp2002 (Global Moderator)

Posted 12 June 2004 - 08:40 PM

Hi,

HotfixQ0306270.exe though as it appears to be associated with my USB flashdisk

If you right-click and select: Properties | Version
I think you'll find there is no info; if this were a legit file, it should have some.

If you "Google" that filename nothing shows up except for 2 HijackThis logs. If you're not sure, contact your USB supplier and ask them if it's their file.


As for Windows Updates: if you do not install them all, this is a waste of time, as you will just get infected over and over. The "Critical Updates" plug security holes that these parasites use to infect your machine.
Mike
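As an added example (not from the thread or from any tool it names), the registry checks Dave outlines in #2 and the file-version check Mike suggests in #9, folded into one read-only PowerShell triage script for a current Windows host: it lists every value under the Run, RunOnce and RunOnceEx keys of HKLM and HKCU together with the CompanyName and FileDescription of the target executable, flags entries that carry no version info or that match a search string, and lists the dial-up profiles under HKCU\RemoteAccess\Profile (assumed here to be the key the thread reports as "Remote Access/Profile"). The $Needle parameter, the Get-ExePath helper and the assumption that Run values are plain command lines are mine; the script changes nothing, it only reports.

```powershell
param([string]$Needle = 'relax')   # search string; 'relax' is the one suggested in #2

# The autorun keys named in #2, for both the machine hive and the current-user hive
$autorunKeys = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce', 'RunOnceEx') {
        "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
    }
}

# Helper added for this example: pull the executable out of a Run command line such as
#   "C:\x\y.exe" -flag   or   C:\x\y.exe /A
# Bare names like point32.exe are returned as-is and are not resolved through PATH.
function Get-ExePath([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $null
}

foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip the provider's own PSPath/PSDrive/... properties
        $exe = Get-ExePath ([string]$p.Value)
        $company = $desc = '(file not found)'
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $vi = (Get-Item -LiteralPath $exe).VersionInfo   # the Properties | Version data from #9
            $company = $vi.CompanyName; $desc = $vi.FileDescription
        }
        # Flags are prompts for review, not verdicts: a legitimate vendor file can also lack a version resource
        $flag = ''
        if (-not $company -and -not $desc) { $flag = 'NO VERSION INFO' }
        if (($p.Name + ' ' + $p.Value) -match $Needle) { $flag = "MATCHES '$Needle'" }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value
                           Company = $company; Description = $desc; Flag = $flag }
    }
}

# Dial-up profiles and their AutoConnect value, the entries the thread found under "Remote Access/Profile"
$ras = 'HKCU:\RemoteAccess\Profile'
if (Test-Path $ras) {
    foreach ($prof in Get-ChildItem -Path $ras) {
        $name = $prof.PSChildName
        [pscustomobject]@{
            Profile     = $name
            AutoConnect = (Get-ItemProperty -Path $prof.PSPath).AutoConnect
            Flag        = $(if ($name -match $Needle) { "MATCHES '$Needle'" } else { '' })
        }
    }
}
```

Pipe the output to Format-Table or Export-Csv to keep a record before deciding what to remove; as Mike notes in #7, back up the Registry or create a Restore Point before deleting anything.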

#10 melduckmanton

Posted 13 June 2004 - 06:34 PM

Hi again,

HotfixQ0306270.exe file properties yielded the following info:-

FileVersion: 3.0.0.3
Description: HotFix Q0306270
Copyright: Copyright c 2003 Prolific Technology Inc

and Prolific are the outfit associated with my flash drive, so I think HotfixQ0306270 is probably legit.

As for the Windows Updates, I hear what you say and I'll take your advice.

Thanks a lot for all your help.

Regards
Mel Duckmanton
