melduckmanton

Relax_B dialer

10 posts in this topic

Relax_B Dialer

 

I inadvertently downloaded a malicious dialer program which, when I started Internet Explorer, would disconnect me from my usual ISP and try to reconnect me to the internet via a premium rate number.

 

So I ran up to date versions of Spybot and Ad-aware which removed various bits of junk (none of which leapt out as being dialer related, but then what do I know) and now the malicious dialer no longer intervenes on starting IE.

 

However the DUN settings I believe to be associated with the dialer are still on the machine. They are as follows:-

Connection Name: Relax_B

Phone No: T09096402800

User Name: spannouk-spuk-7-GB-no @ easy-dialer.com

 

I've trawled your forum and the internet but can find nothing related to "Relax_B" dialer. How can I be sure if the dialer has been removed/disabled completely and is not just dormant and waiting to re-install/re-activate itself at some later date?

 

Regards

Mel Duckmanton

 

Windows XP Professional

Internet Explorer 6


I'm sure you have done this, but delete the connection out of Network Connections, then using Regedit check HKLM Software > Microsoft > Windows > Current Version > Run, RunOnce & RunOnceEX. Look for any entry identifiable as being connected with your rogue dialer. Do the same under HKCU.

 

It might be interesting to search the registry for the string "relax" & see what you come up with.

 

If you have never used Regedit & are unfamiliar with doing so, use Hijack This & post your log here.

 

~Dave

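The checks Dave describes (the Run/RunOnce/RunOnceEx keys under HKLM and HKCU, a registry search for a string, and the dial-up connection entries themselves) can be scripted so the results can be reviewed or posted in one go. This is an added example, not code from the thread; it assumes Windows PowerShell and that the user's dial-up phonebook is the standard rasphone.pbk.

```powershell
# Added example, not from the forum post: audit script for the checks Dave
# describes. Lists the HKLM/HKCU Run, RunOnce and RunOnceEx values, searches the
# current user's hive for a string (default "relax"), and lists the dial-up
# entries in rasphone.pbk with their phone numbers. Assumes Windows PowerShell.
param([string]$Needle = 'relax')

function Get-AutorunValues {
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Run', 'RunOnce', 'RunOnceEx') {
            $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

function Find-RegistryString {
    param([string]$Needle, [string]$Root = 'HKCU:\')
    # Matches key names, value names and string data (case-insensitive regex)
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $k = $_
        if ($k.Name -match $Needle) { "$($k.Name)  (key name)" }
        foreach ($vn in $k.GetValueNames()) {
            $data = $k.GetValue($vn)
            if ($vn -match $Needle -or "$data" -match $Needle) { "$($k.Name)\$vn = $data" }
        }
    }
}

function Get-PhonebookEntries {
    # rasphone.pbk is INI-style: a [Name] header followed by Key=Value lines
    $pbk = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
    if (-not (Test-Path $pbk)) { return }
    $entry = $null
    foreach ($line in Get-Content $pbk) {
        if ($line -match '^\[(.+)\]$') { $entry = $Matches[1] }
        elseif ($entry -and $line -match '^PhoneNumber=(.*)$') {
            [pscustomobject]@{ Entry = $entry; PhoneNumber = $Matches[1] }
        }
    }
}

"== Autorun values =="; Get-AutorunValues | Format-Table -AutoSize
"== Registry hits for '$Needle' under HKCU =="; Find-RegistryString -Needle $Needle
"== Dial-up phonebook entries =="; Get-PhonebookEntries | Format-Table -AutoSize
```

Review every autorun command line and phonebook number by hand; the script only collects them, it does not decide what is malicious.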

Thanks for getting back to me Dave.

 

I've deleted the Relax_B connection out of Network Connections.

 

I've checked HKLM/Software/Microsoft/Windows/Current Version/Run, RunOnce & RunOnceEX & similarly HKCU and found nothing suspicious in any of these.

 

I did a registry search for "relax" and came up with the following entries/settings:

HKCU/Remote Access/Profile/Relax_B - Auto Connect

HKCU/Software /Microsoft /Windows /Current Version /Internet /Settings /Connections - Relax_B

HKU /S-1-5-21-448539723-1177238915-682003330-1003 /Remote Access /Profile /Relax_B - Auto Connect

HKU /Software /Microsoft /Windows /Current Version /Internet Settings /Connections - Relax_B

 

I don't know what they tell you. Do I just delete these?

 

Regards

Mel Duckmanton


melduckmanton,

Download: SpyBot-Search & Destroy 1.3

http://majorgeeks.com/download2471.html

 

Run a scan, "fix" everything marked in red, then reboot.

 

Download "Hijack This!"

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

 

Create a folder via Windows Explorer for HijackThis, unzip, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

 

Double-click "HijackThis.exe" and Press "Scan".

 

When the scan is finished, the "Scan" button will change into a "Save Log" button.

Click: "Save Log" (generates: "hijackthis.log")

 

Copy and Paste the entire log into your next post.

 

Note: do not attempt to "Fix" anything, as we need to see the entire log.

Also, if you have any Startup items unchecked in Msconfig, uncheck those items, reboot, then post a fresh log. HijackThis cannot "see" disabled items in Startup.

 

Hint: after posting your log click "Track this topic" at the top of the page, this way you will be notified (email) when a response is made to your post.


The entries in the registry relating to Relax_B (see earlier post) aren't picked up by Hijack This. I found the entries by doing a search on the registry for "Relax_B" after I had deleted the Relax_B dialer from my pc.

 

However, I have run S&D as requested and Ad-aware also. And I have run HijackThis too and have attached the log.

 

The question is: what do I need to do to get rid of the last traces of Relax_B from my pc?

 

 

Thanks (in advance) for your help.

Regards

Mel Duckmanton

 

Logfile of HijackThis v1.97.7

Scan saved at 01:27:04, on 11/06/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton Internet Security Professional\NISUM.EXE

C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\ScsiAccess.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\TBPanel.exe

C:\Program Files\Gigabyte\EasyTune4\et4Tray.exe

C:\Program Files\ahead\InCD\InCD.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe

C:\WINDOWS\System32\HotfixQ0306270.exe

C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe

C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\GIANT Company Software\Spam Inspector\siMailProxyServer.exe

C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ixquick.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE6

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [EasyTuneIV] C:\Program Files\Gigabyte\EasyTune4\et4Tray.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAM_2K.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe

O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\System32\HotfixQ0306270.exe

O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"

O4 - HKCU\..\Run: [XP Visual Tools] C:\Program Files\CronoSoft\XP Visual Tools\XP_Visual.exe -s

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.microsoft.com/typography/clearadj.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab


Hi,

The entries in the registry relating to Relax_B (see earlier post) aren't picked up by Hijack This.

Then they are not "active". If you are sure of the entries you found, then remove them via Regedit. Just make sure you back up the Registry or create a Restore Point before you do.

 

First thing to do is ...

 

Reconfigure Windows Explorer to show Hidden Files:

Open the Windows Explorer Folder Options - View [tab]:

 

Scroll down to the "Files and Folders" section.

Select: "Display the contents of system folders".

 

Scroll down to the "Hidden Files and Folders" section.

Select: "Show hidden files and folders", Ok the prompt

Uncheck: "Hide file extensions for known file types"

Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

 

Click the "Apply to all Folders" button. Close Windows Explorer.

 

Next:

 

Close all open windows except for HijackThis. In HijackThis, place a check next to each of the following, then click "Fix checked":

 

O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\System32\HotfixQ0306270.exe

O4 - Startup: PowerReg Scheduler.exe

 

Then reboot, on restart, restart in Safe Mode (see "How To" below)

 

Open Windows Explorer locate and delete the following:

 

C:\WINDOWS\System32\HotfixQ0306270.exe <--this file

 

Restart normally and then ...

 

Important!

Your system is severely out of date!

Visit Windows Update and install all the "Critical Updates"

http://v4.windowsupdate.microsoft.com/en/default.asp


As suggested, I've deleted the Relax_B entries from the registry (without any apparent ill effects) and I've let HJT fix O4 - Startup: PowerReg Scheduler.exe, which appeared to be a registration nag program for some software.

 

I'm a bit dubious, however, about fixing HotfixQ0306270.exe, as it appears to be associated with my USB flashdisk, although I don't know what the file does and can't remember installing it. Are you confident it's malware?

 

As for the XP updates, I installed SP1 in the early days and a number of things stopped working properly on my pc so I've had a healthy scepticism of Windows updates since then. Is the operation safer these days?

 

By the way, thanks for all the help.

 

Regards

Mel Duckmanton


Hi,

HotfixQ0306270.exe though as it appears to be associated with my USB flashdisk

If you right-click and select: Properties | Version

I think you'll find there is no info; if this were a legit file, it should have.

 

If you "Google" that filename nothing shows up except for 2 Hijack logs. If you're not sure, contact your USB supplier and ask them if it's their file.

 

 

As for Windows Updates: if you do not install them all, this is a waste of time, as you will just get infected over and over ... the "Critical Updates" plug security holes that these parasites use to infect your machine.

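The file check the reply describes (look at Properties | Version, and confirm with the vendor if unsure) can be gathered in one step together with the file's signature and hash, which gives the vendor something concrete to confirm against. This is an added example, not code from the thread; it assumes Windows PowerShell 4 or later (for Get-FileHash), and the default path is the file named in the HijackThis log above.

```powershell
# Added example, not from the forum reply: gather the evidence the reply asks for
# about one autorun file (version resource, Authenticode signature, hash) before
# deciding whether to remove it. Assumes Windows PowerShell 4+ (Get-FileHash).
# The default path is the file named in the HijackThis log in this thread.
param([string]$Path = 'C:\WINDOWS\System32\HotfixQ0306270.exe')

function Get-FileEvidence {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    $file = Get-Item -LiteralPath $Path
    $vi   = $file.VersionInfo                      # same data as the Properties | Version tab
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    # Heuristic verdict only: an empty version resource is a warning sign, and an
    # unsigned file that names a vendor still needs that vendor's confirmation.
    $verdict = if ($sig.Status -eq 'Valid') { 'signed - check that the signer is the expected vendor' }
               elseif (-not $vi.CompanyName) { 'no version info - treat as suspect' }
               else { 'unsigned - confirm with the named vendor' }

    [pscustomobject]@{
        Path        = $file.FullName
        SizeBytes   = $file.Length
        Created     = $file.CreationTime
        CompanyName = $vi.CompanyName
        Description = $vi.FileDescription
        FileVersion = $vi.FileVersion
        Copyright   = $vi.LegalCopyright
        Signature   = $sig.Status                  # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Verdict     = $verdict
    }
}

Get-FileEvidence -Path $Path | Format-List
```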

Hi again,

 

HotfixQ0306270.exe file properties yielded the following info:-

 

FileVersion: 3.0.0.3

Description: HotFix Q0306270

Copyright: Copyright c 2003 Prolific Technology Inc

 

and Prolific are the outfit associated with my flash drive, so I think HotfixQ0306270 is probably legit.

 

As for the Windows Updates, I hear what you say and I'll take your advice.

 

Thanks a lot for all your help.

 

Regards

Mel Duckmanton
