need help to delete the all in one spyware



zul32
2007-06-30, 23:44
Hello, I need help removing the all-in-one Telecom that's infected my PC. I can't get spybot to successfully remove it. I tried a full spybot scan, both with regular windows, after the reboot, and also in safe-mode like the instructions indicated. I also did a full anti-virus scan as requested. Next, I downloaded and installed the hijackthis software, and here is my "paste" of what the log shows. Please help me remove this.
Thank you,
Wes

Logfile of HijackThis v1.99.1
Scan saved at 11:33:49 AM, on 6/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: 204.230.154.16 ussam201
O1 - Hosts: 204.230.154.17 ussam202
O1 - Hosts: 204.230.154.18 ussam203
O1 - Hosts: 204.230.154.22 ussam204
O1 - Hosts: 148.92.172.228 uslcscs300
O1 - Hosts: 198.132.135.209 usplscs100
O1 - Hosts: 165.253.33.20 sf1d5
O1 - Hosts: 165.253.33.201
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\System32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: PowerReg SchedulerV2.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra 'Tools' menuitem: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\AIM.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149994510968
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://207.14.155.30/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0E0756B-8A82-4D85-9A4B-7224FE94C21B}: NameServer = 4.2.2.2,4.2.2.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: nim - {3D206AE2-3039-413B-B748-3ACC562EC22A} - C:\Novell\Messenger\nmcg32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

shelf life
2007-07-14, 05:11
hi zul32,

Log looks OK. The scan is pretty old; can you post a new one?
Did you add these to your host file?

O1 - Hosts: 204.230.154.16 ussam201
O1 - Hosts: 204.230.154.17 ussam202
O1 - Hosts: 204.230.154.18 ussam203
O1 - Hosts: 204.230.154.22 ussam204
O1 - Hosts: 148.92.172.228 uslcscs300
O1 - Hosts: 198.132.135.209 usplscs100
O1 - Hosts: 165.253.33.20 sf1d5
O1 - Hosts: 165.253.33.201
--------------------------
Do a scan with Spybot. When it's done, right-click in the result window and select "copy result". Copy/paste the results into Notepad, then post that back here also. Don't copy the full report; it's too long.

shelf life

zul32
2007-07-15, 07:04
OK, I'm running another scan right now. I don't know what you mean by "did you add these to your host file?"

I'll post the results in the next reply.

zul32
2007-07-15, 07:16
CasaleMedia: Tracking cookie (Internet Explorer: wes) (Cookie, nothing done)

AdRevolver: Tracking cookie (Internet Explorer: wes) (Cookie, nothing done)

AdRevolver: Tracking cookie (Internet Explorer: wes) (Cookie, nothing done)

Advertising.com: Tracking cookie (Internet Explorer: wes) (Cookie, nothing done)

All-In-One Telcom: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\SiteIcons

All-In-One Telcom: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-20\Software\SiteIcons

All-In-One Telcom: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-19\Software\SiteIcons

All-In-One Telcom: User settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\SiteIcons

Avenue A, Inc.: Tracking cookie (Internet Explorer: wes) (Cookie, nothing done)

BlueStreak: Tracking cookie (Internet Explorer: wes) (Cookie, nothing done)

Cassava: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2025429265-746137067-1957994488-1004\Software\VHLD

DoubleClick: Tracking cookie (Internet Explorer: wes) (Cookie, nothing done)

Engage, Inc.: Tracking cookie (Internet Explorer: wes) (Cookie, nothing done)

FastClick: Tracking cookie (Internet Explorer: wes) (Cookie, nothing done)

MediaPlex: Tracking cookie (Internet Explorer: wes) (Cookie, nothing done)


MediaPlex: Tracking cookie (Internet Explorer: wes) (Cookie, nothing done)

Omniture: Tracking cookie (Internet Explorer: wes) (Cookie, nothing done)

Omniture: Tracking cookie (Internet Explorer: wes) (Cookie, nothing done)

Omniture: Tracking cookie (Internet Explorer: wes) (Cookie, nothing done)

TagASaurus: Tracking cookie (Internet Explorer: wes) (Cookie, nothing done)

WebTrends live: Tracking cookie (Internet Explorer: wes) (Cookie, nothing done)

Zedo: Tracking cookie (Internet Explorer: wes) (Cookie, nothing done)


--- Spybot - Search && Destroy version: 1.3 ---
2004-11-29 Includes\LSP.sbi
2007-05-30 Includes\Dialer.sbi
2007-05-30 Includes\Security.sbi
2007-07-11 Includes\Hijackers.sbi
2007-07-11 Includes\Keyloggers.sbi
2007-07-11 Includes\Malware.sbi
2007-07-11 Includes\PUPS.sbi
2007-07-11 Includes\Spybots.sbi
2007-07-03 Includes\Trojans.sbi
2007-07-11 Includes\Cookies.sbi
2007-07-11 Includes\Revision.sbi
2005-02-17 Includes\Tracks.uti
2007-07-11 Includes\TrojansC.sbi
2007-07-11 Includes\SpybotsC.sbi
2007-07-11 Includes\SecurityC.sbi
2007-07-11 Includes\PUPSC.sbi
2007-07-11 Includes\MalwareC.sbi
2007-07-11 Includes\KeyloggersC.sbi
2007-07-11 Includes\HijackersC.sbi
2007-07-11 Includes\DialerC.sbi
2007-06-06 Plugins\TCPIPAddress.dll

zul32
2007-07-15, 07:27
OK, I got rid of everything now except for the All-In-One Telcom. I also just ran an Adaware scan and cleaned up some things found on that too.
You want me to do another new scan?

shelf life
2007-07-15, 17:37
hi zul32,

Thanks for the info. Cookies really aren't too much to worry about. I do see the All-In-One Telcom. It is a registry value and probably a harmless leftover from a previous clean-up. Did Adaware flag anything other than cookies?

Those host entries you would have to put in yourself, or installing software could do it also.

Do these mean anything to you? It's where the IPs resolve to:

Electronic Data Systems
OrgID: EDS
Address: 750 Tower Drive
City: Troy
StateProv: MI

OrgName: Blue Shield of California
OrgID: BSC-1
Address: 4203 Town Center Blvd
City: El Dorado Hills
StateProv: CA

Do you use this computer for work-related things?

shelf life

zul32
2007-07-17, 04:40
Hi, Yes, I have used them for work-related things in the past, but those two entries are old and can be deleted/cleaned up.
I'm not sure exactly how to do that though?
I'm also suspecting that those aren't the culprit either.

shelf life
2007-07-17, 15:20
hi zul32,


"I'm also suspecting that those aren't the culprit either"
Malware can use a host file. I guessed it was a work computer based on these:

C:\Novell\Messenger
juniper networks\secure application manager
---------------------------------------
I am not seeing anything in the log that looks like the dialer: All-In-One Telcom.
Maybe it's a harmless leftover. For a second opinion I would do an online scan here:
F-secure scan:
http://support.f-secure.com/enu/home/ols.shtml

Click on the "Start scanning" button near the bottom of the page.
Click to accept/install the ActiveX applet, then click Full System Scan.
Once the download completes (may take a while), the scan will begin automatically.
The scan will take some time to finish.
When the scan completes, click the Automatic cleaning (recommended) button.

Click the Show Report button and Copy&Paste the entire report in your next reply along with a current HijackThis log.

shelf life
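The two posts above make the same point about the O1 lines: a hosts entry is only there because someone, or some installer, or malware, put it there, so each non-stock line should be read and its address owner checked. The script below is an added example (not shelf life's procedure and not a Spybot or HijackThis feature) that does the mechanical half of that: it pulls the "O1 - Hosts:" lines out of a HijackThis log and sorts each one into a verdict (stock loopback entry, name redirected to loopback, name pinned to a private or public address, or a malformed line such as the bare "165.253.33.201" in this thread). The sample log is constructed from the eight O1 lines posted here plus two made-up lines (a stock localhost mapping and a loopback redirect of a fictional update.vendor.example); the whois lookup that tells you who owns a public address is still done by hand, as shelf life did.

```python
"""Triage of HijackThis O1 (hosts file) entries. Added example, not forum or vendor code."""
import ipaddress
from dataclasses import dataclass

O1_PREFIX = "O1 - Hosts:"

# Names a stock Windows hosts file may legitimately map to the loopback address.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample input: the eight O1 lines from the log in this thread plus
# two constructed lines (a stock localhost mapping and a loopback redirect of a
# fictional vendor update host) and one unrelated line that must be ignored.
SAMPLE_LOG = """\
Logfile of HijackThis (constructed excerpt)
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 204.230.154.16 ussam201
O1 - Hosts: 204.230.154.17 ussam202
O1 - Hosts: 204.230.154.18 ussam203
O1 - Hosts: 204.230.154.22 ussam204
O1 - Hosts: 148.92.172.228 uslcscs300
O1 - Hosts: 198.132.135.209 usplscs100
O1 - Hosts: 165.253.33.20 sf1d5
O1 - Hosts: 165.253.33.201
O1 - Hosts: 127.0.0.1 update.vendor.example
O2 - BHO: (unrelated line, ignored by the parser)
"""


@dataclass
class HostsEntry:
    ip: str
    names: list  # may be empty for a malformed line with an address only


def parse_o1_entries(log_text):
    """Return one HostsEntry per 'O1 - Hosts:' line; every other line is skipped.

    A line carrying an address but no hostname is kept with names == [] so the
    caller can flag it rather than silently dropping it.
    """
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith(O1_PREFIX):
            continue
        # Drop any trailing '#' comment the hosts line carried, then split fields.
        fields = line[len(O1_PREFIX):].split("#", 1)[0].split()
        if not fields:
            continue
        entries.append(HostsEntry(ip=fields[0], names=fields[1:]))
    return entries


def classify(entry):
    """Return a short verdict for one hosts entry; only 'ok:' verdicts need no follow-up."""
    try:
        addr = ipaddress.ip_address(entry.ip)
    except ValueError:
        return "malformed: address does not parse"
    if not entry.names:
        return "malformed: address with no hostname"
    if addr.is_loopback or addr.is_unspecified:
        if all(n.lower() in DEFAULT_NAMES for n in entry.names):
            return "ok: stock loopback entry"
        # Mapping a name to 127.0.0.1 / 0.0.0.0 blocks it; fine for ad hosts,
        # hostile when the name belongs to an update or security service.
        return "review: name redirected to loopback (blocks the name; confirm it is intended)"
    if addr.is_private:
        return "review: name pinned to a private address (typical of corporate/VPN setups)"
    return "review: name pinned to a public address (verify the owner, e.g. via whois)"


def triage(log_text):
    """(ip, names, verdict) for every O1 line in the log, in log order."""
    return [(e.ip, " ".join(e.names), classify(e)) for e in parse_o1_entries(log_text)]


def needs_review(log_text):
    """Only the rows a human still has to look at."""
    return [row for row in triage(log_text) if not row[2].startswith("ok")]


if __name__ == "__main__":
    for ip, names, verdict in triage(SAMPLE_LOG):
        print(f"{ip:<16} {names or '<no name>':<24} {verdict}")
```

Run it against a saved HijackThis log by passing the file contents to `triage()`. In this thread the eight posted entries all come out as "pinned to a public address", which is exactly the case where the owner of the address (here EDS and Blue Shield, per the whois in the thread) decides whether the line is a leftover from work software or something to remove.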

tashi
2007-07-25, 23:23
How is it going, zul32?

tashi
2007-07-28, 07:33
This topic has been archived due to lack of a response.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.