NationStates Jolt Archive


A computer problem

Patra Caesar
26-06-2005, 05:36
I know this forum isn't really for this, but I'm becoming desperate. Somehow I've downloaded some sort of dialer called SIXA. Every time I delete it, it reappears. What it does is disconnect my internet connection then dial the SIXA dialer. I've run Spybot Search and Destroy, Ad-Aware, Spyware Doctor, AVG anti-virus and McAfee anti-virus. Any suggestions?
Colodia
26-06-2005, 05:38
You try disconnecting from the internet and THEN removing it?

By removing it, I mean search where the files are and delete every one of them by yourself. Make sure nothing is left behind.


Worked for me a couple times.
Blessed Assurance
26-06-2005, 05:40
Google Microsoft anti spyware. It's a great free program. Should work.
Adejaani
26-06-2005, 05:42
Afternoon, Adrian. :p Start -> Run -> msconfig (Enter)

Go to the Startup tab and uncheck this SIXA thing. If that doesn't work... It'll still be a part of your computer's startup.
Fergi the Great
26-06-2005, 05:44
Try Adaware by Lavasoft. You may also need to open MSConfig and deconfigure it to run.
Sarkasis
26-06-2005, 05:50
Try to reboot in safe mode, and then run your adware removing tool.

You may want to manually modify/delete stuff in your registry base (by running Regedit) but it's tricky.

Usually these programs install something in the ".../Microsoft/Windows/CurrentVersion/Run" folder in the registry base.

Your Internet Explorer's Home page and Search page have probably been hijacked, by the way.

PS: Try to keep a list of stuff that's in your "Run" section in the registry. Update this list every time you install some software. That way, if you ever suspect that you have a spyware or virus, you can check easily if there's something that doesn't belong there.
Patra Caesar
26-06-2005, 05:51
Colodia - Done it while connected and disconnected.
Adejaani - It's freaky that you know my name ( :eek: ) I did the MSConfig thing, but there is no SIXA thing to uncheck. Any other suggestions? I googled too, but most of the results were in Dutch. I am trying something called Ewido.

[edit] Ewido needs Windows 2000 to run and I only have '98, back to the drawing board.
Lord-General Drache
26-06-2005, 05:55
Get Hijack This. Google it. Download it, boot into safe mode, run Adaware, then Hijack This if it doesn't catch it. HJT will allow you to directly kill a process, so it can't continue reinstalling. Then you can remove it.
Fergi the Great
26-06-2005, 05:57
Be VERY careful with Hijack this. It can wipe stuff out that's important if you're not careful.
Lord-General Drache
26-06-2005, 05:59
Oops. Was about to go in and add that warning. Thanks.
Adejaani
26-06-2005, 06:03
Adrian, it's Quincy. I'm the one that introduced you to this place, remember? :p

Uh... The safest bet is that it's a startup subroutine. It's possible they've inserted a few keys into the registry, but that's the most dangerous thing to mess with. Keep googling everything in the startup, since these "Quick Fix" programs might well cause problems by themselves.
Patra Caesar
26-06-2005, 06:04
I ran hijack this and have no idea what any of these things mean, so I'll post them here.


Logfile of HijackThis v1.99.1
Scan saved at 3:03:00 PM, on 26/06/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINMX\WINMX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Set Drive Letter to G:] C:\\GDRIVE.EXE -N
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [afterconnect] "C:\Program Files\AfterConnect\AfterConnect.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [NAVNet] "C:\MS32.EXE" /m
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [WinVNC] "C:\PROGRAM FILES\ORL\VNC\WINVNC.EXE" -service
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunOnce: [test] 
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [test] 
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -
O16 - DPF: {53516791-25D5-4CA6-8001-83B5B2030F8F} (esCalendar Control) - file://C:\Work\MySite\ocx\esMonthCalendarDAX.cab
O16 - DPF: {004FBF50-82E1-47DF-A73D-89FEF248867D} (esMonthViewX Control) - file://C:\Work\MySite\ocx\esMonthView.cab
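
Sarkasis's tip earlier in the thread (keep a list of what is in the registry "Run" section and check it for anything that doesn't belong) can be applied to the O4 lines of saved HijackThis logs like the one posted above. This is an added example, not part of any post in the thread; the two sample logs in it are constructed, and it assumes only the registry Run-family O4 line format is of interest.

```python
import re

# Registry autorun lines in a HijackThis log look like:
#   O4 - HKLM\..\Run: [Name] command line
# Only these Run-family lines are parsed; other O4 forms are ignored.
O4_RE = re.compile(r'^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[(.*?)\] ?(.*)$')

def parse_o4(log_text):
    """Return {(hive, key, name): command} for each registry O4 line."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            entries[(hive, key, name)] = cmd.strip()
    return entries

def diff_autoruns(baseline, current):
    """Compare two parsed logs; commands are compared case-insensitively."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "changed": sorted(k for k in current if k in baseline
                          and current[k].lower() != baseline[k].lower()),
        "empty": sorted(k for k, v in current.items() if not v),
    }

# Constructed sample logs (not taken from the thread).
BASELINE_LOG = r"""
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ExampleTool] "C:\Program Files\Example\tool.exe" /Q
"""
CURRENT_LOG = r"""
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] C:\EXAMPLE\SysTray.Exe
O4 - HKLM\..\Run: [ExampleNew] "C:\EXAMPLE\NEW.EXE" /m
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunOnce: [test]
"""

def report():
    """Diff the constructed current log against the constructed baseline."""
    return diff_autoruns(parse_o4(BASELINE_LOG), parse_o4(CURRENT_LOG))

if __name__ == "__main__":
    for kind, keys in report().items():
        for hive, key, name in keys:
            print(f"{kind:8} {hive}\\..\\{key}: [{name}]")
```

An entry listed as added, changed or empty is only a prompt to look it up, not a verdict on whether it is harmful.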
Patra Caesar
26-06-2005, 06:09
Adrian, it's Quincy. I'm the one that introduced you to this place, remember? :p

Uh... The safest bet is that it's a startup subroutine. It's possible they've inserted a few keys into the registry, but that's the most dangerous thing to mess with. Keep googling everything in the startup, since these "Quick Fix" programs might well cause problems by themselves.

Ohh, QBall! I didn't recognize you! :cool: I don't think it's a start up thing because it doesn't only happen at startup. I've searched the registry for SIXA, but it's not there. I have killbox, if only I could find the installer file I could try and kill it to stop it from reinstalling.
Harlesburg
26-06-2005, 06:13
Tough break, I got something like that back in August 2003.

Until you get it fixed make sure you take out your Internet connection or else you'll get phone bills to Tahiti or Niue.

They got me for about $120 which is light compared to the 6000 I heard someone got in a month.

Damn InstantAccess!
Lord-General Drache
26-06-2005, 06:14
I ran hijack this and have no idea what any of these things mean, so I'll post them here.

Hmm... I'm really not sure. It's good to know what processes are normal for your comp, and have them memorized, written down, or have them tattooed onto a friend. My advice is to not guess as to which is the harmful one. Try selecting the box next to one you think is suspect, and click on the info button.
Sarkasis
26-06-2005, 06:20
Until you get it fixed make sure you take out your Internet connection or else you'll get phone bills to Tahiti or Niue.
They got me for about $120 which is light compared to the 6000 I heard someone got in a month.

When will phone companies offer security codes to their users? That way, before attempting any long distance call, you would have to enter your 4 digit code on your phone. After 3 failed attempts in 1 hour, long distance calling would be disabled until you call the phone company and talk with someone.
Fergi the Great
26-06-2005, 06:21
There's a good series of things you can try at this URL:

http://www.komando.com/tips_show.asp?showID=8749

In regards to which programs on your Hijack This list are legit, try this site for problem children:
http://www.sysinfo.org/startuplist.php
Harlesburg
26-06-2005, 06:32
When will phone companies offer security codes to their users? That way, before attempting any long distance call, you would have to enter your 4 digit code on your phone. After 3 failed attempts in 1 hour, long distance calling would be disabled until you call the phone company and talk with someone.
They offer it but one has to activate it themselves and very few people could imagine anyone would be so devious as to do this to one's computer.
Adejaani
26-06-2005, 07:14
I don't mean startup in the literal sense, meaning "once Windows has loaded, it's 'there'." It could be a secondary effect of a program. Like a parasite latching onto something. Do you know what you did (or didn't do) just before this SIXA kicks in?
LazyHippies
26-06-2005, 08:25
If you managed to get this crap into your system, chances are it's not the only junk software in there. You may as well start fresh. To really clean it up you have to take it to someone who knows. None of us here is going to hold your hand while you mess with the registry. If you don't want to take it to someone who knows, then the best bet is to start fresh. Most people don't do this properly. Before you begin, order a Service Pack 2 CD from Microsoft here: http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx
Here is what you do:


1. Physically disconnect the computer from the internet (unplug the phone cable, ethernet cable or whatever physical cable connects you to the internet).
2. Reformat
3. Install Windows XP
4. Install Service Pack 2
5. Plug your computer back into the internet, go online and immediately go to windowsupdate.microsoft.com and get all of the critical updates available.
6. Go to www.mozilla.org and install Firefox. Use this as your web browser from now on.
7. Go to lavasoftusa.com and download Ad-aware
8. Run Ad-aware
9. Install your anti-virus software and update any necessary definition files
10. You should now be clean.

It's also a very good idea to invest in a router. They shouldn't cost more than $50 and will protect you from a large amount of the garbage floating online.
German Nightmare
26-06-2005, 10:06
I hope that you've been able to get rid of it by now. If not, try using these programs:

Ad-Aware

Spybot Search & Destroy

Spywareblaster

The first two progs remove spyware and dialers and all of that crap. Spywareblaster "blocks" known threats and thus prohibits that kinda crap from installing in the first place. (Spybot S&D has that same option.)

I'm using all three and have been trouble-free ever since. Good luck!

(Oh yeah, links:
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html
http://www.download.com/SpywareBlaster/3000-8022_4-10396039.html
http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10401314.html
)