6
Contributors
8
Replies
9
Views
13 Years
Discussion Span
Last Post by DMR
0

Nope, sorry, never heard of this file. What happens when you try to remove it? How did you come across realizing that it doesn't belong? (i.e. how do you know it isn't for some software instead of malware) It seems like something is running at startup ...

0

Nope, sorry, never heard of this file. What happens when you try to remove it? How did you come across realizing that it doesn't belong? (i.e. how do you know it isn't for some software instead of malware) It seems like something is running at startup ...

You are correct it is running at start up as it is in the system tray. I noticed that there was something wrong when pop up ads started to appear when connecting to the internet .When you press Ctrl. Alt. Del. it is there so I close it down, if you right click the file and go to properties this is the info you get:
File:1,0,0,1
Description: Installation utility for www.callinghome.biz
Copyright: Callinghome.biz 2004
Other info:
Original File name: caller.exe
When I tried to delete it a warning box appeared and said in use by Windows, however I tried again and now it's in the recycle bin, waiting for your educated advice.

0

Check in add/remove for something similar & remove it. You can also do the following:

Download & instal Adaware from here
& update it B4 scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'
Select 'activate in-depth scan' before starting scan.
When the scan is finished select 'next.'
Remove what it finds by placing a check in the box to the left of the object. Reboot

Download & instal Spybot S&D from here Update it B4 scanning. Go into settings & have it check for Beta releases also & download if available.
After the scan is complete, have spybot fix everything marked RED.
On the page that first opens when you start Spybot there is an option to immunise, you should do this. In the immunise section there is also a link to download Spywareblaster. Download that & you can keep it updated by selecting the same link that you use to download it. Reboot

Download HijackThis from here & unzip it into it's own, permanent folder, (Not a temporary folder or the desktop & not directly on your hard drive). Start HJT & with all browser windows closed, press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file, copy the entire contents of the text file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is harmless & even necessary to the running of your system.

0

Well I want to say something.

I did have this file called "cniaezi.exe" (in c:\windows\system32 directory) that keeps loading itself in my registry key HKLM/softwares/microsoft/windows/current/run. This cniaezi.exe file also has the properties like what the original poster mentioned, namely "caller.exe" and from "callinghome.biz"!!! Furthermore, when I tried to delete its entry in my registry key, it would load itself up again at the next reboot. And yes, I did notice I was getting random popups even though I had a popup blocker running (from Avant Browser). That was when I got suspicious of a possible malware and checked my registry and did a google search on "homecalling biz" and so here I am at this site.

Anyway, I did what Crunchi said and not only did I get rid of that malware, I also got rid of a LOAD of other malware and data miners that I didn't know were in my system. I really should stop going to those russian crack sites. :eek:

Here is my log generated by HijackThis, per Crunchie. I think I'm clean now, but if any has anything to say about my log, please speak up!

=========================================

Logfile of HijackThis v1.97.7
Scan saved at 12:32:36 AM, on 6/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
E:\temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Enterprise\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Enterprise\Add_AllO.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2003\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2003\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2003\\Parser.html
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research (HKLM)
O9 - Extra button: HiDownload (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38087.9455902778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9466BF91-F874-434F-A6FD-0F6290318E1F}: NameServer = 192.168.0.1

0

Hi motopsycho, welcome to TechTalk! :)

Could you post your log and the description of your problem in a new thread in our Security forum please? Due to recent (and extreme) rise in spyware/malware posts, we're currently trying to concentrate HJT log analysis in that forum.

Thanks,

-DMR

0

I'm an amateur but here is what worked successfully for me.

Go to System Information via
Start Menu, Programs, Accessories, Systems Tools.
Double-click on Software Environment
and then on Running Tasks.

Find callinghome.biz in the rightmost column and then write down the name of that program in the (first) leftmost column.

Now press Control+Alt+Del and look for the program in the Close Program list you find there. Select the program with the mouse and press the Shut Down button.

Now go to Find in the Start Menu and start a search in My Computer after typing in the program name. When the program has been located you can right-click and delete it. This worked fine for me

Don't stop the search immediately however. Let it run a bit longer.
For me it also picked up a Vynotl.exe Shortcut which I suspect from its date and time was somehow picked up from this page!

--------------------------------------------------------------

Well I want to say something.

I did have this file called "cniaezi.exe" (in c:\windows\system32 directory) that keeps loading itself in my registry key HKLM/softwares/microsoft/windows/current/run. This cniaezi.exe file also has the properties like what the original poster mentioned, namely "caller.exe" and from "callinghome.biz"!!! Furthermore, when I tried to delete its entry in my registry key, it would load itself up again at the next reboot. And yes, I did notice I was getting random popups even though I had a popup blocker running (from Avant Browser). That was when I got suspicious of a possible malware and checked my registry and did a google search on "homecalling biz" and so here I am at this site.

Anyway, I did what Crunchi said and not only did I get rid of that malware, I also got rid of a LOAD of other malware and data miners that I didn't know were in my system. I really should stop going to those russian crack sites. :eek:

Here is my log generated by HijackThis, per Crunchie. I think I'm clean now, but if any has anything to say about my log, please speak up!

=========================================

Logfile of HijackThis v1.97.7
Scan saved at 12:32:36 AM, on 6/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
E:\temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Enterprise\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Enterprise\Add_AllO.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2003\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2003\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2003\\Parser.html
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research (HKLM)
O9 - Extra button: HiDownload (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38087.9455902778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9466BF91-F874-434F-A6FD-0F6290318E1F}: NameServer = 192.168.0.1

0

Hey sorry didn't reply sooner. LOL I almost forgot about this. But ok I will post this in the security forum too. Since the time I posted this, I had a bunch of trojans in my system that I had to format the damn drive.

0

Since the time I posted this, I had a bunch of trojans in my system that I had to format the damn drive.

Have a read through the "Helping Yourself" post at the top of the Security forum. It contains info and links that can help you lessen your chances of getting reinfected.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.