Dialer.OneOnOne - Removal

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.

1. Update the definitions.
2. Close modem connections
3. Restart the computer in Safe mode.
4. Run a full system scan and delete all the files detected as Dialer.OneOnOne.
5. Delete any values added to the registry
6. Restore the Internet Explorer home page.
7. Delete the entry that was added to the RAS phone-book file.
8. Delete files created by the risk.
   

For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To close modem connections
This risk uses available modems to create an Internet connection, sometimes without any visible signs. In order to successfully remove this threat, ensure that all modem-based Internet connections are disconnected before proceeding. For instructions on how to do this, consult the appropriate Internet service provider, computer manufacturer, or operating system documentation.

3. To restart the computer in Safe mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."

4. To scan for and delete the files

1. Start your Symantec antivirus program, and then run a full system scan.
2. Run a full system scan.
3. If any files are detected as Dialer.OneOnOne, first write down the full path and file name. Then click Delete.
4. Do one of the following:
   • If your Symantec antivirus program reports that it was able to delete the file, skip to section 4.
   • If your Symantec antivirus program reports that it could not delete the file, proceed with step e.
     
5. Do one of the following:
   • If the file was detected in the folder:
     
     C:\Documents and Settings\<name>\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file
     
     follow these steps:
     
     • Click the Start button > Settings > Control Panel (Windows 98/Me/2000).
       
       or:
       
       Click the Start button > Control Panel (Windows XP).
       
     • Double-click Java Plug-in Control Panel.
     • On the Cache Tab, click the Clear button. This clears the cache folder.
       

5. Delete any values added to the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry.

1. Click Start > Run.
2. Type regedit
   
   Then click OK. (The Registry Editor opens.)
   
   
3. Navigate to the key:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   
4. In the right pane, delete the value:
   
   "[FILE NAME]" = " %Windir%\[FILE NAME].exe -n"
   
   
5. Navigate to the key:
   
   HKEY_ALL_USERS\RemoteAccess\Addresses
   
   
6. In the right pane, delete the value:
   
   "XXXDIAL" = ""
   
   
7. Navigate to and delete the following subkey if it exists:
   
   HKEY_ALL_USERS\Software\RemoteAccess\Profile\XXXDIAL
   
   
8. Exit the registry Editor.

6. To restore the Internet Explorer home page

1. Start Internet Explorer.
2. Connect to the Internet and go to the Web page that you would like to set as your home page.
3. Click Tools, and then click Internet Options.
4. In the Home page section of the General tab, click Use Current, and then click OK.

7. To delete the added entry from the RAS phone-book file

Note: The location of the RAS phone-book file, rasphone.pbk, may vary and some computers may not have this file.

For example, if the file exists in Windows XP, it is usually located in the C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk folder.

Follow the instructions for your operating system:

• Windows 95/98/Me/NT/2000
  1. Click Start, point to Find or Search, and then click Files or Folders.
  2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
  3. In the "Named" or "Search for..." box, type:
     
     rasphone.pbk
     
     
  4. Click Find Now or Search Now.
  5. If you find rasphone.pbk, right-click the file, and then click Open With.
  6. Deselect the Always use this program to open this program check box.
  7. Scroll through the list of programs and double-click Notepad.
  8. When the file opens, delete all the lines that are included in the section:
     
     [XXXDial] or [XXXSERVER]
     
     
  9. Close Notepad and save your changes when prompted.
     
     
• Windows XP
  1. Click Start, and then click Search.
  2. Click All files and folders.
  3. In the "All or part of the file name" box, type:
     
     rasphone.pbk
     
     
  4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
  5. Click More advanced options.
  6. Check Search system folders.
  7. Check Search subfolders.
  8. Click Search.
  9. If you find rasphone.pbk file, right-click the file, and then click Open With.
  10. Deselect the Always use this program to open this program check box.
  11. Scroll through the list of programs and double-click Notepad.
  12. When the file opens, delete all the lines that are included in the section:
      
      [XXXDial] or [XXXSERVER]
      
      
  13. Close Notepad and save your changes when prompted.
      
      

8. Delete files created by the risk

1. Click Start > Programs > Accessories > Windows Explorer
2. Navigate to and delete the following files, if they exist:
   
   
   • %Windir%\Hot_Kiss_pw.ini
   • %Windir%\Adult_Chat_pw.ini
   • %Windir%\Ce_XXX_pw.ini
   • %Windir%\pcconfig.dat
   • %UserProfile%\Desktop\Hot_Kiss.lnk
   • %UserProfile%\Start Menu\Hot_Kiss.lnk
   • %UserProfile%\Desktop\Adult_Chat.lnk
   • %UserProfile%\Start Menu\Adult_Chat.lnk
   • %UserProfile%\Desktop\Ce_XXX.lnk
   • %UserProfile%\Start Menu\Ce_XXX.lnk
     
     
3. Exit Windows Explorer

Technical Details