dialer

Discussion in 'Trojan Defence Suite' started by Judith, Oct 27, 2003.

Thread Status:
Not open for further replies.
  1. Judith

    Judith Guest

    Jooske
    I have not tried to download TDS3 back into my system because I have a driver that I downloaded that needs to be removed and a dialer that insists on automatically trying to connect me upon boot up. Do you think you can give me some insight on that?
    Thank you
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Judith,

    Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
    Unzip, double-click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log as a .txt file, and copy and paste its contents into your next post.

    Most of what it lists will be harmless, so do not fix anything yet.

    And could you tell us what driver exactly you need removed?

    Regards,

    Pieter
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Please do immediately what Pieter advises, as it doesn't sound good at all!
    Looking forward to your posting.
    Try to remember where you got that dialer from.
    (email?)
    And you might like to get Port Explorer with which we can see where it is dialing to.
    But first of all get that HijackThis log as Pieter advised!
     
  4. MercyMe

    MercyMe Guest

    Logfile of HijackThis v1.97.3
    Scan saved at 8:09:50 AM, on 10/28/03
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchalot.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchalot.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr/*http://my.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchalot.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchalot.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchalot.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchalot.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchalot.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchalot.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
    O1 - Hosts: 64.14.40.138 www.searchscout.com
    O1 - Hosts: 64.14.40.138 www.letssearch.com
    O1 - Hosts: 64.14.40.138 www.searchex.com
    O1 - Hosts: 64.14.40.138 srch.lop.com
    O1 - Hosts: 64.14.40.138 www.searchresult.net
    O1 - Hosts: 64.14.40.138 www.xupiter.com
    O1 - Hosts: 64.14.40.138 runonce.msn.com
    O1 - Hosts: 64.14.40.148 auto.search.msn.com
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O9 - Extra 'Tools' menuitem: Free Software Downloads (HKLM)
    O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Searchalot (HKCU)
    O9 - Extra button: Downloads (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37901.5594791667
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchalot.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchalot.com/search.htm

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr/*http://my.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchalot.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchalot.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchalot.com/search.htm

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchalot.com/search.htm

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchalot.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
    O1 - Hosts: 64.14.40.138 www.searchscout.com
    O1 - Hosts: 64.14.40.138 www.letssearch.com
    O1 - Hosts: 64.14.40.138 www.searchex.com
    O1 - Hosts: 64.14.40.138 srch.lop.com
    O1 - Hosts: 64.14.40.138 www.searchresult.net
    O1 - Hosts: 64.14.40.138 www.xupiter.com
    O1 - Hosts: 64.14.40.138 runonce.msn.com
    O1 - Hosts: 64.14.40.148 auto.search.msn.com

    O9 - Extra button: Searchalot (HKCU)
    O9 - Extra button: Downloads (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com

    Then reboot. No sign of a dialer though.

    Regards,

    Pieter
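The triage Pieter does by hand on the log above (spotting that the O1 hosts entries all point at one outside address, and that most R0/R1 settings point at the same unexpected site) can be automated. The script below is an added example, not code from this thread or from HijackThis; SAMPLE_LOG is a constructed subset of the log posted above, and EXPECTED_IE_DOMAINS is an assumed allowlist of hosts that are unremarkable in IE search and start-page settings.

```python
"""Triage a HijackThis log: group O1 hosts-file overrides by target address and
R0/R1 Internet Explorer settings by the host they point at, and list the lines
a helper would consider for "Fix checked"."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of the lines from the HijackThis log posted in this thread.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchalot.com/search.htm",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr/*http://my.yahoo.com",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchalot.com",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com",
    r"O1 - Hosts: 64.14.40.138 www.searchscout.com",
    r"O1 - Hosts: 64.14.40.138 srch.lop.com",
    r"O1 - Hosts: 64.14.40.138 runonce.msn.com",
    r"O1 - Hosts: 64.14.40.148 auto.search.msn.com",
    r"O1 - Hosts: 127.0.0.1 localhost",
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
]

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# Registry path up to the first comma, setting name up to " = ", then the value.
IE_RE = re.compile(r"^R[0-3] - (.+?),(.+?) = (.*)$")

# Assumed allowlist: hosts that are normal in IE search/start settings (Microsoft defaults).
EXPECTED_IE_DOMAINS = ("microsoft.com", "msn.com")


def hosts_overrides(lines):
    """Group O1 hosts-file entries by the address they resolve names to."""
    by_ip = defaultdict(list)
    for line in lines:
        m = HOSTS_RE.match(line)
        if m:
            by_ip[m.group(1)].append(m.group(2))
    return dict(by_ip)


def suspicious_hosts_lines(lines):
    """A hosts file normally only maps names to loopback; any other target
    silently redirects those names elsewhere, so every non-loopback entry is reported."""
    flagged = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if not m:
            continue
        try:
            if ipaddress.ip_address(m.group(1)).is_loopback:
                continue
        except ValueError:
            pass  # unparsable address: still worth a look
        flagged.append(line)
    return flagged


def _in_expected(host):
    return any(host == d or host.endswith("." + d) for d in EXPECTED_IE_DOMAINS)


def ie_targets(lines):
    """Map each host named in an R0/R1 setting to the settings that point at it,
    so a host that has taken over several settings at once stands out."""
    by_host = defaultdict(list)
    for line in lines:
        m = IE_RE.match(line)
        if not m:
            continue
        host = urlparse(m.group(3).strip()).netloc.lower()
        if host:
            by_host[host].append(m.group(2).strip())
    return dict(by_host)


def suspicious_ie_lines(lines):
    """R0/R1 lines whose URL points somewhere other than the allowlisted defaults."""
    flagged = []
    for line in lines:
        m = IE_RE.match(line)
        if not m:
            continue
        host = urlparse(m.group(3).strip()).netloc.lower()
        if host and not _in_expected(host):
            flagged.append(line)
    return flagged


def lines_to_review(lines):
    """Everything a reviewer should look at before deciding what to fix."""
    return suspicious_hosts_lines(lines) + suspicious_ie_lines(lines)


if __name__ == "__main__":
    for ip, names in hosts_overrides(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} name(s) -> {', '.join(names)}")
    for host, settings in ie_targets(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(settings)}")
    print("\nLines to review:")
    for line in lines_to_review(SAMPLE_LOG):
        print("  " + line)
```

The output is a review list, not a fix list: the Yahoo start page is flagged only because it is outside the allowlist, and it is exactly the kind of entry a helper confirms with the user before fixing, as the later posts in this thread show.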
     
  6. MercyMe

    MercyMe Guest

    The information on the driver came from my System Information checker, and I can no longer get in there. The driver name, I think, is vfwwdm32.dll, but I have searched for it and cannot locate it.
    The dialer was set up via a phone conversation with a young man at Earthlink, and they are now trying to promote Accelerator, so I have no idea what he had me do. My machine is probably too old for that. And I have a really strange attachment to this old computer.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    MM, did you do what Pieter asked you to do, did you reboot after it, and please tell us if everything is now back to normal?
    You might like to post another hijackthis log from the current situation after the cleaning Pieter instructed.
     
  8. MercyMe

    MercyMe Guest

    Jooskie
    I just got done and ran a ScanDisk and defrag. It seems to have freed up my computer. I did lose my original Yahoo web page and have to key it in, and one good thing about the loss of my backup is, whatever was in control isn't any longer. I was constantly getting misdirected or stopped from web sites.
    I will run it again and see what happens.
    Thank you so much.
     
  9. MercyMe

    MercyMe Guest

    Logfile of HijackThis v1.97.3
    Scan saved at 11:33:39 AM, on 10/28/03
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O9 - Extra 'Tools' menuitem: Free Software Downloads (HKLM)
    O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37901.5594791667
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab


    I have a good many backups in Hijacker, is that what it is supposed to do?
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi MercyMe,

    Your log is clear now.
    How is the computer behaving?

    You can delete the backups HijackThis made after a while (a week or a few reboots), just to make sure nothing you needed was disabled.

    Regards,

    Pieter
     
  11. MercyMe

    MercyMe Guest

    Pieter
    Thank you, things are much better now. I only wish I could figure out what Earthlink did to my dialer.
    My machine shuts down better also.
    Much Thanks
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    My pleasure. :)

    Could you try and describe exactly how that dialer manifests itself?
    Maybe we can solve that one as well.

    Regards,

    Pieter
     
  13. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Hi Pieter.

    I was reading thru this thread.
    A thought here,
    Mercyme mentions Earthlink and Accelerator.
    Could she be talking about the modem/dialup connection?
    I tried a few internet accelerators and there is a program called Accelerator or Web Accelerator.
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi the Tester,

    Could be, but I have a hard time imagining why it would be hidden and, if so, where.
    Can you recall where it started up from?

    Regards,

    Pieter
     
  15. MercyMe

    MercyMe Guest

    The dialer appears like the older one with Windows 95. It appears when I boot, and if I try to update Norton it will pop up, but I do not see it in Systray, and do not have an icon for it. I only have one connection in my Network, and I set that one up myself. The one that Earthlink helped me do is the one coming up, but I had deleted the dialer in the Control Panel, under Network, hoping it would stop coming up.
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Somehow my connection icon (the small two screens) disappeared from the systray after some security update and I never did bother to look somewhere in my settings to have it back there again.
    Might this be the one MM means?
    Since I am on ADSL I don't bother about being online or not.
    For several people I changed their settings in the browser:
    Internet Explorer > Tools > Options > Connection > click the standard dialup connection and set it to "NEVER dial this connection", which saves you from a popup dialer after reboot or opening IE or Outlook Express or another standard email client.
    Make sure to have the dialer icon on your desktop, so you can open IE or OE all quietly and do other things before you connect to the internet, which saves you if you are on dialup.

    This is the only thing I can imagine. If the two little blinking screens icon is not in the systray, you can click the dialer icon on the desktop and it will tell you about your connection, and you can close it there just as easily.
    But for dialup I would prefer the blinking icons, to remind you to close it at a certain time.

    If this is the one and it solves your problem, I hope, it has nothing to do with any trojan; it is just normal IE / connection behavior from your standard dialer to your own ISP.
     
  17. MercyMe

    MercyMe Guest

    Jooskie
    That worked , thank you.
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You're welcome, glad it was a setting and no nasty trojan dialer!
     