
Hi there,
I'm new to this, so please excuse my ignorance. I have been having dial-up hijacking problems for about 1 week now.
I have installed HijackThis.exe, Spybot Search & Destroy, Webroot Spysweeper and have found quite a few bad files I've deleted. However, the problem is still happening.

I'm posting my HijackThis log file, in case someone here can look at it and let me know if there's anything in it that gives any indication as to what is wrong. Many thanks in advance for any help you can provide!

Logfile of HijackThis v1.99.1
Scan saved at 13:54:57, on 21/01/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\GRXP4EXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.onetel.net.uk/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.onetel.net.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = OneTel.Net Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.onetel.net.uk:8080;ftp=proxy.onetel.net.uk:8080
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [BCDetect] C:\WINDOWS\SYSTEM\BCDetect.exe defer
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\RunServices: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.onetel.net.uk

Last Post by DMR

Can you describe the problem(s) in more detail please? There are only a couple of possibly suspicious entries in your log, but HijackThis isn't as effective at pointing out infections on Win 98 systems as it is on Win 2000 or XP systems.


Can you describe the problem(s) in more detail please? There are only a couple of possibly suspicious entries in your log, but HijackThis isn't as effective at pointing out infections on Win 98 systems as it is on Win 2000 or XP systems.

I was having my dial-up connection phone number changed to another number. No matter how many times I reset my dial-up connection, it would change back to this unknown phone number.

I found a program called itunesff.exe which I deleted, and the number changing stopped happening. However, when I go into my internet provider's website (One Tel in the UK) to use their rogue dialler checker:
http://www.onetel.co.uk/index.php?node=internet-rogue-diallers

I get the following message on it:

"Warning!
You are currently not connected to the Internet using Onetel's dial-up access number. If you are an existing customer and are connecting through Onetel dial-up at present, you may be at risk.
Your IP address is currently: 10.240.245.241"

That's certainly NOT my IP address! This never used to happen to me before. It used to tell me all was ok, now, no matter what I have tried to fix, I constantly get that message and I'm worried there's still a hidden bug somewhere and I just don't know what to do. My system is running very slowly also.

Hope this info helps. Sorry I am not very good at describing technical stuff :-(

Many thanks for your help!


Although I'm not a web designer, judging from a look at the source code of that OneTel page, I believe that the text in/on the page is static. Furthermore, comments visible in the page's source code seem to indicate that certain dynamic functions/elements of the page, such as truly checking your IP address, haven't been added (yet?).

In other words, I think that anyone who goes directly to the page you linked to is going to see exactly the same information, regardless of how they are accessing the page. (For instance, the page tells me that my IP address is also 10.240.245.241.)


However, as the "itunesff.exe" file is known to be a component of a rogue dialer infection, we should probably dig a bit deeper:

1. Download and install the following (free) utilities, but don't run them yet:

CCleaner - www.ccleaner.com
Ad Aware SE Personal - www.lavasoftusa.com

* Open Ad Aware, click the "Check for updates now" button, and follow the prompts to install the most current spyware definition database. Close the program once the update is complete.

* Open AVG and use its Update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with it; just close it once it is updated.

* Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run a scan yet; just close the program once the update completes.

* Open SpyBot and make sure that it's updated as well. Again- don't actually run a scan yet.


2. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).


3. Open CCleaner.
- Go to Options-> Advanced: Uncheck "Only delete files in Windows Temp folders older than 48 hours"
- Click on Run Cleaner

It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.


4. Run SpyBot, Ad Aware, and AVG. Have them fix all malicious items they find.


5. Run Spy Sweeper.
* Under the Sweep Options tab, select ALL options under 'What to Sweep'.
* Click the "Sweep" icon and then "Start" to begin scanning.
* When the scan completes, click Next to automatically quarantine all detected items.
* Click the Results icon, select Session Log, and then click Save to File. Save the scan results to your desktop and close Spy Sweeper.


6. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the log that Spy Sweeper generated.


Although I'm not a web designer, judging from a look at the source code of that OneTel page, I believe that the text in/on the page is static. Furthermore, comments visible in the page's source code seem to indicate that certain dynamic functions/elements of the page, such as truly checking your IP address, haven't been added (yet?).

In other words, I think that anyone who goes directly to the page you linked to is going to see exactly the same information, regardless of how they are accessing the page. (For instance, the page tells me that my IP address is also 10.240.245.241.)

Thanks for that. It puts my mind at ease a bit. The reason I was concerned was due to the fact that this webpage I mentioned, never used to give me that message before! It used to say all was ok and that I was connected to the right number. It suddenly started giving me that warning message right about the same time as when Spybot and Webroot had found some bad files. I won't be too concerned if you think it's just a badly designed webpage then. Thanks again!


I've edited my previous post to include some further detection and cleaning steps that you should probably perform just to make sure that there's nothing still lurking about in your system.

Go through those steps and then post the requested log files; it never hurts to be cautious....


I've edited my previous post to include some further detection and cleaning steps that you should probably perform just to make sure that there's nothing still lurking about in your system.

Go through those steps and then post the requested log files; it never hurts to be cautious....

Hi again, yes, I noticed and I did exactly as you said.

Here's a copy of the Spy Sweeper log file:
********
02:17: |··· Start of Session, 22 January 2006 ···|
02:17: Spy Sweeper started
02:17: Sweep initiated using definitions version 492
02:17: Starting Memory Sweep
02:18: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE
02:19: Starting Registry Sweep
02:19: Memory Sweep Complete, Elapsed Time: 00:00:00
02:21: Registry Sweep Complete, Elapsed Time:00:03:33
02:21: Starting Cookie Sweep
02:21: Cookie Sweep Complete, Elapsed Time: 00:00:00
02:21: Starting File Sweep
02:21: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because
it is being used by another process
02:27: File Sweep Complete, Elapsed Time: 00:05:40
02:27: Full Sweep has completed. Elapsed time 00:09:16
02:27: Traces Found: 0
02:17: |··· End of Session, 22 January 2006 ···|
********

Then a copy of the Hijackthis log after doing everything else you mentioned:

Logfile of HijackThis v1.99.1
Scan saved at 02:35:25, on 22/01/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\GRXP4EXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.onetel.net.uk/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.onetel.net.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = OneTel.Net Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.onetel.net.uk:8080;ftp=proxy.onetel.net.uk:8080
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [BCDetect] C:\WINDOWS\SYSTEM\BCDetect.exe defer
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\RunServices: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.onetel.net.uk

Thanks again for your help.
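As an added example, not written by anyone in this thread and not part of HijackThis itself, the script below does the kind of first pass a log reviewer makes on the two HijackThis logs posted above: it parses the entry lines, flags entries that deserve a second look (registry references whose target file no longer exists, IE start/search values that do not point at the poster's ISP domain, autostart commands running from outside the usual Windows and Program Files folders) and diffs the before/after logs to show exactly which entries the cleaning steps removed. The expected-domain list, the trusted-directory list and the flagging heuristics are this example's own assumptions, and the log excerpts are constructed from the entries posted above. The small `is_public_ip` check is a side note on the "Your IP address is currently: 10.240.245.241" message: 10.0.0.0/8 is a private range (RFC 1918), so no dial-up ISP would report it as a customer's Internet-facing address, which is consistent with the page text being static.

```python
"""Triage a HijackThis log: flag entries worth a second look and diff two logs."""
import ipaddress
import re
from typing import Dict, List, NamedTuple

# Constructed excerpt of the first HijackThis log in this thread (before cleaning).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.onetel.net.uk/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# Constructed excerpt of the second log (after cleaning): the about:blank R1
# values and the orphaned O9 button are gone; the orphaned YBIOCtrl BHO remains.
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.onetel.net.uk/search.html
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
"""

# HijackThis entry lines look like "R1 - ..." or "O4 - ..."; other lines are ignored.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


class Entry(NamedTuple):
    section: str  # HijackThis section code, e.g. R1 (IE settings), O2 (BHO), O4 (autostart)
    detail: str   # everything after the "Xn - " prefix


def parse_log(text: str) -> List[Entry]:
    """Extract the entry lines from a HijackThis log, skipping headers and process lists."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


# Assumptions of this example: domains the analyst expects IE start/search settings
# to point at (here the poster's ISP) and folders autostarts normally live in.
EXPECTED_DOMAINS = ("onetel.net.uk",)
TRUSTED_DIRS = (r"C:\WINDOWS", r"C:\PROGRAM FILES", r"C:\PROGRA~1")


def flag_entry(e: Entry) -> str:
    """Return a reason the entry deserves review, or '' if nothing stands out."""
    if e.detail.endswith("(no file)"):
        return "registry points at a file that no longer exists (orphaned entry)"
    if e.section in ("R0", "R1") and "=" in e.detail:
        value = e.detail.split("=", 1)[1].strip()
        if not any(d in value for d in EXPECTED_DOMAINS):
            return f"IE start/search setting not on an expected domain: {value}"
    if e.section == "O4" and "] " in e.detail:
        cmd = e.detail.split("] ", 1)[1].lstrip('"')
        # Bare file names (e.g. SysTray.Exe) are resolved via PATH on Win9x; only
        # fully qualified paths are checked here.
        if re.match(r"^[A-Za-z]:\\", cmd) and not cmd.upper().startswith(TRUSTED_DIRS):
            return f"autostart from an unusual location: {cmd}"
    return ""


def triage(text: str) -> Dict[str, str]:
    """Map each flagged entry line to the reason it was flagged."""
    out = {}
    for e in parse_log(text):
        reason = flag_entry(e)
        if reason:
            out[f"{e.section} - {e.detail}"] = reason
    return out


def removed_entries(before: str, after: str) -> List[str]:
    """Entries present in the first log but absent from the second, in log order."""
    after_set = set(parse_log(after))
    return [f"{e.section} - {e.detail}" for e in parse_log(before) if e not in after_set]


def is_public_ip(addr: str) -> bool:
    """False for private (RFC 1918), loopback and link-local addresses."""
    return ipaddress.ip_address(addr).is_global


if __name__ == "__main__":
    for line, why in triage(LOG_BEFORE).items():
        print(f"REVIEW  {line}\n        -> {why}")
    print("\nGone after cleaning:")
    for line in removed_entries(LOG_BEFORE, LOG_AFTER):
        print("  " + line)
    print("\nReported IP is public:", is_public_ip("10.240.245.241"))
```

Run against the two excerpts, the triage flags four entries in the first log (the two about:blank search values, the orphaned YBIOCtrl BHO and the orphaned extra button) and one in the second (the YBIOCtrl BHO, which neither scanner touched because it has no file to detect), and the diff lists the three entries the cleaning removed. A flag here is a prompt to look up the entry, not a verdict: legitimate entries such as the Spybot and Spyware Doctor BHOs pass untouched.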


It all looks clean. :)

Phew! That's a relief! Thank you so much for your help! :)
