I've been hit by a rogue dialler

Discussion in 'System Security & Infection Support' started by Nickweb, Sep 7, 2005.

Nickweb Resident Filmaker Moderator
OK, so my family PC has been hit by a rogue dialler, and run up about £50 in phone bills. I have a dial-up connection with Dellnet, so I thought I'd have at least some protection, but no, I've still been hit by it.

BT said that when my comp was connected to the net, the computer dialled a second number at the same time, so I was online happily surfing while the dialler was connected to Austria!

Anyway, how would I go about removing this dialler, because I can't afford another £50 on top of my normal phone bill. Cheers guys.

PS I use Win98SE on the system, and McAfee anti-virus.
     
    Nickweb, Sep 7, 2005
    #1

Fenis-Wolf VIP Member
Well, one thing you need to do is unplug your phone line RIGHT NOW. This thing could be dialing in the middle of the night. The second thing you should do is go to a friend's computer and download Ad-Aware and updates. Burn that to a CD, take it home, and install and run it. Next, see if you can see the dial-up software in Add/Remove. Most of these programs have an Add/Remove entry.
     
    Fenis-Wolf, Sep 7, 2005
    #2

Goober THQ's Jester Moderator
I agree with Fenis-Wolf, but also run HJT to find the dialer, just in case the spyware scan fails.
     
    Goober, Sep 8, 2005
    #3
Nickweb Resident Filmaker Moderator
The phone line's only ever connected when I actually dial up, so I'm pretty safe in that sense.

I'll have a look at the Add/Remove thing. I don't think the Dellnet dialler is infected; I think it's some additional virus. Also, BT said they have a free rogue dialler sensor to download at their website, in case it happens in the future.

When I'm next online with the infected comp, I'll run the HJT log thing, but I don't know how to use it, never done it before.
     
    Nickweb, Sep 9, 2005
    #4
Nickweb Resident Filmaker Moderator
OK, here's the log file, although it doesn't mean anything to me; I don't understand it at all. Oh, and I use Norton Anti-Virus as well, not McAfee, sorry.


    Logfile of HijackThis v1.98.2
    Scan saved at 16:16:07, on 11/09/2005
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\SCANJET\PRECISIONSCANLT\HPPWRSAV.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\TWINMOS\MOBILE DISK V3.0\USBTD.EXE
    C:\WINDOWS\SYSTEM\BTMODEMPROTECTION.EXE
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE
    C:\PROGRAM FILES\3COM\MODEMMGR\PROGRAM\MDMMGR.EXE
    C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\DELLNET.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\MY DOCUMENTS\HIJACKTHIS1-98-2.EXE

    F1 - win.ini: run=HPFSCHED
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
    O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\TwinMOS\Mobile Disk V3.0\MobMon.exe
    O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\TwinMOS\Mobile Disk V3.0\UsbTD.exe
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [BTModemProtection] BTModemProtection.lnk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    O4 - Startup: 3Com Modem Manager.lnk = C:\Program Files\3Com\ModemMgr\Program\mdmMgr.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
    O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
    O18 - Protocol: asksam - {F9FF9EDA-4916-11D1-B6C1-002018305A61} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\AS_AIPP.DLL (file missing)

I've also got the BT privacy thing on now.
     
    Nickweb, Sep 11, 2005
    #5
Goober THQ's Jester Moderator
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O18 - Protocol: asksam - {F9FF9EDA-4916-11D1-B6C1-002018305A61} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\AS_AIPP.DLL (file missing)

Those, I think, you can delete.
     
    Goober, Sep 11, 2005
    #6
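The log posted above is HijackThis output, and reading it is mostly a matter of splitting each entry into its section code, CLSID and target and then asking a few questions of each. The script below is an added example, not code from the thread or from HijackThis; it runs over a constructed excerpt of the posted log (the O16 entries plus the lines Goober singled out, copied from the post) and flags the entries a reviewer would look at first. The rules are review prompts, not verdicts.

```python
import re
from collections import defaultdict

# Constructed excerpt of the HijackThis log posted in the thread (lines copied
# from the post; the rest of the log is omitted).
HJT_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O18 - Protocol: asksam - {F9FF9EDA-4916-11D1-B6C1-002018305A61} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\AS_AIPP.DLL (file missing)
"""

ENTRY_RE = re.compile(r"^([FORN]\d+) - (.*)$")   # "O16 - ..." style entries only
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_hjt(text):
    """Split a HijackThis log into (section, clsid-or-None, target, line)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # process list, headers, blank lines
        section, body = m.groups()
        clsid = CLSID_RE.search(body)
        if section == "O4" and "] " in body:
            target = body.split("] ", 1)[1]        # O4: "[name] command"
        else:
            target = body.rsplit(" - ", 1)[-1]     # otherwise the last field
        entries.append((section, clsid.group(0) if clsid else None, target, line))
    return entries

def triage(text):
    """Return [(what, reason)] for entries worth a closer look; not verdicts."""
    flagged = []
    cab_owners = defaultdict(set)         # local CAB -> CLSIDs registered from it
    for section, clsid, target, line in parse_hjt(text):
        if target.endswith("(file missing)"):
            flagged.append((line, "orphaned entry: referenced file no longer exists"))
        if section == "O16" and target.lower().startswith("file://"):
            if "(" not in line.split(" - ", 2)[1]:   # no friendly control name
                flagged.append((line, "O16 control registered from a local CAB with no name"))
            cab_owners[target.lower()].add(clsid)
    for cab, ids in cab_owners.items():
        if len(ids) > 1:
            flagged.append((cab, f"{len(ids)} CLSIDs registered from the same local CAB"))
    return flagged
```

Run `triage(HJT_LOG)` to see the unnamed O16 entries, the orphaned O18 entry and the shared `ex.cab` flagged; the Norton and IntraLaunch lines pass through untouched.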
Nickweb Resident Filmaker Moderator
Any others, guys? I really need to get this fixed.
     
    Nickweb, Sep 17, 2005
    #7
Goober THQ's Jester Moderator
The only true way to know if it's gone or not is to fdisk.

Have you run Ad-Aware or SBS&D? Those will most likely detect it.
     
    Goober, Sep 18, 2005
    #8
Nickweb Resident Filmaker Moderator
OK, I've had a look at what starts up with the computer. Now I know there's more than needed; can you guys tell me what should be left running for Win98SE to work properly, and what shouldn't be there?

Thanks

    Explorer
    Reminder
    Wmencagt
    Lvcoms
    Loadqm
    Mswheel
    Stimon
    Mobmon
    Wkcalrem
    Vptray
    Systray
    Wmexe
     
    Nickweb, Oct 2, 2005
    #9
Goober THQ's Jester Moderator
Explorer and Systray, if I remember correctly, are the only ones that have to be running to use Windows right...
     
    Goober, Oct 2, 2005
    #10
Nickweb Resident Filmaker Moderator
OK, so seeing as this has not been solved for ages, I went and bought a PC mag with a coverdisc that has Webroot Spy Sweeper and BitDefender. It found a trojan.downloader.gen in c:\windows\java\javasys.exe. I looked around on Google and found a link to another forum about this exact issue; I'd post the link, but that's against the rules here.

Anyway, it said to delete the javasys.exe file. Is that true, and what does the javasys.exe file do? Will it screw up my JavaScript features in IE? Really need to fix this.

Thanks
     
    Nickweb, Nov 21, 2005
    #11
Goober THQ's Jester Moderator
Java on my PC is even claimed to be a virus (from AVG), but I do not think that viruses can put themselves in system folders? Anyway, yeah, don't worry about javasys. You can delete then redownload it if it makes you feel better.
     
    Goober, Nov 21, 2005
    #12