
I have a dialer!



worried
2006-03-03, 14:42
Hi all,

I posted my original post in the wrong section, sorry about that, I was confused. Here is my original post:

"hi all,

I'm really worried at the moment. I have a dialer. Last night I was searching and downloaded something which then automatically started calling someone. I pulled my internet cord out, so the full dial couldn't be made. I shut my computer down and came back on today to find that my default internet connection had been changed to some different dial-up number. I deleted it and replaced it with mine, but then if I reboot, it happens again.

I have downloaded Spybot, Ad-Aware, HijackThis AND SpywareBlaster, and it seems like I've deleted everything I can, but then when I re-did my Spybot scan, at the bottom I saw all these "XX dialer" "tango dialer" "ring ring" etc. type of things, but yet Spybot says "congratulations! No immediate threats were found."

I DON'T UNDERSTAND!!! And I am freaking out. Please please help me!!!!

Worried."

I was then told to post here, and to first read "BEFORE you post a log, and who will advise you. Also~please put HJT in CORRECT folder"

So, I firstly ran an online anti-virus scan. I used the zonelabs.com anti-virus scan (as I had gone there to look into a firewall and then discovered there was an online scan I could do) and it came up with:

BurstNet - 3rd Party Cookie

Dealtime - 3rd Party Cookie

GameSpy - 3rd Party Cookie

Windowsmedia - 3rd Party Cookie

I then did a spybot scan and it came up with "Congratulations! No immediate threats were found."

So I then did a HiJackThis scan, and I have the log:

Logfile of HijackThis v1.99.1
Scan saved at 12:05:46 AM, on 4/03/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guysebastian.com.au/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37670.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CCB46B8-2600-45BD-90FF-0D874BF57CF8}: NameServer = 203.12.160.35 203.12.160.36
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CCB46B8-2600-45BD-90FF-0D874BF57CF8}: NameServer = 203.12.160.35 203.12.160.36
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

Can anyone help me!?! Also, I'm not sure how to delete cookies, can someone tell me that?? Please help!!

Worried.

P.S- I have done previous HiJackThis scans, and I have got rid of some of the things on there - I didn't know that I shouldn't have =\ But I do believe they were nothing major - More like Yahoo! Messenger type things and toolbars =\ Sorry if I have made it harder - Computer seems fine though...
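The log above is the kind of thing helpers read by eye, section by section: R0/R1 are Internet Explorer pages, O4 is everything that autostarts, O16 is ActiveX the browser has been told it may download, O17 is the DNS servers the PC will trust. The script below is an added example (not part of the thread, not a tool either poster used) that does the same first-pass triage over lines copied from the posted log. Two things are assumptions for illustration: EXPECTED_DNS is set to the two addresses on the O17 line (in practice you check them against what the ISP or router actually hands out), and TRUSTED_DIR_PREFIXES is a rough list of directories where an autostart executable is unremarkable on XP. The line in CONSTRUCTED_DIALER_RUN is constructed, not from the log, to show the O4 check firing on the path Panda later flagged.

```python
import re
from urllib.parse import urlparse

# Lines copied from the HijackThis 1.99.1 log posted above (a subset covering
# each section type this script inspects).
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guysebastian.com.au/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37670.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CCB46B8-2600-45BD-90FF-0D874BF57CF8}: NameServer = 203.12.160.35 203.12.160.36
"""

# Constructed, NOT from the posted log: the Run entry a dialer sitting at
# C:\WINDOWS\internt.exe (the path Panda later flagged) could have left behind.
# It exists only to show the O4 check firing.
CONSTRUCTED_DIALER_RUN = r"O4 - HKLM\..\Run: [internt] C:\WINDOWS\internt.exe"

# Assumption: the ISP's real resolvers. Here simply the two addresses on the
# O17 line; anything else appearing there would be a DNS hijack to chase.
EXPECTED_DNS = {"203.12.160.35", "203.12.160.36"}

# Assumption: directories where an autostart executable is unremarkable on XP.
TRUSTED_DIR_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\system32\\")

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# O4 bodies: 'HKLM\..\Run: [Name] "C:\path\x.exe" args' or 'Startup: X.lnk = C:\path\x.exe'
O4_PATH_RE = re.compile(r'(?:\]|=)\s+"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|scr|com|bat|dll))"?', re.IGNORECASE)
O16_URL_RE = re.compile(r"https?://\S+")
O17_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[\d., ]+)")


def parse_hjt(text):
    """Return [(section, body)] for every 'Xn - body' line; headers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m["sec"], m["body"]))
    return entries


def run_entry_path(body):
    """Executable path of an O4 entry, or None if it cannot be extracted."""
    m = O4_PATH_RE.search(body)
    return m["path"] if m else None


def triage(text):
    findings = {
        "ie_pages": [],                  # R0/R1: start/search pages (hijack targets)
        "run_outside_trusted_dirs": [],  # O4 autostarts living somewhere odd
        "activex_hosts": [],             # O16 DPF: sites allowed to push ActiveX
        "dns_servers": [],               # O17 NameServer values
        "unexpected_dns": [],            # O17 values not in EXPECTED_DNS
    }
    for sec, body in parse_hjt(text):
        if sec in ("R0", "R1") and "=" in body:
            findings["ie_pages"].append(body.split("=", 1)[1].strip())
        elif sec == "O4":
            path = run_entry_path(body)
            if path and not path.lower().startswith(TRUSTED_DIR_PREFIXES):
                findings["run_outside_trusted_dirs"].append(path)
        elif sec == "O16":
            m = O16_URL_RE.search(body)
            if m:
                findings["activex_hosts"].append(urlparse(m.group(0)).hostname)
        elif sec == "O17":
            m = O17_RE.search(body)
            if m:
                servers = [s for s in re.split(r"[ ,]+", m["servers"].strip()) if s]
                findings["dns_servers"].extend(servers)
                findings["unexpected_dns"].extend(s for s in servers if s not in EXPECTED_DNS)
    return findings


if __name__ == "__main__":
    for name, value in triage(HJT_LOG + CONSTRUCTED_DIALER_RUN).items():
        print(f"{name}: {value}")
```

On the posted log nothing trips: every O4 executable sits under Program Files and both O17 servers are the expected ones. Only the constructed Run entry lands in run_outside_trusted_dirs, which is exactly the sort of line the earlier, already-cleaned scans would have shown.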

LonnyRJones
2006-03-03, 22:17
Hi
"I deleted it, and replaced it with mine, but then if I reboot, it happens again."
What settings are you changing? Explain please.

"I re-did my spybot scan, at the bottom I saw all these "XX dialer" "tango dialer" "ring ring"

Those are not what's on your PC but what Spybot is looking for, understand?

worried
2006-03-04, 04:26
I mean I deleted my dial-up connection and created a new connection, which got rid of the different dial-up number and put my dial-up number back there, with my connection information (user name, password and dial-up number), but when I reboot it gets replaced with the dialer's number..

LonnyRJones
2006-03-04, 04:39
Ok, it might help if i could see the number it was changed to

LonnyRJones
2006-03-04, 04:41
Post a report from this tool if any files show.
F-Secure BlackLight: http://www.f-secure.com/blacklight/try.shtml
Click the "I accept" button near the bottom of that page.
Download and run BlackLight: click > Scan, then > Next, Next again, then Exit.
There will be a new txt file next to BlackLight. Post it please.
Important: if any files show, do not rename them; legitimate files can be listed.

worried
2006-03-04, 05:23
Ok, I couldn't get the dial-up number it was changing to because for some reason it's not changing anymore... I hope that's a good thing! :D At first I just restarted the computer, waited about 10 minutes and nothing changed, so then I turned off the computer, turned it back on, waited another 10-15 minutes, and nothing changed! Does that mean the dialer is gone?? Oh I hope so!!

Anyway, I did what you asked me to, here is the text from BlackLight (I hope this is the right thing anyway!)

03/04/06 14:49:19 [Info]: BlackLight Engine 1.0.33 initialized
03/04/06 14:49:19 [Info]: OS: 5.1 build 2600 ()
03/04/06 14:49:19 [Note]: 7019 4
03/04/06 14:49:19 [Note]: 7005 0
03/04/06 14:49:34 [Note]: 7006 0
03/04/06 14:49:34 [Note]: 7011 1048
03/04/06 14:49:34 [Note]: FSRAW library version 1.7.1015
03/04/06 14:50:10 [Note]: 7007 0

Worried.

worried
2006-03-04, 05:33
Oh, and what about deleting cookies? How do I do that? And what about the 3rd party cookie the online scan found?? Sorry, too many questions! =\

LonnyRJones
2006-03-04, 08:14
You can delete cookies via Internet Options; probably not necessary, but still a good idea to clear them once in a while.

Get this free online scan and post its report please.
Panda ActiveScan - free online scanner:
http://www.pandasoftware.com/products/activescan.htm
Save the report and post it back here please if there is anything it is unable to deal with.

worried
2006-03-04, 15:31
:o it said I have four dialers and three spyware!!! :( :( :o Here is the log:


Incident Status Location

Adware:adware/purityscan Not disinfected C:\Documents and Settings\Lauren\Local Settings\Temp\!update.exe
Dialer:dialer.ffk Not disinfected C:\WINDOWS\SYSTEM32\itunesff.exe
Dialer:dialer.baj Not disinfected C:\WINDOWS\internt.exe
Dialer:dialer.xd Not disinfected C:\WINDOWS\switchagreement.txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Lauren\Local Settings\Temp\!update.exe
Dialer:Dialer.ABR Not disinfected C:\Documents and Settings\Lauren\My Documents\Unzipped\hijackthis\backups\backup-20060303-162944-160.inf
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Lauren\My Documents\Unzipped\hijackthis\backups\backup-20060303-162944-790.inf

HELP!!!!!

LonnyRJones
2006-03-05, 00:55
Manually delete
C:\WINDOWS\SYSTEM32\itunesff.exe
C:\WINDOWS\internt.exe
C:\WINDOWS\switchagreement.txt

And clear temps with a program such as >
System Security Suite.
http://www.igorshpak.net/
Extract it from the zip file and run setup.exe
after the install you can delete setup.exe and the downloaded zip file
Start the program, check all the boxes under the 'Items to Clear' tab (except perhaps cookies) and click
'Clear Selected Items'. You will be prompted to reboot; do so.
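The advice above splits the Panda report into three groups by where each file lives: live files under C:\WINDOWS get deleted by hand, the copy in Local Settings\Temp goes with the temp cleaner, and the two .inf files are HijackThis's own backups of entries already removed. The script below is an added example (not from the thread, not something either poster ran) that parses the report as posted and derives that same split, de-duplicating the PurityScan file Panda listed twice under two names. The classification rules are this example's assumptions, keyed on path only.

```python
import re

# The Panda ActiveScan report posted in the thread, pasted verbatim.
PANDA_REPORT = r"""
Incident Status Location

Adware:adware/purityscan Not disinfected C:\Documents and Settings\Lauren\Local Settings\Temp\!update.exe
Dialer:dialer.ffk Not disinfected C:\WINDOWS\SYSTEM32\itunesff.exe
Dialer:dialer.baj Not disinfected C:\WINDOWS\internt.exe
Dialer:dialer.xd Not disinfected C:\WINDOWS\switchagreement.txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Lauren\Local Settings\Temp\!update.exe
Dialer:Dialer.ABR Not disinfected C:\Documents and Settings\Lauren\My Documents\Unzipped\hijackthis\backups\backup-20060303-162944-160.inf
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Lauren\My Documents\Unzipped\hijackthis\backups\backup-20060303-162944-790.inf
"""

# One report row: "<Kind>:<name> <status words> <drive>:\<path>"
ENTRY_RE = re.compile(r"^(?P<kind>\w+):(?P<name>\S+)\s+(?P<status>.+?)\s+(?P<path>[A-Za-z]:\\.+)$")


def parse_report(text):
    """Rows of the report as dicts; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify(path):
    """Where a flagged file lives decides how it gets cleaned up (assumed rules)."""
    p = path.lower()
    if "\\hijackthis\\backups\\" in p:
        return "hjt-backup"      # HijackThis' own copy of an entry already removed
    if "\\local settings\\temp\\" in p or "\\temp\\" in p:
        return "temp"            # disappears when temporary files are cleared
    return "manual-delete"       # live file on disk: remove it by hand


def action_plan(text):
    """Unique flagged paths grouped by the action they need, in report order."""
    plan = {"manual-delete": [], "temp": [], "hjt-backup": []}
    seen = set()
    for row in parse_report(text):
        key = row["path"].lower()
        if key in seen:
            continue             # Panda listed !update.exe twice under two names
        seen.add(key)
        plan[classify(row["path"])].append(row["path"])
    return plan


if __name__ == "__main__":
    for action, paths in action_plan(PANDA_REPORT).items():
        print(action)
        for p in paths:
            print("   ", p)
```

Run as-is, the manual-delete group comes out as exactly the three files named above; switchagreement.txt is only a text file (the dialer's licence text) but it is still a live artefact of the infection, so it is kept in that group rather than ignored.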

worried
2006-03-05, 22:05
Ok, I manually removed those three things, downloaded that program and checked everything except cookies and the user-defined folder (because I think I had to choose what went in there), and rebooted the computer... But now I'm not sure what to do. Another Panda online scan??? I'll just do that anyway :)

worried
2006-03-05, 22:35
Ok, everything is gone except these two things:

Dialer:Dialer.ABR Not disinfected C:\Documents and Settings\Lauren\My Documents\Unzipped\hijackthis\backups\backup-20060303-162944-160.inf
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Lauren\My Documents\Unzipped\hijackthis\backups\backup-20060303-162944-790.inf
But I think it could be because I unzipped HijackThis twice. The one where the dialer and adware are I don't actually use, because the one I use is in my Program Files... I must have forgotten to delete the one in the Unzipped folder.. Could that be it? Should I just delete it???

LonnyRJones
2006-03-06, 02:28
Hi

You can delete it if you'd like to, of course.

Think Prevention:
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

worried
2006-03-06, 06:57
Ok, I have deleted the HijackThis stuff in the Unzipped folder. I have done another online scan and it came up with nothing, so that is good. I did an Ad-Aware scan and a Spybot scan, and they also came up with nothing.

I downloaded that hosts file and I have also installed SpywareGuard and ZoneAlarm's firewall.

Does that mean my computer is fully free of dialers and spyware??? :D Thank you so much, LonnyRJones! You have been such a big help, I cannot thank you enough! I hope I don't have to come back here again! (not that you all aren't nice, but just because I don't want spyware, adware or dialers etc. ever on my computer!) Hopefully I won't have to come back here and I think I am more protected than I was before (seeing as I had no anti-spyware or anti-adware protection on my computer)

Thank you again!

Worried.

worried
2006-03-06, 07:55
Is the firewall supposed to continue giving me popups saying things are blocked? I don't quite understand all the things that are trying to connect to my computer... Should I be concerned??

Generic host process for Win32 services was blocked from accepting a connection from the internet. (203.12.160.35:DNS)

Generic host process for Win32 services was blocked from accepting a connection from the internet.(203.12.160.36:DNS)

The firewall has blocked internet access to your computer (UDP Port 1026) from 65.191.104.80 (UDP Port 20920) – SmartDefense Advisor.

I clicked on More Info with the SmartDefense Advisor one and it said:

"ZoneAlarm blocked traffic to port 1026 on your machine from port 20920 on a remote computer whose IP address is 65.191.104.80. This communication attempt may have been a port scan, or simply one of the millions of unsolicited commercial or network control messages that are routinely sent out over the Internet. Such unsolicited messages are often called Internet background noise."

Sorry, I just want to make sure I don't have any spyware or anything on my computer.

I just got another pop up thingy from the firewall:

The firewall has blocked Internet access to your computer (TCP Port 135) from 203-219-187-90-per-pow-ts-3-2600.tpgi.com.au (203.219.187.90) (TCP Port 1159) [TCP Flags: S]. - SmartDefense Advisor.

Sorry, Just want peace of mind, I suppose! =S =S

LonnyRJones
2006-03-06, 08:38
Hi
"Does that mean my computer it fully free of dialers and spyware??? "

I believe so :)

65.191.104.80 = OrgName: Road Runner
OrgID: RRMA
Address: 13241 Woodland Park Road
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US

http://ws.arin.net/cgi-bin/whois.pl

Until you're more familiar with your firewall you can always ask
Here http://castlecops.com/f2-Firewalls.html
Or here http://www.wilderssecurity.com/forumdisplay.php?f=31
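The three kinds of popup quoted above are worth telling apart, and the HijackThis log earlier in the thread already holds the key to the first one: 203.12.160.35 and .36 are the O17 NameServer entries, so "blocked from accepting a connection from ... :DNS" is the PC's own DNS answers coming back, not an attack. The script below is an added example (not from the thread, not part of ZoneAlarm) that parses the alert texts as posted and sorts them with a few rules that are this example's assumptions: replies from the configured resolvers are benign; unsolicited UDP to 1026-1029 is the Windows Messenger-service popup spam of that era, which the firewall's own "background noise" note describes; a blocked TCP SYN to 135 (or 139/445) is an RPC/SMB probe, the same kind of scan that worms used against unpatched XP. Anything else is reported as plain unsolicited inbound traffic. CONFIGURED_DNS is taken from the O17 line; the dash before "SmartDefense Advisor" is normalised to ASCII.

```python
import re

# Alert texts copied from the ZoneAlarm popups quoted in the thread.
ALERTS = [
    "Generic host process for Win32 services was blocked from accepting a "
    "connection from the internet. (203.12.160.35:DNS)",
    "Generic host process for Win32 services was blocked from accepting a "
    "connection from the internet.(203.12.160.36:DNS)",
    "The firewall has blocked internet access to your computer (UDP Port 1026) "
    "from 65.191.104.80 (UDP Port 20920) - SmartDefense Advisor.",
    "The firewall has blocked Internet access to your computer (TCP Port 135) "
    "from 203-219-187-90-per-pow-ts-3-2600.tpgi.com.au (203.219.187.90) "
    "(TCP Port 1159) [TCP Flags: S]. - SmartDefense Advisor.",
]

# Assumption: the machine's configured resolvers, taken from the O17 NameServer
# line of the HijackThis log posted earlier in this thread.
CONFIGURED_DNS = {"203.12.160.35", "203.12.160.36"}

# "program" alert: svchost stopped from accepting a connection from ip:service
PROGRAM_RE = re.compile(
    r"blocked from accepting a connection from the internet\.\s*"
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+):(?P<svc>\w+)\)")
# "inbound" alert: unsolicited packet to a local port from a remote host/port
INBOUND_RE = re.compile(
    r"blocked [Ii]nternet access to your computer \((?P<proto>TCP|UDP) Port (?P<lport>\d+)\) "
    r"from (?P<src>.+?) \((?P=proto) Port (?P<rport>\d+)\)")
IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_alert(text):
    """Pull the fields out of one popup; None if the text is not one we know."""
    m = PROGRAM_RE.search(text)
    if m:
        return {"kind": "program", "ip": m["ip"], "svc": m["svc"]}
    m = INBOUND_RE.search(text)
    if m:
        ips = IP_RE.findall(m["src"])          # src is "hostname (a.b.c.d)" or a bare IP
        return {"kind": "inbound", "ip": ips[-1] if ips else None,
                "proto": m["proto"], "lport": int(m["lport"]),
                "rport": int(m["rport"]), "syn": "[TCP Flags: S]" in text}
    return None


def classify(alert):
    """Map a parsed alert to a verdict. The rules are this example's assumptions."""
    if alert is None:
        return "unparsed"
    if alert["ip"] in CONFIGURED_DNS and alert.get("svc") == "DNS":
        # Answers to lookups the PC itself sent; the resolver matches O17, so benign.
        return "dns-reply-from-configured-resolver"
    if alert["kind"] == "inbound":
        if alert["proto"] == "UDP" and 1026 <= alert["lport"] <= 1029:
            # Windows Messenger-service popup spam; blocked, nothing to do.
            return "messenger-service-spam"
        if alert["proto"] == "TCP" and alert["lport"] in (135, 139, 445):
            # RPC/SMB probe from a scanner or worm; blocked SYN, keep XP patched.
            return "rpc-smb-probe"
    return "unsolicited-inbound"


def verdicts(alerts):
    return [classify(parse_alert(a)) for a in alerts]


if __name__ == "__main__":
    for text, verdict in zip(ALERTS, verdicts(ALERTS)):
        print(f"{verdict:36} {text[:70]}")
```

None of the four verdicts needs action beyond what the firewall already did; the one worth keeping an eye on is the DNS rule, because if the resolver addresses in those popups ever stop matching the O17 line, something has changed the machine's DNS settings again.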

worried
2006-03-06, 14:12
:o

I don't know who that road runner person is! I guess this firewall does the job. Could that person be trying to hack into my computer??? Hmm.

Thank you for the links to the forums :) And thank you for all your help!

LonnyRJones
2006-03-06, 14:46
One more writeup

Understanding and Using Firewalls:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=60

Happy surfing

tashi
2006-03-09, 22:01
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the thread.

Glad we could help.