MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: A really bad dial-up connection hijacker - help!
October 23, 2019, 03:42:09 AM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
October 23, 2019, 03:42:09 AM

Login with username, password and session length
 Featured Sites:
News
Help us help you! Help us help you by helping out! The more people know about us, the more help will be available. Click here to find out how...
  0 Members and 1 Guest are viewing this topic.
Pages: [1] Go Down Print
Author Topic: A really bad dial-up connection hijacker - help!  (Read 1247 times)
mike.fitzgerald1
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 5


Bookmark and Share

View Profile
« on: September 13, 2004, 01:12:08 PM »

Hi, Hope you can help.

My username, password and connection telephone number to my ISP are hijacked periodically. The connection seems to be sending me to Austria - luckily, I can change them back but it just keeps getting changed back. I have run various spyware (Spybot, Ad-aware etc without luck. Here is my Hijackthis log - I am sure I will have to run my computer in safemode to remedy the situation - can you advise how I do this also?

Many thanks.

Logfile of HijackThis v1.98.2
Scan saved at 16:55:38, on 13/09/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\winmodem.exe
C:\WINDOWS\EXPLORER.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM32\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MSMONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HJT\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE"
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\MOUSE\point32.exe
O4 - HKLM\..\Run: [TIPS] C:\MOUSE\tips\mouse\tips.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [Virgin Net User Check] C:\PROGRA~1\INTERN~1\CONNEC~2\vnet\runvnet.exe /c
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\explorer.exe -go -c9 -w
O4 - HKLM\..\Run: [signup] C:\program files\Telstra\signup\tbps.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Winmodem] C:\WINDOWS\SYSTEM\WINMODEM.101\winmodem.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\MSMoney\System\reminder.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - file://C:\WINDOWS\OPTIONS\CABS\CONTENT\COMICS\ikcntrls.cab
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {11111111-1111-1111-1111-111111113458} - file://C:\WINDOWS\Tempor~1\Content.IE5\0PQF4HU7\explorer9[1].cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-au/4,0,0,83/mcinsctl.cab



 
 
jvic
Senior Member



 
Canada
Post 147 of 150

Status: Online
 Posted - Sep 13 2004 :  06:26:11      
--------------------------------------------------------------------------------
 
I don't see anything in your log that would be causing your problem.You can run HJT again and fix this entry

O16 - DPF: {11111111-1111-1111-1111-111111113458} - file://C:\WINDOWS\Tempor~1\Content.IE5\0PQF4HU7\explorer9[1].cab

 
 
 
mike.fitzgerald1
Starting Member



Australia
Post 2 of 2

Status: Online
 Posted - Sep 13 2004 :  08:59:11          
--------------------------------------------------------------------------------
 
Nope. That didn't work unfortunately. I even ran the PC in safe mode with Spybot, Ad-aware and Xoftspy spyware which picked up some registry files but I've just been hijacked again!!

The dial-up connection number is changed to 0011432082018539 (001143 is the country code for Austria from Australia). Interestingly, in 'My connection' on the 'Configure' modem tab, once hijacked I cannot access this Tab - I get an error message 'Information about your modem is invalid'. Once I delete this dial-up connection and make another through the Wizard and reset my Acounts in Outlook etc I have access to the modem configuration again.

I've been on this for 2 days now and it is really starting to bug me. Come on you techies out there, someone must have an answer to this one??? Here is my amended Hijack this log (I have tweaked a few things myself without success). Thanks for your help jvic - anything else I can try besides shooting myself?

My connection is hijacked randomly - it has happened about 5 times today but I must of been in and out of Outlook, My connection and rebooted dozens of times. I ran PandaActiveScan last night (which took forever) - whilst it was scanning and this morning I wasn't hijacked - it didn't pick it up though!


ogfile of HijackThis v1.98.2
Scan saved at 21:02:25, on 13/09/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\winmodem.exe
C:\WINDOWS\EXPLORER.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM32\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HJT\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE"
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\MOUSE\point32.exe
O4 - HKLM\..\Run: [TIPS] C:\MOUSE\tips\mouse\tips.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\explorer.exe -go -c9 -w
O4 - HKLM\..\Run: [signup] C:\program files\Telstra\signup\tbps.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Winmodem] C:\WINDOWS\SYSTEM\WINMODEM.101\winmodem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - file://C:\WINDOWS\OPTIONS\CABS\CONTENT\COMICS\ikcntrls.cab
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-au/4,0,0,83/mcinsctl.cab

 mike.fitzgerald1
Starting Member
 


Logged

 
mike.fitzgerald1
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 5


Bookmark and Share

View Profile
« Reply #1 on: September 13, 2004, 04:30:52 PM »

Eurika!!! Eurika!! I've done it and I did it all on my own.  The little B****** is called Explorer.exe and it was sitting in my Windows/System32 folder - no spyware was picking it up.  I decided to look closely at the Hijack this log posted above and noticed I had an explorer file in the system32 folder.  When I looked in the folder the file in question looked really suspicious - no icon and on the properties tab it was only a few hundred KBS and gave very little information.  I went back to the desktop and performed CTL-ALT-DEL to see what programs were running.  Sure enough there were 2 explorer programs running (I think the other is the standard windows explorer which helps you find files etc on your PC).  I guessed that that explorer.exe was a boot virus(hence the Hijack this log entry above:  O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\explorer.exe -go -c9 -w.  Anyway, I went back into system 32 and tried to delete the file but it seemed to be protected and I thought it must therefore be a system file of some sort but then I remebered that if it was already running (as shown in CTL-ALT-DEL) then it wouldn't let me delete it.  I tried  CTL-ALT-DEL again and tried to stop it that way but without success.  I then remembered that if you change the name of a file sometimes it will let you delete it - I changed its name by right clicking on it with my mouse and then deleted it.  I then ran Hyjack this again and cleaned the entry mentioned above.  I then booted my pc in safe mode and ran hijack this again and it was gone - I think I am clean.  Thank god!  It was worse than herpes (not that I would know of course).  

I hope the information above helps someone because this virus is very hard to detect and has caused me much misery.  I suppose it was only my super sherlock holmes skills that managed to beat it....I hope I  have anyway...Goodluck and thanks to JVIC for the help.

Mike.Fitzgerald1  
Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #2 on: September 13, 2004, 04:58:12 PM »

Good going.I missed that one.The valid explorer.exe is found in C:\windows.
« Last Edit: September 13, 2004, 04:59:29 PM by jvic » Logged

John Vickers
mike.fitzgerald1
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 5


Bookmark and Share

View Profile
« Reply #3 on: September 14, 2004, 11:05:06 AM »

Further to my last message, I have found a very useful web-page http://cexx.org/dlder.htm which describes in detail how the explorer.exe hijacker works.  It also gives a very useful link where you can fix this nastie.

I hope this helps.

Logged

 
Pages: [1] Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page June 16, 2018, 10:13:01 AM