Dial Up Connection Problems, Please help??



martinuk
22-07-2005, 06:38 AM
Hi All,
First time here so I hope I'm in the right place.

I'm still on an old Dial Up Connection (DUC) to get online.

From yesterday something is trying to take over my DUC, when I click on the icon to go online a new number has been added to be dialed.

So I change this to my proper details and connect up fine......But when I disconnect and try to connect again this has all reverted to these bogus dial up details, I presume it's hoping I'm gonna dial up some international number or summat, I don't know..........

I delete the connection in my network places and make a new one and it keeps changing it??

I have a firewall up that comes with WinXP and I have scanned for viruses etc with Norton.

Can anyone help me out as to how to fix this without a format??

Thanks in advance for any suggestions

Martin

drcspy
22-07-2005, 07:42 AM
Get yourself Spybot Search and Destroy and Ad-Aware, install and run them both, then remove all that they find.........sounds like you got some nasty dialler program.........

Renmoo
22-07-2005, 09:10 AM
No doubt it is some nasty dialler making a nest in your computer. Meantime, you can check out PressF1's Spyware and adware etc. FAQ (http://pressf1.pcworld.co.nz/faq.php?faq=pressf1_faqs_security#faq_pressf1_faq_ 16)

Cheers :)

martinuk
22-07-2005, 11:01 AM
> No doubt it is some nasty dialler making a nest in your computer. Meantime, you can check out PressF1's Spyware and adware etc. FAQ (http://pressf1.pcworld.co.nz/faq.php?faq=pressf1_faqs_security#faq_pressf1_faq_ 16)
>
> Cheers :)

I just downloaded and ran both programs mentioned, they found loads of things so they are now gone........BUT it hasn't fixed my problem, my dial up details are still being altered to this dial up hijacker or whatever it is???

Any more ideas?

Regards as ever
Martin

Rob99
22-07-2005, 11:13 AM
delete it then make a new one

pctek
22-07-2005, 11:26 AM
And run Hijackthis as well. It's in the FAQ.

martinuk
22-07-2005, 11:42 AM
> delete it then make a new one

Done that and it just comes back!!

Edward
22-07-2005, 11:44 AM
Can you post a hijacklog here? There's linkage to it in the FAQ

martinuk
22-07-2005, 11:48 AM
> And run Hijackthis as well. It's in the FAQ.

Here is my Log file from Hijack this if anyone can understand it??

Thanks again

Logfile of HijackThis v1.99.1
Scan saved at 23:46:07, on 21/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\WINDOWS\system32\usbn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC 2.EXE
C:\WINDOWS\twain_32\A4CIS\WATCH.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\webstaff\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.staffdata.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [Internet Robust Download Manager] C:\Program Files\IRDM\IRDM.exe /STARTUP
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c77 -w
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC 2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4CIS\WATCH.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Check Local Printer.lnk = C:\Program Files\KXP6X00\Chkpnt.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C95D2FC1-A318-493E-A077-47CA69EC8D74}: NameServer = 195.92.195.95 195.92.195.94
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Speedy Gonzales
22-07-2005, 12:03 PM
This is the prob. Tick these, and click on fix checked

C:\WINDOWS\system32\usbn.exe - this is possibly an adult dialler.

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

Tick the above and reboot. Then see what happens.

If Usbn.exe appears in task manager kill it first.

Edward
22-07-2005, 12:06 PM
Indeed usbn.exe is an adult dialer, and should be removed

martinuk
22-07-2005, 01:03 PM
> This is the prob. Tick these, and click on fix checked
>
> C:\WINDOWS\system32\usbn.exe - this is possibly an adult dialler.
>
> O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
>
> O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
>
> Tick the above and reboot. Then see what happens.
>
> If Usbn.exe appears in task manager kill it first.

Hey Speedy you're a top bloke!!
That's done the trick, rebooted and my dial up is normal again!!

Can I ask a couple of questions here.....

What have I done by checking the items and clicking fix? Have I removed them from my PC or just disabled them? Will they reactivate?

Also how did you pick them out from my log file so easily? are there common dial up hijack names?

Thanks again you saved me a format and I was dreading that!!

Regards Martin:thumbs:

Speedy Gonzales
22-07-2005, 01:18 PM
By ticking those entries, it stops them from running on startup (I think).

It removes the entry/reference to the file from the registry?

I've never had to use hijackthis to remove diallers etc (yet)! to find out what it actually does. It might remove the reference to it tho.

Not too sure if it removes the actual file, that does the damage. (Do a search for usbn.exe on your PC). If it comes up, delete it.

If usbn.exe doesn't come up, ticking the entry in the Hijackthis log may have deleted it as well.

If the entries are under run (in the registry) they shouldn't run on startup. (If u tick the entry in Hijackthis).

The easiest way to find out what's nasty or what isn't, is either post a hijackthis log here, or copy and paste a log here http://www.hijackthis.de/

And then click on analyze.

This site will give the entries in the log a rating of safe, nasty, possibly nasty, or unknown?

The entries this site picks up as nasty, possibly nasty, or unknown, should be checked in Google http://www.google.com or Yahoo http://www.yahoo.com

Either one of these, will give u a hint of what this unknown file is, or what it does.

If it says the entry in the log is related to a virus/dialler/trojan, or similar, the entry (in the hijackthis log) should be ticked and fix checked should be selected, after u tick whatever entries. That's it!

If u haven't updated recently (if u don't want to install SP2), now might be a good idea to get the rest of the XP updates.

Good to hear it's back to normal :thumbs:
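
Added example (not part of the original thread or any poster's reply): a small first-pass triage of HijackThis log lines, in the spirit of the "look up anything unknown" advice above. The three heuristics and the function names are assumptions chosen for illustration; a hit means "check this entry", not "this is malware".

```python
import re

# Constructed sample built from lines in the log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c77 -w
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "O4 - rest of line": section code (R0, O4, O16, ...) followed by the entry detail.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# An .exe sitting directly in system32 (not in a subfolder such as spool\drivers).
SYSTEM32_EXE = re.compile(r'\\windows\\system32\\[^\\\s"]+\.exe', re.I)


def parse(log):
    """Yield (section, detail) for every HijackThis entry line; skip everything else."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def review_reason(section, detail):
    """Return why an entry deserves a manual look-up, or None (assumed heuristics)."""
    if section == "O4" and SYSTEM32_EXE.search(detail):
        return "autostart entry runs an .exe directly from system32"
    if section == "O15":
        return "site was added to the IE Trusted Zone"
    # O16 entries end with " - <source of the control>"; a local file is unusual.
    if section == "O16" and detail.rsplit(" - ", 1)[-1].lower().startswith("file://"):
        return "ActiveX control was installed from a local file"
    return None


def triage(log):
    """Return (section, detail, reason) for each entry that should be looked up."""
    return [(s, d, r) for s, d in parse(log) if (r := review_reason(s, d))]


if __name__ == "__main__":
    for section, detail, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {detail}")
```

Run against the full log in this thread, the O16 rule lists every entry whose source is file://c:\ex.cab, so each one can be looked up before deciding what to fix.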

martinuk
22-07-2005, 01:35 PM
> This is the prob. Tick these, and click on fix checked
>
> C:\WINDOWS\system32\usbn.exe - this is possibly an adult dialler.
>
> O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
>
> O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
>
> Tick the above and reboot. Then see what happens.
>
> If Usbn.exe appears in task manager kill it first.

Thanks speedy that worked a treat,
I found 2 files for this and deleted them............
Thanks again