Paul T
Hi, I'm hoping that someone can give me a bit of advice
in fixing a problem of a dialer trying to connect to a
premium rate line which has been appearing on my computer
for the past few days a few minutes after startup. I'm
happy, and more than a little relieved, to say that I
caught this the very first time it appeared - a check of
my phone bill has confirmed that the damage is limited to
less than 1.00GBP - but it didn't take many seconds for
that sum to clock up and I dread to think what the
consequences might have been if I'd been away from my
computer when the dial-up process took place. I now watch
my connection like a hawk, constantly checking that all
is OK, and I never leave my computer unattended without
first disconnecting the phone line.
Having said that, the only time this problem seems to
manifest itself is a few minutes after startup. I switch
the machine on and after it's booted up I connect to my
normal ISP. I'm running Windows XP by the way. At this
point only my normal approved dialers are there. All
appears fine for something like three to five minutes,
then suddenly my line is disconnected. A new dialer has
appeared and tries to connect, and this is where I leap
to remove the phone lead before it can do so. Once
deleted, the dialer does not return until the next
startup, usually the next morning as I leave my computer
on during the day.
I've run Spybot several times to no avail. It repeatedly
identifies 'DSO Exploit - 5 entries' which I cannot
remove, but I have checked support groups online and it
seems that this is a common problem and (I assume) not
related to my troubles here. This morning, immediately
after disconnecting upon the appearance of the rogue
dialer I ran Spybot - just the DSO Exploit entry again,
then I ran Hijackthis. This is what it found:
Logfile of HijackThis v1.97.7
Scan saved at 08:20:24, on 28/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\SCVHOST.EXE
C:\Program Files\DSB\DSB.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Paul\LOCALS~1\Temp\Del14.tmp
C:\Documents and Settings\Paul\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Documents and Settings\Paul\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\System32\SCVHOST.EXE
O4 - HKLM\..\Run: [RegCompres] C:\WINDOWS\System32\REGCPM32.EXE
O4 - HKLM\..\Run: [DSB] C:\Program Files\DSB\DSB.exe
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
I'd be very grateful for any advice on how to fix this
problem. If I've done something wrong, please tell me
what else I need to do with precise instructions on how
to do it! Many thanks.
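
Added example, not part of the original post: a triage helper for a HijackThis log like the one above. It rejoins the hard-wrapped O4 (autorun) entries and lists any whose image name is exactly one edit or adjacent-letter swap away from a genuine Windows system process name. The SYSTEM_NAMES list and the function names are assumptions made for this example, and a hit marks an entry for closer inspection, not a verdict.

```python
import re

# Constructed sample: O4 autorun lines from the log above, kept hard-wrapped as posted.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\System32
\SCVHOST.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32
\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program
Files\Messenger\msmsgs.exe" /background"""

# Assumption: a short reference list of genuine Windows XP system image names.
SYSTEM_NAMES = {"svchost", "smss", "winlogon", "services", "lsass",
                "spoolsv", "explorer", "ctfmon", "rundll32"}

def unwrap(text):
    """Rejoin wrapped entries; a piece starting with a backslash continues a path."""
    entries = []
    for line in text.splitlines():
        if re.match(r"O\d+ - ", line) or not entries:
            entries.append(line)
        else:
            entries[-1] += line if line.startswith("\\") else " " + line
    return entries

def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as a single edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1,
                          d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[len(a)][len(b)]

def lookalike_autoruns(text):
    """Return (value name, image, imitated system name) for near-miss image names."""
    hits = []
    for entry in unwrap(text):
        m = re.match(r"O4 - \S+: \[(.+?)\] (.*)", entry)
        exe = m and re.search(r'([^\\"]+?)\.exe', m.group(2), re.I)
        if not exe:
            continue  # not an O4 line, or no .exe image in the command
        stem = exe.group(1).lower()
        hits += [(m.group(1), exe.group(0), n) for n in sorted(SYSTEM_NAMES)
                 if osa_distance(stem, n) == 1]
    return hits
```

Exact matches such as ctfmon.exe are not reported by this check; for those the thing to verify is the folder the file runs from.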