
PC Help! Hijack attempt on my PC?

Old Nov 30, 2004 | 09:33 PM
  #1  
e1p1
Thread Starter
|
Fleet Mechanic
20 Year Member
Joined: Feb 2004
Posts: 1,448
Likes: 2
From: CA Central Coast
PC Help! Hijack attempt on my PC?

Hey all you PC Gurus. The other evening as I blearily tried to log on to my dialup ISP, it prompted me for my password where I never noticed it before. So I canceled the attempt, and the dialup dialog box showed that the local 7 digit phone number had been replaced with a looooong one.

I use Firefox, but my wife still insists on IE.

When I investigated in the Dialup Networking folder (Windows ME), I noticed all my dialup icons had been similarly duplicated and affected. I deleted them all and created a new one using a local dialup number. The modem dialed the local 7 digits (I know the tones...it sounds like the first notes to the "Super Chicken" cartoon theme song). After a few minutes online, the Dialup Networking folder shows the same hijack attempt/change of dialup number.

I shut down the computer for the night after deleting the dialups. This morning when I booted up, a message about "Your system files are being updated" (or something like that) flashed momentarily.

The local phone co (SBC) told me the number is a Sprint 10-10 number tied to an international number. Sprint told me that there is a scam where the number is inserted, dialed, and then the overseas party somehow reverses the charges so you get royally whacked. Both Sprint and SBC seemed reluctant to guarantee I won't have to pay anything even though they both know of the fraud.

In case anyone cares, the number is 1-1010-33301167835025.

I downloaded Adaware updates and Spybot, and both found a bunch of stuff. I've downloaded the AVG virusscan update and ran it, with nothing found. The problem is still occurring. Spybot found something called a "DSO Exploit: data Source object exploit." It took 3 tries before it stopped being noticed and repaired by Spybot. I also had to use Spybot's window after the 2nd try to get to the folder where the file resided...there were 4 more files with the same icon and I manually deleted those 4. The last one HKEY_USERS\DEFAULT... wouldn't delete, but Spybot got it on the next try.

Unfortunately, my problem persists. Wed I plan to buy the 2005 release of PCCillin, but I'm concerned something is deeeep inside.

Would reinstalling Windows ME help? I can't afford an upgrade to XP right now as I'd need to get a bigger hard drive first, mo money and mo pain than I need to do right now.

Anyone else ever face this type of issue?

thanks for any help

Erik
 
Old Nov 30, 2004 | 09:58 PM
  #2  
RoyalFord
Elder User
Joined: Apr 2004
Posts: 866
Likes: 2
From: North Carolina
I would just delete the 1-1010 number out of your dialup connection and then dialup like you did, update all of your virus definitions and everything, like you said you did.

Restart the computer and don't dial into your ISP so there aren't any external connections and run all of your scans, AVG, Adaware, SpyBot, etc. and wipe everything clean including %temp% files, temp internet files, cookies, and downloaded programs files in the windows folder.

If your scans find stuff, run it over and over until they don't find anything. Restart the computer, make sure your local number is right, and dial in.

You have nothing to worry about unless the number (1-1010) keeps on coming back. Then you have got major issues. Well not major, but a big enough deal that your AVG, adaware, and spybot aren't finding it.

Let me know.
 
Old Nov 30, 2004 | 10:01 PM
  #3  
bluemoose89
Senior User
Joined: Sep 2003
Posts: 364
Likes: 0
From: nc
majorgeeks.com
download these

adaware se
spybot
aboutbuster
cwshredder

update em all then run them until they all come up clean. Be sure to disconnect from the internet when running them
 
Old Nov 30, 2004 | 10:24 PM
  #4  
RoyalFord
Elder User
Joined: Apr 2004
Posts: 866
Likes: 2
From: North Carolina
Originally Posted by bluemoose89
aboutbuster
cwshredder
Are these any good? I have never tried them. I might try them out.
 
Old Nov 30, 2004 | 10:43 PM
  #5  
bluemoose89
Senior User
Joined: Sep 2003
Posts: 364
Likes: 0
From: nc
yeah i had a hijacker on my pc a few months ago and a tech from microsoft had me dl these to fix my problem. i had a new hijacker and was one of the first to get it
 
Old Nov 30, 2004 | 10:46 PM
  #6  
e1p1
Thread Starter
|
Fleet Mechanic
20 Year Member
Joined: Feb 2004
Posts: 1,448
Likes: 2
From: CA Central Coast
Originally Posted by bvoncannon
I would just delete the 1-1010 number out of your dialup connection and then dialup like you did, update all of your virus definitions and everything, like you said you did.

Restart the computer and don't dial into your ISP so there aren't any external connections and run all of your scans, AVG, Adaware, SpyBot, etc. and wipe everything clean including %temp% files, temp internet files, cookies, and downloaded programs files in the windows folder.

If your scans find stuff, run it over and over until they don't find anything. Restart the computer, make sure your local number is right, and dial in.

You have nothing to worry about unless the number (1-1010) keeps on coming back. Then you have got major issues. Well not major, but a big enough deal that your AVG, adaware, and spybot aren't finding it.

Let me know.
Thanks Bryan
I've basically done all that, and it's still happening. Tomorrow I'll be picking up the PCCillin...wife wants the firewall...and I'll be posting again either Wed night or Thursday morning with the results.

Since I have nothing else to do tonight, I'll try everything over ...again.

Erik

PS Bluemoose, thanks, I'll check those too.
 

Last edited by e1p1; Nov 30, 2004 at 10:49 PM. Reason: add response
Old Nov 30, 2004 | 10:55 PM
  #7  
RoyalFord
Elder User
Joined: Apr 2004
Posts: 866
Likes: 2
From: North Carolina
Since you are on dialup you don't have as much to worry about as if you were on a static IP address. Let me know. Weird.
 
Old Nov 30, 2004 | 11:57 PM
  #8  
nightowl_52
Elder User
Joined: Nov 2002
Posts: 543
Likes: 1
From: South East Texas
If you clean everything out and it just comes back again after rebooting, then the command is in the registry or Programs Startup folder. It might be something that is not recognized as a virus, hijacker or adbot.
If ME is like 98 you could try looking in "msinfo"
C:\Program Files\Common Files\Microsoft Shared\MSINFO\MSINFO32*****
Tools
System configuration utility
Startup
In there are the programs that the registry opens. Look to see if anything looks like it doesn't belong there.
If you see something that might be the problem child, uncheck the box and hit apply, then reboot. If that's not it, recheck the box and reboot. A good firewall like Zonealarm might have prevented that from happening. Keep us posted.
 
Old Dec 2, 2004 | 10:13 PM
  #9  
e1p1
Thread Starter
|
Fleet Mechanic
20 Year Member
Joined: Feb 2004
Posts: 1,448
Likes: 2
From: CA Central Coast
Thursday update (long)

OK, so I tried once more Tues night to delete all cookies, internet files, etc; ran ad-aware and Spybot S&M....ooops, that's S&D...and they didn't find anything.

Logged on to my ISP and after awhile my dialup dialog box values got changed again...this time not only the phone number was changed to the Vanuatu (South Pacific!) number, but my user ID was partially changed to what looked to contain a DNS number. I forgot to write it down.

So I shut down for the night. Wed I bought the 2005 PCCillin and installed it. It didn't find anything, virus, trojan, or spyware.

So I followed up on Nightowl's advice and went into msconfig (though I had to do it via Start > Run > MSconfig > "Startup Tab".)

I went one by one through everything listed, comparing each to descriptions found by Googling their names. A very useful site I found was http://computercops.biz/StartupList.html .

I didn't find anything outright as a virus or worm leftover, but I did shut down several *****'s that were indicated as either not important or as capable of harboring or being affected by nasties. Explorer was one...supposedly NOT IE. I had two instances of something called ATIPOLAB; one had an ***** named ati2evxx***** that checked out as ok, but the other ATIPOLAB had an unknown named ati2plxx***** behind it. I couldn't find any reference to it, so I unchecked it.

Since then, I've booted up and/or been online several times without the problem recurring. Whether this is coincidence or due to anything I shut off, or PC Cillin's firewall, I don't know, since I don't know the true source of the problem. If things seem "cured" I plan to restore one Startup item every few days and see if the issue comes back. If anything new occurs, I'll update again.


Oh, something is "new"...when I'm offline, the dialup dialog box sometimes appears on its own. But at least the values are unchanged.

Lastly, I have a program I got free from Lucent a long while back called Vital Agent. It allows you to track what's coming and going, and see what speeds you're getting from your connection.

I looked in the Call Log and discovered it'll tell me exactly when I dialed up, what the modem(s) were "saying", whether the password went through etc. Also tells you what IP addresses are involved in each call.

There were what seemed a few abnormalities of incoming info (it's all in computerese gibberish) around the time of the calls that were possibly hijack attempts. On each, when I was cancelling the call, my modem received a string of characters not seen on other calls.
Example...Rcvd: #}!}$}%e}"&}}}}}#}... and on...too much to peck out here. Anyone recognize this as anything?

Thanks for any help!

Erik

 

Last edited by e1p1; Dec 2, 2004 at 10:18 PM. Reason: add info
Old Dec 3, 2004 | 12:48 AM
  #10  
VikingBabe
Posting Guru
Joined: Dec 2003
Posts: 1,010
Likes: 0
From: SW Arizona
Here are a couple of "Tech and Security" forums you could post this question in to get some advice.

http://forums.techguy.org/index-.html
http://www.wilderssecurity.com/index.php?

http://computercops.biz/forums.html

There is so much malware, hijackings, and such, it pays to keep up on any info. As for CWShredder....yes, it does work but you will have to reset your homepage afterwards.
 
Old Dec 3, 2004 | 04:10 AM
  #11  
RR4E
Elder User
Joined: Oct 2004
Posts: 984
Likes: 0
From: Winnipeg, Manitoba
Worst case scenario...run a program called HiJackThis found at http://www.spychecker.com/program/hijackthis.html

Post the log here, but DO NOT start removing anything just yet. Let a few of the more knowledgeable pc people help you find the problem. This program will find absolutely everything that is running on your pc at the moment, and if you remove the wrong registry edit, you'll have a non-working pc. It's a solid program, and works as advertised, but, and I do stress BUT!!! Do NOT just start removing things, as programs you want to work, etc will suddenly stop working. Posting the log it provides will clue a few of us, at least, into what's loading up, and causing your problem. From there we can help you navigate to the correct registry entry, and remove it, without harming your pc. PC's are my side-line hobby, and although I wouldn't call myself an expert, I have many friends who work on them for a living, and can ask them for their advice as well (and will) in regards to your log post. We'll get you back up and running properly.
 
Old Dec 3, 2004 | 04:32 AM
  #12  
jrs_big_ford_f150
Posting Guru
Joined: Oct 2002
Posts: 1,301
Likes: 1
From: Dededo, Guam
The programs in your MSCONFIG>Startup that start with ATI sound like what I got. Don't worry, it is not bad. I have an ATI video card. It looks like the associated software that comes with the card.
 
Old Dec 3, 2004 | 07:10 AM
  #13  
LilDuke
Elder User
Joined: May 2004
Posts: 790
Likes: 0
From: Danville, Pa
Originally Posted by jrs_big_ford_f150
The programs in your MSCONFIG>Startup that start with ATI sound like what I got. Don't worry, it is not bad. I have an ATI video card. It looks like the associated software that comes with the card.
I have the same file too. I think it's the ati add on program for windows display properties.
 
Old Dec 3, 2004 | 07:10 AM
  #14  
RR4E
Elder User
Joined: Oct 2004
Posts: 984
Likes: 0
From: Winnipeg, Manitoba
I should add. DSO exploits with SpyBot are your drivers for your vid card and possibly sound card. They do not need to be removed, but rather right click and ignore them. They are just fine, and no need to pay attention to them. Your dialer is likely hidden a bit more deeply. You could try removing your modem, in your device manager, and letting windows re-install it, as well as update to its latest drivers. A firewall is a good thing to have, but be careful which one you spend money on, most free firewalls are just that...free.....and relatively useless. You get what you pay for. I'd recommend Norton's Internet Security, which comes with both firewall and anti-virus, and at a reasonable price, with effective protection. I'm still running their 2003 version, and haven't had a problem with it, will be switching soon to 2005.
 
Old Dec 3, 2004 | 07:34 AM
  #15  
RNE
Senior User
Joined: Sep 2004
Posts: 196
Likes: 0
There is a particularly vicious piece of malicious code wandering around the net that hijacks a lot of the registry settings in ME and 98, it doesn’t work very well on XP from what I’ve learned. The scam redirects your dial-up to a "900" number sort of ISP outside of the USA. The charges can run as high as $100.00 a minute, and believe me, you will have h**l trying to get out of paying it.

If you've gotten what I think you have, a reformat and reinstall is the easiest, simplest and best way to get rid of it. Unless you're confident you can hack your own registry, don’t. But I’ve seen good computer techs try repeatedly to dig this crap out of systems, and fail. The code installs itself in a number of folders using disguised filenames, hidden folders/files in innocuous places. The DAT/EXE file it uses is copied to a lot of locations, when you dig it out of one location, it reinstalls itself from another.

While you're at it, upgrade to Win XP if your computer is capable of running it. It costs a hundred bucks, takes about an hour or so and it’s worth every cent you put out. Make sure you get a recent production run with SP2 already slipstreamed in the install CD. Makes life much easier, and your system safer.

Do you have a firewall? Zonealarm is the best for the buck, so far.
 



All times are GMT -5. The time now is 09:46 PM.
