1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Service provider login number changing

Discussion in 'Virus & Other Malware Removal' started by nzpoohbear40, May 16, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. nzpoohbear40

    nzpoohbear40 Thread Starter

    Joined:
    May 16, 2007
    Messages:
    4
    Hi there,i have a friends computer that keeps changing the login number to conect to the internet.
    when he goes to conect to the net a diferent number is isn the dial up box to what is supose to be there...i have been working on systems for about 16 to 18 years as a hobby but dont know all the answers.
    i have changed his number back to what it is supose to be but when i go to log in it disconects and comes up with will redial in 60 secs then that screen dissapears..when i click on it again to log in there is a totaly different number in there like ( 0037254111951) and even this number changes...the normal login number is 087303030...i have tryed nod 32,hijack this,spybot search and destroy and trend micros homecall to see if i can get rid of what ever is causing this...i know it is some kind of bug or trojan..but i cant seem to get ride of it.
    Can anyone help with a program that might detect where the problem is.
    I have even deleted his conection and created a new one and it works the first time but then when i go to log in the second time it is back up with those numbers again.
     
  2. Sponsor

  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    54,403
    First Name:
    Derek
    go to here and download 'Hijack This!' self installer. Save it to the desktop or other suitable place. DO NOT just press run from the website Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on desktop.
    Click on the entry in start menu or on the desktop to run HijackThis
    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  4. nzpoohbear40

    nzpoohbear40 Thread Starter

    Joined:
    May 16, 2007
    Messages:
    4
    Logfile of HijackThis v1.99.1
    Scan saved at 4:58:07 PM, on 5/17/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\keyhook.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Dave\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.nz/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O5 "LPT1:" /M "Stylus C45"
    O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 1)" /O6 "USB001" /M "Stylus C45"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [EPSON Stylus C45 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 1)" /M "Stylus C45" /EF "HKCU"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Also i took the check mark out of the hidden files so that all files can be viewed befor i did the scan.
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    54,403
    First Name:
    Derek
    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

    • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
      • In the Processes group click ALL
      • In the Win32 Services group click ALL
      • In the Driver Services group click Non-Microsoft
      • In the Registry group click Non-Microsoft
      • In the Files Created Within group click 60 days Make sure Non-Microsoft only is CHECKED
      • In the Files Modified Within group select 60 days Make sure Non-Microsoft only is CHECKED
      • In the File String Search group select Non-Microsoft
      • In the additional scans section, please select only these
        • Reg - Desktop Components
        • Reg - Disabled MS Config Items
        • Reg - Safeboot Options
        • File - Additional Folder Scans

      [*]Now click the Run Scan button on the toolbar.
      [*]The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
      [*]When the scan is complete Notepad will open with the report file loaded in it.
      [*]Save that notepad file

    Use the Reply button and attach the notepad file here . I will review it when it comes in.
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    54,403
    First Name:
    Derek
    and send me a PM with the phone number he should be using and any strange/different numbers that do appear so I can track them down
     
  7. nzpoohbear40

    nzpoohbear40 Thread Starter

    Joined:
    May 16, 2007
    Messages:
    4
    hi there..tried to send you a pm and it says im not able to do that yet?...at any rate the number he is supose to use and one of the numbers that come up are both in my origanal post..the 087303030 is the normal number..the big long 0037254111951 is one of the numbers that takes it's place.
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    54,403
    First Name:
    Derek
    lets get the wpfind then as that number he is dialing looks like an international number in Estonia
     
  9. nzpoohbear40

    nzpoohbear40 Thread Starter

    Joined:
    May 16, 2007
    Messages:
    4
    hi there..it wont let me put the whole repot in..is there anything i can take out...it is about 20.000 caracters to long?
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    54,403
    First Name:
    Derek
    it WILL let you put the report in if you do as asked and attach it & not try to\paste it in

    press reply & then manage attachments & follow prompts
     
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Service provider login
  1. lilaco
    Replies:
    0
    Views:
    139
  2. zeropoints
    Replies:
    3
    Views:
    348
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/574028

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice