KWSN Orbiting Fortress

[Michelle]

Something strange is going on with my computer. I've done everything I can think of over the last couple of days and it's driving me crazy.

A few days ago I discovered that my 13 year old has accessed some sights that he is way tooooooo young to see...so I became very vigilant. Banned the kiddies from using Internet Explorer because we were getting porn popups. Think I've managed to get rid of those, but I realised yesterday that our ISP dial-up number is being changed to an international number. This happens at random while on the computer, but is always there when the computer is restarted. I've actually had it happen a few times while I've been online, so I have to keep the network connections dialogue box open and be ready to disconnect if it changes over. I have no idea how long this has been happening or how many hours we've run up on some strange international number and I am dreading the next phone bill.
I have the XP firewall, ZoneAlarm, Spybot, Ad-Aware and now Microsoft Anti[spyware programs installed and running. I run Norman Virus Control, and use online virus scans at Symantec, Trend Micro and Panda ActiveScan. The only virus scan that has picked anything up so far is Panda when it picked up

[Sir Hamster of Elderberry]

I'm no expert, but my guess is that some sort of trojan "browser plug-in" is causing this problem. At least that's what MY teenager did to our computer at home. If this is installed as a browser plug-in, then it is re-installing itself every time you start up your browser.

I used a program called "HijackThis" to remove the unwanted plug-ins.
http://www.spychecker.com/program/hijackthis.html

Caution, this is not particularly simple to use, and you can remove things you don't want to remove quite easily. The program will give you a listing of all your browser plug-ins. If you have trouble figuring out what needs to be removed, then post that log here, and we can probably help you identify the troublemakers. (There are also many newsgroups of people who specialize in this sort of thing.)

If you haven't done so already, you should run a complete virus scan in Safe Mode too. Look for and uninstall any programs your teenager may have installed recently too, some of these Spyware programs come bundled with other things (like music sharing).

ni! i!u

[Michelle]

Thanks, Sir Hamster. I downloaded and ran HijackThis and now have a huge log file. I recognise a lot of the stuff on it but I'm not technically savvy enough to know which of the other things might be causing problems.
I know my son has downloaded some music recently, and he's also downloaded a game creator program.

Anyway, here's the huge log file...

[Sir Hamster of Elderberry]

[Sir Hamster of Elderberry]

wow. that a lot of stuff ...

Here is the general process, try to classify everything on this list as:
1) Something you recognise as friendly and/or essential.
2) Something you have no idea what it is.
3) Something that has some similarity to the URLs your computer is being redirected to.

This THREADMASTER looks very suspicious, I'm guessing it's a 3. Unless you know what it is, kill it.
Active process - kill it in the Task Manager before you try to remove anything, then have Hijack This remove it for you:
O23 - Service: Thread Master - http://threadmaster.tripod.com - threadmaster@europe.com - C:\WINDOWS\system32\ThreadMaster\ThreadMast.exe

Trouble, trouble, trouble!!!
O4 - Global Startup: BOINC.lnk = C:\Program Files\BOINC\boinc_gui.exe
(kidding! It's a 1. )

This log raises more questions than I can answer, so hopefully someone else will bail us out (hint hint).

[Cohiba]

After the spyware infection I had to deal with today, I'd say sometimes it is easier to copy off any files you might need wipe the system and start over..
_________________
Smoke-em if you got-em I do..

[KWSN Sir CADCAM]

You should also run CWShredder which you can download here:- http://www.download.com/3120-20_4-0.html?qt=cwshredder&tg=dl-2001
_________________
KWSN Sir CADCAM of the Wooden Rabbit
"Semper In Excrementa" "Hominem Iniocosum Non Diffidite"
"Cîam en des sterko" "Havi ne malesperi personoj kiu havi ne kompreno humuro"

[jbyram2]

Can't help. I've been reading your hijack log over lunch, and googling anything suspicious, but havn't found anything.

Threadmaster seems to be a CPU utilization monitor program, not unusual for DC.

She also has a variety of nvidia and ATI stuff loaded, as if she changed cards several times.

Spywarefighting stuff, like she was saying.

On win98, "msconfig" would list any services that run at startup.m Is there a equivalent for XP?

It does seem that C:\WINDOWS\System32\vbsys2.dll is missing, it was renamed as part of the Trj/Aders.B infection cleanup. Has that been fixed?

One thing to try is to set Zonealarm to notify when anything tries to access the internet, and see what is doing it. At least the things can't call home and reinstall themselves + their friends.
_________________
0.0 Giggly hertzes Folding!
Go Diskless..Pure computing elegance, no frills

The brain I'm wearing makes me eat chocolate and cry!!
Something Completely different

[Cohiba]

I also went through the log and looked stuff UP, man girl you have a lot of crap loaded on that pc again i'd start fresh, but everything I looked up is not spyware, so either a website you visit or program that is not running changes your number.

I mean just from the log alone it looked like you were running 2 different virus scanners. 3 different spyware programs.

So far with SP2 and windows xp the infection rate of spyware has gone down drasticly at work. Also we don't turn off the active x blocker and popup blocker on SP2. Wish ya luck but again with all the stuff possibly conflicting on there i'd take your files and reload the computer.
_________________
Smoke-em if you got-em I do..

[djsmiley2k]

c:\acer\KnobService.exe < spyware or oddnaming?
_________________
Smiley

[Fart in your gen direxion]

Knob Service ?!

Mildew knows all about that !

[Sir Latch]

I still recommend Pest Patrol.... I have posted about it on the forums before... let me see if I can find the original thread...



Okay... different problem but I would recommend you try a similar the same solution... here is the Original Thread

Good luck!
_________________
Sir Latch of the Highlands
Bewarer of the Loonies
I visited the castle in the swamp and all I got was this alpaca scarf... *BURP*
The general rule about people on IRC seems to be: Attractive, Single, Mentally Stable... choose two.

[Michelle]

I was online before to check the replies, and while I was switching from the Valiant Knight thread to the Gorge...the dial-up number changed in front of my eyes so I disconnected.
I've taken a couple of things off with HijackThis - to do with programs I don't have any more. Some of the stuff is multimedia stuff. This computer is an Acer Aspire multimedia thingy so it can be used as a tv or radio as well, that's what knobmonitor etc is for. lol
I've also just signed up with another ISP to see if that makes a difference. It probably won't, but I've been wanting to go back to this ISP for a while now because they were heaps better than my current one.
I took off my son's recently downloaded music and game creator but that didn't make any difference. I'm debating whether to uninstall Netscape and then reinstall it, but I've got so much email in the mail program to catch up on that I don't really want to do that.
As for Cohiba's suggestion of wiping everything off - I don't know. I've had to do that twice over the last six months for other problems and I really don't want to have to do that again.
I'll check out Pest Patrol and see what happens.
Anyway I'll go through that log again, and repost the amended one with only the stuff I don't know.
I'll be later to check it out more - off to do some shopping now.

Thanks, guys. You're great!

p.s. ThreadMaster is a BOINC add-on. It keeps the power usage down a bit so that BOINC isn't always using all the available resources.
_________________
My brain hurts.
Jammy's Brain Donor.



[img]http://www.katrinashome.com/KWSN_Michelle_counter.php[/img]

[KWSN - Den Store Mester]

I can give zero input to the promblem solving, but I have downloaded hijack and run it on the komputer at the home-matrikel. Seem as if I have been good at keeping the babarians from the door, I will go on a skiing holiday tonight, upon my timely return I will go through the log line by line.



P.S. I do not need artificial knobcontrol
_________________
NI! NI! NI!
KWSN - Den Store Mester

[Mr. Snrub]

Are you using the latest versions complete with updates? One of these, I can't remember which, can not be upgraded simply by clicking for updates. You must go to the website and start from scratch. (Spybot S&D 1.3, Ad-Aware 1.05, ZoneAlarm 5.5)

[Michelle]

[The King of Swamp Castle]

[Michelle]

I didn't think of googling the actual number. Nothing comes up for the number itself but I now know where in the world it is.
0011 is our international access code...246 is the country code for Diego Garcia.
I'm off to google the rest of the number and see what happens.

00112463472953
_________________
My brain hurts.
Jammy's Brain Donor.



[img]http://www.katrinashome.com/KWSN_Michelle_counter.php[/img]

[Dagger]

isn't Diego Garcia an island with a US airforce base on it?
_________________
When in doubt, kick it until it works.

[Michelle]

It certainly appears to be.

http://www.greatestcities.com/Asia/British_Indian_Ocean_Territory.html?pl=10
_________________
My brain hurts.
Jammy's Brain Donor.



[img]http://www.katrinashome.com/KWSN_Michelle_counter.php[/img]