Dialer? Username/password changes!

  1. #1
    Registered User
    Join Date
    Nov 2004
    Posts
    27

    Dialer? Username/password changes!

    Hello everyone,

    This just happened to me today, just out of the blue. I try to connect to my internet provider and the username, password, number and security settings are changed! I change them to normal only to have them come back again! Also when on my connection (normal) and the computer tries downloading a file. The username it gives me is this:
    109607.186.28406.10 And the phone number is this: 0043810444449217. It also changes the security settings from Typical to a custom setting (that I always revert to normal every time I dial). I ran Ad-Aware with the latest definitions but found nothing. Any idea to get rid of this POS? Thanks!

    **Update**
    I downloaded "HijackThis" and did a scan and got this log, figured I should post it. Thanks again for any help/suggestions! ^_^

    Logfile of HijackThis v1.97.7
    Scan saved at 9:01:53 PM, on 1/27/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\system32\usbn.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\slrundll.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Abdullah\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.saudi.net.sa:8080
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c7 -w10
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1105537911682
    O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/De...pi/activex.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{12481685-5549-4A7C-8D1A-C63BC8C96C88}: NameServer = 212.118.133.101 62.149.114.7
    O17 - HKLM\System\CS1\Services\Tcpip\..\{12481685-5549-4A7C-8D1A-C63BC8C96C88}: NameServer = 212.118.133.101 62.149.114.7
    Last edited by Inspiron83; January 27th, 2005 at 01:09 PM.

  2. #2
    Registered User
    Join Date
    Aug 2002
    Location
    San Juan, PR
    Posts
    29
    Welcome to WD:

    Please download the newer version (1.99) of HijackThis and upload a copy of the log file to http://www.hijackthis.de. This will give you an analysis of your system. Be careful when you fix or delete any keys that may be flagged but are valid for your system.

    Good luck!

    Andiol

  3. #3
    Registered User Ferrit's Avatar
    Join Date
    Apr 2001
    Location
    Vancouver Island The Real Canada
    Posts
    4,952
    I would also go get Spybot Search and Destroy
    Spybot Search+Destroy

    Install it, update it and scan with it

    and do the same for Adaware
    Adaware

    Scan fully after updating with both

  4. #4
    Registered User
    Join Date
    Nov 2004
    Posts
    27
    Thanks for your help! Anyways, I used "Hijack This", "Spybot", Ad-Aware, and A-Squared updated in safe mode with all updates and found several things. My dialup account stays the same now (no more changes) but every time I connect, within 10-15 seconds...it tries downloading a file from some location (www7. something) and I just cancel it before it goes any further then I am usually good to go. Further scans reveal nothing. I did delete these lines:
    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab

    But they keep coming back every time I restart the computer...any ideas how it keeps trying to download a file (probably more infected junk). Thanks for any help/suggestions!

  5. #5
    Registered User Green_Eyed's Avatar
    Join Date
    Feb 2001
    Location
    Just this side of normal
    Posts
    189
    Quote Originally Posted by Inspiron83
    Thanks for your help! Anyways, I used "Hijack This", "Spybot", Ad-Aware, and A-Squared updated in safe mode with all updates and found several things. My dialup account stays the same now (no more changes) but every time I connect, within 10-15 seconds...it tries downloading a file from some location (www7. something) and I just cancel it before it goes any further then I am usually good to go. Further scans reveal nothing. I did delete these lines:
    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab

    But they keep coming back every time I restart the computer...any ideas how it keeps trying to download a file (probably more infected junk). Thanks for any help/suggestions!
    Whenever I get entries in HijackThis that I don't recognize, I'll do a search in my registry.

    Those three entries that you listed, those are the ones that keep coming back? I would search the registry for those cabs and also look at those folders to see if there's any more information you can get from them, company name, executable, etc.

    Also, I noticed that your first HiJack This scan listed a proxy, is that normal for you?
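
Added example (not part of the original thread and not any poster's code): a Python sketch of the lookup suggested in post #5. It parses the `O16 - DPF` lines from the HijackThis log in post #1, separates entries whose codebase is a local `file://` cab, and lists the CLSIDs and cab names to search the registry and disk for. The function names and the local-codebase heuristic are assumptions of this example.

```python
import re

# Lines copied from the HijackThis log posted in this thread (post #1).
SAMPLE_LOG = r"""
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1105537911682
"""

# O16 line layout: "O16 - DPF: {CLSID} [(display name)] - codebase"
O16_RE = re.compile(
    r"^\s*O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
    r"(?: \((?P<name>.*?)\))? - (?P<codebase>\S+)\s*$"
)

def parse_o16(log_text):
    """Return one dict (clsid, name, codebase) per O16 line; skip other lines."""
    return [m.groupdict() for m in map(O16_RE.match, log_text.splitlines()) if m]

def local_codebase_entries(entries):
    """Heuristic assumed for this example: a control whose codebase is a
    local file:// path was not installed from a vendor URL, so review it."""
    return [e for e in entries if e["codebase"].lower().startswith("file://")]

def registry_search_terms(entries):
    """CLSIDs and cab file names to search for, in first-seen order."""
    terms = []
    for e in entries:
        cab_name = re.split(r"[\\/]", e["codebase"])[-1]
        for term in (e["clsid"], cab_name):
            if term not in terms:
                terms.append(term)
    return terms

if __name__ == "__main__":
    flagged = local_codebase_entries(parse_o16(SAMPLE_LOG))
    for entry in flagged:
        print("review:", entry["clsid"], entry["codebase"])
    print("search terms:", registry_search_terms(flagged))
```

HijackThis takes its O16 entries from `HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units`, so that key is the first place to look for the listed CLSIDs.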

  6. #6
    Registered User
    Join Date
    Nov 2004
    Posts
    27
    Quote Originally Posted by Green_Eyed
    Whenever I get entries in HijackThis that I don't recognize, I'll do a search in my registry.

    Those three entries that you listed, those are the ones that keep coming back? I would search the registry for those cabs and also look at those folders to see if there's any more information you can get from them, company name, executable, etc.

    Also, I noticed that your first HiJack This scan listed a proxy, is that normal for you?
    Yes, the proxy should be a normal thing as the internet here goes through a proxy server (at a national level). Also an interesting fact, if I use Firefox instead of IE...the download never happens and everything seems alright. But as soon as I connect and fire up IE within 10-15 seconds that file tries downloading. So now I am using Firefox while trying to eventually get to the root of it all. I also found a few suspecting in the "Downloaded Program Files" folder in Windows and I deleted them, as well as something called "dialer" in the main Windows folder! After those were deleted the number stopped changing. Thanks for the help thus far.
