possible Trojan trying to change dial-up settings?

Welcome to Majorgeeks!

I'm not sure if you have malware problems or not. The only way to find out is for you to run the below procedure.

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • CounterSpy - ONLY IF you were not able to run Windows Defender
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • runkeys.txt - the log from GetRunKey.bat
  • newfiles.txt - the log from ShowNew.bat
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

You need to uninstall Viewpoint Media Player as requested in step 0 of the READ ME.

Then you need to install the current Sun Java version also as requested in the READ ME. You version is way out of date.


Install the current version of Sun Java from: Sun Java Runtime Environment

Then uninstall the below old versions of software:
Java 2 Runtime Environment, SE v1.4.2_03

You did not rename HijackThis.exe as requested. This is very important. You also did not select Normal Startup mode. You are using MSconfig to control startups.

If CounterSpy is the free trial version from the READ ME, uninstall it now before continuing.


Start by downloading a tool we will need - Pocket KillBox

Extract it to its own folder somewhere that you will be able to locate it later.

Now run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\ibmsvc.exe","c:\windows\sonynet.exe",


After clicking Fix, exit HJT.


Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!


Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
Now back on Killbox's main window, Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

C:\WINDOWS\Downloaded Program Files\popcaploader.dll
c:\windows\nvidiadrv.exe
c:\windows\inteljet.exe
c:\windows\ibmsvc.exe
c:\windows\sonynet.exe


If Killbox does not reboot or if you get a Pending Operations type error message just click OK to continue and then just reboot your PC yourself.


After reboot, delete all files in the below folder except ones from the current date (Windows will not let you delete the files from the current day).
C:\Documents and Settings\Suzanne Reynolds\Local Settings\Temp\


Now attach a new HJT log and tell me how the steps went.

Also attach a new log from ShowNew and a new log from GetRunKey.

Make sure you tell me how things are working now!

 

Did you miss these two?
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway

It is consider adware. See: http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=ADW_POP.A

And others even refer to it as a Trojan/Backdoor downloader.


You log looks clean other than the Dell MyWay stuff.

If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

You're welcome Suzanne! Surf safely!