First time in 10 years on internet.
Yesterday ended up with a rogue dialler trying to dial out to 7020102463
and the following between &&&&&&&s, abbreviated from Symantec site,
removed that. Then today some more Italian intrusions placing
files through different directories etc, keywords:
e1xplorer, archiviosex, exsplorer, redfunny, skymasters,
xbeta69 and the main one sgrunt.
Since removing the sgrunt directory and repeating the process below it has
disappeared but we assume only temporarily, as don't know where keep picking
it up from, certainly not visiting porn sites, or where else it's lurking.
It has also disabled the modem speaker, as distinct from, apparently
setting the volume high in Modem options. We'd like to get the dial and
beep/chime acknowledgement back again. In rasphone.pbk does Speaker=1 and
Dialmode=1 mean speaker on or off?
Checked not modem malfunction by trying another modem
&&&&&&&&

Windows 95/98/Me/NT/2000
Click Start, point to Find or Search, and then click Files or Folders.
Make sure that "Look in" is set to (C:) and that "Include subfolders" is
checked.
In the "Named" or "Search for..." box, type:
rasphone.pbk
Click Find Now or Search Now.
If you find rasphone.pbk, right-click the file, and then click Open With.
Deselect the Always use this program to open this program check box.
Scroll through the list of programs and double-click Notepad.
When the file opens, search for the section named:
[Connessione Predefinita]
Check if the connection number was changed by the dialer, looking at the
following entry:
PhoneNumber=7020102463
If the telephone number does not match with your ISP telephone number,
remove all the entries of this section.
Close Notepad and save your changes when prompted.
Create a new dial-up connection with the right ISP number and parameters.
***** snipped *******
5. To delete the links added by the risk
Click Start > Programs > Accessories > Windows Explorer.
Navigate to and delete the following files:
%UserProfile%\Desktop\WinMoviePlugIn.lnk
%UserProfile%\Desktop\explorer.lnk
%UserProfile%\Start Menu\Programs\WinMoviePlugIn.lnk
%UserProfile%\Start Menu\Programs\explorer.lnk
%UserProfile%\Start Menu\WinMoviePlugIn.lnk
%UserProfile%\Start Menu\explorer.lnk
%UserProfile%\My Documents\WinMoviePlugIn.lnk
%UserProfile%\My Documents\explorer.lnk
%UserProfile%\Favorites\WinMoviePlugIn.lnk
%UserProfile%\Favorites\explorer.lnk
Exit Windows Explorer.

&&&&&&&&&&
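The phonebook check in the quoted Symantec steps can also be done programmatically. The following is an added example, not part of the original post or of Symantec's instructions: it parses rasphone.pbk-style text and flags any entry whose PhoneNumber is not on a list of known ISP numbers. The sample phonebook text, the "My ISP" entry and the ISP number are constructed placeholders; only the `[Connessione Predefinita]` section name and its number come from the post.

```python
import re

def parse_phonebook(text):
    """Return {entry_name: [phone numbers]} from rasphone.pbk-style text.

    Parsed by hand rather than with configparser because keys can repeat
    inside one entry, which a strict INI parser rejects.
    """
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "phonenumber" and value.strip():
                entries[current].append(value.strip())
    return entries

def digits(number):
    """Strip spaces, dashes and other punctuation so numbers compare equal."""
    return re.sub(r"\D", "", number)

def suspicious_entries(text, isp_numbers):
    """Return {entry_name: [numbers]} for numbers not in isp_numbers."""
    allowed = {digits(n) for n in isp_numbers}
    flagged = {}
    for name, numbers in parse_phonebook(text).items():
        bad = [n for n in numbers if digits(n) not in allowed]
        if bad:
            flagged[name] = bad
    return flagged

# Constructed sample phonebook; the ISP entry and its number are placeholders.
SAMPLE_PBK = """\
[My ISP]
PhoneNumber=0845 000 0000

[Connessione Predefinita]
PhoneNumber=7020102463
"""
ISP_NUMBERS = ["08450000000"]  # placeholder: replace with your ISP's number(s)

if __name__ == "__main__":
    for name, numbers in suspicious_entries(SAMPLE_PBK, ISP_NUMBERS).items():
        print(f"{name}: unexpected number(s) {', '.join(numbers)}")
```
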

Re: Italian Rogue Dialler and Italian popups by Malke

Malke
Mon Dec 26 06:54:42 CST 2005

N Cook wrote:

> First time in 10 years on internet.
> Yesterday ended up with a rogue dialler trying to dial out to
> 7020102463 and the following between &&&&&&&s, abbreviated from
> Symantec site, removed that. Then today some more Italian intrusions
> placing files through different directories etc, keywords:
> e1xplorer, archiviosex, exsplorer, redfunny, skymasters,
> xbeta69 and the main one sgrunt.
> Since removing the sgrunt directory and repeating the process below it
> has disappeared but we assume only temporarily, as don't know where
> keep picking it up from, certainly not visiting porn sites, or where
> else it's lurking.
> It has also disabled the modem speaker, as distinct from, apparently
> setting the volume high in Modem options. We'd like to get the dial and
> beep/chime acknowledgement back again. In rasphone.pbk does Speaker=1
> and Dialmode=1 mean speaker on or off?
> Checked not modem malfunction by trying another modem

(snipped Symantec dialer removal instructions - not necessary)

You haven't told us what Windows operating system you are using and what
antivirus product you've got. You mention the Symantec website; if
using NAV, what version and is your subscription active and virus
definitions updated?

First scan with either Sysclean or Dave Lipman's Multi-AV (first three
links below). Then continue your housecleaning by going through the
malware removal steps at the last link below systematically.

http://www.elephantboycomputers.com/page2.html#TrendMicros_Sysclean
http://www.ik-cs.com/multi-av.htm - how to use Dave Lipman's Multi-AV
http://www.ik-cs.com/programs/virtools/Multi_AV.exe - Multi-AV download

Continue with general malware removal -
http://www.elephantboycomputers.com/page2.html#Removing_Malware

1 usually means "yes" and 0 means "no".

Malke
--
MS-MVP Windows User/Shell
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"

Re: Italian Rogue Dialler and Italian popups by N

N
Wed Dec 28 05:31:17 CST 2005

In Control Panel > Phone & Modem Options > Properties > Advanced,
Extra Settings was

S7=240

I changed it to

S7=240,M1

then Change Default, and produced SD & RD flashing and "connection was closed".

Removing the comma limiter, leaving just

S7=240 M1

brought the modem speaker back to life and normal service resumed.



Re: Italian Rogue Dialler and Italian popups by N

N
Thu Dec 29 02:03:14 CST 2005

Looking into Temporary Int. Files history, a few more probably related
IPs/keywords for anyone who collects this stuff:
63.246.16.20
216.95.196.22
221.10.201.190
dai.exe
ware/299.exe
exes/uk.exe
dialeri.php?299