security_samurai
2005-11-22, 00:42
Well, this is a fairly long read, so I hope you don't mind. Anyway, here's the situation: I've run several scans before with just about everything, fully updated antivirus and two antispyware programs, and always found nothing really that harmful (maybe a few common tracking cookies or two). So here's what happened: I recently installed Spybot S&D again (the computer was reformatted the last time I had it), and after doing a scan a threat called Dialer_XX was detected! I checked its details and it showed no information for that threat. This is apparently an autostart kind of threat and was initially found on c:\Documents and Settings\ownername\Desktop\WinRAR.lnk (basically the shortcut for WinRAR). After the scan, I selected 'fix the problem' and it was removed. Seems alright? I thought it was, but it wasn't!
After that had happened, the shortcut for WinRAR had disappeared. I ran the scan again a few minutes later to make sure the system was completely clean, and it found the same Dialer_XX again, but now it's moved to the shortcut for Winamp! (At this moment the tea-timer was on, but I guess it didn't detect any activity occurring.) After removing it AGAIN with Spybot I was suspicious and ran the scan again right afterwards, and wouldn't you know it, it moved to another shortcut file for the next program in line (I've noticed it works by targeting the shortcut names alphabetically backwards, first from the W's, now to the T's). After getting a bit frustrated, and knowing that Spybot would eventually clear out all my shortcuts if I continued scanning, I recreated the shortcuts manually for WinRAR and Winamp and ran the scan again. After that happened, the Dialer_XX popped up again and was located back only at WinRAR again.
Quite an odd event that occurred, I hope you can solve this! If you're wondering, I've run several other in-depth scans with up-to-date signature databases, cleared all temp files, rebooted my computer, and downloaded the latest security updates, and this threat still exists and eludes all attempts at complete removal!
P.S. I've done a HijackThis scan and got the logfile, but for privacy reasons I'd rather keep it to myself, and unless it's extremely necessary, I will email it to you or PM it to you on the forums. [Hope you understand my actions for this, I'm not paranoid, I'm just a bit cautious.] Also, the description given by Spybot for this threat has no information, and I've also saved a report file. If you need it, I'll probably send it along with the HijackThis log.