
The Struggle to remove Dialer_XX properly!



security_samurai
2005-11-22, 00:42
Well, this is a fairly long read, so I hope you don't mind. Anyway, here's the situation: I've run several scans before with just about everything, fully updated antivirus and two antispyware programs, and always found nothing really that harmful (maybe a few common tracking cookies or two). So here's what happened: I recently installed Spybot S&D again (computer was reformatted last time I had it) and after doing a scan a threat called Dialer_XX was detected! I checked its details out and it showed no information for that threat. This is apparently an autostart kind of threat and was initially found on c:\Documents and Settings\ownername\Desktop\WinRAR.lnk (basically the shortcut for WinRAR). After the scan, I selected 'fix the problem' and it was removed. Seems alright? I thought it was, but it wasn't!

After that had happened the shortcut for WinRAR had disappeared. I ran the scan again a few minutes later to make sure the system was completely clean and it found the same Dialer_XX again, but now it had moved to the shortcut for Winamp! (At this moment the TeaTimer was on, but I guess it didn't detect any activity occurring.) After removing it AGAIN with Spybot I was suspicious and ran the scan right afterwards again and, wouldn't you know it, it moved to another shortcut file for the next program in line (I've noticed it works by targeting the shortcut names alphabetically backwards, first from the W's, now to the T's). After getting a bit frustrated and knowing that Spybot would eventually clear out all my shortcuts if I continued scanning, I recreated the shortcuts manually for WinRAR and Winamp and ran the scan again. After that happened, the Dialer_XX popped up again and was located back only at WinRAR again.

Quite an odd event that occurred, I hope you can solve this! If you're wondering, I've run several other in-depth scans with up-to-date signature databases, cleared all temp files, rebooted my computer, downloaded the latest security updates, and this threat still exists and eludes all attempts at complete removal!

P.S. I've done a HijackThis scan and got the logfile, but for privacy reasons I'd rather keep it to myself, and unless it's extremely necessary, I will email it to you or PM it to you on the forums. [Hope you understand my actions for this, I'm not paranoid, I'm just a bit cautious.] Also, the description given by Spybot for this threat has no information, and I've also saved a report file. If you need it, I'll probably send it along with the HijackThis log.
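As an added example (not from the thread or from Spybot), this is the check worth running on a shortcut a scanner flags before deciding whether the detection is a false positive: parse the .lnk file's header and StringData fields following the public MS-SHLLINK layout and see what the shortcut would really launch. The shortcut bytes are constructed inline for the demo; the WinRAR path in it is an assumed sample value.

```python
import struct

# MS-SHLLINK layout constants (public format; this parser is an added example)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (target path, arguments, ...) of a .lnk blob."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                                   # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                      # skip LinkTargetIDList (u16 size)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (u32 total size)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:             # CountCharacters-prefixed strings
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1   # UTF-16LE or ANSI code page
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return fields

def command_line(fields: dict) -> str:
    """What double-clicking the shortcut would actually run (path plus arguments)."""
    return (fields.get("relative_path", "") + " " + fields.get("arguments", "")).strip()

def build_sample_lnk(relative_path: str, arguments: str, unicode: bool = True) -> bytes:
    """Constructed test input: a minimal shortcut carrying only RelativePath and Arguments."""
    flags = HAS_REL_PATH | HAS_ARGS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID, flags) + bytes(0x4C - 24)
    def field(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le" if unicode else "cp1252")
    return header + field(relative_path) + field(arguments)

if __name__ == "__main__":
    sample = build_sample_lnk(r"..\..\Program Files\WinRAR\WinRAR.exe", "")  # assumed path
    print(command_line(parse_lnk(sample)))
```

A shortcut whose parsed command line is just the expected program with no extra arguments is what a legitimate desktop shortcut looks like; a scanner that keeps flagging such files across alphabetically neighbouring shortcuts is behaving like a signature false positive rather than reporting a real dialer.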

tashi
2005-11-24, 06:39
Hello.
If you are requesting help in this forum please post the hjt log as requested here:
Before you post a log (http://forums.spybot.info/showthread.php?t=288)

We are unable to provide malware assistance via pm or email.

Thank you. :)

security_samurai
2005-11-24, 07:50
Alright, my bad then :P... here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:18:09 PM, on 21/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O1 - Hosts: 195.228.74.83 L2authd.lineage2.com
O1 - Hosts: 195.228.74.83 L2testauthd.lineage2.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

LonnyRJones
2005-11-24, 12:43
Hi

That log looks fine

Tashi could you move the thread to false positives please

Done, thank you Lonny. - tashi

tashi
2005-12-08, 12:48
Name User
I moved your log to Malware removal so a hjt helper can analyse it there.
Cheers.

Galadriel
2005-12-13, 02:27
I had the same issue with a shortcut on desktop too.... mine was to a SNES emulator. I haven't fixed it though because I figured it was a false positive.
I've had issues with false positives on several desktop shortcuts in the past. Hope we can help in finding a reason for them.

Cheers,

Cat