Author Topic: Malware name :Win32:Dialer - 1154 [Trj]  (Read 27086 times)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malware name :Win32:Dialer - 1154 [Trj]
« Reply #15 on: February 24, 2008, 06:12:59 PM »
English forum here http://virusinfo.info/showthread.php?t=9184
I really must learn Italian or Portuguese as that is where most of my searches have led me, and I am not overly confident with Google's translation ability

What I intend doing now is remove from start items where I can only get vague information and run a trial and error analysis

Please re-open HiJackThis and scan.  Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [wimsnn] Wscript C:\WINDOWS\LICENSEMSE.VBS /B
O4 - HKLM\..\Run: [SETUP98] C:\WINDOWS\98SETUP.EXE

Now close all windows other than HiJackThis, then click Fix Checked.  Close HiJackThis. 

ALSO

As I have not been able to find a deep scanner for 98 could you see whether you have any of these folders under Program Files
%Program Files%\0190 Warner
%Program Files%\a2
%Program Files%\Coolspot\Dialer Control
%Program Files%\Popupkiller
%Program Files%\MicroSoft AntiSpyware


Or either of these two drivers
%System%\DRIVERS\vmx_svga.sys
%System%\DRIVERS\vpc-s3.sys


Also do you know what this programme is on your D drive
ZZPC_info\PC_profess

Lots of questions I am afraid

angeaa

  • Guest
Re: Malware name :Win32:Dialer - 1154 [Trj]
« Reply #16 on: February 25, 2008, 06:56:33 PM »
When I clicked on Fix Checked the HiJackThis window remained white, then I closed it. So I do not know what happened. The only thing is that in the past I received some warning about the file LICENSEMSE.VBS /B, but at the end no more. I do not know why.
About the files to check, the first seven are not present in all the C disk, where all the programs are installed.
The files ZZPC_info\PC_profess are some files taken, I think, from a CD bought together with an Italian magazine called PC professional.
I can delete them without problem.
I also have the log file created by HiJackThis, but you did not ask me to send it.
If you want I will send it.

For the English forum http://virusinfo.info/showthread.php?t=9184 I had a look. Do you have some suggestions for me about what to see? But thinking about the Italian and Portuguese sites that you mention, I started to make a search using Google, and I have found a lot of things that I didn't know. Anyhow, if I find something about the virus Win32:Dialer - 1154 [trj] I will send it to you.


Offline essexboy

Re: Malware name :Win32:Dialer - 1154 [Trj]
« Reply #17 on: February 25, 2008, 09:21:51 PM »
Hi Angeaa  If you could post the log - I would like to run silent runners now as that will work on 98.  It will be a long report so could you attach it to your post

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    Do you want to skip supplementary searches?
    click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

    angeaa

    • Guest
    Re: Malware name :Win32:Dialer - 1154 [Trj]
    « Reply #18 on: February 27, 2008, 12:49:14 PM »

    The virus doesn't appear any more. I have a doubt about what canceled it. In fact on 24 February I repeated the instructions of your post (Reply #13 on: February 23, 2008, 02:49:55 PM), running the script and "Advanced System Investigation" on both disks "C" and "D", as written in my mail of 24 February.

    After that the virus didn't appear. Soon after, I ran HiJackThis and the Fix Checked, as in your Reply #15 on: February 24, 2008.
    So I do not know if it is the AVZ run or the HiJackThis Fix Checked that stopped the virus.

    Now I do not know what to do. Is it better to run Silent Runners, as in your last post, or not? Anyhow I will perform a complete scan with AVAST.
    I would like to know if using CCleaner is a good idea, because I ran it but only on a few items, because I do not know how to restore files that are cancelled but that the system needs.
    There are some executables installed that I do not see in Control Panel \ Application-installation. For this reason I am not confident about removing them without risking some system problem.
    Because CCleaner can see them, may I use CCleaner to de-install them safely?
     Thanks for all your help


    Offline essexboy

    Re: Malware name :Win32:Dialer - 1154 [Trj]
    « Reply #19 on: February 27, 2008, 09:30:22 PM »
    Yes Crapcleaner makes backups of all that is deleted within the CC folder.  If I could have the silent runner just to be sure..  But it looks like it was on your D drive and AVZ killed it  ;D

    angeaa

    • Guest
    Re: Malware name :Win32:Dialer - 1154 [Trj]
    « Reply #20 on: March 01, 2008, 06:57:39 PM »
    OK, I ran Silent Runners. I had to download and install the WMI program from Microsoft, because Silent Runners needs it to be able to run.

    About CCleaner, in the directory C:\Programmi\Ccleaner there is a log file that contains all the files deleted, but I do not see any backup, unless this applies only when you use the Registry option, but not when you use only the Cleaner.

    The report is too long to send in the textual part of the post, so I will try to send it as an attachment.

    Offline essexboy

    Re: Malware name :Win32:Dialer - 1154 [Trj]
    « Reply #21 on: March 02, 2008, 02:17:21 PM »
    Hi angeaa that shows clean - yes it is only the registry deletions that backup sorry about that. 

    Are you having any more problems ?

    If not you may now delete all the programmes I had you download

    angeaa

    • Guest
    Re: Malware name :Win32:Dialer - 1154 [Trj]
    « Reply #22 on: March 08, 2008, 05:31:57 PM »
    This morning I received a warning from SUPERANTiSPYWARE that someone was trying to change the Initial page of my Internet Settings.
    Now the virus has appeared (twice) exactly in the same manner as already described in detail in my « Reply #9 on: February 21, 2008, 04:54:09 PM ».

    WHAT CAN I DO?  I NEED HELP!


    Spiritsongs

    • Guest
    SUPERAntiSpyware "Alert"
    « Reply #23 on: March 08, 2008, 06:06:28 PM »
     :)  Hi :

     "Alerts" from SUPERAntiSpyware are best addressed by asking for help on
      THEIR Support Forums at http://forums.superantispyware.com .

     And for some unknown reason, essexboy never said anything about "leftover"
     Symantec Entries such as :

     C:\PROGRAMMI\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
     O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
     O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab


     Their "Presence" implies you did NOT run the "Norton Removal Tool", which
     is available at several Sites !? IF you did, then should use HijackThis to "fix",
     if possible, those Items .

     AND the Hijackthis Log indicated you have an extremely outdated Version
     of Adobe Reader ( 6.0 ), which is an extreme security Risk . Best to uninstall
     it, then seriously consider getting the FREE Foxit Reader, which has Info at
     www.foxitsoftware.com/pdf/rd_intro.php  .


    Offline essexboy

    Re: Malware name :Win32:Dialer - 1154 [Trj]
    « Reply #24 on: March 08, 2008, 06:09:04 PM »
    You are obviously getting it from a site that you are visiting as it is in your temporary internet files.  Clean your temporary files with CC and see if it goes away 

    angeaa

    • Guest
    Re: Malware name :Win32:Dialer - 1154 [Trj]
    « Reply #25 on: March 10, 2008, 08:43:48 PM »
    I have done the following things:
    1)  run Ccleaner
    2) remove all Symantec remains, using the Symantec Removal Utility downloaded from the Norton site, the version for Windows 98.
     
    But the virus is still there, and appears always twice, and the situation is exactly as described in detail in my « Reply #9 on: February 21, 2008, 04:54:09 PM.

    I have something strange in my IE in Chronology. I found some sites that I do not use, but they are present as if I visit them every day.
     
    They are:
    http://www.mulopol.com/track2/track2.php
    http://www.wpse.mobi/track2/track2.php
    http://www.wsepro.com/track2/track2.php
    I do not know how to cancel them. I have tried with IE, with CCleaner, with Internet Options.

    The strange thing is that AVAST is able to detect, but not to cancel the virus.
    Are there other suggestions about some operation to do again (like some already done in the past days)?

    About ADOBE reader, there are no newer versions for Windows 98.



    Offline essexboy

    Re: Malware name :Win32:Dialer - 1154 [Trj]
    « Reply #26 on: March 10, 2008, 08:58:16 PM »
    You can replace adobe with foxit reader here http://www.foxitsoftware.com/pdf/rd_intro.php

    I would ask you to bear with me a bit as I go over all my old Win9x folders and fixes to see how to secure you from these

    angeaa

    • Guest
    Re: Malware name :Win32:Dialer - 1154 [Trj]
    « Reply #27 on: March 17, 2008, 07:04:50 PM »
    I   removed  Symantec, but not  all the  Symantec entries disappeared, but still there are some of Symantec "leftover"

    C:\Programmi\Symantec\LiveUpdate     is empty
    C:\WINDOWS\All Users\Dati applicazioni\Symantec\Common Client 
    contains a file :  settings.log
    C:\WINDOWS\All Users\Dati applicazioni\Symantec\LiveSubscribe
    is empty
    C:\WINDOWS\All Users\Dati applicazioni\Symantec\LiveUpdate
    contains 5 files, regarding Live Update
    and a directory C:\WINDOWS\All Users\Dati applicazioni\Symantec\LiveUpdate\Downloads
    that contains a file named minitri.flg and other 175 ZIP files, for a total of 34,1 MB.

    C:\WINDOWS\Application Data\Symantec\Shared contains a file:
    MyProfile.UserProfile
    C:\WINDOWS\Application Data\Symantec\Shared\Sessions is empty
    C:\WINDOWS\Profiles\AD\Application Data\Symantec\Shared\Sessions  contains 2 files
    C:\WINDOWS\Profiles\All Users\Dati applicazioni\Symantec\LiveSubscribe   contains 1 file
    C:\WINDOWS\Profiles\io\Application Data\Symantec\Shared\Sessions  contains 3 files
    C:\Programmi\File comuni\Symantec Shared\CCPD-LC  contains 3 files
    C:\Programmi\File comuni\Symantec Shared\Support Controls  contains 3 files

    Is it possible to cancel those files manually, without causing some problems?
    Moreover, can I try to run again some of the steps that you suggested to me?


    Offline Lisandro

    • Avast team
    • Certainly Bot
    • *
    • Posts: 67194
    Re: Malware name :Win32:Dialer - 1154 [Trj]
    « Reply #28 on: March 17, 2008, 07:49:10 PM »
    I   removed  Symantec, but not  all the  Symantec entries disappeared, but still there are some of Symantec "leftover"
    Did you try running the Symantec tool for removal?
    Norton Removal Tool for Windows 2000/XP/Vista.

    If you don't have Symantec products installed, all those files are safe to remove.
    The best things in life are free.

    angeaa

    • Guest
    Re: Malware name :Win32:Dialer - 1154 [Trj]
    « Reply #29 on: March 27, 2008, 04:15:36 PM »
    Yesterday I opened Avast and, before I could run the program, the virus stopped the system.

    Then I tried to use Alt-Ctrl-Del to resume Windows or restart. After several attempts I was able
    to close the system. Then I restarted again and went to see the chest file and found the virus inside.
    I started the Avast program and the virus appeared, but as usual the only thing that I can do is to click the "Cancel" tab (see Reply #9 on: February 21, 2008).
    The scan by Avast continued, no other sound alarms happened, but at a certain point the system blocked again and I could do nothing else than shut down the PC.

    I have noted that the virus in the Chest has a date of 12 March 2008, so I am afraid that for a strange reason the file was moved there, but I continue to have always the virus in my PC.

    Then I sent the file with the virus to virus@avast.com. Now I do not know if it is better to cancel the file from the chest or not.

    Moreover I still have something strange in my IE in Chronology. I found some sites that I do not use, but they are present as if I visit them every day.
     
    They are:
    http://www.mulopol.com/track2/track2.php
    http://www.wpse.mobi/track2/track2.php
    http://www.wsepro.com/track2/track2.php
    I do not know how to cancel them. I have tried with IE, with CCleaner, with Internet Options, but they are still there!