How can I get rid of a dialer?

[jzbell]

Windows XP w/SP3 IE 7
Compac PresarioProcessor - 2.40 gigahertz
AMD Athlon64Memory - 1.37GB of Ram
200 GB hard drive

When running an AVAST scan, it finds this:

MALWARE: C:System Volume Information/_restore (2466A83D-1B81-456E-9766

It will not let me move it to the Virus Chest nor will it let me delete it.  In both cases, it tells me that "Error occurred during moving file to chest  (deleting).  The operation is not supported for this type of archive."

I've done a search for the file and also tried to find it using EXPLORE and am unable to come up with it.

I did go into the registry and searched for 2466A83D and did find this under SystemRestore:

(Default) REG_SZ (value not set)
DiskPercent REG_DWORD 0x0000000c(12)
MachineGuid REG_SZ {2466A83D-1881-456E-9766-38C2B7E4821

Would this perhaps be the culprit and if so, would someone be able to help me get this off my PC please?

Thanks,

Julea

[Marc57]

Right click on my computer, click properties, click on system restore, put a check in turn off system restore. Rescan with Avast, if everything's OK, go back and remove the check from turn off system restore.

[Lisandro]

I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or this analysis site. Or even submit the RunScanner log to to on-line analysis.
6. Disable System Restore and then reenable it again.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.

[wyrmrider]

I'd leave system restore alone till you have gone through TECH's list point by point
an infected item in RESTORE will only get you if you actually do a restore
and if you need to do a restore
a restore with an infected item that is already targeted is much better than no restore being available at all
you may clean your system with ATF Cleaner or CCleaner or by hand

on mbam update scan put a check mark next to any baddies and click REMOVE SELECTED a backup will be made

on SAS update Clean and Quarantine

post the logs but edit out cookies
ignore system restore and files not able to open/scan for now
i.e. you are working down through #5  include trend micro anti rootkit you will do avast in #2

[jzbell]

Ok -- I need more help here.  I went down the list of things to do above and have done most of what's on that list.  For the record, I did run Superantispyware and found 1 tracking cookie -- revci.text which I deleted; everything else was clean.  I ran MBAM and it showed me clean in everything.  I ran Secunia and it showed I had insecure applications with Quicktime and Real Player; Java was good to go.  I don't even use QT or RP, and will be removing RP soon.  Guess I'll leave QT in case I need it for something.

I did all you suggested re: system restore, as well do a search for the specific file.  I did enable PC for viewing of hidden files before searching.  All my searches have been futile and found nothing.  I've run Avast scans several times and it no longer shows  the C:\System Volume Info_restore (2466A83D-1B81...); however, it now shows C:\Windows\installer\f78b92msi\ISSetupfile.SetupFile33, Win32:Dialer-gen [trj].  When trying to move these to the Chest or delete, it tells me, error occurred; This operation is not supported for this type of archive.  So, I'm unable to do anything with it as far as the Avast program is concerned.

Lastly, I ran an F-Secure Online scan.  It showed me clean EXCEPT for 1 spyware.  It was the same tracking cooking that SAS found -- revci.

I do plan to d/l and run Hijack This just to see what it shows.  I've never used HiJack This and have steered clear of it because I've heard one must really know what they're doing when using this program.

Is there something specific I should be looking for when HiJack This presents its finds?

Since I'm coming up clean on ALL scans EXCEPT Avast, other than for 1 tracking cookie ---------- is it possible that what Avast is finding on my PC is a false positive?

Thank You

[jzbell]

Still need suggestions on my posts above.

Since my post last night, I ran 2 more scans.  I reran the MBAM in full scan rather than quick and it showed me clean in everything.

I also downloaded HiJack This and scanned PC.  I got a good report with it.  I got all green arrows and where there were no green arrows, it said it was a good program.

So ------ what's next please?  I have not run a new virus scan this morning to see if the dialer is still showing up as I have a feeling it will still show it's there.

Do you want me to post the HiJack This Log here?  I did run it thorough the Analysis Feature, but maybe I don't understand how it works.

Thanks,

Julea

[jzbell]

I printed off the Short Analysis report and found green arrows for ALMOST everything -- there are a couple of entries that have a question mark by them.

One of them is Boot mode: Normal --- question mark

The other is 016 - DPF: ......... (HP Download Manager) - and gives an http addy

It has a question mark and these words:  Check if you know this site and fix it if you do not.  Unknown ActiveX-Objects, or ActiveX- Objects from unknown sites should always be fixed.  If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino,' 'free plugin', etc., it shuld be fixed!

What is this?  If you need me to post the log report here, I can do that (I think).

Thanks,

Julea

[jzbell]

Yes I can -- does anyone man this forum?  I've had several posts and no response.  Is it possible this can be a FALSE POSITIVE with Avast???  Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:31 AM, on 10/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\agrsmsvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kansascity.com/mld/kansascity/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221145404500
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MediaMax XL Service (MediaMaxXLService) - Unknown owner - C:\Program Files\Streamload\MediaMax XL\MediaMaxXLService.exe (file missing)
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Compaq_Owner\My Documents\Desktop Picture\kai and jade xmas 2006.jpg

--
End of file - 7816 bytes

[Spiritsongs]

   Hi Julea :

 Your HijackThis Log indicates you have Spybot !? IF true, have you run a
 Spybot Scan to see what, IF anything, it detects !? The Spybot Support
 Forums at http://forums.spybot.info have many certified "Malware Removal
 Specialists" that volunteer their "services", which since I see 3 "redirects" in
 your HijackThis Log I recommend you ask them about .

[jzbell]

As mentioned in my posts - Yes, I've run Spybot - many times; along with all the other scans I've told you about.

What are the redirects you find, please?

Thanks,

Julea

[jzbell]

I failed to tell you that Spybot Congragulates me when running it.  I keep ALL of my spyware programs updated and run them regularly.  These scans that you've recommended along with the ones I already have in place just are not finding this dialer.

[wyrmrider]

I agree with spiritsongs
go either to the spybot forum or malwarebytes forum and post in their malware removal forums
be sure to read the stickie and be prepared to follow instructions exactly
Spywarewarrior has a forum as do others

?
did you upload the hit to virus total and jotti?  (or have you still not been able to access?

did you run a couple of rootkit scans?
a-squared scanner is good on demand scanner- one of the few good ones you have not tried
as with ALL scanners watch for FP's   quarantine do not remove/delete
also the Kaspersky on line scan is excellent

again hits in Restore cannot hurt you

have you run ccleaner or atf cleaner?

It would be nice to know where this thing came from and what it was but you might just have to declare yourself clean and set a new restore point

we cannot tell that you have run ANY scans as you have not posted the logs. 
If this was the MBAM forum you would be asked to start over

we are all users like yourself- volunteer forum for the most part

the HJT 016 is an active x
if it were to go away it would be downloaded again if needed
you can google CLSID's and file names if they are unfamiliar

as you say nukeing with hjt is not recommended
you do have some 02 and 04's that take up memory and slow down you system
but I would remove them with their uninstaller use spybot or other to prevent their start at boot up

SD helper is good
Are you running any realtime start at bootup anti-spyware- malware program or other HIPS?

[jzbell]

I cannot access what avast says I have.  I can't even find it other than what Avast scan shows.

I've posted at spybot and not heard back.  I don't know what jotti and virus total are - will google and read/act.  I run Spyware Blaster.  What do you mean by nukeing?

Here's the results of my F-secure scan.

Scanning Report
Thursday, October 09, 2008 18:46:32 - 20:13:09
Computer name: JULEA
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ K:\

Result: 1 malware found
TrackingCookie.Revsci (spyware)
System

Statistics
Scanned:
Files: 76456
System: 4693
Not scanned: 6
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 1
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-10-09
F-Secure AVP: 7.0.171, 2008-10-09
F-Secure Pegasus: 1.20.0, 2008-09-01
F-Secure Blacklight: 1.0.68
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

[wyrmrider]

It really looks as if you are clean if trend micro rootkit scan showed nothing
too bad we will never know where the hit in your restore file came from
looks as if the infection is not active as long as it's not hiding in a rootkit
so go ahead and run ccleaner or atf cleaner
defrag
and do the restore off and on again to clean old restore files and set a new one
find some proactive protection to run alongside avast

jotti and virus total are collections of multiple AV and other scanners
you upload files to them to verify a virus and to see who can deal with it
in your case you could not access but keep in mind if you ever get infected

nuking = removing by bruit force like HJT instead of conventional removal techniques
HJT can remove the head but often leaves lots of fragments, traces, debris, garbage as files and registry entries
thats why I like to use the conventional scanners first
others use HJT first and "we're outta here" (then some other scanner finds one of the fragments and goes nuts)
sometimes you do have to use something like hjt first just to get control- makes removing rest of enteries more difficult but that comes with the territory

did you use same name at spybot forum?

[jzbell]

Hum -- I just posted both of those logs here and I don't see them -- will try again.  Yes on same name at spybot if you're talking username.  They've not responded.  Thanks for your info.