It will not let me move it to the Virus Chest nor will it let me delete it. In both cases, it tells me that “Error occurred during moving file to chest (deleting). The operation is not supported for this type of archive.”
I’ve done a search for the file and also tried to find it using EXPLORE and am unable to come up with it.
I did go into the registry and searched for 2466A83D and did find this under SystemRestore:
Right click on My Computer, click Properties, click on System Restore, put a check in Turn off System Restore. Rescan with Avast; if everything’s OK, go back and remove the check from Turn off System Restore.
Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
I’d leave system restore alone till you have gone through TECH’s list point by point
an infected item in RESTORE will only get you if you actually do a restore
and if you need to do a restore
a restore with an infected item that is already targeted is much better than no restore being available at all
you may clean your system with ATF Cleaner or CCleaner or by hand
on MBAM, update, scan, put a check mark next to any baddies and click REMOVE SELECTED; a backup will be made
on SAS update Clean and Quarantine
post the logs but edit out cookies
ignore system restore and files not able to open/scan for now
i.e. you are working down through #5; include Trend Micro Anti-Rootkit; you will do avast in #2
Ok – I need more help here. I went down the list of things to do above and have done most of what’s on that list. For the record, I did run Superantispyware and found 1 tracking cookie – revci.text which I deleted; everything else was clean. I ran MBAM and it showed me clean in everything. I ran Secunia and it showed I had insecure applications with Quicktime and Real Player; Java was good to go. I don’t even use QT or RP, and will be removing RP soon. Guess I’ll leave QT in case I need it for something.
I did all you suggested re: system restore, as well do a search for the specific file. I did enable PC for viewing of hidden files before searching. All my searches have been futile and found nothing. I’ve run Avast scans several times and it no longer shows the C:\System Volume Info_restore (2466A83D-1B81…); however, it now shows C:\Windows\installer\f78b92msi\ISSetupfile.SetupFile33, Win32:Dialer-gen [trj]. When trying to move these to the Chest or delete, it tells me, error occurred; This operation is not supported for this type of archive. So, I’m unable to do anything with it as far as the Avast program is concerned.
Lastly, I ran an F-Secure Online scan. It showed me clean EXCEPT for 1 spyware. It was the same tracking cookie that SAS found – revci.
I do plan to d/l and run Hijack This just to see what it shows. I’ve never used HiJack This and have steered clear of it because I’ve heard one must really know what they’re doing when using this program.
Is there something specific I should be looking for when HiJack This presents its finds?
Since I’m coming up clean on ALL scans EXCEPT Avast, other than for 1 tracking cookie, is it possible that what Avast is finding on my PC is a false positive?
Since my post last night, I ran 2 more scans. I reran the MBAM in full scan rather than quick and it showed me clean in everything.
I also downloaded HiJack This and scanned PC. I got a good report with it. I got all green arrows and where there were no green arrows, it said it was a good program.
So, what’s next please? I have not run a new virus scan this morning to see if the dialer is still showing up, as I have a feeling it will still show it’s there.
Do you want me to post the HiJack This Log here? I did run it through the Analysis Feature, but maybe I don’t understand how it works.
I printed off the Short Analysis report and found green arrows for ALMOST everything – there are a couple of entries that have a question mark by them.
One of them is Boot mode: Normal — question mark
The other is 016 - DPF: … (HP Download Manager) - and gives an http addy
It has a question mark and these words: Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’, etc., it should be fixed!
What is this? If you need me to post the log report here, I can do that (I think).
Yes I can – does anyone man this forum? I’ve had several posts and no response. Is it possible this can be a FALSE POSITIVE with Avast??? Thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:31 AM, on 10/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Your HijackThis Log indicates you have Spybot!? IF true, have you run a Spybot Scan to see what, IF anything, it detects!? The Spybot Support Forums at http://forums.spybot.info have many certified “Malware Removal Specialists” that volunteer their “services”, which, since I see 3 “redirects” in your HijackThis Log, I recommend you ask them about.
I failed to tell you that Spybot congratulates me when running it. I keep ALL of my spyware programs updated and run them regularly. These scans that you’ve recommended along with the ones I already have in place just are not finding this dialer.
I agree with spiritsongs
go either to the spybot forum or malwarebytes forum and post in their malware removal forums
be sure to read the sticky and be prepared to follow instructions exactly
Spywarewarrior has a forum as do others
?
did you upload the hit to VirusTotal and Jotti? (or have you still not been able to access it?)
did you run a couple of rootkit scans?
a-squared is a good on-demand scanner, one of the few good ones you have not tried
as with ALL scanners, watch for FPs; quarantine, do not remove/delete
also the Kaspersky on line scan is excellent
again hits in Restore cannot hurt you
have you run ccleaner or atf cleaner?
It would be nice to know where this thing came from and what it was but you might just have to declare yourself clean and set a new restore point
we cannot tell that you have run ANY scans as you have not posted the logs.
If this was the MBAM forum you would be asked to start over
we are all users like yourself; volunteer forum for the most part
the HJT 016 is an active x
if it were to go away it would be downloaded again if needed
you can google CLSID’s and file names if they are unfamiliar
as you say, nuking with HJT is not recommended
you do have some 02 and 04’s that take up memory and slow down your system
but I would remove them with their uninstaller; use Spybot or other to prevent their start at boot up
SD helper is good
Are you running any realtime, start-at-bootup anti-spyware/malware program or other HIPS?
I cannot access what avast says I have. I can’t even find it other than what Avast scan shows.
I’ve posted at Spybot and not heard back. I don’t know what Jotti and VirusTotal are – will google and read/act. I run Spyware Blaster. What do you mean by nuking?
Here are the results of my F-Secure scan.
Scanning Report
Thursday, October 09, 2008 18:46:32 - 20:13:09
Computer name: JULEA
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ K:\
Result: 1 malware found
TrackingCookie.Revsci (spyware)
System
It really looks as if you are clean if trend micro rootkit scan showed nothing
too bad we will never know where the hit in your restore file came from
looks as if the infection is not active as long as it’s not hiding in a rootkit
so go ahead and run ccleaner or atf cleaner
defrag
and do the restore off and on again to clean old restore files and set a new one
find some proactive protection to run alongside avast
jotti and virus total are collections of multiple AV and other scanners
you upload files to them to verify a virus and to see who can deal with it
in your case you could not access but keep in mind if you ever get infected
nuking = removing by brute force like HJT instead of conventional removal techniques
HJT can remove the head but often leaves lots of fragments, traces, debris, garbage as files and registry entries
that’s why I like to use the conventional scanners first
others use HJT first and “we’re outta here” (then some other scanner finds one of the fragments and goes nuts)
sometimes you do have to use something like HJT first just to get control; it makes removing the rest of the entries more difficult, but that comes with the territory
Hum – I just posted both of those logs here and I don’t see them – will try again. Yes on same name at spybot if you’re talking username. They’ve not responded. Thanks for your info.
I don’t do well in navigating this forum – I can never find my post (LOL).
Re: running ccleaner – I run ccleaner EVERY time I come off the internet. Question for you – when I run the Registry scan and it has items listed and I’m given the option to fix – shouldn’t I be fixing those items?
I messed up – should have made these posts at the Spybot forum – they are now assisting me. It still looks like I’m clean with only outdated Java on my PC, according to them. Time will tell. I still wonder about a false positive since the file seems nowhere to be found in any of the scans I’ve done – even with Kaspersky’s scan. I’m still trying to figure this out, but not as panicky as in the beginning. I’ve done a new restore point and am taking it from there. Think we can consider this post closed here at avast.
I just finished viewing your Thread on the Spybot Forums and saw a couple of “Avira” Items that “Shaba” made no mention of; generally speaking, it is NOT wise to have any “remnants” of a PRIOR antiVIRUS program while using Avast. I could not tell IF both Avira “Items” in the Log that you posted are/were “related” ONLY to their “Antirootkit” “Tool”, which MAY be “connected” to their antivirus program, but we usually recommend using the appropriate Avira “Removal” programs available at www.avira.com/en/support/av7_upgrade_tools.html .