Trojan not found by Avast

F-Secure online scanner found the following trojan

Trojan.Win32.Dialer.q

C:\WINDOWS\Downloaded Program Files\1037639.exe

AntiVir X 1.21 seconds
Avast X 4.56 seconds
BitDefender X 2.83 seconds
ClamAV X 6.84 seconds
Dr.Web X 4.41 seconds
F-Prot Antivirus X 0.35 seconds
Kaspersky Anti-Virus Trojan.Win32.Dialer.q 4.18 seconds
mks_vir X 1.73 seconds
NOD32 X 2.50 seconds
Norman Virus Control X 2.17 seconds

I'm surprised Avast did not find it.

How can I get rid of it?
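The multi-scanner results quoted above, parsed into a per-engine verdict and a detection count. This is an added example, not something from the thread; the sample rows are constructed to match the layout of the results posted above, and the triage labels are my own.

```python
import re

# Constructed sample in the layout of the Jotti results quoted in the thread:
# "<engine> <verdict or X> <seconds> seconds", where X means no detection.
JOTTI_RESULTS = """\
AntiVir X 1.21 seconds
Avast X 4.56 seconds
BitDefender X 2.83 seconds
ClamAV X 6.84 seconds
Dr.Web X 4.41 seconds
F-Prot Antivirus X 0.35 seconds
Kaspersky Anti-Virus Trojan.Win32.Dialer.q 4.18 seconds
mks_vir X 1.73 seconds
NOD32 X 2.50 seconds
Norman Virus Control X 2.17 seconds
"""

# Engine names may contain spaces, so the verdict and timing are anchored from the right.
LINE_RE = re.compile(r"^(?P<engine>.+?)\s+(?P<verdict>\S+)\s+(?P<secs>\d+\.\d+) seconds$")

def parse_results(text):
    """Map each scanner name to its detection name, or None when it reported X."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            verdict = m["verdict"]
            results[m["engine"]] = None if verdict == "X" else verdict
    return results

def summarize(results):
    """Count detections and give the kind of triage verdict a helper gives in this thread."""
    hits = {engine: name for engine, name in results.items() if name}
    if not hits:
        status = "clean"
    elif len(hits) == 1:
        # One engine out of many: confirm first (possible false positive), and
        # submit the sample to the vendors that missed it so they can add detection.
        status = "single-engine detection: confirm and submit sample"
    else:
        status = "multi-engine detection: treat as malicious"
    return {"engines": len(results), "detections": len(hits), "names": hits, "status": status}

if __name__ == "__main__":
    print(summarize(parse_results(JOTTI_RESULTS)))
```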

Simply delete the file and update your Windows/IE. Do not use IE for surfing "untrusted" sites.

I have already updated Windows to SP2. I can't find this file.

How can I find it? I tried searching for it.

Hi,

  • either delete it with the onlinescanner, or
  • search & delete it in Safe Mode (F8 boot) or
  • search & delete it via IE Options → General → Settings → Objects or
  • open a DOS box and enter:

cd "C:\WINDOWS\Downloaded Program Files"
(the "" are essential)

then enter:
del 1037639.exe

:wink:

I opened up a command prompt window and typed:

cd "C:\WINDOWS\Downloaded Program Files"

but nothing happened when I clicked on "find next".

Please help.

Hi Omar,

Firstly, you must have found the file, because you submitted it to Jotti's scanner as C:\WINDOWS\Downloaded Program Files\1037639.exe

I also noticed that only Kaspersky detected it (which will also be detected by F-Secure online, as they share the same scan engine) and this file was missed by all the other vendors.

If you could locate the file that you sent in to Jotti's scanner, then resend it to virus@asw.cz and I am sure Avast will add detection.

This is what F-Secure online says about trojans it can't detect.

'4. How to remove malware that cannot be disinfected by OLS
F-Secure Online Scanner is able to remove viruses but it cannot disinfect Worms, Trojans, Backdoors, etc since there is nothing to disinfect. This type of malware needs to be removed manually from the hard drive.

Please see more virus removal instructions here: Link to virus removal page

Good luck in getting rid of it.

Kind Regards

Jlo

Since only Kaspersky and F-Prot (same scan engine) are finding it, this very well can be a false positive by them. Send the file in a password-protected zip to virus@avast.com, support@f-prot.com and support@kaspersky.com; let's see what they say about it.

No, that did not sound like a false alarm. The folder ("O16" entries shown in HJT logs) and filename match some Dialer I saw last week.

Hi

The file that I have indicated was copied and pasted directly from the F-Secure online scanner when the scan finished.

But when I looked in the Downloaded Program Files folder, that file was not there.

Perhaps a HijackThis log would help:

Logfile of HijackThis v1.97.7
Scan saved at 12:36:19, on 04/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM..\Run: [%FP%Friendly fts.exe] “C:\Program Files\VoyagerTest\fts.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKCU..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38210.4574652778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{1D50A44D-19CF-4107-9580-5B1A59B85001}: NameServer = 195.93.51.134

I ran the F-Secure scanner again, and it gives the following:

Finished: 1 virus found

Scanned files: 55217 Warning: 1 file(s) still infected!

C:\WINDOWS\Downloaded Program Files\1037639.exe Trojan.Win32.Dialer.q

C:\WINDOWS\Downloaded Program Files\1037639.exe Trojan.Win32.Dialer.q
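A small parser for the HijackThis log format posted above, pulling out the autostart (O4) and downloaded ActiveX (O16 DPF) entries and checking whether any of them reference a given file name, which is the question a helper asks of this log. This is an added example, not code from the thread or from HijackThis; the log excerpt is constructed from a few of the entries posted above.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt in HijackThis v1.97 log format (entries like those posted in the thread).
HJT_LOG = r"""
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O17 - HKLM\System\CCS\Services\Tcpip..{1D50A44D-19CF-4107-9580-5B1A59B85001}: NameServer = 195.93.51.134
"""

O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O16_DPF = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

def parse_hjt(text):
    """Split a HijackThis log into autostart (O4) and downloaded ActiveX (O16 DPF) entries."""
    autostart, dpf = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RUN.match(line):
            autostart.append({"source": m["hive"] + "\\Run", "name": m["name"], "command": m["cmd"]})
        elif m := O4_STARTUP.match(line):
            autostart.append({"source": "Global Startup", "name": m["name"], "command": m["cmd"]})
        elif m := O16_DPF.match(line):
            # O16 entries are controls fetched into Downloaded Program Files; the name is optional.
            dpf.append({"clsid": m["clsid"], "name": m["name"], "url": m["url"],
                        "host": urlparse(m["url"]).hostname})
    return {"autostart": autostart, "dpf": dpf}

def references_file(parsed, filename):
    """Entries whose launch command or download URL mentions filename (case-insensitive)."""
    needle = filename.lower()
    hits = [e for e in parsed["autostart"] if needle in e["command"].lower()]
    hits += [e for e in parsed["dpf"] if needle in e["url"].lower()]
    return hits

if __name__ == "__main__":
    parsed = parse_hjt(HJT_LOG)
    for e in parsed["dpf"]:
        print(f"O16 {e['clsid']} {e['name'] or '(no name)'} from {e['host']}")
    # The file reported by the scanner is neither launched nor downloaded by any entry here.
    print("entries referencing 1037639.exe:", references_file(parsed, "1037639.exe"))
```

An empty result for the scanner's file name means the log shows nothing that would launch it, which is consistent with a leftover file in Downloaded Program Files rather than an active autostart entry.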

Please use eScan: http://www.mwti.net/antivirus/free_utilities.asp It uses the same engine F-Secure uses (the KAV engine reports that dialer). It will delete the file if it is still there. Please start the program in Windows Safe Mode:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

Thanks, I'll try it!

It did not find the trojan; I don't understand. How come F-Secure finds it and nothing else does?

Did I tell you to click on "find next"?
I don't know what you mean anyway, but you should see this in the Command/DOS window:

C:\WINDOWS\Downloaded Program Files> and a blinking prompt/cursor, right?

  • if so, type there:
    DIR *.exe [ENTER]

What happens? Any filenames reported?

And what happens if you type:

DEL 1037639.exe [ENTER]

??

I see the flashing cursor. When I typed in:

DIR *.exe, it says:
volume in drive c is MT26G-4
volume serial number is 3C60-0F9F

directory of c:\documents and settings\omar khokhar

file not found

When I typed:
DEL 1037639.exe

it said: could not find:c\documents and settings\omar khokhar\1037639.exe

It has gone; I used KillBox and deleted the file on reboot.

I am new and confused. I run both AVG and Avast, but not together. I have ZoneAlarm, Spybot and Ad-Aware on my PC, which is installed with XP Home Edition with Service Pack 2 installed. I have scanned with both but I still have a Trojan horse Dropper Small.6.L
C:\System volume Information-restore-{72D1485c-21cf-4604-BE39-68172DFC746E}RP661\A0012592.exe
That message comes up with AVG Resident Shield, which says to run AVG. I have run it and Avast, and nothing shows up. Also, when I run Avast and it locates it in the boot scan, I get a repair error 42060 message and all I can do is move the files. Got any ideas? Thanks.

3snookie, this is a false positive caused by system restore.

Disable system restore, reboot and the problem is solved.

Sorry Eddy, I tried that after reading the posts and that has not worked. Any other ideas?

You must have done something wrong. This solution will work.