Virus with the symptoms impotato.com and XPCOM:Eventreciever

Hello. I have got a virus on my computer. It keeps disconnecting me from the internet, and creating an alternate dial-up connection. Avast recognised it when I downloaded it, but subsequent searches (thorough) do not show anything. But it is definitely there.

I’ve also scanned with SpyBot and the Trend Micro online scanner. According to sygate, the virus hijacked the Trend Micro online scanner. When I try to shut down my computer, I get a message that XPCOM:Eventreciever has crashed. I don’t know if that’s relevant.

Anyway, here’s my Avast log:

27/03/2006 10:38:56 SYSTEM 1788 Sign of "Win32:Dialer-521 [Trj]" has been found in "http://impot[broken]ato.com/a412/ud/d.php[UPX]" file.
27/03/2006 21:42:23 SYSTEM 1764 Sign of "Win32:Dialer-520 [Trj]" has been found in "http://www.impotat[broken]o.com/a412/b_sd_max.php[UPX]" file.

It keeps trying to access the internet, but Avast keeps stopping it, luckily.

What is your OS?
If XP, try scheduling a boot-time scan from within avast.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode:
Ewido Security Suite if using WinXP, or a-squared Free if using Win98/ME.

Your alerts are coming from avast's web shield, as the location is shown as the internet - you would have got an alert where the only option was to abort the connection?
This in effect stops it being downloaded. So subsequent searches won't find it; it isn't on your computer.

"According to sygate, the virus hijacked the Trend Micro online scanner."
What information did you have to suggest that, errors/warnings, etc.?
"It keeps trying to access the internet, but Avast keeps stopping it, luckily."
avast isn't a firewall, so it isn't stopping it accessing the internet; it may well be stopping it from downloading the dialer, and this is what you see. This is an educated guess, as there isn't enough information to be accurate. What keeps trying to connect, filename, etc.?

This may well be some form of trojan downloader, which isn’t detected by avast but what it is trying to download is detected. Ewido is a specialist trojan hunter so if you have XP try that and get back to us.

Check this google search return for XPCOM:Eventreciever http://www.google.com/search?q=XPCOM%3AEventreciever

I’m using XP, and I’ve downloaded ewido. It found 4 infected files and a lot of tracking cookies. However, I keep getting messages from Avast telling me that something is getting downloaded from

http://www.impo[broken]tato.com/a412/shed1.php?m=1&b=779&c=3[UPX]

and asking me if I want to abort the connection. I also keep getting messages from ewido telling me that additional infected files have been detected.

Here’s my log from Sygate:

Application Hijacking has been detected
The application: C:\Documents and Settings\Danny\Desktop\New\spybotsd14.exe try to launch another application: C:\Documents and Settings\Danny\Local Settings\Temp\is-QOOSM.tmp\is-IBTAE.tmp to go to remote host www.safer-networking.org

There seem to be quite a few different filenames involved. I think that most of them are located in the Temp folder. But I can’t delete them.

The boot-time scan seems like a good idea. How do I do that?

This is the web shield detecting something on the website www . impotato.com (see how the link isn't active; it isn't advisable to post active links to suspected infected files), or use the insert code tag icon:

http://www.impo[broken]tato.com/a412/shed1.php?m=1&b=779&c=3[UPX]

What were you doing at the time, downloading a file/program, etc., when you got the warning?

What messages from ewido? Please give details of the messages.

The Sygate log appears to be indicating the installer file 'spybotsd14.exe' (Spybot S&D version 1.4) trying to connect to its home site; were you installing Spybot at the time?

To schedule a boot-time scan right click the avast icon, select Start avast! Antivirus and click the menu

http://img.photobucket.com/albums/v325/for-dwr/boottime.jpg

I was downloading a… a… key generator. I know that it serves me right. And I have certainly learned my lesson. I won’t be doing it again. It was a mp3 to .swf converter key gen, and I think I downloaded it from here:

http://www.serialz.to/M/20.htm 

I can't find the file now, though.

I've done the boot-time scan and deleted all of the 3 infected files detected (the three files were Win32:Dialer-542 [1], Win32:Dialer-542 [2], and Win32:Dialer-542 [3], and they were all located in the Temporary Internet Files folder), but I am still getting messages from ewido and Avast. The messages from ewido tell me that an infected file has been found, and give me the option to clean it. The messages from Avast tell me that an infected file has been found and give me the option to abort the connection. Since I did the boot-time scan, Avast can detect infected files, but when I try to move one to the chest or delete it, I get a message telling me that
"The process cannot access the file because it is being used by another process"
Cannot process "C:\Documents and Settings\Danny\Local Settings\Temporary Internet Files\Content.IE5\5H3JQWEX\wdinit64[2].exe[UPX]" file.

Also: Yes, I did install Spybot after Avast couldn’t detect the virus (or trojan, or whatever). I waited for the Spybot scan to finish (the result was negative) before trying Trend Micro’s scanner.

Sorry if I’m not making myself clear - I’m not very good at things like this.

Hi Dandandan:

Whenever you get a "Because it is being used by another process" message, it's time to download, then use "Unlocker" from http://ccollomb.free.fr/unlocker/ . However, because it is "Temporary internet files\Content.IE5\5H3JQWEX\wdinit64[2].exe[UPX]", I have seen anti-spyware experts have a difficult time removing any "Content.IE5" and recommend you ask for help on the Spybot forums at http://forums..spybot.info or the forums at www.landzdown.com . Those forums MAY want to see a HijackThis log, and this program is best downloaded from http://www.thespykiller.co.uk/files/HJTsetup.exe .

Note: This is a complete installer that installs HijackThis to your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut. If HijackThis is used from a temp folder, it is in danger of being accidentally deleted by clean up tools.

At the download prompt, choose “Save”. After the download is complete, navigate to the C:\Program Files\HijackThis folder and double-click it to complete the installation.

Hi dandandan,

You are not supposed to post links to malware. There are minors on this forum that may feel tempted to click these links to get infected by it. There are various ways to make direct links ineffective: "xxx" or "dot" instead of "."; just use your imagination.
One is adware, the other link leads to the virus Trojan Seeker.181. You have not fully updated or secured your OS. See here:
http://support.microsoft.com/kb/q275609/
To surf securely, have this on your computer: only one resident anti-virus solution, only one software firewall, and on a clean system install three anti-spyware programs: Ad-Aware, Spybot S&D, SpywareBlaster. If on Win XP, download SP2 and auto-update all the software thereon, browser etc. included. Surf safe, stay secure.

polonus


Well, that is twice that mention of the bad links has been posted.

Dandandan, please break those active links as has been suggested by using the “modify” button at the top right of those posts you have made.


Hello. I have apparently got rid of it now. I’m a bit suspicious, though. I got this from Avast:

Avast active scan report:

27/03/2006 10:38:56 SYSTEM 1788 Sign of "Win32:Dialer-521 [Trj]" has been found in "http://imp[broken]otato.com/a412/ud/d.php[UPX]" file.
27/03/2006 21:42:23 SYSTEM 1764 Sign of "Win32:Dialer-520 [Trj]" has been found in "http://www.impota[broken]to.com/a412/b_sd_max.php[UPX]" file.

Then I scanned my computer with ewido (I think that only the first 5 entries are relevant):

ewido anti-malware - Scan report (full scan)

  • Created on: 17:47:25, 28/03/2006

  • Report-Checksum: 754F8ACF

  • Scan result:

    [1888] C:\WINDOWS\system32\winpdc32.dll → Downloader.Small.cml : Error during cleaning
    C:\WINDOWS\system32\AdService.dll → Downloader.Small.cml : Cleaned with backup
    C:\WINDOWS\system32__delete_on_reboot__winpdc32.dll → Downloader.Small.cml : Cleaned with backup
    C:\WINDOWS\Temp\win79.tmp → Trojan.Dialer.u : Cleaned with backup
    C:\WINDOWS\Temp\win92.tmp → Trojan.Dialer.u : Cleaned with backup

[and a load of tracking cookies]

::Report End

I saw that one of the files couldn't be cleaned, and so I scanned the computer again. This second scan showed the same 5 files were still infected, and so I thought that the one that I couldn't get rid of was some kind of master file or something. And I still couldn't get rid of it. When I restarted my computer, all signs of the viruses had gone. Maybe the computer needs to be restarted for the changes made by ewido to take effect, or maybe something else has happened. I am quite scared now. I've run HijackThis. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 20:18:40, on 29/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.karoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.karoo.co.uk
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139346066384
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139346048718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6072602-ADB9-4A72-87A7-285E75E55148}: NameServer = 212.50.160.100 213.249.130.100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

I don’t know if anybody here can understand it - I certainly can’t. I’ll post it on the Landzdown forum as well. Thanks for your help, everybody.
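As an added example, not part of this thread and not code from avast, ewido or HijackThis, here is a small Python triage script over the three kinds of log posted above. It makes the point the earlier replies were driving at: an avast alert whose "location" is a URL comes from the web shield and means the download was blocked in transit, so there is nothing on disk to find, whereas a drive-letter path means the file really is on the machine. It then correlates the ewido report with the HijackThis log and flags two things a helper would look at first: an O4 Run value that is a bare filename (pctspk.exe, resolved through the search path at logon), and the O20 Winlogon Notify entry for winpdc32.dll, which is the same DLL ewido reported as Downloader.Small.cml; ewido removed the file, but the registry value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify that told winlogon to load it is still there, which is exactly what "(file missing)" is showing. The sample input is a handful of lines copied from the logs in this thread (a constructed subset, not the full logs); the regular expressions and the "bare filename" heuristic are my own assumptions about the log formats, not the tools' own parsers.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: a subset of the avast log, the ewido scan report and the
# HijackThis log posted in this thread (not the full logs).
AVAST_LOG = """\
27/03/2006 10:38:56 SYSTEM 1788 Sign of "Win32:Dialer-521 [Trj]" has been found in "http://impot[broken]ato.com/a412/ud/d.php[UPX]" file.
27/03/2006 21:42:23 SYSTEM 1764 Sign of "Win32:Dialer-520 [Trj]" has been found in "http://www.impotat[broken]o.com/a412/b_sd_max.php[UPX]" file.
"""

EWIDO_REPORT = """\
[1888] C:\\WINDOWS\\system32\\winpdc32.dll -> Downloader.Small.cml : Error during cleaning
C:\\WINDOWS\\system32\\AdService.dll -> Downloader.Small.cml : Cleaned with backup
C:\\WINDOWS\\Temp\\win79.tmp -> Trojan.Dialer.u : Cleaned with backup
"""

HJT_LOG = """\
Logfile of HijackThis v1.99.1
O4 - HKLM\\..\\Run: [SmcService] C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui
O4 - HKLM\\..\\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\PROGRA~1\\MSNMES~1\\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MCPClient - C:\\PROGRA~1\\COMMON~1\\Stardock\\mcpstub.dll
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)
"""

# The patterns below are my own guesses at the three log formats, written against the lines above.
AVAST_RE = re.compile(r'^\S+ \S+ \S+ \d+ Sign of "(?P<det>[^"]+)" has been found in "(?P<loc>[^"]+)" file\.$')
EWIDO_RE = re.compile(r'^(?:\[\d+\] )?(?P<path>[A-Za-z]:\\.+?) (?:->|\u2192) (?P<det>.+?) : (?P<result>.+)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\?\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')  # also accepts "HKLM..\Run"
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$')


def is_absolute(path: str) -> bool:
    """True for a drive-letter path such as C:\\WINDOWS\\...; False for URLs and bare filenames."""
    return re.match(r'^[A-Za-z]:\\', path) is not None


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def classify_avast(text: str) -> List[dict]:
    """Split avast alerts into web-shield hits (location is a URL: blocked in transit, nothing
    written to disk) and on-access hits (location is a drive path: the file is on the machine)."""
    out = []
    for line in text.splitlines():
        m = AVAST_RE.match(line.strip())
        if not m:
            continue
        loc = m.group('loc')
        on_disk = is_absolute(loc)
        out.append({'detection': m.group('det'), 'location': loc, 'on_disk': on_disk,
                    'via': 'on-disk' if on_disk else 'web shield (URL)'})
    return out


def parse_ewido(text: str) -> Dict[str, Tuple[str, str]]:
    """Map lower-cased file basename -> (detection name, cleaning result) for each ewido line."""
    hits = {}
    for line in text.splitlines():
        m = EWIDO_RE.match(line.strip())
        if m:
            hits[basename(m.group('path'))] = (m.group('det'), m.group('result'))
    return hits


def first_token(cmd: str) -> str:
    """Program part of a Run value: the quoted path if quoted, else the first whitespace-delimited word."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage_hjt(text: str, ewido_hits: Dict[str, Tuple[str, str]]) -> List[dict]:
    """Flag O4 Run values that are bare filenames, and O20 Winlogon Notify entries whose DLL is
    missing or was named in the ewido report; attach the ewido verdict where one exists."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            exe = first_token(m.group('cmd'))
            if not is_absolute(exe):
                findings.append({'section': 'O4', 'name': m.group('name'), 'path': exe, 'missing': False,
                                 'ewido': ewido_hits.get(basename(exe)),
                                 'reason': 'bare filename, resolved via the search path at logon'})
            continue
        m = O20_RE.match(line)
        if m:
            dll, missing = m.group('dll'), m.group('missing') is not None
            verdict = ewido_hits.get(basename(dll))
            if missing or verdict:
                findings.append({'section': 'O20', 'name': m.group('name'), 'path': dll, 'missing': missing,
                                 'ewido': verdict,
                                 'reason': ('Winlogon Notify value still present but its DLL is gone' if missing
                                            else 'Winlogon Notify DLL named in the ewido report')})
    return findings


if __name__ == '__main__':
    for a in classify_avast(AVAST_LOG):
        print(f"avast  {a['detection']:<24} {a['via']:<18} {a['location']}")
    for f in triage_hjt(HJT_LOG, parse_ewido(EWIDO_REPORT)):
        print(f"hjt    {f['section']} {f['name']:<10} {f['path']:<14} {f['reason']}  ewido={f['ewido']}")
```

Run as-is, it reports both avast hits as web-shield URL blocks (nothing on disk), then two HijackThis findings: the PCTVOICE Run value with a bare pctspk.exe, and the winpdc32 Winlogon Notify entry with ewido's Downloader.Small.cml verdict attached. Only O4 and O20 lines are handled; the O18 line, which also says "(file missing)", is deliberately left alone because it is a different kind of entry. An orphaned Winlogon Notify value does nothing once its DLL is gone, but it is the persistence mechanism the downloader used and is what a helper would have you remove with HijackThis's "Fix checked".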

Please help us and help others and don’t post active url links that lead to infected files, etc.