Hi, I’m fairly new to avast, I only just started using it last week on advice from a friend, so I’m looking for some advice about what to do. I’ve had warnings to take action against this virus (Win32:Dialer-1346) twice within 15 minutes. Both times I’ve been using Firefox and opened up multiple tabs (to gamespot.com, IGN.com, eurogamer.net, 1up.com, kotaku.com, mmo-champion.com and worldofraids.com) at the same time, when Firefox will say it’s having problems and then the warning comes up saying it’s the Win32:Dialer-1346 virus as “b.exe” in the Application Data folder in my profile’s Documents and Settings folder. Both times so far I’ve sent it to the chest and then deleted it. I’d just like to know if that’s the right thing to do, and if there’s any way to know where it’s coming from and stop it without opening those sites again (assuming it is coming from one of them, although I’ve never had problems visiting them before) and potentially picking it up for a third time?
This is a trojan that is obviously being re-created by some other file/registry setting on your computer. It seems like Avast is getting the trojan, but not getting what is causing it to be activated.
A general cleaning procedure (originally posted by Tech - one of the forum helpers) is:
1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try [url=http://www.freedrweb.com/cureit/]DrWeb CureIT![/url] instead.
3. Use [url=http://www.superantispyware.com]SUPERantispyware[/url], [url=http://malwarebytes.org/mbam.php]MBAM[/url] or [url=http://www.spywareterminator.com/]Spyware Terminator[/url] to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with [url=http://www.antirootkit.com/software/index.htm]anti-rootkit applications[/url]. I suggest [url=http://files.avast.com/files/beta/aswar.exe]avast! antirootkit[/url] or [url=http://www.trendmicro.com/download/rbuster.asp]Trend Micro RootkitBuster[/url].
5. Make a [url=http://www.bleepingcomputer.com/files/hijackthis.php]HijackThis[/url] log to post here or at [url=http://www.hijackthis.de/#anl]this analysis site[/url]. Or even submit the [url=http://www.runscanner.net/]RunScanner[/url] log to on-line analysis.
6. Disable System Restore and then re-enable it again.
7. Immunize your system with [url=http://www.javacoolsoftware.com/spywareblaster.html]SpywareBlaster[/url].
8. Check if you have insecure applications with [url=http://secunia.com/software_inspector/]Secunia Software Inspector[/url].
It would be a very good idea to have your computer protected by a firewall, that will alert you to unwanted programs (such as these) attempting to connect outbound, so they can be blocked.
Sorry for what are probably some stupid questions, but how do I clean my temporary files? If you mean just the temporary internet ones, though, I’ve done that.
I’ve just had avast do a full scan and it didn’t turn up anything. I’m pretty sure archive scanning was on. I’ve just started another set to “thorough”, and I’m running a DrWeb scan now too.
I’m running a scan with SUPERantispyware now.
I’ve posted a HijackThis log to the analysis site and it didn’t say anything was bad. Here’s the log:
[i]Logfile of HijackThis v1.99.1
Scan saved at 04:51:45, on 26/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
I’m not sure how to disable/reenable System Restore.
My system is already immunized with SpywareBlaster.
I’ve used Secunia and it showed I was using insecure versions of Java and Adobe, which I have now replaced.
And yes, I am protected by a firewall, the Windows one.
First things first, you still have AVG installed on this computer. This can (and does) cause weird behaviour (running two AVs, not AVG per se) and it must be uninstalled for Avast to work correctly. Disabling it won’t work.
Uninstall all its components (including the linkscanner) via the control panel, then run the AVG removal tool.
It is quite possible your original report of a trojan may be a false positive. Having two AVs installed can produce unexpected results. Can you please post the full file name and path of the detection?
There is nothing obvious in your HJT log to indicate malware. I take it your “H” drive is the partition that the XP OS is installed onto? Are any other OS installed on any other partitions?
Can you confirm your Internet Explorer is at version 6? This should be addressed.
I better get a bit of clarification of your first post.
The sites you mention that you have open in multiple tabs:
When I first read that I understood that to mean you had those tabs open, from choice. Is that correct, or do they open up uncommanded?
How to clean temp files: There is a disk cleanup utility built into Windows. “Start>programs>accessories>system tools>disk cleanup”
Another way: Download ATF Cleaner or CCleaner. I suggest the first. (If you use CCleaner, read the tutorial first. You can delete stuff with it that you perhaps wouldn’t want deleted. It’s a useful tool, though, maybe for later.) With ATF Cleaner, which runs with no installation required, “select all” (and maybe de-select things like “history” if you want that kept, and cookies if you want those kept; everything else can be deleted), then run it. Exit.
Don’t worry about disabling System restore for now. We’ll see what that file that’s flagged as a trojan is, first.
The Windows firewall is a good one-way firewall. It has little user control over outbound applications, and it is advisable to install a two-way firewall so you can actually see - and control - what can connect to the web. I use PCTools firewall. It’s easy enough to use.
Sorry if my first post wasn’t very clear. What happened was (both times the warning came up) I was browsing normally on a single tab, then decided to check the websites I mentioned. I opened tabs to them simultaneously and they began loading; they were all loaded or partially loaded when Firefox crashed and I sent the error report. I relaunched Firefox and selected to restore the previous session, and as the tabs were loading again the warning came up.
I’m removing AVG now, although it seems unlikely to me that would be the cause. Like I said, I’ve had avast for around a week and done exactly as I described above without firefox crashing and then giving the warning.
The “H” drive is my system drive, all my programs and OS are on it. I have no idea why it’s labelled as “H” rather than “C”, but it’s always been that way since I put this machine together.
I assume it’s 6, I haven’t updated IE for a long time as I don’t use it. I’m installing IE8 now though.
I’ve cleaned out my temporary files using the Disk Cleanup tool, although there wasn’t much there.
I’m installing the PCTools firewall now.
Also, SUPERAntiSpyware has finished the scan and all it turned up was a tracking cookie which has now been taken care of.
Edit: Sorry, forgot, the full file name and path is “H:\Documents and Settings\[My computer profile name]\Application Data\b.exe”
What version of Firefox are you running? This (possibly combined with a poorly coded webpage) could be the reason for the crash.
Or (more likely) it could be related to having two AV’s present. Especially since they both have a form of webshield; Linkscanner in AVG’s case.
If you were to browse the forum you would start to become aware that two AVs installed can sometimes co-exist apparently peacefully, sometimes for weeks or even months after the second one is installed. I see evidence of this frequently. Unfortunately it’s impossible (for me) to know why this is the case.
It is safe to assume though that problems could occur as soon as the second AV is installed, but they may not become apparent until some time later. (Or it might lock up or otherwise protest immediately.)
It really doesn’t seem malware related, but it’s impossible to say until the file tagged as the trojan is identified.
Once AVG is uninstalled, try opening up the tabs again. See if you can reproduce the browser crash.
Once PCTools firewall is installed, expect popups. Each time something tries to connect to the web, it will ask you for permission. (In some cases you may have to research the file name to know whether permission should be granted or not.) Once the permissions have been sorted, the frequency (and annoyance) of the popups will decrease. A lot.
Check that the Windows firewall is turned off as soon as the other one is up and running.
Ok, I’ve uninstalled AVG and can recreate the crash. As soon as I relaunched Firefox and tried to restore the session, the PCTools Firewall popup told me Sonic Update Manager was trying to access the internet, which seems like a pretty big coincidence. I haven’t clicked Allow or Block yet, but I have done a HijackThis scan; here is the log:
[i]Logfile of HijackThis v1.99.1
Scan saved at 06:40:04, on 26/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
I’ve just looked in the Application Data folder where the “b.exe” was. It isn’t there, but there’s a new one called “a.exe”; it hasn’t brought up a warning, though.
A bit short of time, right now, sorry, but can you please repair your Avast installation.
Control panel>add/remove programs>Avast antivirus>change, and select “repair” after clicking change.
Ok, there is definitely something about the worldofraids.com website that is triggering this. I just visited it again; there was no crash this time, but I did get the warning and ran HijackThis as soon as it came up. Here is the log using the newest version:
[i]Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:26:24, on 26/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Sorry to rush off, before.
There is still nothing obvious in that log. Not obvious to me, anyway.
Can you locate the file “a.exe” and upload it to www.virustotal.org for an online scan, then post the URL of the results page here.
Try downloading, installing, updating and running a scan with MBAM.
This often finds things (and is very good at complete removal) that other scanners sometimes can not.
I visited the worldofraids website, and even allowed scripts to run for that site. No alerts, no misbehaviour. Doesn’t prove anything much, though.
The new version of HjT has cleared up some uncertainty about some entries that had “file missing” at the end of them.
The firewall applications list looks OK. The allowed-to-connect list is based on what is called a whitelist, that is, the processes are already recognised and known not to be malicious. This does not mean you personally might want everything on that list to connect automatically whenever it feels like it. Blocking individual programs can usually be done at the program’s own interface. For example, Sonic Update Manager: you’d open the associated program and, in the settings tab, if such an option is available, tell it not to check for updates.
The entries listed as “no longer exists at this location” can be deleted; they probably relate to the AVG installation.
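As an added example, not part of this thread or of HijackThis, Avast or MBAM: a small triage script for the two things asked for above, picking the O4 (registry Run) entries out of a HijackThis log that point into a user's Application Data or Temp folder or carry a throwaway name like a.exe / b.exe, and hashing a file so it can be searched on VirusTotal by hash before uploading it. The sample log lines and the "updater" entry name are constructed for illustration; only the Application Data path shape is taken from the thread.

```python
"""Triage helper for a HijackThis-style log, added as an example for this
thread; it is not code from the forum, from HijackThis or from Avast.

It covers two things the thread asks for:
  1. scan the registry Run entries (O4 lines) for executables that live in a
     user's Application Data or Temp folder, or that carry a throwaway name
     such as a.exe / b.exe, which is where Avast flagged "b.exe" here;
  2. hash a file (MD5, SHA-1, SHA-256) so it can be searched on VirusTotal by
     hash before, or instead of, uploading it.

The sample log lines and the "updater" entry name are constructed; only the
Application Data path shape comes from the thread.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# HijackThis registry autostart lines look like:
#   O4 - HKCU\..\Run: [name] C:\path\file.exe [args]
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Per-user writable folders (lower-cased, as XP names them). Legitimate
# updaters do live in Application Data, so a hit here means "look", not "malware".
SUSPICIOUS_DIRS = ("\\application data\\", "\\local settings\\temp\\")

# One- or two-character executable names (a.exe, b.exe) are a classic dropper habit.
THROWAWAY_NAME_RE = re.compile(r"^[a-z0-9]{1,2}\.exe$", re.I)


def executable_path(cmd):
    """Strip quotes and arguments from an autostart command to get the exe path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the path may contain spaces, so cut at the first ".exe"
    # that is followed by whitespace or the end of the line.
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def triage_hjt(log_text):
    """Return [(entry name, exe path, [reasons])] for O4 entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = executable_path(m.group("cmd"))
        reasons = []
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            reasons.append("runs from a user-writable profile folder")
        if THROWAWAY_NAME_RE.match(PureWindowsPath(path).name):
            reasons.append("throwaway one-letter executable name")
        if reasons:
            findings.append((m.group("name"), path, reasons))
    return findings


def hashes_of(chunks):
    """MD5/SHA-1/SHA-256 over an iterable of byte chunks (any one is searchable on VirusTotal)."""
    digests = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {n: d.hexdigest() for n, d in digests.items()}


def file_hashes(path):
    """Hash a file in 64 KiB chunks; run this on the machine against the flagged a.exe / b.exe."""
    with open(path, "rb") as f:
        return hashes_of(iter(lambda: f.read(65536), b""))


# Constructed sample log: two ordinary XP autostarts and one shaped like the
# Application Data entry from this thread ("updater" is a made-up entry name).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)
O4 - HKLM\..\Run: [avast!] H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] "H:\Documents and Settings\user\Application Data\a.exe" -s
"""

if __name__ == "__main__":
    for name, path, reasons in triage_hjt(SAMPLE_LOG):
        print(f"[{name}] {path}: {'; '.join(reasons)}")
```

Only the registry Run entries are parsed; Startup-folder lines (O4 - Startup:) use a different layout and are skipped. On the affected machine, `file_hashes` would be pointed at the flagged a.exe so the hash can be searched on VirusTotal even if Avast has already moved the file to the chest.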
Ah. I thought they’d fixed that. Please download This hotfix and place it in your Program files\malwarebytesantimalware folder. Allow it to replace the existing version of MBAM.exe.
Then try it.
I’ve done a full scan with MBAM and it didn’t detect any infected objects, but when it finished apparently it didn’t create a log and came up with the “Windows cannot find…” error.
Edit: It appears I needed to create the file path to where it can save logs, I’ve done that and here is a report from a quick scan:
[i]Malwarebytes’ Anti-Malware 1.39
Database version: 2504
Windows 5.1.2600 Service Pack 3
What was the error message in response to? You searching for the log, or did it pop up automatically when MBAM finished scanning?
Have you checked in MBAM settings (in the second checkbox down) that it should create a log?
However, the point is that nothing is detected as infected.
HJT indicates the same. This has got to be somewhat reassuring.
Please send the quarantined item to Avast from within the chest. (Right click the entry in the chest for the options).
Should the virus warning occur again, try initially doing nothing, but open the folder the file reported is in, then try scanning it with MBAM.
I’m not sure this will actually work, as Avast may lock it, and prevent scanning or correct detection.
How did you get on uploading the file to virustotal? (I’d treat “a.exe” with the same degree of suspicion as “b.exe”.)
If anything new attempts an internet connection now, the firewall should warn you. If unsure whether it’s safe or not, block it. (This can later be undone if necessary.) And let us know.
Love some more second opinions about this scenario.