
MANY Viruses! Dialer.Generic/iDialer/Downloader/DriveCleaner/ErrorSafe/Infostealer/..

Discussion in 'Virus & Other Malware Removal' started by p_natalia, Jan 26, 2007.

  1. p_natalia

    p_natalia Thread Starter

    Joined:
    Jan 26, 2007
    Messages:
    7
    Your help would be more than appreciated!!!!

    I have all the viruses of the world!!!!

    That is what Symantec Antivirus tells me... PLEASE HELP!

    Risk Action Count Filename
    Adware.MaxSearch Partial 9 wlzip32[1].exe
    Dialer.Generic Quarantined 2 win91.tmp.exe
    Dialer.Generic Quarantined 2 win484.tmp.exe
    Dialer.Generic Quarantined 5 win38E.tmp.exe
    Dialer.Generic Quarantined 6 srvvcc[1].exe
    Dialer.Generic Pending Analysis 1 srvuzx[1].exe
    Dialer.Generic Quarantined 6 srvlrb[1].exe
    Dialer.Generic Quarantined 6 srvsco[1].exe
    Dialer.Generic Quarantined 6 srvxnz[1].exe
    Dialer.Generic Quarantined 3 srvvrf[1].exe
    Dialer.Generic Quarantined 6 srvedw[1].exe
    Dialer.Generic Quarantined 6 srvwye[1].exe
    Dialer.Generic Partial 2 srvypo[1].exe
    Dialer.Generic Partial 2 srvzxn[1].exe
    Dialer.iDialer Quarantined 2 idd93.tmp.exe
    Dialer.iDialer Quarantined 2 idd485.tmp.exe
    Dialer.iDialer Quarantined 2 idd32F.tmp.exe
    Dialer.iDialer Quarantined 6 idd192.tmp.exe
    Dialer.iDialer Quarantined 6 idd3A.tmp.exe
    Dialer.iDialer Pending Analysis 1 idd485.tmp.exe
    Dialer.iDialer Quarantined 5 idd3BA.tmp.exe
    Dialer.iDialer Quarantined 5 idd2DD.tmp.exe
    Dialer.iDialer Quarantined 6 idd3A.tmp.exe
    Dialer.iDialer Quarantined 3 idd1D9.tmp.exe
    Dialer.iDialer Quarantined 6 idd44.tmp.exe
    Downloader Deleted 2 ADS_NL~1.HTM
    Downloader Partial 2 ads_nl1[1].htm
    Downloader Partial 2 ads_nl1[1].htm
    DriveCleaner Partial 2 installdrivecleanerstart[1].cab
    ErrorSafe Deleted 2 uwa6p_0001_n91m1807netinstaller.exe
    ErrorSafe Pending Analysis 1 UWA6P_0001_N91M1807NetInstaller.exe
    ErrorSafe Partial 2 ErrorSafeFreeInstall[1].cab
    ErrorSafe Partial 2 ErrorSafeFreeInstall[1].cab
    ErrorSafe Partial 2 ErrorSafeNewReleaseInstall[1].cab
    Infostealer Deleted 2 ynnryewa.dll
    Infostealer Deleted 2 jxetpuco.dll
    Trojan.Nebuler Deleted 2 ANTZOM~1.EXE
    Trojan.Nebuler Partial 2 antzom[1].exe
    Trojan.Vundo Reboot Processing 111 Unavailable
    Trojan.Vundo Deleted 2 ikclgynq.dll
    Trojan.Vundo Reboot Required - Deleted 112 qrdumvsr.exe
    WinFixer Partial 4 WinAntiVirusPro2006FreeInstall[1].cab
    WinFixer Partial 3 WinAntiVirusPro2006FreeInstall[1].cab
    WinFixer Partial 4 WinAntiVirusPro2006FreeInstall[1].cab
    WinFixer Partial 3 WinAntiVirusPro2006FreeInstall[1].cab
     
  2. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, p_natalia. :)

    Welcome to TSG.

    Click here to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Doubleclick on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

    If the above link is broken, try this link. Make sure you extract and save the Hijackthis.exe file in a Permanent folder, rather than a Temp folder.
     
  3. p_natalia

    p_natalia Thread Starter

    Joined:
    Jan 26, 2007
    Messages:
    7
    I followed your instructions and thanks for the prompt reply... here is the log

    Let me know how to proceed.... I am online :)

    I very much appreciate the help

    Logfile of HijackThis v1.99.1
    Scan saved at 00:00:20, on 27/01/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\acstp\icserv.exe
    C:\WINDOWS\system32\acstp\wake_up.exe
    c:\program files\firm applications\media viewer\services\streamviewerservice.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\system32\1XConfig.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Accenture Connection\9341989\Program\Accenture Connection.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Common Files\svchost.exe
    C:\Program Files\Network ICE\BlackICE\blackice.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://set-proxy.accenture.com/bin/setup.proxy
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Accenture Connection] "C:\Program Files\Accenture Connection\9341989\Program\Accenture Connection.exe"
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
    O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com/
    O15 - Trusted Zone: *.accenture.com
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://symantec3.atgnow.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} - http://symantec.atgnow.com/sdccommon/download/ssrc.cab
    O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://symantec.atgnow.com/sdccommon/download/sprtctlln.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = accenture.com
    O17 - HKLM\Software\..\Telephony: DomainName = accenture.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E978949C-5F80-4581-B38C-E39AE0BAD655}: NameServer = 62.6.40.162 194.72.0.98
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = accenture.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe
    O23 - Service: IgniteService - Unknown owner - C:\Program Files\Accenture Connection\9341989\Program\IgniteService.exe" -Service (file missing)
    O23 - Service: Accenture Media Viewer (MediaViewer) - - c:\program files\firm applications\media viewer\services\streamviewerservice.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
     
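    The HijackThis log above is plain text with a fixed line shape (section prefix, " - ", entry body), so it can be triaged mechanically before anyone reads it line by line. The script below is an added example, not code from the thread or from HijackThis itself. It parses a constructed subset of the log lines in the thread's format and applies a few generic triage heuristics: a core Windows binary name (svchost.exe, smss.exe, and similar) running from a directory other than System32, O23 services marked "Unknown owner" or "(file missing)", and O17 NameServer and O15 Trusted Zone entries that the owner should confirm are expected. The heuristic rules, the binary-name list and the sample lines are assumptions made for the example; they are not conclusions about the machine in the thread.

```python
import re

# Constructed sample: a handful of lines in the HijackThis v1.99.1 log format
# posted in the thread. Only a subset is used so the example stays short.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O15 - Trusted Zone: *.accenture.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E978949C-5F80-4581-B38C-E39AE0BAD655}: NameServer = 62.6.40.162 194.72.0.98
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: IgniteService - Unknown owner - C:\Program Files\Accenture Connection\9341989\Program\IgniteService.exe" -Service (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# HijackThis entry lines start with a section tag such as R1, O4, O23.
SECTION_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")

# Heuristic (assumption for this example): these core Windows binaries
# legitimately run only from System32; a same-named file elsewhere is a
# classic masquerading sign and deserves a look.
CORE_SYSTEM_BINARIES = {
    "svchost.exe", "smss.exe", "winlogon.exe", "lsass.exe",
    "services.exe", "csrss.exe",
}


def parse_hjt_log(text):
    """Split a HijackThis log into (running process paths, [(section, body)])."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = SECTION_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(processes, entries):
    """Return a list of (kind, message) findings for a human to confirm."""
    findings = []
    for path in processes:
        parent, _, name = path.rpartition("\\")
        if name.lower() in CORE_SYSTEM_BINARIES and not parent.lower().endswith("\\system32"):
            findings.append(("process", f"core Windows name outside System32: {path}"))
    for section, body in entries:
        if section == "O23":
            if "(file missing)" in body:
                findings.append((section, f"service whose binary is missing: {body}"))
            if "Unknown owner" in body:
                findings.append((section, f"service with no publisher information: {body}"))
        elif section == "O17":
            m = re.search(r"NameServer\s*=\s*(.+)$", body)
            if m:
                findings.append((section, f"DNS servers to confirm with the ISP: {m.group(1).split()}"))
        elif section == "O15":
            findings.append((section, f"trusted-zone entry to confirm is expected: {body}"))
    return findings


if __name__ == "__main__":
    for kind, message in triage(*parse_hjt_log(SAMPLE_LOG)):
        print(f"[{kind}] {message}")
```

    On the constructed sample the script reports six items: the svchost.exe copy under Common Files, the trusted-zone entry, the two DNS servers, and three service observations (two for IgniteService, one for the ATI service). Each is a prompt for a person to check, not a removal decision; that matches how the helpers in this thread work, where nothing is fixed until a specialist has read the log.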
  4. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, p_natalia :)

    There is no evident malware in that log. Let's take a deeper look.

    Download ComboFix from Here or Here to your Desktop.

    Reboot to Safe mode:

    Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

    Perform the following actions in Safe Mode.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
     
  5. p_natalia

    p_natalia Thread Starter

    Joined:
    Jan 26, 2007
    Messages:
    7
    OK. Sorry for the reply, but I had to come to a friend's PC to reply.

    1) When I go into safe mode, the desktop won't show up...
    2) I go into safe mode... there is a pop-up coming up, "do you want to continue in safe mode" blah blah blah, and I say yes.
    3) Then I get another message saying "welcome to the Found New Hardware wizard. Windows will search for current and updated software by looking on your computer, on the hardware installation CD or on the Windows Update website", to which I press No this time, and if I am in safe mode the desktop won't show...
    4) Going back to normal mode so that I can get a connection to reply to you, I get the same message as in (3) and the following viruses from Symantec: Dialer.Generic, ErrorSafe, Dialer.iDialer, Trojan.Vundo, Infostealer... one of them closes Internet Explorer and I have to reboot... :(

    What do you suggest?

    When I go into safe mode and I try from Task Manager to start a new task... C or desktop, it says... "Windows can't find idlist" and then it goes quickly and I can't see the rest: /idlist, :0:1364 D:\Documents, and then it continues in the same message, "make sure that you typed the path correctly", etc.
     
  6. p_natalia

    p_natalia Thread Starter

    Joined:
    Jan 26, 2007
    Messages:
    7
    Please, some help - have I done / said something £"$" and no one replies to me? :(
     
  7. p_natalia

    p_natalia Thread Starter

    Joined:
    Jan 26, 2007
    Messages:
    7
    OK... I believe I have found something more... there is hardware which is trying to be installed every time I boot the computer.

    You can see that the name from the screenshot is "Unknown", and also in the task bar the two icons with the red X are the ones which I believe cause the problem, as they seem to be dialers that I never installed...

    I hope this helps more... and you can provide some more help on how to proceed.

    Thank you ever so much :)

    PS: I have added what Symantec has found - one more screenshot
     

  8. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, p_natalia :)

    Sorry for the delay, but my line went out last night.

    Let's see if we can eliminate Vundo.

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

    Upgrading Java:
    • Download the latest version of Java Runtime Environment (JRE) 6.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.
    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files; click YES.
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shut down your computer; click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
     
Short URL to this thread: https://techguy.org/538657