Virus issue

For general computer discussion & help, come here

Moderators: Bakhtosh, EvilHomer3k

Peacedog
Posts: 13148
Joined: Tue Oct 12, 2004 7:11 pm
Location: Despair, level 5

Virus issue

Post by Peacedog »

Ok, I've used the most recent, fully updated, free version of AVG to clean a machine. 81 files found, but only 76 fixed. The other 5 identify as Trojan Horse Dialer.10.X (where X = some letter). I think some of them are the same, others are different versions of the virus (I guess).

AVG can't fix them. Any ideas on what can?

And it looks like Trojan Horse Dialer.10.AH is the main culprit.

Also, today I got to see up close and personal what happens when you take a typical, technologically ignorant, family and expose them to the internet. I hope never to have to do this again in my life.
LawBeefaroni
Forum Moderator
Posts: 55367
Joined: Fri Oct 15, 2004 3:08 pm
Location: Urbs in Horto, outrageous taxes on everything

Post by LawBeefaroni »

Go to a security site and follow removal instructions. May involve registry work, etc.

There are a ton of similarly named trojans at Symantec:
Dialer.comsoft.html
Dialer.xxxAction(cool name! :lol: )

Find yours if it's there and follow their instructions.
Gedd
Technical Admin
Posts: 2812
Joined: Wed Oct 13, 2004 12:00 am

Post by Gedd »

Definitely check Symantec first. If that doesn't work, give http://www.free-av.com a shot.
Rip
Posts: 26891
Joined: Tue Oct 12, 2004 9:34 pm
Location: Cajun Country!

Post by Rip »

Ahhaah, a little problem with the ol' porn dialers, eh? Often when a file can't be repaired you can delete it, occasionally even having to boot to safe mode with command prompt to do so.

Look up the removal instructions for the particular virus at Symantec, and the fact I'm a Symantec partner influences my opinion only slightly :idea:
“A simple democracy is the devil’s own government.”
— Benjamin Rush
--
Peacedog
Posts: 13148
Joined: Tue Oct 12, 2004 7:11 pm
Location: Despair, level 5

Post by Peacedog »

It's funny, this was at work but it isn't even work related (the machine is property of a friend of the bosses).

Adaware removed 480-something spyware files. AVG removed 76 infected virus files. When I left, free-av seemed to be doing its thing quite well; we'll see how that went tomorrow, I guess. 3 users use the computer, and that's clearly 3 too many from a "do you have any basic understanding of internet security" standpoint.

I also learned that Dell's proprietary OS sucks. That is all.
Rip
Posts: 26891
Joined: Tue Oct 12, 2004 9:34 pm
Location: Cajun Country!

Post by Rip »

Peacedog wrote:It's funny, this was at work but it isn't even work related (the machine is property of a friend of the bosses).

Adaware removed 480-something spyware files. AVG removed 76 infected virus files. When I left, free-av seemed to be doing its thing quite well; we'll see how that went tomorrow, I guess. 3 users use the computer, and that's clearly 3 too many from a "do you have any basic understanding of internet security" standpoint.

I also learned that Dell's proprietary OS sucks. That is all.

For future reference, another tactic I use sometimes is to take the drive out and install it as a second drive in a machine with Norton or whatever quality AV software, and scan it from that. This will allow files that would have been in use to be dealt with.
Quaro
Posts: 1194
Joined: Wed Oct 13, 2004 3:10 am

Post by Quaro »

Best scanner by far I've used is Kaspersky, but it's not free. It does have a 30-day trial, however, which is plenty of time to use it to fix a machine.
SirReal
Technical Admin
Posts: 1004
Joined: Wed Oct 13, 2004 10:12 am
Location: Behind you

Post by SirReal »

Consider forcing them away from IE/Outlook, and having them log on as users (as opposed to admins).
EvilHomer3k
Forum Moderator
Posts: 7923
Joined: Tue Oct 12, 2004 10:45 pm
Location: Cedar Rapids, IA

Post by EvilHomer3k »

Some other things to consider when finished:

Install SP2
Set up Adaware/Spybot to run as scheduled tasks
Delete Kazaa

You can also try stinger. It is a free virus removal tool that we use at work. Works pretty well. We use a combination of Norton, stinger, AdAware, and spybot for most of the computers we work on. At the beginning of the year, our office worked on over 200 computers for incoming students. Many of them had over 3000 pieces of spyware and several hundred viruses. The worst one had nearly 6000 instances of spyware. They complained that the computer was a bit slow. Hmm. I wonder why.
Peacedog
Posts: 13148
Joined: Tue Oct 12, 2004 7:11 pm
Location: Despair, level 5

Post by Peacedog »

Ok. AVG still recognizes Dialer.10.AH. There's lots of dialer stuff at Symantec, but nothing that looks like that.

So, AVG is not recognizing the name of the virus quite right, or .10.AH is AVG for "that Dialer over there".

The resident shield (the active scanner) is picking up a file in the windows/system32 folder - wdm.dll. It's calling it Backdoor.Agent.BA. This is consistent with Backdoor.Agent.B according to Symantec - right down to the .dll files with random characters in the name in that folder.

However, the Backdoor.Agent.B removal tool didn't find the particular virus on the machine. So I feel like I am back to square one. FWIW, stinger didn't find anything. AntiVir did remove some stuff - but I still get these two particular issues.

Oh, and system restore is disabled right now. All commentary to this point is greatly appreciated (and fwiw, whenever the machine is up and running they'll have spybot, adaware, and something that isn't IE to work with). Will a clean windows install be of any benefit (my guess is no, but what do I know)?
Rip
Posts: 26891
Joined: Tue Oct 12, 2004 9:34 pm
Location: Cajun Country!

Post by Rip »

Peacedog wrote:Ok. AVG still recognizes Dialer.10.AH. There's lots of dialer stuff at Symantec, but nothing that looks like that.

So, AVG is not recognizing the name of the virus quite right, or .10.AH is AVG for "that Dialer over there".

The resident shield (the active scanner) is picking up a file in the windows/system32 folder - wdm.dll. It's calling it Backdoor.Agent.BA. This is consistent with Backdoor.Agent.B according to Symantec - right down to the .dll files with random characters in the name in that folder.

However, the Backdoor.Agent.B removal tool didn't find the particular virus on the machine. So I feel like I am back to square one. FWIW, stinger didn't find anything. AntiVir did remove some stuff - but I still get these two particular issues.

Oh, and system restore is disabled right now. All commentary to this point is greatly appreciated (and fwiw, whenever the machine is up and running they'll have spybot, adaware, and something that isn't IE to work with). Will a clean windows install be of any benefit (my guess is no, but what do I know)?

I would rename the file "wdm.dll"; if it is in use you may have to boot to a safe command prompt to do so.

Reboot, and if you get no errors you are safe to delete it. I have read reports of people having to take ownership of this file and remove the read-only attribute to be able to delete it.

Also, have you run hijackthis and noted the results? E-mail it to me and I'll let you know if I see any alarming entries.
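A triage script in the spirit of Rip's advice above, written for a current Windows build with PowerShell (added example; not code from any poster in this thread). It lists System32 DLLs that look out of place (unsigned, recently modified, read-only, unexpected owner, or a short vowel-less name like the random-character DLLs Peacedog describes), and the trailing comments show the take-ownership / clear-read-only / rename-first steps from the thread. The folder, age window, trusted-owner list and the name heuristic are assumptions, and catalog-signed system files may report as NotSigned on older PowerShell versions.

```powershell
# Added example: flag System32 DLLs worth a closer look. Run from an elevated prompt.
# Folder, age window and owner list are assumptions for illustration.
param(
    [string]$Folder     = "$env:SystemRoot\System32",
    [int]   $MaxAgeDays = 30
)

$cutoff        = (Get-Date).AddDays(-$MaxAgeDays)
$trustedOwners = @('NT SERVICE\TrustedInstaller',
                   'NT AUTHORITY\SYSTEM',
                   'BUILTIN\Administrators')

$findings = Get-ChildItem -Path $Folder -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $owner   = (Get-Acl -Path $_.FullName).Owner
        $reasons = @()
        if ($sig.Status -ne 'Valid')            { $reasons += "signature=$($sig.Status)" }
        if ($_.LastWriteTime -gt $cutoff)       { $reasons += 'recently-modified' }
        if ($_.IsReadOnly)                      { $reasons += 'read-only' }
        if ($trustedOwners -notcontains $owner) { $reasons += "owner=$owner" }
        # A short name with no vowels (e.g. "wdm") is only a weak hint by itself;
        # it counts only together with at least one other reason.
        if ($_.BaseName -match '^[a-z0-9]{3,8}$' -and $_.BaseName -notmatch '[aeiou]') {
            $reasons += 'odd-name'
        }
        if ($reasons.Count -ge 2) {
            [pscustomobject]@{
                File     = $_.FullName
                Modified = $_.LastWriteTime
                Reasons  = ($reasons -join ', ')
            }
        }
    }

$findings | Sort-Object Modified -Descending | Format-Table -AutoSize

# Once a flagged file is confirmed malicious (vendor write-up, known-bad hash),
# rename it first as the thread suggests so a wrong guess does not break the boot.
# Ownership and the read-only bit are what usually block removal; the path below
# is the one from the thread, substituted for whatever the scan flagged:
#   takeown /f  C:\Windows\System32\wdm.dll
#   icacls      C:\Windows\System32\wdm.dll /grant Administrators:F
#   attrib -r   C:\Windows\System32\wdm.dll
#   Rename-Item C:\Windows\System32\wdm.dll wdm.dll.quarantined
```

If the file is loaded by a running process the rename still fails in a normal session, which is exactly the safe-mode-command-prompt case Rip describes.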
Peacedog
Posts: 13148
Joined: Tue Oct 12, 2004 7:11 pm
Location: Despair, level 5

Post by Peacedog »

Ok. . .

We went in and renamed it through the safe mode command prompt. Everything booted normally after that, but we couldn't delete it in normal mode. We tried deleting it through the command prompt, and still couldn't. Woooo. I don't know the ownership status of the file, but that's clearly something we'd need to do in normal safe mode, via the administrator.

Edit: we were having trouble doing that, but we finally figured out why. The file is gone. On to phase 2.

I think this is all that stands between me and freedom.

Also, have you run hijackthis and noted the results?

No, but I have it, and can run it after lunch.

Our new theory here that this is the file that allows Uncle Bill to look at us through our monitors, fwiw.