Trojan_Dialer Message but can't remove the virus!

  kesser 19:36 15 Dec 03

My laptop, networked to 3 other machines all running AVG with Zone Alarm Pro on the gateway, keeps popping up with AVG RESIDENT SHIELD - Virus found TROJAN_DIALER in C:\system_volumeinformation...... (lots of numbers - looks like a registry string {}) followed by A00038.exe. To remove virus run AVG.
I have run AVG, a trojan cleaner, a system cleaner from Trend Micro and performed an online scan - nothing! It is not picked up and still I keep getting the message about every twenty mins. It's driving me crazy!!! Oh, and I have searched the registry for the string and the exe and it's not there.... HELP!

  Nellie2 19:44 15 Dec 03

See my post here :) click here

  kesser 19:54 15 Dec 03

Logfile of HijackThis v1.97.7
Scan saved at 19:55:45, on 15/12/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\1033\wfxmsrvr.exe
C:\PROGRA~1\MICROS~2\Office\1033\OLFMOD32.EXE
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ghgkuhkjhkjhkjhkjhjk\Desktop\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here
O1 - Hosts: 212.33.69.3 js1.hitbox.com
O1 - Hosts: 212.33.69.3 stats.hitbox.com
O1 - Hosts: 212.33.69.3 pagead2.googlesyndication.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=click here
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - click here
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - click here
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - click here
O16 - DPF: {38545C2A-03CD-42C3-BC62-C537A6D5A8F6} (38545C2A-03CD-42C3-BC62-C537A6D5A8F6) - click here
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - click here
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - click here
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - click here
O17 - HKLM\System\CCS\Services\Tcpip\..\{A63AB05F-7AE3-4409-863D-0CD667A0DFA3}: NameServer = 194.73.82.242

Hope it helps!

  Nellie2 20:00 15 Dec 03

I will have a look at your log for you, but as you can see it doesn't post very well here; that is why I gave the links to the other forums.

  kesser 20:02 15 Dec 03

Thanks Nellie - I'll post it on the other one too if I can

  Nellie2 20:21 15 Dec 03

From what I can see it is a pretty clean log apart from one line.

Make sure all browsers and windows are closed, run HijackThis, put a check against this line and have it fix it.

O16 - DPF: {38545C2A-03CD-42C3-BC62-C537A6D5A8F6} (38545C2A-03CD-42C3-BC62-C537A6D5A8F6)
There should be a URL in the line after the numbers in the curly brackets, but like I said it doesn't post well here.

If you are still having problems when you have done this then post your log in one of the forums I gave a link to and someone will help.
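The tell Nellie2 used above is that a healthy O16 (Download Program Files / ActiveX) entry carries a registered friendly name, while the flagged one only repeats its own CLSID. This is an added example, not code from the thread or from HijackThis, that parses O16 lines in the HijackThis 1.97 format and applies that heuristic; the log lines and URLs below are constructed placeholders, not the poster's real log.

```python
import re

# Constructed sample in HijackThis 1.97 format (not the poster's log; URLs are placeholders).
SAMPLE_LOG = """\
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://example.invalid/authorware.cab
O16 - DPF: {38545C2A-03CD-42C3-BC62-C537A6D5A8F6} (38545C2A-03CD-42C3-BC62-C537A6D5A8F6) - http://example.invalid/dialer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://example.invalid/housecall.cab
O4 - HKLM\\..\\Run: [AVG_CC] C:\\PROGRA~1\\Grisoft\\AVG6\\avgcc32.exe /STARTUP
"""

# O16 - DPF: {CLSID} (optional friendly name) - download URL
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}"   # CLSID in curly brackets
    r"(?: \((?P<name>[^)]*)\))?"                     # friendly name, absent on some entries
    r" - (?P<url>\S+)"                               # where the control was downloaded from
)


def parse_o16(log_text):
    """Return a dict (clsid, name, url) for every O16 entry in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def suspicious_o16(log_text):
    """Flag O16 entries with no friendly name, or whose 'name' is just the CLSID repeated.

    A legitimately installed ActiveX control normally registers a readable name
    (e.g. 'Shockwave Flash Object'); a name that merely echoes the CLSID means the
    control was never identified and the download URL deserves a look.
    """
    flagged = []
    for e in parse_o16(log_text):
        name = (e["name"] or "").strip().strip("{}").upper()
        if not name or name == e["clsid"].upper():
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    # In practice read the saved hijackthis.log instead of SAMPLE_LOG.
    for e in suspicious_o16(SAMPLE_LOG):
        print(f"check O16 entry {{{e['clsid']}}} downloaded from {e['url']}")
```

Review the URL of each flagged entry before fixing it; the heuristic only says the control is unidentified, not that it is malicious.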

  kesser 20:29 15 Dec 03

this is the URL attached to that string: click here

Looks pretty sus to me!
I'll let you know.. thanks a lot!

  kesser 20:31 15 Dec 03

Sorry, forgot about the URL thing changing. It's a link called dialer - livecontent and sounds like the one.

  Jester2K II 20:36 15 Dec 03

Switch off System restore, reboot and Switch it on again.

The virus is just stuck in System restore and can be detected but not removed. The virus cannot harm you from here.

  Jester2K II 20:37 15 Dec 03
  kesser 20:53 15 Dec 03

Thanks Jester, but I already tried this. I have deleted the string found sus by Nellie and am hoping that this will do the job :) It hasn't popped up since, so I will do the old 'resolve' in an hour or so if it remains that way.
