Trojan horse Dialer.8.AP

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by alichami, Sep 30, 2004.

  1. alichami

    alichami Private E-2

    Hello,

I wonder if anybody can help me. AVG detects a trojan dialer in C:\Documents and Settings\OWNER\Temporary Internet Files\Content.IE5\0LG9lV81\rdgUS780[1].exe (with the name of Dialer.8.ap). I've run everything - anti-virus, AAW, a2, Hijack This, SpywareBlaster, Noadware - you name it. Even in safe mode, nothing is detected except in AVG, and it can't be eliminated, but I can put it in the vault. When I hit remove it removes it, but it comes back on again when I scan the second time, and my browser is still hijacked by www.bestsearch.name/index.html . I have opened my system and hidden files so I can locate it in the Temp. Internet Files, but nothing is there.

I think what is worth mentioning is that every time it does its scan or I get an error, it shows it to me in a different folder in the Content.IE5/xxxxxxxx ... what I mean is those xs are different every time .. every time with a different folder name.

    Thanks in advance

    PLEASE LET ME KNOW IF I NEED TO POST THE LOGFILE OF HIJACKTHIS:
     
  2. Kodo

    Kodo SNATCHSQUATCH

    Do you have system restore running?
     
  3. alichami

    alichami Private E-2

    Yes, I think ...What is that anyways ?

    Thanks for the help by the way.
     
  4. Kodo

    Kodo SNATCHSQUATCH

    System Restore makes "backup" restore points of a previous state of your PC. Malware can hide in there and reinfect your PC.

    I suggest you clean your IE cache and turn off your System Restore.
    It would be a good idea to re-read the Scanning And Cleaning Steps section of the tutorial as well.

    http://forums.majorgeeks.com/showthread.php?t=35407
     
  5. alichami

    alichami Private E-2

    OK ...

    How do I turn the system restore off?? and after that do you mean scan my PC again or what ??

    Sorry you can tell I am a little confused.
     
  6. Kodo

    Kodo SNATCHSQUATCH

    Right click on My Computer.. choose Properties.. choose the SYSTEM RESTORE tab. Check the box that says "Turn off System Restore" and confirm the changes. After you turn off System Restore, follow the entire tutorial again EXACTLY how it is described. I can't stress this enough.... :cool:
     
  7. alichami

    alichami Private E-2

    Ok,

    I turned it off and followed the tutorial .. it said that it was fixed, but when I restarted again .. my webpage still went back to http://www.bestsearch.name/index.html

    But what is interesting is that I know that the trojan horse is still there but nothing is detecting it now...

    So I don't know what to do ...Please advise.

    Thanks.
     
  8. Kodo

    Kodo SNATCHSQUATCH

    Please run HiJackThis and attach it to a post as a TXT file...
     
  9. alichami

    alichami Private E-2

    Here is the HijackThis log file:
     
  10. Kodo

    Kodo SNATCHSQUATCH

    Well, for starters you're not even at SP1 level for Windows XP. That alone can leave you open to so many bad things.

    All this has to go:
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bestsearch.name/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bestsearch.name/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bestsearch.name/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://bestsearch.name/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bestsearch.name/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bestsearch.name/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bestsearch.name/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bestsearch.name/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bestsearch.name/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bestsearch.name/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bestsearch.name/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bestsearch.name/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bestsearch.name/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bestsearch.name/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bestsearch.name/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bestsearch.name/search.html

    O4 - HKLM\..\Run: [winupd] C:\Windows\System32\winupd.exe
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.188.194/winsearchie32.chm::/winsearchie32.exe

    You're a mess.
    After you delete those keys, I HIGHLY HIGHLY HIGHLY recommend you update to at least SP1 with post-SP1 hotfixes.
     
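    As an added illustration (not code from this thread or from HijackThis itself), a small Python triage of the three line types Kodo flags above: R0/R1 IE start and search values, O4 autostart entries, and O16 downloaded program files using an ms-its: CHM loader. The sample lines are constructed from entries quoted in this thread, and the set of hijack hosts is an assumption a responder would fill in from the log being reviewed.

```python
import re
from urllib.parse import urlparse

# Constructed sample log: lines modelled on the HijackThis entries quoted in this
# thread, plus one benign Start Page line for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bestsearch.name/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bestsearch.name/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
O4 - HKLM\..\Run: [winupd] C:\Windows\System32\winupd.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.188.194/winsearchie32.chm::/winsearchie32.exe
"""

# Assumed: hosts the browser was hijacked to, taken from the log under review.
HIJACK_HOSTS = {"bestsearch.name", "www.bestsearch.name"}

LINE_RE = re.compile(r"^(?P<type>R[01]|O4|O16) - (?P<body>.+)$")


def triage(log: str, hijack_hosts=HIJACK_HOSTS):
    """Return (category, detail) tuples for every line that needs a closer look."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("type"), m.group("body")
        if kind in ("R0", "R1"):
            # R0/R1: IE start/search registry values; flag any pointing at a hijack host.
            key, _, value = body.partition(" = ")
            host = urlparse(value.strip()).hostname or ""
            if host in hijack_hosts:
                findings.append(("ie_hijack", f"{key} -> {host}"))
        elif kind == "O4":
            # O4: Run-key autostart entries; every one must be accounted for.
            name = re.search(r"\[(.+?)\]", body)
            findings.append(("autostart", name.group(1) if name else body))
        elif kind == "O16":
            # O16: downloaded program files; an ms-its: URL pulling an .exe out of a
            # .chm is the CHM loader pattern seen in this thread's log.
            if "ms-its:" in body.lower():
                findings.append(("chm_loader", body.split(" - ", 1)[-1]))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:11s} {detail}")
```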
  11. alichami

    alichami Private E-2

    Thanks again Kodo.

    You are right I am a mess....

    I deleted the ones that you told me about, but every time I run HijackThis it is still there..

    Also I went to Windows Update to try to update my XP to SP1 and it keeps saying:

    Windows Update has encountered an error and cannot display the requested page. Try refreshing the page, clearing your Internet Explorer Temporary Internet Files, closing and restarting Internet Explorer, or trying Windows Update again later

    and I did all that but no use ...
    So PLEASE advise.
     
  12. Kodo

    Kodo SNATCHSQUATCH

  13. alichami

    alichami Private E-2

    I did what you told me to do .. I ran CWShredder and HijackThis in safe mode; it showed that it deleted it .. but when I restarted I got the same thing back.

    it is telling me that I have Dialer.8.ap on my system and my home page is still hijacked.

    I need to get a rid of this before I download sp1 right??

    PLEASE advise ..
     
  14. Kodo

    Kodo SNATCHSQUATCH

    Yes, try to get rid of as much malware as possible before you update to SP1..

    Try this next

    Try A squared
    http://www.majorgeeks.com/download4281.html

    run it from safe mode followed by CWShredder again .

    Post a log when you're done.
     
  15. alichami

    alichami Private E-2

    OK.. I did what you told me to do. A2 found the sucker, I removed it ... ran CWShredder .... and then ran HijackThis to delete what you mentioned before ....

    I restarted ... and then I opened my browser ... Guess what ... still hijacked, and I still get the warning that I have Dialer.8.ap

    Attached is a copy of the logfile.

    This thing is stupid man ..

    Thanks
     
  16. Kodo

    Kodo SNATCHSQUATCH

    Calling in for some backup on this one..stand by.
     
  17. Numinous

    Numinous Private E-2

    Has there been any solution to this .. I see the thread kinda ended on 30/9 - I am suffering in much the same way as alichami. I have followed Kodo's instructions to the letter, but am unable to get rid of this sucker.

    Any assistance would be greatly appreciated.
     
  18. Kodo

    Kodo SNATCHSQUATCH

    I'll look into this one again today.
     
  19. Kodo

    Kodo SNATCHSQUATCH

    Numinous, please start your own thread so we can track your issues.

    alichami,
    I rescanned your log and it looks like you have a Bagel.O worm on there.

    Please try this Avast! Home Edition 4.1.418 AV to remove the threat, and then try to fix the lines below:

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bestsearch.name/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bestsearch.name/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bestsearch.name/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://bestsearch.name/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bestsearch.name/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bestsearch.name/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bestsearch.name/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bestsearch.name/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bestsearch.name/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bestsearch.name/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bestsearch.name/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bestsearch.name/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bestsearch.name/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bestsearch.name/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bestsearch.name/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O4 - HKLM\..\Run: [winupd] C:\Windows\System32\winupd.exe
     
