Help Please AVG can't get rid of virus

Rally

Help please.
My sister's computer is running ME and AVG 7.0.
This a.m. AVG found a virus which it says it can't
get rid of.

It says: trojan horse dialer.17.h
a5088192.cpy

She can connect to the internet
but cannot access anything (IE, mail, etc.)

Can anyone tell me how to get rid of
or restore her puter?

She said she did a restore and that
didn't help.

Thanks
 
David H. Lipman

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt388.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode and shut down as many applications as possible
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) Create a new Restore point


* * * Please report your results ! * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html





| Help please.
| My sister's computer is running ME and AVG 7.0.
| This am AVG found a virus which it says it can't
| get rid of.
|
| It says: trojan horse dialer.17.h
| a5088192.cpy
|
| She can connect to the internet and
| but cannot access anything (IE, mail, etc.)
|
| Can anyone tell me how to get rid of
| or restore her puter?
|
| She said she did a restore and that
| didn't help.
|
| Thanks
|
 
Rally


Thanks David for the prompt response.
Maybe I didn't say it right, but she can
connect to the internet (at least her modem
shows up on the task bar and indicates the
speed it is connected) but she can't open
IE or her mail program. I don't know if she
is actually connecting but her modem
indicates she is and her phone line is busy.
How could she download something?
As you can tell, we are novices.

Thanks
 
David H. Lipman

You can access the Internet Right ?

Download the files for her.


--
Dave




| On Wed, 02 Feb 2005 18:47:55 GMT, "David H. Lipman"
|
| >1) Download the following three items...
| >
| > Trend Sysclean Package
| > http://www.trendmicro.com/download/dcs.asp
| >
| > Latest Trend Pattern File.
| > http://www.trendmicro.com/download/pattern.asp
| >
| > Adaware SE (free personal version v1.05)
| > http://www.lavasoftusa.com/
| >
| >Create a directory.
| >On drive "C:\"
| >(e.g., "c:\New Folder")
| >or the desktop
| >(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
| >
| >Download Sysclean.com and place it in that directory.
| >Download the Trend Pattern File by obtaining the ZIP file.
| >For example; lpt388.zip
| >
| >Extract the contents of the ZIP file and place the contents in the same directory as
| >sysclean.com.
| >
| >2) Update Adaware with the latest definitions.
| >3) Disable System Restore
| > http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
| >4) Reboot your PC into Safe Mode and shutdown as many applications as possible
| >5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
| > platform and clean/delete any infectors/parasites found.
| > (a few cycles may be needed)
| >6) Restart your PC and perform a "final" Full Scan of your platform using both the
| > Trend Sysclean utility and Adaware
| >7) Re-enable System Restore and re-apply any System Restore preferences,
| > (e.g. HD space to use suggested 400 ~ 600MB),
| >8) Reboot your PC.
| >9) Create a new Restore point
| >
| >
| >* * * Please report your results ! * * *
|
| Thanks David for the prompt response.
| Maybe I didn't say it right, but she can
| connect to the internet (at least her modem
| shows up on the task bar and indicates the
| speed it is connected) but she can't open
| IE or her mail program. I don't know if she
| is actually connecting but her modem
| indicates she is and her phone line is busy.
| How could she download something?
| As you can tell, we are novices.
|
| Thanks
 
Melissa

Hi Rally,

> It says: trojan horse dialer.17.h
> a5088192.cpy

I'll only add the following comment for the moment:

".cpy" files are generally files found in "System Restore", and do not
necessarily indicate an "infection" of the machine in general. Please
see this article:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q263455

- --
Melissa

 
nobody

> You can access the Internet Right ?
>
> Download the files for her.

Yes, but I am in Texas and she is in Colorado.
She could probably find someone to download
it for her.

I just called her and asked her if she had run
Ad aware and Spy bot and she said she did
and Ad aware ran fine but Spy bot quit part way
through. I asked her to try and run it again.

Thanks again.
 
nobody

> Hi Rally,
>
> I'll only add the following comment for the moment:
>
> ".cpy" files are generally files found in "System Restore", and do not
> necessarily indicate an "infection" of the machine in general. Please
> see this article:
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;q263455

Thanks Melissa.
I will call her in a minute and ask her to read
me the files again. I know she tried to
restore the system to a previous date so
it may be that it copied a file and that was
not the original name.
I am not real sure what I am looking for
in terms of the name.
I know she had one called Trojan Horse Dialer.17.h
but whether that was a file name or message I
don't know.

Thanks again.
 
Ian Kenefick

> Thanks Melissa.
> I will call her in a minute and ask her to read
> me the files again. I know she tried to
> restore the system to a previous date so
> it may be that it copied a file and that was
> not the original name.
> I am not real sure what I am looking for
> in terms of the name.
> I know she had one called Trojan Horse Dialer.17.h
> but whether that was a file name or message I
> don't know.
>
> Thanks again.

This is not the name of the file - it is the name of the threat
contained within. If this were a filename it would not be a threat as
.h extension is not executable.



Regards,
Ian Kenefick
http://www.ik-cs.com
 
David H. Lipman

What version of Adaware did she run ?

--
Dave




| On Wed, 02 Feb 2005 19:10:38 GMT, "David H. Lipman"
|
| >You can access the Internet Right ?
| >
| >Download the files for her.
|
| Yes, but I am in Texas and she is in Colorado.
| She could probably find someone to download
| it for her.
|
| I just called her and asked her if she had run
| Ad aware and Spy bot and she said she did
| and Ad aware ran find but Spy bot quit part way
| through. I asked her to try and run it again.
|
| Thanks again.
 
nobody

> What version of Adaware did she run ?

I will have to confirm it with her but I think
it is the same as mine...... 6.0.
Off the subject but when I try and update
it always says none is available.

The spybot I believe is 1.2 and
that is the one she said stopped
part way through.
 
David H. Lipman

Adaware6 is out-of-date, no longer supported and no longer updated.

The current version is Adaware SE v1.05 (also free for personal use).

--
Dave




| On Wed, 02 Feb 2005 19:53:54 GMT, "David H. Lipman"
|
| >What version of Adaware did she run ?
|
| I will have to confirm it with her but I think
| it is the same as mine...... 6.0.
| Off the subject but when I try and update
| it always says none is available.
|
| The spybot I believe is 1.2 and
| that is the one she said stopped
| part way through.
|
|
 
nobody

> Adaware6 is out-of-date, no longer supported and no longer updated.
>
> The current version is Adaware SE v1.05 (also free for personal use).

Thanks. I'll update mine and advise her to do same.
Do you think the Spybot stopping has anything to do with this?
 
Melissa

Hi nobody,

> Thanks Grim. Now I am wondering if it does have something to do
> with AVG.

I haven't played with AVG for almost four years now, so I can't have
an opinion on how it is now, but I do remember some *false positive*
detections that turned into never ending "healing loops" if "heal"
was the option chosen. Very annoying, though I suppose it could be
said that choosing the "heal" option was the cause of all the
problems. However, how/why should a novice think to do anything
other than to trust the software, and choose what seems like a
reasonable option?

Still though, it's not at all unusual for an AV to detect an infected
file in the "Restore" folder, where, for all intents and purposes,
it's harmless; and either by FIFO will be flushed eventually, or
instantly if manual purging of the "Restore" folder is the option
chosen.

The connection problem may be another issue entirely.

- --
Melissa

 
David H. Lipman

I don't use SpyBot S&D so I can't speculate. I can state that the cause could be disk
fragmentation or other file allocation problems that would require a complete Check Disk
with fix.

--
Dave




| On Wed, 02 Feb 2005 20:04:34 GMT, "David H. Lipman"
|
| >Adaware6 is out-of-date, no longer supported and no longer updated.
| >
| >The current version is Adaware SE v1.05 (also free for personal use).
|
| Thanks. I'll update mine and advise her to do same.
| Do you think the Spybot stopping has anything to do with this?
|
 
David H. Lipman

What I suggested will scan the system after purging the Restore Cache and may rule out False
Negatives and/or False Positives and will scan for non-viral malware.

What Rally indicates sounds like the "trojan horse dialer.17.h" was found on a WinME PC
System Restore Cache in the file "a5088192.cpy".

--
Dave




| Hi nobody,
|
| On Wed, 02 Feb 2005 14:41:34 -0600, you wrote:
|
| > On Wed, 2 Feb 2005 20:20:44 -0000, "GrimReaper" wrote:
|
| >> http://www.bullguard.com/forum/8/
|
| > Thanks Grim. Now I am wondering if it does have something to do
| > with AVG.
|
| I haven't played with AVG for almost four years now, so I can't have
| an opinion on how it is now, but I do remember some *false positive*
| detections that turned into never ending "healing loops" if "heal"
| was the option chosen. Very annoying, though I suppose it could be
| said that choosing the "heal" option was the cause of all the
| problems. However, how/why should a novice think to do anything
| other than to trust the software, and choose what seems like a
| reasonable option?
|
| Still though, it's not at all unusual for an AV to detect an infected
| file in the "Restore" folder, where, for all intents and purposes,
| it's harmless; and either by FIFO will be flushed eventually, or
| instantly if manual purging of the "Restore" folder is the option
| chosen.
|
| The connection problem may be another issue entirely.
|
| - --
| Melissa
|
 
Nomad

> I don't use SpyBot S&D so I can't speculate. I can state that the cause could be disk
> fragmentation or other file allocation problems that would require a complete Check Disk
> with fix.


Thanks. I'll have her run check disk tonight.
 
