getting rid of Win32 dialer trj and LSA shell (export version)

Discussion in 'malware problems & news' started by ania778, Oct 29, 2006.

Thread Status:
Not open for further replies.
  1. ania778

    ania778 Registered Member

    Joined:
    Oct 29, 2006
    Posts:
    9
    Hi,

    I'm not sure if I am posting to the right section of the forum. An Avast scan has told me I have Malware.

    There seem to be three areas infected with the Win32 dialer 650 trojan. Avast was unable to move the infected files to the virus chest and was unable to repair the files. Two files are in the C:/"system volume information" folder, the other is in a programme I have never installed, in Online Services: BT Yahoo!. I am unable to delete this file or remove the programme from my system (I get error messages saying I am not allowed to remove it). It came with the computer.

    I've also scanned with spybot and AVG anti spyware and they do not pick up the infected files (AVG picked up some infected cookies and deleted them, spybot picked up various adware files and deleted those).

    I don't understand how I could have been infected as I did a full scan offline with Avast only a couple of weeks ago and all was clean. Maybe I didn't use thorough enough settings that time.

    I've also now updated windows with the latest updates.

    The reason I did a full scan was because I have zone alarm firewall installed and yesterday it picked up LSA Shell (export version) trying to access the internet. I denied access and have now blocked the programme on zone alarm. When I started to read about LSA shell I found it to be an adware dialer host. I am now panicking in case someone is trying to dial premium rate numbers via my pc. I have a phone bill dated 11th Oct which is ok. I'm hoping zone alarm will have blocked any callers. I'm also planning to tell the phone company to block any premium numbers on that line.

    Not sure what else I can do as I seem to be unable to remove the trojan from the files (they are BT dll files so I assume I need this to connect to a british telecom line?).

    Sorry I don't have the full details as Avast for some reason won't allow me to access the scan report at the moment. Will post more if it lets me do this online. Please help, any advice would be much appreciated!
     
  2. ania778

    ania778 Registered Member

    Joined:
    Oct 29, 2006
    Posts:
    9
    These are the details of the scan results :
    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP148\A0043578.msi\Data1.cab\btwebcontrol.dll

    Win32:Dialer-670 [Trj]

    Malware Type : Dialer

    VPS version : 0643-8, 27/10/2006

    Recommended action : move to chest

    On moving to chest : The operation is not supported by this type of archive cannot process
    C:\Program Files\Online Services\BTYahoo\HPPre05.msi\Data1.cab\btwebcontrol.dll

    Win32:Dialer-670 [Trj]

    Malware Type : Dialer

    VPS version : 0643-8, 27/10/2006

    On moving to chest : The operation is not supported by this type of archive cannot process
    I am also getting the following message window when signing onto AOL (first time today)

    Aol Setup

    Improving your connection

    Aol has detected changes in your connection setup. Click OK to finish updating the changes.

    Options “OK” or “remind me later”

    “remind me later” selected
     
  3. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hello,

    the first one seems to be in System Restore. Best to disable it, then re-enable it again. If u are not sure how, look here,

    http://www.pchell.com/virus/systemrestore.shtml

    Try another scan after to see if it worked.



    snowbound
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Don't they just look like a false positive, part of the legitimate BTYahoo application?
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Can u upload them to VirusTotal?
     
  6. ania778

    ania778 Registered Member

    Joined:
    Oct 29, 2006
    Posts:
    9
    Many thanks, Snowbound. I switched off System Restore and rescanned. The System Volume Information virus alert no longer comes up. Only the BT Yahoo ones are left.
     
  7. ania778

    ania778 Registered Member

    Joined:
    Oct 29, 2006
    Posts:
    9

    Sorry, not sure how to do this. What is VirusTotal?

    I would just like to get rid of the whole BT Yahoo directory but it won't let me. I've never used it and don't plan to. How can I safely remove a programme that isn't even installed?

    While I was looking in the hidden files I came across one called "unwise". Is this another virus lurking? I scanned it and it came up clean but where do all these strange files come from? I'm always so careful downloading attachments. I used to know where I was with windows 98 but XP seems to have a life of its own.....

    Thanks again for your help
     
  8. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    http://www.virustotal.com/en/indexf.html

    Submit the file there and see what turns up. U could also submit the file to AVG and see if it is possibly a false positive.
     
    Last edited: Oct 29, 2006
  9. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Hmmmm.......:cautious: Let's see what you get, boy. NOTE: Above results in quote box were results from a scan performed in August 2006. Seems like it was added into most AVs defs. recently...
    Scan performed @ virusscan.jotti.org
    In August it seems most AVs did not regard btwebcontrol.dll as a dialer. Why are they detecting it now?
     
    Last edited: Oct 29, 2006
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
     
  11. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Right, thanks. I'm gettin old. :blink: :D



    snowbound
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That is obvious from ur Avatar!:)
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I still suspect it is a false positive, as KAV also labelled it. It might be a legitimate dialer from BT Yahoo; one was on my system also, and in the past Ewido flagged it. I wrote to them and they accepted it to be a false positive.
    Anyway, I am not sure.
     
  14. ania778

    ania778 Registered Member

    Joined:
    Oct 29, 2006
    Posts:
    9
    Hi, been trying to upload the btyahoo file to the VirusTotal website and it seems to keep trying to upload over and over with no joy. I think the file is maybe too big or something. I tried to upload to AVG (as I have both Avast antivirus and AVG anti-spyware set up) and that also seemed to freeze at opening a new page.

    I thought of emailing it as an attachment, but after trying to upload it to VirusTotal it's disappeared from Explorer.... Should I turn off Avast antivirus when uploading? Help, losing the will to live here....:oops:
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    You can run a rescan with ur AV to see where it is now.
    There is an option on VirusTotal to click if u are uploading a file with ur antivirus enabled at the same time.
    If u find it now, just check its size.
     
  16. ania778

    ania778 Registered Member

    Joined:
    Oct 29, 2006
    Posts:
    9
    Thanks, I've rescanned and this is the only thing now showing up as infected.

    I think I can't upload it because, despite Explorer showing it to be 18324 KB, file properties say it's a whacking 17.8 MB! So I can't send it to VirusTotal by email as they only take 10 MB. It's still not showing up in normal Explorer. I found it again by going into the properties of the shortcut in the Start menu program toolbar and selecting "Find Target". It says it's a "Windows Installer package".

    The file shows it was last modified in Jan 05, so maybe, as you say, it is something already built in by BT that Avast is somehow picking up as a virus. The Win32 dialer trojan seems to have been around for a couple of years and I've had the computer only a year.

    There is a PC clinic near me. I might take the laptop there to see if they can do anything.
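The size puzzle in this post (18324 KB in the Explorer list against 17.8 MB in Properties) is two views of one number: Explorer rounds the byte count up to whole KB, and the Properties dialog truncates the MB figure to one decimal. The script below is an added example and is not from this thread or from any of the tools it names. It does the triage a malware helper normally asks for before judging a suspected false positive: exact size in bytes, both Windows-style size figures, the last-modified time, whether the file is under the 10 MB e-mail limit mentioned above, and its MD5/SHA-256, which can be searched for at VirusTotal instead of uploading an 18 MB installer. The dummy file it writes is constructed on the spot (zero bytes, not the real HPPre05.msi), and the 10 MB limit is taken from the post rather than from any current VirusTotal policy.

```python
import hashlib
import math
import os
import tempfile
from datetime import datetime, timezone

# Limit for e-mailing a sample, as reported in the thread (10 MB); an assumption for this demo.
UPLOAD_LIMIT_BYTES = 10 * 1024 * 1024


def hash_file(path, chunk_size=1024 * 1024):
    """Return (md5, sha256) hex digests, read in chunks so an 18 MB
    installer is never held in memory all at once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def kb_as_explorer_list(size_bytes):
    """Explorer's file list rounds a size UP to whole KB (1 byte shows as 1 KB)."""
    return math.ceil(size_bytes / 1024)


def mb_as_properties_dialog(size_bytes):
    """The Properties dialog truncates (does not round) the MB figure to one decimal,
    which is why 18324 KB reads as 17.8 MB rather than 17.9 MB."""
    return math.floor(size_bytes / (1024 * 1024) * 10) / 10


def kb_to_mb(kilobytes):
    """Convert an Explorer KB figure to the MB figure Properties would show."""
    return mb_as_properties_dialog(kilobytes * 1024)


def triage_file(path, upload_limit=UPLOAD_LIMIT_BYTES):
    """Collect the facts a forum helper asks for: size in three forms, mtime,
    hashes for a hash lookup, and whether the sample fits the upload limit."""
    st = os.stat(path)
    md5, sha256 = hash_file(path)
    return {
        "path": path,
        "size_bytes": st.st_size,
        "size_kb_explorer": kb_as_explorer_list(st.st_size),
        "size_mb_properties": mb_as_properties_dialog(st.st_size),
        "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "md5": md5,
        "sha256": sha256,
        "fits_upload_limit": st.st_size <= upload_limit,
    }


def write_constructed_sample(data):
    """Write a constructed dummy file (not a real sample) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".msi")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def discard_sample(path):
    """Delete a dummy file created by write_constructed_sample."""
    os.remove(path)


if __name__ == "__main__":
    # Stand-in for the 18324 KB installer from the thread: 18324 * 1024 zero bytes.
    sample = write_constructed_sample(b"\x00" * (18324 * 1024))
    try:
        for key, value in triage_file(sample).items():
            print(f"{key:>20}: {value}")
        print("18324 KB in Explorer ->", kb_to_mb(18324), "MB in Properties")
    finally:
        discard_sample(sample)
```

Running it on the dummy file reports 18763776 bytes, 18324 KB, 17.8 MB and `fits_upload_limit: False`, which is exactly the combination that blocked the upload in the post; for a real file the two hashes are what to paste into a forum reply or a VirusTotal hash search.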
     
  17. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hello again,

    u could post a HijackThis log over at this site,

    http://gladiator-antivirus.com/forum/index.php?showtopic=10517

    Just follow the instructions at the link, post your log with the issues and the malware experts there will analyse it and give u removal instructions on any infections found.



    snowbound
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    If u can't see it, maybe it is hidden.
    Can u try to run the Kaspersky online scan?
    In an extreme case I will make the hidden files visible and then manually find it in Explorer, then copy it to a CD as a backup, and after that I will just delete it manually. That's it.
     
  19. ania778

    ania778 Registered Member

    Joined:
    Oct 29, 2006
    Posts:
    9
    Hi Aigle, I've just run a full Kaspersky online scan and it came up with no virus in the BTyahoo folder. Does this mean that it is a false positive on Avast?

    Yesterday I repeated the Avast full scan and the System Volume Information files which disappeared when I turned off System Restore are now back. I tried to scan these folders with Kaspersky online but the scan result came back as "object is locked", skipped.

    I've arranged with the phone company to block any premium rate dialing from this line and there have been no calls recorded so I assume my firewall is blocking any access. Would be good to get rid of it if it is a virus but not sure how.
     
  20. ania778

    ania778 Registered Member

    Joined:
    Oct 29, 2006
    Posts:
    9
    By the way I don't think I can delete the files because when I tried it came up with a message saying I don't have permission.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That's interesting. I don't feel myself expert enough to advise without seeing the things myself. Anyway, in this case I will make a backup image of the system and then delete all suspected files by booting from a BartPE CD. But u can't do it unless u are sure that u can handle a system loss.

    I will just suggest you wait until someone expert here gives his opinion.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, is the 18 MB size shown just for the btwebcontrol.dll file or for the whole BTyahoo folder?
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Just found this.
     
  24. ania778

    ania778 Registered Member

    Joined:
    Oct 29, 2006
    Posts:
    9
    Thanks Aigle. :) It seems it's the btyahoo HPPre05 installation file that is 18 MB, not the directory/folder. Looks like it's frequently seen as a virus in error. Not sure why it shows in the System Volume Information file too.

    I'm not experienced enough to confidently delete system files manually so I think I will keep monitoring my phone bill and might take my laptop to be looked at sometime in the future.

    From what I have read dialers can only harm my system by dialing premium rate numbers. I'm planning to get a new desktop soon so I will try to be more careful with that.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ok. BTW u can write to BTYahoo support and, importantly, you must write to Avast support as well so if it is a false positive they will fix it.
    Additionally it will not hurt to post a HijackThis log in the SWI forum just to be sure.
     