
resilient virus? WebDialer li-speed00199 :-((


Ralf Quint

Oct 9, 2002, 8:55:48 PM
Hello folks,

I would need some help from you guys...

I got a computer today from a friend, which is infested with a very
resilient "virus", a dialer called li-speed00199...

To make matters worse, it's a Windows ME system, and even though I
tried to disable the system restore, the beast keeps coming back even
after deleting every possible reference of it in all obvious (windows)
folders as well as several entries in the registry.

I tried to get some more info through Google from the web, but all I
could find that would refer to this specific dialer are questions
from others on how to remove that shit...

Anyone with a serious idea on how to get rid of it once and for all???

tia,

Ralf

Nick FitzGerald

Oct 10, 2002, 7:21:29 AM
"Ralf Quint" <Ralf_...@hottmail.com> wrote:

Sure -- you say you got the "obvious" registry, etc entries yet it
"keeps coming back", so "obviously" you missed one of the less
obvious tricks.

As there are heaps of these and it will take me longer to describe them
all, how to test for them and locate them and even to remember them
all, I'd suggest that your best bet is to send a copy of the EXE(s)
that keep re-appearing to your preferred AV vendor and ask them why
they don't detect it and how to remove it. (You could send it to me
for the same analysis, but I'm going to bed RSN, so may not get onto
it till the AM here -- despite the address, I'm in NZ at +1300.)


--
Nick FitzGerald


Ralf Quint

Oct 10, 2002, 3:03:52 PM
On Fri, 11 Oct 2002 00:21:29 +1300, "Nick FitzGerald"
<ni...@virus-l.demon.co.uk> wrote:

>"Ralf Quint" <Ralf_...@hottmail.com> wrote:
>
>> I would need some help from you guys...
>>
>> I got a computer today from a friend, which is infested with a very
>> resilient "virus", a dialer called li-speed00199...
>>
>>

>> Anyone with a serious idea on how to get rid of it once and for all???
>
>Sure -- you say you got the "obvious" registry, etc entries yet it
>"keeps coming back", so "obviously" you missed one of the less
>obvious tricks.

Well, that's why I tried to ask for help in here... ;-)))

OK, I searched files and registry for anything that somehow could be
related to the dialer. Here is a bit more info on what I found out so
far:

- It is placed in a folder "WebDialer", where the actual dialer
executable (dlres.exe) is placed.
- shortcuts to the dialer (then named "li-speed00199") are placed into
the Start Menu and Start Menu-Programs and "somehow" are started on
startup in the system tray.
- there are two "Webdialer" folders in the registry, which I also
always removed...

- It seems that there is another executable, rdve.exe, associated,
which is placed directly (no shortcut) in the Startup folder. There
is no trace of rdve.exe to be found anywhere in the registry. My
guess so far is that this part is actually dropping the dialer and
creating the "WebDialer" folder and registry entries.

But as I mentioned, there is no obvious trace of which program
actually drops the rdve executable itself.

The machine is not on a network (anymore), file and printer sharing is
uninstalled and the Windows ME System Restore feature is disabled,
though some of the Symantec "Fix...." tools claim it is still
active....

The system was earlier in the week infected with the OpaServ worm, which
was found by NAV (which she keeps up to date after some bad Nimda experience
last year), but I later found one more instance with FixOpsrv,
which got removed, and several consecutive runs did not show it up
anymore. Scans specifically for BugBear, Klez, Goner, Nimda and a few
others also all came back negative; however NAV is running only in safe
mode (which takes a while, the machine has 2 60GB drives with a lot of
research stuff), but came back negative so far as well...

I have disabled at startup everything that is not vital to the basic
functions of the machine, but so far, the dialer came back every time
the machine is restarted...

>
>As there are heaps of these and it will take me longer to describe them
>all, how to test for them and locate them and even to remember them
>all, I'd suggest that your best bet is to send a copy of the EXE(s)
>that keep re-appearing to your preferred AV vendor and ask them why
>they don't detect it and how to remove it. (You could send it to me

mmmh, one general question would be if such "dialers" are considered a
virus or not? But I can give it a try, she is using NAV 2003 and
Symantec is just "around the corner" in Santa Monica...

>for the same analysis, but I'm going to bed RSN, so may not get onto
>it till the AM here -- despite the address, I'm in NZ at +1300.)

too bad, I am in Los Angeles (that's -0800) and I just got back into
the office...
Well, I'll zip them up when I get my hands on them again and hope you
might be able to help me a bit more...

well, maybe someone else has any useful ideas??

thanks again,

Ralf

Axel Pettinger

Oct 11, 2002, 1:10:03 AM
Ralf Quint wrote:
>
> - It seems that there is another executable, rdve.exe, associated,
> which is placed directly (no shortcut) in the Startup folder. There
> is no trace of rdve.exe to be found anywhere in the registry. My
> guess so far is that this part is actually dropping the dialer and
> creating the "WebDialer" folder and registry entries.
>
> But as I mentioned, there is no obvious trace of which program
> actually drops the rdve executable itself.

"rdve.exe" is another file name used by the "E" variant [McAfee] of the
"Ultimax" worm: http://vil.nai.com/vil/content/v_99580.htm
It spreads itself via open shares. Remove or protect them. If you do not
remove them, then visit <http://windowsupdate.microsoft.com/> to
download and install all patches from Microsoft for Windows ME.
Otherwise the shares aren't really protected ...

Regards,
Axel Pettinger

vwluvrs

Oct 11, 2002, 3:17:25 AM
I too have this malicious little bugger on my system.
I have gone the regedit method..
I have gone the msconfig method,
I went to their web page for the uninstall
http://econnect.libereco.com/uninstall/uninstal.exe
Installed it and ran it (can you trust it? I think NOT!)
even though it said it was deleted.
I downloaded and ran The Cleaner from www.moosoft.com
no luck..
I already have the latest Norton on my system..
I also brought in Tiny Personal Firewall..
Still have to get rid of this trojan though..
Help!
Please email me direct
Terry
vwl...@cvip.net

Ralf Quint

Oct 11, 2002, 1:34:12 PM
On Fri, 11 Oct 2002 07:10:03 +0200, Axel Pettinger <a...@epost.de>
wrote:

>Ralf Quint wrote:
>>
>> - It seems that there is another executable, rdve.exe, associated,
>> which is placed directly (no shortcut) in the Startup folder. There
>> is no trace of rdve.exe to be found anywhere in the registry. My
>> guess so far is that this part is actually dropping the dialer and
>> creating the "WebDialer" folder and registry entries.
>>
>> But as I mentioned, there is no obvious trace of which program
>> actually drops the rdve executable itself.

Ok, basically, the problem seems to be solved now...

>
>"rdve.exe" is another file name used by the "E" variant [McAfee] of the
>"Ultimax" worm: http://vil.nai.com/vil/content/v_99580.htm

Thanks for the info, I think I actually got rid of that one quickly;
NAV 2003 did not find it, but it hasn't been coming back yet either...

>It spreads itself via open shares. Remove or protect them. If you do not
>remove them, then visit <http://windowsupdate.microsoft.com/> to
>download and install all patches from Microsoft for Windows ME.
>Otherwise the shares aren't really protected ...

Been there, done that....;-))

What helped to get rid of the dialer was actually the program SpyBot
from M.Kolla.
It found some hidden registry entries associated with "DialerFactory",
which had been missed by the latest Ad-Aware (which so far, has worked
fine for me a lot of times...).
Once removed, the system came back to normal and a full system scan
with NAV and latest updates came back negative; I am right now running
a cross check with F-PROT...

Thanks for the info about rdve, I will check if this is known to
Symantec as well (I normally guess so)...

take care,

Ralf

Ralf Quint

Oct 11, 2002, 1:40:05 PM

As I mentioned in my reply to Axel, try SpyBot Search & Destroy by
Patrick Michael Kolla (http://security.kolla.de/index.php), it found
some entries associated with something called "DialerFactory".
Once it had deleted those references, the system was back to normal,
but YMMV...

Ralf

geoi310

Oct 11, 2002, 4:07:57 PM
I too have a client with this li_speed00199 webdialer. I've tried
anti-trojan, Norton, and F-Secure to get rid of it but haven't been
successful.

System also had the opaserv worm, and the funlove virus, which were
all detected and removed or fixed.

Any advice or a final official fix for this webdialer would be
appreciated.

Thanks


Http://www.extremelures.com
World's largest selection of Megabait Lures Online!

Giorgio

Oct 28, 2002, 2:22:03 AM
Hi, I found on my LAN the li-cerit webdialer (W98) that hadn't changed my
connection settings since the infected machine uses a proxy server.
I hadn't got rid of this nag by cleaning the registry trying to guess
entries, so I think it has some entries that are not easy to guess...
I obviously cleaned any file related to the dialer download on the
whole LAN (they are well hidden, I could find some of them only in
explore mode), but the dialer automatically redownloaded from
66.240.141.87:21 over TCP. Using the "recommended uninstaller" only
removed the dialer for a while (then it reinstalled) and installed
another worm.
Finally I manually removed reg entries of those worms and deleted any
related file on the LAN, and I blocked the address with a firewall:
none of those worms now seem to exist on the infected computer, but
something is trying to contact the address to download the dialer!
Now I'll format the infected machine; I hope my experience could be
useful to find the way of getting rid of those reinstalling
nags!
Giorgio

Raffaele

Oct 29, 2002, 11:57:49 AM
Ralf Quint <Ralf_...@hottmail.com> wrote in message news:<plj9qukhrnih9h7dn...@4ax.com>...


Hello

I solved the problem by running the file:

http://econnect.libereco.com/uninstall/uninstall.exe

Now it's all ok!!!!

bye

Giorgio

Nov 4, 2002, 8:36:15 AM

Don't do this, I did and I had another worm installed in my system,
and the li- dialer reinstalled after a while!
It's not a real uninstaller, don't trust it!