How to remove Trojan Horse Dialer

oh yes - the files came in the form of a program d/l by mistake from P2P network, Shareaza - "bodystudio"  "bodystudioinstaller.exe" - I thought it might be a graphics program! ..but it presumably dials to a porn site...

I have discovered something else ... Windows seems to have locked the files... it gives "Access is denied" when I run Moosoft's The Cleaner on the relevant folder so that may be blocking the antivirus/trojan programs. [I have Win XP Pro SP1]

Thanks for interest. Any more ideas?

> Originally, there were 7 files of which Trend Micro's House-scan identified and deleted 5 (but not the others!)

Thanks for saying so. I had same luck (incomplete) with them on a virus.

> seems to have locked the files... it gives "Access is denied" when I run Moosoft's

That product is also rather stupid. Especially concerning False positives on MS products and no clear knowledge of what essential programs it is not supposed to touch. Be thankful it was stopped by OS from doing all that it tries.

I don't know what this one is, but I do know that sometimes it pays to rebuild the unit from scratch, to save the debugging time and get back to more productive time.

You might consider other AV or adware, if that is what this is. If you are not intimidated by RegEdit, you might look here:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run

http://securityresponse.symantec.com/avcenter/venc/data/dialer.trojan.html
Dialer.Trojan  
Discovered on: January 09, 2001  
Last Updated on: April 15, 2002 04:46:10 PM
This Trojan dials phone numbers that have a 900 area code.
Also Known As: TROJ_PORNDIAL.A, PORNDIAL.1, PORNDIAL.A, PornDial
Wild:

Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy  
   
Wild: Low
Damage: Low
Distribution: Low
 
-------------------------------

Looks lame enough, no regedits listed there.

You really should try booting a diskette, but you probably skipped the step for creating one, and the older boot diskettes won't work with NTFS. That gives alternative delete method by using different OS that doesn't lock file. oR IS IT LOCKKED WELL?

Use explorer to find files, then review their properties. Undo anything that makes them hidden or system files. hen delete.

look in the add/remove programs

thanks guys for comments. here's what I did - which I think raises an important question about how to deal with trojans/viruses. And I'd be grateful for feedback.

First of all, I had no joy with any of various programs for Trojans/viruses etc. Anti-Trojan actually crashed the system again.

So, being impatient, I took a risk (which may prove to be stupid) ..-

I went into Command [I'm on XP Pro] and vaguely remembering my DOS, went into the trojan's directory, and after a lot of fiddling to get the names right, deleted the files. Was that OK or dumb?

[The files are now gone, and AVG detects nothing, but who knows what tomorrow may bring?]

Is that a legitimate way of dealing with trojans or viruses? For example, AVG has created a virus vault for 2 previous viruses - could I delete them from Command [is it DOS by the way?] Oh I'm Win XP Pro NTFS.

If this is an OK approach, it's worth knowing. If not, pray for me.

just to say thanks again FlamingSword and StevenLewis for taking the trouble

>Is that a legitimate way of dealing with trojans or viruses? For example, AVG has created a virus vault for 2 previous viruses - could I delete them from Command [is it DOS by the way?] Oh I'm Win XP Pro NTFS
actually this is a good way to do it :~)

when you try to delete the trojan file and you get an access violation error, that's because windows is running that program. to delete it, just go to safe mode (with a boot floppy) and then delete it.

>> I no longer have problems w: Trojans/Dialers/Keyloggers/Hijackers/Trackers/BDE Projectors/etc...

Anyone having problems in this area, email me and I'll give 'ya a hand "cleaning up those nasty pests...  It would consume too much space explaining it all here, I'll just send you the apps I use :).

My system's been *clean* for over 6mos solid

~Shadow

thanx Shadow_Hawk - no probs right now - but good to have a contact in case of emergencies - perhaps u could send me your email -

tato@blueyonder.co.uk

Tato374, please check your mail :).

You should consider buying tds-3 its probbaly the best anti-trojan software out there.Cost is around 40$ or so.
Check out the reviews.
http://www.diamondcs.com.au

If you still have a copy of the trojan program, you might want to examine it for any URLs embedded in it or things like that.  There is a possibility it could be a legitimate adult content dialer thats been altered or binded with a separate malicious piece of software to make it auto-dial without notifying you.

If it does turn out to be a real dialer program that's been hacked or altered, I can bet that the company would be much more grateful to be contacted by you than the FCC.  

Or, you could go directly to the FCC, as auto-dialing mechanisms, especially if they are dialing domestic toll calls, are easy cases to solve for them.

============================
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
PAQ/Refund Points
Please leave any comments here within the next four days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS
AN ANSWER!
 
akboss
EE Cleanup Volunteer
============================

this question has been finished, but heres my 0.02

when i come across a "rouge" program or the like heres my steps for dealing with it.

1) if it's an app then i look in task manager and try to kill it.
2) if i can kill the app i delete it from registry HKEY_L_M\microsoft\windows\currentversion\run
3) if for some reason app keeps adding itself back to run (or can't delete it) then simply use permissions (YES regedit does have key security) and set permissions to deny for all
4) reboot. Attempt to delete file. Reset permissions on run key. Delete Key.
5) If you STILL can't delete the EXE, use NTFS permissions to set deny to everyone (if no one can access it, it can't run!)
6) reboot. Reset permissions. Delete

If those steps dont get the EXE out then good luck!

If it's a dll my approach is slightly different.

1) regsvr32 /u c:\path\to\the.dll (NOTE: if it's in program files please change to regsvr32 /u "c:\program files\common\etc"...you need the " " for paths with spaces in them)
2) regedit, find > dllname.dll
3) heres the tricky part for DLL's...you have to know what to delete and what traces back to where...so without some common knowledge here i suggest you simply set permissions on the .dll to everyone deny full access. Reboot your pc, if things still work then feel free to delete it. If you get errors trace them back. At this point, it's much better to just say get spybot or ad-aware.

Again, just my $0.02. My EXE removal works over 90% of the time.