tato374 asked:
How to remove Trojan Horse Dialer

AVG Free Edition has identified Trojan Horse Dialer in 2 files [bodystudio(installer).exe and body_st.exe in my Shareaza\Downloads dir]. But it can't move them.

Originally, there were 7 files of which Trend Micro's House-scan identified and deleted 5 (but not the others!)

I've tried the Trend, Panda and Symantec on-line scans which didn't recognise it. I've tried Spybot S&D and Moosoft's The Cleaner - which didn't recognise it.

I did stupidly perhaps try to move the files to a floppy but the system crashed. Otherwise there seem to be no ill-effects to the computer since this morning's scan identified the trojan.

I'm on Broadband so I presume this trojan, which is supposed to make expensive international calls, can't operate.

I can't use the AVG Rescue Disk floppy which I'd already made, because for some reason my computer won't boot from the floppy (despite altering the BIOS Setup) or the CD.

So any ideas how I can destroy these unwelcome guests? Any ways of deleting them directly? A system restore perhaps? (I'm on an Athlon XP 1800, Win XP NTFS.)

Many thanks for any help.
guidway:

Do you have any filesharing programs installed, like Kazaa? That installs all kinds of programs to the computer and some of them can get detected as trojans. I'm thinking that maybe this is just a false alarm and that it is a mistake from your virus scanner. I could be wrong though...
tato374 (asker):
Oh yes - the files came in the form of a program d/l by mistake from the P2P network Shareaza - "bodystudio" / "bodystudioinstaller.exe" - I thought it might be a graphics program! ...but it presumably dials to a porn site...

I have discovered something else ... Windows seems to have locked the files... it gives "Access is denied" when I run Moosoft's The Cleaner on the relevant folder so that may be blocking the antivirus/trojan programs. [I have Win XP Pro SP1]

Thanks for interest. Any more ideas?
> Originally, there were 7 files of which Trend Micro's House-scan identified and deleted 5 (but not the others!)

Thanks for saying so. I had the same luck (incomplete) with them on a virus.

> seems to have locked the files... it gives "Access is denied" when I run Moosoft's

That product is also rather stupid, especially concerning false positives on MS products and no clear knowledge of what essential programs it is not supposed to touch. Be thankful it was stopped by the OS from doing all that it tries.

I don't know what this one is, but I do know that sometimes it pays to rebuild the unit from scratch, to save the debugging time and get back to more productive time.

You might consider other AV or adware, if that is what this is. If you are not intimidated by RegEdit, you might look here:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
http://securityresponse.symantec.com/avcenter/venc/data/dialer.trojan.html
Dialer.Trojan
Discovered on: January 09, 2001
Last Updated on: April 15, 2002 04:46:10 PM
This Trojan dials phone numbers that have a 900 area code.
Also Known As: TROJ_PORNDIAL.A, PORNDIAL.1, PORNDIAL.A, PornDial
Wild:

Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy

Wild: Low
Damage: Low
Distribution: Low

-------------------------------

Looks lame enough, no regedits listed there.

You really should try booting a diskette, but you probably skipped the step for creating one, and the older boot diskettes won't work with NTFS. That gives an alternative delete method by using a different OS that doesn't lock the file. Or is it locked well?

Use Explorer to find the files, then review their properties. Undo anything that makes them hidden or system files. Then delete.


Look in Add/Remove Programs.
tato374 (asker):
Thanks guys for the comments. Here's what I did - which I think raises an important question about how to deal with trojans/viruses. And I'd be grateful for feedback.

First of all, I had no joy with any of various programs for Trojans/viruses etc. Anti-Trojan actually crashed the system again.

So, being impatient, I took a risk (which may prove to be stupid) -

I went into Command [I'm on XP Pro] and vaguely remembering my DOS, went into the trojan's directory, and after a lot of fiddling to get the names right, deleted the files. Was that OK or dumb?

[The files are now gone, and AVG detects nothing, but who knows what tomorrow may bring?]

Is that a legitimate way of dealing with trojans or viruses? For example, AVG has created a virus vault for 2 previous viruses - could I delete them from Command [is it DOS by the way?] Oh I'm Win XP Pro NTFS.

If this is an OK approach, it's worth knowing. If not, pray for me.
tato374 (asker):
Just to say thanks again FlamingSword and StevenLewis for taking the trouble.
>Is that a legitimate way of dealing with trojans or viruses? For example, AVG has created a virus vault for 2 previous viruses - could I delete them from Command [is it DOS by the way?] Oh I'm Win XP Pro NTFS
Actually this is a good way to do it :~)
When you try to delete the trojan file and you get an access violation error, that's because Windows is running that program. To delete it, just go to safe mode (with a boot floppy) and then delete it.
>> I no longer have problems w: Trojans/Dialers/Keyloggers/Hijackers/Trackers/BDE Projectors/etc...

Anyone having problems in this area, email me and I'll give 'ya a hand "cleaning up those nasty pests"... It would consume too much space explaining it all here, I'll just send you the apps I use :).

My system's been *clean* for over 6mos solid

~Shadow
tato374 (asker):
thanx Shadow_Hawk - no probs right now - but good to have a contact in case of emergencies - perhaps u could send me your email -

tato@blueyonder.co.uk
Tato374, please check your mail :).
You should consider buying TDS-3; it's probably the best anti-trojan software out there. Cost is around $40 or so.
Check out the reviews.
http://www.diamondcs.com.au
If you still have a copy of the trojan program, you might want to examine it for any URLs embedded in it or things like that. There is a possibility it could be a legitimate adult content dialer that's been altered or bound with a separate malicious piece of software to make it auto-dial without notifying you.

If it does turn out to be a real dialer program that's been hacked or altered, I can bet that the company would be much more grateful to be contacted by you than the FCC.  

Or, you could go directly to the FCC, as auto-dialing mechanisms, especially if they are dialing domestic toll calls, are easy cases to solve for them.

============================
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
PAQ/Refund Points
Please leave any comments here within the next four days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS
AN ANSWER!
 
akboss
EE Cleanup Volunteer
============================
ASKER CERTIFIED SOLUTION
CetusMOD
This question has been finished, but here's my $0.02.

When I come across a "rogue" program or the like, here are my steps for dealing with it.

1) If it's an app then I look in Task Manager and try to kill it.
2) If I can kill the app I delete it from the registry: HKEY_L_M\microsoft\windows\currentversion\run
3) If for some reason the app keeps adding itself back to Run (or you can't delete it) then simply use permissions (YES, regedit does have key security) and set permissions to deny for all.
4) Reboot. Attempt to delete the file. Reset permissions on the Run key. Delete the key.
5) If you STILL can't delete the EXE, use NTFS permissions to set deny to everyone (if no one can access it, it can't run!)
6) Reboot. Reset permissions. Delete.

If those steps don't get the EXE out then good luck!

If it's a dll my approach is slightly different.

1) regsvr32 /u c:\path\to\the.dll (NOTE: if it's in Program Files please change to regsvr32 /u "c:\program files\common\etc"... you need the " " for paths with spaces in them)
2) regedit, Find > dllname.dll
3) Here's the tricky part for DLLs... you have to know what to delete and what traces back to where... so without some common knowledge here I suggest you simply set permissions on the .dll to Everyone deny full access. Reboot your PC; if things still work then feel free to delete it. If you get errors, trace them back. At this point, it's much better to just say get Spybot or Ad-Aware.

Again, just my $0.02. My EXE removal works over 90% of the time.
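One way to carry out the Run-key check from the earlier post and steps 1 to 5 of the EXE procedure above (plus the regsvr32 /u step for DLLs) from PowerShell, as an added example that is not code from this thread or from any product mentioned in it. The function names, the $RunKeys list and the placeholder path are assumptions; it must be run from an elevated PowerShell on Windows. It only reports and locks; deleting a file stays a deliberate manual step once you have confirmed what it is.

```powershell
# Added example (not code from the thread or from any product named in it).
# Defensive triage of Run-key autostarts and the "deny everyone" file lock
# described in the post above. Run from an elevated PowerShell; the function
# names and the sample path at the bottom are hypothetical.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Properties the registry provider adds to every Get-ItemProperty result;
# they are not Run values and are skipped by exact name.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Enumerate every Run value, resolve the executable it points at, and report
# whether the file exists, whether it carries a valid Authenticode signature and
# whether a process is currently running from that path (the "Windows is using
# it" case that produces "Access is denied" on delete).
function Get-RunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -in $ProviderProps) { continue }
            $raw = [string]$prop.Value
            # A quoted path comes first; otherwise take the first whitespace-delimited token.
            if ($raw -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($raw -split '\s+')[0] }
            $exe     = [Environment]::ExpandEnvironmentVariables($exe)
            $exists  = Test-Path -LiteralPath $exe -PathType Leaf
            $sigStat = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
            $running = $exists -and (@(Get-Process | Where-Object { $_.Path -eq $exe }).Count -gt 0)
            [pscustomobject]@{
                Key       = $key
                Name      = $prop.Name
                Command   = $raw
                Exe       = $exe
                Exists    = $exists
                Signature = $sigStat
                Running   = $running
            }
        }
    }
}

# Step 2 of the EXE procedure: remove the autostart value once the file is
# confirmed unwanted (the file itself is left for you to delete).
function Remove-RunEntry {
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Name)
    Remove-ItemProperty -Path $Key -Name $Name -ErrorAction Stop
}

# Well-known SID for Everyone (S-1-1-0), used for the deny rule below.
$EveryoneSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')

# Step 5: add a Deny-Everyone ACE so nothing can read or execute the file;
# after the reboot, Unlock-SuspectFile removes the same ACE so you can delete it.
function Lock-SuspectFile {
    param([Parameter(Mandatory)][string]$Path)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($EveryoneSid, 'FullControl', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Unlock-SuspectFile {
    param([Parameter(Mandatory)][string]$Path)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($EveryoneSid, 'FullControl', 'Deny')
    $acl.RemoveAccessRuleAll($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# DLL variant, step 1 of the DLL procedure: unregister the COM server silently
# (regsvr32 /u /s) before locking it. Returns regsvr32's exit code (0 = success).
function Unregister-SuspectDll {
    param([Parameter(Mandatory)][string]$Path)
    & "$env:SystemRoot\System32\regsvr32.exe" /u /s $Path
    return $LASTEXITCODE
}

# Usage: report first, decide, then lock only the entry you have identified.
Get-RunEntries | Format-Table Name, Exe, Exists, Signature, Running -AutoSize
# Lock-SuspectFile -Path 'C:\Path\To\suspect.exe'   # constructed placeholder path
```

The report is the useful part: an unsigned, currently running executable that a Run value points at under a download folder is exactly the pattern the thread describes, and seeing it listed before touching anything avoids the "deleted a DLL Explorer.exe needed" outcome mentioned in the next post. The lock/unlock pair mirrors the post's deny-then-reboot-then-reset sequence so the ACL change is reversible.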
Additional note:

I also tried deleting a virus the hard way because Windows was using it, but then my system crashed.
The virus files (some DLLs) were linked to Explorer.exe.

So as extra advice I strongly recommend first trying hard to find out what this program is and finding specific removal instructions for this dialer / virus or whatever on the internet.

And as we all know, MAKE BACKUPS! (I do since I had some crashes and nasty viruses.)