• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 73038
  • Last Modified:

How to remove Trojan Horse Dialer

AVG Free Edition has identified Trojan Horse Dialer in 2 files   [bodystudio(installer).exe and body_st.exe in my Shareaza\Downloads dir.  But it can't move them.

Originally, there were 7 files of which Trend Micro's House-scan identified and deleted 5 (but not the others!)

I've tried the Trend, Panda and Symantec on-line scans which didn't recognise it. I've tried Spybot S&D and Moosoft's The Cleaner - which didn't recognise it.

I did stupidly perhaps try to move the files to a floppy but the system crashed. Otherwise there seem to be no ill-effects to the computer since this morning's scan identified the trojan.

I'm on Broadband so I presume this trojan, which is supposed to make expensive international calls, can't operate.

I cant use the AVG Rescue Disk floppy which I'd already made, because for some reason my computer won't boot from the floppy (despite altering the BIOS Setup) or the CD.

So any ideas how I can destroy these unwelcome guests? Any ways of deleting them directly? A system restore perhaps? (I'm an Athlon XP 1800, Win XP NTFS ).

Many thanks for any help.
0
tato374
Asked:
tato374
  • 4
  • 2
  • 2
  • +9
1 Solution
 
guidwayCommented:
do you have any filesharing programs installed like Kazaa. That installs all kinds of programs to the computer and some of them can get detected as trojans. I'm thinking that maybe this is just a false alarm and that it is a mistake from your virus scanner. I could be wrong though...
0
 
tato374Author Commented:
oh yes - the files came in the form of a program d/l by mistake from P2P network, Shareaza - "bodystudio"  "bodystudioinstaller.exe" - I thought it might be a graphics program! ..but it presumably dials to a porn site...

I have discovered something else ... Windows seems to have locked the files... it gives "Access is denied" when I run Moosoft's The Cleaner on the relevant folder so that may be blocking the antivirus/trojan programs. [I have Win XP Pro SP1]

Thanks for interest. Any more ideas?
0
 
FlamingSwordCommented:
> Originally, there were 7 files of which Trend Micro's House-scan identified and deleted 5 (but not the others!)

Thanks for saying so. I had same luck (incomplete) with them on a virus.

> seems to have locked the files... it gives "Access is denied" when I run Moosoft's

That product is also rather stupid. Especially concerning False positives on MS products and no clear knowledge of what essential programs it is not supposed to touch. Be thankful it was stopped by OS from doing all that it tries.

I don't know what this one is, but I do know that sometimes it pays to rebuild the unit from scratch, to save the debugging time and get back to more productive time.

You might consider other AV or adware, if that is what this is. If you are not intimidated by RegEdit, you might look here:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
FlamingSwordCommented:
http://securityresponse.symantec.com/avcenter/venc/data/dialer.trojan.html
Dialer.Trojan  
Discovered on: January 09, 2001  
Last Updated on: April 15, 2002 04:46:10 PM
This Trojan dials phone numbers that have a 900 area code.
Also Known As: TROJ_PORNDIAL.A, PORNDIAL.1, PORNDIAL.A, PornDial
Wild:

Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy  
   
Wild: Low
Damage: Low
Distribution: Low
 
-------------------------------

Looks lame enough, no regedits listed there.

You really should try booting a diskette, but you probably skipped the step for creating one, and the older boot diskettes won't work with NTFS. That gives alternative delete method by using different OS that doesn't lock file. oR IS IT LOCKKED WELL?

Use explorer to find files, then review their properties. Undo anything that makes them hidden or system files. hen delete.


0
 
stevenlewisCommented:
look in the add/remove programs
0
 
tato374Author Commented:
thanks guys for comments. here's what I did - which I think raises an important question about how to deal with trojans/viruses. And I'd be grateful for feedback.

First of all, I had no joy with any of various programs for Trojans/viruses etc. Anti-Trojan actually crashed the system again.

So, being impatient, I took a risk (which may prove to be stupid) ..-

I went into Command [I'm on XP Pro] and vaguely remembering my DOS, went into the trojan's directory, and after a lot of fiddling to get the names right, deleted the files. Was that OK or dumb?

[The files are now gone, and AVG detects nothing, but who knows what tomorrow may bring?]

Is that a legitimate way of dealing with trojans or viruses? For example, AVG has created a virus vault for 2 previous viruses - could I delete them from Command [is it DOS by the way?] Oh I'm Win XP Pro NTFS.

If this is an OK approach, it's worth knowing. If not, pray for me.
0
 
tato374Author Commented:
just to say thanks again FlamingSword and StevenLewis for taking the trouble
0
 
stevenlewisCommented:
>Is that a legitimate way of dealing with trojans or viruses? For example, AVG has created a virus vault for 2 previous viruses - could I delete them from Command [is it DOS by the way?] Oh I'm Win XP Pro NTFS
actually this is a good way to do it :~)
0
 
PikaCommented:
when you try to delete the trojan file and you get an access violation error, that's because windows is running that program. to delete it, just go to safe mode (with a boot floppy) and then delete it.
0
 
Shadow_HawkCommented:
>> I no longer have problems w: Trojans/Dialers/Keyloggers/Hijackers/Trackers/BDE Projectors/etc...

Anyone having problems in this area, email me and I'll give 'ya a hand "cleaning up those nasty pests...  It would consume too much space explaining it all here, I'll just send you the apps I use :).

My system's been *clean* for over 6mos solid

~Shadow
0
 
tato374Author Commented:
thanx Shadow_Hawk - no probs right now - but good to have a contact in case of emergencies - perhaps u could send me your email -

tato@blueyonder.co.uk
0
 
Shadow_HawkCommented:
Tato374, please check your mail :).
0
 
chezdimCommented:
You should consider buying tds-3 its probbaly the best anti-trojan software out there.Cost is around 40$ or so.
Check out the reviews.
http://www.diamondcs.com.au
0
 
tomdfxCommented:
If you still have a copy of the trojan program, you might want to examine it for any URLs embedded in it or things like that.  There is a possibility it could be a legitimate adult content dialer thats been altered or binded with a separate malicious piece of software to make it auto-dial without notifying you.

If it does turn out to be a real dialer program that's been hacked or altered, I can bet that the company would be much more grateful to be contacted by you than the FCC.  

Or, you could go directly to the FCC, as auto-dialing mechanisms, especially if they are dialing domestic toll calls, are easy cases to solve for them.
0
 
akbossCommented:

============================
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
PAQ/Refund Points
Please leave any comments here within the next four days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS
AN ANSWER!
 
akboss
EE Cleanup Volunteer
============================
0
 
CetusMODCommented:
PAQed, with points refunded (100)

CetusMOD
Community Support Moderator
0
 
fcislerCommented:
this question has been finished, but heres my 0.02

when i come across a "rouge" program or the like heres my steps for dealing with it.

1) if it's an app then i look in task manager and try to kill it.
2) if i can kill the app i delete it from registry HKEY_L_M\microsoft\windows\currentversion\run
3) if for some reason app keeps adding itself back to run (or can't delete it) then simply use permissions (YES regedit does have key security) and set permissions to deny for all
4) reboot. Attempt to delete file. Reset permissions on run key. Delete Key.
5) If you STILL can't delete the EXE, use NTFS permissions to set deny to everyone (if no one can access it, it can't run!)
6) reboot. Reset permissions. Delete

If those steps dont get the EXE out then good luck!

If it's a dll my approach is slightly different.

1) regsvr32 /u c:\path\to\the.dll (NOTE: if it's in program files please change to regsvr32 /u "c:\program files\common\etc"...you need the " " for paths with spaces in them)
2) regedit, find > dllname.dll
3) heres the tricky part for DLL's...you have to know what to delete and what traces back to where...so without some common knowledge here i suggest you simply set permissions on the .dll to everyone deny full access. Reboot your pc, if things still work then feel free to delete it. If you get errors trace them back. At this point, it's much better to just say get spybot or ad-aware.

Again, just my $0.02. My EXE removal works over 90% of the time.
0
 
NicoLaanCommented:
Addtional note:

I also tried deleting some virus the hard way, because Windows used it, only then my system crashed.
The virusfiles (some DLL's) where linked to Explorer.exe.

So as extra advise I strongly recommand to first try hard to find out what this program is and find specific removal instructions for this dialer / virus or whatever on the internet.

And as we all know, MAKE BACKUPS! (I do since I had some crashes and nasty virusses)
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 2
  • 2
  • +9
Tackle projects and never again get stuck behind a technical roadblock.
Join Now