Solved

How to remove Trojan Horse Dialer

Posted on 2003-02-21
73,027 Views
Last Modified: 2012-06-21
AVG Free Edition has identified Trojan Horse Dialer in 2 files [bodystudio(installer).exe and body_st.exe in my Shareaza\Downloads dir]. But it can't move them.

Originally, there were 7 files of which Trend Micro's House-scan identified and deleted 5 (but not the others!)

I've tried the Trend, Panda and Symantec on-line scans which didn't recognise it. I've tried Spybot S&D and Moosoft's The Cleaner - which didn't recognise it.

I did stupidly perhaps try to move the files to a floppy but the system crashed. Otherwise there seem to be no ill-effects to the computer since this morning's scan identified the trojan.

I'm on Broadband so I presume this trojan, which is supposed to make expensive international calls, can't operate.

I can't use the AVG Rescue Disk floppy which I'd already made, because for some reason my computer won't boot from the floppy (despite altering the BIOS Setup) or the CD.

So any ideas how I can destroy these unwelcome guests? Any ways of deleting them directly? A system restore perhaps? (I'm an Athlon XP 1800, Win XP NTFS ).

Many thanks for any help.
Question by:tato374
18 Comments
 
LVL 12

Expert Comment

by:guidway
ID: 7994806
do you have any filesharing programs installed like Kazaa. That installs all kinds of programs to the computer and some of them can get detected as trojans. I'm thinking that maybe this is just a false alarm and that it is a mistake from your virus scanner. I could be wrong though...
0
 

Author Comment

by:tato374
ID: 7996355
oh yes - the files came in the form of a program d/l by mistake from P2P network, Shareaza - "bodystudio"  "bodystudioinstaller.exe" - I thought it might be a graphics program! ..but it presumably dials to a porn site...

I have discovered something else ... Windows seems to have locked the files... it gives "Access is denied" when I run Moosoft's The Cleaner on the relevant folder so that may be blocking the antivirus/trojan programs. [I have Win XP Pro SP1]

Thanks for interest. Any more ideas?
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 7996583
> Originally, there were 7 files of which Trend Micro's House-scan identified and deleted 5 (but not the others!)

Thanks for saying so. I had same luck (incomplete) with them on a virus.

> seems to have locked the files... it gives "Access is denied" when I run Moosoft's

That product is also rather stupid. Especially concerning False positives on MS products and no clear knowledge of what essential programs it is not supposed to touch. Be thankful it was stopped by OS from doing all that it tries.

I don't know what this one is, but I do know that sometimes it pays to rebuild the unit from scratch, to save the debugging time and get back to more productive time.

You might consider other AV or adware, if that is what this is. If you are not intimidated by RegEdit, you might look here:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 7996619
http://securityresponse.symantec.com/avcenter/venc/data/dialer.trojan.html
Dialer.Trojan  
Discovered on: January 09, 2001  
Last Updated on: April 15, 2002 04:46:10 PM
This Trojan dials phone numbers that have a 900 area code.
Also Known As: TROJ_PORNDIAL.A, PORNDIAL.1, PORNDIAL.A, PornDial
Wild:

Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy  
   
Wild: Low
Damage: Low
Distribution: Low
 
-------------------------------

Looks lame enough, no regedits listed there.

You really should try booting a diskette, but you probably skipped the step for creating one, and the older boot diskettes won't work with NTFS. That gives an alternative delete method by using a different OS that doesn't lock the file. Or is it locked well?

Use Explorer to find the files, then review their properties. Undo anything that makes them hidden or system files. Then delete.


0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 7996638
look in the add/remove programs
0
 

Author Comment

by:tato374
ID: 7997192
thanks guys for comments. here's what I did - which I think raises an important question about how to deal with trojans/viruses. And I'd be grateful for feedback.

First of all, I had no joy with any of various programs for Trojans/viruses etc. Anti-Trojan actually crashed the system again.

So, being impatient, I took a risk (which may prove to be stupid) ..-

I went into Command [I'm on XP Pro] and vaguely remembering my DOS, went into the trojan's directory, and after a lot of fiddling to get the names right, deleted the files. Was that OK or dumb?

[The files are now gone, and AVG detects nothing, but who knows what tomorrow may bring?]

Is that a legitimate way of dealing with trojans or viruses? For example, AVG has created a virus vault for 2 previous viruses - could I delete them from Command [is it DOS by the way?] Oh I'm Win XP Pro NTFS.

If this is an OK approach, it's worth knowing. If not, pray for me.
0
 

Author Comment

by:tato374
ID: 7997225
just to say thanks again FlamingSword and StevenLewis for taking the trouble
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 7997250
>Is that a legitimate way of dealing with trojans or viruses? For example, AVG has created a virus vault for 2 previous viruses - could I delete them from Command [is it DOS by the way?] Oh I'm Win XP Pro NTFS
actually this is a good way to do it :~)
0
 
LVL 1

Expert Comment

by:Pika
ID: 8093682
when you try to delete the trojan file and you get an access violation error, that's because windows is running that program. to delete it, just go to safe mode (with a boot floppy) and then delete it.
0
 

Expert Comment

by:Shadow_Hawk
ID: 8102072
>> I no longer have problems w: Trojans/Dialers/Keyloggers/Hijackers/Trackers/BDE Projectors/etc...

Anyone having problems in this area, email me and I'll give 'ya a hand "cleaning up those nasty pests...  It would consume too much space explaining it all here, I'll just send you the apps I use :).

My system's been *clean* for over 6mos solid

~Shadow
0
 

Author Comment

by:tato374
ID: 8103291
thanks Shadow_Hawk - no probs right now - but good to have a contact in case of emergencies - perhaps you could send me your email -

tato@blueyonder.co.uk
0
 

Expert Comment

by:Shadow_Hawk
ID: 8105410
Tato374, please check your mail :).
0
 

Expert Comment

by:chezdim
ID: 8169703
You should consider buying TDS-3; it's probably the best anti-trojan software out there. Cost is around $40 or so.
Check out the reviews.
http://www.diamondcs.com.au
0
 

Expert Comment

by:tomdfx
ID: 8311529
If you still have a copy of the trojan program, you might want to examine it for any URLs embedded in it or things like that. There is a possibility it could be a legitimate adult content dialer that's been altered or bound with a separate malicious piece of software to make it auto-dial without notifying you.

If it does turn out to be a real dialer program that's been hacked or altered, I can bet that the company would be much more grateful to be contacted by you than the FCC.  

Or, you could go directly to the FCC, as auto-dialing mechanisms, especially if they are dialing domestic toll calls, are easy cases to solve for them.
0
 
LVL 6

Expert Comment

by:akboss
ID: 10509968

============================
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
PAQ/Refund Points
Please leave any comments here within the next four days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS
AN ANSWER!
 
akboss
EE Cleanup Volunteer
============================
0
 

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 10536973
PAQed, with points refunded (100)

CetusMOD
Community Support Moderator
0
 
LVL 1

Expert Comment

by:fcisler
ID: 10704136
this question has been finished, but here's my 0.02

when i come across a "rogue" program or the like here's my steps for dealing with it.

1) if it's an app then i look in task manager and try to kill it.
2) if i can kill the app i delete it from registry HKEY_L_M\microsoft\windows\currentversion\run
3) if for some reason app keeps adding itself back to run (or can't delete it) then simply use permissions (YES regedit does have key security) and set permissions to deny for all
4) reboot. Attempt to delete file. Reset permissions on run key. Delete Key.
5) If you STILL can't delete the EXE, use NTFS permissions to set deny to everyone (if no one can access it, it can't run!)
6) reboot. Reset permissions. Delete

If those steps don't get the EXE out then good luck!

If it's a dll my approach is slightly different.

1) regsvr32 /u c:\path\to\the.dll (NOTE: if it's in program files please change to regsvr32 /u "c:\program files\common\etc"...you need the " " for paths with spaces in them)
2) regedit, find > dllname.dll
3) here's the tricky part for DLLs...you have to know what to delete and what traces back to where...so without some common knowledge here i suggest you simply set permissions on the .dll to everyone deny full access. Reboot your pc, if things still work then feel free to delete it. If you get errors trace them back. At this point, it's much better to just say get spybot or ad-aware.

Again, just my $0.02. My EXE removal works over 90% of the time.
0
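As an added example (not code posted by anyone in this thread), a small Python audit of the Run key that FlamingSword and fcisler point at: it splits each value into executable and arguments the way Windows does (quoted versus unquoted paths, the point fcisler makes about quotes) and flags executables launched from download or temp folders, where the dialer in this question was found. The folder heuristic, the `ExampleAV`/`SomeTool` entries and the `SAMPLE_RUN_VALUES` fallback are this example's own assumptions; only body_st.exe comes from the thread.

```python
import re, sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Heuristic (this example's assumption): autostart entries rarely belong in
# download or temp folders; the thread's dialer sat in Shareaza\Downloads.
SUSPECT_DIRS = ("\\downloads\\", "\\temp\\", "\\tmp\\")

# Constructed sample of Run-key values; only body_st.exe comes from the thread.
SAMPLE_RUN_VALUES = {
    "ExampleAV": '"C:\\Program Files\\Example AV\\avtray.exe" /startup',
    "SomeTool": "C:\\Program Files\\Some Tool\\tool.exe /tray",  # unquoted, has spaces
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
    "body_st": "C:\\Shareaza\\Downloads\\body_st.exe -silent",
}

def parse_run_command(value: str) -> tuple[str, str]:
    """Split a Run value into (executable, arguments). A quoted path ends at the
    closing quote (why fcisler insists on quotes); an unquoted one ends at the
    first executable extension, so a path containing spaces is still recovered."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return (value[1:end], value[end + 1:].strip()) if end != -1 else (value[1:], "")
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s+(.*))?$", value, re.I)
    return (m.group(1), m.group(2) or "") if m else (value, "")

def is_suspect(exe_path: str) -> bool:
    return any(d in exe_path.lower() for d in SUSPECT_DIRS)  # download/temp folder?

def audit(entries: dict[str, str]) -> list[str]:
    """Names of Run entries whose executable sits in a suspect folder."""
    return [n for n, v in entries.items() if is_suspect(parse_run_command(v)[0])]

def read_run_key() -> dict[str, str]:
    """Read HKCU's Run key on Windows; elsewhere return the constructed sample."""
    if sys.platform != "win32":
        return SAMPLE_RUN_VALUES
    import winreg
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                return entries
            entries[name], i = str(value), i + 1

if __name__ == "__main__":
    for name in audit(read_run_key()):
        print("review autostart entry:", name)
```

Flagged entries are candidates for the review fcisler describes (check the file's properties, then decide), not automatic deletions; a legitimate program installed into a Downloads folder will also be listed.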
 
LVL 4

Expert Comment

by:NicoLaan
ID: 10711405
Additional note:

I also tried deleting some virus the hard way, because Windows used it, only then my system crashed.
The virus files (some DLLs) were linked to Explorer.exe.

So as extra advice I strongly recommend to first try hard to find out what this program is and find specific removal instructions for this dialer / virus or whatever on the internet.

And as we all know, MAKE BACKUPS! (I do since I had some crashes and nasty viruses)
0
