Win32/Dialer.U Trojan - HELP!

i don't know if this is new or not, NOD is identifying it as such (Win32/Dialer.U Trojan), but i get way different stuff than from this thread:

https://www.wilderssecurity.com/showthread.php?t=46701&highlight=win32/dialer.u trojan

i really can't identify where this bastard is. it seems to work only when a browser is running (firefox or internet explorer). it tries to connect to this address:

htp://d.mettere.net/a412/a571.php?m0&b=779&c=2

which from a whois search yelds a server in the USA owned by a Chinese company in Hong Kong.

it somehows creates:

. a win*.tmp.exe in windows/temp (* being a random 3 letter/numbers)

. and another in file in documents and settings/user/local settings/temporary internet files, with the name "a412/a571.php?m0&b=779&c=2", and the internet address "htp://d.mettere.net/a412/a571.php?m0&b=779&c=2"


i have ziped it and will be sending it to samples@nod32.com soon. will also try blackspear long solution now, but im afraid it might not work, since the post is from 2004, and even that mettere.net domain was registered 05/2006.

also, i've already tried spybot search and destroy and adaware and they dont show anything wrong. task manager and hijackthis does not shows anything weird also. and neither does the in-depth scan from NOD. only when the virus/trojan activates itself that NOD blocks it. it places a copy of itself in the above mentioned places. other than that, i've cleaned all caches and cookies of both browser and i still cannot find where he's coming from!

one other thing that might be usefull, the only thing that NOD deleted in the probable day of infection, was this:

C:\System Volume Information\_restore{9E779849-8953-46EC-8D11-D86EA82AA0C9}\RP34\A0002558.exe - Win32/TrojanDropper.Agent.ASL trojan - deleted


please help!




eks

 

Eks , Wilders Security forum no longer supports HiJackThis log files analysis
https://www.wilderssecurity.com/showthread.php?t=42148

Please , remove your log via editing your post or your post will be removed by Moderators/Administrators


Make sure your NOD32 is updated.
The latest signature version is 1.1734

Then go through BlackSpears's tutorial to setup NOD32 for maximum protection and automatic work

Then , as shown boot in Safe Mode and scan .
Safe Mode is a special Windows mode where several things are loaded and most of the viruses/spywares can't load in that mode . When so , AV softwares can easily kill the viruses. How to boot into Safe Mode

Goto Start->Programs->ESET->NOD32
Goto the Profiles tab and make sure you use Control Center Profile
When so , make sure your set NOD32 to scan all your hard drives and push Scan&Clean

NOD32 will automatically take care of everything

Reboot in Normal Mode.

I would also recommend you scan with Ewido AntiSpyware (www.ewido.net) , Ad-Aware se Personal (www.lavasoftusa.com) and Panda ActiveScan online scanner (www.activescan.com)

There is one more thing about "SR in XP" which I am not allowed to say , so hope someone else will post it

If this doesn't help , try the general removal instructions by Blackspear here
https://www.wilderssecurity.com/showthread.php?t=50662

Good luck

 

no good :/

tried everything, running NOD in safemode with maxium security settings and advanced heuristics and he did not got rid of the threat. it did detected the .exe in windows/temp, but upon reset it continued poping up. also tried Stinger that BlackSpear mentioned, but it didn't detected nothing (probably because NOD got them first).

even with no single sign of the threat, my computer is still infected

i've also tried http://housecall.trendmicro.com/ now, it starts but then closes the browser without further notice.

i'm proceeding with the last option, the format c:...


eks

 

What about Panda Active Scan www.activescan.com

 

hi eks


Name: Dialer.U
Risk Level: high
Description: Dialer.U is a dialer which when executed is used to dial a high-cost phone number using a modem. Removal of this dialer is advisable if it is not installed for a purpose.
Type: Dialer
Also known as: Trojan.Win32.Dialer.u Win32/SilentCaller.Z [eTrust-Vet]
Removal: This infection can be removed using Spyware Doctor.
http://www.pctools.com/spyware-doctor/