Need help with removing Win32/Dialer.U trojan

Discussion in 'NOD32 version 2 Forum' started by Mybrokenwings, Sep 3, 2004.

Thread Status:
Not open for further replies.
  1. Mybrokenwings

    Mybrokenwings Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    14
    Help me, I have tried everything and Nod32 cannot remove it. Please tell me how to remove it step by step.

    Edit: Erm, ok, I have not added much information on this.. From what it seems now (I tried those online scanners and Trend Micro found a few different ones)

    The two I have found so far (it's strange, since Nod32 only finds 3, then it removes them, then poof, a new one appears >_< I hate it... :'( )

    Anyways, the names are: Trojan ISTBAR.W, located in: C:\Documents and settings\Mybrokenwings\Local configuration\Temporary internet files\Content.IE5\WTQJOLI3\0006_regular[1].cab *istactivex.dll*

    The other I more or less managed to remove...
    So my question to you guys is: are Trojans something I can just delete "manually"?

    PS: not sure it's called "Local configuration" since I have Norwegian Windows XP,
    and not sure what the English name is.
     
    Last edited: Sep 3, 2004
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi (guess it would be more polite of me to greet you by name) :D
    Welcome to Wilders, Mybrokenwings,

    I was sure the Win32/Dialer.U was in NOD32's database. What version of NOD32 are you using?

    You've mentioned you've tried everything; can you tell me what other programs you have scanned with? Also, have you tried scanning while in Safe Mode?

    If you have not done so already, download Ad-AwareSE and Spybot Search&Destroy (using both programs is recommended as they both will detect dialers too). You can find download links for these two programs, along with instructions on how to update them (don't miss that step), and set them up for a scan of your system: https://www.wilderssecurity.com/showthread.php?t=15913

    Scan with Ad-Aware and Spybot S&D while in safe mode too.
    And empty the 'contents' of your Temp folders and IE's Temporary Internet Files.

    (Since you are using NOD32, I'll move your thread over into the NOD32 forum.)

    Let me know how you do with the scans in safe mode.

    Regards,

    snap
     
  3. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Thank you for the extra information, Mybrokenwings. That does help. :)

    Please follow the instructions in my first post, and when you're finished, click on the "Post Reply" button at the bottom of this thread to reply to it. That way I'll know you've replied since I've subscribed to the thread. ;)

    Regards,

    snap
     
  4. Mybrokenwings

    Mybrokenwings Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    14
    Yes, I use both Ad-Aware and Spybot Search and Destroy. I also use something called Spybot..
    I updated Nod32 since it seems the autoupdate does not work :blink:
    Then it actually managed to find it. It found these 3:

    C:\WINDOWS\Downloaded Program Files\WinadX.dll - Win32/TrojanDownloader.Small.NAS trojan - quarantined - deleted

    C:\WINDOWS\sys_nt.exe - Win32/Dialer.U trojan - quarantined - deleted

    C:\Documents and Settings\Mybrokenwings\Lokale innstillinger\Temporary Internet Files\Content.IE5\LFB7H5CU\seksdialer[1].exe - Win32/Dialer.U trojan - quarantined - deleted

    I must say I honestly have no idea where they come from. I am also kind of a dork when it comes to viruses and trojans since I simply cannot understand them, so when I said I had tried everything I meant safety mode and manually destroying things I knew were trojans, then scanning with Nod32 and the Symantec Security online scanner...

    Well, more or less I know better now.. but Nod32 still does not take it all... Same with the Symantec Security online scanner, which did not find them either.. The only one that has found them is Trend Micro.. Nod32 also found them after the update..
    What these Trojans do is change your start page and try to download other trojans and such, I would presume, since it tries to upload/download system files.. @_@.

    So here I come home from school and find my pc infiltrated to an extreme degree... it turns out my brother has touched it, so heh =/....

    And I have also done what your first post says heh.. strange thing is that neither Ad-Aware nor Spysweeper found them and they are up to date...
     
    Last edited: Sep 3, 2004
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Have you manually gone to the locations these files are at and deleted them then? Are you seeing any of them now running when you bring up Task Manager?

    I am not sure if you are saying NOD has since found and removed them and you no longer have them now, or...have I mis-read what you are saying?

    It sounds like you may also have a hijacker too. Are you using the most recent version of Ad-AwareSE and Spybot S&D? <-- LOL you edited your post while I was typing up the reply.



    snap
     
  6. Mybrokenwings

    Mybrokenwings Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    14
    C:\Documents and Settings\Mybrokenwings\Lokale innstillinger\Temporary Internet Files\Content.IE5\LFB7H5CU\seksdialer[1].exe

    This one is still here.. in these folders, can I just delete everything in the folder?

    Heh, sorry about that... I am kind of making no sense sometimes..

    Nod32 found those 3 I posted here; now it's popping up with its dreaded red window saying some new + the seksdialer is still there...
     
  7. Mybrokenwings

    Mybrokenwings Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    14
    These are from the Nod32 log from today

    Time Module Object Name Virus Action User Info
    03.09.2004 20:10:50 AMON file C:\WINDOWS\Downloaded Program Files\WinadX.dll Win32/TrojanDownloader.Small.NAS trojan WINGS\Mybrokenwings

    03.09.2004 20:10:49 AMON file C:\Documents and Settings\Mybrokenwings\Lokale innstillinger\Temporary Internet Files\Content.IE5\LFB7H5CU\seksdialer[1].exe Win32/Dialer.U trojan WINGS\Mybrokenwings

    03.09.2004 20:10:49 AMON file C:\WINDOWS\sys_nt.exe Win32/Dialer.U trojan
    03.09.2004 20:10:47 AMON file C:\Documents and Settings\Mybrokenwings\Lokale innstillinger\Temporary Internet Files\Content.IE5\LFB7H5CU\seksdialer[1].exe Win32/Dialer.U trojan
    03.09.2004 20:10:45 AMON file C:\DOCUME~1\MYBROK~1\LOKALE~1\Temp\ICD1.tmp\istactivex.dll Win32/TrojanDownloader.IstBar.NAD trojan

    03.09.2004 20:10:44 AMON file C:\DOCUME~1\MYBROK~1\LOKALE~1\Temp\ICD2.tmp\ISTactivex.dll Win32/TrojanDownloader.IstBar.NAD trojan

    03.09.2004 20:10:40 AMON file C:\Documents and Settings\Mybrokenwings\Lokale innstillinger\Temporary Internet Files\Content.IE5\VUOVJXSX\seksdialer[1].exe Win32/Dialer.U trojan
    03.09.2004 20:10:39 AMON file C:\WINDOWS\sys_nt.exe Win32/Dialer.U trojan
    03.09.2004 20:10:37 AMON file C:\Documents and Settings\Mybrokenwings\Lokale innstillinger\Temporary Internet Files\Content.IE5\YH56F29W\seksdialer[1].exe Win32/Dialer.U trojan
    03.09.2004 20:10:24 AMON file C:\DOCUME~1\MYBROK~1\LOKALE~1\Temp\ICD2.tmp\istactivex.dll Win32/TrojanDownloader.IstBar.NAD trojan error occured while quarantining the object - - error while deleting - error while deleting - error while renaming - error while deleting

    03.09.2004 19:50:05 AMON file C:\Documents and Settings\Mybrokenwings\Lokale innstillinger\Temporary Internet Files\Content.IE5\YH56F29W\seksdialer[1].exe Win32/Dialer.U trojan error occured while quarantining the object - - error while deleting - error while deleting - error while deleting - error while renaming - error while deleting

    03.09.2004 18:30:32 AMON file C:\WINDOWS\sys_nt.exe Win32/Dialer.U trojan quarantined - deleted WINGS\Mybrokenwings

    03.09.2004 18:30:22 AMON file C:\DOCUME~1\MYBROK~1\LOKALE~1\Temp\ICD1.tmp\istactivex.dll Win32/TrojanDownloader.IstBar.NAD trojan quarantined - deleted
    03.09.2004 14:12:20 AMON file C:\x.exe Win32/TrojanDownloader.Small.AR trojan WINGS\Mybrokenwings

    03.09.2004 14:12:19 AMON file C:\Documents and Settings\Mybrokenwings\Lokale innstillinger\Temporary Internet Files\Content.IE5\YH56F29W\1[1].htm VBS/TrojanDropper.Inor.Z trojan
    03.09.2004 14:12:19 AMON file C:\Documents and Settings\Mybrokenwings\Lokale innstillinger\Temporary Internet Files\Content.IE5\09EFGXEF\1[1].htm VBS/TrojanDropper.Inor.Z trojan
    03.09.2004 14:12:19 AMON file C:\x.exe Win32/TrojanDownloader.Small.AR trojan
    03.09.2004 14:12:19 AMON file C:\Documents and Settings\Mybrokenwings\Lokale innstillinger\Temporary Internet Files\Content.IE5\YH56F29W\2DimensionOfExploitsEnc[1].hta VBS/TrojanDropper.Zerolin.A trojan

    03.09.2004 14:12:19 AMON file C:\Documents and Settings\Mybrokenwings\Lokale innstillinger\Temporary Internet Files\Content.IE5\OPQFWPYR\2DimensionOfExploitsEnc[1].hta VBS/TrojanDropper.Zerolin.A trojan error occured while quarantining the object - - error while renaming

    03.09.2004 14:11:33 AMON file C:\Documents and Settings\Mybrokenwings\Lokale innstillinger\Temporary Internet Files\Content.IE5\OPQFWPYR\2DimensionOfExploitsEnc[1].hta VBS/TrojanDropper.Zerolin.A trojan error while deleting - error occured while quarantining the object - - error while deleting - error while renaming

    03.09.2004 14:04:57 AMON file C:\Documents and Settings\Mybrokenwings\Lokale innstillinger\Temporary Internet Files\Content.IE5\LFB7H5CU\exploit[1].htm probably modified trojan HTML/Exploit.Mht.A deleted WINGS\Mybrokenwings


    Hope that can also help some

    Edit: I am now doing a number 2 scan with Trend Micro and also with Nod32, then I will reboot into security mode and do Ad-Aware and Spysweeper and Spybot and delete cookies and such, and post here when done
     
    Last edited: Sep 3, 2004
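    Added example (not from the thread or from Eset): a small Python parser for NOD32 AMON log lines in the format posted above. It uses a subset of those lines as constructed sample input, separates cleaned, failed and detect-only entries, and flags paths that keep reappearing, which is the pattern that points to a dropper or startup entry rather than a file that simply needs deleting once more.

```python
"""Parse NOD32 2.x AMON log lines like the ones posted above and summarise
which objects were cleaned, which cleanups failed, and which objects keep
reappearing (a hint that something else on the system re-creates them)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the AMON log lines posted in this thread.
SAMPLE_LOG = r"""
03.09.2004 20:10:50 AMON file C:\WINDOWS\Downloaded Program Files\WinadX.dll Win32/TrojanDownloader.Small.NAS trojan WINGS\Mybrokenwings
03.09.2004 20:10:49 AMON file C:\WINDOWS\sys_nt.exe Win32/Dialer.U trojan
03.09.2004 20:10:39 AMON file C:\WINDOWS\sys_nt.exe Win32/Dialer.U trojan
03.09.2004 20:10:24 AMON file C:\DOCUME~1\MYBROK~1\LOKALE~1\Temp\ICD2.tmp\istactivex.dll Win32/TrojanDownloader.IstBar.NAD trojan error occured while quarantining the object - - error while deleting - error while deleting - error while renaming - error while deleting
03.09.2004 18:30:32 AMON file C:\WINDOWS\sys_nt.exe Win32/Dialer.U trojan quarantined - deleted WINGS\Mybrokenwings
03.09.2004 14:04:57 AMON file C:\Documents and Settings\Mybrokenwings\Lokale innstillinger\Temporary Internet Files\Content.IE5\LFB7H5CU\exploit[1].htm probably modified trojan HTML/Exploit.Mht.A deleted WINGS\Mybrokenwings
"""

LINE_RE = re.compile(
    r"^(?P<date>\d\d\.\d\d\.\d{4}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<module>\S+) (?P<kind>\S+) "
    r"(?P<path>[A-Za-z]:\\.*?) "  # non-greedy: the path may contain spaces
    r"(?P<threat>probably modified trojan \S+/\S+|\S+/\S+ trojan)"
    r"(?: (?P<rest>.*))?$"  # optional action text and/or DOMAIN\user
)

def parse_line(line):
    """Return a dict for one log line, or None if it is not an AMON entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    tokens = (rec.pop("rest") or "").split()
    # A trailing DOMAIN\user token is the account AMON was running under.
    rec["user"] = tokens.pop() if tokens and "\\" in tokens[-1] else None
    rec["action"] = " ".join(tokens)
    if "error" in rec["action"]:
        rec["status"] = "cleanup_failed"   # quarantine/delete/rename failed
    elif "deleted" in rec["action"]:
        rec["status"] = "cleaned"
    else:
        rec["status"] = "detected_only"    # access blocked, nothing removed yet
    return rec

def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]

def summarise(records):
    """Per path: hit count, threat names, and whether any cleanup failed."""
    by_path = defaultdict(lambda: {"hits": 0, "threats": set(),
                                   "failed": False, "cleaned": False})
    for r in records:
        s = by_path[r["path"]]
        s["hits"] += 1
        s["threats"].add(r["threat"])
        s["failed"] |= r["status"] == "cleanup_failed"
        s["cleaned"] |= r["status"] == "cleaned"
    return dict(by_path)

def recurring(summary):
    """Paths detected more than once: the ones to hunt a dropper or startup
    entry for, rather than deleting the file yet again."""
    return sorted(p for p, s in summary.items() if s["hits"] > 1)
```

    In the sample, sys_nt.exe is cleaned at 18:30 and detected twice more at 20:10, which is exactly the "it keeps coming back" symptom discussed later in the thread.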
  8. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Mybrokenwings,

    I am not finding any information on the sys_nt.exe, WinadX.dll or seksdialer[1].exe files. Even though NOD has detected them, (and if you still have them) can you zip up a copy of the files and submit them to this email addy:
    samples AT nod32.com (replace the AT with @ and remove the spaces)
    Include a link to this thread in the body of the email, please.

    You may have to have all files and folders viewable. To do that, follow these instructions:
    How to Show Hidden Files and Folders

    ----
    Once you are finished the scans you are doing now, you can follow these ones also for clearing your temp folders while you're still in safe mode.

    Once in safe mode, bring up Task Manager (ctrl+alt+del keys) and check that none of these files are running. If they are, then right-click on them and choose End Process, and close Task Manager.

    Next, empty your Temp folders' contents:

    C:\Windows\Temp folder. Open the Temp folder and go to Edit -> Select All then Edit -> Delete to delete the entire contents of the Temp folder (do not delete the Temp folder itself)

    C:\Documents and Settings\ <user's name>\Local Settings\Temp folder. Open the Temp folder and go to Edit -> Select All then Edit -> Delete to delete the entire contents of the Temp folder (do not delete the Temp folder itself)

    Open Internet Explorer -> Control Panel > Internet Options. On the General tab under "Temporary Internet Files" click "Delete Files". Put a check by "Delete Offline Content" and click OK. Now click the "Delete Cookies" button and click OK.

    Then do another scan with NOD, Ad-Aware and Spybot S&D (if you have that one too).

    Reboot your computer normally and scan once again with NOD while still disconnected from the internet.

    Then come back and let us know how you made out.

    Regards,

    snap
     
    Last edited: Sep 3, 2004
  9. Mybrokenwings

    Mybrokenwings Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    14
    The only one I could find was the sys_nt.exe. I have zipped it up and mailed it to that email address you gave me..
    Trend Micro didn't find anything now, neither did Nod32, so time to manually make sure in safe mode..
     
  10. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Well that sounds much better. :)

    Just to make sure on the sys_nt.exe file, you can upload it for a scan at Jotti's Malware Scan as a double-check. If the scan comes back as infected (please post back here what the results are), then delete the sys_nt.exe file in the C:\Windows folder (you may only be able to delete it in safe mode, but check first that it isn't running in Task Manager, then try deleting it).

    snap
     
  11. Mybrokenwings

    Mybrokenwings Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    14
    Ok.. I did as you said and now everything is back.. :'(

    It's not long ago since I actually reinstalled Windows and I would hate to do all that again..


    Edit

    I mean it's strange the sys file keeps coming back (after reboot, that is)

    With it the site www.buldog-search.com comes (and from there the sys files come),
    so if I would make a wild guess there is some kind of registry or whatever lurking around ; ; :'(

    Edit again: do NOT open that page unless you want to be infected with the same as me... I only wrote it here so we could more easily find out information about it
     
    Last edited: Sep 3, 2004
  12. Mybrokenwings

    Mybrokenwings Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    14
    Ok, now the sys does not reappear anymore (I rebooted)
    Now it seems only the buldog thing is left; 2 files reappear in my temp folder. Shall I send them to that email address too?
    I also checked them with that online checker; it came back as not infected, but I know different since it reappears in the temp folder after reboot, and when I delete it (first removing it from Task Manager) then buldog stops appearing as the start page..
     
    Last edited: Sep 3, 2004
  13. Mybrokenwings

    Mybrokenwings Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    14

    Heh, well it's already deleted and it won't reappear again, but it is sent to that email you provided..
     
  14. Mybrokenwings

    Mybrokenwings Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    14
    Ok, I have fixed it!

    *Dances like a wild hamster*

    I deleted it... and I used a program called "Startup manager" to remove it from the startup process, so now it won't make that file which bugs me and sets my homepage to that buldog thing. And infects me.. :D :D :D :D
     
  15. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi MyBrokenWings,

    I have read through your posts.


    Just to be sure EVERYTHING is gone and your system is TOTALLY clean, can you do the following after installing the latest Nod32 2.12.2 from www.nod32.com:


    Step 1. Install Zone Alarm (free) – Firewall with visual outgoing alerts to see what is trying to access the internet.
    http://www.zonelabs.com


    Step 2. Install, update and run Spybot Search and Destroy (free) – Spyware removal and protection, with registry monitor.
    http://beam.to/spybotsd


    Step 3. Install, update and run Adaware (free) – Spyware removal. What Spybot Search and Destroy doesn’t pick up, this will.
    http://www.lavasoftusa.com


    Step 4. Install and run CWShredder available here:
    https://www.wilderssecurity.com/showthread.php?t=14086


    Step 5. Download Stinger available here: do NOT run this YET.
    http://vil.nai.com/vil/stinger/


    Step 6. Turn OFF System Restore, this process depends on your operating system:

    Windows XP Instructions

    1. Right click on the "My Computer" icon on the Windows desktop
    2. Click "Properties"
    3. Click on the "System Restore"
    4. Place a tick in "Turn off System Restore on all Drives"
    5. Click OK
    6. Close and restart your system.


    OR


    Windows ME Instructions

    1. Right click on the "My Computer" icon on the Windows desktop
    2. Click "Properties"
    3. Click on "Performance"
    4. Click "File system"
    5. Click "Troubleshooting"
    6. Check "Disable system restore"
    7. Click on OK
    8. Close and restart your system.

    Step 7. Delete your TEMP files by doing the following: open up Internet Explorer> Tools> Internet Options> General TAB> Temporary Internet Files> Delete Files> Delete All Offline Content.


    Step 8. Restart your system again in “Safe Mode” by pressing/tapping F8 while booting up


    Step 9. Go to the Nod32 Control Centre and click on the “Nod32” module, usually found below the IMON module in the left hand window of the control centre.

    In the right hand window click on “In-depth analysis”

    If the scan finds a “Probable NewHeur_PE virus found”, please do the following:

    1. Place a tick in the Quarantine check-box
    2. Select Delete
    3. Send the quarantined file to Eset: samples@nod32.com this file can be found here: C> Program files> Eset> Infected


    Step 10. Run a scan with “Stinger” the program you downloaded above.


    Step 11. Reboot your system into normal mode.


    Step 12. Run a further online scan found here: http://housecall.trendmicro.com/


    Step 13. Make sure your Windows is FULLY up-to-date by doing the following: While on the Internet, Click on Internet Explorer (the Blue “e”), Click on Tools (on the bar at the top of your screen in Internet Explorer), Click on Windows Update. This will take you to the Microsoft Windows Update page where you need to follow the on screen prompts, starting with “Scan for Updates”. Install ALL “Critical Updates” and “Service Packs”. WEEKLY – check this is “Up to Date”.


    When everything is clean, it is recommended that you turn System Restore back on.


    REPEAT ALL THE ABOVE STEPS, this time EVERYTHING should come up clean…


    Now that your system is clean you may want to take a look here for further discussion on security:

    https://www.wilderssecurity.com/showthread.php?t=45284&page=1&pp=25

    and here for more:

    https://www.wilderssecurity.com/showthread.php?t=43117

    Hope this helps…

    Let us know how you go…

    Cheers :D
     
    Last edited: Sep 4, 2004
  16. Mybrokenwings

    Mybrokenwings Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    14
    Hey, thanks a bunch ^^ I think no one has ever helped as much with this frustrating matter. I am off now to do what you said.. I also still have that buldog trojan in a zip if you want it. To that email, that is.
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    No thanks, not me personally ;)

    Can you send the file to Eset: samples@nod32.com and place a link to this thread. If you do not hear from Eset within 3 days (allows for weekends), please advise us here...

    Let us know how you go…

    Cheers :D
     
    Last edited: Sep 3, 2004
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    Last edited: Sep 3, 2004
  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  20. Mybrokenwings

    Mybrokenwings Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    14
    Ok, I did as you told me. Nod32 found another trojan which it quarantined and deleted. Besides that, almost clean

    The shredder program found something it called a part of a malicious program; I think it was located here

    C:\Windows\copyfsqt.exe
    It said it was unsure what to do with it, and so am I heh..

    Oh, and you said I was to check a box in Nod32; I couldn't find that box, could you please post a screenshot of it? So much easier.. =X
     
  21. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Delete it, it's related to a search webpage.

    See here for setting up Nod32, and ticking "Quarantine".

    https://www.wilderssecurity.com/showthread.php?t=37509

    When your system first comes up clean, having run all the steps I have advised, please re-run the entire process again, just to be sure...

    Cheers :D
     
  22. Mybrokenwings

    Mybrokenwings Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    14
    That I have done umm 3 times now (before you said so), so I would guess it's not needed again heh
    Thanks a lot for all the help hehe
     
  23. Mybrokenwings

    Mybrokenwings Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    14
    Ok, I read up on that thread and it seems a lot has changed since I don't have the pop3 window and such >_> I downloaded the newest version from their site but it still looks different.. >_>
     
  24. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    It will be slightly different because it was a Beta of the current version you now have, but you will get the gist of it on how to set up Nod32...

    Glad your system is now clean.

    Have you taken a look at the other threads I mentioned regarding security?

    Cheers :D
     
  25. Mybrokenwings

    Mybrokenwings Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    14
    Yes, I have looked at em heh...
    Thanks again ^^
     