Win32/Dialer.U Trojan - HELP!

Discussion in 'NOD32 version 2 Forum' started by eks, Sep 1, 2006.

Thread Status:
Not open for further replies.
  1. eks

    eks Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    2
    I don't know if this is new or not; NOD is identifying it as such (Win32/Dialer.U Trojan), but I get way different stuff than from this thread:

    https://www.wilderssecurity.com/showthread.php?t=46701&highlight=win32/dialer.u trojan

    I really can't identify where this bastard is. It seems to work only when a browser is running (Firefox or Internet Explorer). It tries to connect to this address:

    htp://d.mettere.net/a412/a571.php?m0&b=779&c=2

    which from a whois search yields a server in the USA owned by a Chinese company in Hong Kong.

    It somehow creates:

    . a win*.tmp.exe in windows/temp (* being 3 random letters/numbers)

    . and another file in documents and settings/user/local settings/temporary internet files, with the name "a412/a571.php?m0&b=779&c=2" and the internet address "htp://d.mettere.net/a412/a571.php?m0&b=779&c=2"


    I have zipped it and will be sending it to samples@nod32.com soon. I will also try Blackspear's long solution now, but I'm afraid it might not work, since the post is from 2004, and even that mettere.net domain was registered 05/2006.

    Also, I've already tried Spybot Search and Destroy and Ad-Aware and they don't show anything wrong. Task Manager and HijackThis don't show anything weird either, and neither does the in-depth scan from NOD. Only when the virus/trojan activates itself does NOD block it. It places a copy of itself in the above mentioned places. Other than that, I've cleaned all caches and cookies of both browsers and I still cannot find where he's coming from!

    One other thing that might be useful: the only thing that NOD deleted on the probable day of infection was this:

    C:\System Volume Information\_restore{9E779849-8953-46EC-8D11-D86EA82AA0C9}\RP34\A0002558.exe - Win32/TrojanDropper.Agent.ASL trojan - deleted


    Please help! :(




    eks
     
    Last edited: Sep 1, 2006
  2. ASpace

    ASpace Guest

    Eks, the Wilders Security forum no longer supports HijackThis log file analysis:
    https://www.wilderssecurity.com/showthread.php?t=42148

    Please remove your log by editing your post, or your post will be removed by Moderators/Administrators.


    Make sure your NOD32 is updated.
    The latest signature version is 1.1734.

    Then go through BlackSpear's tutorial to set up NOD32 for maximum protection and automatic work.

    Then, as shown, boot into Safe Mode and scan.
    Safe Mode is a special Windows mode where only a few things are loaded, and most viruses/spyware can't load in that mode. When so, AV software can easily kill the viruses. How to boot into Safe Mode

    Go to Start->Programs->ESET->NOD32
    Go to the Profiles tab and make sure you use the Control Center Profile
    When so, make sure you set NOD32 to scan all your hard drives and push Scan&Clean

    NOD32 will automatically take care of everything ;)

    Reboot in Normal Mode.

    I would also recommend you scan with Ewido AntiSpyware (www.ewido.net), Ad-Aware SE Personal (www.lavasoftusa.com) and the Panda ActiveScan online scanner (www.activescan.com).

    There is one more thing about "SR in XP" which I am not allowed to say, so I hope someone else will post it.

    If this doesn't help, try the general removal instructions by Blackspear here:
    https://www.wilderssecurity.com/showthread.php?t=50662

    Good luck :thumb:
     
  3. eks

    eks Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    2
    no good :/

    Tried everything, running NOD in Safe Mode with maximum security settings and advanced heuristics, and it did not get rid of the threat. It did detect the .exe in windows/temp, but upon reset it continued popping up. Also tried Stinger, which BlackSpear mentioned, but it didn't detect anything (probably because NOD got them first).

    Even with no single sign of the threat, my computer is still infected :(

    I've also tried http://housecall.trendmicro.com/ now; it starts but then closes the browser without further notice.

    I'm proceeding with the last option, the format c:... :'(


    eks
     
  4. ASpace

    ASpace Guest

  5. aroon7651

    aroon7651 Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    4
    Hi eks


    Name: Dialer.U
    Risk Level: high
    Description: Dialer.U is a dialer which when executed is used to dial a high-cost phone number using a modem. Removal of this dialer is advisable if it is not installed for a purpose.
    Type: Dialer
    Also known as: Trojan.Win32.Dialer.u Win32/SilentCaller.Z [eTrust-Vet]
    Removal: This infection can be removed using Spyware Doctor.
    http://www.pctools.com/spyware-doctor/
     