Topic: Win32:dialer-gen -> What to do?

ZenZan
Win32:dialer-gen -> What to do?
« on: October 15, 2006, 11:29:41 PM »
Hi,

I've just spent the last two days trying to get rid of spyware and malware, and now I'm left with this Trojan dialer that I just can't seem to get rid of. I've been trawling the forum for the answers and getting nowhere fast, yet seeing the same or similar questions. So I thought I'd post this in the hope someone could give a conclusive solution. (Phew, need a lie down after all those big words.)

Right, so the situation:

Running Windows XP
Service pack 2 (sp2)
Avast 4.7 (with the latest updates as of 15-Oct-2006)
Zone Alarm 6.5.731
Windows is fully updated too

Avast is coming up with an alert that a trojan is being downloaded from hxxp://d,mettere,net.

(Please note: if anyone posts a link to a dodgy (bad) site, make sure it is broken, i.e. use commas instead of dots.)

Note: this is a good thing; it means Avast! is stopping the virus being downloaded.
The downside is it doesn't seem to get rid of the dialer (the thing trying to download the Trojan in the first place).

So I tried various spyware removal tools (Norton {which the Yahoo toolbar lets you use for free}, Counterspy, full Norton SystemWorks {free trial}).

I then did a boot scan with Avast! (after reading a post on this forum)

Then downloaded Ewido's AVG Anti-Spyware 7.5 and ran that.

And I still have these D@mn alerts popping up telling me it's still trying to download the Trojan. And this after every program I've run has ripped out several various Trojans, Trojan dialers, spyware, malware, tracking cookies etc.

I do apologize if this is a bit long-winded, but I'm hoping to save someone the effort of going through all the various paths by being as precise and informative as I can.

Thank you in advance.

P.S. AVG is now joining in by intermittently popping up with alerts about Trojan.Dialer.qs.
« Last Edit: October 15, 2006, 11:32:06 PM by ZenZan »

DavidR
Re: Win32:dialer-gen -> What to do?
« Reply #1 on: October 15, 2006, 11:42:47 PM »
The alerts popping up aren't an indication that you have the dialler on your system; the connection is dropped by web shield, so the file/element isn't downloaded. If you keep visiting the site you will keep getting the alert. If it, the dialler, isn't on your system, avast can't get rid of it.

If you aren't visiting the site, then you have something else on your system that is initiating the connection.

What is your connection method?
If it isn't dial-up, although you might be susceptible to the trojan, you shouldn't suffer the potential of connection to a premium-rate tel number.

What is your firewall?
A good firewall should offer protection against unauthorised outbound internet connections.

Did you run Ewido, a.k.a. avgas, from safe mode? That is the preferred option.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
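The check DavidR's second point implies (something on the machine, not the user, is initiating the connection) as an added example, not code from this thread or from avast: it joins the PID column of `netstat -ano` output to `tasklist` output, both available on Windows XP, to name the process behind a connection to a given remote address. The sample output, the process name unknownproc.exe and the 203.0.113.45 address are constructed; the alerted hostname would first have to be resolved to an address, since netstat shows addresses, not names.

```python
import re
# Constructed sample output shaped like `netstat -ano` and `tasklist` on Windows XP
# (not captured from the poster's machine); 203.0.113.45 is a documentation
# address standing in for whatever the alerted hostname resolves to.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1044      64.233.167.99:80       ESTABLISHED     1520
  TCP    192.168.1.10:1051      203.0.113.45:80        SYN_SENT        2836
  TCP    192.168.1.10:1052      203.0.113.45:80        SYN_SENT        2836
  UDP    192.168.1.10:123       *:*                                    1072
"""
TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
svchost.exe                 1072 Console                 0      4,512 K
firefox.exe                 1520 Console                 0     41,300 K
unknownproc.exe             2836 Console                 0      2,144 K
"""
# UDP rows carry no State column, so that group is optional.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

def parse_netstat(text):
    """One dict per connection row: proto, local, remote, state, pid."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "state": state or "", "pid": int(pid)})
    return rows

def parse_tasklist(text):
    """Map PID -> image name; header and separator rows do not match the regex."""
    return {int(m.group(2)): m.group(1).strip()
            for m in map(TASKLIST_RE.match, text.splitlines()) if m}

def owners_of_remote(netstat_text, tasklist_text, remote_ip):
    """Processes holding or attempting a connection to remote_ip -> [(pid, image, state)]."""
    images = parse_tasklist(tasklist_text)
    hits = {}
    for row in parse_netstat(netstat_text):
        if row["remote"].rsplit(":", 1)[0] == remote_ip:
            hits.setdefault(row["pid"], (images.get(row["pid"], "<unknown>"), row["state"]))
    return [(pid, img, st) for pid, (img, st) in sorted(hits.items())]

if __name__ == "__main__":
    for pid, image, state in owners_of_remote(NETSTAT_SAMPLE, TASKLIST_SAMPLE, "203.0.113.45"):
        print(f"PID {pid}  {image}  {state}")
```

A connection attempt (SYN_SENT) from a process that is not the browser is the kind of result that turns repeated web shield alerts into a concrete file to investigate; a rootkit can hide both the process and its socket from these tools, which is why the rootkit scan suggested later in the thread still matters.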

ZenZan
Re: Win32:dialer-gen -> What to do?
« Reply #2 on: October 15, 2006, 11:48:15 PM »
Hi DavidR thanks for the quick response.

I'm using Zone Alarm as a firewall.

As for the pages that bring up the alerts: HowStuffWorks, Gmail and this forum. (I guess this is not site-related.)

I haven't tried AVG in safe mode; I'll do so now.

DavidR
Re: Win32:dialer-gen -> What to do?
« Reply #3 on: October 16, 2006, 12:47:43 AM »
That is strange. I don't get any alerts, obviously, from this forum, and just visited howstuffworks.com and no alerts; can't check gmail (able to visit the home page though), I don't use it. That is with Firefox and NoScript, but scripts are allowed for this forum and temp allowed for howstuffworks; tried these with Maxthon and no problems with the three sites.

So it sounds like something else might be going on behind the scenes. What is the exact file/object that is being detected? Check the avast Log Viewer (right-click the avast icon); the Warning section should provide full details of virus name, file name and path/URL.

The 'http:// d dot mettere dot net' link doesn't check out with the DrWeb link checker and returns a weird error if you try to visit it. I assume I have interpreted the URL you obscured correctly?
The site/page may have been taken down. How were you trying to connect to it, or was it a connection you didn't initiate?

FreewheelinFrank
Re: Win32:dialer-gen -> What to do?
« Reply #4 on: October 16, 2006, 09:24:39 AM »
Hi ZenZan,

Have you looked for rootkits which may be hiding malware? You can download a free rootkit scanner here:

http://www.f-secure.com/blacklight/

Could you post a HijackThis! log for us to look at please?

http://www.bleepingcomputer.com/tutorials/tutorial42.html

You could also try an online scan with Kaspersky, which will probably tell you if there is any more malware on your system (although it won't remove it, so make a note of any malware files detected).

http://www.kaspersky.com/virusscanner
Bambleweeny 57 sub-meson brain | Don't Surf in the Nude Blog

ZenZan
Re: Win32:dialer-gen -> What to do?
« Reply #5 on: October 16, 2006, 11:06:08 AM »
Ok, so here is the HijackThis log:

And the F-Secure list. (I didn't rename anything because I don't know what I'm doing.)

As for Kaspersky, I haven't run it yet, as it will take about 5 hours to complete. (3 min for 10%)

And finally, to DavidR:

I'm using a broadband connection and I didn't initiate any connection. The URL I gave was not complete; here is the full URL: hxxp://d,mettere,net/a412/a571,php?m=1&b=779&c=5 (I didn't initiate this.)

A few extras: my browser is now coming up with virus alerts, "The whole your PC is infected click here for a free scan" type thing, which I close straight away, and up pops a website for WinAntivirus 2006 (which I didn't initiate and therefore don't trust). I also get the odd AllMaxTravel page popping up, which again I didn't initiate and don't trust. These happen far less than the Avast blocking the download.

Thanks for the help, guys.

FreewheelinFrank
Re: Win32:dialer-gen -> What to do?
« Reply #6 on: October 16, 2006, 11:48:04 AM »
The BlackLight scan shows you have a program called Encrypted Magic Folders:

http://www.pc-magic.com/

Is this something you put on the computer yourself?

Some of the hidden files look very suspicious, especially ali.exe. Is this a program you recognise?

ZenZan
Re: Win32:dialer-gen -> What to do?
« Reply #7 on: October 16, 2006, 12:18:08 PM »
Encrypted Magic Folders is a program I installed, and I've had it for several years. So I'm sure it's OK.

As for ali.exe, I've no idea what it is or where it is from. Do I rename that one? What happens if it is something I needed?

FreewheelinFrank
Re: Win32:dialer-gen -> What to do?
« Reply #8 on: October 16, 2006, 12:39:58 PM »
It may well be part of Encrypted Magic Folders, so I would leave it, as it is something you installed yourself.

There are some removal tools here that I suspect may find something:

http://www.atribune.org/

Try the SysProtect Remover, Look2Me-destroyer and VundoFix tools. I think one of these will find the hidden spyware you have on your system.

EDIT: instructions for Look2Me-destroyer:

http://www.atribune.org/content/view/28/2/
« Last Edit: October 16, 2006, 01:05:44 PM by FreewheelinFrank »

ZenZan
Re: Win32:dialer-gen -> What to do?
« Reply #9 on: October 16, 2006, 02:54:48 PM »
Right, so far so good.

VundoFix found loads of .dlls to remove, and removed them. Of some interest was that for winwea32 and sstqo it had to remove them after rebooting the machine.

Look2Me-destroyer couldn't find anything (but that was run after VundoFix).

I ran ATF Cleaner, a nice program for clearing out junk, but I wouldn't say anti-spy/virus. (Couldn't find the SysProtect program. Is it under a different name perhaps?)

Now I'm just waiting to see if anything will try and download or my browser gets HiJacked.

Another thing: I've been using WinPatrol, and that has blocked a load of dlls over the last two days. It's a neat little program for super control over any changes to your PC. Just don't expect miracles, and the "woof" is cute but gets annoying.

Well, seem to have fixed it; nothing for over an hour now.

Thank you both, FreewheelinFrank and DavidR; I really appreciate your help.
« Last Edit: October 16, 2006, 02:59:19 PM by ZenZan »

FreewheelinFrank
Re: Win32:dialer-gen -> What to do?
« Reply #10 on: October 16, 2006, 03:08:47 PM »
Glad we could help!

Once you've killed the thing that was hiding the malware, it's worth rescanning with Ewido, AdAware, avast! etc because they often find files or traces that were hidden before.

Do you have SpywareBlaster? This provides useful protection for IE.

Firefox and Opera generally have a better security record than IE, and may help you stay spyware free.

Also make sure you have the latest version of Sun Java, and uninstall all older versions, because these can allow spyware installs.

EDIT: Typo.
« Last Edit: October 16, 2006, 03:46:53 PM by FreewheelinFrank »

ZenZan
Re: Win32:dialer-gen -> What to do?
« Reply #11 on: October 16, 2006, 03:26:40 PM »
Ok, bit of a silly question, but which Sun Java, where, what version etc.? I've looked at their web site and don't know what is what. To be honest I know nothing about Java.

FreewheelinFrank
Re: Win32:dialer-gen -> What to do?
« Reply #12 on: October 16, 2006, 03:42:59 PM »
http://www.java.com/en/download/index.jsp

Uninstall older versions from Control Panel Add/Remove.

ZenZan
Re: Win32:dialer-gen -> What to do?
« Reply #13 on: October 16, 2006, 03:44:57 PM »
Aaah, so it's UNinstall older versions. Now it makes sense. Cool!
Many thanks.

FreewheelinFrank
Re: Win32:dialer-gen -> What to do?
« Reply #14 on: October 16, 2006, 03:46:08 PM »
Sorry, typo.