Help - I've got a Win32:Dialer-gen. Trojan!

Hi,

I’ve just had 2 alerts from Avast, the first to say:

30/06/2005 19:06:46 SYSTEM 1532 Sign of “Win32:Dialer-gen. [Trj]” has been found in “C:\WINDOWS\system32\dial.dll” file.

And the 2nd one (can’t find a record of it - I’m not very good at programs) said a system restore entry had been affected.

How do I get rid of it please?

Jorolat

Sorry but I’m in a bit of a panic at the moment. Standard Shield says "last infected C:\System Volume Information\_restore{lots of alphanumerics…}\A0069968.dll".

Haven’t gotta clue how I got infected either - anyone know what this trojan does please?

Jorolat

Calmed down a bit now… (relatively)

The info in Event Viewer says:

19.06 Sign of “Win32:Dialer-gen. [Trj]” has been found in “C:\WINDOWS\system32\dial.dll” file.

19.13 Sign of “Win32:Dialer-gen. [Trj]” has been found in “C:\System Volume Information\_restore{791C461D-AD30-48C5-AF08-8499E0A1490A}\RP193\A0069968.dll” file.

Can’t find any info on Google

Jorolat

Hi Jorolat,

You seem to have a dialer: a program which connects you to a premium rate number for your dial up connection, instead of your ISP number. They are usually installed when a web site prompts you to install a small piece of software in order to access some (usually ‘adult’) content. They lead to huge phone bills, but do not affect anybody with broadband.

Send the file to the virus vault. To get rid of the system volume warning, you will have to delete all system restore files, bearing in mind that if you do later have a problem, you won’t be able to use system restore.

Turn system restore off and on as described here:

http://www.pchell.com/virus/systemrestore.shtml

You might also want to do a scan with Ad-Aware and Spybot Search and Destroy as if you have one spyware infection you might have others…

SpywareBlaster is also recommended because it blocks the installation of dialers.

Interesting link in your signature, by the way. I’m off to read it now.

Edit: Hmm… Sounds a bit like inheritance of acquired characteristics to me.

Disable system restore and reboot, that will get rid of the system volume information_restore warning.

You don’t say what you did on receipt of the warning/s? First, don’t panic (it doesn’t help); second, do no harm (don’t automatically delete items): send them to the chest and investigate, as you are doing.

Once you have rebooted, schedule a boot-time scan; after that is complete and you are clean, you can enable system restore again.

When you say you can’t find something on google, it would help if you said what it was you were looking for.
A search for dial.dll returns 504 hits.
A search for win32:dialer-gen is likely to return fewer, as this is the Avast virus name (and some other AVs’ virus name; only 5 hits, less than helpful).
You would be wasting your time looking for the name in the _restore point as this is a name generated by windows at the time it creates the restore point (0 hits as expected), so as you can see there is a trick to searching using google.
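The two alert lines quoted earlier in the thread have a fixed shape, and the advice above turns on where the hit was found: a copy inside a restore point can only be cleared by disabling System Restore, while a live file goes to the chest. The parser below is an added example, not part of the original thread or of Avast; it reads alert lines in that quoted format, pulls out the detection name and path, and recognises the `System Volume Information\_restore{GUID}\RPnnn\` layout (accepting the missing backslash that forum formatting often eats) so each hit is sorted into the action it needs.

```python
"""Triage Avast-style alert lines: restore-point copy vs. live file."""
import re
from dataclasses import dataclass
from typing import Optional

# Alert format exactly as quoted in the thread (Avast wrote curly quotes).
ALERT_RE = re.compile(
    r'Sign of [“"](?P<name>[^”"]+)[”"] has been found in [“"](?P<path>[^”"]+)[”"] file\.'
)
# Restore-point copies: <drive>:\System Volume Information\_restore{GUID}\RPnnn\...
# The backslash before _restore is optional because forum markup often swallows it.
RESTORE_RE = re.compile(
    r'^[A-Za-z]:\\System Volume Information\\?_restore\{(?P<guid>[0-9A-Fa-f-]{36})\}\\RP(?P<rp>\d+)\\',
    re.IGNORECASE,
)

@dataclass
class Detection:
    name: str
    path: str
    restore_point: Optional[int]   # RPnnn number when the hit is a restore-point copy
    action: str

def parse_alert(line: str) -> Optional[Detection]:
    """Return a Detection for an alert line, or None for any other log line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    name, path = m.group("name"), m.group("path")
    rp = RESTORE_RE.match(path)
    if rp:
        return Detection(name, path, int(rp.group("rp")),
                         "restore-point copy: disable System Restore, reboot, re-enable")
    return Detection(name, path, None, "live file: move to chest, then boot-time scan")

def triage(lines):
    """Group every parsed alert by the action it requires."""
    plan = {}
    for line in lines:
        d = parse_alert(line)
        if d:
            plan.setdefault(d.action, []).append(d)
    return plan

# Constructed sample: the two alerts quoted in the thread plus one unrelated line.
SAMPLE_LOG = [
    '19.06 Sign of “Win32:Dialer-gen. [Trj]” has been found in “C:\\WINDOWS\\system32\\dial.dll” file.',
    '19.13 Sign of “Win32:Dialer-gen. [Trj]” has been found in “C:\\System Volume Information_restore{791C461D-AD30-48C5-AF08-8499E0A1490A}\\RP193\\A0069968.dll” file.',
    'Avast service started',
]

if __name__ == "__main__":
    for action, hits in triage(SAMPLE_LOG).items():
        print(action)
        for d in hits:
            print("   ", d.name, "->", d.path)
```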

Thank you Frank and David :slight_smile:

First, I’m glad I’m on broadband!

When this event occurred:

19.06 Sign of “Win32:Dialer-gen. [Trj]” has been found in “C:\WINDOWS\system32\dial.dll” file.

It appears that I selected “delete” - if dial.dll is a legitimate dll should I download a copy from somewhere?

When the event below occurred I sent it to the chest - I guess I still have to lose my previous restore points though!

19.13 Sign of “Win32:Dialer-gen. [Trj]” has been found in “C:\System Volume Information\_restore{791C461D-AD30-48C5-AF08-8499E0A1490A}\RP193\A0069968.dll” file.

I have the latest SpywareBlaster definitions enabled & Spybot found nothing (although I’ve only just run it). An Ad-Aware scan is in progress as I type.

I recently opened a new tiscali email account which is now downloading 2 to 6 emails containing Win32:Swen [Wrm] warnings per day. The last week or so I’ve been frantically searching all over the net for a solution to svchost constantly accessing my hard drive. I’ve downloaded programs to help me with this but I haven’t knowingly been to any adult websites (no interest!).

I first used win32:dialer-gen on google but then just ‘win32 dialer’ - was out of my depth with the returns so I came here :slight_smile:

Ad-Aware has found nothing, although there are 25 objects in an/the MRU list.

Frank,

Although at first glance there may appear to be a connection with “inheritance of acquired characteristics”, the link below explains why there isn’t (it’s only a few paragraphs long):

An Error In Associating Lamarck With ‘Adaptive Mutations’?
http://members.aol.com/jorolat/laam.html

Thank you both again for helping!

Jorolat

Just had a thought - I’ve been having problems trying to get stunnel working with gmail, could the trojan have entered this way?

Jorolat

I’ve done the boot-time scan & no infected files were found - hooray!

I got a lot of “error 42125” for java files though, plus “File C:\hiberfil.sys Error 0xC0000022”.

More problems ‘sigh’

Jorolat :slight_smile:

It’s not really a problem - it’s normal. You don’t have to worry about them.

When using Google for virus-related stuff it is often better to search on the infected file name, since there is no standard convention for virus naming; hence win32.dialer-gen is not very helpful: it is a dialer, and the -gen is less than helpful.

Virus writers/distributors are speculative, and it doesn’t matter that you are not on dial-up: the virus arrives, but you would be immune to its costly premium rate effect by not being on dial-up.

MRU (Most Recently Used) lists are negligible, just lists of last used files.

I would suggest that you use an anti-spam tool that can delete emails from the server. I use MailWasher Pro (paid); you can use the free version, but that only copes with one email account (which should be ok for this case) and it obviously won’t cover your gmail account.

Not only does MailWasher filter spam, I can also see suspicious emails and flag them for deletion. Once I have done any manual intervention, if required, I click Process Mail; it then deletes the flagged emails from the email servers and calls my default email program. I then only download the emails I left un-flagged in MailWasher, so it also cuts down on the number of emails downloaded and the time taken.

Sorry I have no experience of stunnel.

Cor! Good news for a change - thanks Igor :slight_smile:

Jorolat

Thank you again David, an informative and useful post!

Apparently stunnel will enable Avast to scan gmail, but it’s low down on my list of priorities at the moment.

It’s 10.30 pm here and I’m pretty tired - but I’m very glad this trojan has been sorted out :slight_smile:

Jorolat