I’ve just spent the last two days trying to get rid of Spyware and Malware and now I’m left with this Trojan Dialer that I just can’t seem to get rid of. I’ve been trawling the forum for the answers and getting nowhere fast, yet seeing the same or similar questions. So I thought I’d post this in the hope someone could give a conclusive solution. (Phew, need a lie down after all those big words.)
Right, So the situation:
Running Windows XP
Service pack 2 (sp2)
Avast 4.7 (with the latest updates as of 15-Oct-2006)
Zone Alarm 6.5.731
Windows is fully updated too
Avast is coming up with an alert that a trojan is being downloaded from hxxp://d,mettere,net.
(Please note: if anyone posts a link to a dodgy (bad) site, make sure it is broken, i.e. use commas instead of “.”)
Note: this is a good thing, it means Avast! is stopping the virus being downloaded.
The downside is it doesn’t seem to get rid of the dialer (the thing trying to download the Trojan in the first place).
So I tried various spyware removal tools (Norton {which the Yahoo toolbar lets you use for free}, Counterspy, full Norton SystemWorks {free trial}).
I then did a boot scan with Avast! (after reading a post on this forum)
Then Downloaded EWIDO’s AVG Anti Spyware 7.5 and ran that.
And I still have these D@mn alerts popping up telling me it’s still trying to download the Trojan. And this after every program I’ve run has ripped out several various Trojans, Trojan dialers, Spyware, Malware, tracking cookies etc.
I do apologize if this is a bit long winded but I’m hoping to save someone the effort of going through all the various paths by being as precise and informative as I can.
Thank you in Advance
P.S. AVG is now joining in by intermittently popping up with alerts about Trojan.Dialer.qs
The alerts popping up aren’t an indication that you have the dialler on your system; the connection is dropped by web shield so the file/element isn’t downloaded. If you keep visiting the site you will keep getting the alert. If it, the dialler, isn’t on your system, avast can’t get rid of it.
If you aren’t visiting the site, then you have something else on your system that is initiating the connection.
What is your connection method?
If it isn’t dial-up, although you might be susceptible to the trojan, you shouldn’t suffer the potential of connection to a premium rate tel number.
What is your firewall?
A good firewall should offer protection against unauthorised outbound internet connections.
Did you run Ewido, a.k.a. AVG Anti-Spyware, from safe mode? That is the preferred option.
That is strange. I don’t get any alerts from this forum, obviously, and I just visited howstuffworks.com with no alerts. I can’t check gmail (able to visit the home page though) as I don’t use it. That is with Firefox and NoScript, but scripts are allowed for this forum and temp allowed for howstuffworks; I tried these with Maxthon and no problems with the three sites.
So it sounds like something else might be going on behind the scenes. What is the exact file/object that is being detected? Check the avast Log Viewer (right click the avast icon); the Warning section should provide full details of virus name, file name and path/url.
The ‘http:// d dot mettere dot net’ link doesn’t check out with the DrWeb link checker and returns a weird error if you try to visit it. I assume I have interpreted the url you obscured correctly?
The site/page may have been taken down. How were you trying to connect to it, or was it a connection you didn’t initiate?
You could also try an online scan with Kaspersky, which will probably tell you if there is any more malware on your system (although it won’t remove it, so make a note of any malware files detected).
And the F-Secure list. (I didn’t rename anything because I don’t know what I’m doing.)
As for Kaspersky, I haven’t run it yet as it will take about 5 hours to complete. (3 min for 10%)
And finally, to DavidR:
I’m using a broadband connection and I didn’t initiate any connection. The URL I gave was not complete here is the full URL hxxp://d,mettere,net/a412/a571,php?m=1&b=779&c=5 (Didn’t initiate this)
A few extras: my browser is now coming up with virus alerts, “The whole your PC is infected click here for a free scan” type thing, which I close straight away, and up pops a website for WinAntivirus 2006 (which I didn’t initiate and therefore don’t trust). I also get the odd AllMaxTravel page popping up, which again I didn’t initiate and don’t trust. These happen far less than the Avast blocking the download.
VundoFix found loads of .dll’s to remove, and removed them. Of some interest was that for winwea32 and sstqo it had to remove them after rebooting the machine.
Look2Me destroyer couldn’t find anything (but that was run after Vundo)
I ran ATF Cleaner, a nice program for clearing out junk, but I wouldn’t say anti spy/virus. (Couldn’t find the SysProtect program. Is it under a different name perhaps?)
Now I’m just waiting to see if anything will try and download or my browser gets HiJacked.
Another thing, I’ve been using Winpatrol and that has blocked a load of dll’s over the last two days. It’s a neat little program for super control over any changes to your PC. Just don’t expect miracles and the “woof” is cute but gets annoying.
Well, I seem to have fixed it, nothing for over an hour now.
Thank you both FreewheelinFrank and DavidR I really appreciate your help.
Once you’ve killed the thing that was hiding the malware, it’s worth rescanning with Ewido, AdAware, avast! etc because they often find files or traces that were hidden before.
Do you have SpywareBlaster: this provides useful protection for IE.
Firefox and Opera generally have a better security record than IE, and may help you stay spyware free.
Also make sure you have the latest version of Sun Java, and uninstall all older versions, because these can allow spyware installs.
OK, bit of a silly question, but which Sun Java, where, what version etc.? I’ve looked at their web site and don’t know what is what. To be honest I know nothing about Java.
Once you are in the clear and can think about something else, you might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.
Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.
Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
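The DropMyRights idea above (launching the browser under a copy of your own token with the admin group disabled and all privileges removed), as an added PowerShell example that is neither the DropMyRights tool nor anything posted in this thread; it assumes PowerShell 2.0 or later, and the browser path at the bottom is a placeholder:

```powershell
# Added example, not the DropMyRights tool itself: start a program under a restricted copy of the
# caller's own token (Administrators and Power Users deny-only, all privileges stripped). Assumes PowerShell 2.0+.
$src = @'
using System; using System.Runtime.InteropServices;
[StructLayout(LayoutKind.Sequential)] public struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }
[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)] public struct STARTUPINFO {
  public int cb; public string lpReserved, lpDesktop, lpTitle;
  public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
  public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError; }
[StructLayout(LayoutKind.Sequential)] public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
public static class Restrict {
  [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
  [DllImport("advapi32.dll", SetLastError=true)] public static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr tok);
  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)] public static extern bool ConvertStringSidToSid(string s, out IntPtr sid);
  [DllImport("advapi32.dll", SetLastError=true)] public static extern bool CreateRestrictedToken(IntPtr tok, uint flags,
    uint nDisable, SID_AND_ATTRIBUTES[] disable, uint nDelete, IntPtr del, uint nRestrict, IntPtr restrict, out IntPtr newTok);
  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)] public static extern bool CreateProcessAsUser(IntPtr tok,
    string app, string cmd, IntPtr pa, IntPtr ta, bool inherit, uint flags, IntPtr env, string dir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
}
'@
Add-Type -TypeDefinition $src

function Start-RestrictedProcess([string]$CommandLine) {
  $access = 0x1 -bor 0x2 -bor 0x8      # TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY
  $DISABLE_MAX_PRIVILEGE = 0x1         # CreateRestrictedToken flag: remove every privilege
  $tok = [IntPtr]::Zero
  if (-not [Restrict]::OpenProcessToken([Restrict]::GetCurrentProcess(), $access, [ref]$tok)) {
    throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
  # Well-known SIDs for BUILTIN\Administrators and BUILTIN\Power Users; Attributes is ignored for SidsToDisable
  $deny = @('S-1-5-32-544', 'S-1-5-32-547') | ForEach-Object {
    $sid = [IntPtr]::Zero
    if (-not [Restrict]::ConvertStringSidToSid($_, [ref]$sid)) { throw "ConvertStringSidToSid failed for $_" }
    $e = New-Object SID_AND_ATTRIBUTES; $e.Sid = $sid; $e.Attributes = 0; $e }
  $deny = [SID_AND_ATTRIBUTES[]]$deny
  $newTok = [IntPtr]::Zero
  if (-not [Restrict]::CreateRestrictedToken($tok, $DISABLE_MAX_PRIVILEGE, $deny.Length, $deny,
        0, [IntPtr]::Zero, 0, [IntPtr]::Zero, [ref]$newTok)) {
    throw "CreateRestrictedToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
  $si = New-Object STARTUPINFO; $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
  $pi = New-Object PROCESS_INFORMATION
  # SeAssignPrimaryTokenPrivilege is not needed because $newTok is a restricted copy of our own token
  if (-not [Restrict]::CreateProcessAsUser($newTok, $null, $CommandLine, [IntPtr]::Zero, [IntPtr]::Zero,
        $false, 0, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)) {
    throw "CreateProcessAsUser failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
  return $pi.dwProcessId
}

# Browser path is a placeholder assumption; adjust it for your machine
Start-RestrictedProcess 'C:\Program Files\Mozilla Firefox\firefox.exe'
```

Anything the launched browser writes or spawns runs with that restricted token, so a drive-by download like the one in this thread cannot write to the system folders or HKLM even when you are logged on as an administrator.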