
trojan horse dialer.17.H

Discussion in 'Virus & Other Malware Removal' started by starchild, Feb 2, 2005.

Thread Status:
Not open for further replies.
  1. starchild

    starchild Thread Starter

    Joined:
    Sep 17, 2002
    Messages:
    2,111
    This showed up in AVG scan this morning, says it's in:

    sporder.dll (icon with a question mark).... trojan horse dialer.17.H

    Before this, the AVG auto updator had come on, but didn't connect and download any new files, so I finally closed it. Don't know if this is related.

    I have an old computer (I'm using now) I've been trying to fix up, I can't get to connect over 28800 bps- so it's very slow and draggy. I'm using that one now, looking for info about the trojan. (Otherwise I would have done more searching about it before asking)

    I did find the trojan in google, a security discussion forum where some are writing about it, from the past few days. Also other trojans with similar names. Apparently AVG can't get rid of it, and if the file sporder.dll is deleted after that the computer won't connect to the internet.

    The suggestions given were very long and complex, downloading various programs, and disabling system files. Seemed really complicated and hard to follow to me.

    I stopped the AVG scan, since it doesn't take it out, and now running STINGER (which I downloaded the beginning of Jan).

    Decided to ask about it here, and see if I can find something more simple and direct. Like a program to download to take it out? Maybe one of the online scans like Housecall?

    When it's done scanning I'll scan it with Hijack this, and post it. I also have CWShredder I can run.

    Since AVG runs in the background and puts up a warning if a file has a virus (and it's aware of this virus, if it shows up in the scan) I wonder why it didn't warn about it whenever I got it?

    I wanted to ask about it here, in the meantime, while I run scans.

    It says "dialer" does that mean if I go online with that computer, someone (somewhere) will be able to tap into my internet connection and make calls?

    My first reaction to seeing a virus is panic, so I'm trying to stay cool and just do things to resolve it. I panic because I really don't know, and don't know that much about it.

    Thanks,

    Carrie
     
  2. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    The Dialer.Trojan may install itself onto the system. It uses the modem to dial phone numbers that have a 900 area code.

    Run an online antivirus check from at least one and preferably 2 of the following sites

    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www.anti-trojan.net/en/onlinecheck.aspx



    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the exact file name and file location so you can delete it yourself.

    And please do post your hijackthis log
     
  3. starchild

    starchild Thread Starter

    Joined:
    Sep 17, 2002
    Messages:
    2,111
    While waiting to find out more, I put sporder.dll in FIND (in the computer with the virus), since AVG hadn't finished the overall scan the first time.

    According to the info I read (elsewhere) someone had deleted this file and couldn't go online, and AVG couldn't get rid of it.

    I found the sporder.dll file (using FIND) and right clicked it, and scan with AVG (just that file). It said it had the trojan. I clicked "move it to the vault" and it did. I was online when I did this, so I don't know if it has affected this. I didn't delete the file, AVG moved it to the vault.

    I am going to run at least one online scan now.

    Seems like this is too simple, after what I was reading about it earlier.
    ---------------------------------------------------

    I had run STINGER and it showed nothing, and CWShredder, which was clean.

    I had checked HiJackThis (earlier) and it didn't seem to have anything new in it.

    There are a few questions about it (overall) like the 2 java ones at the bottom say "file missing". I've downloaded sun java several times, trying to get it to work (I have I.E. 6 that doesn't have java with it).

    Also O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

    I saw this in another HJT log and the person was told to take it out.

    I continually have the QuickTime icon come on the taskbar (on the right, where the computer icons are). I've gone in to msconfig and unchecked it (to startup each time) and it checks itself again. Do I need quicktime to start each time? Won't it come on if and when I need it?

    Going by what others post of HJT logs, mine has hardly anything in it.

    Logfile of HijackThis v1.98.2
    Scan saved at 11:41:21 AM, on 2/2/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP PRO\WSBHO2K0.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL (file missing)

    ~ Carrie
     
  4. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
  5. starchild

    starchild Thread Starter

    Joined:
    Sep 17, 2002
    Messages:
    2,111
    Okay, I downloaded the new one.
    Do I have to take out the old one first? If so, I can't find it (in Add/Remove programs or uninstall)

    Right now I'm scanning with 2-Squared.

    In the meantime, I was looking up about sporder.dll. This is where the trojan was, and AVG said it moved it to the vault. Apparently it moved the sporder.dll file with it because I no longer have it.

    From looking in google, I see anytime this happened (that file is missing) the computer won't go online again, until it's replaced.

    I was online when I checked to move it to the vault and still online. If I go off it might not come back on again.

    Is there a place I can get and download sporder.dll and have it, like on the desktop, in case it won't go on without it?

    Or, maybe I can replace it from WINDOWS file checker that replaces missing files (from wherever they are stored)?

    You might guess, I'm not an expert on this.

    I don't want to go offline, and not be able to connect again, until I have this set up just in case.

    The HJT log will be next.

    I don't usually use 2-Squared, but it once found a new virus when the other scans didn't. It has to be updated before it can be used, (which I did)

    ~ Carrie
     
  6. starchild

    starchild Thread Starter

    Joined:
    Sep 17, 2002
    Messages:
    2,111
    HJT log (with new version)

    Logfile of HijackThis v1.99.0
    Scan saved at 3:42:49 PM, on 2/2/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YSERVER.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP PRO\WSBHO2K0.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL (file missing)

    I ran 2-Squared; it said it found one malware C:\ProgramFiles\files\submit\cityscape800x600zip\NNEZTA388.exe

    It said it was spyware and I told it to remove it.

    Didn't say anything about the trojan, which supposedly is in AVG virus vault.

    I suppose one way to find out if the sporder.dll file is needed to go back online is to go off and try. But I'd like to get this resolved (and a way to replace it, if necessary) first.

    Maybe I can run file checker first, and see? I usually run it in SAFE MODE, but want to know where and how to put the file back in, if it comes up.

    ~ Carrie
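As an added example (not from this thread, and not HijackThis's own code), here is a small Python parser for the log format quoted above. It pulls out the running-process list and the auto-start (O4) entries, flags anything marked "(file missing)", and diffs two logs so a before/after comparison like the one in this thread (v1.98.2 log, then v1.99.0 log) can be done mechanically instead of by eye. The two sample logs are constructed from trimmed lines of the logs posted above; the "after" sample drops the QuickTime entry and adds one process so the diff has something to show.

```python
"""Parse HijackThis-style logs, list O4 auto-start entries, flag missing files,
and diff two logs.  Added example; the sample logs are constructed from
trimmed lines of the logs quoted in the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, trimmed from the first log quoted in the thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.98.2
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL (file missing)
"""

# Constructed "after" sample: the QuickTime auto-start is gone and one extra
# process (YSERVER.EXE, which appears in the second log in the thread) is running.
LOG_AFTER = r"""
Logfile of HijackThis v1.99.0
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YSERVER.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL (file missing)
"""

# "R0 - ...", "O4 - ...": a letter-digit code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
# O4 registry Run-key form:  HKLM\..\Run: [Name] command line
RUN_KEY_RE = re.compile(r"^(?P<location>.+?): \[(?P<name>[^\]]+)\] (?P<command>.+)$")
# O4 Startup-folder form:    Startup: shortcut.lnk = target
STARTUP_RE = re.compile(r"^(?P<location>(?:Global )?Startup): (?P<name>.+?) = (?P<command>.+)$")


@dataclass(frozen=True, order=True)
class Entry:
    code: str
    body: str

    @property
    def file_missing(self) -> bool:
        return self.body.endswith("(file missing)")


@dataclass(frozen=True)
class AutoStart:
    location: str
    name: str
    command: str


def parse_entries(log: str) -> list[Entry]:
    """Return every coded (R0/O2/O4/...) line as an Entry, in log order."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def running_processes(log: str) -> list[str]:
    """Return the paths listed under 'Running processes:' up to the blank line."""
    procs, in_block = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_block = True
            continue
        if in_block:
            if not line:
                break
            procs.append(line)
    return procs


def autostarts(entries: list[Entry]) -> list[AutoStart]:
    """Split O4 entries into (location, name, command) for review."""
    result = []
    for e in entries:
        if e.code != "O4":
            continue
        m = RUN_KEY_RE.match(e.body) or STARTUP_RE.match(e.body)
        if m:
            result.append(AutoStart(m["location"], m["name"], m["command"]))
    return result


def missing_files(entries: list[Entry]) -> list[Entry]:
    """Entries whose target no longer exists on disk (dead hooks worth cleaning)."""
    return [e for e in entries if e.file_missing]


def diff_logs(before: str, after: str) -> dict[str, list]:
    """What changed between two logs: entries and processes added or removed."""
    b_entries, a_entries = set(parse_entries(before)), set(parse_entries(after))
    b_procs, a_procs = set(running_processes(before)), set(running_processes(after))
    return {
        "entries_added": sorted(a_entries - b_entries),
        "entries_removed": sorted(b_entries - a_entries),
        "processes_added": sorted(a_procs - b_procs),
        "processes_removed": sorted(b_procs - a_procs),
    }


if __name__ == "__main__":
    before = parse_entries(LOG_BEFORE)
    for a in autostarts(before):
        print(f"autostart {a.location!r}: {a.name} -> {a.command}")
    for e in missing_files(before):
        print(f"missing target: {e.code} - {e.body}")
    for key, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(key, [getattr(i, "body", i) for i in items])
```

The diff is keyed on the exact entry text, so a changed command line shows up as one removal plus one addition, which is usually what you want when checking whether a cleanup actually removed a hook or merely renamed it.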
     
  7. starchild

    starchild Thread Starter

    Joined:
    Sep 17, 2002
    Messages:
    2,111
    LATER:
    I found info and a few downloads that might help if the computer wouldn't go online without the sporder.dll

    I ran the system file checker and it didn't stop on anything missing. (Yet I can't find that file in WINDOWS> SYSTEMS (or SYSTEMS32). It no longer comes up in FIND (files and folders).)

    I went offline, and back on, no problem.

    Apparently the virus has been contained, and I don't need sporder.dll (so far, I haven't tried shutting down and coming back on again). Maybe the problems with going online without it were from a newer Windows? I have 98SE.

    Anyway, at this point the virus seems to be gone and I can go online. I've been reading a lot about this, elsewhere. This trojan (and similar) and problems from anti virus programs taking out the dll file and causing problems going online.

    At this point I seem to be okay.

    I was going to try and restore the file anyway, but think of the old saying "if it ain't broke, don't fix it".

    ~ Carrie
     