TechSpot

another trojan horse dialer.28.A + CID problem...

By zomas
Oct 6, 2006
  1. Hi there
    AVG has since today repeatedly reported problems with trojan horse dialer.28.A and trojan horse dialer.CID. I have sent the corrupted files to the AVG vault, but new ones keep on coming.
    I have read some of the other threads with similar problems and have downloaded HJT, then created the log file attached.
    Would someone be kind enough to spend a bit of time helping me?

    thanks in advance,

    thomas
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go and read Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly, including the renaming of HijackThis.exe.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of zomas only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. zomas

    zomas TS Rookie Topic Starter

    Sorry for trying to rush things :) Gosh, it takes some time to do all that!
    So here are the HJT and AVGAS files.
    I have just rebooted my computer in normal mode, so far no virus warnings...
    Anything I should do next?
    Thanks lots for your time and help.

    thomas
     
  4. howard_hopkinso

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    iTunesSetup.exe
    Win32.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fotolog.net/biscoto

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: (no name) - {35E3555A-9046-9F0D-675A-023421D28DEA} - C:\WINDOWS\system32\uyrpbee.dll

    O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\yahjqhtw.dll

    O2 - BHO: (no name) - {D939228B-F11C-427C-80E4-9EFB1E7E353A} - C:\WINDOWS\system32\geeba.dll (file missing)

    O4 - HKLM\..\Run: [Win32] C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local

    O4 - HKLM\..\Run: [dahomah.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dahomah.dll,ftrttbf

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\Win32

    Delete all files in AVG Antispyware quarantine.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    These are the filepaths you need to enter into killbox.

    C:\WINDOWS\system32\dahomah.dll,ftrttbf
    C:\WINDOWS\system32\uyrpbee.dll
    C:\WINDOWS\system32\yahjqhtw.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

     
  5. zomas

    Hi,
    I have been proceeding as you said, but just as I tried to reboot after entering the paths in Killbox, I got prompted with the message:
    "PendingFileRenameOperations Registry Data has been removed by External Process!"
    I guess this is normal (?)
    Anyway, rebooted in normal mode, everything seems to be working fine.
    Find the new log file attached.

    many thanks again

    thomas
     
  6. howard_hopkinso

    I forgot to have you fix an entry, my apologies.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    iTunesSetup.exe

    Close task manager.

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111. MmVrT/iTunesSetup.exe

    Click on the fix checked button.

    Close HJT.

    Reboot your system.

    Other than the above, your HJT log is clean.

    Delete the Killbox backups.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  7. zomas

    Howard,
    Everything has been working fine for a few days, but I am now experiencing new malware problems.
    AVG Antispyware keeps on notifying me of a malware from Deluxe Communication. It has installed itself under Program Files, so I have tried to uninstall it, but had to enter a security code and then was notified that all my browser windows would be closed to uninstall the program. I found that a bit dodgy so didn't go any further...
    What can I do?

    thanks for your help,

    thomas
     
  8. howard_hopkinso

    Please post fresh HJT and AVG Anti-spyware logs.

    Regards Howard :)

     
  9. zomas

    Here we go.
    My computer is being really slow by now... thinking of just formatting the hard drive and starting fresh.
    Please find the log files attached,

    thanks

    thomas
     
  10. howard_hopkinso

    Where the hell do you keep getting this crap from lol.

    It appears you're not running any firewall software. This is a huge security risk.

    Download and install either the free Zonealarm or free Kerio firewall programmes.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to add remove programmes in your control panel and uninstall anything to do with (if there).

    DeluxeCommunications

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    Dxc.exe
    cproc.exe
    Update.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll

    O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

    O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe

    O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

    O20 - AppInit_DLLs: dxclib303562752.dll

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\Program Files\DeluxeCommunications Delete the entire folder.

    C:\WINDOWS\system32\crunner

    C:\Program Files\Fichiers communs\{34685505-0AED-1036-0722-040512200021}\MyToolBar.dll

    C:\Program Files\Fichiers communs\{E4685505-0AED-1036-0722-040512200021}\Update.exe

    C:\Program Files\Fichiers communs\{E4685505-0AED-1036-0722-040512200021}\services.dll

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    These are the filepaths you need to enter into killbox.

    C:\WINDOWS\system32\dahomah.dll

    dxclib303562752.dll You will need to find and enter the filepath for this file.

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know if you're still having problems.

    Regards Howard :)

     
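The removal posts above (posts 4 and 10) all follow the same pattern: HijackThis reports a registry reference (an O2 BHO CLSID, an O4 Run value, an O20 AppInit_DLLs or Winlogon Notify module), HJT removes the reference, and the file behind it is then deleted, either directly or on reboot with Killbox. As an added example that is not from this thread and is not HijackThis or Killbox code, the following Python parses HJT log lines of the kinds listed in those posts into structured records and derives the two lists a helper hands back: full paths that can be deleted from disk, and directory-less module names (such as the AppInit_DLLs entry) that still have to be located. It treats "(file missing)" entries as dangling references with nothing to delete, keeps rundll32.exe itself since the payload is the DLL it is given, and treats the ",export" suffix on the rundll32 line as an argument rather than part of the file name. The last function shows how a delete-on-reboot tool records deletions in the PendingFileRenameOperations REG_MULTI_SZ, the value Killbox's warning in post 5 refers to: if something clears that value before the reboot, the deletions never happen. The sample log lines are constructed from the entries quoted in this thread; the record fields, helper names and the LOADERS set are the example's own assumptions.

```python
"""Parse HijackThis (HJT) log lines and derive the clean-up lists a helper
hands back: which files to delete from disk, which names still need locating,
and how a delete-on-reboot tool encodes those deletions in the registry.
Added example; field names and helper functions are this example's own."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample built from the entries Howard asked to have fixed in
# this thread. The R0 line has no file behind it, so it needs no disk action.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fotolog.net/biscoto
O2 - BHO: (no name) - {35E3555A-9046-9F0D-675A-023421D28DEA} - C:\WINDOWS\system32\uyrpbee.dll
O2 - BHO: (no name) - {D939228B-F11C-427C-80E4-9EFB1E7E353A} - C:\WINDOWS\system32\geeba.dll (file missing)
O4 - HKLM\..\Run: [Win32] C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local
O4 - HKLM\..\Run: [dahomah.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dahomah.dll,ftrttbf
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)
"""

MISSING = " (file missing)"
# A drive-letter path ending in an executable extension; directory segments
# may contain spaces, so matching stops at the first extension, not at a space.
PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]+?\.(?:exe|dll|sys|scr|com|bat)\b',
    re.IGNORECASE)
# A module name with no directory, as AppInit_DLLs and Winlogon Notify list them.
BARE_RE = re.compile(r'(?<![\\\w.])([\w-]+\.(?:exe|dll|sys))\b', re.IGNORECASE)
# O4 lines look like: hive\..\key: [value name] command line
O4_RE = re.compile(r'(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)')
# Legitimate host binaries that malware hands a payload to (assumed set): the
# payload, not the loader, is what gets deleted.
LOADERS = {"rundll32.exe", "regsvr32.exe"}


@dataclass
class Entry:
    kind: str                    # HJT section code: R0, O2, O4, O20 ...
    raw: str
    file_missing: bool           # HJT could not find the file: orphan reference
    paths: List[str] = field(default_factory=list)       # full on-disk paths
    bare_names: List[str] = field(default_factory=list)  # names without a directory


def parse_line(line: str) -> Entry:
    kind, _, body = line.partition(" - ")
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)]
    if kind == "O4":
        m = O4_RE.match(body)
        if m:
            body = m.group(4)    # the command line only, not the value name
    return Entry(kind=kind, raw=line, file_missing=missing,
                 paths=PATH_RE.findall(body), bare_names=BARE_RE.findall(body))


def parse_log(text: str) -> List[Entry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def files_to_delete(entries: List[Entry]) -> List[str]:
    """Paths to remove from disk once HJT has fixed the registry side.
    '(file missing)' entries are dangling references with nothing to delete;
    for rundll32 lines the DLL argument is the target, and the ',export'
    suffix after the comma is an argument, not part of the file name."""
    out: List[str] = []
    for e in entries:
        if e.file_missing:
            continue
        for p in e.paths:
            if p.rsplit("\\", 1)[-1].lower() not in LOADERS and p not in out:
                out.append(p)
    return out


def names_to_locate(entries: List[Entry]) -> List[str]:
    """Modules referenced by name only; their directory has to be found
    (Windows resolves them via the DLL search path) before they can be deleted."""
    return sorted({n for e in entries if not e.file_missing for n in e.bare_names})


def pending_file_rename_value(paths: List[str]) -> List[str]:
    """REG_MULTI_SZ that MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) stores in
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations:
    (NT-style source path, target) pairs, an empty target meaning 'delete'.
    Session Manager applies the list early in boot, before the DLL can be
    loaded again; if another process clears the value first, nothing is deleted."""
    value: List[str] = []
    for p in paths:
        value.append("\\??\\" + p)
        value.append("")
    return value


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(f"{e.kind:3} missing={e.file_missing!s:5} paths={e.paths} bare={e.bare_names}")
    print("delete:", files_to_delete(entries))
    print("locate:", names_to_locate(entries))
    print("PendingFileRenameOperations:", pending_file_rename_value(files_to_delete(entries)))
```

Running the module prints one record per log line followed by the delete list, the locate list and the registry value a reboot-deletion of those files would leave behind. The parser works on the line formats shown in this thread; HJT has other section types, and a real log would need the same treatment extended to them.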
  11. zomas

    Hi,
    Proceeded as you said, but was prompted with an error message when trying to fix the checked entries in HJT. Ran the program again though, and all the entries mentioned were gone.
    Also couldn't locate dxclib303562752.dll.

    I'll download one of those firewalls right now (was only relying on Windows Firewall...)

    System seems to be running OK for now...
    Thanks

    thomas
     
  12. howard_hopkinso

    Your HJT log is now clean as a whistle. Get that firewall installed asap.

    You might want to take a look at this thread HERE. It will give you info on how to keep your system more secure.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  13. zomas

    Firewall installed and went through the other thread.
    All seems good :)
    Many cheers and thanks
     
  14. howard_hopkinso

    That`s good news.

    Just a quick question. Did you deliberately install the DeluxeCommunications software?

    Regards Howard :)

     
Topic Status:
Not open for further replies.
