another trojan horse dialer.28.A + CID problem...


zomas

Hi there
AVG has since today repeatedly reported problems with trojan horse dialer.28.A and trojan horse dialer.CID. I have sent the corrupted files to the AVG vault, but new ones keep on coming.
I have read some of the other threads with similar problems and have downloaded HJT, then created the log file attached.
would someone be kind enough to spend a bit of time helping me?

thanks in advance,

thomas
 
Hello and welcome to Techspot.

Go and read Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly, including the renaming of HijackThis.exe.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

Regards Howard :wave: :wave:

This thread is for the use of zomas only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 

sorry for trying to rush things :) gosh it takes some time to do all that!
so here are the HJT and AVGAS files.
i have just rebooted my computer in normal mode, so so far no virus warnings...
anything i should do next?
thanks lots for your time and help.

thomas
 
Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here > http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here > http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here > http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

iTunesSetup.exe
Win32.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fotolog.net/biscoto

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {35E3555A-9046-9F0D-675A-023421D28DEA} - C:\WINDOWS\system32\uyrpbee.dll

O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\yahjqhtw.dll

O2 - BHO: (no name) - {D939228B-F11C-427C-80E4-9EFB1E7E353A} - C:\WINDOWS\system32\geeba.dll (file missing)

O4 - HKLM\..\Run: [Win32] C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local

O4 - HKLM\..\Run: [dahomah.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dahomah.dll,ftrttbf

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there):

C:\Win32

Delete all files in AVG Antispyware quarantine.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

These are the filepaths you need to enter into killbox.

C:\WINDOWS\system32\dahomah.dll,ftrttbf
C:\WINDOWS\system32\uyrpbee.dll
C:\WINDOWS\system32\yahjqhtw.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

This thread is for the use of zomas only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 

hi,
i have been proceeding as you said, but just as i tried to reboot after entering the paths in Killbox, got prompted with the message:
"PendingFileRenameOperations Registry Data has been removed by External Process!"
i guess this is normal (?)
anyway, rebooted in normal mode, everything seems to be working fine.
find new log file attached.

many thanks again

thomas
 
I forgot to have you fix an entry, my apologies.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

iTunesSetup.exe

Close task manager.

Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111. MmVrT/iTunesSetup.exe

Click on the fix checked button.

Close HJT.

Reboot your system.

Other than the above, your HJT log is clean.

Delete the Killbox backups.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of zomas only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
howard,
everything has been working fine for a few days, but i am now experiencing new malware problems.
AVG antispyware keeps on notifying me of a malware from deluxe communication. it has installed itself under program files, so i have tried to uninstall it, but had to enter a security code and then was notified that all my browser windows would be closed to uninstall the program. i found that a bit dodgy so didn't go any further...
what can i do?

thanks for your help,

thomas
 
Please post fresh HJT and AVG Anti-spyware logs.

Regards Howard :)

This thread is for the use of zomas only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 

here we go.
my computer is being reaaally slow by now... thinking of just formatting the hard drive and starting fresh.
please find the log files attached,

thanks

thomas
 
Where the hell do you keep getting this crap from lol.

It appears you're not running any firewall software. This is a huge security risk.

Download and install either the free Zonealarm or free Kerio firewall programmes.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here > http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here > http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here > http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add/remove programmes in your control panel and uninstall anything to do with (if there):

DeluxeCommunications

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

Dxc.exe
cproc.exe
Update.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll

O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe

O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

O20 - AppInit_DLLs: dxclib303562752.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there):

C:\Program Files\DeluxeCommunications (delete the entire folder)

C:\WINDOWS\system32\crunner

C:\Program Files\Fichiers communs\{34685505-0AED-1036-0722-040512200021}\MyToolBar.dll

C:\Program Files\Fichiers communs\{E4685505-0AED-1036-0722-040512200021}\Update.exe

C:\Program Files\Fichiers communs\{E4685505-0AED-1036-0722-040512200021}\services.dll

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

These are the filepaths you need to enter into killbox.

C:\WINDOWS\system32\dahomah.dll

dxclib303562752.dll (you will need to find and enter the filepath for this file)

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know if you're still having problems.

Regards Howard :)

This thread is for the use of zomas only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
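An added example, not code from this thread and not part of HijackThis itself: a small Python triage script that parses HijackThis log lines of the kind Howard has zomas fix in his two removal posts above (the R0/R1/R3, O2, O4, O9 and O20 entries) and tags the properties a log reviewer looks at: an entry whose file is already missing, an unnamed BHO or URLSearchHook, an autostart that loads a DLL through rundll32, a load point such as AppInit_DLLs or Winlogon Notify, and an executable living outside C:\WINDOWS and C:\Program Files. The sample log is assembled from lines quoted in the thread; the tag names, the severity rules and the trusted-root list are this example's own assumptions, not an HJT convention.

```python
import re
from dataclasses import dataclass, field

# Sample log assembled from the HijackThis lines quoted in this thread.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fotolog.net/biscoto
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: (no name) - {35E3555A-9046-9F0D-675A-023421D28DEA} - C:\WINDOWS\system32\uyrpbee.dll
O2 - BHO: (no name) - {D939228B-F11C-427C-80E4-9EFB1E7E353A} - C:\WINDOWS\system32\geeba.dll (file missing)
O4 - HKLM\..\Run: [Win32] C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local
O4 - HKLM\..\Run: [dahomah.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dahomah.dll,ftrttbf
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)
"""

# Every HJT entry starts with a section code (R0, O4, O20, ...) followed by " - ".
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# A drive-letter path runs until the next " - " separator, a comma (rundll32
# export syntax), a command-line switch, another path, or "(file missing)".
WIN_PATH = re.compile(
    r"[A-Za-z]:\\.*?(?=\s+-\s|,|\s+-[A-Za-z]|\s+\(file missing\)|\s+[A-Za-z]:\\|$)"
)
# Assumption: on an XP-era box, legitimate code lives under these two roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
HIGH = {"load-point", "rundll32-dll", "unusual-dir"}
MEDIUM = {"autostart", "bho", "unnamed", "browser-setting"}


@dataclass
class Finding:
    section: str
    body: str
    tags: list = field(default_factory=list)
    severity: str = "info"


def parse_hjt(text):
    """Yield (section, body) for every well-formed HJT line; skip anything else."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m["section"], m["body"]


def classify(section, body):
    f = Finding(section, body)
    low = body.lower()
    paths = [p.lower() for p in WIN_PATH.findall(body)]
    if "(file missing)" in low:        # left-over reference, nothing can run from it
        f.tags.append("orphaned")
    if "(no name)" in low:             # BHO/URLSearchHook with no registered name
        f.tags.append("unnamed")
    if section in ("R0", "R1", "R3"):  # start page, proxy override, search hook
        f.tags.append("browser-setting")
    if section == "O2":
        f.tags.append("bho")
    if section == "O4":                # Run-key autostart
        f.tags.append("autostart")
        if "rundll32.exe" in low and ".dll" in low:
            f.tags.append("rundll32-dll")
    if section == "O20":               # AppInit_DLLs / Winlogon Notify load points
        f.tags.append("load-point")
    if any(not p.startswith(TRUSTED_ROOTS) for p in paths):
        f.tags.append("unusual-dir")
    tags = set(f.tags)
    if "orphaned" in tags:             # still worth fixing, but it cannot execute
        f.severity = "low"
    elif tags & HIGH:
        f.severity = "high"
    elif tags & MEDIUM:
        f.severity = "medium"
    return f


def triage(text):
    return [classify(s, b) for s, b in parse_hjt(text)]


def summary(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_HJT_LOG), key=lambda f: f.severity):
        print(f"{f.severity:6} {f.section:4} {','.join(f.tags) or '-':30} {f.body[:70]}")
```

Run it against the sample and the three entries Howard treats as the real infection (the C:\Win32 autostart, the rundll32-loaded dahomah.dll, and the AppInit_DLLs entry) come out as high, while the "(file missing)" leftovers come out as low: the point is that the section code alone does not decide severity, the path and the loader do.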
 
hi
proceeded as you said but was prompted with an error message when trying to fix the checked entries in hjt. ran the program again though and all the entries mentioned were gone.
also couldn't locate dxclib303562752.dll

i'll download one of those firewalls right now (was only relying on windows firewall...)

system seems to be running ok for now...
thanks

thomas
 
Your HJT log is now clean as a whistle. Get that firewall installed asap.

You might want to take a look at this thread HERE. It will give you info on how to keep your system more secure.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of zomas only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
That's good news.

Just a quick question. Did you deliberately install the DeluxeCommunications software?

Regards Howard :)

This thread is for the use of zomas only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 