# Dialer.Trojan help needed

By Jkato90 · 4 replies
Sep 9, 2006
1. Each time I connect to the Internet my AntiVirus programm informs me that I have been infected with a Dialer.Trojan.I've attached the reports as you wanted.So please help me.

2. ### Jkato90TS RookieTopic Starter

Why does nobody help me?
Have I forgotten to add something?
I've done everything you mentioned.
So please help me.

3. ### howard_hopkinsoTS RookiePosts: 24,177   +19

Hello and welcome to Techspot.

Download the Pocket Killbox programme from HERE. Extract it but dont run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Delete all files in Ewido quarantine.

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

MyGlobalSearch\bar

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

54645e7cd5eb274fc4a6cd2f7fefd9da_35.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Programme\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/54645e7cd5eb274fc4a6cd2f7fefd9da_35.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{EADDD2F4-3307-4E38-9BAF-7F276E1329B1}: NameServer = 193.92.110.1 194.219.227.2<Only fix this, if it doesnt belong to your ISP.

O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Programme\MyGlobalSearch

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

This is the filepath you need to enter into killbox.

C:\WINDOWS\SYSTEM32\winmxw32.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post fresh HJT and Ewido logs, only after doing the above.

Regards Howard :wave: :wave:

This thread is for the use of Jkato90 only. Please dont post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

4. ### Jkato90TS RookieTopic Starter

I've followed your instructions and until now I haven't received other messages about dialer.trojan.

I've attached the new HJT logfile in case you want to see it.

I think it worked.

Thanks a lot

Almost forgot a folder named backups has been created at my desktop.
Should I delete it?

5. ### howard_hopkinsoTS RookiePosts: 24,177   +19

Hijack this should be in its own folder such as C:\program files\HijckThis\Hijackthis1991.exe Not in temp or on the desktop.

The backup folder on your desktop belongs to HJT and should be moved into the same directory.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

zango

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

zango.exe
54645e7cd5eb274fc4a6cd2f7fefd9da_35.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [zango] "c:\programme\zango\zango.exe"

O4 - HKLM\..\RunOnce: [My Global Search Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2

O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/54645e7cd5eb274fc4a6cd2f7fefd9da_35.exe

O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

c:\programme\zango

Run HJT and click on the config button, then the misc tools button. Click the delete file on reboot button and browse to C:\WINDOWS\SYSTEM32\winmxw32.dll
click open, you will be prompted to reboot your system, click yes.

Once your system has rebooted, turn system restore back on and rehide your protected OS file.

Post a fresh HJT log.

Regards Howard

This thread is for the use of Jkato90 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

Topic Status:
Not open for further replies.

### Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
 TechSpot Account Sign up for free, it takes 30 seconds. Already have an account? Login now. You may also...