TechSpot

Trojan.dropper and Dialer.trojan, plz help =(

By in_cold
Sep 6, 2006
  1. Hi, I've got some sort of trojan on my computer. NAV recognizes it as Trojan.dropper and Dialer.trojan, while another online scanner ID'd it as Trojan.win32.pakes and Trojan.win32.dialer.pz.

    The thing is, NAV keeps popping up warnings about files infected by this (mostly in WINDOWS\temp and also somewhere deep in Documents and Settings) and says it can't repair it and "access to the file was denied", but when I scan it says it has been repaired, and as soon as I reboot it comes back. I've tried like 5 different antivirus programs, rebooted in safe mode and turned off System Restore, but nothing has helped; it keeps coming back.

    I also get pop-ups for something called WinAntiVirusPro 2006 (adware anyone?) Are these pop-ups related to the trojans?

    I hope you guys can help me with this. I've attached my HJT log.

    Thanks in advance
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go HERE and follow the instructions exactly.

    Post fresh HJT and Ewido logs into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of in_cold only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  3. in_cold

    in_cold TS Rookie Topic Starter

    Ok now i've done all the things mentioned in the instructions.

    Though Virtumundo never managed to restart my comp; it just removed the desktop, then nothing else happened. Virtumundo_fix found a file (I forgot to note the name) which it couldn't delete, not even on reboot.
    Still getting loads of pop-ups about WinAntiVirusPro 2006. Don't know if the trojans were fixed yet.

    Ewido had some problems quarantining a file too, but you'll see that in the log.

    Thanks a lot for all the help, really appreciate it =)

    Logs attached
     
  4. howard_hopkinso


    Download the Pocket Killbox programme from HERE.

    Try running vundofix again.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following by placing a tick in the little box next to each entry (if present):

    O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)

    O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\g860093.dll (file missing)

    O2 - BHO: MSEvents Object - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\nnnmkkj.dll

    O2 - BHO: (no name) - {FA7FCE47-B85F-474E-8ADE-F3E7289AF038} - C:\WINDOWS\system32\jkhhg.dll

    O20 - Winlogon Notify: h618 - C:\WINDOWS\g1584125.dll (file missing)

    O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll

    O20 - Winlogon Notify: winowl32 - C:\WINDOWS\SYSTEM32\winowl32.dll

    Click on the fix checked button.

    Close HJT.

    Delete all files in Ewido quarantine.

    Run the killbox.exe file. When it loads, type the full path of the file you would like to delete into the field and check the "Delete file on reboot" button. Press the Delete File button (it looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

    These are the filepaths you need to enter into killbox.

    C:\WINDOWS\SYSTEM32\winowl32.dll
    C:\WINDOWS\system32\jkhhg.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

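The plan Howard gives above follows from two facts visible in the log lines: an O2 entry is a Browser Helper Object that Internet Explorer loads, and an O20 entry is a Winlogon Notify package that winlogon.exe loads at logon, whichever mode you log on in, so the DLL is already mapped before any tool runs and in-session deletion fails. jkhhg.dll is registered both ways, which is the Vundo pattern. The following Python is an added example, not code from the thread or from HijackThis: it parses the O2/O20 lines quoted in this post (copied here as a constructed sample, plus one unrelated O4 line to show that other types are skipped) and derives the same split Howard gives, HJT for every listed registration and delete-on-reboot for the Winlogon Notify DLLs that are still on disk. The regexes assume the exact HJT line layout seen in this thread.

```python
# Added example: parse HijackThis O2/O20 lines and derive a clean-up plan.
# Not part of the TechSpot thread or of HijackThis itself.
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the O2/O20 lines quoted in the thread, plus an O4 line
# (constructed) to show that entry types this example does not handle are skipped.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\g860093.dll (file missing)
O2 - BHO: MSEvents Object - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\nnnmkkj.dll
O2 - BHO: (no name) - {FA7FCE47-B85F-474E-8ADE-F3E7289AF038} - C:\WINDOWS\system32\jkhhg.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: h618 - C:\WINDOWS\g1584125.dll (file missing)
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll
O20 - Winlogon Notify: winowl32 - C:\WINDOWS\SYSTEM32\winowl32.dll
"""

# HJT layout as seen in the thread: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
_O2 = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
# "O20 - Winlogon Notify: <subkey> - <path>[ (file missing)]"
_O20 = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")


@dataclass(frozen=True)
class Entry:
    kind: str             # "O2" (Browser Helper Object) or "O20" (Winlogon Notify)
    name: str             # BHO display name or Notify subkey name
    path: str             # DLL path exactly as HJT printed it
    file_missing: bool    # registration present, DLL gone from disk
    clsid: Optional[str] = None

    @property
    def key(self) -> str:
        # Windows paths are case-insensitive; compare DLLs on a folded key.
        return self.path.lower()


def parse_hjt(text: str) -> list:
    """Return the O2/O20 entries in an HJT log; other entry types are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _O2.match(line):
            entries.append(Entry("O2", m["name"], m["path"], bool(m["missing"]), m["clsid"]))
        elif m := _O20.match(line):
            entries.append(Entry("O20", m["name"], m["path"], bool(m["missing"])))
    return entries


def dead_entries(entries):
    """Registrations whose DLL is already gone: inactive, but HJT should still
    clear them so nothing can re-point at those paths later."""
    return [e for e in entries if e.file_missing]


def winlogon_notify_dlls(entries):
    """O20 DLLs still on disk. winlogon.exe loads these at logon, so they are
    mapped before any in-session tool runs; that is the 'access denied' case."""
    return [e for e in entries if e.kind == "O20" and not e.file_missing]


def dual_registered(entries):
    """DLLs registered both as a BHO and as a Winlogon Notify package
    (the Vundo/Virtumundo pattern: jkhhg.dll in this log)."""
    bho = {e.key for e in entries if e.kind == "O2"}
    notify = {e.key for e in entries if e.kind == "O20"}
    return sorted(bho & notify)


def cleanup_plan(entries):
    """Two-step plan as in the thread: HJT removes every listed registration;
    the still-present Winlogon Notify DLLs are scheduled for delete-on-reboot
    so they are removed before winlogon maps them again."""
    return {
        "hjt_fix": [f"{e.kind} {e.name} {e.path}" for e in entries],
        "delete_on_reboot": [e.path for e in winlogon_notify_dlls(entries)],
    }


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print("dead registrations :", [e.path for e in dead_entries(found)])
    print("BHO + Notify       :", dual_registered(found))
    for step, items in cleanup_plan(found).items():
        print(f"{step}:")
        for item in items:
            print("   ", item)
```

Run against the sample, the delete-on-reboot list is exactly the two paths Howard hands to Killbox (jkhhg.dll and winowl32.dll), and nnnmkkj.dll, registered only as a BHO, is left to HJT. The "Registry data removed by an external process" error in_cold hit next is consistent with the live infection undoing the scheduled deletion, which is why a dedicated Vundo remover was the next step.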
     
  5. in_cold


    When I try to delete C:\WINDOWS\system32\jkhhg.dll with Killbox I get an error message saying something like "Registry data removed by an external process".

    I managed to remove C:\WINDOWS\SYSTEM32\winowl32.dll, but it still appears in the HJT log =S

    Log attached
     
  6. howard_hopkinso


    The jkhhg.dll file is still there. It's part of the Virtumundo infection and needs to be got rid of.

    I know you've already done this, but I'd like you to do it again.

    Download these four tools, but don't run them yet.

    Tool1 Tool2 Tool3 Tool4

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run the tools in the order they are given, in safe mode.

    Once done reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

     
  7. in_cold


    OMG, I think it actually worked this time =D. Thank you sooo much, man, I love you xD

    Log attached just in case =)
     
  8. howard_hopkinso


    Very well done.

    Have HJT fix this inactive entry.

    O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)

    Other than the above, your HJT log is clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  9. in_cold


    DONE! Thanks a lot =D

    I will add this thread to my favourites for easy access =)
     
Topic Status:
Not open for further replies.
