Trojan.dropper and Dialer.trojan, plz help =(

Status
Not open for further replies.
Hi, I've got some sort of trojan on my computer. NAV recognizes it as Trojan.dropper and Dialer.trojan, while some other online scanner ID'd it as Trojan.win32.pakes and Trojan.win32.dialer.pz.

The thing is, NAV keeps popping up warnings about files infected by this (mostly in WINDOWS\temp and also somewhere deep in Documents and Settings) and says it can't repair it and "access to the file was denied", but when I scan it says it has been repaired, but as soon as I reboot it comes back. I've tried like 5 different antivirus programs, rebooted in safe mode and turned off System Restore, but nothing has helped; it keeps coming back.

I also get pop-ups for something called WinAntiVirusPro 2006 (adware, anyone?). Are these pop-ups related to the trojans?

I hope you guys can help me with this; I've attached my HJT log.

Thanks in advance
 
Hello and welcome to Techspot.

Go HERE and follow the instructions exactly.

Post fresh HJT and Ewido logs into this thread, only after doing the above.

Regards Howard :wave: :wave:

This thread is for the use of in_cold only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OK, now I've done all the things mentioned in the instructions.

Though Virtumundo never managed to restart my comp; it just removed the desktop, then nothing else happened. Virtumundo_fix found a file, which I forgot to note the name of, which it couldn't delete, not even on reboot.
Still getting loads of pop-ups about WinAntiVirusPro 2006. Dunno if the trojans were fixed yet.

Ewido had some problems quarantining a file too, but you'll see that in the log.

Thanks a lot for all the help, really appreciate it =)

Logs attached
 
Download the Pocket Killbox programme from HERE.

Try running vundofix again.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to them (if present).

O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)

O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\g860093.dll (file missing)

O2 - BHO: MSEvents Object - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\nnnmkkj.dll

O2 - BHO: (no name) - {FA7FCE47-B85F-474E-8ADE-F3E7289AF038} - C:\WINDOWS\system32\jkhhg.dll

O20 - Winlogon Notify: h618 - C:\WINDOWS\g1584125.dll (file missing)

O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll

O20 - Winlogon Notify: winowl32 - C:\WINDOWS\SYSTEM32\winowl32.dll

Click on the fix checked button.

Close HJT.

Delete all files in Ewido quarantine.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

These are the filepaths you need to enter into killbox.

C:\WINDOWS\SYSTEM32\winowl32.dll
C:\WINDOWS\system32\jkhhg.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

This thread is for the use of in_cold only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
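Added example, not from this thread and not from the HijackThis or Killbox authors: a small Python parser for the O2 (BHO) and O20 (Winlogon Notify) lines of an HJT log such as the entries Howard lists above. It separates the "(file missing)" entries, which are dead registry references that only need ticking in HJT, from the DLLs HJT still found on disk, which is the kind of list a delete-on-reboot tool like Killbox is pointed at. The class and function names are my own; the sample lines are copied from the post above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed input: the HJT log lines quoted in Howard's post above (the O2/O20 entries he asked HJT to fix).
HJT_LINES = r"""
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\g860093.dll (file missing)
O2 - BHO: MSEvents Object - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\nnnmkkj.dll
O2 - BHO: (no name) - {FA7FCE47-B85F-474E-8ADE-F3E7289AF038} - C:\WINDOWS\system32\jkhhg.dll
O20 - Winlogon Notify: h618 - C:\WINDOWS\g1584125.dll (file missing)
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll
O20 - Winlogon Notify: winowl32 - C:\WINDOWS\SYSTEM32\winowl32.dll
"""
# O2 = Browser Helper Object loaded into IE; O20 = DLL loaded by winlogon.exe at logon (hence "in use" until reboot).
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+?)(?P<missing> \(file missing\))?$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

@dataclass
class HjtEntry:
    section: str            # "O2" or "O20"
    name: str               # BHO display name or Winlogon Notify subkey name
    clsid: Optional[str]    # only O2 entries carry a CLSID
    path: str               # DLL path exactly as HJT printed it
    file_missing: bool      # HJT could not find the file: only a dead registry reference is left

def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse the O2 and O20 lines of a HijackThis log; lines from other sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = _O2.match(line) or _O20.match(line)
        if m:
            section = line.split(" ", 1)[0]                      # "O2" or "O20"
            clsid = m.groupdict().get("clsid")                   # absent for O20 lines
            entries.append(HjtEntry(section, m["name"], clsid, m["path"], bool(m["missing"])))
    return entries

def inactive_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries whose DLL is already gone, so ticking them in HJT ("fix checked") is all that is needed."""
    return [e for e in entries if e.file_missing]

def files_on_disk(entries: List[HjtEntry]) -> List[str]:
    """Distinct DLL paths HJT still found on disk: candidates for a delete-on-reboot tool such as Killbox."""
    seen, paths = set(), []
    for e in entries:
        if not e.file_missing and e.path.lower() not in seen:   # Windows paths are case-insensitive
            seen.add(e.path.lower())
            paths.append(e.path)
    return paths
```

Run on the lines above it yields three dead entries to tick in HJT and three DLLs still on disk (jkhhg.dll is listed under both sections but counted once).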
 
When I try to delete C:\WINDOWS\system32\jkhhg.dll with Killbox I get an error message saying something like "Registry data removed by an external process".

I managed to remove C:\WINDOWS\SYSTEM32\winowl32.dll, but it still appears in the HJT log =S

Log attached
 
The jkhhg.dll file is still there. It's part of the Virtumundo infection and needs to be got rid of.

I know you've already done this, but I'd like you to do it again.

Download these four tools, but don't run them yet.

Tool1 Tool2 Tool3 Tool4

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Run the tools in the order they are given, in safe mode.

Once done, reboot into normal mode, turn System Restore back on and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

This thread is for the use of in_cold only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OMG, I think it actually worked this time =D. Thank you sooo much, man, I love you xD

Log attached just in case =)
 
Very well done.

Have HJT fix this inactive entry.

O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)

Other than the above, your HJT log is clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of in_cold only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 