TechSpot

Trojan Horse Dialer.BZB, Generic.WUE

By pavilion
Aug 29, 2006
  1. Hi, I've been having problems with two Trojan viruses - Trojan Dialer.BZB and Generic.WUE.
    I get frequent dialing from my comp and AVG keeps popping up saying I have a virus, but even if I manage to heal them, it keeps coming back. I have included a HJT log.

    I appreciate all the help I can get so Cheers
     


  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your version of HJT is out of date. The current version is 1.99.1.

    Go HERE and follow the instructions exactly.

    Post a fresh HJT log into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of pavilion only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. pavilion

    pavilion TS Rookie Topic Starter

    Ok, I have the latest HijackThis and have posted a log file.
     


  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Go and follow the instructions in the link I gave you.

    Your system is infected with some nasties.

    Post a fresh HJT log, only after you have completed the above.

    regards Howard :)
     
  5. pavilion

    pavilion TS Rookie Topic Starter

    Still Problems...

    Hi, I did what you told me up to step 3 - and it told me to post an ewido log if I still have problems. ewido helped to clear a few things up, but like AVG, the trojans keep coming back.

    I am now in the process of downloading all those programs and using all of them, and after that I will post a fresh HJT log. Speak to you then.
     
  6. pavilion

    pavilion TS Rookie Topic Starter

    Looking Good..

    Hi,
    Well everything seems to work fine now after using all those programs - no more spyware symptoms! :D
    Hopefully I can keep it this way and thanks for your help :grinthumb

    P.S. I have posted a HJT log like you said.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You're running a completely unpatched version of Windows. This is a huge security risk. You should run Windows updates and install at least service pack 1 and preferably service pack 2.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    npkcsvc

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    npkcsvc.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O9 - Extra button: Trucchi console - {FF4D2994-6575-4F03-A5C6-6559C8793A07} - C:\windows\System32\shdocvw.dll

    O9 - Extra 'Tools' menuitem: Trucchi console - {FF4D2994-6575-4F03-A5C6-6559C8793A07} - C:\windows\System32\shdocvw.dll

    O20 - Winlogon Notify: keXX32 - C:\windows\SYSTEM32\keXX32.dll

    O20 - Winlogon Notify: winymy32 - C:\windows\SYSTEM32\winymy32.dll

    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\windows\System32\npkcsvc.exe

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    These are the file paths you need to enter into killbox.

    C:\windows\SYSTEM32\winymy32.dll

    C:\windows\SYSTEM32\keXX32.dll

    C:\windows\System32\npkcsvc.exe

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of pavilion only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  8. pavilion

    pavilion TS Rookie Topic Starter

    Fresh HJT

    Hello again,

    I've done what you told me and I'm posting a fresh HJT log.

    By the way, I tried deleting the file C:\windows\SYSTEM32\keXX32.dll with killbox several times, but it keeps coming back? Is this the file that's giving me all these troubles?
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, that's the only nasty file you have left on your system as far as I can see.

    Do the following.

    Download haxfix.exe.
    http://users.telenet.be/marcvn/tools/haxfix.exe

    Save it to your desktop.
    Double click on haxfix.exe to extract all files in a folder on the desktop.

    Open the folder haxfix and start fix.bat. This will open a red dos window (dos box).

    You get this message:

    At this point please type the following: keXX <- the first 4 characters, see above.
    avpe etc....

    Press Enter to continue with the fix.

    If an infection is found, you'll get a message to close all other open windows.

    Close them, except the red DOS window from haxfix and press Enter.
    The computer will reboot.

    After reboot, a new red dos window will open.

    This message will appear:

    At this point please type the following: keXX

    Press Enter to continue with the fix.

    When the red dos window closes, the fix is ready.

    Post the contents of the logfile c:\haxfix.txt along with a fresh HJT log.

    Regards Howard :)
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It seems there's a new version of Haxfix.

    So, here are the revised instructions.

    Download haxfix.exe.
    Save it to your desktop.
    Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
    Checkmark "Create a desktop icon".
    Click "Next".
    When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
    Click "Finish".
    A red "dos window" (dos box) will open.

    Select option 2. Run auto fix by typing 2, and then pressing Enter.
    If an infection is found, you'll get a message to close all other open windows.
    Close them, except the red dos window from haxfix and then press Enter.
    The computer will reboot.
    After reboot a logfile will open. Save that log.

    Post the Haxfix log and a fresh HJT log.

    Regards Howard :)
     
  11. pavilion

    pavilion TS Rookie Topic Starter

    haxfix

    Hello - it's been a while, but I finally used that haxfix program. Unfortunately it didn't delete the kexx file, which was strange because in the logfile it says it had identified it? However there doesn't seem to be any spyware/virus symptoms, which is great. I've posted the haxfix log and a fresh HJT log just in case.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The nasty Kexx entry is still there.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run the Haxfix again.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O20 - Winlogon Notify: keXX32 - C:\windows\SYSTEM32\keXX32.dll

    Click on the fix checked button.

    Close HJT.

    Run HJT again and click on the config button, followed by the misc tools button. Click the delete file on reboot button and browse to C:\windows\SYSTEM32\keXX32.dll
    Click open; you will be prompted to restart your computer, click yes.

    Once your computer has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of pavilion only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  13. pavilion

    pavilion TS Rookie Topic Starter

    Bad Messenger Virus

    Hello again. I still couldn't get rid of that kexx entry, but even worse, I've gotten myself into trouble again and I have another one infecting the comp.

    It started when one of my messenger contacts sent me a msg saying 'lol look at this etc. (link)'. Of course stupid me had to click it and now I have a very nasty virus that gives me a lot of problems, e.g. several popups, I give out the same msg in messenger, major lag issues, modified desktop etc.

    I remember how last time I did all those scans, so I followed all those instructions again; however it only managed to get rid of the popups and not the other symptoms. I've posted a HJT log, which includes a few unfixed items just so you know what I'm dealing with. Thanks
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Go HERE and follow the instructions exactly.

    Post a fresh HJT and Ewido log as attachments into this thread, only after doing the above.

    Regards Howard :)

    This thread is for the use of pavilion only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  15. pavilion

    pavilion TS Rookie Topic Starter

    HJT log & Ewido

    Here is my fresh HJT & Ewido log. At the moment I don't see the usual symptoms; however, knowing those nasties, they could come back at any moment. There does seem to be an error message I get at startup though:

    'Error loading w2a031aa.dll
    The specified module could not be found'

    Thanks again for the help
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download haxfix.exe from http://users.telenet.be/marcvn/tools/haxfix.exe
    Save it to your desktop.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    msgs.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O4 - HKLM\..\Run: [tkqc3a4f] RUNDLL32.EXE w2a031aa.dll,n 004c3a4b0000000a2a031aa

    O20 - Winlogon Notify: keXX32 - C:\windows\SYSTEM32\keXX32.dll

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there):

    C:\Program Files\MSN Messenger\msgs.exe

    Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files)

    When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
    A red "dos window" (dos box) will open.
    This message will appear:

    Insert the haxdoor notify subkey without the numbers,
    and then press enter:

    At this point please type the following: keXX
    Press Enter to continue with the fix.

    If an infection is found, you'll get a message to close all other open windows.
    Close them, except the red dos window from haxfix and press Enter.

    The computer will reboot, turn system restore back on and rehide your protected OS files.

    After reboot find the logfile c:\haxfix.txt.
    Post the contents of c:\haxfix.txt as an attachment, along with a fresh HJT log.

    Regards Howard :)

    This thread is for the use of pavilion only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
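    The HJT entries quoted in this post and in post 7 above (O4 Run, O9 Extra button, O20 Winlogon Notify, O23 Service) share one layout: a section code, a kind/name pair, and the file the entry loads. The small triage script below is an added example, not code from the thread, HijackThis, Haxfix or Killbox; it parses those exact lines (copied from the two posts as sample input) and separates the registry-side fix (the O-entries HJT removes) from the files that still have to be deleted afterwards, which is the distinction Howard's Killbox list in post 7 makes. The regular expressions and the class layout are my assumptions about the log format, taken from the lines on this page only.

```python
import re
from dataclasses import dataclass

# Sample input, copied from the HJT entries quoted in posts 7 and 16 of this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [tkqc3a4f] RUNDLL32.EXE w2a031aa.dll,n 004c3a4b0000000a2a031aa
O9 - Extra button: Trucchi console - {FF4D2994-6575-4F03-A5C6-6559C8793A07} - C:\windows\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Trucchi console - {FF4D2994-6575-4F03-A5C6-6559C8793A07} - C:\windows\System32\shdocvw.dll
O20 - Winlogon Notify: keXX32 - C:\windows\SYSTEM32\keXX32.dll
O20 - Winlogon Notify: winymy32 - C:\windows\SYSTEM32\winymy32.dll
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\windows\System32\npkcsvc.exe
"""


@dataclass
class HjtEntry:
    section: str   # "O4", "O9", "O20", "O23"
    kind: str      # "Run", "Extra button", "Winlogon Notify", "Service", ...
    name: str      # Run value name, notify subkey, service name, button caption
    path: str      # file path or command line the entry loads
    extra: str = ""  # hive, CLSID or vendor string, where the line carries one


# O4 lines carry a command line after the [value name]; the command may itself contain " - ",
# so it gets its own pattern instead of the generic " - " split used for the other sections.
_O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


def parse_line(line):
    """Turn one HJT log line into an HjtEntry, or None for blank/unrecognised lines."""
    line = line.strip()
    if not line:
        return None
    m = _O4_RE.match(line)
    if m:
        return HjtEntry("O4", "Run", m.group("name"), m.group("cmd"), m.group("hive"))
    parts = line.split(" - ")
    if len(parts) < 3:
        return None
    kind, _, name = parts[1].partition(": ")
    # Last field is the file; anything between it and the kind/name is vendor or CLSID text.
    return HjtEntry(parts[0], kind, name.strip(), parts[-1], " - ".join(parts[2:-1]))


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def rundll32_dll(cmd):
    """For a Run command of the form 'RUNDLL32.EXE name.dll,entry args', return the DLL name.

    This is the shape of the O4 line above; once the DLL is deleted but the Run value is not,
    Windows reports 'Error loading <name>.dll' at logon, as post 15 in this thread shows.
    """
    m = re.match(r"^rundll32(?:\.exe)?\s+([^,\s]+)", cmd, re.IGNORECASE)
    return m.group(1) if m else None


def files_to_review(entries):
    """Files loaded by O20 (Winlogon Notify) and O23 (Service) entries.

    Fixing an entry with HJT removes only the registry reference; the DLL or EXE stays on
    disk until deleted separately, which is why the thread follows HJT with Killbox.
    O9 entries are left out on purpose: both here point at shdocvw.dll, the shell's own
    library, so the registration is what needs removing, not the file.
    """
    seen = []
    for e in entries:
        if e.section in ("O20", "O23") and e.path not in seen:
            seen.append(e.path)
    return seen


def by_section(entries):
    """Group entries by section code so a log can be read as 'what does each hook load'."""
    groups = {}
    for e in entries:
        groups.setdefault(e.section, []).append(e)
    return groups


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for section, items in sorted(by_section(entries).items()):
        for e in items:
            print(f"{section:4} {e.kind:22} {e.name:18} -> {e.path}")
    print("files still on disk after the HJT fix:", files_to_review(entries))
```

    Running the block as a script lists each hook with the file it loads and then the three file paths Killbox was given in post 7, in the order the O20/O23 lines appear. The script only reads text; it touches neither the registry nor the file system, so it is safe to run over any saved HJT log to see what a fix would leave behind.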
     
  17. pavilion

    pavilion TS Rookie Topic Starter

    haxfix log

    Here is the haxfix logfile as you asked.. All seems to be well
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's good news.

    Please post a fresh HJT log as requested.

    Regards Howard :)
     
  19. pavilion

    pavilion TS Rookie Topic Starter

    HJT log

    Oh yes, I forgot. Here is the HJT log.
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I have merged your other thread into this one.

    Well done, your HJT log is now clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of pavilion only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  21. pavilion

    pavilion TS Rookie Topic Starter

    I will, thanks a lot Howard :giddy:
     
  22. pavilion

    pavilion TS Rookie Topic Starter

    Infection - Unable to reboot normally

    Hello again - As you may have guessed, I have another problem with more nasties. The problem isn't necessarily mine, as it is my sister's laptop that is infected, and I think it is the same one as last time (msn trojan).

    However, this time I cannot start Windows normally as it boots into a blue screen which says a physical memory dump is taking place - and when it finishes nothing happens, thus not allowing me to connect to the net from the laptop.

    Hopefully you'll be able to help me get past that - as the rest will probably be the same as last time.
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Can you boot the laptop into safe mode with networking?

    If so, follow these instructions.

    If not, it may be time for a reformat and reinstall.

    Regards Howard :)

    This thread is for the use of pavilion only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  24. pavilion

    pavilion TS Rookie Topic Starter

    Hi, I managed to reboot normally, so I followed those instructions. I've attached the ewido and HJT log for you to inspect.
     
  25. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That HJT log is clean.

    Are you still having problems with your sister's laptop?

    Regards Howard :)

    This thread is for the use of pavilion only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.
