TechSpot

Trojan horse Pakes.U and Dialer.bzb

By Fishey
Sep 3, 2006
  1. I have a virus on my computer that AVG is detecting called "Trojan horse Pakes.U" and "Trojan horse dialer.bzb".
    AVG's usual screen comes up asking whether to heal, ignore, or place it in the vault.
    So I put it in the vault and delete the file, but 5 minutes later it comes back again.
    They are in Temporary Internet Files and the temp folder. So I deleted everything in those two folders thinking it would be gone. But no, 5 minutes later it comes up again.
    I have scanned with Lavasoft Ad-Aware Pro, AVG Free, Trojan Remover, and Spybot Search & Destroy and none of them did anything.
    How do I get rid of them?
    I have done EVERYTHING that MattJKR was told to do regarding the Pakes.U virus in his thread here.

    I have attached the HJT logfile.
    Please help, I am running out of hair to pull out.
     
  2. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    Your log is fairly clean, with a brief scan of it.

    But in any case, the reason it is still there is because it must be in use, and that is why it isn't being deleted. Or that is why it is re-creating itself (because it's still running).

    If you are sure it is in the temp folder, boot into Safe Mode and delete the temps from there. Because viewing of hidden and system files is turned on.

    You can also download and install CrapCleaner: www.ccleaner.com. Open that, go to Options, then Advanced, and UNcheck the top-most option about "files older than 48 hours".
    Then go back to the Cleaner screen and hit Run Cleaner in the bottom right. When it's done, clean again just to be sure.
    Also be sure you are logged in to the user that you're having trouble with, because ccleaner doesn't clean temps from other users. You'll have to log in to each user and run the cleaner.

    So then, after doing that in Safe Mode, see if the problem stays away.
     
  3. Fishey

    Fishey TS Rookie Topic Starter

    I have already done all of the above.
    I ran spybot search and destroy again and it found and deleted a few ad-aware things but the pakes.u and dialer.bzb are still there.

    Here's a fresh HJT log after getting rid of that crap.
     
  4. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    Ya, your log seems clean to me, I don't see anything really.

    So AVG detects those two eh? Can you give the path to the files and what the file names are?
    Also, do those files keep coming back with the SAME name or do they have different names each time?

    I am thinking the bad files must be in a service or sharedll or even a notify key in the registry. But give whatever details AVG gives you.

    You can also run a more complete virus scan from www.bitdefender.com, let us know what that finds.
     
  5. Fishey

    Fishey TS Rookie Topic Starter

    Here are the two file locations:

    C:\WINDOWS\Temp\winF6.tmp.exe

    C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OLAHUNC3\srvvbx[1].exe

    The things in bold are the areas that change.
     
  6. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    Ok, so I'm guessing that if you enter Safe Mode, you CAN find those files and delete them right?
    And then I'm guessing, even when they are deleted, you go back in Normal Mode and they come back again with a different name?
    If those points aren't right, do explain.

    If those two files are deleted but it comes back, then there is a third culprit. The bitdefender scan may reveal it, but otherwise it might be in your startups somewhere else.

    Get the program called Autoruns from http://www.sysinternals.com/Utilities/Autoruns.html
    Download it and run it (autoruns.exe). Once open, press ESC to stop the initial scan, then click the Options menu and check the option "Hide signed Microsoft entries". Once checked, click the refresh button to scan again.
    Once the scan is done, click File-Save and save that log.
    Then post the log here for us to look at. Or if you want to shorten it, tell us what you have in these tabs:
    Appinit
    Winlogon
    Services
    Logon

    (Note to anybody who wants to read the log file, it's not very clean, tab delimited, so maybe open with a spreadsheet program.)
     
  7. Fishey

    Fishey TS Rookie Topic Starter

    Yes you are right about that.
    Here is the program logfile.
     

  8. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    Ok, I see your culprit. But first here is how you can clean up your startups.

    Back in the Autoruns program, to remove a startup, click it so it is highlighted, then click the red 'X' delete button. This will permanently remove the startup item.
    Making sure that Hide Signed Entries is still checked, remove any entries that have the words "File Not Found" on them, EXCEPT for "Deskpan.dll", which always says that. So leave that one, and remove the rest. File not found obviously means the file is gone, so there is no need to leave the entry.

    Next, in the Browser Helper Objects section, you have a bad entry which, from your log, is called "{55F77B76-B5F6-4DD4-871C-CCAECBD9ADB9}" and currently points to the file "c:\windows\system32\pmkjg.dll".
    This file will likely change names like the others.

    In the UIHost section there is one called "vistaui.exe" which I could find no info about on Google. So that is suspicious unless you know what that is. Based on the name "vista+ui" it sounds like it could be a desktop enhancement maybe? Or theme? A Vista based User Interface? Not sure.

    That same pmkjg.dll file is repeated in the Notify area, which is what I was afraid of. The other file there, "winccf32.dll" is also bad.

    So what you have to do is, in normal mode, get the names of all the bad files first, their path names, etc... But do not try to delete them or even remove the startup entries at this point.

    Next reboot to Safe Mode, check Autoruns again and hopefully they all have the same names, otherwise write down the new names.

    The most important files to delete are the pmkjg.dll and winccf32.dll files, the ones from the notify key. Don't even try to delete the others yet. What you need to do is get the program called EMCO MoveOnBoot. Here is the link:

    http://www.emcohelp.com/ccp_worldwide_license_v4.0/Installation package/redir.php?link=76

    Install it and open it up. All you have to do is click the Delete Actions button, and then select to delete file(s). Next drag and drop the bad files, or browse to each one, and get them all in the list.
    Once you get them all in there, you can restart the PC back to Normal mode. Because if the files are gone, the startups won't matter. Then you can use Autoruns to clean up the leftover startup entries.

    Hope that doesn't sound too complicated. Basically we have to delete the files, then the startup entries. The problem with the entries in Notify is that they run even in Safe Mode! Which is why you have to use EMCO or HJT to delete the file on reboot.
    Hope it makes sense, I'll be checking in on you tomorrow!
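    Vigilante's triage of the Autoruns export above comes down to three checks: entries whose image path reads "File Not Found" (Deskpan.dll excepted) are stale and can be removed, anything loaded from the Winlogon Notify key needs attention first because it runs even in Safe Mode, and the Browser Helper Objects section gets a close look. As an added example that is not part of this thread, the Python script below runs those checks over a constructed tab-delimited Autoruns-style log; the column layout (location, entry, description, publisher, image path) and the sample rows are assumptions for the example, not a documented Autoruns format.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample in a tab-delimited layout like the one Autoruns saves.
# Column order is an assumption for this example. The Deskpan row uses a
# placeholder location because the real key is not given in the thread.
SAMPLE_LOG = "\n".join([
    "Entry Location\tEntry\tDescription\tPublisher\tImage Path",
    "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\tpmkjg\t\t\tc:\\windows\\system32\\pmkjg.dll",
    "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\twinccf32\t\t\tc:\\windows\\system32\\winccf32.dll",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tOldTool\t\t\tFile not found: C:\\Program Files\\OldTool\\tool.exe",
    "HKLM\\<placeholder-shell-extension-key>\tDeskpan.dll\t\t\tFile not found: deskpan.dll",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\t{55F77B76-B5F6-4DD4-871C-CCAECBD9ADB9}\t\t\tc:\\windows\\system32\\pmkjg.dll",
])


@dataclass
class Finding:
    reason: str
    location: str
    entry: str
    image_path: str


def parse_autoruns(text):
    """Parse the tab-delimited export into one dict per row."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def triage(rows, keep_missing=("deskpan.dll",)):
    """Apply the three checks from the thread and return the findings."""
    findings = []
    for row in rows:
        loc, entry, path = row["Entry Location"], row["Entry"], row["Image Path"]
        if path.lower().startswith("file not found"):
            if entry.lower() in keep_missing:
                continue  # Deskpan.dll always reports missing; leave it alone
            findings.append(Finding("stale entry (file not found)", loc, entry, path))
        if "\\winlogon\\notify" in loc.lower():
            findings.append(Finding("Winlogon Notify DLL (loads even in Safe Mode)", loc, entry, path))
        if "browser helper objects" in loc.lower():
            findings.append(Finding("Browser Helper Object", loc, entry, path))
    return findings


def files_for_reboot_delete(findings):
    """Distinct files behind Notify/BHO findings: the delete-on-reboot list,
    to be confirmed by the user before any tool acts on it."""
    return sorted({f.image_path.lower() for f in findings if not f.reason.startswith("stale")})


if __name__ == "__main__":
    for f in triage(parse_autoruns(SAMPLE_LOG)):
        print(f"{f.reason}: {f.entry} -> {f.image_path}")
```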
     
  9. Fishey

    Fishey TS Rookie Topic Starter

    I got rid of "c:\windows\system32\winccf32.dll" easily,
    but I couldn't get rid of "c:\windows\system32\pmkjg.dll".
    It doesn't show up in the system32 folder but I know it's there because I right-clicked it in Autoruns and it said it was there, but the "Hidden" box was ticked and also grayed out so I cannot untick it. But that shouldn't matter because I have set all folders to show hidden files and folders, yet it still doesn't show up there. So I just typed in c:\windows\system32\pmkjg.dll in MoveOnBoot but when I restarted it is still there.
    So my question now is how do I delete it if I can't see it? Is there a way to make me able to see it?
    Thank you for all your help so far, I just need to get rid of this one file and it's all over! :D
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    The pmkjg.dll file is part of the Virtumundo infection.

    Download and run these four tools. Follow the instructions for using each tool.

    Tool1 Tool2 Tool3 Tool4

    Download and install Ewido http://www.ewido.net/en/download/
    Double-click the Ewido icon on your desktop to run it.
    On the top of the main screen click Shield. Click the word active to change it to inactive.
    On the top of the main screen click 'Update'. Then click on 'Start update'. The update will start and a progress bar will show the updates being installed.
    If you are having problems with the updater, you can get the manual update at http://download.ewido.net/ewido-signatures-full-current.exe
    When you have finished updating, exit Ewido.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Make sure all windows are closed. Run Ewido.
    Click 'Scanner'. Then click 'Complete System Scan' to begin scanning.
    When the scan is complete click 'Recommended Action' and change it to 'Quarantine'.
    Then click 'Apply all actions'.
    Once finished, click the 'Save report' button. Then click 'Save Report As' and save it to your desktop.

    Reboot into normal mode and turn system restore back on and rehide your protected OS files.

    Post the Ewido report and a fresh HJT log as attachments.

    Regards Howard :wave: :wave:

    This thread is for the use of Fishey only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  11. Fishey

    Fishey TS Rookie Topic Starter

    Thank you so so much Vigilante and Howard. You are lifesavers. My computer is now virus free! Gosh that was a mission to get rid of! I see a lot of people are having trouble with the Pakes.U virus now :eek:
    It's a hassle to get rid of.
    Thank you so much :D
     
  12. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    Well glad it's working again. Some of these bugs can get quite involved to remove!

    Next step is protecting yourself more. Get rid of file-sharing apps :)
    Watch your browsing habits, no porn! Use Firefox. Get a decent antivirus and keep it up to date. A firewall if you like.
    Protect yourself with Spybot's "Immunize" function. And use Javacoolsoftware's SpywareBlaster as well.
    Then run your Ad-Aware and Spybot and Ewido every week or two.

    And keep Windows up to date.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I'd still like to see fresh HJT and Ewido logs, just to make sure your system is clean.

    Regards Howard :)

    This thread is for the use of Fishey only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  14. Fishey

    Fishey TS Rookie Topic Starter

    I don't use file sharing apps because I have a lot of mates who get viruses off them :(
    I don't look at porn, already use Firefox, I have AVG Free, ZoneAlarm Pro, Lavasoft Ad-Aware Pro and Spybot S&E (used the immunize function before), and have just downloaded Ewido, and will get SpywareBlaster now.

    Ewido found nothing so that is just an empty log file...
    And my HJT log is attached. I also changed the name of the .exe to HJT so all the files will show up. (I only just learnt this.)

    Again, thank you a ton for helping me with this :D
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system still isn't clean.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    O20 - Winlogon Notify: srvdrv - C:\WINDOWS\

    O20 - Winlogon Notify: ssttt - C:\WINDOWS\

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot, and hopefully your files will now be deleted.

    These are the filepaths you need to enter into killbox.

    C:\windows\system32\ssttt.dll


    srvdrv: find this file. I don't know what extension it has as it doesn't show in your HJT log. It's probably a .dll file, but might not be. I can find no info for srvdrv and so it's probably nasty.

    Once you find the file, type the full path into killbox.

    Once your system has rebooted, post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of Fishey only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
Topic Status:
Not open for further replies.