TechSpot

Trojan Horse Pakes.U & Dialer.28.A

By MattJKR
Sep 3, 2006
  1. Hi there,

    I have recently found Trojan Horse Pakes.U & Trojan Horse Dialer.28.A on my computer.

    I have been downloading updates for various programmes recently, without trouble, but then yesterday AVG detected Trojan Horse Pakes.U & Trojan Horse Dialer.28.A. AVG keeps detecting it again and again. I want to remove the main Trojan file, which is creating these files. Would you kindly help me through the removal process? I've already read other people's posts about these trojans.

    So far I have run Ewido anti-spyware, as told to on this forum, but am still getting the problems. I have attached 3 files: the HijackThis scan done before I ran Ewido, the Ewido report (sorry, I forgot to remove some cookies first, so most of it is made up of cookies) & the HijackThis scan done after Ewido was run. Unfortunately, even after running Ewido I am still getting the same message...

    Any help would be greatly appreciated,

    Thanks

    MattJ.
     


  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Make sure you have the latest virus definitions for AVG.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programs in your Control Panel and uninstall anything to do with the following (if there).

    Toolbar888

    Close control panel.

    Run a full system scan with AVG and delete whatever it finds.

    Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)

    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)

    O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\Wanadoo\WanadooConnectionKit\atdialler1.exe

    O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\Program Files\ToolBar888

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.


    Regards Howard :wave: :wave:

    This thread is for the use of MattJKR only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
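Added example (not part of the thread, and not HijackThis's own code): a small Python triage of the HJT lines quoted above. It parses each `O<n> - <kind>: <detail>` line, pulls out the file it points at, and attaches the reasons a practitioner would tick it in "fix checked": an orphaned registration marked `(file missing)`, an O20 Winlogon Notify DLL (loaded by winlogon.exe at logon, a frequent persistence spot), a path under a temp or browser-cache directory, or a name on a known-unwanted list. The sample log is constructed from the lines in this thread plus one assumed-benign AVG Run entry as a control; that control line and the `KNOWN_BAD` list are assumptions, not from the page.

```python
"""Triage of HijackThis (HJT) log lines.

Added example for this thread; it is not HijackThis's own code. It parses the
O3/O4/O8/O20 lines quoted in the posts, extracts the file each entry points
at, and lists the reasons an entry deserves a tick in "fix checked".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the five entries quoted in this thread, plus one
# assumed-benign HKLM Run line for an AVG component as a control (an
# assumption, not from the thread).
SAMPLE_LOG = r"""
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\Wanadoo\WanadooConnectionKit\atdialler1.exe
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O20 - Winlogon Notify: winmmt32 - winmmt32.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""

# Names the thread ended up treating as unwanted (Spybot later reported
# ToolBar888 as Smitfraud-C); extend as needed.
KNOWN_BAD = ("toolbar888",)

LINE_RE = re.compile(r"^(O\d+)\s+-\s+([^:]+):\s*(.*)$")
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\[^()]*?\.(?:dll|exe|lnk)", re.IGNORECASE)
BARE_FILE_RE = re.compile(r"\b[\w~-]+\.(?:dll|exe)\b", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\temp\\|temporary internet files", re.IGNORECASE)


@dataclass
class HjtEntry:
    section: str            # "O3", "O20", ...
    kind: str               # "Toolbar", "Winlogon Notify", ...
    detail: str             # rest of the line as HJT printed it
    path: Optional[str]     # first file path found in detail, if any
    file_missing: bool      # HJT could not find the file on disk
    reasons: List[str] = field(default_factory=list)


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """One HJT line -> HjtEntry, or None for blank/non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, detail = m.groups()
    missing = detail.lower().endswith("(file missing)")
    hit = DRIVE_PATH_RE.search(detail) or BARE_FILE_RE.search(detail)
    return HjtEntry(section, kind.strip(), detail, hit.group(0) if hit else None, missing)


def assess(entry: HjtEntry, known_bad=KNOWN_BAD) -> HjtEntry:
    """Attach human-readable reasons; an entry with no reasons is left alone."""
    if entry.file_missing:
        entry.reasons.append("orphaned: registered component's file is missing")
    if entry.section == "O20":
        entry.reasons.append("Winlogon Notify DLL: loaded by winlogon.exe at logon, a common persistence point")
    if entry.path and TEMP_DIR_RE.search(entry.path):
        entry.reasons.append("runs from a temp or browser-cache directory")
    for name in known_bad:
        if name in entry.detail.lower():
            entry.reasons.append("name matches known unwanted software: " + name)
    return entry


def triage(log_text: str) -> List[HjtEntry]:
    parsed = (parse_hjt_line(line) for line in log_text.splitlines())
    return [assess(e) for e in parsed if e is not None]


def fix_candidates(log_text: str) -> List[str]:
    """Lines you would tick in HJT, each followed by its reasons."""
    return [f"{e.section} - {e.kind}: {e.detail}  <- {'; '.join(e.reasons)}"
            for e in triage(log_text) if e.reasons]


if __name__ == "__main__":
    print("\n".join(fix_candidates(SAMPLE_LOG)))
```

Entries without a reason (here the Wanadoo startup shortcut and context-menu item, and the control line) are deliberately left untouched rather than ticked by default: a `(file missing)` entry is harmless clutter, while an O20 entry is worth a second look whether or not its DLL is present.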
     
  3. MattJKR

    MattJKR TS Rookie Topic Starter

    Hi Howard,

    Thanks for your very helpful advice. I have done all of the steps that you said, and I have noted a few things which may be of reference:


    1) When trying to remove "ToolBar888" from the Add/Remove Programs panel, the following message was displayed:
    "An error occurred when trying to remove ToolBar888. It may have been already uninstalled. Do you wish to remove it from the list?" - I chose to leave it in the list.

    2) The full scan with AVG found 3 files infected with the Trojan Pakes.U virus - which I deleted....

    3) The directory "C:\Program Files\Toolbar888" was not found on my system...

    4) I didn't remove the instances "O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\Wanadoo\WanadooConnectionKit\atdialler1.exe" & "O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm", as I believe they are something to do with my internet provider, Wanadoo....

    5) I accidentally removed my sound card driver, so I am now downloading the file from the website. Should I do the final HijackThis scan first, or install the sound card driver again first?

    So far, touch wood, there have been no instances of the usual AVG message.

    Thanks Again

    Matthew.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Reinstall your sound drivers, then post a fresh HJT log.

    Regards Howard :)
     
  5. MattJKR

    MattJKR TS Rookie Topic Starter

    Howard,

    The problem has returned - I just got a message saying that a Trojan Pakes.U virus has been found again - what should I do now?
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Can you give me the full filepath to the infected file?

    Regards Howard :)
     
  7. MattJKR

    MattJKR TS Rookie Topic Starter

    The file path is: C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5\KPQF412R\srvvbx[1].exe AND C:\Windows\Temp\win66.tmp.exe

    Also, I get regular messages via Internet Explorer saying all about virus software, even when I'm not using internet explorer...

    Should I take a HiJackThis log in normal or safe mode? - I'll leave the sound driver for now...
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    win66.tmp.exe and any other process that has the same .tmp.exe extension.
    srvvbx[1].exe

    Close task manager.

    Run a full system scan with AVG and delete whatever it finds.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" button. Press the Delete File button (it looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

    These are the filepaths you need to enter into killbox.

    C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5\KPQF412R\srvvbx[1].exe

    C:\Windows\Temp\win66.tmp.exe

    Also, enter any other filepath that has the .tmp.exe file extension.

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Let me know how your system is running.

    Regards Howard :)
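Added example (not part of the thread, and not Killbox's code): the "delete on reboot" that Killbox offers works by queueing source/target pairs in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which the session manager processes at the next boot before any user process (an empty target means delete, and sources are written in NT object form with a `\??\` prefix). The Python below generalises the instruction "enter any other filepath that has the .tmp.exe file extension": it sweeps a constructed stand-in for C:\WINDOWS\Temp and the Content.IE5 cache for the two naming patterns reported in this thread (win<2 hex digits>.tmp.exe and srv<3 letters>[n].exe), then builds and round-trips the registry value. It never touches a real registry; the Windows paths it prints are the ones quoted in the thread and are assumptions about where the files live.

```python
r"""Sweep for the dropped files named in this thread and build the
delete-on-reboot registry value a tool such as Killbox relies on.

Added example for this thread; it is not Killbox's code and does not touch
the registry. It builds a throw-away directory tree (constructed input), finds
files matching the two naming patterns the posts report, and encodes the
PendingFileRenameOperations value (REG_MULTI_SZ under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager) that the session
manager processes at the next boot.
"""
import re
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple

# Name patterns from the paths reported in the thread:
#   C:\WINDOWS\Temp\win66.tmp.exe, win97.tmp.exe, Win6D.tmp.exe -> win<2 hex>.tmp.exe
#   ...\Content.IE5\<cache dir>\srvvbx[1].exe, srvfao[1].exe    -> srv<3 letters>[n].exe
TEMP_DROPPER_RE = re.compile(r"^win[0-9a-f]{2}\.tmp\.exe$", re.IGNORECASE)
IE_CACHE_DROPPER_RE = re.compile(r"^srv[a-z]{3}\[\d+\]\.exe$", re.IGNORECASE)

# Assumed Windows locations; the profile path is the one quoted in the thread.
WINDOWS_TEMP = r"C:\WINDOWS\Temp"
CONTENT_IE5 = r"C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5"


def find_droppers(windows_temp: Path, content_ie5: Path) -> List[Path]:
    """Files in Temp matching win??.tmp.exe, and files in any Content.IE5
    cache subdirectory matching srv???[n].exe, in a stable order."""
    hits: List[Path] = []
    if windows_temp.is_dir():
        hits += [p for p in windows_temp.iterdir()
                 if p.is_file() and TEMP_DROPPER_RE.match(p.name)]
    if content_ie5.is_dir():
        for cache_dir in (d for d in content_ie5.iterdir() if d.is_dir()):
            hits += [p for p in cache_dir.iterdir()
                     if p.is_file() and IE_CACHE_DROPPER_RE.match(p.name)]
    return sorted(hits, key=lambda p: p.as_posix())


def pending_delete_entries(win_paths: Iterable[str]) -> List[str]:
    r"""Source/target pairs as the session manager reads them: the source in
    NT object form (\??\ prefix), then an empty target, which means delete."""
    entries: List[str] = []
    for path in win_paths:
        entries += ["\\??\\" + path, ""]
    return entries


def encode_multi_sz(strings: List[str]) -> bytes:
    """REG_MULTI_SZ as stored: each string NUL-terminated in UTF-16LE, then one
    more NUL. Built string by string rather than with a NUL join so the empty
    target entries survive instead of looking like the list terminator."""
    body = "".join(s + "\0" for s in strings) + "\0"
    return body.encode("utf-16-le")


def decode_multi_sz(data: bytes) -> List[str]:
    """Inverse of encode_multi_sz, keeping empty strings in the middle."""
    text = data.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("missing REG_MULTI_SZ terminator")
    return text[:-1].split("\0")[:-1]


def build_sample_tree(root: Path) -> None:
    """Constructed stand-in for the two directories, with the names from the
    thread plus benign neighbours that must not be matched."""
    temp = root / "Temp"
    temp.mkdir(parents=True)
    for name in ("win66.tmp.exe", "Win6D.tmp.exe", "~DF1234.tmp", "setup.log"):
        (temp / name).write_bytes(b"MZ")
    for cache, name in (("KPQF412R", "srvvbx[1].exe"),
                        ("8LEN49U3", "srvfao[1].exe"),
                        ("CH630XYJ", "logo[1].gif")):
        d = root / "Content.IE5" / cache
        d.mkdir(parents=True)
        (d / name).write_bytes(b"MZ")
    (root / "Content.IE5" / "index.dat").write_bytes(b"")


def run_demo() -> Tuple[List[str], List[str], bytes]:
    """Returns (relative hits, registry entries, encoded value)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        hits = find_droppers(root / "Temp", root / "Content.IE5")
        rels = [p.relative_to(root).as_posix() for p in hits]
    # Translate the sample tree back to the Windows paths that would be queued.
    win_paths = [(WINDOWS_TEMP if r.startswith("Temp/") else CONTENT_IE5) + "\\"
                 + r.split("/", 1)[1].replace("/", "\\") for r in rels]
    entries = pending_delete_entries(win_paths)
    blob = encode_multi_sz(entries)
    assert decode_multi_sz(blob) == entries
    return rels, entries, blob


if __name__ == "__main__":
    rels, entries, blob = run_demo()
    for rel, src in zip(rels, entries[::2]):
        print(f"{rel} -> {src}")
    print(f"{len(blob)} bytes of REG_MULTI_SZ, {len(entries) // 2} pending deletes")
```

Two caveats a practitioner would want. First, the value is written raw: the standard multi-string convention treats an empty string as the end of the list, so building it with a plain NUL join would silently truncate the queue after the first delete; that is also why such values are awkward to edit by hand in Regedit. Second, the files in Temp and the IE cache are the payloads, not the thing re-dropping them; a sweep like this cleans up after each round, and whatever recreates them still has to be found through autoruns/HJT, which is where the later posts in this thread go.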
     
  9. MattJKR

    MattJKR TS Rookie Topic Starter

    Latest Update

    Hi again,

    I tried the advice and parts of it worked, but parts of it didn't. Below are any notes worth pointing out:

    1) AVG found 3 files again, at the locations:
    C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5\KPQF412R\srvhtu[1].exe / srvsjt[1].exe AND C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5\CH630XYJ\srvwcs[1].exe
    I deleted these files, and then tried to delete them with KillBox - but there was an error message, as detailed in point 2.
    I was thinking if the message comes again, I should restart & delete these 3 files with killbox alone - & then do an AVG Scan after reboot?

    2) KillBox failed to work - It stated:
    "PendingFileRenameOperations Registry Data has been removed by External Process!" - I couldn't delete any of the files, although I had already deleted all of them with AVG - could this be a problem?!?

    EDIT - Trojan Dialer 28A is back....

    If anyone could help, it would be greatly appreciated.

    Thanks for all of the help so far Howard,

    Matthew

    p.s. I was wondering if the Trojan is linked with the Internet Explorer messages that I have been getting - I thought they may be linked.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Killbox normally gives that error when the files are not there/have already been deleted.

    See how your system runs and let us know.

    Edit: please post a fresh HJT log.

    Regards Howard :)

     
  11. MattJKR

    MattJKR TS Rookie Topic Starter

    Just now I have received the usual messages - Pakes.U is back at location C:\WINDOWS\Temp\win97.tmp.exe, while Dialer.28.A can be found at C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5\8LEN49U3\srvfao[1].exe

    Is there anything that can be done? - As things currently are, when they are detected, I am moving them to the Virus Vault of AVG.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the CCleaner programme from HERE.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html


    Run the CCleaner programme and make sure all the boxes are ticked in the Windows and Applications tabs. Click the Run Cleaner button, and run the programme several times with no browser windows open. Then click on the Issues button and make sure all the boxes are ticked. Click the Scan for Issues button and then the Fix Selected Issues button. Do this several times until no more issues are found.

    Go to C:\WINDOWS\Temp and delete everything Windows will let you.

    Then go and do the same here C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5

    Reboot into normal mode and turn system restore back on and rehide your protected OS files.

    Let me know the outcome.

    Regards Howard :)
     
  13. MattJKR

    MattJKR TS Rookie Topic Starter

    I ran CCleaner and that removed a lot of stuff. In addition I was able to remove all files from the Temp folder (C:\WINDOWS\Temp), and all files except "index.dat" (which was 3,552kb in size) were removed from the Temporary Internet Files folder (C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5). I have attached the HijackThis log that I got following the cleaning of this folder.

    In addition I have just run Spybot, which found 3 registry keys of "AstraKiller" and 1 registry value & 2 registry keys of "Smitfraud-C. Toolbar888", all of which I have removed. "Toolbar888" is now no longer listed in the Add/Remove Programs list. I then ran Spybot once more and it found no other files. Oh yes, and I also re-installed my sound card driver...

    In addition I then ran Adaware SE (Personal) – which found several negligible files (all MRU Lists), which I removed. I then did a “Deep Scan” using A squared (free version), which detected one file, classed as a small threat, which I deleted.

    Do you have any advice on how to avoid future problems? I already use AVG, a-squared, CCleaner, Spybot & Ad-Aware.

    Touch wood, everything seems fine at the moment, thanks for all your help Howard,

    Matthew.
     
  14. MattJKR

    MattJKR TS Rookie Topic Starter

    Well, unfortunately, the Trojan Horse Pakes.U has just returned, at C:\WINDOWS\Temp\Win6D.tmp.exe

    Man, this really is a pain,

    If anyone could help then please do let me know - I'm at my wits end with this one....

    Matthew
     
  15. MattJKR

    MattJKR TS Rookie Topic Starter

    Update - Ran An Autoruns Log

    Hi there,

    I was reading some other threads regarding the Pakes.U virus, which said to try & run an Autoruns log, which I have done.

    I have attached the file on here, if anyone who knows how to analyse it could help, I would be very appreciative...

    The virus is still returning affecting the usual files - the files at C:\WINDOWS\Temp\winXX.tmp.exe & C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5

    Many Thanks

    Matthew.
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download and run these four tools. Follow the instructions for using each tool.

    Tool1 Tool2 Tool3 Tool4

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" button. Press the Delete File button (it looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

    These are the filepaths you need to enter into killbox.

    c:\windows\system32\sstts.dll
    c:\windows\system32\winmmt32.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post fresh HJT, Ewido and Autoruns logs and let me know how your system is running.

    Regards Howard :)

     
  17. MattJKR

    MattJKR TS Rookie Topic Starter

    Right,

    I ran the four programs, which didn’t find anything – the only one that did was VundoFix, that found a file “C:\WINDOWS\system32\wvutuvv.dll”, which I deleted.

    KillBox removed the two files, as far as I know; at least no error came up when I was trying to delete them. The Ewido scan found one Trojan Pakes file, which I deleted, and several cookies which were also removed….

    Attached are several files: the HJT log, the Ewido scan log & the Autoruns log. I have also attached the VirtumundoBeGone 1.5 log file & the Look2Me Destroyer log file. If someone in the know could look over them for me?

    Once again, thanks for all your help. Hopefully that will be it now, but I have a feeling it's not,

    Matthew.
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have HJT fix these two entries.

    O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm

    O20 - Winlogon Notify: winmmt32 - winmmt32.dll (file missing)

    Other than the above, your HJT log is clean.

    You have deleted these files? If not you should do so.

    C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5\O9MJOXMN\srvmke[1].exe
    C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\srvcsx[1].exe
    C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5\ZCN9QN1S\srvjsj[1].exe

    It seems you've been hit with a new infection that's doing the rounds. Hopefully a simple fix will be found real soon.

    I hope this is an end to your problems, but like you I have my doubts. please let me know how things go.

    Regards Howard :)

     
  19. MattJKR

    MattJKR TS Rookie Topic Starter

    Hi Howard,

    I have done all of the above things, then I ran scans with Spybot S&D, Ad-Aware SE, a-squared (free), Ewido & AVG Anti-Virus.

    All of the scans came back clean (except the usual cookies) - so thus far everything seems to be OK...

    The sooner they come out with a simple fix the better - it would save many of us a lot of trouble.

    Hopefully this will be the last time that I say this, Many Thanks for your help, it is all greatly appreciated,

    Matthew.
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's great news, I'm really pleased for you.

    The problem with antivirus/antispyware/anti-trojan programmes is that they're always playing catch-up. No sooner have they got a fix for some malware than another, newer variant turns up and it starts all over again.

    Safe surfing habits seem the only way of avoiding these nasty infections.

    You might want to take a look at this thread HERE. It will show you how you can keep your system more secure.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
