Trojan.Starter.V causing Pakes.U and Dialer.28.A?

Status
Not open for further replies.
Hi,

I seem to have a problem that bears some resemblance to the problems posted by MattJKR (https://www.techspot.com/vb/topic57865.html) and Fishy (https://www.techspot.com/vb/topic57911.html). I'd already taken steps to try to eradicate the problem before coming across these threads, so I'll try to describe the symptoms and already-tried solutions as succinctly as possible.

After scanning with AVG I found that some files I had were infected and used AVG to delete them. Shortly after, AVG started reporting that it had found an infected file, which I moved to the vault and deleted. A second infection was then reported and I did the same thing. However, both these infections are continuing to appear in the same directory (as follows):
Trojan horse Pakes.U appears in C:\WINDOWS\Temp\win12.tmp (filename varies)
Trojan horse Dialer.28.A appears in C:\Documents and Settings\simon\Local Settings\Temporary Internet Files\Content.IE5\Y9TU4M8H\srvqgg(1).exe (filename and immediate parent directory name both variable).

So I run Housecall and find ADW.Mytoolbar.A but I can't do anything about it with Housecall. Then I run Bitdefender and find Trojan.Spy.Agent.AB and Trojan.Starter.V. Bitdefender could handle Trojan.Spy.Agent.AB but was unable to deal with Trojan.Starter.V.

C:\Documents and Settings\simon\Local Settings\Temp\mst2B.tmp


Infected with: Trojan.Spy.Agent.AB

C:\Documents and Settings\simon\Local Settings\Temp\mst2B.tmp Disinfection failed

C:\Documents and Settings\simon\Local Settings\Temp\mst2B.tmp Deleted

C:\Documents and Settings\simon\Local Settings\Temp\win2F.tmp.exe=>(NSIS o)=>lzma_solid_nsis0003

Infected with: Trojan.Starter.V

C:\Documents and Settings\simon\Local Settings\Temp\win2F.tmp.exe=>(NSIS o)=>lzma_solid_nsis0003
Disinfection failed

C:\Documents and Settings\simon\Local Settings\Temp\win2F.tmp.exe=>(NSIS o)=>lzma_solid_nsis0003
Deleted

C:\Documents and Settings\simon\Local Settings\Temp\win2F.tmp.exe=>(NSIS o)
Update failed

Then I run Spybot S&D and get a whole load more stuff including Smitfraud.C, Smitfraud.C-toolbar888 and Astakiller. In total there were 40 problems and S&D took care of them.

McAfee Stinger reported nothing, while the online Ewido scanner reported a number of tracking cookies - they all appeared to be the usual suspects.

I've just done another bitdefender scan and it is still reporting the Trojan.Starter.V...

Infected with: Trojan.Starter.V

C:\Documents and Settings\simon\Local Settings\Temp\win2F.tmp.exe=>(NSIS o)=>lzma_solid_nsis0003
Disinfection failed

C:\Documents and Settings\simon\Local Settings\Temp\win2F.tmp.exe=>(NSIS o)=>lzma_solid_nsis0003
Deleted

C:\Documents and Settings\simon\Local Settings\Temp\win2F.tmp.exe=>(NSIS o)
Update failed

AVG is still popping up messages every half hour or so telling me about another Pakes.U or Dialer.28.A. Seems to me that it might be Trojan.Starter.V that is the root - but I don't know for sure and I don't know how to deal with Trojan.Starter.V.

I've run HJT and the log is attached:


Can anyone be so kind as to suggest what I can try next?

Cheers,

exiled

PS: Sorry I should have added that I've also run Adaware SE.
 
Hello and welcome to Techspot.

Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System_OEM\blank.htm

Click the fix checked button and close HJT.

Other than the above, your HJT log is clean.

Go HERE and follow all the instructions exactly.

Then, download the Autoruns programme from HERE.

Once you have finished, post fresh HJT and Ewido logs as well as the Autoruns log.

Regards Howard :wave: :wave:

This thread is for the use of exiled only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi Howard,

thanks for the help. OK, here's a description of what has been done since the last post.

1. Bitdefender scan showed that Trojan.Spy.Agent.AB and Trojan.Starter.V were both still present on the system.
2. Still getting Winantiviruspro popup when IE launched.
3. HJT run and R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System_OEM\blank.htm fixed
4. Ran Kaspersky and it found the following:
C:\WINDOWS\SYSTEM32\winojk32.dll - the details of this showed it to be "Packed.Win32.Klone.g"
5. Ran Ewido and applied recommended actions to all events.
6. Ran Adaware and Spybot S&D.
7. Booted to safe mode and ran:
SmitfraudFix
VundoFix
VirtumundoBegone
Look2MeDestroyer
AboutBuster
Cwshredder
Adaware VX2
Adaware SE
Spybot
HJT
8. Ran Autoruns and HJT and Ewido again (logs attached)

I'm still getting the Pakes.U occurrences so I guess the root problem still remains!

What next Maestro?

Cheers,

Exiled
 
Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

O20 - Winlogon Notify: winojk32 - C:\WINDOWS\SYSTEM32\winojk32.dll

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

This is the filepath you need to enter into killbox.

C:\WINDOWS\SYSTEM32\winojk32.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Run a full scan with Ewido and delete whatever it finds. Delete all files in quarantine.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

This thread is for the use of exiled only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
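The two steps Howard describes above (ticking the O20 Winlogon Notify line in HJT, then queuing the DLL for deletion on reboot in Killbox) can be scripted. The following is an added example in PowerShell and is not code from the thread, from HijackThis or from Pocket Killbox. It assumes the package name and DLL path from the HJT line in this thread, and it assumes that MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT (which writes to PendingFileRenameOperations so Session Manager deletes the file at boot, before Winlogon can load it) is the mechanism behind Killbox's "delete file on reboot" option. Winlogon Notify packages were removed in Windows Vista and later, so on a modern system the key will simply be absent; run as Administrator on the XP-era system the thread is about.

```powershell
# Added example (not from the thread or its tools): list Winlogon Notify packages,
# remove the one named in the HJT O20 line, and queue its DLL for deletion at reboot.
# ASSUMED: package name 'winojk32' and path from the thread; MoveFileEx delay-until-reboot
# is assumed to be what Killbox's "delete on reboot" does.

$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyPackages {
    # One object per Notify subkey: package name, DllName as written, resolved path,
    # and whether the DLL is actually on disk (HJT's "(file missing)" case).
    if (-not (Test-Path $NotifyKey)) { return @() }   # key does not exist on Vista and later
    Get-ChildItem $NotifyKey | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DllName
        $resolved = $dll
        if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
            # A bare name is loaded from System32, which is why HJT shows both forms
            $resolved = Join-Path $env:SystemRoot ('System32\' + $dll)
        }
        [pscustomobject]@{
            Package  = $_.PSChildName
            DllName  = $dll
            Resolved = $resolved
            Exists   = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
        }
    }
}

function Remove-WinlogonNotifyPackage {
    # Equivalent of ticking the O20 line in HJT: delete the whole subkey so Winlogon
    # stops loading the DLL, and so no "(file missing)" entry is left behind.
    param([Parameter(Mandatory)][string]$Package)
    $path = Join-Path $NotifyKey $Package
    if (-not (Test-Path $path)) { return $false }
    Remove-Item $path -Recurse -Force
    return $true
}

# MoveFileEx with lpNewFileName = null and MOVEFILE_DELAY_UNTIL_REBOOT records a delete
# in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Remove-FileOnReboot {
    # Queue a file that is locked while Windows is running (loaded into winlogon.exe)
    # for deletion by Session Manager at the next boot. Returns $true if queued.
    param([Parameter(Mandatory)][string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    if (-not (Test-Path -LiteralPath $Path)) { return $false }   # nothing to queue
    $ok = [Win32.Native]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed: $((New-Object ComponentModel.Win32Exception($code)).Message)"
    }
    return $true
}

# --- usage, mirroring the thread ---
Get-WinlogonNotifyPackages | Format-Table -AutoSize
$target = Get-WinlogonNotifyPackages | Where-Object { $_.Package -eq 'winojk32' }
if ($target) {
    Remove-WinlogonNotifyPackage -Package $target.Package | Out-Null
    if ($target.Exists -and (Remove-FileOnReboot -Path $target.Resolved)) {
        Write-Host "Queued $($target.Resolved) for deletion at next boot; reboot to complete."
    }
}
```

Removing the registry subkey before queuing the delete is what stops the "winojk32.dll (file missing)" entry from reappearing in the next HJT log. Note that MoveFileEx only queues the deletion; the file is still present until the reboot, so a scanner run before rebooting will still flag it.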
 
Hi Howard,

OK, I have done exactly as you suggested and the HJT and Ewido reports are attached. I noticed that in the HJT log winojk32.dll was still listed but was appended with "file missing" - is there something else that I need to do to finish this off for good?

I'm going to run F-secure, Kaspersky etc. again in the meantime to see if they pick anything else up.

Cheers,

Exiled
 
Have HJT fix this inactive entry.

O20 - Winlogon Notify: winojk32 - winojk32.dll (file missing)

Other than the above, your HJT log is now clean.

In Firefox, click tool/options/privacy and click clear cookies now, click ok.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of exiled only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Howard,

after scanning with F-secure, winojk32.dll was found in C:\!KILLBOX. F-secure says that it deleted this, but I'm scanning again to make sure.

Is this the infection moving around or just a reporting feature in Killbox?

Cheers,

Exiled


Scanning Report
Tuesday, September 05, 2006 15:17:31 - 16:29:04

Computer name: SIMONXP05
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 2 malware found
Packed.Win32.Klone.g (virus)

* C:\!KILLBOX\WINOJK32.DLL (Deleted)

Tracking Cookie (spyware)

* System (Disinfected)
 
Hi Howard,

F-secure ran clean after that scan, but when I ran Kaspersky it found the following:

C:\System Volume Information\_restore{FEE37581-5F9E-417F-B320-23F3E8D37D1E}\RP1\A0000006.dll Infected: Packed.Win32.Klone.g

I presume this is a system restore point. After the last round of cleaning using killbox I booted to normal mode and then reinstated system restore...

...I've turned it back off to remove the restore points and I'm scanning again with Kaspersky. Fingers crossed. Do you think this will be sufficient or should I try something else?

Cheers,

Exiled

Kaspersky ran clean with system restore turned off so it is looking good. Have turned system restore back on again and am doing a final Kaspersky scan. 6 years in tech support has taught me never to expect anything, but I am hopeful that this is the end of the infection.

Cheers Howard, I really appreciate the help!

Exiled
 
As far as I'm concerned, your system is clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of exiled only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 