TechSpot

Trojan.Starter.V causing Pakes.U and Dialer.28.A?

By exiled
Sep 4, 2006
  1. Hi,

    I seem to have a problem that bears some resemblance to the problems posted by MattJKR (http://www.techspot.com/vb/topic57865.html) and Fishy (http://www.techspot.com/vb/topic57911.html). I'd already taken steps to try to eradicate the problem before coming across these threads and so I'll try and describe the symptoms and already-tried solutions as succinctly as possible.

    After scanning with AVG I found that some files I had were infected and used AVG to delete them. Shortly after AVG started reporting that it had found an infected file, which I moved to the vault and deleted. A second infection was then reported and I did the same thing. However, both these infections are continuing to appear in the same directory (as follows):
    Trojan horse Pakes.U appears in C:\WINDOWS\Temp\win12.tmp (filename varies)
    Trojan horse Dialer.28.A appears in C:\Documents and Settings\simon\Local Settings\Temporary Internet Files\Content.IE5\Y9TU4M8H\srvqgg(1).exe (filename and immediate parent directory name both variable).

    So I run Housecall and find ADW.Mytoolbar.A but I can't do anything about it with Housecall. Then I run Bitdefender and find Trojan.Spy.Agent.AB and Trojan.Starter.V. Bitdefender could handle Trojan.Spy.Agent.AB but was unable to deal with Trojan.Starter.V.

    Then I run Spybot S&D and get a whole load more stuff including Smitfraud.C, Smitfraud.C-toolbar888 and Astakiller. In total there were 40 problems and S&D took care of them.

    McAfee Stinger reported nothing, while the online Ewido scanner reported a number of tracking cookies - they all appeared to be the usual suspects.

    I've just done another bitdefender scan and it is still reporting the Trojan.Starter.V...

    AVG is still popping up messages every half hour or so telling me about another Pakes.U or Dialer.28.A. Seems to me that it might be Trojan.Starter.V that is the root - but I don't know for sure and I don't know how to deal with Trojan.Starter.V.

    I've run HJT and the log is attached:


    Can anyone be so kind as to suggest what I can try next?

    Cheers,

    exiled

    PS: Sorry I should have added that I've also run Adaware SE.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System_OEM\blank.htm

    Click the fix checked button and close HJT.

    Other than the above, your HJT log is clean.

    Go HERE and follow all the instructions exactly.

    Then, download the Autoruns programme from HERE.

    Once you have finished, post fresh HJT and Ewido logs as well as the Autoruns log.

    Regards Howard :wave: :wave:

    This thread is for the use of exiled only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. exiled

    exiled TS Rookie Topic Starter

    Hi Howard,

    thanks for the help. OK here's a description of what has been done since the last post.

    1. Bitdefender scan showed that Trojan.Spy.Agent.AB and Trojan.Starter.V were both still present on the system.
    2. Still getting Winantiviruspro popup when IE launched.
    3. HJT run and R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System_OEM\blank.htm fixed
    4. Ran Kaspersky and it found the following:
    C:\WINDOWS\SYSTEM32\winojk32.dll - the details of this showed it to be "Packed.Win32.Klone.g"
    5. Ran Ewido and applied recommended actions to all events.
    6. Ran Adaware Spybot S&D.
    7. Booted to safe mode and ran:
    SmitfraudFix
    VundoxFix
    VirtumundoBegone
    Look2MeDestroyer
    AboutBuster
    Cwshredder
    Adaware VX2
    Adaware SE
    Spybot
    HJT
    8. Ran Autoruns and HJT and Ewido again (logs attached)

    I'm still getting the Pakes.U occurrences so I guess the root problem still remains!

    What next Maestro?

    Cheers,

    Exiled
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

    O20 - Winlogon Notify: winojk32 - C:\WINDOWS\SYSTEM32\winojk32.dll

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\SYSTEM32\winojk32.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Run a full scan with Ewido and delete whatever it finds. Delete all files in quarantine.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of exiled only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. exiled

    exiled TS Rookie Topic Starter

    Hi Howard,

    OK, I have done exactly as you suggested and the HJT and Ewido reports are attached. I noticed that in the HJT log winojk32.dll was still listed but was appended with "file missing" - is there something else that I need to do to finish this off for good?

    I'm going to run F-secure, Kaspersky etc. again in the meantime to see if they pick anything else up.

    Cheers,

    Exiled
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have HJT fix this inactive entry.

    O20 - Winlogon Notify: winojk32 - winojk32.dll (file missing)

    Other than the above, your HJT log is now clean.

    In Firefox, click tool/options/privacy and click clear cookies now, click ok.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of exiled only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
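    The O20 entries Howard had fixed above are Winlogon Notify hooks, DLLs that winlogon.exe loads at logon, which is why a stale "(file missing)" entry is still worth removing. The following is an added example, not code from this thread or from HijackThis: it parses HJT-style O20 lines from a constructed sample log and flags entries that are orphaned or not in an assumed baseline of default Windows XP notify subkeys.

    ```python
    import re
    from dataclasses import dataclass

    # Winlogon Notify subkeys typically present on a default Windows XP install.
    # Assumed baseline: verify it against a known-clean machine before relying on it.
    XP_DEFAULT_NOTIFY = {
        "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
        "sclgntfy", "SensLogn", "termsrv", "wlballoon",
    }

    # Constructed sample modelled on the lines quoted in this thread (not a real log).
    SAMPLE_LOG = """\
    R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page = C:\\WINDOWS\\pchealth\\helpctr\\System_OEM\\blank.htm
    O20 - Winlogon Notify: crypt32chain - crypt32.dll
    O20 - Winlogon Notify: winojk32 - C:\\WINDOWS\\SYSTEM32\\winojk32.dll
    O20 - Winlogon Notify: winojk32 - winojk32.dll (file missing)
    """

    # name = registry subkey under Winlogon\Notify, path = DLL it points to,
    # missing = HJT's marker for a hook whose DLL no longer exists on disk
    O20_RE = re.compile(
        r"^O20 - Winlogon Notify: (?P<name>[^ ]+) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
    )


    @dataclass(frozen=True)
    class Finding:
        name: str
        path: str
        reason: str


    def triage_winlogon_notify(log_text, baseline=XP_DEFAULT_NOTIFY):
        """Return one Finding per O20 entry that deviates from the baseline."""
        findings = []
        for line in log_text.splitlines():
            m = O20_RE.match(line.strip())
            if not m:
                continue  # R0/O2/O4 etc. are other HJT sections, out of scope here
            name, path, missing = m["name"], m["path"], bool(m["missing"])
            if missing:
                # DLL already gone but the registry hook remains: leftover to clean up
                findings.append(Finding(name, path, "orphaned entry (file missing)"))
            elif name not in baseline:
                # Unknown DLL loaded by winlogon.exe at every logon: persistence candidate
                findings.append(Finding(name, path, "not in baseline"))
        return findings


    if __name__ == "__main__":
        for f in triage_winlogon_notify(SAMPLE_LOG):
            print(f"{f.name}: {f.path} -> {f.reason}")
    ```
    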
     
  7. exiled

    exiled TS Rookie Topic Starter

    Howard,

    after scanning with F-secure, winojk32.dll was found in C:\!KILLBOX. F-secure says that it deleted this, but I'm scanning again to make sure.

    Is this the infection moving around or just a reporting feature in Killbox?

    Cheers,

    Exiled


     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's just the backup that Killbox makes. You can safely delete all the killbox backups.

    Regards Howard :)
     
  9. exiled

    exiled TS Rookie Topic Starter

    Hi Howard,

    F-secure ran clean after that scan, but when I ran Kaspersky it found the following:

    I presume this is a system restore point. After the last round of cleaning using killbox I booted to normal mode and then reinstated system restore...

    ...I've turned it back off to remove the restore points and I'm scanning again with Kaspersky. Fingers crossed. Do you think this will be sufficient or should I try something else?

    Cheers,

    Exiled

    Kaspersky ran clean with system restore turned off so it is looking good. Have turned system restore back on again and am doing a final Kaspersky scan. 6 years in tech support has taught me never to expect anything, but I am hopeful that this is the end of the infection.

    Cheers Howard, I really appreciate the help!

    Exiled
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    As far as I'm concerned, your system is clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of exiled only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     