TechSpot

viruses

By dwazzy
Jul 20, 2006
  1. I am having problems getting rid of these 3 viruses. An AVG warning keeps popping up and I can't get rid of them. Everything I have tried that I have come across online hasn't worked.

    I keep getting Trojan Horse Dialer.bzb, Trojan Horse Dialer.AXJ., and trojan horse generic.wue.






    can you please look and see if there is anything here that i can get rid of.

    Thank You
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go HERE and follow all the instructions exactly.

    Post a fresh HJT log as a .txt attachment, only after doing the above.

    Regards Howard :wave: :wave:
     
  3. dwazzy

    dwazzy TS Rookie Topic Starter

    sorry

    sorry about that
     

    Attached Files:

  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    dbe4434789b25_13.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.jcash.biz/l/158c3a63d263a50c387dbe4434789b25_13.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    158c3a63d263a50c387dbe4434789b25_13.exe You will need to search your system for this file. It may or may not be there.

    Reboot into normal mode and turn system restore back on.

    Other than the above entry, your HJT log is clean.


    Regards Howard :)
     
  5. dwazzy

    dwazzy TS Rookie Topic Starter

    still having a problem

    I think that process worked for the trojan files. I haven't seen a pop-up for one of them yet. However ewido keeps popping up with a malware
    name, adware.Virtumonde, and its location is C:\windows\system32\awtqr.dll. This pops up what seems like every 5 seconds. I click on the clean and move to quarantine but it still resurfaces.

    Thanks for the help with the other problem.
     
  6. dwazzy

    dwazzy TS Rookie Topic Starter

    And just as I sent this the trojan virus returned, trojan horse dialer.axj.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Go HERE and follow the instructions for running the Vundofix tool.

    Let us know if it helps.

    Regards Howard :)
     
  8. dwazzy

    dwazzy TS Rookie Topic Starter

    I tried VundoFix and followed the directions. The search results came up negative.

    AVG has popped up with all the previously entered Trojans as well.
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have you tried running AVG from safe mode, with system restore turned off?

    Could you please give me the exact file paths that AVG is finding?

    Regards Howard :)
     
  10. dwazzy

    dwazzy TS Rookie Topic Starter

    These are all the files I found during my last AVG check earlier today.
    I will try your suggestion now.


    C:\documents and setting\owner\local Settings\Temporary Internet Files\Content.IE5\1261QXGH\srvpks[1].exe
    C:\documents and setting\owner\local Settings\Temporary Internet Files\Content.IE5\89MZCP23\srvnex[1].exe
    C:\documents and setting\owner\local Settings\Temporary Internet Files\Content.IE5\89MZCP23\srvyxt[1].exe
    C:\documents and setting\owner\local Settings\Temporary Internet Files\Content.IE5\F7T6P2C7\srvkrm[1].exe
    C:\documents and setting\owner\local Settings\Temporary Internet Files\Content.IE5\F7T6P2C7\bgates[2].exe
    C:\WINDOWS\Temp\win105.tmp.exe (as well as win112, win13B, win102, win103, and win10B)
    C:\WINDOWS\system32\ismon.exe
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That helps an awful lot.

    Go HERE and follow the instructions.

    Then, download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    srvpks[1].exe
    srvnex[1].exe
    srvyxt[1].exe
    srvkrm[1].exe
    bgates[2].exe
    win105.tmp.exe
    win112.tmp.exe
    win13B.tmp.exe
    win102.tmp.exe
    win103.tmp.exe
    win10B.tmp.exe
    ismon.exe

    Close task manager.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    Input all these filepaths into killbox.

    C:\documents and setting\owner\local Settings\Temporary Internet Files\Content.IE5\1261QXGH\srvpks[1].exe
    C:\documents and setting\owner\local Settings\Temporary Internet Files\Content.IE5\89MZCP23\srvnex[1].exe
    C:\documents and setting\owner\local Settings\Temporary Internet Files\Content.IE5\89MZCP23\srvyxt[1].exe
    C:\documents and setting\owner\local Settings\Temporary Internet Files\Content.IE5\F7T6P2C7\srvkrm[1].exe
    C:\documents and setting\owner\local Settings\Temporary Internet Files\Content.IE5\F7T6P2C7\bgates[2].exe
    C:\WINDOWS\Temp\win105.tmp.exe (as well as win112.tmp.exe win13B.tmp.exe win102.tmp.exe win103.tmp.exe and win10B.tmp.exe)
    C:\WINDOWS\system32\ismon.exe

    Once your system has rebooted, turn system restore back on.

    Let us know if that helps.

    Regards Howard :)
     
  12. dwazzy

    dwazzy TS Rookie Topic Starter

    OK, I think that worked for the trojan viruses. However ewido is still going crazy with the alert for malware in C:\windows\system\32\awtqr.dll
     
  13. dwazzy

    dwazzy TS Rookie Topic Starter

    I can find the file and every time I try to do anything with it, it tells me it is being used by another person or program.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    awtqr.dll is part of the Virtumundo infection. There seems to be a new variant about at the moment.

    Try this VirtumundoBeGone tool HERE. This is a different tool to the last one you tried.

    Regards Howard :)
     
  15. dwazzy

    dwazzy TS Rookie Topic Starter

    Thank you for all your help. It appears that all of my problems have gone away. AVG ran a clean check and the ewido alert seems to have gone away. You have been very helpful.
     
  16. dwazzy

    dwazzy TS Rookie Topic Starter

    I do have one more small problem and I was wondering if you could point me in the right direction on where to go, since this is not a virus problem. My homepage constantly goes back to the emachine home page. No matter how many times I change it in the internet settings, it will still default to emachine.com.

    Thanks again for the help earlier.
     
  17. gmuser2006

    gmuser2006 TS Rookie Posts: 37

    Run HiJack-This and have it fix the R0 entry.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com
     
  18. dwazzy

    dwazzy TS Rookie Topic Starter

    I tried that and each time I run HJT it reappears.
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please post a fresh HJT log.

    Regards Howard :)
     
  20. dwazzy

    dwazzy TS Rookie Topic Starter

    Home page

    I've tried changing my home page for internet explorer several times and each time it defaults back to the emachines home page. I ran HJT and checked off R0 but it keeps returning every time I run a new HJT.
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have HJT fix these entries.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

    O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)

    Click on the fix checked button and close HJT. Reboot your computer.

    You should now be able to change your home page.

    I have merged your new thread into this one.

    Regards Howard :)
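    An added example, not code from this thread or from HijackThis itself: a small parser for the HJT entry lines quoted in the posts above that flags the kinds of entries Howard singled out, that is orphaned entries (no file / file missing), an O16 DPF entry that downloads an executable, and a start page that is also pinned in IERESET.INF, which is why an IE reset restores it. The sample lines are the ones from this thread; the flag wording and the HjtEntry structure are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: HJT lines quoted in this thread (not a complete log)
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.emachines.com
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.jcash.biz/l/158c3a63d263a50c387dbe4434789b25_13.exe
O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")
ORPHAN_MARKERS = ("(no file)", "(file missing)")  # HJT's own wording for dangling entries

@dataclass
class HjtEntry:
    section: str            # R0, O2, O16 ... (HJT section code)
    body: str               # everything after "Rn - " / "On - "
    clsid: Optional[str]    # first {GUID} in the line, if any
    url: Optional[str]      # first http(s) URL in the line, if any
    orphaned: bool          # references a file/CLSID that no longer exists
    flags: List[str] = field(default_factory=list)

def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Turn HJT entry lines into records; non-entry lines (headers, blanks) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid, url = CLSID_RE.search(body), URL_RE.search(body)
        entries.append(HjtEntry(m.group("section"), body,
                                clsid.group(0) if clsid else None,
                                url.group(0) if url else None,
                                any(mk in body for mk in ORPHAN_MARKERS)))
    return entries

def triage(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Attach review flags; the heuristics mirror what the thread above treated as suspect."""
    o14_pages = {e.url for e in entries if e.section == "O14" and e.url}
    for e in entries:
        if e.orphaned:
            e.flags.append("orphaned entry: file or CLSID target no longer exists")
        if e.section == "O16" and e.url and e.url.lower().endswith(".exe"):
            e.flags.append("DPF downloads an executable: " + e.url)
        if e.section == "R0" and e.url in o14_pages:
            e.flags.append("start page also set in IERESET.INF (O14); an IE reset restores it")
    return entries
```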
     
  22. dwazzy

    dwazzy TS Rookie Topic Starter

    I figured out how to fix my problem. I ran HijackThis in safe mode under owner instead of administrator and it allowed me to get rid of the R0 and allowed me to change the internet homepage.

    Thank you for all of you help.
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's excellent news.

    Thanks for letting us know.

    Regards Howard :)
     