Trojan Horse Dialer.BZB, Generic.WUE

Status
Not open for further replies.

pavilion

Hi, I've been having problems with two Trojan viruses - Trojan Dialer.BZB and Generic.WUE..
I get frequent dialing from my comp and AVG keeps popping up saying I have a virus but even if I manage to heal them, it keeps coming back.. I have included a HJT log

I appreciate all the help I can get so Cheers
 

Hello and welcome to Techspot.

Your version of HJT is out of date. The current version is 1.99.1.

Go HERE and follow the instructions exactly.

Post a fresh HJT log into this thread, only after doing the above.

Regards Howard :wave: :wave:

This thread is for the use of pavilion only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Go and follow the instructions in the link I gave you.

Your system is infected with some nasties.

Post a fresh HJT log, only after you have completed the above.

regards Howard :)
 
Still Problems...

Hi, I did what you told me up to step 3 - & it told me to post a ewido log if I still have problems.. ewido helped to clear a few things up - but like AVG the trojans keep coming back

I am now in the process of downloading all those programs and using all of them and after that I will post a fresh HJT log. Speak to you then
 
Looking Good..

Hi,
Well everything seems to work fine now after using all those programs - no more spyware symptoms! :D
Hopefully I can keep it this way and thanks for your help :grinthumb

P.S I have posted a HJT log like you said
 
Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You're running a completely unpatched version of Windows. This is a huge security risk. You should run Windows updates and install at least service pack 1 and preferably service pack 2.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

npkcsvc

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

npkcsvc.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O9 - Extra button: Trucchi console - {FF4D2994-6575-4F03-A5C6-6559C8793A07} - C:\windows\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Trucchi console - {FF4D2994-6575-4F03-A5C6-6559C8793A07} - C:\windows\System32\shdocvw.dll

O20 - Winlogon Notify: keXX32 - C:\windows\SYSTEM32\keXX32.dll

O20 - Winlogon Notify: winymy32 - C:\windows\SYSTEM32\winymy32.dll

O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\windows\System32\npkcsvc.exe

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

These are the file paths you need to enter into killbox.

C:\windows\SYSTEM32\winymy32.dll

C:\windows\SYSTEM32\keXX32.dll

C:\windows\System32\npkcsvc.exe

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

This thread is for the use of pavilion only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
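
As an added example (not part of the thread or of any tool it mentions), this Python code parses the HijackThis entries listed in the post above and reconciles them with the Killbox paths, showing which flagged entries also have a file queued for deletion. The function and field names are assumptions made for the illustration.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section kind name path")  # hypothetical field names

# Constructed input: entries and paths copied from the post above.
HJT_FIX_LIST = r"""
O9 - Extra button: Trucchi console - {FF4D2994-6575-4F03-A5C6-6559C8793A07} - C:\windows\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Trucchi console - {FF4D2994-6575-4F03-A5C6-6559C8793A07} - C:\windows\System32\shdocvw.dll
O20 - Winlogon Notify: keXX32 - C:\windows\SYSTEM32\keXX32.dll
O20 - Winlogon Notify: winymy32 - C:\windows\SYSTEM32\winymy32.dll
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\windows\System32\npkcsvc.exe
"""
KILLBOX_PATHS = [
    r"C:\windows\SYSTEM32\winymy32.dll",
    r"C:\windows\SYSTEM32\keXX32.dll",
    r"C:\windows\System32\npkcsvc.exe",
]

def parse_entry(line):
    """Split one HijackThis line into section, kind, name and file path."""
    parts = [p.strip() for p in line.split(" - ")]
    if len(parts) < 3 or not re.fullmatch(r"O\d+", parts[0]):
        return None
    kind, _, name = parts[1].partition(": ")
    path = parts[-1] if re.match(r"[A-Za-z]:\\", parts[-1]) else None
    return Entry(parts[0], kind, name, path)

def norm(path):
    # Windows paths are case-insensitive: SYSTEM32 and System32 are the same folder.
    return path.lower()

def reconcile(log_text, delete_paths):
    """Compare files named by flagged entries with the delete-on-reboot list."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    referenced = {norm(e.path): e for e in entries if e.path}
    queued = {norm(p) for p in delete_paths}
    return {
        "entries": entries,
        "fix_and_delete": sorted(set(referenced) & queued),
        "fix_entry_only": sorted(set(referenced) - queued),
        "delete_without_entry": sorted(queued - set(referenced)),
    }

if __name__ == "__main__":
    result = reconcile(HJT_FIX_LIST, KILLBOX_PATHS)
    for key in ("fix_and_delete", "fix_entry_only", "delete_without_entry"):
        print(key, result[key])
```

With this input, shdocvw.dll (a Windows component) lands in fix_entry_only: its O9 entries are on the HJT fix list, but the file itself is not on the delete list.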
 
Fresh HJT

Hello again,

I've done what you told me and I'm posting a fresh HJT log..

By the way.. I tried deleting the file C:\windows\SYSTEM32\keXX32.dll with killbox several times, but it keeps coming back ? Is this the file that's giving me all these troubles .. ?
 
Yes, that's the only nasty file you have left on your system as far as I can see.

Do the following.

Download haxfix.exe.
http://users.telenet.be/marcvn/tools/haxfix.exe

Save it to your desktop.
Double click on haxfix.exe to extract all files in a folder on the desktop.

Open the folder haxfix and start fix.bat. This will open a red dos window (dos box).

You get this message:

At this point please type the following: keXX <- the first 4 char. see above.
avpe etc....

Press Enter to continue with the fix.

If an infection is found, you'll get a message to close all other open windows.

Close them, except the red DOS window from haxfix and press Enter.
The computer will reboot.

After reboot, a new red dos window will open.

This message will appear:

At this point please type the following: keXX

Press Enter to continue with the fix.

When the red dos window closes, the fix is ready.

Post the contents of the logfile c:\haxfix.txt along with a fresh HJT log.

Regards Howard :)
 
It seems there's a new version of Haxfix.

So, here are the revised instructions.

Download haxfix.exe.
Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon".
Click "Next".
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
Click "Finish".
A red "dos window" (dos box) will open.

Select option 2. Run auto fix by typing 2, and then pressing Enter.
If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and then press Enter.
The computer will reboot.
After reboot a logfile will open. Save that log.

Post the Haxfix log and a fresh HJT log.

Regards Howard :)
 
haxfix

Hello - it's been a while, but I finally used that haxfix program.. Unfortunately it didn't delete the kexx file, which was strange because in the logfile it says it had identified it? However there doesn't seem to be any spyware/virus symptoms, which is great.. I've posted the haxfix log and a fresh HJT log just in case
 
The nasty Kexx entry is still there.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Run the Haxfix again.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O20 - Winlogon Notify: keXX32 - C:\windows\SYSTEM32\keXX32.dll

Click on the fix checked button.

Close HJT.

Run HJT again and click on the config button, followed by the misc tools button. Click the delete file on reboot button and browse to C:\windows\SYSTEM32\keXX32.dll
click open, you will be prompted to restart your computer, click yes.

Once your computer has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

 
Bad Messenger Virus

Hello again.. I still couldn't get rid of that kexx entry but even worse, I've gotten myself into trouble again & I have another one infecting the comp.

It started when one of my messenger contacts sent me a msg saying 'lol look at this etc. (link)' Of course stupid me had to click it and now I have a very nasty virus that gives me a lot of problems e.g. several popups, I give out the same msg in messenger, major lag issues, modified desktop etc.

I remember how last time I did all those scans so I followed all those instructions again, however it only managed to get rid of the popups and not the other symptoms.. I've posted a HJT log, which includes a few unfixed items just so you know what I'm dealing with.. Thanks
 
Go HERE and follow the instructions exactly.

Post a fresh HJT and Ewido log as attachments into this thread, only after doing the above.

Regards Howard :)

 
HJT log & Ewido

Here is my fresh HJT & Ewido log. At the moment I don't see the usual symptoms however knowing those nasties, they could come back at any moment.. There does seem to be an error message I get at the startup though,

'Error loading w2a031aa.dll
The specified module could not be found'

Thanks again for the help
 
Download haxfix.exe from http://users.telenet.be/marcvn/tools/haxfix.exe
Save it to your desktop.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

msgs.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [tkqc3a4f] RUNDLL32.EXE w2a031aa.dll,n 004c3a4b0000000a2a031aa

O20 - Winlogon Notify: keXX32 - C:\windows\SYSTEM32\keXX32.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Program Files\MSN Messenger\msgs.exe

Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files)

When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
A red "dos window" (dos box) will open.
This message will appear:

Insert the haxdoor notify subkey without the numbers,
and then press enter:

At this point please type the following: keXX
Press Enter to continue with the fix.

If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and press Enter.

The computer will reboot, turn system restore back on and rehide your protected OS files.

After reboot find the logfile c:\haxfix.txt.
Post the contents of c:\haxfix.txt as an attachment, along with a fresh HJT log.

Regards Howard :)

 
I have merged your other thread into this one.

Well done, your HJT log is now clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Infection - Unable to reboot normally

Hello again - As you may have guessed I have another problem with more nasties. The problem isn't necessarily mine as it is my sister's laptop that is infected, and I think it is the same one as last time (msn trojan)

However this time I cannot start windows normally as it boots into a blue screen which says a physical memory dump is taking place - and when it finishes nothing happens.. thus not allowing me to connect to the net from the laptop.

Hopefully you'll be able to help me get past that - as the rest will probably be the same as last time.
 
Can you boot the laptop into safe mode with networking?

If so, follow these instructions.

If not, it may be time for a reformat and reinstall.

Regards Howard :)

 
Hi, I managed to reboot normally so I followed those instructions.. I've attached the ewido and HJT log for you to inspect.
 
That HJT log is clean.

Are you still having problems with your sister's laptop?

Regards Howard :)

 