Trojan Horse Pakes.U & Dialer.28.A


MattJKR

Hi there,

I have recently found a trojan horse Pakes.U & Trojan Horse Dialer.28.A, on my computer.

I have been downloading updates for various programmes recently, without trouble, but then yesterday AVG detected Trojan Horse Pakes.U & Trojan Horse Dialer.28.A. AVG keeps detecting it again and again. I want to remove the main Trojan file, which is creating these files. Would you kindly help me through the removal process? I've already read other people's posts about these trojans.

So far I have run Ewido anti-spyware, as told to on this forum, but am still getting the problems. I have attached 3 files: the HijackThis scan, done before I ran Ewido, the Ewido report (sorry, I forgot to remove some cookies first, so most of it is made up of cookies) and the HijackThis scan done after Ewido was run. Unfortunately, even after running Ewido I am still getting the same message...

Any help would be greatly appreciated,

Thanks

MattJ.
 

Attachments

  • hijackthis(AFTERewido).log
Hello and welcome to Techspot.

Make sure you have the latest virus definitions for AVG.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Go to Add/Remove Programs in your Control Panel and uninstall anything to do with the following (if there):

Toolbar888

Close control panel.

Run a full system scan with AVG and delete whatever it finds.

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there):

O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)

O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)

O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\Wanadoo\WanadooConnectionKit\atdialler1.exe

O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there):

C:\Program Files\ToolBar888

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.


Regards Howard :wave: :wave:

This thread is for the use of MattJKR only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi Howard,

Thanks for your very helpful advice - I have done all of the steps that you said, I have noted a few things, which may be of reference:


1) When trying to remove "ToolBar888" from the Add/Remove Programs panel, the following message was displayed:
"An error occurred when trying to remove ToolBar888. It may have already been uninstalled. Do you wish to remove it from the list?" - I chose to leave it in the list.

2) The full scan with AVG found 3 files infected with the Trojan Pakes.U virus - which I deleted....

3) The directory "C:/ Program Files / Toolbar888" was not found on my system...

4) I didn't remove the instances "O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\Wanadoo\WanadooConnectionKit\atdialler1.exe" & "O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm", as I believe they are something to do with my internet provider - Wanadoo....

5) I accidentally removed my sound card driver - so I am now downloading the file from the website - should I do the final HijackThis scan first, or install the sound card driver again first?

So far, touch wood, there have been no instances of the usual AVG message.

Thanks Again

Matthew.
 
Howard,

The problem has returned - I just got a message saying that a Trojan Pakes.U virus has been found again - what should I do now?
 
The file paths are: C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5\KPQF412R\srvvbx[1].exe AND C:\Windows\Temp\win66.tmp.exe

Also, I get regular messages via Internet Explorer saying all about virus software, even when I'm not using internet explorer...

Should I take a HiJackThis log in normal or safe mode? - I'll leave the sound driver for now...
 
Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the Processes tab and end the process for the following (if there):

win66.tmp.exe and any other process that has the same .tmp.exe extension.
srvvbx[1].exe

Close task manager.

Run a full system scan with AVG and delete whatever it finds.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

These are the filepaths you need to enter into killbox.

C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5\KPQF412R\srvvbx[1].exe

C:\Windows\Temp\win66.tmp.exe

Also, enter any other filepath that has the .tmp.exe file extension.

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Let me know how your system is running.

Regards Howard :)
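An added example, not from the original thread or from Howard's instructions: a short Python triage of the detection paths quoted so far. Killbox's "delete on reboot" queues the path in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and Session Manager processes the queue at the next boot, so it only helps with a file that exists and is locked. The script below makes the other point visible: every path AVG keeps reporting fits one of two generated-name patterns in temporary directories, which marks them as downloaded payloads rather than the component that fetches them. The sample list is built from the paths in this thread, and the two regular expressions and the class labels are my own assumptions for the example (the temp-name pattern is widened to 1-4 hex digits, which is what GetTempFileName produces, rather than the two seen here).

```python
import re
from collections import Counter

# Constructed sample: the paths AVG reported in this thread, plus one DLL path
# from a later post so the "other" branch is exercised. Not a live AVG log.
SAMPLE_DETECTIONS = [
    r"C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5\KPQF412R\srvvbx[1].exe",
    r"C:\Windows\Temp\win66.tmp.exe",
    r"C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5\CH630XYJ\srvwcs[1].exe",
    r"C:\WINDOWS\Temp\win97.tmp.exe",
    r"C:\WINDOWS\Temp\Win6D.tmp.exe",
    r"C:\WINDOWS\system32\sstts.dll",
]

# IE cache: Content.IE5\<8-char cache folder>\srv<3 letters>[n].exe. The [n]
# suffix is how IE names cached downloads, so something on the box fetched
# "srv???.exe" through WinInet and IE stored the copy.
IE_CACHE_DROP = re.compile(r"\\Content\.IE5\\[A-Z0-9]{8}\\srv[a-z]{3}\[\d+\]\.exe$", re.I)
# Windows temp: win<1-4 hex digits>.tmp.exe, a GetTempFileName-style name
# with .exe appended (assumed generalisation of the win66/win97/Win6D seen here).
WIN_TEMP_DROP = re.compile(r"\\WINDOWS\\Temp\\win[0-9A-F]{1,4}\.tmp\.exe$", re.I)


def classify(path):
    """Label a detection path by where it sits and how its name was generated."""
    if IE_CACHE_DROP.search(path):
        return "ie-cache-download"
    if WIN_TEMP_DROP.search(path):
        return "windows-temp-payload"
    return "other"


def summarize(paths):
    """Count detections per class. Repeated hits in the first two classes mean a
    downloader is still running; deleting the files alone will not end it."""
    return Counter(classify(p) for p in paths)


def recurring(paths):
    """Paths with generated names: the ones Killbox will keep failing on,
    because each run of the downloader drops a fresh file under a new name."""
    return [p for p in paths if classify(p) != "other"]


if __name__ == "__main__":
    for path in SAMPLE_DETECTIONS:
        print(f"{classify(path):22} {path}")
    print(summarize(SAMPLE_DETECTIONS))
```

The useful output is the summary, not the individual verdicts: five of six paths are freshly named drops in directories that any process can write to, so the thing to hunt for is whatever autostarts and writes them (an Autoruns or HJT entry), which is what the thread eventually turns to.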
 
Latest Update

Hi again,

I tried the advice and parts of it worked, but parts of it didn't. Below are any notes worth pointing out:

1) AVG found 3 files again, at the locations:
C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5\KPQF412R\srvhtu[1].exe / srvsjt[1].exe AND C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5\CH630XYJ\srvwcs[1].exe
I deleted these files, and then tried to delete them with KillBox - but there was an error message, as detailed in point 2.
I was thinking if the message comes again, I should restart & delete these 3 files with killbox alone - & then do an AVG Scan after reboot?

2) KillBox failed to work - It stated:
"PendingFileRenameOperations Registry Data has been removed by External Process!" - I couldn't delete any of the files, although I had already deleted all of them with AVG - could this be a problem?!?

EDIT - Trojan Dialer 28A is back....

If anyone could help, it would be greatly appreciated.

Thanks for all of the help so far Howard,

Matthew

p.s. I was wondering if the Trojan is linked with the Internet Explorer messages that I have been getting - I thought they may be linked.
 
Killbox normally gives that error when the files are not there/have already been deleted.

See how your system runs and let us know.

Edit: please post a fresh HJT log.

Regards Howard :)

 
Just now I have received the usual messages - Pakes.U is back at location: C:\WINDOWS\Temp\win97.tmp.exe, while Dialer.28.A can be found at C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5\8LEN49U3\srvfao[1].exe

Is there anything that can be done? - As things currently are, when they are detected, I am moving them to the Virus Vault of AVG.
 
Download the CCleaner programme from HERE.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html


Run the CCleaner programme and make sure all the boxes are ticked in the Windows and Applications tabs. Click the "Run Cleaner" button; run the programme several times with no browser windows open. Then click on the Issues button and make sure all the boxes are ticked. Click the "Scan for Issues" button and then the "Fix selected issues" button. Do this several times until no more issues are found.

Go to C:\WINDOWS\Temp and delete everything Windows will let you.

Then go and do the same here C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5

Reboot into normal mode and turn system restore back on and rehide your protected OS files.

Let me know the outcome.

Regards Howard :)
 
I ran CCleaner and that removed a lot of stuff. In addition I was able to remove all files from the Temp folder (C:\WINDOWS\Temp), and all files except "index.dat" (which was 3,552 KB in size) were removed from the Temporary Internet Files folder (C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5). I have attached the HijackThis log that I got following the cleaning of this folder.

In addition I have just run Spybot, which found 3 registry keys of "AstraKiller" and 1 registry value & 2 registry keys of "Smitfraud-C. Toolbar888", all of which I have removed. "Toolbar 888" is now no longer listed in the Add/Remove Programs list. I then ran Spybot once more and it found no other files. Oh yes, and I also re-installed my sound card driver....

In addition I then ran Adaware SE (Personal) – which found several negligible files (all MRU Lists), which I removed. I then did a “Deep Scan” using A squared (free version), which detected one file, classed as a small threat, which I deleted.

Do you have any advice on how to avoid future problems? I already use AVG, A-squared, CCleaner, Spybot & Ad-Aware.

Touch wood, everything seems fine at the moment, thanks for all your help Howard,

Matthew.
 
Well, unfortunately, the Trojan horse Pakes.U has just returned, at C:\WINDOWS\Temp\Win6D.tmp.exe

Man, this really is a pain,

If anyone could help then please do let me know - I'm at my wits end with this one....

Matthew
 
Update - Ran An Autoruns Log

Hi there,

I was reading some other threads regarding the Pakes.U virus, which said to try & run an Autoruns log, which I have done.

I have attached the file on here, if anyone who knows how to analyse it could help, I would be very appreciative...

The virus is still returning affecting the usual files - the files at C:\WINDOWS\Temp\winXX.tmp.exe & C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5

Many Thanks

Matthew.
 
Download and run these four tools. Follow the instructions for using each tool.

Tool1 Tool2 Tool3 Tool4

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

These are the filepaths you need to enter into killbox.

c:\windows\system32\sstts.dll
c:\windows\system32\winmmt32.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post fresh HJT, Ewido and Autoruns logs and let me know how your system is running.

Regards Howard :)

 
Right,

I ran the four programs, which didn't find anything, apart from VundoFix, which found a file "C:\WINDOWS\system32\wvutuvv.dll" that I deleted.

KillBox removed the two files, as far as I know; at least no error came up when I was trying to delete them. The Ewido scan found one Trojan Pakes file, which I deleted, and several cookies which were also removed….

Attached are several files: the HJT log, the Ewido scan log & the Autoruns log. I have also attached the VirtumundoBeGone 1.5 log file & the Look2Me Destroyer log file. Could someone in the know look over them for me?

Once again, thanks for all your help. Hopefully that will be it now, but I have a feeling it's not,

Matthew.
 
Have HJT fix these two entries.

O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm

O20 - Winlogon Notify: winmmt32 - winmmt32.dll (file missing)

Other than the above, your HJT log is clean.

You have deleted these files? If not you should do so.

C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5\O9MJOXMN\srvmke[1].exe
C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\srvcsx[1].exe
C:\Documents and Settings\User.PC-0982\Local Settings\Temporary Internet Files\Content.IE5\ZCN9QN1S\srvjsj[1].exe

It seems you've been hit with a new infection that's doing the rounds. Hopefully a simple fix will be found real soon.

I hope this is an end to your problems, but like you I have my doubts. please let me know how things go.

Regards Howard :)

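An added example, not from the original thread: a Python parser for HijackThis log lines of the kind quoted in this thread, with the rules Howard applied written out as code. The sample lines are the ones posted here, not the full attached log. Two things are worth seeing in code: a "(file missing)" entry is an orphaned registration that HJT can fix safely, and an O20 Winlogon Notify entry names a DLL that winlogon.exe loads at every logon, which is a persistence point to fix when the file is gone and to hunt down when it is not. The cross-reference rule (an O8 entry pointing into a DLL that another line reports missing, as with WSBar.dll above) and the flag names are my own assumptions for the example.

```python
import re

# Constructed sample: the HJT lines quoted in this thread, not the attached log.
SAMPLE_HJT = r"""
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\Wanadoo\WanadooConnectionKit\atdialler1.exe
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O20 - Winlogon Notify: winmmt32 - winmmt32.dll (file missing)
"""

# HJT line shape: "<section> - <kind>: <detail>"
HJT_LINE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
TEMP_DIR = re.compile(r"\\(Temp|Temporary Internet Files)\\", re.I)
MISSING = " (file missing)"


def missing_target(detail):
    """For a '(file missing)' entry, return the path or DLL name HJT could not find."""
    return detail[: -len(MISSING)].rsplit(" - ", 1)[-1]


def flag(section, detail, missing):
    """Apply the review rules to one entry; 'missing' is the set of lower-cased
    targets that other lines reported as absent."""
    flags = []
    if detail.endswith(MISSING):
        flags.append("orphan")                    # registration survives, file does not: safe to fix
    elif any(t in detail.lower() for t in missing):
        flags.append("references-missing-file")   # e.g. a res:// URL into a DLL reported missing
    if section == "O20":
        flags.append("winlogon-notify")           # loaded into winlogon.exe at logon; legitimate
                                                  # packages exist, so this is "review", not "auto-fix"
    if section == "O4" and (TEMP_DIR.search(detail) or detail.lower().endswith(".tmp.exe")):
        flags.append("startup-from-temp")         # nothing legitimate autostarts from a temp directory
    return flags


def parse_hjt(text):
    rows = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            rows.append(m.groups())
    # First pass: which files does HJT say are gone?
    missing = {missing_target(d).lower() for _, _, d in rows if d.endswith(MISSING)}
    # Second pass: flag every entry, including ones that merely point at those files.
    return [{"section": s, "kind": k, "detail": d, "flags": flag(s, d, missing)}
            for s, k, d in rows]


def entries_to_fix(entries):
    """Entries you would tick under 'fix checked' by these rules."""
    fix = {"orphan", "references-missing-file", "startup-from-temp"}
    return [e for e in entries if fix & set(e["flags"])]


def entries_to_review(entries):
    """Entries that need a human look even when not flagged for fixing."""
    return [e for e in entries if "winlogon-notify" in e["flags"]]


if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_HJT):
        print(f'{e["section"]:4} {",".join(e["flags"]) or "-":28} {e["detail"]}')
```

On this sample the fix list comes out as the two O3 toolbars, the O8 Wanadoo context-menu item and the O20 winmmt32 entry, while the O4 Wanadoo Connection Kit shortcut is untouched: it points at a real file in a non-temp location, which matches the poster's decision to leave it.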
 
Hi Howard,

I have done all of the above things, then I ran scans with Spybot S & D, Adaware Se, A squared (free), Ewido & AVG Anti Virus.

All of the scans came back clean (except the usual cookies) - so thus far everything seems to be OK...

The sooner they come out with a simple fix the better - it would save many of us a lot of trouble.

Hopefully this will be the last time that I say this, Many Thanks for your help, it is all greatly appreciated,

Matthew.
 
That's great news, I'm really pleased for you.

The problem with antivirus/antispyware/anti-trojan programmes is that they're always playing catch-up. No sooner have they got a fix for some malware than another, newer variant turns up and it starts all over again.

Safe surfing habits seem the only way of avoiding these nasty infections.

You might want to take a look at this thread HERE. It will show you how you can keep your system more secure.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 