Trojan Horses Dialer.COH; Dialer.28.A; Generic2.HLG

Hello:

I have a malware problem that has escalated to the point of total despair.

It all started when my trial NAV detected a certain dialer.generic trojan horse. Since it wouldn't go away, I seeked help in forums. Meanwhile, the NAV expired and I installed the free edition of AVG Anti-Virus.

I followed the other forum's instruction and installed Spybot Search & Destroy, Lavasoft's AD-Aware SE Personal, AVG's Anti-Spyware and Microsoft's Window Defender, Disk Cleaner, Spyware Blaster and KillBox.

I've run them in the order I was told, in safe mode and normal mode, deleted the files I was supposed to delete, but still, the AVG Anti-Spyware kept warning me about the following trojan horses: Dialer.COH, Dialer.28.A and Generic2.HLG. Sometimes it would prompt me to move 'em to the vault (which I always did) and sometimes it would give me the choice to heal (in which case I also did).

Before, the problem was the annoying warning from AVG. Now, I have a bigger problem. One of the instructions in the other forum was to update my Windows, which I did. The updated included the new Internet Explorer, which started working just fine. But today no more. Every time I start it, it will crash. Also, Searh & Distroy started a few days ago to warn me about changes in the registry. I denied them and, I suppose, it created a rule and now it doesn't stop denying some change in the registry from a certain ITBarLaoyout. This occurs every second, if not sooner, and won't stop.

Please help!

I attach my system's summary. If you do need any further info, just let me know.

Many thanks

 

where do I find "Read and run me first"

Excuse me but the link you sent me for "Read and run me first" sends me to the following page

http://forums.majorgeeks.com/showthread.php?t=35407

and in it it reads the following message:

"The board has been moved to a new server. If you still seeing this message, you could try the following to flush your DNS cache: ipconfig /flushdns"


I already did this procedure, to no avail. This page also asks me to log in, but it doesn't recognize my name or password.

Where else can I find the "Read and run me first" info?

 

Special Removal Procedures

Sorry again, but the "Read and run me first" instructions refer to a "Special removal procedures" before following the steps.

I'm again having the same accesibility problem as before, since I am sent to:

http://forums.majorgeeks.com/showthread.php?t=74501

where the same message

"The board has been moved to a new server. If you still seeing this message, you could try the following to flush your DNS cache: ipconfig /flushdns"

appears.

My gut feeling is that my case doesn't apply, but I am done thinking I'm smarter than the malware.

Please send me the correct link in the same manner as you did with the "Read and run me first" as this worked wonderfully fine.

Thank you very much

 

OK, finally back.

First of all, after follwing the Read and Run me first steps, I continue to have the same problems.

I did what was instructed, but, in order to be sure, I'll repeat it, step by step and let you know what were the results.

• I found no unknown/suspicious programs via the Add/Remove Programs feature.
• The MSConfig Startup Mode was already in Normal. However, I still clicked apply and restarted
• I emptied the vaults of the anti-virus and anti-spyware programs that I installed previously
• Emptied the Recycle Bin
• Hidden files, system files and file extensions were already enabled
• Currently, I am only using AVG Anti-Virus Free version. However, I did un-install all but one of the anti-spyware tools I was adviced to intall from another forum: Lavasoft's AD-Aware SE. If you have any suggestion of a better anti-virus, I will appreciate it
• Currently, I am only using the MS Windows XP firewall. Again, if you have a better suggestion...
• I created a new folder directly under C: and downloaded all the tools directly into it
• Unzipped, installed and updated as told
• Rebooted in Safe Mode. It did work.
• Unplugged the modem cable and shut down all apps
• Ran CClean with the default settings. I did this with every account, including Administrator, for which I had to reboot every time in safe-mode. Lots of stuff cleaned
• Ran MS Windows Malicious Software Tool in my account, which has administrator privileges, and didn't find anything wrong
• Ran Spybot S&D and didn't find anything wrong. However, I was confused since at no time I was asked any Teatime option. I just ran it with default settings
• Ran MS Windows Defender and didn't find anything wrong
• Additionally to the Read and Run me First steps; I ran AD-Aware SE. This one did find bad stuff and I proceeded to move the infected files to it's vault and, subsequently, deleted it. I attach the report (named Adaware.txt) just in case you are interested
• Rebooted in Safe Mode with Networking Capabilities
• Went to BitDefender page, agreed to it's terms, installed the Active X controls and proceeded with the scan. It did find something wrong and I attach the log as requested
• Went to the Panda page, installed the Active X controls and proceeded with the scan. It also found bad stuff and I attach the log as requested. However, something happened during the scan. When the red status bar was more ore les 80% done, a Windows messagge popped telling me that no "profile is create", refering to MS Outlook account and indicating me how to create one. It is true that I haven't created an Outlook account, but when I clicked OK (the only option), the on-line scan stopped. I ran the same scan again, and again the same happened
• Rebooted in Normal Mode
• Ran getrunkey.bat and then shownew.bat. I attach the respective reports
• Checked the Special Removal Procedures and couldn't find any match to my problem, so I didn't follow any of it's instructions.
• Downloaded HijackThis to the specified folder. Then renamed the file as told, ran it and saved the log, which I attach.

Back again in Normal Mode, I discovered that my problem was unsolved. AVG detected a dialer trojan, only this time with a different name: Trojan horse Generic2.IKA. I rushed to grab a pen where to write it's name and it disppeared before I could heal it. Also, a flashing "malware warning" appears on the lower right side of the Taskbar (Quicklaunch is it called?). When clicked, it opens a window which has all the appearance of a legit MS Windows XP program (I mean graphically), with an apparent XP logo and all, but it does not indicate any company/software name. It just makes some "quick scan" and in a few seconds it tells me I am infected with about 9 malicious items. By this time I know this is fake (or isn't it?) and I don't proceed with the "full scan", something it urges me to do. Finally, I noticed that there are 2 un-identified entries in the Start/All Programs from the Taskbar (they have unidentified icons). They are located not inbetween the regular programs, but "up there", where some MS utilities are, such as Windows Update, etc. Their names are Online Security Guide, which refers to the web page http//www.protectionlist.com, and Security Troubleshooting, which refers to http//www.asecuritytest.com. I have never knowingly installed these.

Now, since it was already late for me, I went to bed and decided to post the reply tomorrow (today Novembr 17th). And today, immediately upon starting, AVG ran an automatic test (this had never happened before), found the above mentioned trojan and vaulted it. As for the "spyware warning" it's also not there. I will keep and eye on it and inform you if it comes back.

What still doesn't work is Internet Explorer! And this is perhaps the worst thing of all. It did work in Safe Mode with Networking Capabilities, but not in Normal Mode. As i told you before, I was instructed by another forum to run Windows Update. This, however, coincided with the release of the newest version of IE. In the beginning it worked just fine. Now, I don't know if the IE problem is malware/virus-related or is it just an awful coincidence and the IE just doesn't work. But I haven't heard of any problems with it, have you? Any advice on how I can fix this or go back to the previous version of IE will be greatly appreciated.

By the way, the problem with IE is that it crashes upon start. It never really opens, just prompts me a Window with the Send/Don't Send Report, but it also has another opiton, Debug. The latter doesn't appear to solve the problem and the IE just closes.

For info on my PC, please note that I already uploaded the AIDA32 report in my first post.

Thanks a lot for the help so far and I hope my logs and reports are as helpful.

 

Continuing the uploadig...

 

Hello Chaslang:

I just did the first set of instructions and, following them, I will wait for you or anyone else to indicate me when to continue with the second set of instructions.

However -and this might be foolish of me-, I am not quite sure what are these procedures about. Are we addressing the malware problem, the IE problem, or both of them? Alsi, what is your last post about?

Thank you for your help

 

Hello:

Problem 1, Malware, seems to be gone ever since this morning. Problem 2, IE crash, however, remains.

I finished the second set of instructions and proceed now to attach the logs.

FYI, DirectX common and ODBC Service were already set in Stop Service, but their Start-up Type was set to Automatic. I changed them as told and subsequently deleted the NT Services, again as told.

Please note that the rapport.txt file I uploaded in my previous post was run right after installing SmitfraudFix and ran the Search option in Normal Mode. The file I am attaching now is the report after I ran the Clean option in Safe Mode. By the way, I had no problem with the process.exe file.

Also, FYI, wininet.dll was not infected, as I didn't get any prompt to replace it. The computer did not reboot automatically. In fact, it opened the new rapport file right away. Nevertheless, I followed the instructions and rebooted manually in Safe Mode, although there was no apparent change, prompt or anything. I immediately rebooted in Normal Mode, as told.

I had a question. I noticed that nobody has viewed the BitDefender report I was asked to post earlier in this thread. Not that I'm complaining of the help I am being given; all the contrary I appreciate it infinitelly. Just courious though.

I await your next instructions to fix the remaining "bunch" of problems.

Many thanks

 

Indeed. My appologies. I am doing it now.

Well, right on the side of the attachements, I can read "1 view" or "0 views". But nevermind. I appreciatte your help.

It is just the demo version.

I haven't done anything you say in your latest post because I need to go out for a while. Once I do it, I will tell you.

Again, many thanks

 

I just finished the remaining steps and here are the logs

 

Sorry, I forgot to tell you that IE is working fine now. By now, problems appear to be completely gone. If, however, there was more to be done, of course I will do it.

I cannot thank you guys enough

 

OK, I deleted the last two folders and file. I've been starting the PC in order to check things out, although I haven't work throughly and, so far, nothing wrong has happened. For all I know, the problems have been fixed. I don't know if I shoul wait, or do something specific in order to be really, really sure that I am bug-free now.

Once again, I cannot thank you enough.

Regards