Trojan-Ransom.Win32.Hexzone.agn

Hello,
I have been experiencing a slowdown while browsing the internet. CPU will spike at times to 100%. Did a scan and avast home did not detect anything. Completed an online scan with Kaspersky and it found the Trojan-Ransom.Win32.Hexzone.agn.
Scanned the affected files again with avast home and Spybot Search and Destroy and still not seen by those two programs.
Any help to gain some wisdom and removal plan about this trojan would be appreciated.

Thanks in advance!

I would first confirm the detection.
You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner, and report the findings here (the URL in the Address bar of the VT results page).

If multiple scanners detect it as infected, send the sample to virus@avast.com zipped and password protected, with the password in the email body, a link to this topic (it might help) and “undetected malware” in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

Thank You DavidR,

I will work through your suggestions. Here is a text of what/where the trojan was found:

Scan statistics:
Files scanned: 140508
Threat name: 2
Infected objects: 3
Suspicious objects: 1
Duration of the scan: 07:13:43

File name / Threat name / Threats count
C:\Documents and Settings\Ray\Local Settings\Application Data\Microsoft\Outlook\archive.pst Suspicious: Email-Worm.Win32.Bagle.mail 1
C:\Program Files\REFN\FormViewer\Rudder.dll Infected: Trojan-Ransom.Win32.Hexzone.agn 1
D:\Program Files\REFN\FormViewer\Rudder.dll Infected: Trojan-Ransom.Win32.Hexzone.agn 1
D:\Program Files\ZipForm 5.0\Rudder.dll Infected: Trojan-Ransom.Win32.Hexzone.agn 1

Here is a link to the scan, in which only two were able to detect it:

http://www.virustotal.com/analisis/7abaa303d8b0464beb1972314761cd38
or
http://www.virustotal.com/analisis/7abaa303d8b0464beb1972314761cd38

Hopefully one of those links will work…
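As an added example (not code from the thread, and not avast or Kaspersky tooling), here is the triage step DavidR describes, scripted: hash each copy of the flagged DLL that the Kaspersky report above lists, check whether the file carries an Authenticode signature, and group identical copies so that one hash lookup covers all of them. The three paths are the ones from the report; the VirusTotal hash-lookup URL form is the current scheme and is assumed here, and the script runs on PowerShell 2 or later so it suits an XP/Vista-era machine.

```powershell
# Added example, not code from the thread or from avast/Kaspersky.
# Triage the copies of the flagged DLL before sending anything anywhere:
# are the three hits one identical file or three different ones, is it signed,
# and which hash should be looked up. Paths are the three from the Kaspersky
# report above; change them to match your own scan output.
$SuspectPaths = @(
    'C:\Program Files\REFN\FormViewer\Rudder.dll',
    'D:\Program Files\REFN\FormViewer\Rudder.dll',
    'D:\Program Files\ZipForm 5.0\Rudder.dll'
)

# .NET hashing instead of Get-FileHash so this also runs on PowerShell 2.
function Get-HashHex {
    param([string]$Path, [string]$Algorithm)
    $algo = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $fs   = [System.IO.File]::OpenRead($Path)
    try     { ($algo.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

$results = foreach ($path in $SuspectPaths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not found (already deleted or moved to the chest?): $path"
        continue
    }
    $item = Get-Item -LiteralPath $path
    # Authenticode status: Valid from the software vendor argues for a false positive,
    # HashMismatch means the file was altered after signing, NotSigned tells you nothing.
    $sig  = Get-AuthenticodeSignature -FilePath $path
    New-Object PSObject -Property @{
        Path     = $path
        Size     = $item.Length
        Modified = $item.LastWriteTime
        MD5      = Get-HashHex $path 'MD5'      # the old /analisis/ links in this thread use MD5
        SHA256   = Get-HashHex $path 'SHA256'
        SigState = $sig.Status
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

$results | Format-List Path, Size, Modified, MD5, SHA256, SigState, Signer

# One lookup per distinct hash is enough; identical copies need not be re-checked.
$results | Group-Object SHA256 | ForEach-Object {
    "{0} copy/copies with SHA256 {1}:" -f $_.Count, $_.Name
    $_.Group | ForEach-Object { "    $($_.Path)" }
    # Hash lookup URL form assumed here (current VirusTotal scheme); nothing is uploaded.
    "    https://www.virustotal.com/gui/file/$($_.Name)"
}
```

If all three copies hash the same, the single VirusTotal report already linked covers them. A valid vendor signature on the file is worth mentioning when you submit it, because a detection on a signed, unmodified component of a commercial package is exactly the kind of hit avast wants to see as a possible false positive rather than as missed malware.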

Hi lobotex,

How to Remove Trojan.Ransom.Hexzone Manually?

Warning: Before we get started, you should back up your system and your registry, so it’ll be easy to restore your computer if anything goes wrong.

To remove Trojan.Ransom.Hexzone manually, you need to delete Trojan.Ransom.Hexzone files.

Stop Trojan.Ransom.Hexzone processes:
flowMediaDecoder_23[1].exe

Delete Trojan.Ransom.Hexzone DLLs:
tprlib.dll

Get rid of Trojan.Ransom.Hexzone registry keys:
AppID\tprlib.DLL
AppID\{E82CA17E-0C70-4F8C-AD15-5C00B3229DE5}
wgpnveuntgkzhhz.Ptuqrxdtuvrqu.1
wgpnveuntgkzhhz.Ptuqrxdtuvrqu
wgpnveuntgkzhhz.Mwldsmiywjelk
wgpnveuntgkzhhz.Mwldsmiywjelk.1
{F31776F2-6138-4179-B062-6C00E71589F7}
{DE6532E2-FD43-4DFB-9108-14140DBAB88C}
{0B62BEBA-FE11-41A7-B2D8-5A6437525101}
{A60B986B-4FED-44F4-A830-47CE85A85E88}
{1408E208-2AC1-42D3-9F10-78A5B36E05AC}
{44D67555-2D4E-4227-AB49-E509D025C487}
Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE6532E2-FD43-4DFB-9108-14140DBAB88C}

Note: In any Trojan.Ransom.Hexzone files I mention above, “%System%” is a variable referring to your PC’s System folder. Maybe you renamed it, but by default your System folder is “C:\Windows\System32” on Windows XP, “C:\Winnt\System32” on Windows NT/2000, or “C:\Windows\System” on Windows 95/98/Me.

“%Program_Files%”, “%ProgramFiles%”, or “%Profile%” is a variable referring to a folder in your PC where applications that aren’t a part of your PC’s operating system are installed by default. You may have changed this folder’s name or moved it, but if you didn’t touch it, find the folder as “C:\Program Files”. If you’re having trouble finding this folder, you can locate it by looking up registry value “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir”.

Also, “%UserProfile%” is a variable referring to your current user’s profile folder. If you’re using Windows NT/2000/XP, by default this is “C:\Documents and Settings\[CURRENT USER]” (e.g., “C:\Documents and Settings\JoeSmith”).

How to delete Trojan.Ransom.Hexzone files in Windows XP and Vista:

  1. Click your Windows Start menu, and from “Search,” click “For Files and Folders….”
  2. A speech bubble will pop up asking you, “What do you want to search for?” Click “All files and folders.”
  3. Type a Trojan.Ransom.Hexzone file in the search box, and select “Local Hard Drives.”
  4. Click “Search.” Once the file is found, delete it.

How to stop Trojan.Ransom.Hexzone processes:

  1. Click the Start menu, select Run.
  2. Type taskmgr.exe into the Run command box, and click “OK.” You can also launch the Task Manager by pressing keys ALT + CTRL + DELETE or CTRL + Shift + ESC.
  3. Click Processes tab, and find Trojan.Ransom.Hexzone processes.
  4. Once you’ve found the Trojan.Ransom.Hexzone processes, right-click them and select “End Process” to kill Trojan.Ransom.Hexzone.

How to remove Trojan.Ransom.Hexzone registry keys:

Warning: Because your registry is such a key piece of your Windows system, you should always back up your registry before you edit it. Editing your registry can be intimidating if you’re not a computer expert, and when you change or delete a critical registry key or value, there’s a chance you may need to reinstall your entire system. Make sure you back up your registry before editing it.

  1. Select your Windows menu “Start,” and click “Run.” An “Open” field will appear. Type “regedit” and click “OK” to open up your Registry Editor.
  2. Registry Editor will open as a window with two panes. The left side Registry Editor’s window lets you select various registry keys, and the right side displays the registry values of the registry key you select.
  3. To find a registry key, such as any Trojan.Ransom.Hexzone registry keys, select “Edit,” then select “Find,” and in the search bar type any of Trojan.Ransom.Hexzone’s registry keys.
  4. As soon as Trojan.Ransom.Hexzone registry key appears, you can delete the Trojan.Ransom.Hexzone registry key by right-clicking it and selecting “Modify,” then clicking “Delete.”

How to delete Trojan.Ransom.Hexzone DLL files:

  1. First locate Trojan.Ransom.Hexzone DLL files you want to delete. Open your Windows Start menu, then click “Run.” Type “cmd” in Run, and click “OK.”
  2. To change your current directory, type “cd” in the command box, press your “Space” key, and enter the full directory where the Trojan.Ransom.Hexzone DLL file is located. If you’re not sure if the Trojan.Ransom.Hexzone DLL file is located in a particular directory, enter “dir” in the command box to display a directory’s contents. To go one directory back, enter “cd ..” in the command box and press “Enter.”
  3. When you’ve located the Trojan.Ransom.Hexzone DLL file you want to remove, type “regsvr32 /u SampleDLLName.dll” (e.g., “regsvr32 /u jl27script.dll”) and press your “Enter” key.

That’s it. If you want to restore any Trojan.Ransom.Hexzone DLL file you removed, type “regsvr32 DLLJustDeleted.dll” (e.g., “regsvr32 jl27script.dll”) into your command box, and press your “Enter” key.

Did Trojan.Ransom.Hexzone change your homepage?

  1. Click Windows Start menu > Control Panel > Internet Options.
  2. Under Home Page, select the General > Use Default.
  3. Type in the URL you want as your home page (e.g., “http://www.homepage.com”).
  4. Select Apply > OK.
  5. You’ll want to open a fresh web page and make sure that your new default home page pops up.

polonus
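A second added example, again not from the thread: before running regedit’s Find and deleting things, check which of the keys, processes and DLLs listed in the post above actually exist on this machine and what they point at. The CLSIDs, ProgIDs, AppIDs and file names are the ones quoted in the post; the Browser Helper Objects registry locations are the standard ones; everything else is a plain PowerShell audit (run as Administrator) that reads and reports but changes nothing.

```powershell
# Added example, not from the thread. Read-only audit of the items named in the
# manual removal instructions: does each exist, and which DLL does it resolve to?
# Identifiers come from the post above; run in an elevated PowerShell (2 or later).
$ProcessNames = @('flowMediaDecoder_23[1]')          # Get-Process drops the .exe
$DllNames     = @('tprlib.dll', 'Rudder.dll')
$Clsids = @(
    '{F31776F2-6138-4179-B062-6C00E71589F7}',
    '{DE6532E2-FD43-4DFB-9108-14140DBAB88C}',
    '{0B62BEBA-FE11-41A7-B2D8-5A6437525101}',
    '{A60B986B-4FED-44F4-A830-47CE85A85E88}',
    '{1408E208-2AC1-42D3-9F10-78A5B36E05AC}',
    '{44D67555-2D4E-4227-AB49-E509D025C487}'
)
$ProgIds = @('wgpnveuntgkzhhz.Ptuqrxdtuvrqu', 'wgpnveuntgkzhhz.Ptuqrxdtuvrqu.1',
             'wgpnveuntgkzhhz.Mwldsmiywjelk', 'wgpnveuntgkzhhz.Mwldsmiywjelk.1')
$AppIds  = @('AppID\tprlib.DLL', 'AppID\{E82CA17E-0C70-4F8C-AD15-5C00B3229DE5}')

# HKCR is not a default PowerShell drive; go through the Registry:: provider path.
$HKCR = 'Registry::HKEY_CLASSES_ROOT'
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Test-Key([string]$Path) {
    if (Test-Path -LiteralPath $Path) { "FOUND   $Path" } else { "absent  $Path" }
}

# Default value of CLSID\{...}\InprocServer32 is the DLL COM would load for that class.
function Get-InprocServer([string]$Clsid) {
    $srv = "$HKCR\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $srv) { (Get-ItemProperty -LiteralPath $srv).'(default)' }
    else { '<no InprocServer32>' }
}

"== Registry keys named in the removal instructions =="
foreach ($k in $AppIds)  { Test-Key "$HKCR\$k" }
foreach ($k in $ProgIds) { Test-Key "$HKCR\$k" }
foreach ($c in $Clsids)  {
    Test-Key "$HKCR\CLSID\$c"
    if (Test-Path -LiteralPath "$HKCR\CLSID\$c") { "        InprocServer32 -> " + (Get-InprocServer $c) }
}

"== Installed Browser Helper Objects (all of them, not only the listed CLSID) =="
foreach ($bk in $BhoKeys) {
    if (-not (Test-Path -LiteralPath $bk)) { continue }
    Get-ChildItem -LiteralPath $bk | ForEach-Object {
        $clsid = $_.PSChildName
        $flag  = if ($Clsids -contains $clsid) { 'LISTED ' } else { '       ' }
        "$flag $clsid -> " + (Get-InprocServer $clsid)
    }
}

"== Running processes and loaded DLLs =="
Get-Process | Where-Object { $ProcessNames -contains $_.ProcessName } | ForEach-Object {
    "FOUND process {0} (PID {1}) {2}" -f $_.ProcessName, $_.Id, $_.Path
}
# A DLL that is loaded cannot be deleted; this shows which process to stop first.
foreach ($p in Get-Process) {
    try { $mods = $p.Modules } catch { continue }    # access denied on some system processes
    foreach ($m in $mods) {
        if ($DllNames -contains $m.ModuleName) {
            "FOUND {0} loaded in {1} (PID {2}): {3}" -f $m.ModuleName, $p.ProcessName, $p.Id, $m.FileName
        }
    }
}
```

Two caveats worth keeping in mind when following the steps above: regsvr32 /u only removes the COM registration, the DLL itself stays on disk until you delete or rename it; and a file that is loaded in a running process (Internet Explorer, for a BHO) cannot be deleted until that process exits, which is why the loaded-module check comes before the delete. A CLSID merely existing is not proof of infection either; what matters is the InprocServer32 path it resolves to, so compare that path against the files the scanner actually flagged.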

Before dealing with this send the sample rudder.dll to avast so that detections can be improved.

Send the sample to virus@avast.com zipped and password protected, with the password in the email body, a link to this topic (it might help) and “undetected malware” in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

If there happen to be any other files as referenced by polonus’s instruction, also check those at virustotal and send to avast as required.

Thank you both for taking the time to help provide a solution. I have uploaded the suspect file via the user file section.

No problem, glad I could help.

Thanks for taking the trouble to help improve detections.

Next step: the other two applications, which work well to complement avast.

Welcome to the forums.

Hi lobotex,

We hope you will soon have solved this. Some advice: update and patch your OS with all the latest updates and patches, and also your third party software through PSI Secunia: http://secunia.com/PSISetup.exe
Then use normal user rights for your normal online activities and full admin rights only when you need them for updating programs, installing trusted software etc.; this will certainly reduce the effects of all known malware on your OS by some 92%. Use a browser that can (fully or temporarily) disable scripts from running on a web page, like the Firefox browser with the NoScript extension installed. Using these so-called Safe Hex methods will reduce the possibility of being infected by malware considerably, and this is our experience,

polonus

I got Trojan-Ransom.Win32.Hexzone.agn today I am scared, my kaspersky internet security deleted it am I safe or must I do more?

Start by reading and complying with previous advice and answer any questions asked of the original poster in this topic.

Please be clearer. I asked if I was safe; I am really panicking. I would really appreciate it if you could tell me if Kaspersky deleting the trojan has made me safe or if there is more to be done?

Hi sasuke_s,

What more do you need? There is a full thread on it, plus the manual removal instructions for this malware, so check everything there meticulously if it is no longer on your computer and you know you have fully recovered from this,

polonus

There are many replies in this topic which both offer suggestions and ask questions, so that is where you start, by answering the questions and following the advice and reporting results.

Thanks to all for taking the time to offer advice and solutions. I ran the PSISetup.exe and was found to be 98% with two Adobe items needing updating. After those two updates and a rescan, now at 100%. Also from a previous post, I was able to delete the files that contained the virus threat and it no longer shows up. At this point, the system slowdown is still happening only when browsing the web. IEXPLORER CPU usage still spikes to 100%, causing slow page transitions like back in the dial-up days. It started a few weeks ago and I feel it has to be something associated with a Windows update, but not really sure. I will keep poking around the Microsoft boards as well.
Thanks again!!
lobotex

I scanned to find the registry keys and did everything told except Internet Explorer, as it did not change the homepage. Could not find the trojan file in Task Manager (“flowmedia…”). None of the registry keys were in my registry. Kaspersky deleted the trojan automatically and so I could not find it and manually delete the file. Am I safe?

Well safe is a word I don’t often use, but you are certainly in much better shape than you were.

I take it you aren’t experiencing any of the symptoms you were before ?

Nope laptop is going smoothly.

Thank you and sorry for my sudden panic.

You’re welcome, it is understandable to panic.