Win32:Dialer-gen13

Hello.
I have searched on the forum for some answers to try and delete recurring malware detections, but they still keep coming back. When I try to put the thing in the chest it doesn’t let me, so I click delete.

I have tried doing a boot-time scan and using AVG to try and find the virus. It found the virus but it still kept coming back after I quarantined it.

Malware name: Win32:Dialer-gen13 [Trj]
File name: C:\Documents and Settings\Jonny\Local Settings\Temporary Internet Files\Content.IE5\AHC7WLYT\srvums[1].exe
File name 2: C:\WINDOWS\TEMP\win1F.tmp.exe

I am using Windows XP Pro.
My firewall is Zone Alarm Pro
I have attached my Avast warning log and my HijackThis log.

Hi Impact247,

You’ve obviously cleaned out a lot of malware, judging from the avast! log!

A lot of it seems to have been hiding in temp files, and the dialer you mention is still lurking in the same place.

So first I recommend a thorough purge of temp files: download and run CleanUp! and if requested to reboot to allow deletion of some temp files, do so.

http://www.stevengould.org/software/cleanup/

If you haven’t done so already, download install and update these two programs: Ad-Aware and Spybot Search & Destroy.

http://www.download.com/3000-2144-10045910.html

http://www.safer-networking.org/

Update AVG Anti-Spyware and boot into safe mode:

http://www.pchell.com/support/safemode.shtml

Run scans with all three programs.

Reboot and run another scan with HijackThis! If the following entries are still there, tick the box next to the entries and have HijackThis! fix them:

O2 - BHO: (no name) - {15C09A6A-B215-20EC-B472-07E15B54AB68} - C:\WINDOWS\system32\wnyjvbb.dll

O2 - BHO: SurfMatch - {5EA18C9B-8A38-4b15-B196-AEFCB48F4B5D} - (no file)

O4 - HKLM..\Run: [ocnzpve.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ocnzpve.dll,aveopkd

O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll

Reboot into safe mode and delete these files if you can find them (you may need to enable ‘view hidden files and folders’ in the tools>folder options tab of explorer):

C:\WINDOWS\system32\ocnzpve.dll

C:\WINDOWS\SYSTEM32\winwea32.dll

Finally, run another scan with HijackThis! and post it so we can check that no malware remains, or recommend a further course of action if any malware survives!
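The four HijackThis entries above are flagged by hand in this reply; as an added example (not code from the thread or from HijackThis), the following Python triage applies the same reasoning to a log programmatically: BHOs with no name or no file, Run entries that use rundll32 to load a system32 DLL, Winlogon Notify packages outside a known-good list, and any AppInit_DLLs value. The sample log is constructed from the lines quoted in this thread plus benign entries, and the Winlogon Notify allowlist is an assumed partial list for Windows XP.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the HijackThis lines quoted in this thread plus three
# benign ones, so the triage has entries to clear as well as entries to flag.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {15C09A6A-B215-20EC-B472-07E15B54AB68} - C:\\WINDOWS\\system32\\wnyjvbb.dll
O2 - BHO: SurfMatch - {5EA18C9B-8A38-4b15-B196-AEFCB48F4B5D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [ocnzpve.dll] C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\ocnzpve.dll,aveopkd
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O20 - Winlogon Notify: winwea32 - C:\\WINDOWS\\SYSTEM32\\winwea32.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Assumed partial allowlist of Winlogon Notify subkeys normally present on XP;
# extend it for the machine being examined.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.*?): \[(?P<label>.*?)\] (?P<cmd>.*)$")
O20_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.*)$")
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")

@dataclass
class Finding:
    line: str
    reason: str

def triage_line(line: str) -> Optional[str]:
    """Return a reason to look closer at this HijackThis line, or None if unremarkable."""
    if m := O2_RE.match(line):
        if m["name"] == "(no name)":
            return "BHO with no name loading %s" % m["path"]
        if m["path"] == "(no file)":
            return "BHO registration whose DLL is missing (orphaned entry)"
    elif m := O4_RE.match(line):
        if "rundll32" in m["cmd"].lower() and "\\system32\\" in m["cmd"].lower():
            return "Run entry uses rundll32 to load a system32 DLL (%s)" % m["label"]
    elif m := O20_NOTIFY_RE.match(line):
        if m["subkey"].lower() not in KNOWN_NOTIFY:
            return "Winlogon Notify package not in the known-good list: %s" % m["subkey"]
    elif m := O20_APPINIT_RE.match(line):
        if m["value"].strip():  # loaded into every process that links user32.dll
            return "AppInit_DLLs is set (%s)" % m["value"]
    return None

def triage(log_text: str) -> List[Finding]:
    return [Finding(l, r) for l in log_text.splitlines() if (r := triage_line(l))]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

A flagged entry is a prompt to verify the file (publisher, location, hash) before fixing it, not proof of infection on its own.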

Thank you very much for such a quick reply!

I followed all your instructions except when I tried to delete C:\WINDOWS\SYSTEM32\winwea32.dll
it said the file was in use and I could not delete it.

After following all of your instructions (except for the one), the virus apparently still remains as Avast! keeps popping up with the same warning, but more often!
I think that it only comes up when I go onto an internet browser. I am using Mozilla Firefox.

Yep! Stubborn little fellow!

Can you try KillBox on the file please?

Follow the instructions on this page:

http://www.bleepingcomputer.com/files/killbox.php

The path you type in is:

C:\WINDOWS\SYSTEM32\winwea32.dll

When you reboot you should be able to remove the entry with HijackThis!

Wow… As much as Killbox tried, it couldn’t be deleted. The start bar kept flashing, so the dll may be something to do with that?

I’ve just been searching Yahoo! for winwea32.dll, and yes, it does seem to resist KillBox.

http://www.2-spyware.com/forum/topic609.html

However, it doesn’t seem to be able to resist The Avenger!

http://forums.afterdawn.com/thread_view.cfm/352205

We need to adapt -kemisti-'s advice to suit you.

1. Please download The Avenger by Swandog46 from http://swandog46.geekstogo.com/avenger.zip to your Desktop.

   - Click on Avenger.zip to open the file
   - Extract avenger.exe to your desktop

  1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Quote: Files to delete:
    C:\WINDOWS\system32\tfvf.dll
    C:\WINDOWS\system32\765b3a5.exe
    C:\WINDOWS\system32\c903ca1d.exe
    C:\Documents and Settings\Mones\Local Settings\Application Data\765b3a5.exe
    C:\Documents and Settings\Mones\Local Settings\Application Data\c903ca1d.exe
    C:\WINDOWS\SYSTEM32\winwea32.dll
    C:\WINDOWS\system32\cmd.dll
    C:\WINDOWS\system32\notepad.dll
    C:\WINDOWS\system32\wuauclt.dll

    Registry values to replace with dummy:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Now, start The Avenger program by clicking on its icon on your desktop.
     - Under “Script file to execute” choose “Input Script Manually”.
     - Now click on the Magnifying Glass icon which will open a new window titled “View/edit script”.
     - Paste the text copied to clipboard into this window by pressing (Ctrl+V).
     - Click Done.
     - Now click on the Green Light to begin execution of the script.
     - Answer “Yes” twice when prompted.
  2. The Avenger will automatically do the following:
     - It will restart your computer. (In cases where the code to execute contains “Drivers to Unload”, The Avenger will actually restart your system twice.)
     - On reboot, it will briefly open a black command window on your desktop; this is normal.
     - After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
     - The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  3. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply.

Post a fresh HJT log.

In your case, you will need to enter only the following:

Files to delete:

C:\WINDOWS\SYSTEM32\winwea32.dll

Registry values to replace with dummy:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs 

EDIT: Removed ‘Quote’ above as it was cut and pasted by mistake. The Avenger interprets text before commands as comments, so it will not have affected the running of the application.

Oh dear. It removed the file, but now a windows message keeps popping up saying:

“The drive is not ready for use; its door may be open. Please check drive A: and make sure that the disk is inserted and that the drive door is closed.”

I don’t have a floppy disk drive.

Also AVG came up saying that the Dialer was still there.
???

I’d just found an alternative method here, but now we’ll have to deal with the consequences of the method you tried.

Could you post another HijackThis! log?

Scan your computer using Hijackthis. After scan locate line O20 - Winlogon Notify: win???32 - C:\WINDOWS\SYSTEM32\win???32.dll. ??? [3 question marks; the forum is substituting a smiley] is replaced with any 3 symbols (for example: winzdn32.dll). Go to C:\WINDOWS\SYSTEM32\, find the win???32.dll file and rename it adding a .txt extension (win???32.dll.txt). Restart the computer.

http://www.spyware-removal-guideline.com/win-tmp-exe-popups-removal

This obviously fits the description you provided, as win1F.tmp.exe was a symptom.

The Avenger log would be useful too!

The log from the most recent use of The Avenger may be viewed by going to the File menu, and choosing “Open log file.”
but now we'll have to deal with the consequences of the method you tried.
What do you mean by this?

Also would you like me to follow the instructions in the quote?

Also I don’t think I saved the avenger log, sorry!

but now we'll have to deal with the consequences of the method you tried.
What do you mean by this?

I mean the Windows message that keeps popping up. We need to find what is causing that message and fix it.

Also I don't think I saved the avenger log, sorry!

The log is saved automatically: if you open The Avenger and follow the instructions, you should be able to view the log.

I followed the instructions, but it says that there is no avenger.txt file.

The malware entry is still there:

O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll


It sounds like The Avenger didn’t run correctly.

Have you tried renaming the file as described in the spyware-removal-guideline.com link?

Yes, I changed the file to Winwea32.dll.txt
Should it stop the virus pop-ups?

If you restart the computer, yes.

That’s assuming the method works, of course! Malware is constantly evolving to defeat removal methods, unfortunately.

When you reboot, see if you can fix the entry with HijackThis!

Also let me know if you are still getting the message about the open drive.

OK. I rebooted and the drive thing still keeps coming up.

Hi Impact247,

Try this anti-malware tool: http://support.microsoft.com/kb/890830/
It has what it takes to deal with this…

polonus

You should be able to fix the HijackThis! entry now:

O20 - Winlogon Notify: winwea32 - winwea32.dll (file missing)

I’d recommend a scan with TuneUp Utilities which has a free trial to look for any stray registry entries that may be referencing the a: drive:

http://www.tune-up.com/

I don’t think the virus is there anymore as it hasn’t yet come back, but the a: drive thing still is.

First of all, I’d recommend another run of CleanUp!: while the malware was active it was creating more infected temp files, and these need to be purged.

Have you tried a registry scan with TuneUp Registry Cleaner?

In the Customize & Analyze section, open TuneUp StartUp Manager and look for any items you don’t recognise. If you find anything suspicious, you can disable it and restart to see if it is causing the problem.

Is there any more information you can give us about the warning message? You could try Event Viewer to find more information:

http://support.microsoft.com/kb/302542

If you see any warnings in Application or System, you can right click and select properties to get more information.

http://en.wikipedia.org/wiki/Image:Windows_XP_Event_Viewer.png