I have Trojan Horse Downloader.generic6.AEPH

By divdivyaya
Mar 20, 2008
Topic Status:
Not open for further replies.
  1. I keep getting this found when I run AVG and delete it, but it keeps coming back. It seems to be causing a lot of pop-ups in Internet Explorer to open even though I don't use Internet Explorer, and when they pop up AVG detects the "threat". I am super new at this, so sorry if I don't understand what you want me to do at first.

    I tried to put my HJT log, but it wouldn't allow me to have "links"(?) so I'm not sure what I should do.

    Thank you for any help.
  2. kritius

    kritius TechSpot Guru Posts: 2,087

    Hi divdivyaya, :wave:

    I need you to follow all the steps HERE and then post back with the three requested logs as attachments
    • AVG antispyware
    • ComboFix
    • Hijackthis (step 15)

    Don't forget to make sure that AVG is set to quarantine the results, that HJT is the last step, and to let us know the results of the antirootkit scan.

    Good luck and welcome to TechSpot.

    This thread is for the use of divdivyaya only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. divdivyaya

    divdivyaya Newcomer, in training Topic Starter Posts: 17

    Thanks so much for the reply. I'm having some issues getting the internet to even work on my computer now (I think the computer gods hate me for some reason), which is why I haven't replied to you sooner. Once I get the internet problems fixed I will be sure to let you know the info from those different tests. Thanks again for any help.
  4. kritius

    kritius TechSpot Guru Posts: 2,087

    I'll be waiting.
  5. divdivyaya

    divdivyaya Newcomer, in training Topic Starter Posts: 17

    FINALLY, got my internet working and did all 15 steps except for that Trend Micro HouseCall, because it made my laptop freeze repeatedly.
    Here are my HJT, ComboFix, and AVG anti-spyware logs. The AVG antirootkit didn't find anything to fix.

    Like I said before, my symptoms are that AVG only detects the threat when I have a Mozilla window open, and it basically just causes Internet Explorer advertisement windows to pop up.


    Thank you so much for the patience and any help you can offer
  6. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Run Smitfraudfix
    • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    • Double-click SmitfraudFix.exe
    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Navigate to C:\Windows\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Clean out your Temporary Internet files. Proceed like this:

    For Internet Explorer 7

    * Click Start, click Control Panel, and then double-click Internet Options.
    * On the General tab, click Delete... under Browsing History.
    * Next to Temporary Internet Files, click Delete files, and then click OK.
    * Next to Cookies, click Delete cookies, and then click OK.
    * Next to History, click Delete history, and then click OK.
    * Click the Close button.
    * Click OK.

    For Mozilla 1.x and Up

    * Click Edit from the Mozilla menubar.
    * Click Preferences... from the Edit menu.
    * Expand the Advanced menu by clicking the plus sign.
    * Click Cache.
    * Click the Clear Cache button.

    For Opera

    * Click File from the Opera menubar.
    * Click Preferences... from the File menu.
    * Click the History and Cache menu.
    * Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
    * Click Ok to close the Preferences menu.

    Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

    Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.


    Afterwards attach rapport.txt and a fresh Hijackthis log
  7. divdivyaya

    divdivyaya Newcomer, in training Topic Starter Posts: 17

    Here are the rapport and HJT logs

    Thanks!
  8. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Update your Java Runtime Environment
    A lot of infections will exploit old versions of Java
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update Tab at the top of the Java console
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions:
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install Go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
    • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder

    -------------------------------------------------------------------------------------------------------
    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries:
    O2 - BHO: (no name) - {BF3131E4-3C4C-4103-BB5B-9CFB442F0515} - C:\WINDOWS\system32\jkhhh.dll (file missing)
    O4 - HKCU\..\Run: [Euoep] "C:\Program Files\Common Files\s?stem\e?plorer.exe"


    Select Fix Checked

    Close Hijackthis

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

    Use Windows Explorer to navigate to and delete the following files:

    This is the tricky part. Navigate to: C:\Program Files\Common Files\ Don't delete the System folder if it falls into alphabetical order; this one should be at the very bottom.

    Folders:
    C:\Program Files\Common Files\System <-(This Folder should be all the way at the bottom;out of alphabetical order)


    Restart your computer into normal mode

    Run a new scan with Hijackthis and attach the log
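The two HijackThis entries Blind Dragon singles out above share two tell-tale signs: a BHO whose DLL is already gone, and a Run entry whose path contains "?" where HijackThis could not display a character (the `s?stem\e?plorer.exe` name mimics `system\explorer.exe` with look-alike characters). The following is an added example, not code from the thread or from HijackThis, that applies those same checks to HijackThis-style log lines so a helper can triage a log quickly. The O2/O4 line shapes are assumed from the two lines quoted in the post; the AVG line and the line using the Cyrillic letter U+0455 in place of a Latin "s" are constructed for this example.

```python
import re
import unicodedata

# Constructed HijackThis-style log excerpt. The O2 and first O4 lines are the two
# entries from the thread; the AVG line and the Cyrillic-homoglyph line are made
# up for this example (U+0455 replaces the Latin "s" in "system").
SAMPLE_HJT_LOG = "\n".join([
    r"O2 - BHO: (no name) - {BF3131E4-3C4C-4103-BB5B-9CFB442F0515} - C:\WINDOWS\system32\jkhhh.dll (file missing)",
    r'O4 - HKCU\..\Run: [Euoep] "C:\Program Files\Common Files\s?stem\e?plorer.exe"',
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    "O4 - HKCU\\..\\Run: [Updater] \"C:\\Program Files\\Common Files\\\u0455ystem\\explorer.exe\"",
])

# Line shapes as HijackThis prints them (assumed from the two lines in the thread).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")


def non_ascii_chars(text: str) -> list[str]:
    """Describe every non-ASCII character in text, e.g. 'U+0455 (CYRILLIC SMALL LETTER DZE)'."""
    return [f"U+{ord(c):04X} ({unicodedata.name(c, 'unknown')})" for c in text if ord(c) > 0x7F]


def triage_hjt_log(log_text: str) -> list[dict]:
    """Return one finding per O2/O4 line that shows a sign worth checking by hand."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        # O2: a Browser Helper Object whose DLL no longer exists is a leftover to clean up
        o2 = O2_RE.match(line)
        if o2 and "(file missing)" in o2.group("path"):
            reasons.append(f"BHO {o2.group('clsid')} is still registered but its DLL is gone")
        # O4: autostart entries; look for look-alike characters in the launched path
        o4 = O4_RE.match(line)
        if o4:
            cmd = o4.group("cmd")
            if "?" in cmd:
                # '?' is illegal in a Windows path; HijackThis prints it for characters it cannot render
                reasons.append("'?' in the command line stands for a character HijackThis could not display")
            odd = non_ascii_chars(cmd)
            if odd:
                reasons.append("non-ASCII characters in the command line: " + ", ".join(odd))
        if reasons:
            findings.append({"entry": line[:2], "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_hjt_log(SAMPLE_HJT_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

The "?" check works on the log text exactly as it appears in the thread; the non-ASCII check covers the case where the log is saved as UTF-8 and the look-alike character survives intact, and it names the character so the reader can see that it is not the Latin letter it resembles. Either hit means the entry should be reviewed by hand rather than trusted because its path looks like a Windows system file.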
  9. kritius

    kritius TechSpot Guru Posts: 2,087

    OTMoveIt2 can deal with Purity, the custom screen can be used.
  10. divdivyaya

    divdivyaya Newcomer, in training Topic Starter Posts: 17

    I didn't have a "system" folder out of alphabetical order, only one in alphabetical order (the folders at the bottom were: speech engines, system, tivo shared, wise installation), so I didn't delete a folder. Here is that HJT log.
  11. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Let's try like kritius said

    First
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs. From within Add/Remove Programs highlight any of the following programs (if listed) and select "Remove".

    ClickSpring
    Cowabanga by OIN
    MediaTickets
    MediaTickets by OIN
    OIN
    Outer Info Network
    PurityScan
    PurityScan by OIN
    Snowball Wars by OIN
    TizzleTalk
    TizzleTalk by OIN
    Yazzle by OIN
    Yazzle ActiveX By OIN
    Yazzle Cowabanga by OIN
    Yazzle Kobe :filtered:! By OIN
    Yazzle Picster by OIN
    Yazzle Sudoku by OIN
    Yazzle Snowballwars by OIN
    Yazzle Kobe Balls! by OIN
    Zolero Translator
    or anything similar with OIN, Outer Info, or Yazzle


    Reboot your computer!!!
    --------------------------------------------------------------------------------------------

    Download OTMoveIt2 by OldTimer.
    • Save it to your desktop

    • Double Click OTMoveIt2.exe
    • For Vista - Right Click OTMoveIt2.exe and choose Run As Administrator).
    • Copy the lines in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window.
      IMPORTANT -- Paste only into the bottom input panel (under the Yellow bar)
    • Right-click and choose Paste.
    • Click the red Moveit! button.
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    # The list will be processed and the results will be displayed in the right-hand pane.
    # Click Exit when done.
    # A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles \mmddyyyy_hhmmss.log <- the date/time the tool was run.
    # Attach the log back here

    Reboot the computer.
    -------------------------------------------------------------------------------------

    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    ------------------------------------------------------------------------------------------

    Run another Hijackthis and attach log here
     
  12. divdivyaya

    divdivyaya Newcomer, in training Topic Starter Posts: 17

    I didn't have any of those programs listed. Also, when I ran OTMoveIt2 it couldn't find that file?...but I guess it should tell you that in the log
  13. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Ok, well the registry entry is gone, so it's not running.

    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • Type "1" (and Enter) to start the fix.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
  14. divdivyaya

    divdivyaya Newcomer, in training Topic Starter Posts: 17

    I have ComboFix from Step 12 of those first 15 steps required. When I run it now, a bar pops up as if it's starting up, but after it fills all the way nothing happens. No program starts up. I tried downloading combofix again and it still doesn't work. Do you know why it would work before and not now?
  15. kritius

    kritius TechSpot Guru Posts: 2,087

    Go to Start > Run and type combofix /u, or copy and paste this into the Run box, then hit OK.

    Redownload combofix and try it again.
  16. divdivyaya

    divdivyaya Newcomer, in training Topic Starter Posts: 17

    I tried to run it by typing that in, and by redownloading it. Neither worked. I still get that bar that fills up without the program opening.
  17. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Please download Deckard's System Scanner (DSS) and save it to your Desktop.
    DISCONNECT FROM THE INTERNET...REMOVE THE PLUG FROM THE BACK OF THE COMPUTER

    Close all other windows before proceeding.

    This means TURN OFF ALL other security programmes.
    Norton Anti-virus, AVG Anti-spyware or any other security programmes you're running.

    Double-click on dss.exe and follow the prompts.
    When it has finished, dss will open two Notepads main.txt and extra.txt -- please attach the main.txt and extra.txt in your next reply.

    Re-enable your security programmes and reconnect to the net.
  18. divdivyaya

    divdivyaya Newcomer, in training Topic Starter Posts: 17

    Here are those texts from my DSS run.
  19. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Have you had connection problems the last few days?
  20. divdivyaya

    divdivyaya Newcomer, in training Topic Starter Posts: 17

    No, I haven't really had connection problems recently. I did have to disconnect to do that DSS step. I had connection problems at the beginning of this whole virus thing, b/c I needed to disable my internet for a test I was taking and when I went to re-enable it I had problems. I ended up not being able to fix it, so I just did System Restore to a point before I disabled it.
  21. divdivyaya

    divdivyaya Newcomer, in training Topic Starter Posts: 17

    My AVG just detected another trojan horse: "trojan horse generic.10.XQ". It's in my virus vault.
  22. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  23. divdivyaya

    divdivyaya Newcomer, in training Topic Starter Posts: 17

    Here are the results of the Kaspersky scan.....thanks for the continued help, I REALLY appreciate it
  24. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Nothing in Kaspersky scan except for a false positive.

    Let's go ahead and secure the work you have done, and set a new restore point.


    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

    -----------------------------------------------------------------------
    Cleanup using OTMoveit2 by OldTimer
    Now we can clear out the rest of the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

    Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

    1. Double click OTMoveIt2.exe to launch it.
    If using Vista Right-Click OTMoveIt and choose Run As Administrator
    2. Click on the CleanUp! button.
    3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
    4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

    * When finished exit out of OTMoveIt2

    ---------------------------------------------------------------------------
    I recommend you keep
    1 anti virus program
    1 firewall
    Combo of Anti-Spyware (Spybot S&D and MBAM, or your choice)

    For Spybot you can download the latest version from HERE.

    keep them updated.

    You can also turn on tea timer in Spybot:
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • check Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close spybot

    Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer you can disable it; then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

    And just to be sure
    Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.
  25. divdivyaya

    divdivyaya Newcomer, in training Topic Starter Posts: 17

    Does that mean I should delete HJT, Ad-Aware, Ad-Watch, CCleaner, VirtumundoBeGone, ATF-Cleaner, and all the logs that I saved?