# TechSpot

Jun 16, 2008
1. Hi,
For the past couple of months that I have scanned my computer with AVG I always get two trojan horses popping up; Trojan Horse Downloader.purity scan and Trojan Horse Downloader.Generic2. Every time I heal them, but the very next time I scan my computer they keep popping up. As well, I think this may be the reason for why my computer is running slower than ever lately. I really would appreciate any help I could get. Thank you.

2. ### Blind DragonTS EvangelistPosts: 4,048

Highjackthis Instructions
• Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
• After installing, the program launches automatically, select Scan now and save a log

3. ### soccer_chikaTS RookieTopic Starter

log file

here is the log file

4. ### Blind DragonTS EvangelistPosts: 4,048

You have a lot more than 2 trojans, log is cluttered with foistware, spyware, ect.

• Click the Browse... button
• Navigate to the file C:\Program Files\Common Files\zziw\zziwm.exe
• Click the Open button
• Click the Send button
• Copy and paste the results back here please.

5. ### soccer_chikaTS RookieTopic Starter

i don't see the file zziwm.exe, but there is a file zziwd

7. ### soccer_chikaTS RookieTopic Starter

it goes from zziw to zziwd then i can choose between class-barrel or vocabulary... what should i click on?

8. ### Blind DragonTS EvangelistPosts: 4,048

from upload -> browse -> select zziwd.exe

9. ### soccer_chikaTS RookieTopic Starter

the file opens up to either class-barrel or vocabulary

10. ### Blind DragonTS EvangelistPosts: 4,048

we are going to fix it, I recognize those from other infections.

I am almost done with your first few steps

11. ### soccer_chikaTS RookieTopic Starter

okay...thanks. I'm sorry I have such a messed up computer.

12. ### Blind DragonTS EvangelistPosts: 4,048

No problem, I also need you to tell me what you are using for an Anti-virus. I see AVG7 - which is outdated / and pieces of Mcafee - looks outdated. I recommend you uninstall both and get Avira Antivir

------------------------------------------------------------------------

New.net Removal instructions
First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

You may have to hit ctrl+alt+del then stop this process from running C:\Program Files\NewDotNet\nnrun.exe

Afterwards, come back and post a fresh hijackthis log and I will have further instructions ready.

13. ### soccer_chikaTS RookieTopic Starter

here is the second file after i removed that file. As well, i couldn't find any Mcafee files that i could uninstall.

14. ### Blind DragonTS EvangelistPosts: 4,048

• Run HijackThis
• Click on the System Scan Only button
• Put a check beside all of the items listed below (if present):

O2 - BHO: (no name) - {68E0AA80-7904-47AB-6E37-6BAD2A46C2A9} - C:\WINDOWS\system32\egdlub.dll (file missing)
O2 - BHO: UrlHelper Class - {6D023EBF-70B8-45A6-9ED5-556515FA0FE4} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll
O2 - BHO: (no name) - {7A368449-18AB-4058-8FEA-37D1E862C5BE} - C:\WINDOWS\system32\nju.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A391142-85F7-810B-DEDF-A428E4253BB9} - C:\WINDOWS\system32\tlaesbx.dll (file missing)
O2 - BHO: (no name) - {8ACF7826-E498-BC69-ED2C-CBBE4E7B65E0} - C:\WINDOWS\system32\btrrrfj.dll (file missing)
O2 - BHO: (no name) - {DAB12469-EC87-B82C-A838-CA5E636E63B1} - C:\WINDOWS\system32\ppvrrn.dll (file missing)
O2 - BHO: BearSharePersonalization - {DD1849EA-8403-4441-8DFF-7575AAE1DC16} - C:\Program Files\BearShare Applications\Personalization\BearSharePersonalizationIE_v1044.dll
O2 - BHO: (no name) - {EA7C73B8-ED0A-B0AB-7B95-C09EFC6550E3} - C:\WINDOWS\system32\pwj.dll (file missing)
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare Applications\BearShare MediaBar\BSMediaBar.dll
O4 - HKLM\..\Run: [EasyMessage] "C:\Program Files\Zango Messenger\em2.exe" -wait
O4 - HKLM\..\Run: [o94R36W] queext40.exe
O4 - HKLM\..\Run: [iROcvO] C:\WINDOWS\mfvbjth.exe
O4 - HKLM\..\Run: [f4bd8GPFN] C:\WINDOWS\mfvbjth.exe
O4 - HKLM\..\Run: [Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mfvbjth.exe
O4 - HKLM\..\Run: [Á³# K"h'þ9Óœ÷3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mfvbjth.exe
O4 - HKLM\..\Run: [iROcvùõš/‚²‘ÆßfÏNbC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mfvbjth.exe
O4 - HKCU\..\Run: [Zyv5RWami] ctf20.exe
O4 - HKCU\..\Run: [zziw] C:\PROGRA~1\COMMON~1\zziw\zziwm.exe
O4 - HKCU\..\Run: [BearSharePersonalization] "C:\Program Files\BearShare Applications\Personalization\BearSharePersonalization.exe"
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\BRITTANY\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\alg.dll,,,,,
• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.

--------------------------------------------------------------------------

Uninstall through add remove if there:
BearShare Applications
Zango Messenger
ISTsvc
zziw
IMVU

--------------------------------------------------------------------------

OTMoveit2 by OldTimer
• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
[b][kill explorer]
C:\WINDOWS\system32\egdlub.dll
C:\WINDOWS\system32\nju.dll
C:\WINDOWS\system32\tlaesbx.dll
C:\WINDOWS\system32\btrrrfj.dll
C:\WINDOWS\system32\ppvrrn.dll
C:\WINDOWS\system32\pwj.dll
C:\WINDOWS\system32\queext40.exe
C:\WINDOWS\mfvbjth.exe
C:\WINDOWS\system32\ctf20.exe
C:\WINDOWS\system32\alg.dll
C:\Program Files\BearShare Applications /s
C:\Program Files\Zango Messenger /s
C:\Program Files\ISTsvc /s
C:\Program Files\Common Files\zziw /s
[start explorer][/b]
• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Attach the OTMoveit log along with a fresh Hijackthis ran afterwards.

15. ### soccer_chikaTS RookieTopic Starter

Explorer killed successfully
< C:\Program Files\BearShare Applications /s >
C:\Program Files\BearShare Applications moved successfully.
< C:\Program Files\Zango Messenger /s >
C:\Program Files\Zango Messenger moved successfully.
< C:\Program Files\ISTsvc /s >
< C:\Program Files\Common Files\zziw /s >
C:\Program Files\Common Files\zziw\zziwd moved successfully.
C:\Program Files\Common Files\zziw moved successfully.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06162008_212504

16. ### Blind DragonTS EvangelistPosts: 4,048

Let's try this to be sure.

Note: In the event you already have Killbox, this is a new version that I need you to download.
• Save it to your desktop.
• Please double-click Killbox.exe to run it.
• Select:
• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\queext40.exe
C:\WINDOWS\mfvbjth.exe
C:\WINDOWS\system32\ctf20.exe
C:\WINDOWS\system32\alg.dll

• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

-------------------------------------------------------------------------------

After reboot:
Malwarebytes' Anti-Malware

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
• Update Malwarebytes' Anti-Malware
• and Launch Malwarebytes' Anti-Malware
• then click Finish.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• If you accidently close it, the log file is saved here and will be named like this:
• C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

---------------------------------------------------------------------------

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.

Click Exit on the Main menu to close the program.

----------------------------------------------------------------

Java Runtime Environment 6 Update 6
• The 5th option down is the one you want (click Download)
• After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
• Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_06 folder

---------------------------------------------------------------------------

Remove Mcafee products
1. Click Start, Settings, Control Panel.
2. Double-click Add or Remove Programs.
3. Select the McAfee SecurityCenter product.
4. Click Remove and follow the steps provided.
6. Click Save and save the file to your desktop
7. Make sure all McAfee windows are closed.
8. Double-click MCPR.exe to run the removal tool. (Vista users need right click and run as administrator)
9. Restart your computer after receiving the message CleanUp Successful.

-----------------------------------------------------------------------

Attach MBAM with new Hijackthis

17. ### soccer_chikaTS RookieTopic Starter

Here is the new HiJackThis Log file, as well as the other log file. Also, there was one of those PendingFileRenameOperations things for the first thing you wanted me to do. It said, "Registry Data has been removed by external process!"

18. ### Blind DragonTS EvangelistPosts: 4,048

Did you click Ok at any PendingFileRenameOperations prompt

yeah i did

20. ### Blind DragonTS EvangelistPosts: 4,048

Launch OtMoveit! and click the green Cleanup! button

• Set correct settings for files
• Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
• Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
• If unchecked please check Hide protected operating system files (Recommended)
• If necessary check "Display content of system folders"
• If necessary Uncheck Hide file extensions for known file types.
• Click OK

clear system restore points

• This is a good time to clear your existing system restore points and establish a new clean restore point:
• Go to Start > All Programs > Accessories > System Tools > System Restore
• Select Create a restore point, and Ok it.
• Next, go to Start > Run and type in cleanmgr
• Select the More options tab
• Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
• Change the Initialize and script ActiveX controls not marked as safe to Disable
• Change the Installation of desktop items to Prompt
• Change the Launching programs and files in an IFRAME to Prompt
• Change the Navigate sub-frames across different domains to Prompt
• When all these settings have been made, click on the OK button.
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.
• Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

• Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

• Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

• Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.This is done in Vista through control panel -> windows updates.

• Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

• Or Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

• Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

• IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• <= Get the free google toolbar to help stop pop up windows.
• <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

21. ### soccer_chikaTS RookieTopic Starter

Thank you soooo much! You have no idea how much i have appreciated all the help!

22. ### Blind DragonTS EvangelistPosts: 4,048

Should you have any more problems you know where to find me.

Regards,

BD

23. ### challengerTS Rookie

Help! seem to have the same problem as soccer_chika, when I scan with AVG. I Followed the first part of what was suggested previously by blind dragon. I have a hijackthis report if I post it can anybody help. You seem very clued up I amafraid I'm not.

Challenger

24. ### Blind DragonTS EvangelistPosts: 4,048

Topic Status:
Not open for further replies.