TechSpot

Trojan Horse Downloader.purity scan + Trojan Horse Downloader.Generic2

By soccer_chika
Jun 16, 2008
Topic Status:
Not open for further replies.
  1. Hi,
    For the past couple of months that I have scanned my computer with AVG I always get two trojan horses popping up; Trojan Horse Downloader.purity scan and Trojan Horse Downloader.Generic2. Every time I heal them, but the very next time I scan my computer they keep popping up. As well, I think this may be the reason for why my computer is running slower than ever lately. I really would appreciate any help I could get. Thank you.
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Highjackthis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
  3. soccer_chika

    soccer_chika TS Rookie Topic Starter

    log file

    here is the log file
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    You have a lot more than 2 trojans, log is cluttered with foistware, spyware, ect.

    I am working on typing up your instructions now, but please

    Upload a File to Virustotal
    Please visit Virustotal found HERE
    • Click the Browse... button
    • Navigate to the file C:\Program Files\Common Files\zziw\zziwm.exe
    • Click the Open button
    • Click the Send button
    • Copy and paste the results back here please.
  5. soccer_chika

    soccer_chika TS Rookie Topic Starter

    i don't see the file zziwm.exe, but there is a file zziwd
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    please upload and post results
  7. soccer_chika

    soccer_chika TS Rookie Topic Starter

    it goes from zziw to zziwd then i can choose between class-barrel or vocabulary... what should i click on?
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    from upload -> browse -> select zziwd.exe
  9. soccer_chika

    soccer_chika TS Rookie Topic Starter

    the file opens up to either class-barrel or vocabulary
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    we are going to fix it, I recognize those from other infections.

    I am almost done with your first few steps
  11. soccer_chika

    soccer_chika TS Rookie Topic Starter

    okay...thanks. I'm sorry I have such a messed up computer.
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    No problem, I also need you to tell me what you are using for an Anti-virus. I see AVG7 - which is outdated / and pieces of Mcafee - looks outdated. I recommend you uninstall both and get Avira Antivir

    ------------------------------------------------------------------------

    New.net Removal instructions
    First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

    To Get rid of NewDotNet, go to:

    Start > Control Panel > Add or Remove Programs and remove the following:

    New.Net Applications or New.Net Domains (anything that says New.Net)

    If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

    In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

    You may have to hit ctrl+alt+del then stop this process from running C:\Program Files\NewDotNet\nnrun.exe

    Afterwards, come back and post a fresh hijackthis log and I will have further instructions ready.
  13. soccer_chika

    soccer_chika TS Rookie Topic Starter

    here is the second file after i removed that file. As well, i couldn't find any Mcafee files that i could uninstall.
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {68E0AA80-7904-47AB-6E37-6BAD2A46C2A9} - C:\WINDOWS\system32\egdlub.dll (file missing)
      O2 - BHO: UrlHelper Class - {6D023EBF-70B8-45A6-9ED5-556515FA0FE4} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll
      O2 - BHO: (no name) - {7A368449-18AB-4058-8FEA-37D1E862C5BE} - C:\WINDOWS\system32\nju.dll (file missing)
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O2 - BHO: (no name) - {8A391142-85F7-810B-DEDF-A428E4253BB9} - C:\WINDOWS\system32\tlaesbx.dll (file missing)
      O2 - BHO: (no name) - {8ACF7826-E498-BC69-ED2C-CBBE4E7B65E0} - C:\WINDOWS\system32\btrrrfj.dll (file missing)
      O2 - BHO: (no name) - {DAB12469-EC87-B82C-A838-CA5E636E63B1} - C:\WINDOWS\system32\ppvrrn.dll (file missing)
      O2 - BHO: BearSharePersonalization - {DD1849EA-8403-4441-8DFF-7575AAE1DC16} - C:\Program Files\BearShare Applications\Personalization\BearSharePersonalizationIE_v1044.dll
      O2 - BHO: (no name) - {EA7C73B8-ED0A-B0AB-7B95-C09EFC6550E3} - C:\WINDOWS\system32\pwj.dll (file missing)
      O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare Applications\BearShare MediaBar\BSMediaBar.dll
      O4 - HKLM\..\Run: [EasyMessage] "C:\Program Files\Zango Messenger\em2.exe" -wait
      O4 - HKLM\..\Run: [o94R36W] queext40.exe
      O4 - HKLM\..\Run: [iROcvO] C:\WINDOWS\mfvbjth.exe
      O4 - HKLM\..\Run: [f4bd8GPFN] C:\WINDOWS\mfvbjth.exe
      O4 - HKLM\..\Run: [Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mfvbjth.exe
      O4 - HKLM\..\Run: [Á³# K"h'þ9Óœ÷3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mfvbjth.exe
      O4 - HKLM\..\Run: [iROcvùõš/‚²‘ÆßfÏNbC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mfvbjth.exe
      O4 - HKCU\..\Run: [Zyv5RWami] ctf20.exe
      O4 - HKCU\..\Run: [zziw] C:\PROGRA~1\COMMON~1\zziw\zziwm.exe
      O4 - HKCU\..\Run: [BearSharePersonalization] "C:\Program Files\BearShare Applications\Personalization\BearSharePersonalization.exe"
      O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm491LZCA
      O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\BRITTANY\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
      O20 - AppInit_DLLs: C:\WINDOWS\system32\alg.dll,,,,,
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    --------------------------------------------------------------------------

    Uninstall through add remove if there:
    BearShare Applications
    Zango Messenger
    ISTsvc
    zziw
    IMVU

    --------------------------------------------------------------------------

    OTMoveit2 by OldTimer
    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      [b][kill explorer]
      C:\WINDOWS\system32\egdlub.dll
      C:\WINDOWS\system32\nju.dll
      C:\WINDOWS\system32\tlaesbx.dll
      C:\WINDOWS\system32\btrrrfj.dll
      C:\WINDOWS\system32\ppvrrn.dll
      C:\WINDOWS\system32\pwj.dll
      C:\WINDOWS\system32\queext40.exe
      C:\WINDOWS\mfvbjth.exe
      C:\WINDOWS\system32\ctf20.exe
      C:\WINDOWS\system32\alg.dll
      C:\Program Files\BearShare Applications /s
      C:\Program Files\Zango Messenger /s
      C:\Program Files\ISTsvc /s
      C:\Program Files\Common Files\zziw /s
      [start explorer][/b]
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    Attach the OTMoveit log along with a fresh Hijackthis ran afterwards.
  15. soccer_chika

    soccer_chika TS Rookie Topic Starter

    Explorer killed successfully
    File/Folder C:\WINDOWS\system32\egdlub.dll not found.
    File/Folder C:\WINDOWS\system32\nju.dll not found.
    File/Folder C:\WINDOWS\system32\tlaesbx.dll not found.
    File/Folder C:\WINDOWS\system32\btrrrfj.dll not found.
    File/Folder C:\WINDOWS\system32\ppvrrn.dll not found.
    File/Folder C:\WINDOWS\system32\pwj.dll not found.
    File/Folder C:\WINDOWS\system32\queext40.exe not found.
    File/Folder C:\WINDOWS\mfvbjth.exe not found.
    File/Folder C:\WINDOWS\system32\ctf20.exe not found.
    File/Folder C:\WINDOWS\system32\alg.dll not found.
    < C:\Program Files\BearShare Applications /s >
    C:\Program Files\BearShare Applications moved successfully.
    < C:\Program Files\Zango Messenger /s >
    C:\Program Files\Zango Messenger moved successfully.
    < C:\Program Files\ISTsvc /s >
    File/Folder C:\Program Files\ISTsvc not found.
    < C:\Program Files\Common Files\zziw /s >
    C:\Program Files\Common Files\zziw\zziwd moved successfully.
    C:\Program Files\Common Files\zziw moved successfully.
    Explorer started successfully

    OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06162008_212504
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Let's try this to be sure.

    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.
    • Save it to your desktop.
    • Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\system32\queext40.exe
      C:\WINDOWS\mfvbjth.exe
      C:\WINDOWS\system32\ctf20.exe
      C:\WINDOWS\system32\alg.dll

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

    -------------------------------------------------------------------------------

    After reboot:
    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please attach this log with your reply
      • If you accidently close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    ---------------------------------------------------------------------------

    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    ----------------------------------------------------------------

    Update your Java Runtime Environment
    • Click the following link
      Java Runtime Environment 6 Update 6
    • The 5th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected'at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_06 folder

    ---------------------------------------------------------------------------

    Remove Mcafee products
    1. Click Start, Settings, Control Panel.
    2. Double-click Add or Remove Programs.
    3. Select the McAfee SecurityCenter product.
    4. Click Remove and follow the steps provided.
    5. Download the Mcafee removal tool from http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
    6. Click Save and save the file to your desktop
    7. Make sure all McAfee windows are closed.
    8. Double-click MCPR.exe to run the removal tool. (Vista users need right click and run as administrator)
    9. Restart your computer after receiving the message CleanUp Successful.

    -----------------------------------------------------------------------

    Attach MBAM with new Hijackthis
  17. soccer_chika

    soccer_chika TS Rookie Topic Starter

    Here is the new HiJackThis Log file, as well as the other log file. Also, there was one of those PendingFileRenameOperations things for the first thing you wanted me to do. It said, "Registry Data has been removed by external process!"
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Did you click Ok at any PendingFileRenameOperations prompt
  19. soccer_chika

    soccer_chika TS Rookie Topic Starter

  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Launch OtMoveit! and click the green Cleanup! button

    • Set correct settings for files
      • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
      • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
      • If unchecked please check Hide protected operating system files (Recommended)
      • If necessary check "Display content of system folders"
      • If necessary Uncheck Hide file extensions for known file types.
      • Click OK

      clear system restore points

      • This is a good time to clear your existing system restore points and establish a new clean restore point:
        • Go to Start > All Programs > Accessories > System Tools > System Restore
        • Select Create a restore point, and Ok it.
        • Next, go to Start > Run and type in cleanmgr
        • Select the More options tab
        • Choose the option to clean up system restore and OK it.
        This will remove all restore points except the new one you just created.

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialize and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.This is done in Vista through control panel -> windows updates.

    • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

    • Or Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

    • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    here are some additional utilities that will enhance your safety

    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
    • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software
  21. soccer_chika

    soccer_chika TS Rookie Topic Starter

    Thank you soooo much! You have no idea how much i have appreciated all the help!
  22. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    You are very welcome, I am glad that I was able to help you.

    Should you have any more problems you know where to find me.

    Regards,

    BD
  23. challenger

    challenger TS Rookie

    Trojan Horse Downloader. purity scan

    Help! seem to have the same problem as soccer_chika, when I scan with AVG. I Followed the first part of what was suggested previously by blind dragon. I have a hijackthis report if I post it can anybody help. You seem very clued up I amafraid I'm not.

    Challenger
  24. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.