Trojan Horse Downloader infection

By MoreThanDork ยท 6 replies
Feb 20, 2007
  1. OK. So, about a week ago, my comp was infected with Trojan Horse Downloader.Generic2.MUZ. Since then, my comp has been excessively slow (ball park, 5-10 times slower) in all processes and I get a varied amount of pop-ups, which I've never had before.

    My roomate is pretty good with computers and did what he could to get rid of it, downloading AVG Anti-virus and Ad-aware Personal and SBS&D etc. But the darn thing kept showing up again. I googled it trying to learn something and get rid of it. I found House Call and ran it several times but to no avail. I found a forum where someone said they got rid of it by running regedit and removing all unnecessary programs. I asked my roommate to do so, he did, and it's gone, but others with similar names have shown up.

    I went through all 11 or 12 steps your site requires. I had problems with the second to last step, running AVG in Safe Mode because I couldn't find the options in AVG that your instructions require I adjust. So, I just ran AVG as normal and it "healed" the following infections automatically after scanning:

    Trojan Horse Downloader.Zlob.FC
    Trojan Horse Generic3.AWS

    I then restarted in safe mode again and found the proper settings (complete system scan) but was still unable to figure out how to save the report as a button.

    I truly hope you can help me out. I've been working day and night for a week to rid this thing. I've attached my Hijack This log only.

    Thanks so much for your time.

    Attached Files:

  2. tomrca

    tomrca TS Rookie Posts: 1,000

    please post the log produced from avg anti-spy too.
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    Viewpoint Toolbar
    Viewpoint Manager

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    COM+ Messages
    Viewpoint Manager Service

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    svchosts.exe<Not to be confused with svchost.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: (no name) - {48B97C7F-7790-379C-D9A7-043015F83BFA} - C:\WINDOWS\system32\ugutkh.dll (file missing)

    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.7.0\ViewBarBHO.dll

    O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\oqlwwgjt.dll (file missing)

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\IEViewBar.dll

    O4 - HKLM\..\Run: [zvpjhhj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Johs\Local Settings\Application Data\zvpjhhj.dll",dnmpjp

    O4 - HKLM\..\RunServices: [LSass speech driver] C:\winnt\msdos.exe C:\winnt\speech\speechdrv.dll

    O20 - Winlogon Notify: winqne32 - winqne32.dll (file missing)

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Program Files\Viewpoint<Delete the entire folder.
    C:\WINDOWS\system32\svchosts.exe<Not to be confused with svchost.exe

    Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

    These are the filepaths you need to enter into killbox.

    C:\Documents and Settings\Johs\Local Settings\Application Data\zvpjhhj.dll

    Once your system has rebooted, rehide your protected OS files.

    Post a fresh HJT log as well as an AVG Antispyware log. Instructions for AVG Antispyware can be found HERE.

    Regards Howard :wave: :wave:

    This thread is for the use of MoreThanDork only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  4. MoreThanDork

    MoreThanDork TS Rookie Topic Starter

    So, the reason I couldn't figure out how to follow your AVG anti-spyware instructions before is because, as my roommate pointed out to me, I only had AVG anti-virus, not anti-spyware.

    I went through all your instructions then I downloaded the anit-spyware and ran that, then hijack this. I've attached both logs.

    Thanks for all your help so far! I haven't had any of the typical symptoms yet today. Though yesterday, inbetween my post and yours, i was still getting pop-ups and though my comp was much faster than it'd been since getting the virus, it still wasn't as fast as before.

    Today my comp has been as fast as always and hasn't yet had a pop-up. So, so far so good.

    Anything more you think I need to do? I'll let you know if the symptoms show up again or anything else bad happens.
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Well done, your HJT log is now clean.

    Delete all files in AVG Antispyware quarantine.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of MoreThanDork only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  6. MoreThanDork

    MoreThanDork TS Rookie Topic Starter

    so much!

    Just because I'm paranoid and shook up from having this terribly horrible virus and I've yet to receive this specific instruction, is it safe to turn back on all my real-time protective devices again? eg. AVG shield and such?

    Thank you again for your time and your help. It is greatly appreciated!
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, you can now turn on your real time protection again.

    Regards Howard :)

    This thread is for the use of MoreThanDork only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...