I'm also having problems with a variant of win32/trojandownloader.unruy.BV trojan....

I'm sorry to say that I am also having problems with a variant of win32/trojandownloader.unruy.BV trojan, as I've noticed someone else recently here has had. I am running Windows XP with Avast and the Windows Firewall.

The problems started about a week ago, and I've been diligently trying to get rid of it since then. My initial problem was IE opening to ads of its own volition (I use Firefox) and my wave sound being muted. I was doing research for a paper when Avast told me the site was dangerous and I aborted the connection; shortly thereafter the problems started.

I ran my regular programs (Avast, Spybot, AdAware) and then ramped up the removal by using MBAM and Super AntiSpyWare and elso doing an online eset scan. Avast couldn't handle the problem (which eset says is the variant listed above) because it said the program was in use (it is in my memory.) Some of the other programs didn't even pick it up. Eset contained it...until I started my computer again, and it was back. In the midst of this, I ended up with that stupid AV rogue antivirus (which came with its own host of problems,) but one of the programs seems to have done the trick getting rid of that.

So, I came here. I diligently followed all the directions in the READ & RUN ME FIRST and the Windows XP Cleaning thread, down to the minutest step. I thought things seemed to be okay when I was done, but I haven't actually restarted my computer yet since I ran MGTools, because it doesn't instruct me to do so in that thread. I haven't had any hits from Avast or IE ads opening, but I am suddenly getting redirects in Firefox, which I wasn't until today after I finished the cleaning procedure, so something is still wrong. I've thought the thing was gone so many times in the last week, only to have it return on reboot, that I am practically terrified to turn the computer off.

So, as for the requested logs:

SASI log- I don't have one because it found nothing this last time I ran it.
MBAM log- see attached
RR log- see attached
Combofix log- see attached
MGtools log- see attached.

I'm starting to get really frustrated with this- it is taking me hours and hours to try to get the stupid thing off my computer. I'd really appreciate some help. Thanks so much!

 

Re: I'm also having problems with a variant of win32/trojandownloader.unruy.BV trojan

1) Thank you SO much for helping.

2) My SAS is updated- I actually updated two times Thursday AM, and I did each time I ran it. Could it be that it was MBAM that didn't find anything? One of those two programs found nothing the time I ran it following the "READ & RUN," and I really thought it was SAS.

3) Attached are two old (4 days) SAS logs (from before I came here) and one from today- I'm sorry, I really didn't think there was one from today because I thought it said it didn't find anything, but honestly, I was in a rush, so maybe I am remembering incorrectly.

4) I thought I did take action on what MBAM found- I can't imagine I didn't, but if the logs say I didn't, then I probably somehow managed not to. Would you like me to run it again and then supply another log?

Again, thanks, and in the meantime, I will follow the directions in your first post.

 

Bootkit info

Is this the correct information?



Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 33651d4929a84a7ab9d65c115ce1bdc0

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>

 

Re: I'm also having problems with a variant of win32/trojandownloader.unruy.BV trojan

Thanks- followed your latest instructions. Though I haven't had any warnings from Avast in the 5 minutes or so since I finished those steps, I am still getting redirects in Firefox, so I don't know if the problem is gone of if I have something else going on in addition. (Taking my online microbiology test this AM was a challenge with those redirects!)

I've attached the MGtools log.

Thanks for taking a look at it!!

 

Re: I'm also having problems with a variant of win32/trojandownloader.unruy.BV trojan

Just wanted to add that immediately upon hitting "submit reply" on my last post, Firefox crashed, which I can't recall having happen ever before- not sure if it is related.

 

Re: I'm also having problems with a variant of win32/trojandownloader.unruy.BV trojan

Little more info so as not to confuse things- Firefox has crashed several times in the last 10 minutes, and a couple times I got, at the same time, an error message about a Firefox program process, plugin-container.exe, so I suspect it is a Firefox software issue and perhaps has nothing to do with the other challenges my poor computer is facing.

 

Re: I'm also having problems with a variant of win32/trojandownloader.unruy.BV trojan

I tried to remove Firefox using Add/Remove Programs as there is no uninstall option with Firefox in the start menu. Clicking the button did approximately nothing. Any pointers on how to manually uninstall? (I did reboot just in case that might make a difference- it did not.)

An interesting note- only ONE bookmark in Explorer is working correctly anymore. I only have about 4 anyway, but most of them (the link I saved to this thread, the Eset online scanner link, and one other link, can't remember what) do absolutely nothing when I click on them. I can get to these sites by typing in the URL, but I am still getting random redirects in Firefox, like for instance, when I clicked on the link in your last post to got to the Firefox download page, I got redirected to a page to buy "Registry Defender." I am, however, no longer getting Explorer pop-ups, my wave volume has been fine, and I don't get redirects in Explorer.

Thoughts?

Big thanks!

 

Re: I'm also having problems with a variant of win32/trojandownloader.unruy.BV trojan

FWIW, I also followed the directions from Mozilla support to run the uninstall this way:

"If the Uninstall Wizard does not run, you can start it manually, by running C:\Program Files\Mozilla Firefox\uninstall\helper.exe"

This also does nothing.

 

Re: I'm also having problems with a variant of win32/trojandownloader.unruy.BV trojan

Finally found some other Mozilla support info that said to delete the program folder if nothing else worked, so I did it. I rebooted then followed your directions, but in no way am I convinced it worked, because all my bookmarks were still there when I reinstalled. So far, though, no redirects. If clicked through about 20 links so far and nothing.

What next?

Thanks!!!

 

Re: I'm also having problems with a variant of win32/trojandownloader.unruy.BV trojan

Thanks for the quick reply.

I installed the new version and was able to uninstall, but had to do it twice to get it to work properly. Both times, I was unable to find any Mozilla Firefox folder (it was there before uninstall) and was not permitted to delete the Mozilla folder in application data because the computer says it is in use by another person/program (though I couldn't possibly tell you what.)

It does seem to be working now, though.

Did my logs look clean on the last scans? I'd like to believe everything is gone, but just because they seem okay to me right now, doesn't mean they are.

If things seem clear, what steps do I take to put my system back in order?

I really appreciate all your help- thanks!

Happy 4th!

 

Re: I'm also having problems with a variant of win32/trojandownloader.unruy.BV trojan

I ran through all the steps to put my computer back in order. The only thing that didn't go as planned was that, despite my having disabled it and having gotten all sorts of warnings about doing so, my system restore somehow already seemed to be enabled when I went back in. I created a new restore point that indicates it is after my computer was clean. Everything else went smoothly.

I updated to IE8 and will try to get used to it as your link says it is now generally considered to be safer than Firefox. My bookmarks in IE are working again.

I downloaded Outpost firewall, disabled my connection, booted the Windows firewall, and enabled Outpost. It seems to be working well. I still have avast running.

I can't thank you enough for all your help. If there a mechanism whereby I can donate via Paypal to either the website or to you directly? I'm a starving student, so to speak, and can't afford much, but your help has been invaluable- though only my schoolwork (which is already submitted) and some backed-up pictures and music are on this computer, it would have been a colossal pain to reformat as I don't currently have a CD drive.

Thanks so much fo everything!!!!!!!

 

Re: I'm also having problems with a variant of win32/trojandownloader.unruy.BV trojan

Thanks a million- you've been a huge help. Hopefully the new firewall will help prevent future problems.





(Haha- just realized I said I booted the Windows firewall. Of course I meant I got rid of it.)