Downloader - AWX trojan is killing me

Discussion in 'Malware Help (A Specialist Will Reply)' started by insideout, Oct 12, 2006.

  1. insideout

    insideout Private E-2

I was referred to you by the IT director at the company in which I work. My PC is getting slammed with the Downloader-AWX trojan. Symptoms include uncontrolled popups in IE. I'm even getting popups when I'm not connected. I have cable internet, so I suppose that probably means I'm always connected :confused:

I followed the steps in your instructions and now I'm at the step where it asks to attach the HJT log file. I hope you guys can help, and I totally apologize if I've not followed any of your procedures correctly. This is insanely confusing, so please go easy on me :)

    Thanks a million for your help!
     

    Attached Files:

  2. insideout

    insideout Private E-2

    Sorry I just saw that I missed some things. I'll post an update when I have all the logs.
     
  3. insideout

    insideout Private E-2

    Evidently, I fall under the category of "too stupid to own a computer" :rolleyes:

    I have spent all evening trying to follow the instructions.

    All in safe mode:
    I was able to run ccleaner - yeah!
    Can't find MS Windows Malicious Software Removal Tool anywhere!
    Spybot S&D will not run without updates and it will NOT update - keeps timing out
    Windows Defender worked - probably because I already had it and run it every day.

    Reconnected Internet:
    Can't find anything that even remotely resembles BitDefender or Panda ?????

    I'm attaching the log files for getrunkey and shownew scans.

    If anyone can see their way past my complete stupidity, PLEASE HELP!

    Thanks,
    I/O
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have to follow the directions in the READ ME to download and run it.


    Again follow the directions in the READ ME. These are not things on your PC. They are websites that you need to go to to run the online scanners. Run these two scans and save the logs as requested, then attach them.

    Then run this Virtumonde aka Trojan Vundo Removal and attach the log from VundoFix as requested.


    Now go to Add/Remove Programs and uninstall the below software:
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    Screensavers Installer

    Now install the current version of Sun Java from: Sun Java Runtime Environment


    After doing all of the above attach new logs from ShowNew and HJT.
     
    Last edited: Oct 14, 2006
  5. insideout

    insideout Private E-2

    Like everything else with this computer, nothing makes sense. I KNOW I posted all of the following logs yesterday, after 8 hours of running scans. Anywho, here goes again. Hopefully they'll stick this time. Thanks in advance for any help you can give me. To recap what I did, I completely started over. Ran all the suggested programs in safe mode, re-connected cable internet, and ran BitDefender and Panda. Ran Virtumonde/Vundo removal, removed the J2SE lines and Screensavers Installer from Add/Remove, and finally installed Sun Java. I hope I got everything.
     

    Attached Files:

  6. insideout

    insideout Private E-2

    Here's the rest of the logs.

    Thank you again for any help. I sincerely appreciate it!!!


    PS, I also KNOW that I ran BitDefender, and saved bdscan to my C drive. It was there yesterday when I uploaded all the logs. Now I'm ready to re-upload, and it isn't there. I freakin' give up, man.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You never renamed HijackThis.exe as requested in step 7 of the READ ME. This is very important as indicated in the READ ME. Without doing this, some new forms of malware will not show in your log!! Please rename it NOW. I will post a fix below and hopefully it will work anyway, but when you post the follow up HijackThis log I will request, you must have the HijackThis.exe file renamed!

    Start by downloading a tool we will need - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: (no name) - {A64EEA9C-BED6-4D0E-BC3F-265B949D7C34} - C:\WINDOWS\system32\hid13n.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\vtstq.exe
    C:\WINDOWS\system32\hid13n.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now after reboot attach the below new logs and tell me how the above steps went.

    1. ShowNew
    2. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
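The fix above works by reading HijackThis (HJT) log lines and picking out the suspicious ones: a bogus proxy override (R1), an unnamed BHO whose DLL is missing (O2), and an orphaned IE button (O9). The following added example, not from the original thread or from HijackThis itself, parses HJT-style lines and flags those same indicators so a helper can triage a log before anything is deleted; the sample log and the indicator lists are constructed from the lines quoted in the post, and the section prefixes (R1/O2/O4/O9) follow the HJT log format shown there.

```python
import re

# Constructed sample: the HJT lines quoted in the post above plus one benign entry.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {A64EEA9C-BED6-4D0E-BC3F-265B949D7C34} - C:\WINDOWS\system32\hid13n.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
"""

# Indicators taken from the removal instructions in the post (assumed list for this example).
KNOWN_BAD_FILES = {"hid13n.dll", "vtstq.exe"}
KNOWN_BAD_CLSIDS = {"{A64EEA9C-BED6-4D0E-BC3F-265B949D7C34}"}

# HJT lines look like "<section> - <body>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Yield (section, body) for every well-formed HJT line; skip blanks and junk."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def classify(section, body):
    """Return a short reason when a line matches a known indicator, else None."""
    lower = body.lower()
    if section == "R1" and "proxyserver" in lower and lower.endswith("= :0"):
        return "bogus proxy override"
    if section == "O2":
        if any(c.lower() in lower for c in KNOWN_BAD_CLSIDS):
            return "BHO with known-bad CLSID"
        if "(no name)" in body:
            return "unnamed BHO"
    if section == "O4" and any(f in lower for f in KNOWN_BAD_FILES):
        return "autorun entry for known-bad file"
    if section == "O9" and "(no file)" in body:
        return "orphaned IE button"
    if "(file missing)" in body:
        return "references a missing file"
    return None


def flag_lines(text):
    """Return [(section, body, reason)] for every suspicious line in an HJT log."""
    flagged = []
    for section, body in parse_hjt(text):
        reason = classify(section, body)
        if reason:
            flagged.append((section, body, reason))
    return flagged
```

Ordinary startup entries such as the QuickTime and ctfmon lines are not flagged: they are clutter, not malware, which is why the post removes them separately from the Killbox step.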
  8. insideout

    insideout Private E-2

    Ok, I followed your instructions, and everything seemed to work fine. I've rebooted, and I'll attach the new ShowNew and HJT logs. Just an FYI, I did rename HJT to analyse.exe. For some reason, the log still says HJT, but I am 100% positive that the executable file was named analyse.exe before I ran it.

    Again, I am eternally grateful for your help chaslang!!!!!
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This time it is correct. Last time it was not! You can check that for yourself just by looking in the logs. Renaming the executable file has nothing to do with what the log file will be named.

    Did you remember to exit all browsers and also remember to click Fix checked in HijackThis? The lines I asked you to fix are still there. See for yourself. Please try again, but this time before running HJT make sure ALL browsers are closed and also let's disable Windows Defender first too:

    To Disable Windows Defender's realtime protection:

    Disable Windows Defender:
    • Open Windows Defender
    • Click Tools
    • Click General Settings
    • Scroll down to Real Time Protection Options
    • Uncheck Turn on Real Time Protection (recommended)
    • Close Windows Defender
    Once your log is clean you can re-enable Windows Defender Real Time Protection.

    Then repeat the previous steps with HijackThis. Then reboot and attach a new HJT log.

    Also make sure you indicate how your PC is running!
     
