Help with trojan virus from hell..Please

Welcome to Major Geeks!

If you have run all of the READ & RUN ME, you need to attach the correct logs. You have only attach 2 of the 6 required logs. You attached AVG Antispyware (which you you did not allow to fix anything so you will have to re-run it) and HijackThis. You need to attach the below:

• Bitdefender - from step 6
• Panda Scan - from step 6
• runkeys.txt - the log from GetRunKey.bat
• newfiles.txt - the log from ShowNew.bat

We don't need whatever it is that you attach in your second message as these are not the logs requested in the READ ME.

It would also be helpful if you told us your exact problem. Saying a trojan or virus was found is not helpful because there a tens of thousands of them. Exactly what was found and where was it found?

 

Re: Help with trojan files:runkeys and Shownew

And the other two?

Plus are you rerunning AVG Antispyware?

 

Re: Sorry. Here is the problem

They will only exist if you saved them as indicated in the READ ME.

Let's get started with what we have thus far. But you really need to re-run AVG Antispyware and Quarantine or Delete everything and attach a new log. Also if you don't have logs for BitDefender and Panda, it would be a good idea to run them again and be sure to save logs as instructed. You can run them in normal boot mode which will make it easier to save logs.


Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 11
Java(TM) SE Runtime Environment 6 Update 1

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Search - ?p=ZNxpt211MFUS

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it
double click it and allow it to merge with the registry.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Now run Ccleaner!

Now attach the below new logs and tell me how the above steps went.

1. Avenger
2. GetRunKey
3. ShowNew
4. HJT

Make sure you tell me how things are working now!

What are the below are for/from?

Code:

"C:\Documents and Settings\mom\Application Data\"
PMCC          Aug 19 2007              "Pmcc"
setup_~1.exe  Aug 19 2007      161624  "setup_en[1].exe"
BUGSDE~1      Aug 19 2007              "bugsdestroyer"
 
"C:\Documents and Settings\mom\Local Settings\Application Data\"
PMCC          Aug 19 2007              "Pmcc"
 
"C:\Documents and Settings\All Users\Application Data\"
BUGSDE~1      Aug 19 2007              "bugsdestroyer"

 

Re: AVG

Are you using PeoplePC? Do you use the toolbar? Did you know some consider various things from PeoplePC to be malware? See the below for one:

This PPCTOOLBAR_6.2.0.12.DLL Malware Research Report contains ...

Also see your Panda log where both of the below from PeoplePC were detected:
c:\windows\system32\unPPC.exe
C:\Program Files\PeoplePC\Toolbar\PPCToolbar_6.2.0.12.dll

 

Okay! Just do what I gave you in message # 7 and be sure to answer my questions at the end.

 

Did you forget to apply the fixME.reg patch? Try again. Tell me exactly what happens. Do you get a success message or an error message? If you get a success message, attach a new log from GetRunKey.

You are not running the proper HijackThis file that was renamed. See your first post. You must run only the correct one.

What in the world did you do with HijackThis???? You did not follow my instructions. It appears that you had it fix everything that was in your log. This is not what I asked you to do. You MUST NOT do things on your own. You need to run HijackThis and restore everything from the backup under the Misc Tool button you will see when it starts up. Then ONLY FIX what I requested and nothing else. Then attach a new log.

 

What exactly are you referring too?

 

Re: What exactly are you referring to?

But my question was did you get a success message.

I cannot completely fix everything you may have messed up but I will try to work up something that may fix some of it. I'll post something in my next message.

 

Re: What exactly are you referring to?

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

You must make sure you tell me if you receieve a success message for adding the above fixME.reg patch to the registry.


Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

 

If you are not getting a success message what are you getting. You need to get a success message or it is not working and then there would be no sense in getting new logs. Tell me exactly what you are doing and what is happening when you try to create and apply the fixME.reg patch.

 

The instructions said

Try this and tell me what happens.