i can't get rid of 2 win32 trojan downloader

Discussion in 'Malware Help (A Specialist Will Reply)' started by ciarca, Nov 12, 2006.

  1. ciarca

    ciarca Private E-2

    Hi guys, I need some help with these viruses please.

    • Edit by bjgarrick: Unrequested, Inline HJT log removed!
     
    Last edited by a moderator: Nov 12, 2006
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com, please follow our standard cleaning procedures:

    Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
    • Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    In your next post, please make sure you attach the following logs and that you have run these scans in the following order:
    • CounterSpy - ONLY IF you were not able to run Windows Defender
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. ciarca

    ciarca Private E-2

    Hi bjgarrick, I want to apologize because I posted a log without following your instructions.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Be sure you complete all the steps in the "READ & RUN ME FIRST", it's made for your benefit. It looks long but it's really not, every step is broken down step by step for users who are not as familiar as others.

    Be sure you run the online scanners if nothing else.
     
  5. ciarca

    ciarca Private E-2

    OK, I also just want to apologize because before I posted a log without following your instructions.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's ok, you're new :p
     
  7. ciarca

    ciarca Private E-2

    bjgarrick, CCleaner says that "This process will permanently delete files from my system." Shall I carry on? Sorry, but as you said, I'm new.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, it's ok as the files are only the temporary files from the internet and some other logs that are unnecessary.
     
  9. ciarca

    ciarca Private E-2

    Hi bjgarrick, I have done everything but still got the win32 trojan downloader.
    Re Panda ActiveScan: the window was half open and for some reason I wasn't able to enlarge it and save the report. I did run GetRunKey and ShowNew, but every time I closed the log in Notepad everything would disappear. Tell me what I have to do next.
     
  10. ciarca

    ciarca Private E-2

    Hi bjgarrick, these are the logs of BitDefender, GetRunKey and HJT. For ShowNew do I have to open another thread? What do you suggest?
     

  11. ciarca

    ciarca Private E-2

    It looks like I had some problems uploading the HJT log, why?
     
  12. ciarca

    ciarca Private E-2

    ShowNew log
     

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download HOSTER and then follow the below steps.
    • Unzip HOSTER to a convenient folder such as C:\Hoster

    • Run Hoster.exe, click Restore Microsoft's Hosts File and then click OK.

    • Click the X to exit the program.
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R3 - Default URLSearchHook is missing

    O2 - BHO: Duplex - {4D8603D1-E19F-4DB9-B841-CF0B3AECF967} - C:\WINDOWS\system32\apparat.dll (file missing)

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

    O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/en/

    O15 - Trusted Zone: *.sony-europe.com
    O15 - Trusted Zone: *.sonystyle-europe.com
    O15 - Trusted Zone: *.vaio-link.com

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\Program Files\VVSN Delete this whole folder if it exists!

    Next, run CCleaner to clean up cookies and temp files.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Next Reset Web Settings & Default Security Settings

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

    After you complete the above, reboot once more and attach a fresh HJT log. Also let me know how things are running.
     
    Last edited: Nov 15, 2006
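    The HijackThis entries quoted in the post above follow a fixed line format: a section code (R3, O2, O4, O9, O14, O15 ...) that names where the entry lives (IE search hook, Browser Helper Object, autostart Run key, IE toolbar button, Trusted Zone, and so on), a dash, and the detail. The script below is an added illustration written for this page; it is not HijackThis's own code and not the forum's procedure. It parses lines in that format, annotates each with the meaning of its section, and flags the kinds of entry a helper would look at first: entries whose file is missing, a missing URLSearchHook, sites placed in the Trusted Zone, and autostart programs that are not on an allowlist. The sample log is constructed from the entries quoted in the post plus one made-up benign `ExampleAV` line, and the allowlist `KNOWN_AUTOSTART` is an assumption for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical example code for triaging HijackThis-style log lines.
# Section meanings are the documented HJT categories; the flag rules are
# this example's own, not HijackThis's.

LINE_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<detail>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# First executable-looking token of a command line, quoted or unquoted.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|bat|cmd))\b', re.IGNORECASE)

SECTION_MEANING = {
    "R0": "IE start/search page registry value",
    "R1": "IE start/search page registry value",
    "R3": "IE URLSearchHook",
    "O2": "Browser Helper Object loaded into IE",
    "O4": "autostart entry (Run key or Startup folder)",
    "O9": "extra IE toolbar button / Tools menu item",
    "O14": "IERESET.INF defaults used by Reset Web Settings",
    "O15": "site placed in the IE Trusted Zone",
}

# Constructed sample: the entries quoted in the thread plus one made-up benign line.
SAMPLE_LOG = r"""R3 - Default URLSearchHook is missing
O2 - BHO: Duplex - {4D8603D1-E19F-4DB9-B841-CF0B3AECF967} - C:\WINDOWS\system32\apparat.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O15 - Trusted Zone: *.sony-europe.com
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\avtray.exe" /minimized
"""

# Assumed allowlist: autostart programs the owner knows and wants on this machine.
KNOWN_AUTOSTART = {
    r"C:\Program Files\QuickTime\qttask.exe",
    r"C:\Program Files\ExampleAV\avtray.exe",
}


@dataclass
class Entry:
    kind: str                      # HJT section code, e.g. "O4"
    detail: str                    # everything after "<kind> - "
    reasons: List[str] = field(default_factory=list)

    @property
    def meaning(self) -> str:
        return SECTION_MEANING.get(self.kind, "other HJT section")


def parse_hjt(text: str) -> List[Entry]:
    """Turn log text into Entry objects; lines not in HJT format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["detail"]))
    return entries


def autostart_path(detail: str) -> Optional[str]:
    """Extract the executable from an O4 detail such as '[Name] "C:\\x.exe" -arg'."""
    m = RUN_RE.search(detail)
    if not m:
        return None
    e = EXE_RE.match(m["cmd"].strip())
    return e["path"] if e else None


def triage(entries: List[Entry], allowlist) -> List[Entry]:
    """Attach review reasons to entries and return only the flagged ones."""
    allow = {p.lower() for p in allowlist}
    for e in entries:
        if "(file missing)" in e.detail:
            e.reasons.append("points at a file that no longer exists (orphaned entry)")
        if e.kind == "R3" and "is missing" in e.detail:
            e.reasons.append("IE URLSearchHook value absent; reset to default")
        if e.kind == "O15":
            e.reasons.append("Trusted Zone site runs with relaxed IE security; confirm it is wanted")
        if e.kind == "O4":
            p = autostart_path(e.detail)
            if p is None:
                e.reasons.append("could not identify the autostart executable; inspect by hand")
            elif p.lower() not in allow:
                e.reasons.append(f"autostart program not on the known list: {p}")
    return [e for e in entries if e.reasons]


def report(entries: List[Entry]) -> List[str]:
    """One human-readable line per flagged entry."""
    return [f"{e.kind:<4}{e.meaning}: {'; '.join(e.reasons)}" for e in entries]


if __name__ == "__main__":
    for line in report(triage(parse_hjt(SAMPLE_LOG), KNOWN_AUTOSTART)):
        print(line)
```

    Run on the sample, the QuickTime and ExampleAV autostarts pass because they are on the allowlist, while the VVSN and RunDLL32 entries, both "(file missing)" entries, the absent URLSearchHook and the Trusted Zone site come back flagged for review. The allowlist is the important part: an autostart entry is not bad because a script says so, only because the owner cannot account for it.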
  14. ciarca

    ciarca Private E-2

    Hi bjgarrick, first of all I want to thank you for all your help and your patience. OK,
    after I run HJT you are asking me to boot into safe mode and navigate to and DELETE the following if they should remain. I don't understand, sorry, do I need to run the HJT tool again in safe mode?
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What I mean is, after you run HJT reboot into Safe Mode and delete the folder "C:\Program Files\VVSN" if it exists. Afterwards, run CCleaner. After you do that, reboot normally and reset the web settings.
     
  16. ciarca

    ciarca Private E-2

    Thank you for your clarity bjgarrick. I will do it tomorrow or Thursday, it has been a long day. I just realized that you are helping me from Alabama, it's amazing!
    I will let you know in the next few days.
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, the sooner the better because something may change.
     
  18. ciarca

    ciarca Private E-2

    Hi bjgarrick, I was trying to run Hoster but I can't find "Restore original Host". There is "Restore Microsoft's file", is it the same?
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, it's "Restore Microsoft's HOST file".
     
  20. ciarca

    ciarca Private E-2

    Hi bjgarrick, well I have run Hoster, HJT, CCleaner, reset web settings and security settings. After all this I have run Ad-Aware SE Personal, and still it detected the 2 win32 trojan downloaders!
     

  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, attach a fresh HJT log from normal mode. Also, can you attach the log from what is detecting the trojan?
     
  22. ciarca

    ciarca Private E-2

    Hi, ok, here I have the logs!!
     

  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's run two scans which should address that detection, which isn't really a threat.

    1. Download, install and run CleanUp!.

    2. Download, install and run MRU Blaster.

    Once you complete this, reboot and run another scan.
     
  24. ciarca

    ciarca Private E-2

    Hi, shall I do the scans in safe mode? Did you mean it's not really a threat?
     
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run them in normal mode.

    I meant it's not a threat; it's OK, cookies per the log.
     
  26. ciarca

    ciarca Private E-2

    I ran MRU Blaster, do I have to clean all the items that were detected?
     
  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, clean everything both programs find.
     
  28. ciarca

    ciarca Private E-2

    OK, Windows CleanUp! has deleted 15210 files, is it ok? Do I need to run a scan with both tools again?
     
  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I would, to be sure it removed everything. Also, they will always find things, as every time you open any browser you will have cookies.
     
  30. ciarca

    ciarca Private E-2

    Do I need to do a scan again with both tools?
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you're talking about MRU Blaster and CleanUp!, I would, to confirm it removed everything, but like I said you will always have cookies because every time you open a browser you will have temp files.

    If you're talking about Ad-Aware then yes, make sure it didn't come back.
     
  32. ciarca

    ciarca Private E-2

    bjgarrick, I'm afraid they are still there. I've just run Ad-Aware, I got a log also.
     

  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say yes.

    After you do this, reboot and it should be gone.

     
  34. ciarca

    ciarca Private E-2

    Every time you say reboot, I think to reboot the PC in safe mode. What do you mean exactly with reboot? Thanks bjgarrick.
     
  35. ciarca

    ciarca Private E-2

    Sorry, can you help me to find Notepad?
     
  36. ciarca

    ciarca Private E-2

    bjgarrick, unbelievable, they are gone! How did you do that? Do you think that it's clean now? Shall I do the toggle system restore? And what about all those tools
    that I have downloaded to clean the PC? Which ones shall I keep?
     
  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Manual registry edits 99% of the time will remove anything. :)

    If you haven't then yes, I would toggle SR. Also, any tool/program I had you install/run you can now delete them all.

    Everything you need is here, How to Protect yourself from malware!.
     
  38. ciarca

    ciarca Private E-2

    Hi bjgarrick, can you tell me why I should change Internet Explorer for Mozilla Firefox? And regarding the tools that I have downloaded, can I keep HJT & fixme.reg? Can you tell me also if I have Sun Java? And about the antivirus software,
    I do have Norton AntiVirus 2005, shall I keep it? Or do you suggest getting rid of it?
    Thank you so much for all your help, have a good Sunday.
     
  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's up to you, I use both. Before IE7 Firefox was the safest browser, but after using it since its release I've noticed it's a lot better than IE6, so both are great browsers. The majority of Firefox users use it because you can use "extensions" that will do just about anything.

    They are no longer any good so you can delete them. HijackThis is only for advanced users, it's also updated so what you have may not be the current version if you need it later on.

    If you haven't installed it then see the thread below (How To Protect) on how to install it.

    I will leave this decision up to you however I will recommend AVG AntiVirus simply because it's better.

    You should see this article on How to Protect yourself from malware!
     
  40. ciarca

    ciarca Private E-2

    Hi bjgarrick, can you explain to me please what IE6 or IE7 means? Regarding the antivirus software, do you recommend AVG Free Edition?
    Re Sun Java, I have J2SE Runtime Environment 5.0, J2SE Runtime Environment 5.0 Update, and J2SE Runtime Environment 5.0 Update 9. Do I need to keep all these?
    Thanks!
     
  41. ciarca

    ciarca Private E-2

    OK, I got it, Internet Explorer 7.
     
  42. ciarca

    ciarca Private E-2

    What about Mozilla Firefox 2? Is it the one that I have downloaded from this site, or is it the previous version?
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes AVG free is a very good program!

    You only want the current version of Sun Java which is 5.0 update 9. Uninstall all old versions.

    The current version of FireFox (available on MGs) is Mozilla Firefox 2.0 Final
     
  44. ciarca

    ciarca Private E-2

    Hi chaslang, thanks! I downloaded a firewall, ZoneAlarm Free, it looks good, but the problem is that a window comes up all the time with all the programs that want to be installed, so basically I don't know which programs are allowed because most of them are known by codes. How do I know if I have downloaded the latest version of Mozilla Firefox? Is it better than the previous one?
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is just part of all firewall behavior. You need to become a little bit of a system administrator and keep track of what you are running on your PC. It is just part of the security aspects that you need to be responsible for. ZoneAlarm will pop up a message something like this:

    Do you want to allow xxxxxxx to access the Internet? Where xxxxxxx is the name of the program/process.

    You have to answer Yes or No. But you also need to check the box that says:

    Remember this answer the next time I use this program.

    That way, ZoneAlarm will not ask you anymore. You should normally be able to tell what the process is because most of the time the name will be recognized, and also you should know what you just ran and it should ring a bell that it is related to something you are doing and need. If you do not recognize it then Google the process to get more info on it before you tell ZoneAlarm what action to take. When in doubt deny the access but don't click the Remember this answer check box. If you now see that something does not work that you were trying to do, you should realize what was trying to access the internet and you can allow it (either rerun the process or manually edit ZoneAlarm's database to allow it).

    The same as in almost every program. From the top menu click Help, and then About Mozilla FireFox
     
  46. ciarca

    ciarca Private E-2

    Thank you, just one more question: in one of my email addresses I keep receiving
    a kind of spam email from different addresses, always about financial issues. How can I get rid of them?
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Spam mail is due to the fact that spammers have gotten your email address. Once you are on one list, you can wind up on many. And if you ever respond to any of them (even to just tell them to remove you from the list) you are confirming your email address is valid and you will be added to more lists. This is discussed in How to Protect yourself from malware!

    There is not too much you can do other than the below:
    • Try some spam filtering programs and attempt to create filters that are not too easily bypassed. This can be tedious. Take a look at some of the tools in the below link. You could get recommendations on these and other tools in the Software Forum:
    • Change your email address and be more careful where you use it and who you give it to next time. Never give your email address to people (even friends) who love to click global group replies and forwards. This will get you onto spam lists faster than you can imagine.
     
  48. ciarca

    ciarca Private E-2

    OK, thank you so much!!
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
     