Full Version: WIN32.TrojanDownloader...etc.
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
Energy
I currently have installed Ad-Aware Free Version 7.1.0.10, with updated definitions file (0118.0000). I have repeatedly scanned my computer and despite numerous attempts to remove and/or quarantine this malware file, it keeps showing up even after rebooting my computer and with Lavasoft supposedly removing/deleting the bad files. Not to mention that it is slowing my system down, pop-ups, etc.

I read some other posts and downloaded and ran Hijack This. The log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:09 PM, on 9/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwida.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SQL Anywhere 10\win32\dbisqlg.exe
C:\Program Files\SQL Anywhere 10\Sybase Central 5.0.0\win32\scjview.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [CnwiDeviceAgent] C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwida.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [A00F6F4B3.exe] C:\DOCUME~1\bsears\LOCALS~1\Temp\_A00F6F4B3.exe
O4 - HKCU\..\Run: [A00F2A733.exe] C:\DOCUME~1\bsears\LOCALS~1\Temp\_A00F2A733.exe
O4 - HKCU\..\Run: [DBISQL10] "C:\Program Files\SQL Anywhere 10\win32\dbisqlg.exe" -preload
O4 - HKCU\..\Run: [SybaseCentral500] "C:\Program Files\SQL Anywhere 10\Sybase Central 5.0.0\win32\scjview.exe" -preload
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: imagePROGRAF Status Monitor.lnk = C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwism.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pilgrimenergy.net
O17 - HKLM\Software\..\Telephony: DomainName = pilgrimenergy.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pilgrimenergy.net
O20 - Winlogon Notify: 2cb2ad8d382 - C:\WINDOWS\system32\__c0064449.dat (file missing)
O20 - Winlogon Notify: __c0064A29 - C:\WINDOWS\system32\__c0064A29.dat (file missing)
O20 - Winlogon Notify: __c0071EE2 - C:\WINDOWS\system32\__c0071EE2.dat (file missing)
O20 - Winlogon Notify: __c0086556 - C:\WINDOWS\system32\__c0086556.dat (file missing)
O20 - Winlogon Notify: __c008E53C - C:\WINDOWS\system32\__c008E53C.dat (file missing)
O20 - Winlogon Notify: __c009510 - C:\WINDOWS\system32\__c009510.dat (file missing)
O20 - Winlogon Notify: __c00972B1 - C:\WINDOWS\system32\__c00972B1.dat (file missing)
O20 - Winlogon Notify: __c0098FC4 - C:\WINDOWS\system32\__c0098FC4.dat
O20 - Winlogon Notify: __c00AC7D4 - C:\WINDOWS\system32\__c00AC7D4.dat (file missing)
O20 - Winlogon Notify: __c00AF098 - C:\WINDOWS\system32\__c00AF098.dat
O20 - Winlogon Notify: __c00BC97B - C:\WINDOWS\system32\__c00BC97B.dat (file missing)
O20 - Winlogon Notify: __c00E22D0 - C:\WINDOWS\system32\__c00E22D0.dat (file missing)
O20 - Winlogon Notify: __c00F33E1 - C:\WINDOWS\system32\__c00F33E1.dat (file missing)
O20 - Winlogon Notify: __c00FF9DA - C:\WINDOWS\system32\__c00FF9DA.dat (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7945 bytes

Please, please, someone tell me how to get this malware off my computer. Thanks -
Brad
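As an added example (not part of this thread, and not a Lavasoft or HijackThis tool), the script below applies a defender's first-pass triage to log lines of the shape posted above: it flags O4 autoruns launched from a user temp directory and O20 Winlogon Notify packages that are not .dll files, noting dangling "(file missing)" references. The sample lines and the user name in them are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis O4/O20 format, modelled on the shapes in the
# posted log (user name altered). It is not a copy of that log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00F6F4B3.exe] C:\DOCUME~1\user\LOCALS~1\Temp\_A00F6F4B3.exe
O20 - Winlogon Notify: __c0098FC4 - C:\WINDOWS\system32\__c0098FC4.dat
O20 - Winlogon Notify: __c0064A29 - C:\WINDOWS\system32\__c0064A29.dat (file missing)
O20 - Winlogon Notify: sclgntfy - C:\WINDOWS\system32\sclgntfy.dll
"""

# O4: "O4 - HKCU\..\Run: [name] command";  O20: "O20 - Winlogon Notify: key - path [(file missing)]"
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$')
TEMP_MARKERS = ('\\temp\\', '\\locals~1\\')   # user temp folders, 8.3 form included

def exe_path(cmd):
    """Strip quotes and arguments from a Run value to get the launched file."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted paths may contain spaces, so stop at the first executable extension.
    m = re.match(r'(.+?\.(?:exe|com|scr|bat|cmd|pif))(?=\s|$)', cmd, re.I)
    return m.group(1) if m else cmd.split(' ')[0]

def triage(log_text):
    """Return (line_type, identifier, reason) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            path = exe_path(m.group('cmd')).lower()
            if any(marker in path for marker in TEMP_MARKERS):
                findings.append(('O4', m.group('name'), 'autorun launched from a temp directory'))
            continue
        m = O20_RE.match(line)
        if m:
            # Notification packages are DLLs; a .dat registered here is irregular.
            ext = PureWindowsPath(m.group('path')).suffix.lower()
            if ext != '.dll':
                reason = f'Winlogon Notify package with {ext or "no"} extension'
                if m.group('missing'):
                    reason += ' (dangling: file missing)'   # leftover registration
                findings.append(('O20', m.group('key'), reason))
    return findings

if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=' | ')
```

Dangling O20 entries still point Winlogon at a file that is gone, so they are worth cleaning up even though nothing loads from them.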
LS CalamityJane
Hello,

You've stepped into something really sticky there that is thwarting attempts to remove it. Let's try some special tools because this is a little deeper than the HijackThis tool or Ad-Aware can deal with.

Let's start with this one called: ComboFix (this is a free tool developed by independent volunteers - not Lavasoft FYI). It should not be run by anyone without expert guidance specifically helping you such as here in this forum.

Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

If you do not have the Windows recovery console installed already, do follow the page's instructions for doing that before you run it. That is because some malware removal can damage your system so that Windows won't boot and should a problem occur, the Windows Recovery Console would be an option to use to bring the system back up.

After you have the recovery console installed (if that step was necessary), then proceed to download and run the ComboFix tool.

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you. If it calls for a reboot, just let it and then the tool will need to run some more before it pops up a log.
3. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Energy
Ok - I think I've got everything solved. After reading your reply and realizing I was unsure whether my computer had Recovery Console downloaded or not, I called our IT guy from down the street (this is my work computer). He had ComboFix on hand and downloaded and ran the program, and it appears it wiped out the WIN32.TrojanDownloader and associated files (it was identified as c:/windows/system32/~.exe). Unfortunately, he closed out everything before I had a chance to copy the log, but from his review of the log, ComboFix found and deleted 3 files, including that one listed above. If I run into any more problems, I will post again - but in the meantime, thank you so much for your assistance and for directing me to the right fixes.
LS CalamityJane
Ok, well, it would have saved a copy of the log on your hard-drive at:

C:\Combofix.txt

When you get to the machine at work, could you pull up a copy and copy & paste the log results back here so I can review, just to make sure all went ok?