Full Version: win32.trojanpsw.mapping
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
kblue
I have read so much about this threat that I am confused. Some sites say it is a hoax. Your site says it is a password stealer. I can't remove it. Norton doesn't detect it and neither does AVG or Spybot. Adaware is the only program that sees it but if I try to remove it, it just comes back.

Please help.
Thanks.

(Also, each time Adaware 2008 loads it says the server is busy. I got the recent updates manually but still can't get rid of the trojan.)
barry2
QUOTE(kblue @ Dec 23 2008, 01:02 AM)
I have read so much about this threat that I am confused. Some sites say it is a hoax. Your site says it is a password stealer. I can't remove it. Norton doesn't detect it and neither does AVG or Spybot. Adaware is the only program that sees it but if I try to remove it, it just comes back.

Please help.
Thanks.

(Also, each time Adaware 2008 loads it says the server is busy. I got the recent updates manually but still can't get rid of the trojan.)


You're not alone. I'm getting the same infection - Trojan Win 32-PWS. As in your case, only Ad-Aware's extended virus scanner detects it. I also deleted it, and it returned. Norton and Spybot do not detect it.

Yes, please help. I don't believe uninstalling and reinstalling Ad-Aware is the solution. There must be a way of permanently deleting this virus, if this virus is really a threat. I wonder how many other users are getting it. There's something very strange here. Why is Ad-Aware detecting it, but no other spyware programs?

Thanks.
LS CalamityJane
Because you said this is an extended (av) detection, I'd like to check the Ad-Aware scan logs for information on exactly what it found in case this could be a false positive.

In Windows XP, the Ad-Aware Log files are located in:
Ad-Aware 2007 users:
C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\logs\Ad-Aware<date information>.log

Ad-Aware 2008 users
C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\logs\Ad-Aware<date information>.log
To upload the file, click on the Browse button within your post, navigate to the log file's location, select the file then click the green UPLOAD button.

For Vista Users that would be
C:\Program Data\Lavasoft\Ad-aware\logs\Ad-Aware<date information>.log
kblue
I am having a bit of a problem uploading. When I follow the path you sent for the logs, the only ones that come up are in DreamWeaver (ie. XML)

This is what I see but it is in DW: Ad-Aware 20081223 17-49-52.log

(Also, just an FYI of what I did. I tried to get rid of the malware by disabling system restore, running safe mode and then using Adaware 2008 (all updated). Inside safe mode it detected win32trojanpsw.mapping. So I quarantined it and ran Adaware again. It showed up ... again. I then tried just removing it and running Adaware 2008 again. Still the beast came back. Maybe I missed a step somewhere?

And, we did try to find an online game and I read on the internet that an online gaming site is the one originally responsible for this stupid malware so it seems we may legitimately have it. Normally we don't surf much and always have Adaware updated. However, we only had the free version at the time. I bought "plus" after realizing that "free" wasn't getting rid of the malware. Of course that didn't help.

Is there another way to get my log files to you or something else we should be doing?
barry2
I ran Ad-Aware 2008 in safe mode, and it was no longer there - at least for now. We'll see what happens.
kblue
BTW, I am not running any extended version. The free version found this bug and then after we got the Adware 2008 Plus, it also found it.

Even if this is a false positive for us, which I don't think it is, we still need to get rid of it, don't we? Seeing its ugly mug with a threat of 10 is more than a little unsettling.

I opened the log files via dreamweaver. I hope this is what you are after. If not, I need more help on how to get them in 'nonXML' format.

-------------------------------

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="aawlog.xsl"?>
<log>
<header logDate="2008-12-23" logTime="17:49:52" scanCompleted="True">
<userAndComputer computerName="KAIZER" scanUser="SYSTEM" guiUser="Owner"/>
<fileVersion version="7,1,0,12">CEAPI.dll</fileVersion>
<fileVersion version="7,1,0,12">aawservice.exe</fileVersion>
<fileVersion version="7.1.0.11">Ad-Aware.exe</fileVersion>
<progamRelease>Plus Edition</progamRelease>
<defFile>C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\core.aawdef</defFile>
</header>
<systemInformation>
<processor noOfProcessors="1">AMD Athlon™ XP 2400+</processor>
<memory availablePct="16" totalPhysical="469086208" availablePhysical="73228288" totalPageFileSize="1109823488" availablePageFileSize="284512256" totalVirtual="2147352576" availableVirtual="1712357376"/>
<operatingSystem majorVersion="5" minorVersion="1" build="2600">Microsoft Windows XP </operatingSystem>
</systemInformation>
<applicationSettings>
<setting name="Def Home Page" value="http://www.msn.com">Default Home Page</setting>
<setting name="Def Search Page" value="http://ie.search.msn.com">Default Search Page</setting>
<setting name="Unload Known Processes" value="True">Unload malicious processes and modules</setting>
<setting name="Unload Modules" value="True">Unload Modules</setting>
<setting name="Unload IE" value="False">Unload Browsers while scanning</setting>
<setting name="Suppress Fails" value="False">Suppress Failure Warnings</setting>
<setting name="Remove at Reboot" value="True">Let Windows remove files at Start-Up</setting>
<setting name="Skip Files Large Than" value="1048576">Skip Files Large Than</setting>
<setting name="Use Extended Engine" value="True">Using Extended Engine</setting>
<setting name="Extended Engine Heurestics" value="0">Use heurestics with Extended Engine</setting>
<setting name="Background Process" value="False">Run Scan as Background Process</setting>
<setting name="Suppress Progress" value="False">Suppress Progress bar during scan</setting>
<setting name="Deactivate Ad-Watch" value="True">Deactivate Ad-Watch</setting>
<setting name="Reanalyze Scan Results" value="True">Re-analyze Scan Result</setting>
<setting name="Scan TAI Level" value="3">Ignore Infections with TAI lower than</setting>
<setting name="Startup Auto Clean TAC Higher Than" value="10">Automatically remove infections with TAI higher than</setting>
<setting name="Startup Close After Scan" value="False">Close Ad-Aware after start-up scan</setting>
<setting name="Startup Update Def File" value="False">Update Definitions File before scanning</setting>
<setting name="Startup Scan Mode" value="Off">Startup Scan Mode</setting>
<setting name="Service Startup Scan Mode" value="Off">Windows Startup Scan Mode</setting>
<setting name="Update At Startup" value="True">Update Definitions on startup</setting>
<setting name="Auto Quarantine" value="False">Quarantine objects prior to removal</setting>
<setting name="Safe Mode" value="False">Safe Mode</setting>
<setting name="Delete Restored Items" value="True">Delete Restored Items</setting>
<setting name="Integrate In IE" value="False">Integrate into Windows Explorer</setting>
<setting name="Dump Exceptions To Disk" value="False">Dump Exceptions To Disk</setting>
<setting name="Perm Archive Caching" value="False">Permanent Archive Caching</setting>
<setting name="Write Protect SysFiles" value="True">Write Protect System Files</setting>
<setting name="Skin File" value="Ad-Aware 2008">Current skin</setting>
<setting name="Use Sound" value="False">Play a sound if scan locates an infection</setting>
<setting name="Sound File" value="C:\Program Files\Lavasoft\Ad-Aware\alert.wav">Current sound (wav file)</setting>
<setting name="GUI Menu Animation" value="2">Menu Animation</setting>
<setting name="Lang File ID" value="0">Current language file</setting>
<setting name="Log To Disk" value="True">Create Log file</setting>
<setting name="Log File Path" value="C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\logs\">Log file Path</setting>
<setting name="Log File Path" value="1">Limit log files to</setting>
<setting name="Basic Settings" value="True">Include basic settings</setting>
<setting name="Advanced Settings" value="True">Include advanced settings</setting>
<setting name="User And Comp Name" value="True">Include user and computer name</setting>
<setting name="Environment" value="True">Environment information</setting>
<setting name="Log Running Processes" value="True">Running processes</setting>
<setting name="Log Running Process Modules" value="True">Running processes and modules</setting>
<setting name="Ignored Objects" value="True">Include info about ignored objects in log file</setting>
<setting name="Remind To Update" value="True">Notify when Definitions File is Outdated</setting>
<setting name="Backup Definitions File" value="True">Backup Definitions File</setting>
<setting name="Remind To Update" value="7">Consider definitions File Outdated after x days</setting>
<setting name="Use Proxy" value="False">Use Proxy</setting>
<setting name="Proxy URL" value="ProxyAddress.com">Proxy URL</setting>
<setting name="Proxy Port" value="1234">Proxy Port</setting>
<setting name="Proxy User Name" value="">Proxy User Name</setting>
<setting name="Proxy Password" value="No password set">Proxy Password</setting>
</applicationSettings>
<definitionsFile version="143" build="8" buildDate="2008/12/22" buildTime="06:11:01">C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\core.aawdef</definitionsFile>
<executableFile version="7,1,0,12">ceapi.dll</executableFile>
<executableFile version="7,1,0,12">aawservice.exe</executableFile>
<executableFile version="7.1.0.11">Ad-Aware.exe</executableFile>
<scanSection completed="True">
<scanSettings>
<setting name="Method" value="Smart"/>
<scanObjects/>
</scanSettings>
<scanStatistics>
<items scanned="2"/>
<infections detected="0" ignored="0" removedDuringScan="0" quarantinedDuringScan="0"/>
</scanStatistics>
<scanDetailedStatistics>
<scanType name="Process Scan" critical="0" total="0"/>
<scanType name="Registry Scan" critical="0" total="0"/>
<scanType name="Registry PE Scan" critical="0" total="0"/>
<scanType name="Hosts Scan" critical="0" total="0"/>
<scanType name="File Scan" critical="0" total="0"/>
<scanType name="Folder Scan" critical="0" total="0"/>
<scanType name="LSP Scan" critical="0" total="0"/>
<scanType name="ADS Scan" critical="0" total="0"/>
<scanType name="Cookie Scan" critical="0" total="0"/>
<scanType name="File Hash Scan" critical="0" total="0"/>
</scanDetailedStatistics>
<foundInfections/>
<ignoredItems/>

{Moderator edit: removed unneeded info}
kblue
QUOTE(barry2 @ Dec 24 2008, 01:08 AM)
I ran Ad-Aware 2008 in safe mode, and it was no longer there - at least for now. We'll see what happens.


You know, when I look at what DW brought up, it seems to be showing version 7, which makes no sense when I bought and downloaded Adaware 2008. I wonder if something is conflicting there. I have no Adaware 7 left on my computer. I am glad safe mode worked for you. Did you disable system restore first? Otherwise, according to another tech I talked to before coming on here, when you reboot your computer, the malware will come back.

In my case, I shut down SR then went into safe mode and ran Adware. Unfortunately it came back anyway. Who knows. While I wait for help on here, I am going to try it again. You never know.

Right now I am running Adaware again and ...voila...1 infection detected. I'd bet the farm it's still the same trojan.
kblue
I just read in another forum where this is being discussed. It is in 'false positives'. I see that another poster was also getting xml so I am hoping to follow the instructions there and send my log properly. I have another scan in progress which has detected what I think is the same malware again.

In false positives, you say to look for 'the log file that has the ending extension of .log and its icon would look like a text file.' However, there is no file in there with .log
The only two I see are awprocesseslog and coreenginecommunicationlog. No text file ending in .log

kblue
Interesting. They show up as .log after I download them but not before. Here is the other one, just in case....
LS CalamityJane
kblue, your version of Ad-Aware is just fine - it is the 2008 version; the build # beginning with 7 doesn't mean it is Ad-Aware 2007.

And, the xml log won't read very well here. We need the one that has .log extension. It should look like this in your folder (see attached image).

However, I could pick out pertinent findings from the log you did post.

It said:
logDate="2008-12-23" logTime="17:49:52" (date and time of scan)

infections detected="0" ignored="0" removedDuringScan="0" quarantinedDuringScan="0"
No infections found on that scan

It also indicated you were using "Smart Scan"

What you need to do is a Full System Scan. When done, post the log from that scan; it will be named by date and time and end in the .log extension (and if you view by icons, it will be a text file that looks like a page in a book).
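The moderator's reading of the posted log comes down to three fields: the header's logDate/logTime, the infections line under scanStatistics, and the scan Method setting (Smart versus a full system scan). The script below is an added example for readers, not code from this thread or from Lavasoft; it assumes only the element and attribute names visible in the log kblue posted. Because that log was cut off before its closing </log>, the example uses XMLPullParser so every element completed before the truncation point is still reported, and it records whether the document closed cleanly. The sample log text is constructed (abridged from the posted log).

```python
"""Summarise an Ad-Aware 2008 XML scan log (added example, not Lavasoft code)."""
import xml.etree.ElementTree as ET

# Constructed sample, abridged from the log posted in the thread. It stops
# before </log>, as the posted one does, so the parser must cope with truncation.
SAMPLE_LOG = """<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="aawlog.xsl"?>
<log>
<header logDate="2008-12-23" logTime="17:49:52" scanCompleted="True">
<userAndComputer computerName="KAIZER" scanUser="SYSTEM" guiUser="Owner"/>
<fileVersion version="7.1.0.11">Ad-Aware.exe</fileVersion>
<progamRelease>Plus Edition</progamRelease>
</header>
<applicationSettings>
<setting name="Use Extended Engine" value="True">Using Extended Engine</setting>
<setting name="Scan TAI Level" value="3">Ignore Infections with TAI lower than</setting>
</applicationSettings>
<definitionsFile version="143" build="8" buildDate="2008/12/22" buildTime="06:11:01">core.aawdef</definitionsFile>
<scanSection completed="True">
<scanSettings>
<setting name="Method" value="Smart"/>
<scanObjects/>
</scanSettings>
<scanStatistics>
<items scanned="2"/>
<infections detected="0" ignored="0" removedDuringScan="0" quarantinedDuringScan="0"/>
</scanStatistics>
<scanDetailedStatistics>
<scanType name="Process Scan" critical="0" total="0"/>
<scanType name="File Scan" critical="0" total="0"/>
</scanDetailedStatistics>
<foundInfections/>
<ignoredItems/>
"""


def _record(summary, event, elem):
    """Copy the fields a helper reads first into the summary dict."""
    if event == "start" and elem.tag == "header":
        # Header attributes are available at the start event, so the scan
        # date survives even if the log is cut off later.
        summary["scan_date"] = elem.get("logDate")
        summary["scan_time"] = elem.get("logTime")
        summary["completed"] = elem.get("scanCompleted") == "True"
    elif event == "end":
        if elem.tag == "definitionsFile":
            summary["definitions"] = "%s build %s (%s)" % (
                elem.get("version"), elem.get("build"), elem.get("buildDate"))
        elif elem.tag == "setting" and elem.get("name") == "Method":
            summary["method"] = elem.get("value")  # "Smart" in the posted log
        elif elem.tag == "items":
            summary["items_scanned"] = int(elem.get("scanned", "0"))
        elif elem.tag == "infections":
            summary["infections_detected"] = int(elem.get("detected", "0"))
        elif elem.tag == "scanType":
            summary["scan_types"][elem.get("name")] = int(elem.get("total", "0"))


def summarize_adaware_log(xml_text):
    """Return the key facts from an Ad-Aware log, tolerating a truncated file.

    XMLPullParser emits events for elements as they complete, so a log with
    no closing </log> still yields its header and statistics; the parse
    error raised at close() is recorded in `truncated` rather than lost.
    """
    summary = {
        "scan_date": None, "scan_time": None, "completed": None,
        "definitions": None, "method": None, "items_scanned": None,
        "infections_detected": None, "scan_types": {}, "truncated": False,
    }
    parser = ET.XMLPullParser(events=("start", "end"))
    try:
        parser.feed(xml_text)
        parser.close()  # raises ParseError ("no element found") if unclosed
    except ET.ParseError:
        summary["truncated"] = True
    try:
        for event, elem in parser.read_events():
            _record(summary, event, elem)
    except ET.ParseError:  # malformed content mid-file; keep what was read
        summary["truncated"] = True
    return summary


def needs_full_scan(summary):
    """Mirror the advice in the thread: a Smart scan that found nothing is
    not evidence of a clean machine; a Full System Scan log is wanted."""
    return summary["method"] == "Smart"


if __name__ == "__main__":
    result = summarize_adaware_log(SAMPLE_LOG)
    for key, value in result.items():
        print("%-20s %s" % (key, value))
    if needs_full_scan(result):
        print("Smart scan only: request a Full System Scan log.")
```

Run it as a script to see the summary of the constructed sample; pass the text of a real .log file to summarize_adaware_log for an actual log. A log that reports detected="0" from a Smart scan, as the posted one does, says nothing about whether the detection kblue saw in safe mode was real, which is why the helper asked for a full scan before judging it a false positive.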
kblue
Hello again and thanks for responding. While waiting for a reply I did another scan in safe mode and while the malware popped up again there, it hasn't shown itself on a recent full scan I did once I put everything back the way it was. System restore still is not on at this point. I am going to reboot my computer, do another scan and see what happens.

As far as the logs go, I still cannot locate what you are asking for. The path I am following is:

my computer..c drive...documents and settings...all users...application data...lavasoft...adaware...logs.

Inside I have:

aawlog (stylesheet)
adaware event (txt)
adwatch regsheet logfile (xml)
coreenginecommunicationlog (xml)
adaware20081223 21-02-41.log (xml)
adwatch connect logfile (xml)
awprocesseslog (txt)
update (txt)

There is nothing else and nothing which resembles the file you have shown in the sample.
I wonder why not?

I will reboot, rescan and let you know if the malware returns. I'd sure like to know why I can't access the logfile you are asking for....
kblue
Ok, now this is weird. When I did the last full scan, there was one infection showing right up until the end. After the scan finished it showed zero infections. However, I do continue to have 5 items in quarantine. 4 of those were non-threatening and 1 was the malware. I recall this from the scan I did while in safe mode. I had quarantined everything.

Well I rebooted, still with SR off, and started another full scan, expecting to see zero infections. Just a few minutes into the scan I am showing 10 infections. I was attempting to load my browser to come here but I did that last time as well, and never showed 10 infections. I have no idea what they are yet but wonder how I can get 10 without doing much since the last reboot.

Still, if I don't have the win32.trojanpsw.mapping malware showing, I'll post again to let you know it's been resolved. If someone can tell me what to do if I do, in fact, have it in quarantine, I'll be very grateful. I do not want that bugger coming back.
barry2
QUOTE(kblue @ Dec 24 2008, 04:03 AM)
Ok, now this is weird. When I did the last full scan, there was one infection showing right up until the end. After the scan finished it showed zero infections. However, I do continue to have 5 items in quarantine. 4 of those were non-threatening and 1 was the malware. I recall this from the scan I did while in safe mode. I had quarantined everything.

Well I rebooted..still with SR off and started another full scan, expecting to see zero infections. Just a few minutes into the scan I am showing 10 infections. I was attempting to load my browser to come here but I did that last time as well....and never showed 10 infections. I have no idea what they are yet but wonder how I can get 10 without doing much since the last reboot.

Still, if I don't have the win32.trojanpsw.mapping malware showing, I'll post again to let you know its been resolved. If someone can tell me what to do if I do, in fact, have it in quarantine, I'll be very grateful. I do not want that bugger coming back.


Hi kblue. It seems you have a bigger mess on your hands than I do. To answer your question, when I ran Ad-Aware in Safe Mode, no I didn't disable System Restore. I had a computer consultant once tell me it wasn't necessary. So I don't know what the right answer is on this. I think the issue of System Restore is more important for you because you still had the virus in Safe Mode, and I didn't.

I deleted the quarantined virus first level file. I'm not management, so I'm not trying to tell you what to do. It seems that quarantine is there as a safeguard in case a virus is attached to a critical file. In this case, I took a chance and deleted it because the virus came back on the second scan, and the quarantined file looked safe to delete. Hang in there. I know this whole thing is exasperating.

Thanks for mentioning the "False Positives" forum. I'll have to look at it.

BTW: I have the log file that they wanted you to send. It was right where it should be. Strange that you don't have it.

- Barry
LS CalamityJane
Hi guys,

Barry2 is correct about System Restore. It used to be advised by Antivirus programs to turn it off during cleaning, however, that will wipe out ALL your system restore points. These days with malware removal being very tricky, it's better to have a recovery option of a System Restore point should something go wrong, because even an infected Restore point is better than none at all. So turn that on and when we are done determining your machine is clean, we'll give you instruction on how to clear any old system restore points and create a fresh new one at that time. For now it is better to leave system restore turned ON, please.

Barry, if you have that scan log in text file can you attach it here for review?
kblue
QUOTE(LS CalamityJane @ Dec 24 2008, 04:10 PM)
Hi guys,

Barry2 is correct about System Restore. It used to be advised by Antivirus programs to turn it off during cleaning, however, that will wipe out ALL your system restore points. These days with malware removal being very tricky, it's better to have a recovery option of a System Restore point should something go wrong, because even an infected Restore point is better than none at all. So turn that on and when we are done determining your machine is clean, we'll give you instruction on how to clear any old system restore points and create a fresh new one at that time. For now it is better to leave system restore turned ON, please.

Barry, if you have that scan log in text file can you attach it here for review?



Interesting about SR. The technician who told me to turn it off...and sent a detailed description via email was one of your own techs. After we downloaded Adaware 2008, we had issue after issue...scanner not connecting, defs not loading..etc. He sent us a link where we could download manually, then after we got the core.aawdef file in the right place and did a scan, then the malware showed up and kept showing. He sent us the following which I am cutting and pasting below, from my email, minus his name. He basically indicated that if his fix didn't work, that I was to come here and ask for help. So I did.

The good news is that I repeated his steps one more time and now the malware is gone. I think what I forgot to do the first time(s) was to make sure I'd selected "minimal" in Safeboot. I'm not certain what I may have missed. However, I can say that when I ran Adaware in safemode without turning off SR, I didn't get rid of the virus.

Here is a copy of the email. If in fact it is not good to turn off SR, perhaps all Lavasoft support personnel should know this. On the other hand, it is what worked for us.
(BTW I still can't see the txt of my log. Should I post a separate topic for this? It concerns me that I don't seem to have a log anywhere. What I have is on the list I posted above. No less, no more.)

------------------------------------------------------------------------------------------------
Thank you for contacting us

Unfortunately, some types of malware may be able to reproduce themselves after being detected and removed by an anti-spyware program.

Please ensure you run an update and are using the latest version of Ad-aware.

Check in your Windows control panel > Add-Remove programs to see if there is any new software installed on your computer that you are unaware of. If you do find any uninstall them but pay attention to any dialog boxes that appear and decline any invitations that may come up as a result of the uninstall.

Disable system restore in the properties menu of My Computer then run Ad-aware. Remove/Quarantine any files that Ad-aware describes as a threat. Reboot your system into Safe Mode without networking (usually by pressing F8 during boot process, and choosing Safe Mode, or see text below) and scan again, then re-activate system restore.

Go to Start > Run > type MSCONFIG, click on the Boot.ini tab, under Boot Options, click (turn on) /SAFEBOOT, select Minimal. The malware will not be able to make a network connection.

Reboot to apply the changes. The computer will boot into SafeMode, run a full scan using Ad-Aware to clean your system. When finished, reopen MSCONFIG following as above and uncheck (turn off) the /SAFEMODE box, Boot Options to boot into normal Windows mode when you restart.

Always make sure that Ad-Watch is up and running, as this will prevent your computer from getting infected, rather than removing it once infected.

Ad-Watch should warn of registry changes if the malware is re-installing itself.

Different software have slightly different malicious files in detection, and no program detects everything. If you have big problems that Ad-Aware does not detect/remove, we recommend you post in our support forums at www.lavasoftsupport.com where employees and volunteers will be able to help you further with the specific infection.


Kind regards

*****- Lavasoft Support
kblue
And I just want to apologize if I sound like I am telling you your business. I don't mean to. Just wanted to let you know that the advice to disable SR was from lavasoft. Next time I won't be so quick to disable SR. Just thought the guy who told us to do it was 'up on' the latest fixes.

Thanks again for your help and in advance for ideas on the log file.
kblue
QUOTE(kblue @ Dec 24 2008, 10:25 PM)
Thanks again for your help and in advance for ideas on the log file.


I found another thread where another Adaware 2008 poster talks about having to append his XML log file to upload as a txt file. So, I thought, "Yay! I can do what he did." However, when I go to rename my DW file, it doesn't end in xml. (See below) However, when I try to save it to Notepad it shows as being xml. Why it doesn't end with xml confuses me.

Ad-Aware 20081224 12-52-48.log is how it shows, yet it is definitely xml.

Here is the thread:

http://www.lavasoftsupport.com/index.php?showtopic=18962

It seems that other people don't see a proper txt file in logs either, so I am not alone. If you can tell me how to convert the xml to txt, I'd be able to upload log files.
kblue
QUOTE(kblue @ Dec 24 2008, 11:10 PM)
I found another thread where another Adaware 2008 poster talks about having to append his XML log file to upload as a txt file. So, I thought, "Yay! I can do what he did." However, when I go to rename my DW file, it doesn't end in xml. (See below) However, when I try to save it to Notepad it shows as being xml. Why it doesn't end with xml confuses me.

Ad-Aware 20081224 12-52-48.log is how it shows, yet it is definitely xml.

Here is the thread:

http://www.lavasoftsupport.com/index.php?showtopic=18962

It seems that other people don't see a proper txt file in logs either, so I am not alone. If you can tell me how to convert the xml to txt, I'd be able to upload log files.


Please tell me if what you see is the file you are after. On the macromedia support forums for dw I was shown how to convert dw files back to txt. I have uploaded that file.
Currently, I have 5 items in quarantine and one is the win32.trojanpws.mapper
Do I delete quarantine.aaw in the Adaware file?
barry2
QUOTE(LS CalamityJane @ Dec 24 2008, 04:10 PM)
Hi guys,

Barry2 is correct about System Restore. It used to be advised by Antivirus programs to turn it off during cleaning, however, that will wipe out ALL your system restore points. These days with malware removal being very tricky, it's better to have a recovery option of a System Restore point should something go wrong, because even an infected Restore point is better than none at all. So turn that on and when we are done determining your machine is clean, we'll give you instruction on how to clear any old system restore points and create a fresh new one at that time. For now it is better to leave system restore turned ON, please.

Barry, if you have that scan log in text file can you attach it here for review?


Sorry, but I no longer have it. I discovered that Ad-Aware presets the number of log files to 1. I recently found this setting and upped it, so I can now have multiple logs. The only logs in text format that I now have are my last clean scans.