Ad-aware.exe.hdmp / Powerspider-F

Hello all,

Avast resident shield recently picked up a trojan file called “ad-aware.exe.hdmp” which it labelled as a “Win32:Powerspider-F” trojan. I immediately put the file in the Avast Virus chest.

How can I:
-check to make sure that the trojan is contained;
-make sure that it caused no damage; and
-repair any damage it caused?

Thanks!

Some notes about the problem:
-I believe the file was less than one day old when Avast caught it. This is for 3 reasons: I regularly scan my computer with several programs; I had a hunch something odd was happening with my computer; and the file was in the temporary files folder, which I clean out several times a day with CCleaner.
-The file was never moved or opened by me.
-Symantec has a list of attributes of Powerspider (http://www.symantec.com/security_response/writeup.jsp?docid=2003-070416-2510-99&tabid=2). Of all the files and registry entries listed, my computer has none.
-Google has only 3 results for “ad-aware.exe.hdmp”. The most helpful I could find was in Portuguese (http://linhadefensiva.uol.com.br/forum/index.php?showtopic=44176). From the imperfect translation by Google Translate, the page said one symptom of the virus is disappearing entries in the Control Panel and Add/Remove Programs window. Neither of these things happened to me.

The avast chest is a protected area: the file can't get out, nor can it be run by any outside program.

I can't say if it did any damage before it was detected; all you can do is run other tools (ones that are more specialised in anti-spyware/trojan detection) to check for that. But if the files and registry entries mentioned in the report you (and the Google results) cited aren't there, it is unlikely.

If you haven't already got this software (item 1 is freeware), download, install, update and run it, preferably in safe mode.

  1. If using WinXP: AVG Anti-Spyware (formerly Ewido), or SUPERAntiSpyware, or Spyware Terminator. Or a-squared Free if using Win98/ME.
  2. Ad-Aware SE Personal Edition
  3. Spybot Search and Destroy

Thanks for your reply, David!

I already have AVG, Spybot S&D, and Ad-aware. I will scan with all of those in safe mode.
I also am trying “Windows Malicious Software Removal Tool” and “BitDefender Online scan” (the latter of which was recommended by the page in Portuguese).

The page in Portuguese also recommended something called “Combofix.” What is that, and is it useful at all in this context?

Finally, could the program “HijackThis” be used in this situation at all?

ComboFix, as its name suggests, is a combination of tools; you will see a number of very long topics relating to ComboFix, as it generates huge data files requiring analysis and then action with other tools. This most certainly isn't a user tool in the way AVG-AS or Ad-Aware are (run, find and deal with malware).

ComboFix is more like HijackThis on steroids, but yes, HJT could be used to generate information on what is running on your system. You could post the contents of the log; it may need to be split over two or more posts if it is too big to copy and paste into one post. You could also use one of the on-line analysis sites for information and check out the unknown/harmful entries by googling the file names, etc.

On-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2

I checked the log with both on-line analyzers and it looks clean.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:13 PM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WIN\System32\smss.exe
C:\WIN\system32\winlogon.exe
C:\WIN\system32\services.exe
C:\WIN\system32\lsass.exe
C:\WIN\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WIN\System32\svchost.exe
C:\WIN\system32\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WIN\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WIN\System32\nvsvc32.exe
C:\WIN\system32\HPZipm12.exe
C:\WIN\system32\RegSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WIN\System32\svchost.exe
C:\WIN\Explorer.EXE
C:\Documents and Settings\Jesse\Desktop\Computer Stuff\Utilities\procexp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WIN\system32\ZCfgSvc.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WIN\system32\ctfmon.exe
C:\WIN\system32\1XConfig.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Intel\NCS\Sync\NetSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WIN\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WIN\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CoolSwitch] C:\WIN\system32\taskswitch.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WIN\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WIN\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WIN\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161806649163
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161825132541
O17 - HKLM\System\CCS\Services\Tcpip\..\{38FADF3B-5CC5-4ADC-BE8E-A2254417810A}: NameServer = 68.87.64.146,68.87.75.194
O17 - HKLM\System\CS1\Services\Tcpip\..\{38FADF3B-5CC5-4ADC-BE8E-A2254417810A}: NameServer = 68.87.64.146,68.87.75.194
O17 - HKLM\System\CS2\Services\Tcpip\..\{38FADF3B-5CC5-4ADC-BE8E-A2254417810A}: NameServer = 68.87.64.146,68.87.75.194
O17 - HKLM\System\CS3\Services\Tcpip\..\{38FADF3B-5CC5-4ADC-BE8E-A2254417810A}: NameServer = 68.87.64.146,68.87.75.194
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WIN\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WIN\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WIN\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WIN\system32\S24EvMon.exe


End of file - 7980 bytes

  1. You don't appear to have an active firewall, or you are using XP's firewall, which provides no outbound protection.

  2. You have two resident antivirus programs, AVG and avast!
    Having two resident scanners installed is not recommended: rather than providing twice the protection, it can cause conflicts that could leave you more vulnerable. You can have additional on-demand scanners or use on-line scanners as a back-up scanner.
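The two replies above describe the same manual routine: generate a HijackThis log, look at what is running and what autostarts, check the O17 NameServer lines, and count how many resident scanners are installed. The script below is an added example (not code from this thread, from HijackThis or from any of the vendors named) that does that first pass automatically over a log in HijackThis v2 format. The sample log inside it is constructed: it copies the shape of the log posted above but adds a process and a Run entry launched from a Temp directory and a second NameServer pair pointing at documentation addresses, so that each check has something to flag. The vendor-string map and the trusted resolver set are assumptions; the script only flags resolvers you have not confirmed yourself (from `ipconfig /all` or your router), which is the step that turns an O17 line from an alarm into a question.

```python
import re

# Constructed sample in HijackThis v2 log format (not the poster's full log).
# Three deliberately bad lines are mixed in: a process and a Run entry that
# live in a Temp directory, and a NameServer pair on documentation addresses
# (192.0.2.x / 198.51.100.x) standing in for a hijacked resolver.
SAMPLE_LOG = r"""
Running processes:
C:\WIN\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\DOCUME~1\Jesse\LOCALS~1\Temp\update.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [svchost] C:\WIN\Temp\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{38FADF3B-5CC5-4ADC-BE8E-A2254417810A}: NameServer = 68.87.64.146,68.87.75.194
O17 - HKLM\System\CS1\Services\Tcpip\..\{38FADF3B-5CC5-4ADC-BE8E-A2254417810A}: NameServer = 192.0.2.53,198.51.100.53
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# Resolvers you have confirmed yourself (ipconfig /all, or the router's WAN
# settings). Assumption for this illustration: the pair seen in the log above.
TRUSTED_DNS = frozenset({"68.87.64.146", "68.87.75.194"})

# Assumption: vendor strings HijackThis prints in O23 lines for resident
# scanner services. Whether a product counts as "resident antivirus" is a
# judgement call; extend or trim this map to match what you decide.
RESIDENT_AV_VENDORS = {"ALWIL Software": "avast!", "GRISOFT": "AVG"}

# Directories a legitimate autostart or long-running process rarely lives in.
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")

O4_RE = re.compile(r"^O4 - .*?\\Run(?:Once)?: (?P<entry>\[.*)$")
O17_RE = re.compile(r"^O17 - \S+: NameServer = (?P<servers>[\d.,]+)")
O23_RE = re.compile(r"^O23 - Service: .*? - (?P<vendor>.*?) - .*$")


def parse(log_text):
    """Split a HijackThis log into its process list and its coded entries."""
    processes, entries = [], []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:
                in_processes = False   # blank line ends the process block
            else:
                processes.append(line)
            continue
        if re.match(r"^[RFNO]\d+ - ", line):
            entries.append(line)
    return processes, entries


def _from_temp(text):
    low = text.lower()
    return any(marker in low for marker in TEMP_MARKERS)


def analyze(log_text, trusted_dns=TRUSTED_DNS):
    """Return (check, detail) pairs for entries that warrant a closer look.

    Each check is a heuristic reading aid, not a verdict: a hit means "go and
    verify this", exactly as a human reviewer would do with the log.
    """
    processes, entries = parse(log_text)
    findings = []

    for proc in processes:
        if _from_temp(proc):
            findings.append(("process-from-temp", proc))

    vendors = set()
    for entry in entries:
        m = O4_RE.match(entry)
        if m:
            if _from_temp(m.group("entry")):
                findings.append(("autorun-from-temp", m.group("entry")))
            continue
        m = O17_RE.match(entry)
        if m:
            rogue = [s for s in m.group("servers").split(",") if s not in trusted_dns]
            if rogue:
                findings.append(("dns-not-trusted", ",".join(rogue)))
            continue
        m = O23_RE.match(entry)
        if m:
            for key, product in RESIDENT_AV_VENDORS.items():
                if key in m.group("vendor"):
                    vendors.add(product)

    if len(vendors) > 1:
        findings.append(("multiple-resident-av", ", ".join(sorted(vendors))))
    return findings


if __name__ == "__main__":
    for check, detail in analyze(SAMPLE_LOG):
        print(f"{check:22} {detail}")
```

Run it against a real log by reading the file into `analyze()` and passing your own confirmed resolvers as `trusted_dns`. The O17 line that matches your ISP's resolvers produces nothing; only the constructed second pair is reported, and with an empty trusted set every NameServer line is reported, which is the behaviour you want when you genuinely do not know what the resolvers should be.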

The AVG I referred to is the anti-spyware not the anti-virus.

  1. Ensure you have the latest version of the JRE (Java Runtime Environment), because older versions can be vulnerable to malware (yours is out of date). First remove all older versions from Add/Remove Programs.
    Then get the latest update from here: http://www.java.com/en/download/index.jsp

Can you recommend a firewall that doesn’t take up too much of the system resources?

Comodo Personal Firewall.
Others? Kerio or the PC Tools one.

Comodo Firewall is the best for me :slight_smile:

Hi there, I am sorry to say you have a Wareout infection.

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O17 - HKLM\System\CCS\Services\Tcpip\..\{38FADF3B-5CC5-4ADC-BE8E-A2254417810A}: NameServer = 68.87.64.146,68.87.75.194
O17 - HKLM\System\CS1\Services\Tcpip\..\{38FADF3B-5CC5-4ADC-BE8E-A2254417810A}: NameServer = 68.87.64.146,68.87.75.194
O17 - HKLM\System\CS2\Services\Tcpip\..\{38FADF3B-5CC5-4ADC-BE8E-A2254417810A}: NameServer = 68.87.64.146,68.87.75.194
O17 - HKLM\System\CS3\Services\Tcpip\..\{38FADF3B-5CC5-4ADC-BE8E-A2254417810A}: NameServer = 68.87.64.146,68.87.75.194

Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.

Please download FixWareout from here:
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure “Run fixit” is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don’t let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log.

You also have two AVs running.

Anti-Virus programs take up an enormous amount of your computer’s resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

If you choose to install more than one Anti-Virus program on your computer, then only one of them should be active in memory at a time.

There are basically two types of these programs:
On-Access and On-Demand

On-Access Scanners
As the name implies, are scanners that run in the background all the time the PC is turned on and running. The main function of an On-Access scanner is to monitor activity on your machine.

On-Demand Scanners
As the name implies, are scanners that only run when you ask them to.
Such as:
Online scans, and scanners that run on your machine but are not actively scanning it.

My error, ignore the previous post; I made a typo in my search :cry: Good job that others are watching me.
To err is human to forgive is divine

If those lines were already fixed, they should be restored from backup, I think.

Wait, I don’t have a wareout problem?

Correct, I was working on another log at a different web site and for some unknown reason got my responses mixed up. I apologise for the concern this caused :cry:

The fix will cause NO problems on an uninfected machine; it will just deliver a null report.

No harm done, I actually decided to take the weekend off of working on my machine, so I saw the correction the next day before I tried the fix.

Looks like my computer is back to normal. Thanks for your help, everyone! It was top-notch advice!