win32 and empa.exe

Hello, I am a newbie. I did some reading and followed steps 1 to 4 as described by L’arc:
Step 1: Windows Disk Cleanup Utility ============

1 Press Windows Key + R
2 Type in: cleanmgr
3 Put a check beside: Temporary Internet Files and Temporary Files. Optionally, you may check other options too
4 Click OK

Step 2: avast! Boot Time Scan ============

1 Double click avast! antivirus desktop icon and wait for memory test to complete
2 avast GUI will appear. Right click anywhere on avast!'s window and select Schedule Boot Time Scan…
3 Click Advanced options and select Move infected file to Chest on the first dropdown list and leave the other one as it was. Click Schedule
4 You will be asked for a system restart. Click Yes to do it now or No to let avast wait for you to manually restart your PC
NOTE: Optionally, you may enable scanning of archive files. If it is enabled, scanning would be more thorough but would take more time

Step 3: Malwarebytes Antimalware (MBAM) ============

1 Download Malwarebytes’ Antimalware here
2 Proceed to installing MBAM after downloading
3 On the last dialog box, do not forget to leave Update Malwarebytes’ Antimalware and Run Malwarebytes’ Antimalware checked
4 Malwarebytes’ Antimalware GUI would appear, from there select Perform Quick Scan and click Scan
5 When scan is completed, click Show Results
6 Click Remove Selected and then, a notepad file will appear.
7 On the notepad window, click File > Save As and save it on your desktop. You may now close MBAM.

Step 4: Hijack This (HJT) ============

1 Download Trend Micro Hijack This here
2 Install HJT in C:\Program Files\Trend Micro\HijackThis (the location is already displayed by default). Click Install
3 HJT Window will appear. Click Do a system scan and save a logfile. A notepad file will pop-up once the scan is completed
4 Click on the Notepad window and click File > Save As and save the file on your desktop
5 Go back here on your topic and start a reply. On the Reply window, click Additional Options
6 Attach the two .txt files that we created and saved on your desktop (click more attachments to have more slots for attaching files)
NOTE: Do not have HJT fix anything yet.

I have the files attached. Please help, I don’t know what to do next.

Hi brainman1,

First some info about the malware you have encountered.
Trojan.Downloader.aao is wreaking havoc on many a PC. This particularly malicious application usually infiltrates a system through security exploits or via dubious means, which further facilitate the download and ultimate installation of additional malicious applications. Trojan.Downloader.aao is known to download adware, spyware or other malware from various servers and sources on the internet. Trojan.Downloader.aao is regarded as a high security risk to any PC system, therefore one needs to immediately remove it from any computer system once it has been detected. Important to bear in mind is the fact that Trojan.Downloader.aao regularly carries out covert downloads onto computers, and it has a predilection to install rogue security programs and other malware. Trojan.Downloader.aao needs to be removed from a system immediately, as it affects the system in such a way that the opening of illicit network connections, the use of polymorphic tactics to self-mutate, the disabling of already installed security software, modification of system files, and, not forgetting, the installation of additional malware is pretty much assured.

How to manually remove Trojan.Downloader.aao

To save time and avoid risking destroying your computer, we highly recommend using a spyware scanner such as SUPERAntiSpyware to detect Trojan.Downloader.aao and other spyware, adware, Trojans, viruses, keyloggers, and more that can be hidden in your PC. Download from here:
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

Files associated with Trojan.Downloader.aao infection:

empa.exe
lwpwer.exe
CbEvtSvc.exe

Trojan.Downloader.aao processes to kill:

empa.exe
lwpwer.exe
CbEvtSvc.exe

Then post another HJT logfile to analyze as an attached txt file,

polonus

Thanks for the reply, polonus.
Did a scan with SAS and quarantined and deleted the files.
Attached the HijackThis file:

Can anybody advise me on what to do next?
Thanks


An analysis of your last HJT log shows the following problems :

We couldn’t detect any active process of a firewall on your system. Possible reasons are :
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall. Download and install one or activate Windows XP’s firewall, which gives only inbound protection. Better would be the use of a 2-way firewall which has both inbound and outbound protection.

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
Unnecessary (deactivated) entry that can be fixed. Related to WindowsLive\Messenger.
http://www.spyandseek.com/Search.php?search_for=5C255C8A-E604-49b4-9D64-90988571CECB&search=SAS-Search (5th & 6th on list)

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
Unnecessary (deactivated) entry that can be fixed. coIEPlg.dll - Browser plugin related with Norton_Confidential

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
Unnecessary (deactivated) entry that can be fixed. IPSBHO.dll - Symantec Intrusion Prevention

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
Unnecessary (deactivated) entry that can be fixed. Related to Symantec CoIEPlg.dll
http://www.spyandseek.com/Search.php?search_for=7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA&search=SAS-Search (3rd & 4th from bottom of list)

O4 - HKLM..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.8.6.0\SbOEAddOn.exe
Must be fixed! Related to Hotbar’s Weather Forecast tool for your desktop.
http://www.threatexpert.com/files/SbOEAddOn.exe.html
http://www.bleepingcomputer.com/startups/spamblocker-14625.html

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Unnecessary (deactivated) entry that can be fixed.
http://www.spyandseek.com/Search.php?search_for=CD67F990-D8E9-11d2-98FE-00C0F0318AFE&search=SAS-Search (1st on list)

O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
Unnecessary (deactivated) entry that can be fixed. Related to AVG Internet Security.
http://www.pcpitstop.com/libraries/process/i/avgwdsvc.exe.html

As you can see above, there are leftover remains of both Symantec/Norton and AVG. These entries show that your computer is not clean of former av services and this could be a contributing factor to your problems.

Overview of running tasks (process - category - description) :

smss.exe - System task - Session Manager Subsystem
winlogon.exe - System task - Microsoft Windows Logon Process
services.exe - System task - Windows Service Controller
lsass.exe - System task - Local Security Authority Service
svchost.exe - System task - Microsoft Service Host Process
svchost.exe - System task - Microsoft Service Host Process
svchost.exe - System task - Microsoft Service Host Process
aswUpdSv.exe - Virusscan - Avast Anti-Virus Component
ashServ.exe - Virusscan - Avast
Explorer.EXE - System task - Microsoft Windows Explorer
spoolsv.exe - System task - Microsoft Printer Spooler Service
MDM.EXE - Backgroundtask - Machine Debug Manager
SeaPort.exe - Backgroundtask - Microsoft search enhancement
slserv.exe - System task - modem software on CLEVO 2200C/27
svchost.exe - System task - Microsoft Service Host Process
ups.exe - System task - Uninterruptible
WLIDSVC.EXE - Unknown task (Windows Live ID Service) - http://www.pcpitstop.com/libraries/process/i/WLIDSVC.EXE.html
mHotkey.exe - Backgroundtask - Chicony Multimedia Console
SearchIndexer.exe - System task - Search Indexer
jusched.exe - Backgroundtask - Sun Java Update Scheduler
devldr32.exe - Application - Creative Ring3 NT Interface
ashDisp.exe - Virusscan - Avast AntiVirus
WLIDSvcM.exe - Unknown task (Windows Live ID Service Monitor) - http://www.pcpitstop.com/libraries/process/i/wlidsvcm.exe.html
ctfmon.exe - System task - Alternative User Input Services
SUPERAntiSpyware.exe - Anti Ad/Spyware software - SUPERAntiSpyware
ashMaiSv.exe - Virusscan - Avast Anti-Virus Component
ashWebSv.exe - Virusscan - avast! Web Scanner
IEXPLORE.EXE - Application - Windows Internet Explorer
IEXPLORE.EXE - Application - Windows Internet Explorer
wltuser.exe - Backgroundtask - wltuser.exe
HijackThis.exe - Application - Merijn Hijackthis
SearchProtocolHost.exe - System task - SearchProtocolHost
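Added example, not part of polonus's post and not HijackThis code: a small Python triage of the O-entries quoted in the analysis above. It separates dead registry pointers (entries ending in "(no file)" or "(file missing)", the ones the post calls unnecessary and fixable) from O4/O23 autostarts that still point at an existing binary, and extracts the filename used for the process-database lookups in the post. The ExampleTray line is a constructed, hypothetical clean entry.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the O-entries quoted in the post above plus one clean,
# hypothetical O4 line (ExampleTray) so both triage outcomes appear.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.8.6.0\SbOEAddOn.exe
O4 - HKLM..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
BINARY_RE = re.compile(r"([^\\\s\]]+\.(?:exe|dll))", re.IGNORECASE)

@dataclass
class HjtEntry:
    section: str          # O2 (BHO), O3 (toolbar), O4 (Run key), O9 (button), O23 (service)
    body: str             # text after the "On - " tag
    clsid: Optional[str]  # COM class id for BHO/toolbar/button entries
    orphaned: bool        # registry entry points at a binary that no longer exists

def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    clsid = CLSID_RE.search(body)
    orphaned = body.endswith("(no file)") or body.endswith("(file missing)")
    return HjtEntry(section, body, clsid.group(0) if clsid else None, orphaned)

def binary_name(e: HjtEntry) -> Optional[str]:
    """Filename to check in a process database, as the post does for SbOEAddOn.exe."""
    m = BINARY_RE.search(e.body)
    return m.group(1) if m else None

def triage(log_text: str) -> dict:
    """Dead pointers are cleanup only; O4/O23 entries with a present file actually run at boot."""
    result = {"orphaned": [], "live_autostart": [], "other": []}
    for line in log_text.splitlines():
        e = parse_hjt_line(line)
        if e is None:
            continue
        bucket = "orphaned" if e.orphaned else ("live_autostart" if e.section in ("O4", "O23") else "other")
        result[bucket].append(e)
    return result
```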