Win32:downloader-pku, best procedure to remove?

Hello forum,

My parents’ shared computer has the Win32:downloader-pku trojan on it as reported by Avast! I’ve been trolling the forum looking for a procedure to remove this and I’ve seen various tools being used.

Can somebody let me know which tool to use first so that I can post the requested logs and maybe get rid of this thing? I’d rather restore this from scratch, but the system restore discs were never created when they bought this box and I’m thinking creating them now will possibly put the trojan on the discs with the restore data.

Thanks for your time,
busterdog

Some more information would be helpful, e.g. the file name/s and location/s of the detection/s.

There is a possibility that this is just the symptom of a larger problem and the above information would hopefully indicate that.

Hey, I suggest you follow this guide.

http://forum.avast.com/index.php?topic=53253.0.

Then a malware expert will guide you from there.

Let’s find out what the problem is first.

Thanks for your responses.

The virus chest shows filenames of 80000064@ located under Windows\Installer.… and a file name of 00000004.@ in the same path. The last two that are reported show as “Win32:Malware-gen” now, but were “Win32:Downloader-PKU[Trj]”.

I just spent a couple of hours waiting for an avast boot time scan to finish and it found some of the above file names, which I okayed a delete on, but they seem to be back or at least persistent. Avast keeps plopping it into the Virus Chest every 5 minutes or so.

Any other info I can provide?

thanks again,
busterdog

Yes, that has an underlying infection that needs specialist removal. Follow the instructions in the guide link that mikaelrask provided and attach the logs here for further analysis by a malware removal specialist.

This may take a little time with time zones and volunteer work commitments. It is almost 12:30am in the UK and essexboy will be in bed now, so it will be later today before he is able to take a look at it. Unless one of the other malware removal specialists in a closer time zone can pick it up.

Whilst the alerts are a pain, avast is preventing the infection from getting worse or downloading more malware.

(I’ll try this again, looks like I may have lost my post)

Thanks DavidR,

I was expecting some issues with the time zones involved so I also expect this may take a bit to clear up. I also have the added ‘bonus’ that the workstation is 20 miles from where I live and my folks are still fairly active. So I haven’t been able to get to the workstation for the past two days. Sometimes parents don’t listen.

I’ll get some logs posted as quick as I can. And maybe get a key to the house.

Much appreciated!
busterdog

PS if I have double posted I apologize. We have been dealing with 100°F weather for four weeks and power has been a bit wonky here in the middle U.S.

I got access to the machine and have attached the requested logs.

Thanks for your help, I appreciate it.

busterdog

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
[2010/10/16 12:32:03 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/11/14 12:09:17 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/12/22 07:14:17 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/02/20 16:11:21 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-2646965363-668145429-1483013181-1001\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.

:Files
ipconfig /flushdns /c
C:\windows\assembly\GAC_32\Desktop.ini
C:\windows\assembly\GAC_64\Desktop.ini
C:\windows\Installer\{58a39912-581e-a9f4-4bfc-71602711a65d}
C:\Users\Gene\AppData\Local\{58a39912-581e-a9f4-4bfc-71602711a65d}

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
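The OTL fix above targets GUID-named folders under Windows\Installer and the user’s AppData\Local, plus Desktop.ini files dropped into the GAC_32 and GAC_64 assembly folders. The following is an added, read-only PowerShell check (not part of this thread or of OTL) that reports whether those on-disk indicators are present so the output can be posted for a specialist; it deletes nothing. The "@"-suffix filename pattern is an assumption generalised from the names busterdog reported (80000064@, 00000004.@).

```powershell
# Added example, not from the thread: report-only check for the indicators the OTL fix
# above names. Run from an elevated PowerShell prompt. Nothing is modified or deleted.
$findings = @()

# 1. GUID-named folders under Windows\Installer and each user's AppData\Local.
#    Windows\Installer normally holds .msi/.msp files, not {GUID} directories.
$guidDir = '^\{[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}$'
$roots = @("$env:SystemRoot\Installer") +
         @(Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
           ForEach-Object { Join-Path $_.FullName 'AppData\Local' })

foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $guidDir } |
        ForEach-Object {
            # Assumption: files named like 80000064@ / 00000004.@ (trailing "@") as seen by the poster.
            $atFiles = Get-ChildItem -LiteralPath $_.FullName -File -Force -Recurse -ErrorAction SilentlyContinue |
                       Where-Object { $_.Name -match '@$' }
            $findings += [pscustomobject]@{
                Check  = 'GUID folder'
                Path   = $_.FullName
                Detail = if ($atFiles) { ($atFiles.Name -join ', ') } else { 'no @-files inside' }
            }
        }
}

# 2. Desktop.ini inside the .NET Global Assembly Cache folders (both listed in the :Files section).
foreach ($gac in 'GAC_32', 'GAC_64') {
    $ini = Join-Path "$env:SystemRoot\assembly\$gac" 'Desktop.ini'
    if (Test-Path -LiteralPath $ini) {
        $item = Get-Item -LiteralPath $ini -Force
        $findings += [pscustomobject]@{
            Check  = 'GAC Desktop.ini'
            Path   = $ini
            Detail = "size=$($item.Length) attributes=$($item.Attributes)"
        }
    }
}

if ($findings.Count -eq 0) {
    'No indicators from the thread found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
    'Report-only: post this output in your topic rather than deleting anything yourself.'
}
```

A legitimate {GUID} folder can exist under AppData\Local, so a hit on the first check alone is a reason to post logs, not proof of infection; the "@"-files and the GAC Desktop.ini entries are the stronger signals in this thread.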

Thanks Essexboy for your time and help.

I followed the recipe you sent along and everything went fairly well. I have a couple of questions, just to make sure I didn’t miss something:

a. OTL ran well but there are multiple users on this machine. The screen shot of OTL did not have the ‘Scan all Users’ box selected, so I ran OTL without that option. Is this correct?

b. I had disabled Avast per instructions, but Combofix kept telling me it was running. I went as far as trying to close the AvastUI.exe entry in task manager, but it refused to close. So I went on with running Combofix. Just thought you may need to know this information.

So far in the past hour Avast has not popped up a quarantine message, which is pretty nice. I’ll have to leave it to my family to use and I’ll check back in a few hours and see how it’s doing.

I’ve attached the requested logs.

Again, thanks for your help. I have spent a lot of time working on this for my Dad. I actually was setting up to back everything up and set up for a factory restore! Since multiple family members use this, and not all live here, coordinating that has been a problem as well.

So I really appreciate your time and help.

busterdog

No, I only needed all users for the initial scan …

How is the computer behaving now? Any problems?

No, it appears to be doing well, thanks to you and others here. Reports from the homestead state that no new warnings have appeared for some hours.

Anything we should be watching for? Otherwise, what’s the next step, if any?

Thanks.
busterdog

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Remove ComboFix

[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall (notice the space between the “x” and “/”) then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[*]Follow the prompts on the screen
[*]A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Go to control panel
[*]Select folder options (Appearance > Folder options in category view)
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

[*] Go to this site and click Do I have Java
[*] It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point

[*]Go to Control Panel and select System
[*]Select System
[*]On the left select System Protection and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones

[*]Go to Start > All programs > Accessories > System tools
[*]Right click Disc cleanup and select run as administrator
[*]Select Your main drive and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif

Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti-virus to protect your system and to keep them updated. To keep your operating system up to date visit:

[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?

Keep safe :wave:

[quote author=essexboy link=topic=101528.msg813759#msg813759 date=1342811005]
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
[/quote]

I see that you say at the very start that this should not be used with other computers - but this appears to be the same problem I’m having with my computer. It just started today, and I get a new warning every 10 minutes from Avast. It has me concerned and I want to clean up my computer, but after searching on Google for how to remove it, I have already seen at least one website talking me through wiping out a lot of my Windows processes and this has me very scared on how to proceed.

Please help me…I have no experience with this sort of thing.

Thanks,
Deb

That is correct, you shouldn’t use fixes as they are crafted for what is on a specific system.

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and start your own new topic (see below) and attach the logs there, not in the LOGS topic.

  • Please create your own new topic, here http://forum.avast.com/index.php?board=4.0 in the viruses and worms forum (click the New topic button at the top of the page see image) and we will try and help you there.

There may be a delay due to time zone and availability of the specialists, essexboy is in the UK and it is almost 2:25am here now.

Essexboy,

Finally got back to this workstation and ran through the clean up processes that you requested. According to my Dad, things are running well. One of my sisters who uses this also reports it’s doing very well. I have requested they observe and let me know if there are any new alerts in the next 24 hours.

Otherwise, like I reported before, this operation appears successful. Thanks for your help, I appreciate it very much.

As a late friend of mine used to say, “next time i see ya, I’ll buy you a nickel beer”. ;D

I’ll let you know what happens after the 24 hour cool down period.

Busterdog

Thank you very much :slight_smile: - I will get on that as soon as I get home from work - for now I have shut my computer down until I can try to fix it.

Essexboy,

All things seem to be working at this end now. It took a bit more than 24 hours for me to get back over here, but family members report the quarantine messages have stopped and remain quiet.

I am upgrading software for them today and it is, indeed, behaving itself.

Thanks much for all your time!

busterdog

Grand … Once all is updated it should be a hardier system ;D
