Question

Ad-Aware carrying trojans?

Asked by: PaulCaswell

I just got this virus alert from Avast:

27/05/2007      09:30:02            Engine version                          =      5.1.00
27/05/2007      09:30:02            DAT version                             =      5039
27/05/2007      09:30:02            Number of virus signatures in EXTRA.DAT =      None
27/05/2007      09:30:02            Names of viruses that EXTRA.DAT can detect =      None
27/05/2007      19:14:27      Deleted       PAULSLAPTOP\CaswellP      Ad-Aware.exe      C:\Documents and Settings\Paul\Local Settings\Temp\AAWTMP\C34112218\19AD16\Yab.exe      MultiDropper.cfg (Trojan)
27/05/2007      19:14:39      Deleted       PAULSLAPTOP\CaswellP      Ad-Aware.exe      C:\Documents and Settings\Paul\Local Settings\Temp\AAWTMP\C34112218\3D9E2\ieen_c.exe      Spy-IEen (Trojan)
27/05/2007      19:14:39      Deleted       PAULSLAPTOP\CaswellP      Ad-Aware.exe      C:\Documents and Settings\Paul\Local Settings\Temp\AAWTMP\C34112218\3D9E2\ieen_s.exe      Spy-IEen (Trojan)
27/05/2007      19:14:43      Deleted       PAULSLAPTOP\CaswellP      Ad-Aware.exe      C:\Documents and Settings\Paul\Local Settings\Temp\AAWTMP\C34112218\690BE\rsasgina.dll      FakeGina.dll (Trojan)
27/05/2007      19:14:43      Deleted       PAULSLAPTOP\CaswellP      Ad-Aware.exe      C:\Documents and Settings\Paul\Local Settings\Temp\AAWTMP\C34112218\690BE\fakegina.dll      FakeGina.dll (Trojan)
27/05/2007      19:14:45      Deleted       PAULSLAPTOP\CaswellP      Ad-Aware.exe      C:\Documents and Settings\Paul\Local Settings\Temp\AAWTMP\C34112218\3163F5\mailpv.exe      Generic PWS.f (Trojan)

What just happened? It looks to my untrained eye as if Ad-Aware is bringing trojans onto my laptop. Am I right?

Paul

This Question has been solved and asker verified.

Asked On: 2007-05-27 at 12:17:48
ID: 22597306
Topics: Anti-Spyware, Anti-Virus
Participating Experts: 3
Points: 500
Comments: 28


Answers

 

by: SheharyaarSaahil Posted on 2007-05-27 at 12:30:32 ID: 19165069

AAWTMP folder is from Ad-Aware which is created during a scan and deleted itself upon the completion of scan.
These files can be the left over from an Ad-Aware scan which was not completed properly or couldn't delete the files due to some certain reasons, like file in use or stuff like that.

What i would recommend after this happening, to boot your system in safemode and run the Ad-Aware scan there, and then run Scan Disk to get rid of all the temporary files on your hard drive.

It should take care of the issue.

 

by: younghv Posted on 2007-05-27 at 12:32:47 ID: 19165077

In addition to everything already said, I would also download and install (free)  Superantispyware
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

I still run SpyBot, but have replaced Ad-Aware since testing this.

Vic

 

by: PaulCaswell Posted on 2007-05-27 at 12:39:00 ID: 19165095

Others seem to be having a similar problem.

http://www.lavasoftsupport.com/index.php?showtopic=3926

Paul

 

by: SheharyaarSaahil Posted on 2007-05-27 at 12:42:21 ID: 19165105

that's an issue about the message about corrupted definition file.....are you getting the same error too?

 

by: PaulCaswell Posted on 2007-05-27 at 12:43:21 ID: 19165109

Thanks SheharyaarSaahil, that sounds like good advice.

Downloading super... as we speak. Thanks for the advice.

Paul

 

by: PaulCaswell Posted on 2007-05-27 at 12:45:54 ID: 19165119

SheharyaarSaahil, this happened DURING a scan but it has never happened before and I run Ad-Aware at least weekly.

Paul

 

by: SheharyaarSaahil Posted on 2007-05-27 at 12:48:06 ID: 19165124

you should be worried if it's STILL happening....otherwise if it was for once only, then you can forgive the software :)

 

by: PaulCaswell Posted on 2007-05-27 at 12:54:24 ID: 19165135

Perhaps Avast just happened to be looking in Ad-Aware's temp folder while some trojan had been unpacked from a zip or cab on my pc!

Time for a FULL virus scan! :(

Paul

 

by: SheharyaarSaahil Posted on 2007-05-27 at 12:55:24 ID: 19165138

for sure.....but this time in safemode please :)

 

by: PaulCaswell Posted on 2007-05-27 at 13:23:09 ID: 19165190

To be sure it wasn't a 'doctored' definitions file I had just pulled down I downloaded the beta and followed the instructions. Now it has deleted my old definitions and the download of the new one fails!!! :(

Paul

 

by: PaulCaswell Posted on 2007-05-27 at 14:12:36 ID: 19165269

Even stranger!

I just got

27/05/2007      22:01:01      Moved (Clean failed because the file isn't cleanable)       NT AUTHORITY\SYSTEM      SUPERAntiSpywar      C:\RECYCLER\S-1-5-21-2042538849-3001720675-1536069704-1006\Dc5\Tools\Security Exploits\File Forensics\DPWiper\DPWIPER.exe      New Malware.aj (Trojan)
27/05/2007      22:01:03      Moved (Clean failed because the file isn't cleanable)       NT AUTHORITY\SYSTEM      SUPERAntiSpywar      C:\RECYCLER\S-1-5-21-2042538849-3001720675-1536069704-1006\Dc5\Tools\Security Exploits\File Forensics\Portable GetDataBack\GetDataback_for_FAT.exe      New Malware.aj (Trojan)
27/05/2007      22:01:03      Moved (Clean failed because the file isn't cleanable)       NT AUTHORITY\SYSTEM      SUPERAntiSpywar      C:\RECYCLER\S-1-5-21-2042538849-3001720675-1536069704-1006\Dc5\Tools\Security Exploits\File Forensics\Portable GetDataBack\GetDataBack_for_NTFS.exe      New Malware.aj (Trojan)

from McAfee (sorry, I said Avast earlier) but superantispyware hasn't reported anything! It's still scanning!

Looks like McAfee has found the remains of a deleted trojan in the recycler but this must have been left by super...! So somewhere in my cabs and zips is a number of trojans that McAfee can detect but these other systems won't.

My issue still stands. The last thing I did before my system detected this virus was to download a new definitions file from LavaSoft.

Paul

 

by: PaulCaswell Posted on 2007-05-27 at 14:29:15 ID: 19165315

Hey! Hang on! That is McAfee watching Super... check the recycle bin isn't it! Doh!

 

by: younghv Posted on 2007-05-27 at 16:57:38 ID: 19165634

Have you deleted all 'temp' files and emptied the recycle bin?

CCleaner (www.ccleaner.com) does a great job (with XP or Vista) of removing all of the junk files that get left by other applications and IE.

Vic

 

by: SheharyaarSaahil Posted on 2007-05-27 at 23:59:07 ID: 19166348

yeah i agree...that seems like your system is having plenty of junk files :)

 

by: PaulCaswell Posted on 2007-05-28 at 01:21:27 ID: 19166520

All scans finished and clean, at least as far as McAfee and superantispyware are concerned.

The worrying part is this.

0. I haven't had a virus hit for more than a year. McAfee is kept up-to-date. I use FireFox with NoScript.
1. McAfee On-Access detected some trojans while Ad-Aware was running. They were found in its temporary folder.
2. McAfee On-Access detected some trojans while super... was running. They were found in the recycle bin.
3. The last thing I did before the trojans were detected was to download a new definitions file for Ad-Aware.
4. Full deep scans by McAfee and super... found nothing lurking anywhere on my system.
5. I haven't visited any unusual sites recently.


The Sherlock Holmes principle suggests to me that the trojan came down in the Ad-Aware definition file. I really don't want to be right here.

Paul

 

by: PaulCaswell Posted on 2007-05-28 at 02:03:53 ID: 19166623

I really don't get this! I just ran yet another Ad-Aware full scan and yet again, McAfee found trojans in the Ad-Aware temp folder while it was running! What's going on???

Paul

 

by: younghv Posted on 2007-05-28 at 03:32:32 ID: 19166804

Do you have the 'heuristics' feature turned on with your McAfee?
It may just be that some of the character strings in your new Ad-Aware defs resemble some malware-like code.

I am running McAfee on one computer with Defs 5039 dated 25 May.

You might want to try using one of the on-line scanners (won't interfere with existing), just for the peace of mind.

On-Line Anti-virus Scan
http://www.trendmicro.com/hc_intro/default.asp
http://www.pandasoftware.com/products/activescan.htm

Vic

 

by: PaulCaswell Posted on 2007-05-28 at 05:15:39 ID: 19167038

Heuristics is switched on. I've checked that I have the latest McAfee defs.

I'm running a HouseCall scan right now.

 

by: younghv Posted on 2007-05-28 at 05:26:32 ID: 19167061

Sounds good.
I'll be off line for a while, but will check back.

Vic

 

by: PaulCaswell Posted on 2007-05-28 at 07:09:45 ID: 19167357

McAfee showed:

28/05/2007      10:47:33            Engine version                          =      5.1.00
28/05/2007      10:47:33            DAT version                             =      5039
28/05/2007      10:47:33            Number of virus signatures in EXTRA.DAT =      None
28/05/2007      10:47:33            Names of viruses that EXTRA.DAT can detect =      None
28/05/2007      14:03:49      Deleted       PAULSLAPTOP\CaswellP      IEXPLORE.EXE      C:\Documents and Settings\Paul\Local Settings\Temp\V95CJIa05888      Spy-IEen (Trojan)
28/05/2007      14:04:05      Deleted       PAULSLAPTOP\CaswellP      IEXPLORE.EXE      C:\Documents and Settings\Paul\Local Settings\Temp\V95CJIa05888      Generic PWS.f (Trojan)

while HouseCall was running.

HouseCall found 10 infections, failed to clean 3 of them. I am starting another scan.

Paul

 

by: younghv Posted on 2007-05-28 at 08:48:03 ID: 19167820

Paul - all of those temp files need to be deleted.
I have used CCleaner on hundreds of XP computers without ever having a glitch.
Clean up all of the junk, then try again.

Also (without re-reading everything) do your SuperAS and McAfee scans in Safe Mode. That prevents a lot of processes from starting and results in a much 'deeper' scan.

Vic

 

by: SheharyaarSaahil Posted on 2007-05-28 at 12:10:01 ID: 19168594

yes, and after that can you please download hijackthis from here?
http://www.majorgeeks.com/download3155.html

run it, and click on Scan and Save a Log File,
paste the log file here >> http://www.hijackthis.de/

hit analyse, and then click on Logfile of Hijackthis link where it says "The following analyses has been stored temporarily"
post the link to the log file here please.

 

by: PaulCaswell Posted on 2007-05-28 at 15:27:12 ID: 19169300

HijackThis log here:

http://www.hijackthis.de/logfiles/c988ded7b84d7829f941883ea3205604.html

CCClean complete.

Panda found some AdWare and some trojans but wanted money to remove them. HouseCall found some stuff and failed to fix them. I am feeling a little cynical.

I've run all the scanners I can find with McAfee On-Access switched off. I'm going to start again with On-Access switched on next.

If there's something in there, why is McAfee not finding it?

Paul

 

by: dextrone Posted on 2007-05-28 at 17:40:19 ID: 19169595

Ask a friend for an AV boot disk, that's your best bet.

Put the cd in your computer in your cd-rom drive and restart{make sure your BIOS boots from cd first}, and scan. TRY An avg-free boot disk...

 

by: dextrone Posted on 2007-05-28 at 17:41:03 ID: 19169597

Oh yes; forgot to mention; be sure to UPDATE the AV you use to make the boot disk PRIOR to making the disk....

 

by: SheharyaarSaahil Posted on 2007-05-28 at 22:18:40 ID: 19170242

i cannot see anything really bad in your log file except that Flashget thingie, if you are not really addicted to it, i would advise to get rid of it, and go for Orbit >> http://www.orbitdownloader.com/

 

by: PaulCaswell Posted on 2007-05-29 at 01:03:34 ID: 19170673

It looks like I'm all clear now.

I am guessing that something that contained a virus/trojan had been recently deleted and Ad-Aware, just by looking at it, was triggering McAfee.

I still don't understand why McAfee couldn't find it on a deep scan but that is probably another question.

Thanks all for your help, you guys are amazing!! :)

Paul
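
As an added example (not part of the original thread and not any vendor's tooling), this Python script parses the on-access log rows quoted in the thread and groups each detection by the process that opened the flagged file and by where the file sat, the two columns that separate "another scanner touched it" from "a normal process touched it". The sample rows are copied from the log excerpts above; the scanner name list and the location labels are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Rows copied from the on-access log excerpts quoted in this thread.
SAMPLE_LOG = r"""
27/05/2007      09:30:02            DAT version                             =      5039
27/05/2007      19:14:27      Deleted       PAULSLAPTOP\CaswellP      Ad-Aware.exe      C:\Documents and Settings\Paul\Local Settings\Temp\AAWTMP\C34112218\19AD16\Yab.exe      MultiDropper.cfg (Trojan)
27/05/2007      22:01:01      Moved (Clean failed because the file isn't cleanable)       NT AUTHORITY\SYSTEM      SUPERAntiSpywar      C:\RECYCLER\S-1-5-21-2042538849-3001720675-1536069704-1006\Dc5\Tools\Security Exploits\File Forensics\DPWiper\DPWIPER.exe      New Malware.aj (Trojan)
28/05/2007      14:03:49      Deleted       PAULSLAPTOP\CaswellP      IEXPLORE.EXE      C:\Documents and Settings\Paul\Local Settings\Temp\V95CJIa05888      Spy-IEen (Trojan)
"""

# Assumption: process names as they appear in the thread; extend for other scanners.
KNOWN_SCANNERS = {"ad-aware.exe", "superantispywar"}

FIELDS = ("date", "time", "action", "user", "process", "path", "detection")


def parse_detections(text):
    """Return one dict per detection row; header rows (fewer columns) are skipped."""
    rows = []
    for line in text.splitlines():
        # Columns are separated by a tab or by runs of spaces; single spaces
        # inside paths and action text must not split a column.
        cols = re.split(r"\s{2,}|\t", line.strip())
        if len(cols) == len(FIELDS) and re.fullmatch(r"\d{2}/\d{2}/\d{4}", cols[0]):
            rows.append(dict(zip(FIELDS, cols)))
    return rows


def classify(row):
    """Label where the flagged file sat and whether another scanner opened it."""
    path = row["path"].lower()
    if "\\aawtmp\\" in path:
        location = "ad-aware scan temp"
    elif path.startswith("c:\\recycler\\"):
        location = "recycle bin"
    elif "\\temp\\" in path:
        location = "user temp"
    else:
        location = "other"
    return location, row["process"].lower() in KNOWN_SCANNERS


def triage(text):
    """Map accessing process -> list of (location, opened_by_scanner, detection)."""
    grouped = defaultdict(list)
    for row in parse_detections(text):
        location, by_scanner = classify(row)
        grouped[row["process"]].append((location, by_scanner, row["detection"]))
    return dict(grouped)


if __name__ == "__main__":
    for process, hits in triage(SAMPLE_LOG).items():
        for location, by_scanner, name in hits:
            note = "opened by another scanner" if by_scanner else "opened by a normal process"
            print(f"{process:16} {location:20} {name:28} {note}")
```

A row where another scanner opened a file in its own working folder or in the recycle bin shows only what that scanner was reading at the time; the original archive or deleted file it came from still has to be located and checked.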

 

by: younghv Posted on 2007-05-29 at 04:22:17 ID: 19171388

Hey Paul,
Glad you were able to work through it.
Thank you for the points.

Vic
