• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 437
  • Last Modified:


How can I get rid of all trace of Trojan-Downloader.WinAD.c ?
Kaspersky AV has deleted it after a full system scan and can now run .exe's okay but still get garbled dialogue boxes on system start-up and when loggin out. No response from Kaspersky support after 4 days !!
2 Solutions
Adaware, spybot search+destroy, spyware dr. :) "Spyware Dr." got rid of it on my client's PC, but you need a full version (i.e. pay for it)
cehrnowAuthor Commented:
Have run Adaware.SE which found it and deleted it. But still can't remove the garbled dialogue boxes.
Track em down.
Press ctrl+alt+delete as soon as possible when you start the box.
See what executable starts this. Or narrow it down.

Also run hijackthis.

analyse the log at the site.
Remove the ones marked nasty.
See if that solves it.

If NOT post a link to your hijackthis log so I can have a look.
What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

Get Autoruns from:


When you run it, it shows a bunch of startups. From the View menu, select everything between "Show Appinit..." to "Hide Microaoft..." then select Refresh.

Examine the list carefully and disable anything that looks suspicious of unnecessary.

Reboot and see if that did it.
cehrnowAuthor Commented:
Have checked and nothing suspicious at all. Tried disabling some anyway but no difference. Does the fact that the box appears before logging in help diagnose ? PS. Using Windows XP Sp2.
What version of Windows are you running?

Did you try Hijackthis?
Don't post the entire log here. Instead send us the link to the on-line log analysis page.

Also, you can save the results of Autoruns using File -> Save as... to a text file and cut and paste those results here, just in case.

When you say the box appears "before logging in" do you mean it appears even before you type in your password?
cehrnowAuthor Commented:
WindowsXP SP2.
Yes, dialog box appears before the list of user names appear and it is necessary to click OK to continue. Some garbled characters in it.
this virus is really a baby virus...
discovered today from some big software company.. and not yet discovered (or published) from others.....

the Trojan.downloader (or Trojan.dropper, depends on the company's sintax) it's a big family... you can find generical info about it in internet.... and you can start to have an idea of what kind of virus is..... but for more info or for a complete removal instruction it's better to wait unless you really know what to do!

so..... this is not a solution...... but i can't be sure of what the virus do! neither can someone that hasn't the virus or the code of the virus i think....

you can try to find something in the regedit at the list of startup run process but it's not sure you really find something...
if you can... wait
"Yes, dialog box appears before the list of user names appear and it is necessary to click OK to continue. Some garbled characters in it."

It's probably installed as a Service or Device Driver then.

When you run Autoruns, pay particular attention to the Services group. Post the output here if not sure using "File->Save as" to save it to a text file first.

To look for suspect device drivers, start Control Panel -> System -> Hardware -> Device Manager.

Then click on View and "Show Hidden Devices". Then pay particular attention to "Non plug-and-play devices". If you don't feel confident don't remove unknown devices, post their names here so we can see what might be suspicious.
cehrnowAuthor Commented:
to mastrominchione: Understood - good advice but frustrating !

to r-k: Services section only has:

CVPND...cvpnd.exe    (Cisco Systems VPN Client)
kavsvc....kavsvc.exe  (Kaspersky AV)
NVSvc....nvsvc32.exe (Provides system and desktop level support for the NVIDIA display driver)

Those all seem OK.

Anything interesting or unknown in the Devices (esp. the non plug-and-play after enabling "show hidden devices")?
cehrnowAuthor Commented:
So many and nothing obvious to me..how about ASCTRM, Fips, Klif, Klmc, ksecdd, mnmdd, Null, vsdatant ?
These are all legit drivers, from  MS, Kaspersky and Zone Alarm.
cehrnowAuthor Commented:
Still not a complete solution but understand the situation much better now and agree that I should wait a while for a defined solution.
Thanks for your help.

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now