Downloader-AWX (REMOVAL PROCEDURE)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by elitelogi, Jun 19, 2006.

  1. elitelogi (Private E-2)

    Since this forum is strictly moderated, this post with removal instructions might get deleted by the admins (and if so, I apologize to those admins)....
    BUT, I know several people are still struggling with the Downloader-AWX trojan. After following all the procedures and using all the tools, THIS IS HOW I FINALLY CLEANED MY COMPUTER!!!!!.

    This trojan embeds itself into IE as a BHO and you'll notice it when going to "Manage Add-ins" from the Tools menu in IE. It also places 2 files into the C:\Windows\System32 directory. One is a .dll file and the other is a .exe. The file names appear to be random, but if you sort by "Date Modified" in Windows Explorer, both the files will have the same date/time. (This is how I found the .exe, because VirusScan only flagged the .dll.) As others have reported, VirusScan (I'm using McAfee) will find it using the latest definition file (at least 4786), but it can't remove it or delete it.

    Here is how I removed it (WORKED FOR ME, BUT FOLLOW AT YOUR RISK):
    First, I had to temporarily turn off the System Restore feature of XP.
    Second, I ran HijackThis to determine the proper .dll file.
    The scan will show the following odd entries:
    O2 - BHO: (no name) - {b9547f8b-857f-41ca-a1a1-023371078929} - C:\WINDOWS\system32\krnmmc.dll (NAME OF YOUR FILE IS PROBABLY DIFFERENT!!!!!)

    O20 - Winlogon Notify: krnmmc - C:\WINDOWS\SYSTEM32\krnmmc.dll

    Whatever the name of your .dll file is, you should notice both of these corresponding entries. Apparently, as soon as you log into Windows, the Winlogon.exe service will load the .dll which is why it makes it tough to delete it.

    So, simply checking these and hitting the "Fix It" button in HijackThis did NOT work. I had to use the MISC TOOLS section of HijackThis (get there by clicking the "Config" button from the scan screen, and clicking the "Misc Tools" button at the top.) And then use the "Delete file on Reboot" tool, to navigate to and flag the .dll file for deletion. I believe HijackThis will prompt you to restart your computer.

    After reboot, re-run scan from HijackThis and delete any remaining registry entries. Also, don't forget to also delete the corresponding .exe file from the System32 directory that I mentioned earlier. Next, I would re-run a complete system scan with your VirusScan software and make sure any residual files are deleted.

    Don't forget to re-enable your system restore feature when all finished.
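The post's procedure is done by hand in HijackThis and Windows Explorer. The script below is an added example, not part of the original post or of HijackThis, that performs the same triage from PowerShell: it lists the two persistence points the post describes (the Browser Helper Objects key and the Winlogon Notify key), finds the sibling file that shares the DLL's timestamp, and, only when asked, stages the DLL for deletion at the next reboot through the same mechanism HijackThis's "Delete file on reboot" uses (an entry in PendingFileRenameOperations, which is what MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes). The registry paths are the standard Windows locations; the DLL name krnmmc.dll is taken from the post and will differ on your machine. It assumes PowerShell 3.0 or later run from an elevated prompt, so it is not something the 2006 XP box in the post would have had without installing PowerShell.

```powershell
# Added example (not from the original post). Read-only unless -Remove is given.
# Usage:  .\Triage-Bho.ps1                       # list BHOs and Winlogon Notify packages
#         .\Triage-Bho.ps1 -SuspectDll C:\WINDOWS\system32\krnmmc.dll          # plus sibling files
#         .\Triage-Bho.ps1 -SuspectDll C:\WINDOWS\system32\krnmmc.dll -Remove  # stage removal
param(
    [string]$SuspectDll,   # the DLL HijackThis showed in the O2/O20 lines (name differs per machine)
    [switch]$Remove
)

# Standard registry locations for the two persistence points the post describes.
$bhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# 1. Every registered BHO, resolved through its CLSID to the DLL that IE will load.
Write-Host '== Browser Helper Objects (HijackThis O2) =='
Get-ChildItem $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $inproc = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    [pscustomobject]@{ CLSID = $clsid; Dll = $inproc.'(default)' }
} | Format-Table -AutoSize

# 2. Winlogon Notify packages: winlogon.exe loads these at logon, which is why the
#    DLL is in use before you can delete it and why a plain "Fix" fails.
Write-Host '== Winlogon Notify packages (HijackThis O20) =='
Get-ChildItem $notifyKey -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    [pscustomobject]@{ Name = $_.PSChildName; DllName = $p.DLLName }
} | Format-Table -AutoSize

if (-not $SuspectDll) { return }
$dll = Get-Item -LiteralPath $SuspectDll

# 3. The post's trick: the dropped .exe carries the same modified time as the .dll.
Write-Host "== Files in $($dll.DirectoryName) written within 60 s of $($dll.Name) =="
Get-ChildItem -LiteralPath $dll.DirectoryName -File |
    Where-Object { [math]::Abs(($_.LastWriteTime - $dll.LastWriteTime).TotalSeconds) -le 60 } |
    Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize

if (-not $Remove) { return }

# 4. Delete-on-reboot: append "\??\<path>" followed by an empty string (= delete) to the
#    multi-string value the session manager processes before any DLL is loaded.
$smKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$existing = (Get-ItemProperty $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
$entries  = @()
if ($existing) { $entries += $existing }   # keep anything Windows Update or an installer already queued
$entries += "\??\$($dll.FullName)", ''
Set-ItemProperty $smKey -Name PendingFileRenameOperations -Value ([string[]]$entries) -Type MultiString

# 5. Remove the registry hooks that reference this DLL so nothing reloads it after the reboot.
Get-ChildItem $notifyKey | Where-Object { (Get-ItemProperty $_.PSPath).DLLName -like "*$($dll.Name)" } |
    ForEach-Object { Write-Host "Removing Winlogon Notify $($_.PSChildName)"; Remove-Item $_.PSPath -Recurse -Force }
Get-ChildItem $bhoKey | Where-Object {
    $ip = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$($_.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue
    $ip.'(default)' -like "*$($dll.Name)"
} | ForEach-Object { Write-Host "Removing BHO $($_.PSChildName)"; Remove-Item $_.PSPath -Recurse -Force }

Write-Host "Staged $($dll.FullName) for deletion; reboot, then re-scan and delete the sibling .exe."
```

Run it once without -Remove and compare the output against the HijackThis O2/O20 lines before touching anything; the Notify key legitimately contains Microsoft packages, so match on the specific DLL name rather than clearing the key. The delete-on-reboot entry works because the session manager processes PendingFileRenameOperations before winlogon.exe runs, which is the same reason the HijackThis tool succeeds where an in-session delete fails.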
     
