Need Help with Downloader Trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by gregowen, Feb 7, 2008.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note the C:\WINDOWS\system32\Rpccwcamh.exe file is pretending to be a Microsoft file with a description of Generic Host Process for Win32 Services, which would really be what the valid svchost.exe file from Microsoft is. What this file really is, is this:

    http://www.sophos.com/security/analyses/trojqqrobabs.html


    It also says the original file name of Rpccwcamh.exe is rpcs.exe

    The m1.exe and wincom.exe files (which are exactly the same file) are actually the same as Rpccwcamh.exe as far as what they are internally named and what the original file names are. They are just different sizes than Rpccwcamh.exe.
     
  2. gregowen

    gregowen Private E-2

    I rebooted the computer and ran MGlogs, the file is attached.

    There appears to be no evidence anywhere of the trojan now and there are no reports from Zone Alarm or AVG :)

    When AVG ran its initial test after install when I was not connected to the internet it found 868 problems and fixed all of them successfully. Most were reported as being related to downloader.small.60.AR and were all over various files. As a result I now have to re-install many of my programs, which is easy to do once I know it's all cleaned.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs appear to be clean too. Just delete that Rpccwcamh.xxx file I had you rename. And then empty your Recycle Bin to get rid of it.

    Go slowly when you do this to make sure no problems arise. Only reinstall one or two applications at a time and then reboot. After reboot, make sure everything is okay and then continue the process. However, do the below first!!


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    By the way, you may want to read more about what AVG removed from your PC, which may have been a secondary infection on top of what we were fixing. McAfee calls the infection that AVG removed by a different name. They call it W32/Cekar. Read this to learn more: http://vil.nai.com/vil/content/v_141463.htm

    In short it is a worm and can infect all executables on a PC. The key information in the above link is:
     
