How do I remove Downloader virus??? Help!

My Norton AntiVirus Software detected a "Downloader" virus at
"C:\WINDOWS\system32\autlog.dll". The Software can't fix, quarantine,
or delete the infected file, even though all the definitions have been
updated. I've gone on SafeMode and tried to scan and remove the virus
from there, but it still won't. I've also tried to manually remove it
by going to the location and trying to delete the file in question, but
the computer won't let me. I've run AdAware as well but Norton
AntiVirus is still saying I have it, and the pop-up warning window
won't go away!

Someone told me that I can't remove it manually because the infected
file is a registry file. So the question is, how do I remove this thing
from my computer? Please help! Thanks!

BrianNo@gmail.com wrote:

> My Norton AntiVirus Software detected a "Downloader" virus at
> "C:\WINDOWS\system32\autlog.dll". The Software can't fix, quarantine,
> or delete the infected file, even though all the definitions have been
> updated. I've gone on SafeMode and tried to scan and remove the virus
> from there, but it still won't. I've also tried to manually remove it
> by going to the location and trying to delete the file in question, but
> the computer won't let me. I've run AdAware as well but Norton
> AntiVirus is still saying I have it, and the pop-up warning window
> won't go away!
>
> Someone told me that I can't remove it manually because the infected
> file is a registry file. So the question is, how do I remove this thing
> from my computer? Please help! Thanks!

A "Downloader" virus is too generic a term. Didn't NAV give you an actual
name? If it did, what is it? Googling for "autlog.dll" brought me nothing
which isn't unusual for malware, since it is common for viruses and malware
to have random names.

You can try scanning with David Lipman's Multi_AV or Sysclean:

http://www.elephantboycomputers.com/...icros_Sysclean
http://www.ik-cs.com/multi-av.htm - how to use Dave Lipman's Multi-AV
http://www.ik-cs.com/programs/virtools/Multi_AV.exe - Multi-AV download
http://pcdid.com/Multi_AV.htm - additional Multi_AV instructions

You might also want to scan with Ewido and go through some of the other
removal steps here:
http://www.elephantboycomputers.com/...moving_Malware

If none of that works, you should run HijackThis and post your log at one of
the specialty forums listed at the site above (not here, please).

Otherwise, take the machine to a professional computer repair shop (not your
local version of BigStoreUSA).

Malke
--
MS-MVP Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"

Hi. I tried your Sysclean software, and I followed the directions, but
the software didn't find any infections on my computer. When I
restarted my computer on normal mode, NAV said that I still have the
"Downloader" virus.

Also, that's the only name NAV will give me. All it says is that it's a
Trojan Horse virus and that it's called "Downloader".

Perhaps there's another way to remove this virus before it wreaks havoc
on my computer?

Thanks.

BrianNo@gmail.com wrote:

> Hi. I tried your Sysclean software, and I followed the directions, but
> the software didn't find any infections on my computer. When I
> restarted my computer on normal mode, NAV said that I still have the
> "Downloader" virus.
>
> Also, that's the only name NAV will give me. All it says is that it's a
> Trojan Horse virus and that it's called "Downloader".
>
> Perhaps there's another way to remove this virus before it wreaks havoc
> on my computer?

What happens when you try to delete the autlog.dll file? If you get an error
message, what does it say? Are you using a current version of NAV (2005/06)
with updated virus definitions?

Things to try:

1. Right-click on the file and look on the Version tab if it exists. This
can help get information about where the file came from, although most
malware doesn't have it.

2. If I were working on the machine and was *very* sure the file was malware
(and since I'm not and can't see your computer please take this advice with
that caveat):

a. If the file is in use and can't be deleted or renamed in Safe Mode, I
would try Safe Mode Command Prompt. Navigate to the file location and try
deleting it from the command line.

b. If that didn't work, I would boot the system outside of Windows with
either a Bart's PE or other professional tool and delete the file that way.
You may or may not have the ability to do this; there is no way for me to
know.

3. Have you run Ewido as I suggested? I would. Make sure you update it and
then boot into Safe Mode to scan.

4. If Ewido doesn't find anything, do as I also suggested and run HijackThis
and post your log to one of the following specialty forums (not here,
please):

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/foru...howtutorial=42
http://aumha.net/viewforum.php?f=30
http://castlecops.com/forum67.html
http://spywarewarrior.com/viewforum.php?f=5
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

5. Send the autlog.dll to VirusTotal to see if they can identify it.
http://www.virustotal.com/flash/index_en.html

6. Take the machine to a professional computer repair shop (not a big box
store) where someone skilled in virus/malware removal can look at it.

Malke
--
MS-MVP Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"

Malke, I guess simply deleting file would not help because as OP wrote AV's
tried to do that without success.

To OP: most likely this dll module is injected into system processes, I
would use Far (http://farmanager.com/) to search where this module is
loaded - goto processes tab, alt + f7 and search for occurences of 'autlog'
string. If it will be found in processes let us know where exactly. Another
option is to search for this dll in registry. It can be registered as BHO or
Winlogon notification package. Removing usually helps - but only for cases
when module does not protect itself.

--
Vladimir (Windows SDK MVP)

"Malke" <notreally@invalid.com> wrote in message
news:%23MpbCH0pGHA.4932@TK2MSFTNGP05.phx.gbl...
> BrianNo@gmail.com wrote:
>
>> Hi. I tried your Sysclean software, and I followed the directions, but
>> the software didn't find any infections on my computer. When I
>> restarted my computer on normal mode, NAV said that I still have the
>> "Downloader" virus.
>>
>> Also, that's the only name NAV will give me. All it says is that it's a
>> Trojan Horse virus and that it's called "Downloader".
>>
>> Perhaps there's another way to remove this virus before it wreaks havoc
>> on my computer?
>
> What happens when you try to delete the autlog.dll file? If you get an
> error
> message, what does it say? Are you using a current version of NAV
> (2005/06)
> with updated virus definitions?
>
> Things to try:
>
> 1. Right-click on the file and look on the Version tab if it exists. This
> can help get information about where the file came from, although most
> malware doesn't have it.
>
> 2. If I were working on the machine and was *very* sure the file was
> malware
> (and since I'm not and can't see your computer please take this advice
> with
> that caveat):
>
> a. If the file is in use and can't be deleted or renamed in Safe Mode, I
> would try Safe Mode Command Prompt. Navigate to the file location and try
> deleting it from the command line.
>
> b. If that didn't work, I would boot the system outside of Windows with
> either a Bart's PE or other professional tool and delete the file that
> way.
> You may or may not have the ability to do this; there is no way for me to
> know.
>
> 3. Have you run Ewido as I suggested? I would. Make sure you update it and
> then boot into Safe Mode to scan.
>
> 4. If Ewido doesn't find anything, do as I also suggested and run
> HijackThis
> and post your log to one of the following specialty forums (not here,
> please):
>
> http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
> http://www.bleepingcomputer.com/foru...howtutorial=42
> http://aumha.net/viewforum.php?f=30
> http://castlecops.com/forum67.html
> http://spywarewarrior.com/viewforum.php?f=5
> http://www.wilderssecurity.com/
> http://forums.tomcoyote.org/
>
> 5. Send the autlog.dll to VirusTotal to see if they can identify it.
> http://www.virustotal.com/flash/index_en.html
>
> 6. Take the machine to a professional computer repair shop (not a big box
> store) where someone skilled in virus/malware removal can look at it.
>
> Malke
> --
> MS-MVP Windows Shell/User
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic"

Hi there. I downloaded Ewido as you recommended, updated the
definitions, and then ran the software in SafeMode, and voila, Ewido
identified the virus and quarantined it. Thanks for all your help.
Phew!

BTW, just to let you know, Ewido identified the virus as
"Downloader.Conhook.aa" and "Downloader.Conhook.ab"

From: <BrianNo@gmail.com>

| Hi there. I downloaded Ewido as you recommended, updated the
| definitions, and then ran the software in SafeMode, and voila, Ewido
| identified the virus and quarantined it. Thanks for all your help.
| Phew!
|
| BTW, just to let you know, Ewido identified the virus as
| "Downloader.Conhook.aa" and "Downloader.Conhook.ab"

The Conhook is NOT a virus.
It is a Trojan that is similar in functionality to the Vundo Trojan.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

BrianNo@gmail.com wrote:

> Hi there. I downloaded Ewido as you recommended, updated the
> definitions, and then ran the software in SafeMode, and voila, Ewido
> identified the virus and quarantined it. Thanks for all your help.
> Phew!
>
> BTW, just to let you know, Ewido identified the virus as
> "Downloader.Conhook.aa" and "Downloader.Conhook.ab"

Excellent. Since David Lipman identified the culprit as a trojan similar to
Vundo, you may want to run one of the Vundo fixes here:

http://www.elephantboycomputers.com/page2.html#Winfixer

This is just to be sure your machine is really, really clean. It's your
call.

Malke
--
MS-MVP Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"

From: "Malke" <notreally@invalid.com>

..ab"
|
| Excellent. Since David Lipman identified the culprit as a trojan similar to
| Vundo, you may want to run one of the Vundo fixes here:
|
| http://www.elephantboycomputers.com/page2.html#Winfixer
|
| This is just to be sure your machine is really, really clean. It's your
| call.
|
| Malke

Hi Malke:

FYI

The Conhook Trojan uses a BHO and uses the Winlogin Notify key just like the Vundo does.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman wrote:

> From: "Malke" <notreally@invalid.com>
>
> .ab"
> |
> | Excellent. Since David Lipman identified the culprit as a trojan similar
> | to Vundo, you may want to run one of the Vundo fixes here:
> |
> | http://www.elephantboycomputers.com/page2.html#Winfixer
> |
> | This is just to be sure your machine is really, really clean. It's your
> | call.
> |
> | Malke
>
> Hi Malke:
>
> FYI
>
> The Conhook Trojan uses a BHO and uses the Winlogin Notify key just like
> the Vundo does.
>

Thanks, David. So you think the OP is clean and doesn't need to do anything
further?

Malke
--
MS-MVP Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"

From: "Malke" <notreally@invalid.com>


| Thanks, David. So you think the OP is clean and doesn't need to do anything
| further?
|
| Malke

It appears that Ewido handled it OK.

It also wouldn't hurt to take other actions "just in case".

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

> The Conhook is NOT a virus.
> It is a Trojan that is similar in functionality to the Vundo Trojan.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

At the risk of sounding stupid, I've never actually heard of the Vundo...
any links that could be useful?

--U

Unobtrusive wrote:

>
>> The Conhook is NOT a virus.
>> It is a Trojan that is similar in functionality to the Vundo Trojan.
>>
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> http://www.ik-cs.com/got-a-virus.htm
>
> At the risk of sounding stupid, I've never actually heard of the Vundo...
> any links that could be useful?
>
> --U

http://www.google.com/search?hl=en&q...=Google+Search

Malke
--
MS-MVP Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"

From: "Unobtrusive" <menchi1@bigpond.com.au>

htm
|
| At the risk of sounding stupid, I've never actually heard of the Vundo...
| any links that could be useful?
|
| --U
|

Not a stupid question at all !

Sophos calls the Vundo Trojan - Troj/Agent-DO
http://www.sophos.com/virusinfo/anal...ojagentdo.html

Symantec:
http://www.symantec.com/security_res...912-99&tabid=2

McAfee:
http://vil.nai.com/vil/content/v_127690.htm

And now for the Conhook...
McAfee calls the Conhook Trojan - Dwnloader-AWX
http://vil.nai.com/vil/content/v_139973.htm
http://vil.nai.com/vil/content/v_140040.htm

Sophos:
http://www.sophos.com/support/knowle...oduct_search=0

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

[susan_ihm]

Start the computer in safe mode.
Navigate to the infected files and right click on it and click on properties.
Click on the security tab and click on the advanced button.
Uncheck the box which says "Inherit from parent the permission......."
Click on remove>apply>yes>ok.
Restart the computer again in safe mode and login into the administrator user and delete the infected file.
Take a backup of the registry and search for the infecte file and delete it.
Try this.........