NIS 2009 keeps saying it has blocked the "downloader" virus.  It does this everytime on reboot, when on internet, etc.  I have tried various things to get rid of this such as:

-Ran scan using Malwarebyte's Anti-Malware

-Scan using Super Anti-Spyware

-Panda online scan

Each one found something and it was cleaned but NIS still pops up stating it blocked it.  I have been through my registry, run many cleanings, and went thru steps found in similar posts in this forum.  Cannot get this thing to go away.

I originally thought it was a startup item called "Taskman" which points to c:\windows\system32\taskmanegr.exe. However, I re-named the file and removed from startup group and still get virus message.

Can anyone take a look at my HiJackThis log file and help me destroy this thing!

Thanks.

Not yet.  I will do that, reboot, and post back with my results.

Looks as though system restore is turned off and there are no restore points.

NIS 2009 keeps saying it has blocked the "downloader" virus.  It does this everytime on reboot, when on internet, etc.  I have tried various things to get rid of this such as:

-Ran scan using Malwarebyte's Anti-Malware

-Scan using Super Anti-Spyware

-Panda online scan

Each one found something and it was cleaned but NIS still pops up stating it blocked it.  I have been through my registry, run many cleanings, and went thru steps found in similar posts in this forum.  Cannot get this thing to go away.

I originally thought it was a startup item called "Taskman" which points to c:\windows\system32\taskmanegr.exe. However, I re-named the file and removed from startup group and still get virus message.

Can anyone take a look at my HiJackThis log file and help me destroy this thing!

Thanks.

---

CCallahan wrote:
Looks as though system restore is turned off and there are no restore points.

---

I am running a Windows Home Server so it may have turned it off since it handles backups regularly.

Here is my HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:03 PM, on 5/1/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\ASUS\EPU-6 Engine\SixEngine.exe
C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
D:\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files (x86)\ASUS\TurboV\TurboV.exe
D:\Norton AntiBot\agent\Bin\NortonAntiBot.exe
C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files (x86)\D-Link\SharePort\SharePort Network USB Utility.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
D:\Norton AntiBot\agent\Bin\NABMonitor.exe
D:\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
D:\APC PowerChute Personal Edition\apcsystray.exe
D:\Logitech\SetPoint\x86\SetPoint32.exe
D:\America's Army Deploy Client\AADeployClient.exe
D:\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\sysWow64\SearchProtocolHost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Badmofo\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "D:\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [TurboV] "C:\Program Files (x86)\ASUS\TurboV\TurboV.exe"
O4 - HKLM\..\Run: [NortonAntiBot] "D:\Norton AntiBot\agent\bin\NortonAntiBot.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [D-Link Network USB Utility] C:\Program Files (x86)\D-Link\SharePort\SharePort Network USB Utility.exe -mini
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files (x86)\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [EPSON Stylus Photo R380 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_FATIBOA.EXE /FU "C:\Windows\TEMP\E_S4C57.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WinUpdate] C:\Users\Badmofo\AppData\Local\Windows Update\scvhost.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = D:\MagicDisc\MagicDisc.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Windows Home Server.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O20 - AppInit_DLLs: acaptuser32.dll
O20 - Winlogon Notify: !SASWinLogon - D:\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - D:\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Unknown owner - C:\Windows\system32\AEADISRV.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - D:\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: ASUS System Control Service (AsSysCtrlService) - Unknown owner - C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files (x86)\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PDAgent - Raxco Software, Inc. - D:\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - D:\PerfectDisk10\PDEngine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: SymantecAntiBotAgent - Symantec - D:\Norton AntiBot\agent\Bin\NABAgent.exe
O23 - Service: SymantecAntiBotWatcher - Symantec - D:\Norton AntiBot\agent\Bin\NABWatcher.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 10843 bytes
 

Hi

Are you running Vista 64bit (x64)??

What is the file name and loactaion the Norton detects?? 

When you downloaded and installed Malwarebytes and SuperAntispyware Free, did you do a definition update then do run Full Scans??

Try for now, Kaspersky Online Scan, http://www.kaspersky.com/virusscanner   (not file scanner on same page) 

Quads 

Aren’t you supposed to be able to see Risk details in Security History under Resolved/Unresolved Security Risks, the location of the malicious file being one of them?

I will run the online scan. 

As for the questions.......yes, i did definition updates before the scans..........and the location shown in NIS is always c:\windows\???? (the file name is always different.....the last one found was c:\windows\jdeadss.exe...one before that was c:\windows\asvemdsaemaory.exe....if i go and try to find these they do not exist, even with hidden files shown).

and yes…i am running Vista 64-bit

Have you unchecked the option 'Hide protected operating system files'? It's just below the Show hidden files option.

Malware on 64-bit Vista? :shock: 

---

CCallahan wrote:

I will run the online scan. 

 

As for the questions.......yes, i did definition updates before the scans..........and the location shown in NIS is always c:\windows\???? (the file name is always different.....the last one found was c:\windows\jdeadss.exe...one before that was c:\windows\asvemdsaemaory.exe....if i go and try to find these they do not exist, even with hidden files shown).

---

The reason suspected to why you cannot find these files is because it's after the fact, something is downloading these files in the "Windows" folder and Norton grabs them, then you go and look but Norton has already grabbed them.

 Are you connected to a Network??

Quads 

Yes....Anti-Malware ran on my system no problem.

I am on a LAN with my wife's computer and my WHS box.  She has NIS 2009 on her's and has not received any virus messages.

(The Kaspersky scan is still in process of running.  I will repost when done.)

Kaspersky online scan finished and found nothing.  I rebooted and as soon as Windows comes up I got another “downloader” blocked message…this time it was c:\windows\asvemdsaemaory.exe (which if searched out does not exist…even with all files set to show)

The silence is worrying me.  I'm hoping someone still has some ideas of what I can do. 

Currently, I am scanning my WHS with ClamWin just to make sure there are no infections.

Just so I fully understand the situation; WHS = Windows Home Server, right?  And this is connected to your ISP via what?

Why ClamWin?

ClamWin has a low detection rate

Have you tried disconnecting from you LAN, then once you see it is clean, restart your PC and see if the problem happens again, when connected to no other PC.

Quads 

1)  WHS = Windows Home Server

2)  Used ClamWin cause it's free and I don't have anything else to use.  Alot of other free ones don't work well on WHS.

3)  The WHS box is connected to a router with the rest of the computers which gain outside access via cable modem.

4)  I have not tried disconnecting from LAN.  That will be my next step.  

Problem is weird.  The only time I have gotten a virus message for most of the day is right after reboot.  Almost like NIS stops a service and it is started again upon boot.

I'm still not sure on the internet connection; are the 'workstations' hooked to the router or just to the server?  If everything is hooked to the router, hhmmm

But if the server is the only physical connection to the router and then the others connect to the server only, I would try and get something stronger than ClamWin (even a trial version would do) to scan the server with.

Also you can try this; right before you shut your system down, unplug the network connection from the system then shutdown.  When you start back up do you see the virus message then?

This is what I have done so far.......I rebooted just to make sure the message was still coming up.  After a few minutes after reboot I got it to show.  NIS 2009 blocked it.  I then unplugged the workstation from the network and rebooted.  Left it overnight and have had no message yet.

However, I plugged the cable back in and rebooted just to see if the message would come back.  So far, I haven't received another message.  Not sure what has happened to cause it to stop.  I downloaded Avast WHS edition trial and scanned the server.  It did not find anything and is monitoring it actively.

(Answer to your earlier question is the router has all machines plugged into it and all access the net through the router.)

I'm not sure if there is anything further I can do at this time.  If the message comes back I will post again.

Thanks for the help.  Let me know if there are any other actions to be taken.