Trojan Horse Downloader


7 replies to this topic

#1 craneop


Posted 16 March 2008 - 02:52 PM

Hello everyone, this weekend my AV/malware programs found the following. Is there a bigger problem with my comp? I seem to be getting a lot of trojans in the last 3-6 months. I do all of my banking on the comp. I will call the bank and change all p/w's. Thanks for the help. Joe Mc

AVG found Trojan horse downloader presario.A in C:\WINDOWS\system32\msCMT srvc.exe (file size 160 KB). AVG moved this file to the virus vault.

a-squared Free - Version 3.1
Last update: 3/15/2008 11:47:43 PM

Scan settings:

Objects: Memory, Traces, Cookies, C:\, D:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 3/15/2008 11:50:49 PM

c:\windows\system32\fonts detected: Trace.Directory.IamBigBrother
c:\program files\pcsecurityshield detected: Trace.Directory.Privacy Defender 3.0
C:\Documents and Settings\Owner\Cookies\owner@compaq-desktop.aol[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@com[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\477jmz03.default\cookies.txt:35 detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\477jmz03.default\cookies.txt:41 detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\477jmz03.default\cookies.txt:42 detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\477jmz03.default\cookies.txt:43 detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\477jmz03.default\cookies.txt:44 detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\477jmz03.default\cookies.txt:79 detected: Trace.TrackingCookie
C:\hp\bin\CorelWP\src\intro.exe detected: Trojan.Win32.RC5_Dropper.e
C:\hp\bin\KillWind.exe detected: Riskware.RiskTool.Win32.PsKill.p
C:\hp\region\EN_US-ie.reg detected: Trojan.WinREG.StartPage

Scanned

Files: 131508


#2 PropagandaPanda

Malware Response Team

Posted 16 March 2008 - 03:54 PM

I assume that since you have AVG, that you are using Windows XP? Please only run this tool if you are.
  • Download SDfix setup onto your desktop.
  • Run the installer. Leave the install location at your system root.
  • After the install, boot into Safe Mode.
  • Click your Start Menu. Click Run. Type in c:\sdfix\runthis.bat. Hit OK.
  • The prompt window will open. Type Y and hit Enter.
  • Wait for the scan to finish.
  • You will be prompted to restart. Press any key to do so. Allow SDFix to boot the computer into normal boot.
  • At reboot, the prompt window will pop up, along with a log shortly after. Copy the contents of the log back in your next reply.



#3 ruby1

a forum member

Posted 16 March 2008 - 04:03 PM

Information on this thread from the same member, http://www.bleepingcomputer.com/forums/t/136643/spybot-s-d/, relates to this problem, which might help the hunt for a cure.

#4 craneop

Topic Starter

Posted 16 March 2008 - 05:30 PM

Propaganda Panda, thanks! You are the man. I appreciate your reply. I ran the program, and here is the log.

SDFix: Version 1.158

Run by Owner on Sun 03/16/2008 at 06:15 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\IALMCOIN.DLL - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 18:19:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000042

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 9 Apr 2003 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.SYS"

Finished!

Not to get ahead of myself here. Do I delete all of my ERUNT backups, or quarantine them with AVG? What about restore points? Thanks for the help. Thanks, Joe Mc
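The "Authorized Application Key Export" block in the SDFix log above lists the Windows XP firewall exceptions as `path:scope:state:name` values. As an added example that is not from this thread or from SDFix, the following Python script parses that block and flags enabled exceptions for programs outside the Windows and Program Files trees; the sample text and its third, out-of-place entry are constructed, and the list of trusted directory prefixes is an assumption.

```python
import re

# Constructed sample, written in the same shape as the "Authorized Application Key Export"
# block SDFix prints; the third entry is an invented, obviously out-of-place exception.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\svchost.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\svchost.exe:*:Enabled:svchost"
'''

KEY_RE = re.compile(r'^\[.*\\firewallpolicy\\(\w+)\\authorizedapplications\\list\]$', re.I)
VALUE_RE = re.compile(r'^"(.+)"="(.+)"$')
# Directories from which a firewall exception on a stock XP install is expected (assumption).
TRUSTED_PREFIXES = ('%windir%\\', 'c:\\windows\\', '%programfiles%\\', 'c:\\program files\\')

def parse_export(text):
    """Turn the key-export text into a list of {profile, path, scope, state, name} dicts."""
    entries, profile = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            profile = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if not m or profile is None:
            continue
        # The value is "path:scope:state:name"; rsplit keeps the drive colon inside the path.
        parts = m.group(2).replace('\\\\', '\\').rsplit(':', 3)
        if len(parts) != 4:
            continue
        path, scope, state, name = parts
        entries.append({'profile': profile, 'path': path, 'scope': scope,
                        'state': state.lower(), 'name': name})
    return entries

def suspicious_entries(entries):
    """Enabled exceptions for programs outside the Windows or Program Files trees."""
    return [e for e in entries
            if e['state'] == 'enabled'
            and not e['path'].lower().startswith(TRUSTED_PREFIXES)]

if __name__ == '__main__':
    for e in suspicious_entries(parse_export(SAMPLE_EXPORT)):
        print(f"[{e['profile']}] {e['path']} ({e['scope']}, {e['name']})")
```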

#5 quietman7

Bleepin' Janitor, Global Moderator

Posted 16 March 2008 - 05:44 PM

When an anti-virus quarantines a file by moving it into a virus vault (chest), that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "false positive". If that is the case, then you can restore the file and add it to the exclusion or ignore list. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the quarantined file is known to be bad, you can delete it at any time.

"Understanding AVG7 Free Virus Vault"
"AVG FAQ #647: I have some files in the AVG Virus Vault. What next?"

Download OTMoveIt2 by OldTimer and save to your Desktop.
  • Connect to the Internet and double-click on OTMoveIt2.exe to launch the program
  • Click on the green CleanUp! button.
  • When you do this a text file named cleanup.txt will be downloaded from the Internet.
  • If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the Internet you should allow it to do so.
  • After the text file has been downloaded, you will be asked if you want to Begin cleanup process?
  • Select Yes.
  • Doing this will remove the specialized tools and backups.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


#6 craneop

Topic Starter

Posted 16 March 2008 - 06:24 PM

Quietman7, Propaganda Panda, thank you!!! I very much appreciate the help. I ran OTMoveIt2. I will now run all AV/malware tools, create a new restore point/ERUNT backup, and clean up the system. THANKS AGAIN, Joe Mc

#7 craneop

Topic Starter

Posted 16 March 2008 - 06:28 PM

One quick question: should I delete the other two user accounts on this comp and then recreate them? Or is that not necessary? Thank you

#8 PropagandaPanda

Malware Response Team

Posted 16 March 2008 - 06:33 PM

This most likely won't be necessary, since malware usually loads itself into the Program Files or the WINDOWS folder. The files saved in the accounts are not run at startup.

However, should you feel the need to be extra safe, by all means do.
