Trojan Downloader


20 replies to this topic

#1 kdshakk


Posted 17 February 2009 - 10:38 AM

Hello,

I seem to have a Trojan downloader on my Windows XP laptop. I have Norton Antivirus, which is detecting it, but cannot get rid of it. In fact the message says "Downloader cannot be removed from an unsupported file." This just started a few days ago and I cannot say that anything major has happened yet, but I am really trying to avoid a disaster. Can you please help me try to figure out how to remove this thing? I don't get very much information from Norton re: version name or anything like that. I did review some of the processes that were posted for others, but I did not want to start anything without getting someone to guide me through it. Thanks so much for your help.

Karen


#2 quietman7


Posted 17 February 2009 - 03:23 PM

Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes. Click this link to see a list of programs that should be disabled.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 kdshakk

kdshakk
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:24 PM

Posted 17 February 2009 - 08:04 PM

Ok. I am going to post the log below. After the program ran and I deleted the infected files, when the Notepad log popped up, so did the same Norton message from before.

Thanks!

Malwarebytes' Anti-Malware 1.34
Database version: 1771
Windows 5.1.2600 Service Pack 3

2/17/2009 7:56:42 PM
mbam-log-2009-02-17 (19-56-42).txt

Scan type: Quick Scan
Objects scanned: 93399
Time elapsed: 20 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 22
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{02910a3c-5d77-4a3e-8a13-fdf81ac7fecd} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0485b9a3-61d4-40a9-82ee-5b8b6bd51a58} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{29143580-a3e7-4afb-a8ef-b88f3b56c5a3} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3eb2d5e5-ab7c-46db-950e-878cf812aa1c} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5caeb087-af31-494d-842d-39cf1c7adade} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5df8c005-6e2e-4bd6-a765-304a8e550ece} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{60659361-1c5f-4fa7-aeb0-f39df2547122} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6a97a178-3e84-45af-8f28-982c22e9a49d} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7d9351b3-4ebe-4f8f-981e-9af90ba99f54} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7e22e1d0-5af8-4fb8-a635-bd31b3308c71} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{821a05ed-bb06-4444-a1e0-f0ab21ff626d} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{886bacae-e094-4bde-912e-99c3a3ddd122} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8f290589-db12-447f-8f38-d24653ce9f13} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bad16ee0-5134-4dc2-bd33-46a557c93d36} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ec6671fe-7062-4f26-8383-4b887c4cb50b} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fc8db863-22bc-4382-ac7a-96fabfd95bb8} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e9d2f33-4585-4404-aa57-15b2b03707f4} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Security Plug-in (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Messenger Service (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\xbtb05988.xbtb05988toolbar (Adware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Karen Shakkour\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
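The log above has a regular shape: a few header lines, a summary block of counts, then one section per category with one detection per line in the form "item (family) -> action". As an added example (not code from this thread, from Malwarebytes, or from anyone posting here), the Python script below parses that format, tallies detections by family, checks the declared counts against the items actually listed, and reports anything whose action was not a completed quarantine, which is exactly the case in which the instructions above insist on a normal reboot. SAMPLE_LOG is a constructed, abridged copy of the posted log with the account name replaced by the placeholder USERNAME; its last "Delete on reboot" line is constructed to exercise the reboot check and does not appear in the posted log.

```python
"""Parse a Malwarebytes' Anti-Malware 1.34 log of the shape posted above into
structured data and sanity-check it. Added example; not Malwarebytes' code."""
import re
from collections import Counter

# Constructed, abridged copy of the posted log. The account name is replaced by
# the placeholder USERNAME; the final "Delete on reboot" line is constructed to
# exercise the reboot check and does not appear in the posted log.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1771
Windows 5.1.2600 Service Pack 3

2/17/2009 7:56:42 PM
mbam-log-2009-02-17 (19-56-42).txt

Scan type: Quick Scan
Objects scanned: 93399
Time elapsed: 20 minute(s), 42 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 4
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{02910a3c-5d77-4a3e-8a13-fdf81ac7fecd} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e9d2f33-4585-4404-aa57-15b2b03707f4} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Messenger Service (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\xbtb05988.xbtb05988toolbar (Adware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\USERNAME\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\USERNAME\Local Settings\Temp\constructed.tmp (Trojan.Downloader) -> Delete on reboot.
"""

PROGRAM_RE = re.compile(r"^Malwarebytes' Anti-Malware (\S+)$")
HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# item (family) -> action.   The trailing period is dropped from the action.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
DONE = "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return {'header': {...}, 'declared': {section: count}, 'detections': [...]}."""
    report = {"header": {}, "declared": {}, "detections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if (m := PROGRAM_RE.match(line)):
            report["header"]["Program version"] = m.group(1)
        elif (m := HEADER_RE.match(line)):
            report["header"][m.group(1)] = m.group(2)
        elif (m := SUMMARY_RE.match(line)):          # "Registry Keys Infected: 4"
            report["declared"][m.group("section")] = int(m.group("count"))
        elif (m := SECTION_RE.match(line)):          # "Registry Keys Infected:"
            section = m.group("section")
        elif section and (m := DETECTION_RE.match(line)):
            report["detections"].append({"section": section, **m.groupdict()})
    return report


def family_counts(report):
    """How many items each detection family accounted for, most common first."""
    return Counter(d["family"] for d in report["detections"]).most_common()


def count_mismatches(report):
    """Sections whose declared count differs from the number of items listed."""
    listed = Counter(d["section"] for d in report["detections"])
    return {s: (n, listed.get(s, 0)) for s, n in report["declared"].items()
            if n != listed.get(s, 0)}


def pending_reboot(report):
    """Items whose action was anything other than a completed quarantine; these
    are the ones that only go away after the normal reboot the instructions ask for."""
    return [d["item"] for d in report["detections"] if d["action"] != DONE]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep["header"])
    for family, n in family_counts(rep):
        print(f"{n:3d}  {family}")
    print("count mismatches:", count_mismatches(rep) or "none")
    print("still pending reboot:", pending_reboot(rep) or "none")
```

Run against the full log posted above, the same functions show that the 22 registry keys break down into 17 Rogue.VirusProtectPro entries, 2 Adware.MyWebSearch, 2 Trojan.Zlob and 1 Adware.Trace, all of them completed quarantines, which is why the log alone cannot explain the Norton alert that followed.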

#4 kdshakk

kdshakk
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:24 PM

Posted 18 February 2009 - 10:14 AM

Though the log says that everything has been removed successfully I am still getting the message that I have a Trojan Downloader from Norton. Any more thoughts?
Thanks so much for your help.

Edited by kdshakk, 18 February 2009 - 10:14 AM.


#5 quietman7


Posted 18 February 2009 - 11:31 AM

Did Norton provide a specific file name associated with this malware threat(s) and, if so, where is it located (full file path) on your system? Each security vendor uses their own naming conventions to identify various types of malware, so it's difficult to determine exactly what has been detected or the nature of the infection without knowing more information about the actual file(s) involved.

Now rescan again with MBAM, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database updates through the program's interface (the preferable way) before scanning, and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#6 kdshakk


Posted 18 February 2009 - 11:56 AM

Norton does not give a specific name. I disabled Norton (forgot the first time) and did a quick scan again, and it found 4 more problems which I deleted, but I got the pop-up again after I rebooted and enabled Norton. Now I am doing a full scan, so I am writing this email from another computer. I actually have to leave town (and my computer) for two days, so I may not be able to report results till then.

#7 quietman7


Posted 18 February 2009 - 12:00 PM

That's fine. Make sure you repeat your anti-virus scan in "Safe Mode".

#8 kdshakk


Posted 21 February 2009 - 10:56 AM

I ran a full scan in Malwarebytes, after updating, and it came up with no threats. Then I shut down and restarted in safe mode and ran Norton Antivirus. It came up with one cookie, which I removed. When I restarted in Normal mode the same Norton message popped up during the reloading process. Below is the link to the information I get from Norton when I choose "get help". The link says it is low risk, but the pop-up message from Norton says that it is high risk. In any case Malwarebytes now says there are no threats, but I still keep getting the message.

http://securityresponse.symantec.com/secur...-101518-4323-99


Thanks

#9 quietman7


Posted 21 February 2009 - 11:58 PM

That's just a generic description of a downloader. Norton should be identifying the file it is detecting as a downloader and its location.

#10 kdshakk


Posted 22 February 2009 - 08:32 AM

Yes, I know it should, but it doesn't. A window pops up that says "Actions Required. Norton has detected threats that require your attention. The risk is high." The title says "Downloader cannot be removed from an unsupported file." I get to the other link when I choose help. AND when I open a web page in IE I am taken to a Symantec home page reset (which I have not done yet).

I realize I should be getting more info, but for some reason I'm not.

#11 kdshakk


Posted 22 February 2009 - 11:58 AM

I just clicked on the word downloader in the file's description and I got another window. It says that the affected area is one file, and under details this is what it says word for word: [maximizer_startup.exe]inside of [c:/program files\notebook maximizer\update.exe]

Hoping this gives some insight.

#12 quietman7


Posted 22 February 2009 - 05:06 PM

maximizer_startup.exe is a process related to Notebook Maximizer or Maximizer Startup by Ingenuiti.

The detection on that file may be a false positive. Anytime you suspect a file may be a false positive, get a second opinion. Go to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis.

If it is a false positive, then you should contact the vendor and advise them so they can investigate and make corrections.

Symantec has instructions for dealing with possible false detections. Please read Symantec False Positive Submission.

#13 kdshakk


Posted 22 February 2009 - 06:30 PM

Jotti's found nothing; VirusTotal identified Backdoor/IRC.Zapchast (see below).

File update.exe received on 08.15.2007 00:28:01 (CET)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
FileAdvisor - - -
Fortinet - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - Backdoor/IRC.Zapchast
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -

Additional information
MD5: 0f57df13e64f9213421f5debaf00518a
SHA1: 511215aee70fcadc615f24b8c6fcc3ba86756455
SHA256: 0567cac2b9f102d9c5bf0c1babc1a6be04dc1f3964acae2bfbd66bb82ab84e05
SHA512: ed546798cab059b834c4e0e576dfe93fd3f6f48fdb31ad2b6c15301589ce60effc1a3cb1cbed1bbe45f808df518b15a577f673d61229a75c030a3545023e9641

Edited by kdshakk, 22 February 2009 - 06:32 PM.
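quietman7's advice a few posts up was to get a second opinion on a suspected false positive, and the VirusTotal result posted here lists the file's MD5, SHA1, SHA256 and SHA512 together with one detection among the engines shown, on a scan dated 08.15.2007, well before this thread. As an added example (not code from the thread, from VirusTotal, Jotti or Symantec), the Python script below does the two checks a helper would want before drawing any conclusion from such a listing: it recomputes the digests of the local file and compares them with the hashes the report gives, so that a cached report about some other file is caught, and it tallies the flat engine listing to count how many engines flagged the sample. REPORTED_HASHES is copied from the listing above; SAMPLE_LISTING is a constructed six-row excerpt of it; taking the file path as a command-line argument is this script's own assumption.

```python
"""Second-opinion hygiene for a suspected false positive: confirm the local
file is the sample a public report describes, then read the report's engine
tally. Added example; not code from the thread or from any scanning service."""
import hashlib
import re

# Hashes exactly as listed in the VirusTotal result posted above for update.exe.
REPORTED_HASHES = {
    "md5": "0f57df13e64f9213421f5debaf00518a",
    "sha1": "511215aee70fcadc615f24b8c6fcc3ba86756455",
    "sha256": "0567cac2b9f102d9c5bf0c1babc1a6be04dc1f3964acae2bfbd66bb82ab84e05",
}

# Constructed six-row excerpt of the engine listing posted above
# (columns: Antivirus, Version, Last Update, Result; "-" means no detection).
SAMPLE_LISTING = """\
AhnLab-V3 - - -
Kaspersky - - -
McAfee - - -
Symantec - - -
TheHacker - - Backdoor/IRC.Zapchast
Webwasher-Gateway - - -
"""

ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def digests_of_bytes(data):
    """Hex digests of an in-memory blob for every algorithm in ALGORITHMS."""
    return {name: ctor(data).hexdigest() for name, ctor in ALGORITHMS.items()}


def file_digests(path):
    """Same digests as digests_of_bytes, but streamed from disk in 64 KiB chunks."""
    hashers = {name: ctor() for name, ctor in ALGORITHMS.items()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_mismatches(local, reported):
    """{algorithm: (local, reported)} for every algorithm the two disagree on.
    Empty means the local file is the very sample the report describes; any
    entry means the report's verdict says nothing about the file you have."""
    return {
        alg: (local[alg], reported[alg].lower())
        for alg in reported
        if alg in local and local[alg] != reported[alg].lower()
    }


def detection_ratio(listing):
    """Parse 'Engine Version LastUpdate Result' rows; a '-' result is clean.
    Returns ({engine: verdict for each flagging engine}, engines_counted)."""
    row = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")
    flagged, engines = {}, 0
    for line in listing.splitlines():
        m = row.match(line.strip())
        if not m:
            continue
        engines += 1
        if m.group(4) != "-":
            flagged[m.group(1)] = m.group(4)
    return flagged, engines


if __name__ == "__main__":
    import sys

    # Assumed usage: python second_opinion.py <path to the suspected file>
    if len(sys.argv) > 1:
        diff = hash_mismatches(file_digests(sys.argv[1]), REPORTED_HASHES)
        print("same sample as the report" if not diff else f"different file: {diff}")
    flagged, total = detection_ratio(SAMPLE_LISTING)
    print(f"{len(flagged)}/{total} engines flagged: {flagged}")
```

If the digests disagree, the listing is about a different build of update.exe and should not be read as a verdict on the one on disk; if they agree, a single engine's detection against an otherwise clean column is the kind of result the false-positive submission route above exists for.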


#14 quietman7


Posted 23 February 2009 - 10:53 AM

I would send a copy of the file to Symantec so they can investigate further.

#15 kdshakk


Posted 23 February 2009 - 11:48 PM

Symantec wants to charge me $100 to "look at it".



