Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Downloader Trojan


  • Please log in to reply
3 replies to this topic

#1 rst21

rst21

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:23 PM

Posted 13 April 2006 - 10:17 AM

I was surfing the internet yesterday, and my Symantec anti-virus software posted the following in a popup:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Downloader.Trojan
File: C:\Documents and Settings\cosgrove\Local Settings\Temporary Internet Files\Content.IE5\8J7RQC59\e[1].anr
Location: C:\Documents and Settings\cosgrove\Local Settings\Temporary Internet Files\Content.IE5\8J7RQC59
Computer: WWS-78CR23A
User: cosgrove
Action taken: Clean failed : Quarantine failed : Access denied


I have taken all the suggested measures to clean my computer. Nothing indicated that I had any sort of virus or trojan. Below is my Hijackthis log. Many thanks to anyone who can assist.


Logfile of HijackThis v1.99.1
Scan saved at 8:09:11 AM, on 4/13/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Tivoli\TSM\baclient\dsmcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\LTSMMSG.exe
C:\WINNT\AGRSMMSG.exe
C:\WINNT\system32\AEIWLSTA.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\WINNT\system32\verclsid.exe
C:\WINNT\system32\verclsid.exe
C:\WINNT\system32\verclsid.exe
C:\WINNT\system32\verclsid.exe
C:\WINNT\system32\verclsid.exe
C:\WINNT\system32\verclsid.exe
C:\WINNT\system32\verclsid.exe
C:\WINNT\system32\verclsid.exe
C:\WINNT\system32\verclsid.exe
C:\WINNT\system32\verclsid.exe
C:\WINNT\system32\verclsid.exe
C:\WINNT\system32\verclsid.exe
C:\WINNT\system32\verclsid.exe
C:\WINNT\system32\verclsid.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\WINNT\system32\verclsid.exe
C:\WINNT\system32\verclsid.exe
C:\WINNT\system32\verclsid.exe
C:\WINNT\system32\verclsid.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pulproxy.princeton.edu :8080
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200112...meInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex...tupv2.0.0.9.cab?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = princeton.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = princeton.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = princeton.edu
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: TSM Scheduler - IBM Corporation - C:\Program Files\Tivoli\TSM\baclient\dsmcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


m

#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:06:23 PM

Posted 22 April 2006 - 09:03 AM

Hello rst21 and welcome to the BC HijackThis forum. The only thing i see in the log are a couple of search re-directors which we will clean out below. I do not see any signs of viruses or malware.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Let's also do a little standard cleanup and clean out the temporary internet files and other temporary files locations.

Download CleanUp! and install it.

Start CleanUp! and do the following:
  • Click the Options button.
  • Make sure only the following are checked:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files (XP only)
    • Cleanup! All Users
  • Click the Ok button to close the Opetions dialog.
  • Click the CleanUp! button to run the cleanup. It may take a while depending on the size of the hard drive so be patient.
  • When it has finished, close CleanUp!.
Ok. You should be good to go.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 rst21

rst21
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:23 PM

Posted 22 April 2006 - 06:34 PM

Thanks Old Timer. I ran and fixed using HijackThis, but CleanUp! wouldn't download properly so I was unable to run it.

Before I drop this topic - from my reading on Downloader.Trojan, it sounds like it can appear as regular or innocuous looking files. Do you know if this is true, and if so, would HijackThis have caught it?

Thanks for your help. Donation on the way.

Edited by rst21, 22 April 2006 - 06:35 PM.


#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:06:23 PM

Posted 23 April 2006 - 08:40 AM

Hi rst21. Try this cleaner instead.

Download CCleaner and install it. Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

As for alot of malware, much of it trys to look like a normal or even necessary file. That way even if you see it you might not know what it is or does. They will have names or descriptions that make them look like necessary operating system files or important files that should be left alone.

As for the downloader.trojan, it isn't really a single file, it's a family or grouping of a type of malware that downloads other malware. HijackThis does not look for any specific malware, it is only a reporting tool. It looks at various registry entries and reports what it finds. These are the most common places that software is started from and the majority of what HJT finds is legitimate. There are additional, less used locations that HJT does not look at and when we cannot find anything through HJT there are other scanners available that look at those locations. And in some instances, certain types of malware actually modify legitimate operating system files so that there is no sign of them at all. That's when the only thing that will point to an infection is an anti-virus, anti-spyware or other specialized program.

In your case, Norton was pointing to a file in the Temporary Internet files folder. This type of malware comes from an infected website or popup on a website. Cleaning out the temp files locations will remove it and hence we run a cleaner for that. It's also just good housekeeping to occasionally run a cleaner. I normally do that once a week just to clean off the junk that accumulates through day to day computing.

So there's the malware 101 lesson for the day :thumbsup:. Let me knowif you have any other questions.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users