
Trojan Question

Discussion in 'Security and Privacy' started by roy66, 2004/06/08.

Thread Status:
Not open for further replies.
  1. 2004/06/08
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Over the past 3 days I have probably been trojan infected 3 times.

    I have noticed in postings that others also have been infected by this Keenval Trojan.

    In each instance with me it has been associated with an updater file.

    Does anyone have an explanation as to how or why this Keenval Trojan associates itself with this file or actually gets into my PC.

    I am running AVG6 and Zonealarm6 and update files daily and sometimes more frequently.

    Just wondering if there is some loophole that I am not aware of.

    I also am up with all Microsoft critical updates.

    JUST WONDERING?

    roy66
     
  2. 2004/06/08
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,889
    Likes Received:
    386


  4. 2004/06/08
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    That Trojan is a downloader, and you got it by a drive-by install of some toolbar or you installed some sort of adware [do not mean Ad-Aware] program on your computer.
    You didn't mention your OS, but the loophole you may not be aware of is your System Restore if you have ME or XP. You can remove the trojan all you want, but if it is in there, it gets put back. You need to disable System Restore, reboot, then enable it again.
    But follow this recommendation. Get CWShredder, Spybot, and HijackThis, all free and the links are below. First run CWS with the Fix Option with all browsers closed, then reboot. Install Spybot, update it, then do the scan, have it remove everything already checked off.
    Then use HJT to do a scan, and post the log on here. Don't do anything with HJT yet, wait for advice. It is just a tool, it doesn't tell you what is bad.
     
  5. 2004/06/08
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Thanks guys,

    I just removed a Trojan from Program/Common/Updater sui.exe and thought I was pretty clever 'cause I used HJT and eliminated the O4 that related to the updater file and then used Move On Boot to snuff it out, then rebooted.

    It seems my action has created a problem for me 'cause now I have a/this Trojan in Program/Common/Updater delupdate.exe but when I look for the Updater file it is now not there so I am lost as to how I can locate it to remove it.

    The other thing is...Is one able to determine if the Trojan is in System Restore or is that a trial and error approach.....you know, sorta guesswork !!!

    Roy 66
    Current log
    Logfile of HijackThis v1.97.7
    Scan saved at 7:06:39 PM, on 8/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Mixer.exe
    C:\PROGRA~1\AVG6\avgcc32.exe
    C:\Program Files\ZoneAlarm\zlclient.exe
    C:\Program Files\RoboForm\RoboTaskBarIcon.exe
    D:\ALL of C March 22 04\AutoSizer\AutoSizer.exe
    C:\Program Files\World Clock\zsWldClk.exe
    C:\Program Files\Outlook Express\MSIMN.EXE
    C:\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tpg.com.au/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\AdobeAcrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\RoboForm\RoboForm.dll
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\RoboForm\RoboTaskBarIcon.exe "
    O4 - HKCU\..\Run: [AutoSizer] "D:\ALL of C March 22 04\AutoSizer\AutoSizer.exe" /h
    O4 - HKCU\..\Run: [TClockEx] D:\ALL of C March 22 04\TClockEx\TCLOCKEX.EXE
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
    O4 - Startup: MiniMinder.lnk = C:\Program Files\MiniMind\MiniMind.exe
    O4 - Startup: World Clock 2001.LNK = C:\Program Files\World Clock\zsWldClk.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{17932D31-5BDB-41D8-829A-D10C7B0AFDA9}: NameServer = 203.12.160.35,203.12.160.36
     
    Last edited: 2004/06/08
  6. 2004/06/08
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    If you did a full scan [all files and folders] with AVG, and a virus is found in C:\System Volume Information\etc, that is one way you know, and AVG cannot get it out, XP will not let it. Only XP can do it for you, by disabling System Restore, rebooting, then enabling it again. The Restore Points are deleted and then recreated new by doing this.

    About the file in C:\Program Files\Common Files\Updater, have MoveOnBoot delete the entire folder, you do not need that folder.

    Your HJT log looks clean to me, only one thing needs fixing that I see.

    R3 - Default URLSearchHook is missing
     
  7. 2004/06/08
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    That should have read Updater folder.......it has gone but I had an AVG readout that I had a Trojan in there Updater/delapdate.exe and when I went to load it into Move On Boot of course I couldn't find the Folder/file.

    Thanks for your tip on SVI 'cause believe it or not AVG says I've got one there now "Downloader.Keenval.C" and in future when I get an SVI readout at least I'll know where to go to deal with the critter and so will many others who take a peek at this posting.

    For the life of me I haven't a clue how and/or why I am being infected so consistently.

    OK away I go to exterminate this critter and hopefully I don't get a read out from AVG to go to Updater folder as it ain't there any more.

    I am posting this at 7:48pm Tues June 8....what time is it in Texas?
     
  8. 2004/06/08
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    I did an online scan with RAV and it suggested 1 infection being:
    C/Program Files/Incredifind/BHO/IncFindBHO.dll-TrojanDownloader:win32/????.bx

    Well I did an AVG on this and it came up clean so I did some online searching and found that it was a useless bit of add on that wasn't helpful at all so I have sent it to the Recycle bin..the whole IncrediFind folder.

    Perhaps that could be the trojan encourager..eh!

    Goodnight.

    roy66
     
  9. 2004/06/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks like I dropped the ball in your last thread and failed to have you do after-fix-cleanups and protections. My apologies. :eek: First, update Ad-aware again.
    Assuming that the updater folder is gone, disable system restore.
    You will need to show hidden files and folders.
    Open C:\Windows\Prefetch, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open and run Ad-aware configured for a custom full scan. Delete all it finds.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
    Reboot and enable system restore.

    Do you have Spybot Version 1.3? If not, download it from my signature and install. Allow it to load SD Helper. Open it up and click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install and update.
    Download and install IESpyads.

    That will give you an added layer of protection against unwanted parasites.
     
  10. 2004/06/08
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Probably not, and not worth the effort to find it unless you knew the date of the initial infection. If you have repeated infections because the trojan hasn't been fully removed, then, because of the daily SR points being created, the trojan gets "backed up". In that case, shut down SR and then re-enable. This should be done once you're clean.

    SR will re-infect you ONLY if restores are done by you, otherwise the trojan just sits there in SR's restore files, a potential re-infection source.

    Regards - Charles
     
  11. 2004/06/08
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    There are a few things you can check. Go into Internet Options, go to Advanced tab. In the list of items there, make sure both Install On Demand items are unchecked. The On Demand is not your demand but on the website's demand.
    Then go to the Security Tab, with Internet highlighted, click on the Custom button. For the ActiveX controls, which begins at the top, have them set in this fashion, going down the line.
    Prompt
    Disable
    Disable
    Enable
    Enable
    The O16's in the HJT log are these controls, your Macromedia Flash/Shockwave will still work.
    Then go into Spybot and use the Immunize feature, with 1.3 version you are protected against 1622 threats. Some of these threats involve the Trojan.Downloaders.
    If you want further protection, get the IESpyads file from my Signature below, it will put a bunch of websites into your Restricted Sites Zone. This will only work if you go into the Restricted Zone, and set everything to Disable, if no Disable select High, set Password to Prompt, and these sites will not be able to put so much as a cookie on you. Just take a read through the webpage you download it from.
     
  12. 2004/06/08
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Thanks Guys,

    Only Install on demand (other) was ticked so I removed that, though I don't really know its purpose/function or why it's there.

    The ActiveX controls were as you suggested.

    Immunization with Spybot came up with 1914 items 1161 blacklisted.

    All a bit over my head.

    roy66

    THANKS
     
  13. 2004/06/08
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Only Install on demand (other) was ticked so I removed that, though I don't really know its purpose/function or why it's there.
    So a webpage can install just about anything it pleases, the Install on Demand [other] is how so many people get driveby installs.

    The ActiveX controls were as you suggested.
    Good, that means the Install on Demand [other] was one culprit.

    Immunization with Spybot came up with 1914 items 1161 blacklisted.
    Click on the green cross with the word Immunize next to it. Then down below where it says Browser Helper, put a checkmark for the box next to "Enable Permanent blocking of bad addresses in Internet Explorer".
    Down below that, it may say "Block all bad pages silently", this is fine.

    When both are done correctly, you should see two green circle icons with a white check.
     
  14. 2004/06/08
    dan239

    dan239 Inactive

    Joined:
    2002/10/07
    Messages:
    187
    Likes Received:
    0
    Roy66

    To answer your question about what time it is in Texas. When you posted at 7:48PM the time in Texas was 4:48AM June 8.

    Daniel
     
    Last edited: 2004/06/08
  15. 2004/06/09
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    As a point of interest when I run Spybot, each time it brings up a DSO Exploit with reference to 5 Registry settings.

    It suggests there is a security hole in IE allowing websites to execute code without asking.

    I have downloaded ALL critical updates that Microsoft recommends following its search of my PC.

    Am I then according to Spybot, still vulnerable even after putting in place the recommendations from these postings?

    Roy66
     
  16. 2004/06/09
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    For an explanation on DSO: http://forums.net-integration.net/index.php?showtopic=15308

    This thread is at SSD's forum hosting site.

    Regards - Charles
     
  17. 2004/06/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Excellent find Charles! Noted :)
     
  18. 2004/06/09
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Hear, hear.

    Excellent find.

    It never ceases to amaze that the wealth of knowledge contributed through these postings not only provides solutions to a person's problem but enables thousands of people to visit and accumulate knowledge as well.

    Gotta finish off here before my desktop freezes again....another post to another section

    Thanks
    roy66
     
  19. 2004/06/09
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    It is an excellent link.

    Why do I think LowWaterMark is sorry it was ever brought up though? :eek: :eek:

    No matter how many times and how many ways he tries to say this really is not a problem if your PC is patched, he keeps getting ignored.

    And even with the specific contents for a .reg file that will patch the glitch, folks seem to want to keep trying to manually edit their registry and messing it up.
     
  20. 2004/06/09
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Yes, very excellent link.
    Reading all the way through it reminds me when I used the EICAR file on someone's computer to show them that their AV program was working. The AV program says one thing, and here I am telling them the file is harmless.
     