Win32 Trojan downloader/LimeWire - Techist - Tech Forum

Go Back   Techist - Tech Forum > Computer Software > Microsoft Windows and Software
Click Here to Login
Closed Thread
 
Thread Tools Display Modes
 
Old 06-22-2006, 05:48 AM   #1 (permalink)
Newb Techie
 
Join Date: May 2006
Posts: 27
Default Win32 Trojan downloader/LimeWire

I had recently been using a file sharing program LimeWire Pro. There was a particular program that I tried to download. Unfortunately, upon trying to run the program I discovered several viruses in the program. I've run virus scans repeatedly, and the virues are being identified. I've got WindowsLive OneCare w/Windows Defender, Ad-Aware SE, Registry Mechanic, and Spyware Doctor from PCTools. These programs are finding the viruses and placing them in quarantine files. Once quarantined, is it safe to delete them from my computer? Should I do this through the virus scan program or manually (by finding the location of the file and 'right-click' deleting it)?
I am also observing that when I run virus scans and the files are listed as they are scanned, I keep seeing a C:/Win32Trojan downloader file there. I believe this is the virus, isn't it? My scans seem to be only identifying the components to this and quarantining them, but not erasing the acutal virus itself.

Also, I've uninstalled Limewire in order to clean the viruses. At one point it looked like they were gone so I tried to reinstall Limewire. After this, it's obvious that the virus is still there (Limewire will start itself automatically, and viruses will popup everywhere!). What should I do? The Limewire support team says I have been infected with Alcra virus.
__________________

dirgeKananga is offline  
Old 06-22-2006, 07:58 AM   #2 (permalink)
Techie Beyond Description
 
Osiris's Avatar
 
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Send a message via ICQ to Osiris Send a message via AIM to Osiris Send a message via MSN to Osiris Send a message via Yahoo to Osiris
Default

Follow these instructions carefully

Download ALL 10 programs and update if needed.

Ad Aware SE Personal Free

Ad-aware Messenger Service Plugin

Ad-Aware VX2 Cleaner Plug-In 2.0

Spybot Search and Destroy Free

Windows Defender 2 Beta

HijackThis

Ewido

CCleaner

Cleanup!

Follow these steps

Delete the prefetch folder C:\WINDOWS\Prefetch, this folder will come back on next reboot.

Delete all cookies and temporary internet files in the control panel, Internet Options.

Go to Start, run, type msconfig, go to startup, disable everything except your antivirus, Firewall, click apply, don¡¦t reboot yet.

Download Msconfig Cleanup below

Msconfig Cleanup

Run Msconfig Cleanup after you unchecked the items you were told to uncheck and recheck, click "Select All", then click "Clean up Selected", then click "Quit". Make sure your antivirus and firewall are not checked.

Now run each Spyware program 1 by 1. Running all 3 at the same time will slow most systems down.

When each program has finished scanning, remove everything.

Now go to the recycle bin and delete everything that is in it.

Then run CCleaner „² make sure you run the Cleaner section of Windows and Applications and then the Registry Cleaner. Make a backup if you wish while running the Registry Cleaner when it asks you.

When finished with the scans, reboot, and go into Safe Mode and run these scans again, remove everything they find, and then reboot back into Windows in normal mode.

Then run HiJackthis!

Save the log, copy and paste the log on www.techist.com
Do not attach the log, copy and paste always. This will make things go much faster.
__________________

Osiris is offline  
Old 06-22-2006, 08:13 AM   #3 (permalink)
Master Techie
 
Join Date: Feb 2004
Posts: 2,172
Send a message via AIM to Win2kpatcher
Default

This is a great little write up Warez..Did you write it? Mind if I also borrow this?
Win2kpatcher is offline  
Old 06-22-2006, 08:37 AM   #4 (permalink)
Techie Beyond Description
 
Osiris's Avatar
 
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Send a message via ICQ to Osiris Send a message via AIM to Osiris Send a message via MSN to Osiris Send a message via Yahoo to Osiris
Default

yea I wrote it, anyone can use it or tell other people to use it, thats what its for

I'm always updating it so it might change from time to time
Osiris is offline  
Old 06-25-2006, 08:32 PM   #5 (permalink)
Newb Techie
 
Join Date: May 2006
Posts: 27
Default

Here is the log file from HijackThis. Your instructions seem to have worked. I found and deleted a ton of infected files. What next?





Logfile of HijackThis v1.99.1
Scan saved at 8:26:24 PM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Documents and Settings\Preferred Customer\My Documents\Programs\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/insta...SSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
dirgeKananga is offline  
Old 06-25-2006, 09:08 PM   #6 (permalink)
Mr Beans Sidekick
 
Join Date: Apr 2006
Location: Canada
Posts: 563
Send a message via MSN to Max Power
Default

I wouldnt suggest downloading programs on lw everyone time i tried i got viruses...
__________________
Max Power is offline  
Old 06-26-2006, 01:27 AM   #7 (permalink)
Techie Beyond Description
 
Osiris's Avatar
 
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Send a message via ICQ to Osiris Send a message via AIM to Osiris Send a message via MSN to Osiris Send a message via Yahoo to Osiris
Default

the log looks good. do you see anything else happening like popups, etc?
__________________
Osiris is offline  
Old 06-26-2006, 01:35 AM   #8 (permalink)
Newb Techie
 
Join Date: May 2006
Posts: 27
Default

Nope. Everythings is running fine. Thanks, man.
dirgeKananga is offline  
Old 06-26-2006, 07:50 AM   #9 (permalink)
Monster Techie
 
MrCoffee's Avatar
 
Join Date: Feb 2006
Location: UK
Posts: 1,858
Default

not sure if anyone has mentioned but if you get viruses comming back as if out of nowhere the you may need to clear your system restore.
Also scan for rootkits with something like blacklight &| rootkitreveler.
__________________
Intel core I7 920
GA-EX58-UD3R
6GB OCZ platinum 1600
XFX HD4890
Noctua nh-u12p
Corsair HX520
Antec 300
Samsung 1TB F1 Spinpoint
Samsung SM2443BW 24"
MrCoffee is offline  
Old 06-26-2006, 05:44 PM   #10 (permalink)
Ultra Techie
 
Join Date: Aug 2005
Posts: 506
Default

You have to watch out for stuff like that on the P2P networks. Sometimes companies will put those files out there on purpose to discourage people from sharing it. I tried to download a program once and ever search result LW gave me was of the same file. Best thing to do is after you download something, right click on the file and scan it for viruses.
__________________

cedjunior is offline  
Closed Thread

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off




Copyright 2002- Social Knowledge, LLC All Rights Reserved.

All times are GMT -5. The time now is 04:29 AM.


Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.