Win32 Trojan downloader/LimeWire - Techist - Tech Forum

Go Back   Techist - Tech Forum > Computer Software > Microsoft Windows and Software
Closed Thread
Thread Tools Display Modes
Old 06-22-2006, 04:48 AM   #1 (permalink)
Newb Techie
Join Date: May 2006
Posts: 27
Default Win32 Trojan downloader/LimeWire

I had recently been using a file sharing program LimeWire Pro. There was a particular program that I tried to download. Unfortunately, upon trying to run the program I discovered several viruses in the program. I've run virus scans repeatedly, and the virues are being identified. I've got WindowsLive OneCare w/Windows Defender, Ad-Aware SE, Registry Mechanic, and Spyware Doctor from PCTools. These programs are finding the viruses and placing them in quarantine files. Once quarantined, is it safe to delete them from my computer? Should I do this through the virus scan program or manually (by finding the location of the file and 'right-click' deleting it)?
I am also observing that when I run virus scans and the files are listed as they are scanned, I keep seeing a C:/Win32Trojan downloader file there. I believe this is the virus, isn't it? My scans seem to be only identifying the components to this and quarantining them, but not erasing the acutal virus itself.

Also, I've uninstalled Limewire in order to clean the viruses. At one point it looked like they were gone so I tried to reinstall Limewire. After this, it's obvious that the virus is still there (Limewire will start itself automatically, and viruses will popup everywhere!). What should I do? The Limewire support team says I have been infected with Alcra virus.

dirgeKananga is offline  
Old 06-22-2006, 06:58 AM   #2 (permalink)
Techie Beyond Description
Osiris's Avatar
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Send a message via ICQ to Osiris Send a message via AIM to Osiris Send a message via MSN to Osiris Send a message via Yahoo to Osiris

Follow these instructions carefully

Download ALL 10 programs and update if needed.

Ad Aware SE Personal Free

Ad-aware Messenger Service Plugin

Ad-Aware VX2 Cleaner Plug-In 2.0

Spybot Search and Destroy Free

Windows Defender 2 Beta





Follow these steps

Delete the prefetch folder C:\WINDOWS\Prefetch, this folder will come back on next reboot.

Delete all cookies and temporary internet files in the control panel, Internet Options.

Go to Start, run, type msconfig, go to startup, disable everything except your antivirus, Firewall, click apply, don¡¦t reboot yet.

Download Msconfig Cleanup below

Msconfig Cleanup

Run Msconfig Cleanup after you unchecked the items you were told to uncheck and recheck, click "Select All", then click "Clean up Selected", then click "Quit". Make sure your antivirus and firewall are not checked.

Now run each Spyware program 1 by 1. Running all 3 at the same time will slow most systems down.

When each program has finished scanning, remove everything.

Now go to the recycle bin and delete everything that is in it.

Then run CCleaner „² make sure you run the Cleaner section of Windows and Applications and then the Registry Cleaner. Make a backup if you wish while running the Registry Cleaner when it asks you.

When finished with the scans, reboot, and go into Safe Mode and run these scans again, remove everything they find, and then reboot back into Windows in normal mode.

Then run HiJackthis!

Save the log, copy and paste the log on
Do not attach the log, copy and paste always. This will make things go much faster.

Osiris is offline  
Old 06-22-2006, 07:13 AM   #3 (permalink)
Master Techie
Join Date: Feb 2004
Posts: 2,172
Send a message via AIM to Win2kpatcher

This is a great little write up Warez..Did you write it? Mind if I also borrow this?
Win2kpatcher is offline  
Old 06-22-2006, 07:37 AM   #4 (permalink)
Techie Beyond Description
Osiris's Avatar
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Send a message via ICQ to Osiris Send a message via AIM to Osiris Send a message via MSN to Osiris Send a message via Yahoo to Osiris

yea I wrote it, anyone can use it or tell other people to use it, thats what its for

I'm always updating it so it might change from time to time
Osiris is offline  
Old 06-25-2006, 07:32 PM   #5 (permalink)
Newb Techie
Join Date: May 2006
Posts: 27

Here is the log file from HijackThis. Your instructions seem to have worked. I found and deleted a ton of infected files. What next?

Logfile of HijackThis v1.99.1
Scan saved at 8:26:24 PM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Documents and Settings\Preferred Customer\My Documents\Programs\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page ={SUB_CLCID}
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
dirgeKananga is offline  
Old 06-25-2006, 08:08 PM   #6 (permalink)
Mr Beans Sidekick
Join Date: Apr 2006
Location: Canada
Posts: 563
Send a message via MSN to Max Power

I wouldnt suggest downloading programs on lw everyone time i tried i got viruses...
Max Power is offline  
Old 06-26-2006, 12:27 AM   #7 (permalink)
Techie Beyond Description
Osiris's Avatar
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Send a message via ICQ to Osiris Send a message via AIM to Osiris Send a message via MSN to Osiris Send a message via Yahoo to Osiris

the log looks good. do you see anything else happening like popups, etc?
Osiris is offline  
Old 06-26-2006, 12:35 AM   #8 (permalink)
Newb Techie
Join Date: May 2006
Posts: 27

Nope. Everythings is running fine. Thanks, man.
dirgeKananga is offline  
Old 06-26-2006, 06:50 AM   #9 (permalink)
Monster Techie
MrCoffee's Avatar
Join Date: Feb 2006
Location: UK
Posts: 1,858

not sure if anyone has mentioned but if you get viruses comming back as if out of nowhere the you may need to clear your system restore.
Also scan for rootkits with something like blacklight &| rootkitreveler.
Intel core I7 920
6GB OCZ platinum 1600
XFX HD4890
Noctua nh-u12p
Corsair HX520
Antec 300
Samsung 1TB F1 Spinpoint
Samsung SM2443BW 24"
MrCoffee is offline  
Old 06-26-2006, 04:44 PM   #10 (permalink)
Ultra Techie
Join Date: Aug 2005
Posts: 506

You have to watch out for stuff like that on the P2P networks. Sometimes companies will put those files out there on purpose to discourage people from sharing it. I tried to download a program once and ever search result LW gave me was of the same file. Best thing to do is after you download something, right click on the file and scan it for viruses.

cedjunior is offline  
Closed Thread

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off

Our Communities

Our communities encompass many different hobbies and interests, but each one is built on friendly, intelligent membership.

» More about our Communities

Automotive Communities

Our Automotive communities encompass many different makes and models. From U.S. domestics to European Saloons.

» More about our Automotive Communities

Marine Communities

Our Marine websites focus on Cruising and Sailing Vessels, including forums and the largest cruising Wiki project on the web today.

» More about our Marine Communities

Copyright 2002-2015 Social Knowledge, LLC All Rights Reserved.

All times are GMT -5. The time now is 01:39 AM.

Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2016, vBulletin Solutions, Inc.