Re: Trojan horse Downloader.Generic.ML

From: Jim Byrd (jrbyrd_at_spamlessadelphia.net)
Date: 06/17/05


Date: Fri, 17 Jun 2005 09:47:49 -0700

OK, Ron - If you got that from A2 then I would believe a real infection
which, when you're ready, you can have A2 try and clean. I would recommend
two additional steps at this point if you wish to continue to investigate.

First, download and run Mark Russinovich's rootkitrevealer from
www.sysinternals.com.

Then, I would also download and run HiJackThis and post your results to one
of the forums. There are experts there who can help you considerably with
this:

Download HijackThis, free, here:

http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)

You may also get it here if that link is blocked:

http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
or here: http://www.bleepingcomputer.com/files/spyware/hijackthis.zip
or here: http://thespykiller.co.uk/files/HJTsetup.exe

There's a good "How-to-Use" tutorial here:
http://computercops.biz/HijackThis.html

In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)

Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
at the root level such as C:\HijackThis (NOT in a Temp folder or on your
Desktop), reboot to Safe mode, start HT (have ONLY HT running - IE MUST be
closed) then press Scan. Click on SaveLog when it's finished which will
create hijackthis.log. Now click the Config button, then Misc Tools and
click on Generate StartupList.log which will create Startuplist.txt.

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://216.180.233.162/~swicom/forums/

or Net-Integration here:
http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx

or Jim Eshelman's site here: http://forum.aumha.org/

or Bleepingcomputer here: http://www.bleepingcomputer.com/

Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
of the particular site's HiJackThis forum, then copy and paste both files
into a message asking for assistance. Someone will answer with detailed
instructions for the removal of your parasite(s). Be sure you include at
the beginning of your post "What problem(s) you're trying to solve" and
"What steps you've already taken."

-- 
Regards, Jim Byrd, MS-MVP
My Blog, Defending Your Machine, here:
http://defendingyourmachine.blogspot.com/
"Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in message
news:BZxse.330543$cg1.129848@bgtnsc04-news.ops.worldnet.att.net
> So I ran A2 and it found ~130 things....mostly cookies which don't
> really count as everything finds cookies.  It also found my same old
> c:\null(Trojan-Downloader.Win32.QDown.s) and two dialers plus
> (TrojanSpy.Win32.KeyLogger.t).   I'm gonna leave c:\null there awhile
> and try to determine the circumstances that it's detected next time.
>
> "Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in message
> news:1Pvse.973993$w62.568999@bgtnsc05-news.ops.worldnet.att.net...
>> Correction:  below in my prior post where I say 'extract as' should
>> read 'restore as'.
>>
>> UPDATE:  'restore as' in AVG continues to hang.  'restore' works.
>> So I got c:\null back and after some fussing around I got it on a
>> floppy.  Then I had www.virustotal.com have a look at it and about
>> half identified it and the other half did NOT (included after these
>> comments).  At www.virustotal.com the AVG was the day-before AVG
>> version(6/14/05) and it did NOT find it so the theory that a sudden
>> identification of c:\null was due to the fact that AVG's 6/15/05
>> def-s had just been downloaded seems more probable.  After getting
>> auto updates from AVG does AVG automatically and immediately go out
>> and check the root(c:\) for virus files?  I still don't understand
>> exactly why the identification occurred at the moment it did OTHER
>> THAN actual file I/O to c:\null at that moment?
>>
>> Following the above mentioned steps involving using a DOS boot
>> floppy to copy c:\null to another floppy, I have now booted
>> back to W98SE and c:\null still sits there and AVG has NOT noticed
>> it yet??  Of course there's been no new AVG download/update in the
>> last hour.
>>
>> Is there anything special about the filename 'null' that would stifle
>> registry searches etc. for it?  In DOS the filename 'nul' IS
>> special. There seems to be nothing in the registry relevant to a
>> filename 'null'.
>>
>> This is a report processed by VirusTotal on 06/17/2005 at 09:16:56
>> (CET) after scanning the file "Null".
>> Antivirus    Version         Update      Result
>> AntiVir      6.31.0.7        06.16.2005  TR/Dldr.QDown.S
>> AVG          718             06.14.2005  no virus found
>> Avira        6.31.0.7        06.16.2005  TR/Dldr.QDown.S
>> BitDefender  7.0             06.17.2005  Trojan.Downloader.Qdown.S
>> ClamAV       devel-20050501  06.16.2005  Trojan.Downloader.Delf-94
>> DrWeb        4.32b           06.17.2005  Trojan.DownLoader.2632
>> eTrust-Iris  7.1.194.0       06.16.2005  no virus found
>> eTrust-Vet   11.9.1.0        06.16.2005  no virus found
>> Fortinet     2.35.0.0        06.17.2005  W32/QDown.S-tr
>> Ikarus       2.32            06.16.2005  no virus found
>> Kaspersky    4.0.2.24        06.17.2005  Trojan-Downloader.Win32.QDown.s
>> McAfee       4515            06.16.2005  no virus found
>> NOD32v2      1.1143          06.16.2005  Win32/TrojanDownloader.QDown.S
>> Norman       5.70.10         06.15.2005  no virus found
>> Panda        8.02.00         06.16.2005  Spyware/ISTbar
>> Sybari       7.5.1314        06.17.2005  Trojan-Downloader.Win32.QDown.s
>> Symantec     8.0             06.16.2005  no virus found
>> TheHacker    5.8-3.0         06.17.2005  no virus found
>> VBA32        3.10.3          06.16.2005  Trojan-Downloader.Win32.QDown.s
>>
>>
>> "Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in message
>> news:LBtse.329877$cg1.76114@bgtnsc04-news.ops.worldnet.att.net...
>>>
>>> "Jim Byrd" <jrbyrd@spamlessadelphia.net> wrote in message
>>> news:taedneZAP-vkoi_fRVn-vw@adelphia.com...
>>>
>>> -snip but not ignored
>>>
>>> This instance is W98se.
>>>
>>>> I did a little research about this Trojan, Downloader.Generic.ML,
>>>> but couldn't find any information under that name from _any_ of my
>>>> available resources (including Grisoft, BTW),
>>>
>>> Me too.  Google groups and web shows only this thread as I said in
>>> an earlier post.  Grisoft and Trend show nothing.
>>>
>>>> nor about your aberrant c:\null file.
>>>
>>> Me too, including following someone's advice and checking the date
>>> 5/5/5, and I found NO other files on the system of that date.  I may
>>> be a target of something and next year they'll do me on 666<g>.
>>> As I mentioned earlier,  the file(c:\null) is still in AVG's virus
>>> vault. Last night before the overnight SysClean run AVG 'extract
>>> as' hung while trying to see if I could get c:\null out to forward
>>> to the url provided in a post early in this thread.  Just tried
>>> 'extract as' again and it's hanging again.  There's a dialog box,
>>> that I assume is the normal file save/open dialog box,  that has
>>> border and internal margins painted but otherwise is all white.  I
>>> continue to compose this message while it's just sitting there.
>>> Ctl-Alt-Del shows the task AVG virus vault (not responding). ANYONE?
>>>
>>> Is there any way to clean boot access AVG's virus vault?
>>>
>>>>  I
>>>> would wonder if this is any sort of possible byproduct of some
>>>> legitimate software heuristically detected by a (recent?) AVG
>>>> update.
>>>
>>> Yes but then there's that sudden detection that appears NOT to
>>> correspond to any event related to that theory.  It was the AVG
>>> resident shield after W98SE is all up but only a little while
>>> thereafter.  I had time to go into OE6 and into NGs(AMD K6+
>>> 450Mhz, 256MB).
>>>
>>> Is AVG periodically checking c:\ or must that kind of on-the-run
>>> detection by AVG be due to its having detected some file I/O with the
>>> file c:\null at that moment?  The file c:\null is unknown to me nor
>>> does 5/5/5 mean anything to me except for the numerology of it and
>>> there was NO system activity that related to the issue EXCEPT
>>> possibly that was when AVG finished doing its daily def update.
>>> BUT even then what triggered the detection at that moment?  I
>>> didn't run any kind of manual scan or such.
>>>
>>>> Anyhow, try A2 and post back, please.
>>>
>>> OK!
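The VirusTotal report quoted in the thread is a flattened multi-engine table, and questions like "about half identified it" and "was AVG's definition set older than the others" are easier to answer from the data than by eye. The Python below is an added example and is not code from this thread, from VirusTotal, or from any of the vendors named; the sample input is the quoted report re-typed inline as a constructed string, the list of generic naming tokens is my own assumption, and the helper names (`parse_report`, `detection_ratio`, `family_consensus`, `oldest_signature`) are hypothetical, not a real VirusTotal API.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the multi-engine report quoted in the thread,
# re-typed as one whitespace-separated block with its header line.
REPORT = """\
Antivirus Version Update Result
AntiVir 6.31.0.7 06.16.2005 TR/Dldr.QDown.S
AVG 718 06.14.2005 no virus found
Avira 6.31.0.7 06.16.2005 TR/Dldr.QDown.S
BitDefender 7.0 06.17.2005 Trojan.Downloader.Qdown.S
ClamAV devel-20050501 06.16.2005 Trojan.Downloader.Delf-94
DrWeb 4.32b 06.17.2005 Trojan.DownLoader.2632
eTrust-Iris 7.1.194.0 06.16.2005 no virus found
eTrust-Vet 11.9.1.0 06.16.2005 no virus found
Fortinet 2.35.0.0 06.17.2005 W32/QDown.S-tr
Ikarus 2.32 06.16.2005 no virus found
Kaspersky 4.0.2.24 06.17.2005 Trojan-Downloader.Win32.QDown.s
McAfee 4515 06.16.2005 no virus found
NOD32v2 1.1143 06.16.2005 Win32/TrojanDownloader.QDown.S
Norman 5.70.10 06.15.2005 no virus found
Panda 8.02.00 06.16.2005 Spyware/ISTbar
Sybari 7.5.1314 06.17.2005 Trojan-Downloader.Win32.QDown.s
Symantec 8.0 06.16.2005 no virus found
TheHacker 5.8-3.0 06.17.2005 no virus found
VBA32 3.10.3 06.16.2005 Trojan-Downloader.Win32.QDown.s
"""

NO_DETECTION = "no virus found"

# Assumed list of tokens that name a threat class or platform rather than a
# family, so vendor prefixes do not swamp the family vote below.
GENERIC_TOKENS = {"tr", "trojan", "dldr", "downloader", "trojandownloader",
                  "win32", "w32", "spyware", "s"}


def parse_report(text):
    """Turn 'Engine Version Update Result' lines into dicts.

    The first three columns contain no spaces in this format but the result
    column may ("no virus found"), so split at most three times.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("antivirus version"):
            continue  # blank line or the column header
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # malformed line: skip it rather than guess at columns
        engine, version, update, result = parts
        rows.append({"engine": engine, "version": version, "update": update,
                     "result": result,
                     "detected": result.lower() != NO_DETECTION})
    return rows


def detection_ratio(rows):
    """Return (engines that flagged the file, engines scanned)."""
    return sum(1 for r in rows if r["detected"]), len(rows)


def family_consensus(rows):
    """Vote on family-like name tokens across detecting engines, ignoring
    generic prefixes and bare numbers; one vote per engine per token."""
    counts = Counter()
    for r in rows:
        if not r["detected"]:
            continue
        tokens = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", r["result"])}
        counts.update(t for t in tokens
                      if t and not t.isdigit() and t not in GENERIC_TOKENS)
    return counts


def oldest_signature(rows):
    """Return (engine, update) for the stalest definition set; the report's
    update column is MM.DD.YYYY."""
    oldest = min(rows, key=lambda r: datetime.strptime(r["update"], "%m.%d.%Y"))
    return oldest["engine"], oldest["update"]


if __name__ == "__main__":
    rows = parse_report(REPORT)
    print("flagged by %d of %d engines" % detection_ratio(rows))
    print("family votes:", family_consensus(rows).most_common(3))
    print("stalest definitions:", oldest_signature(rows))
```

Run against the quoted report this gives 11 of 19 engines flagging the file, eight of those eleven agreeing on the "QDown" family under different vendor naming schemes, and AVG carrying the oldest definitions in the set (06.14.2005 against 06.17.2005 for the newest), which is the same observation the poster uses to argue that a fresh AVG definition download, not file activity, is what triggered the detection.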

