Re: Trojan horse Downloader.Generic.ML
From: Jim Byrd (jrbyrd_at_spamlessadelphia.net)
Date: Fri, 17 Jun 2005 13:56:33 -0700
Hi Ron - No, if you've already let A2 clean things (except c:\null?), then
that's OK, although I'd at least run it again and be sure it's still clean
in Safe or Clean Boot, then again after a normal boot (if you didn't already
do this). These things can often re-infect themselves.
As to rootkitresponder - it would be good IMO to increase your confidence
that this (a rootkit) hasn't happened, given the atypical circumstances of
your infection. But of course running this and using the HiJackThis
approach are entirely your choice. Those were just my recommendations,
since in my experience multiple tools can give more complete confidence in a
clean system, particularly when starting from an unknown infection point.
(For well know infections there often exist specific tools which are very
efficient in clean up that specifc malware.)
-- Regards, Jim Byrd, MS-MVP My, Blog Defending Your Machine, here: http://defendingyourmachine.blogspot.com/ "Ron Reaugh" <email@example.com> wrote in message news:D5Gse.firstname.lastname@example.org > "Jim Byrd" <email@example.com> wrote in message > news:9u-dnXsZisElYy_fRVn-2Q@adelphia.com... >> OK, Ron - If you got that from A2 then I would believe a real >> infection which, when you're ready, you can have A2 try and clean. > > Well I thought it was already cleaned...well. It wanted to delete > c:\null but I said no for now. I did let it delete all the other > stuff. Is there some whole other step that I'm missing? I will say > that after the A2 run and deletions that something is > different....BETTER. Does it do more than advertised? > >> I would recommend >> two additional steps at this point if you wish to continue to >> investigate. > > OH SHIT, you're trying to send me on a whole new career path. I was > pleased as punch when Gates saved the world from NetRoom and Stacker > hell....I did that career path fully. Please Billy save us all and > start including a robust equivalent set of tools/fixes in SP3 or > maybe that new service that's coming! This is going out of control. > How can the average PC user hope to survive? Billy needs to save em > all again. In the mean time the Geek Squad can't hope to handle such > so they'll just have to keep payin folks like me $100/hr. to keep > there PCs running. Most don't. Most don't keep running....they just > buy a new PC.....I wonder if mikey is financing the malware > industry<G>? > >> First, download and run Mark Russinovich's rootkitrevealer from >> www.sysinternals.com. > > I DON'T WANNA! But the I really didn't wanna screw with A2 either > and look what happened. I have fastidiously avoided HiJackThis for > several years now. I don't wanna go here. I want something to just > handle it all...damnit. > >> Then, I would also download and run HiJackThis and post your results >> to one of the forums. There are experts there who can help you >> considerably with this: >> >> >> Download HijackThis, free, here: >> >> http://18.104.22.168/~merijn/files/HijackThis.exe (Always download >> a new fresh copy of HijackThis [and CWShredder also] - It's UPDATED >> frequently.) >> >> You may also get it here if that link is blocked: >> >> > http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13 >> or here: >> http://www.bleepingcomputer.com/files/spyware/hijackthis.zip >> or here: http://thespykiller.co.uk/files/HJTsetup.exe >> >> There's a good "How-to-Use" tutorial here: >> http://computercops.biz/HijackThis.html >> >> In Windows Explorer, click on Tools|Folder Options|View and check >> "Show hidden files and folders" and uncheck "Hide protected >> operating system files". (You may want to restore these when you're >> all finished with HijackThis.) >> >> Place HijackThis.exe or unzip HijackThis.zip into its own dedicated >> folder at the root level such as C:\HijackThis (NOT in a Temp folder >> or on your Desktop), reboot to Safe mode, start HT (have ONLY HT >> running - IE MUST be closed) then press Scan. Click on SaveLog when >> it's finished which will create hijackthis.log. Now click the Config >> button, then Misc Tools and click on Generate StartupList.log which >> will create Startuplist.txt. >> >> Then go to one of the following forums: >> >> Spyware and Hijackware Removal Support, here: >> http://22.214.171.124/~swicom/forums/ >> >> or Net-Integration here: >> > http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949 >> >> or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx >> >> or Jim Eshelman's site here: http://forum.aumha.org/ >> >> or Bleepingcomputer here: http://www.bleepingcomputer.com/ >> >> >> Register if necessary, then sign in and READ THE DIRECTIONS at the >> beginning of the particular sites HiJackThis forum, then copy and >> paste both files into a message asking for assistance, Someone will >> answer with detailed instructions for the removal of your >> parasite(s). Be sure you include at the beginning of your post >> "What problem(s) you're trying to solve" and "What steps you've >> already taken." >> >> >> -- >> Regards, Jim Byrd, MS-MVP >> My, Blog Defending Your Machine, here: >> http://defendingyourmachine.blogspot.com/ >> >> "Ron Reaugh" <firstname.lastname@example.org> wrote in message >> news:BZxse.email@example.com >>> So I ran A2 and it found ~130 things....mostly cookies which don't >>> really count as everything finds cookies. It also found my same old >>> c:\null(Trojan-Downloader.Win32.QDown.s) and two dialers plus >>> (TrojanSpy.Win32.KeyLogger.t). I gonna leave c:\null there awhile >>> and try to determine the circumstances that it's detected next time. >>> >>> "Ron Reaugh" <firstname.lastname@example.org> wrote in message >>> news:1Pvse.email@example.com... >>>> Correction: below in my prior post where I say 'extract as' should >>>> read 'restore as'. >>>> >>>> UPDATE: 'restore as' in AVG continues to hang. 'restore' works. >>>> So I got c:\null back and after some fussing around I got it on a >>>> floppy. Then I had www.virustotal.com have a look at it and about >>>> half identified it and the other half did NOT(included after these >>>> comments). At www.virustotal.com the AVG was the day's before AVG >>>> version(6/14/05) and it did NOT find it so the theory that a sudden >>>> identification of c:\null was due to the fact that AVG's 6/15/05 >>>> def-s had just been downloaded seems more probable. After getting >>>> auto updates from AVG does AVG automatically and immediately go out >>>> and check the root(c:\) for virus files? I still don't understand >>>> exactly why the identification occurred at the moment it did OTHER >>>> THAN actual file I/O to c:\null at that moment? >>>> >>>> Following the above mentioned steps involving using a DOS boot >>>> floppy to copy to c:\null to another floppy, I've now have booted >>>> back to W98SE and c:\null still sits there and AVG has NOT noticed >>>> it yet?? Of course there's been no new AVG download/update in the >>>> last hour. >>>> >>>> Is there anything special about the filename 'null' that would >>>> stifle registry searches etc. for it? In DOS the filename 'nul' IS >>>> special. There seems to be nothing in the registry relevant to a >>>> filename 'null'. >>>> >>>> This is a report processed by VirusTotal on 06/17/2005 at 09:16:56 >>>> (CET) after scanning the file "Null" file. >>>> Antivirus Version Update Result >>>> AntiVir 126.96.36.199 06.16.2005 TR/Dldr.QDown.S >>>> AVG 718 06.14.2005 no virus found >>>> Avira 188.8.131.52 06.16.2005 TR/Dldr.QDown.S >>>> BitDefender 7.0 06.17.2005 Trojan.Downloader.Qdown.S >>>> ClamAV devel-20050501 06.16.2005 Trojan.Downloader.Delf-94 >>>> DrWeb 4.32b 06.17.2005 Trojan.DownLoader.2632 >>>> eTrust-Iris 184.108.40.206 06.16.2005 no virus found >>>> eTrust-Vet 220.127.116.11 06.16.2005 no virus found >>>> Fortinet 18.104.22.168 06.17.2005 W32/QDown.S-tr >>>> Ikarus 2.32 06.16.2005 no virus found >>>> Kaspersky 22.214.171.124 06.17.2005 Trojan-Downloader.Win32.QDown.s >>>> McAfee 4515 06.16.2005 no virus found >>>> NOD32v2 1.1143 06.16.2005 Win32/TrojanDownloader.QDown.S >>>> Norman 5.70.10 06.15.2005 no virus found >>>> Panda 8.02.00 06.16.2005 Spyware/ISTbar >>>> Sybari 7.5.1314 06.17.2005 Trojan-Downloader.Win32.QDown.s >>>> Symantec 8.0 06.16.2005 no virus found >>>> TheHacker 5.8-3.0 06.17.2005 no virus found >>>> VBA32 3.10.3 06.16.2005 Trojan-Downloader.Win32.QDown.s >>>> >>>> >>>> "Ron Reaugh" <firstname.lastname@example.org> wrote in message >>>> news:LBtse.email@example.com... >>>>> >>>>> "Jim Byrd" <firstname.lastname@example.org> wrote in message >>>>> news:taedneZAP-vkoi_fRVnemail@example.com... >>>>> >>>>> -snip but not ignored >>>>> >>>>> This instance is W98se. >>>>> >>>>>> I did a little research about this Trojan, Downloader.Generic.ML, >>>>>> but couldn't find any information under that name from _any_ of >>>>>> my available resources (including Grisoft, BTW), >>>>> >>>>> Me too. Google groups and web shows only this thread as I said in >>>>> an earlier post. Grisoft and Trend show nothing. >>>>> >>>>>> nor about your aberrant c:\null file. >>>>> >>>>> Me too including following someone's advice and checked the date >>>>> 5/5/5 and found NO other files on the system of that date. I may >>>>> be a target of something and next year they'll do me on 666<g>. >>>>> As I mentioned earlier, the file(c:\null) is still in AVG's virus >>>>> vault. Last night before the overnight SysClean run AVG 'extract >>>>> as' hung while trying to see if I could get c:\null out to forward >>>>> to the url provided in a post early in this thread. Just tried >>>>> 'extract as' again and it's hanging again. There's a dialog box, >>>>> that I assume is the normal file save/open dialog box, that has >>>>> border and internal margins painted but otherwise is all white. I >>>>> continue to compose this message while it's just sitting there. >>>>> Ctl-Alt-Del shows the task AVG virus vault (not responding). >>>>> ANYONE? >>>>> >>>>> Is there any way to clean boot access AVG's virus vault? >>>>> >>>>>> I >>>>>> would wonder if this is any sort of possible byproduct of some >>>>>> legitimate software heuristically detected by a (recent?) AVG >>>>>> update. >>>>> >>>>> Yes but then there's that sudden detection that appears NOT to >>>>> correspond to any event related to that theory. It was the AVG >>>>> resident shield after W98SE is all up but only a little while >>>>> thereafter. I had time to go into OE6 and into NGs(AMD K6+ >>>>> 450Mhz, 256MB). >>>>> >>>>> Is AVG periodically checking c:\ or must that kind of -on the run- >>>>> detection by AVG due to it's having detected some file I/O with >>>>> the file c:\null at that moment? The file c:\null is unknown to >>>>> me nor does 5/5/5 mean anything to me except for the numerology >>>>> of it and there was NO system activity that related to the issue >>>>> EXCEPT possibly that was when AVG finished doing it's daily def >>>>> update. BUT even then what triggered the detection at that >>>>> moment? I didn't run anykind of manual scan or such. >>>>> >>>>>> Anyhow, try A2 and post back, please. >>>>> >>>>> OK!