Re: TrojanDownloader.ImLoad.100
From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 06/24/05
- Next message: Nate Goulet: ""Internet Gateway: Disconnected" icon showing next to the system clock. What is this? Spyware, Virus or other?"
- Previous message: David H. Lipman: "Re: Unknown Virus"
- In reply to: Joseph: "TrojanDownloader.ImLoad.100"
Date: Fri, 24 Jun 2005 13:07:48 -0400
From: "Joseph" <philippeoget@hotmail.com>
| please see my comments to symantec at bottom:
| ISSUE
|
| Applications do not respond to user's input
| Excel attempting to copy cells while user is only trying to scroll thru the
| document
| PC also not responding as it should, long delays between clicks and effects
| requested by user
| STEP TAKEN
| running a virus scan
| also running symantec W32.Novar@mm removal tool
| Installed and run spybot, spyware found.
|
| deleted c:\progra~1\webfun folder - browser MUST be closed or else a dll
| remains in memory
|
| remove smileys, MyWebSearch toolbar, and webshots screen saver (after
| ending the process in taskmgr)
|
| removed HKLM\Software\Funwebproducts registry key
| removed HKLM\Software\MyWebSearch registry key
| removed HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Dialer.exe
| registry key
| Reopening TT
|
| Unfortunately problem has reoccurred:
|
| Problems:
|
| When working on a shared excel work***, (she is the only user seemingly
| affected by these problems)
| user loses control over the application, the excel window flashes,
| Outlook is closed without user intervention, happened right now as I speak
| with her, whether other apps are opened or not.
| the Start folder opens in a windows explorer window all by itself
|
| Yesterday we did all we could regarding spyware, please see above log.
| Could not connect to her PC this morning, after many attempts, her
| PCAnywhere
| cannot start: 'unable to start the pcanywhere host service', was fine
| yesterday though.
| Please note that there are no problems in Device Manager
| Yesterday as the problems happened, I ran taskmanager and saw that
| cscript.exe is running for no apparent reason.
| Terminated the cscript process: note I could not - while it was running -
| copy a file from my PC to user's PC.
|
| Running SAP & Outlook while watching Task Manager for reappearance of
| cscript.exe.
| No problems for the moment.
| installed and ran Microsoft antispyware which found:
| SearchSquire (High risk)
| MyWebSearch (Mild) Still there!
|
| Installed TrojanHunter which found TrojanDownloader.ImLoad.100
| "Renamed file C:\WINNT\Downloaded Program Files\imloader.exe to
| C:\WINNT\Downloaded Program Files\imloader.exe.tcf
| Trojan cleaning finished."
| To Symantec
| I don't know how much money you make from my employers, but I solved what
| was a major problem, which was compounded by the fact that there was no one
| onsite. All done remote and solved with a free software. well done symantec!
|
| Joseph
| Helpdesk analyst
|
| http://www.misec.net/trojanhunter/
|
Besides Galen's advice, you may want to try my Multi AV Command Line Scanner front end
utility. It will automate and simplify the execution of the Sophos and McAfee Command Line
Scanners and Trend Micro's Sysclean utility.
Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files
Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear
Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } two batch files, four Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
On Win9x/ME the choices are; Trend, McAfee, Exit the menu and Reboot the PC
On NT4, Win2k, WinXP and Win2003 Server the choices are; Sophos, Trend, McAfee, Exit the
menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
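
A follow-up check for the leftovers and the unexplained cscript.exe described in this thread, as an added example that is not part of the original posts: it re-tests the files and registry keys Joseph lists and shows which script any running cscript.exe was started with and by which parent. It assumes a Windows host with PowerShell 3.0 or later; the function names are hypothetical.

```powershell
# Added example: paths and registry keys are the ones quoted in the post above.
$Paths = @(
    'C:\WINNT\Downloaded Program Files\imloader.exe',
    'C:\WINNT\Downloaded Program Files\imloader.exe.tcf',   # copy renamed by the cleaner
    'C:\progra~1\webfun'
)
$Keys = @(
    'HKLM:\Software\Funwebproducts',
    'HKLM:\Software\MyWebSearch',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\App Paths\Dialer.exe'
)

# Hypothetical helper: report whether each artefact is still present after cleanup.
function Get-LeftoverArtefact {
    foreach ($item in ($Paths + $Keys)) {
        [pscustomobject]@{
            Artefact = $item
            Present  = Test-Path -LiteralPath $item
        }
    }
}

# Hypothetical helper: list running cscript.exe instances with the script they
# were launched with and the parent process, so "running for no apparent
# reason" can be traced to whatever started it.
function Get-CscriptInstance {
    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name='cscript.exe'"
    foreach ($p in $procs) {
        $parent = Get-CimInstance -ClassName Win32_Process `
                      -Filter "ProcessId=$($p.ParentProcessId)"
        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            Started     = $p.CreationDate
            CommandLine = $p.CommandLine      # empty if access is denied
            ParentId    = $p.ParentProcessId
            ParentName  = $parent.Name        # empty if the parent has exited
        }
    }
}

Get-LeftoverArtefact | Format-Table -AutoSize
Get-CscriptInstance  | Format-List
```

Run it from an elevated prompt so the command line of processes owned by other accounts is readable; any artefact still reported as present after a reboot points to something reinstalling it.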