Spyware Cleaning Section Closed!!
Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services.

#1

Ok, this is my problem. I have just installed AVG and with my first scan I found that Trojan horse Downloader.Keenval.E is infecting this file: C:\Archivos de Programa\Common Files\updmgr\updmgr.exe
and AVG can't remove the virus nor delete the file. I have tried deleting the file manually, but a notice says something as if the application was running. I don't know what application responds to this file and I can't close it because my ctrl-alt-del doesn't work ('cause my sister ruined the keyboard). I have scanned the system with Ad-aware 6 Personal, Build 6.181 following the instructions given by you, and during the scan a notice appears several times saying: "Virus Trojan horse Downloader.Keenval.E is found in file C:\Archivos de Programa\Common Files\updmgr\updmgr.exe To remove this virus, please run AVG for Windows." Ha-ha. Ok, so here you have the HijackThis log. I hope you can help me.

Logfile of HijackThis v1.97.7
Scan saved at 02:53:15 a.m., on 19/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\twain_32\VIVID\VIVID.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Archivos de programa\Java\j2re1.4.2_04\bin\jusched.exe
C:\Archivos de programa\Messenger Plus! 2\MsgPlus.exe
C:\ARCHIV~1\GRISOF~1\avgcc32.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\ARCHIV~1\GRISOF~1\avgserv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\ARCHIV~1\WinZip\winzip32.exe
C:\DOCUME~1\Vanina\CONFIG~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL
F1 - win.ini: load=C:\WINDOWS\TWAIN_32\Vivid\VIVID.EXE
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3D933ECB-B42F-9986-B68E-ECD402F70BA9} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Archivos de programa\Archivos comunes\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Archivos de programa\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Archivos de programa\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [updmgr] C:\Archivos de programa\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Archivos de programa\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Startup Manager Scanner] C:\Archivos de programa\Startup Mechanic\StartupScanner.exe
O4 - HKLM\..\Run: [KAZAA] C:\Archivos de programa\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [AVG_CC] C:\ARCHIV~1\GRISOF~1\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Archivos de programa\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra 'Tools' menuitem: Consola de Sun Java (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17cad419...dxIE601_es.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab

Thanks.

#2

Hi unison,
Before you start please unzip hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

Check the following items in HijackThis. Close all windows except HijackThis and click Fix checked:

R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: (no name) - {3D933ECB-B42F-9986-B68E-ECD402F70BA9} - (no file)
O4 - HKLM\..\Run: [updmgr] C:\Archivos de programa\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [KAZAA] C:\Archivos de programa\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17cad419...dxIE601_es.cab

Then reboot into safe mode and delete:

C:\Archivos de programa\Common files\updmgr <= entire folder
C:\Archivos de programa\PERFECTNAV <= entire folder

Regards, Pieter
__________________
Regards, Pieter. It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
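The log in post #1 and the checklist in post #2 follow a fixed line format (section code, a dash, then name, CLSID and path or URL separated by " - "), which makes them easy to triage mechanically. The following Python script is an added example written for this page; it is not code from the thread, from HijackThis or from Wilders Security. It parses entry lines, extracts the CLSID and the file, command or URL each entry points at, flags entries that match an analyst-supplied indicator table, and lists the parent folders of the flagged files for review in safe mode. The indicator table is built only from what this thread states (the PerfectNav CLSID, the updmgr path and the RdxIE download that post #2 said to fix), the sample lines are copied from post #1, and the regular expressions, the "(no file)" check and the duplicate-CLSID check are my own reading of the log format rather than HijackThis's own logic.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample input: seven lines copied from the HijackThis v1.97.7 log
# in post #1 (a mix of benign entries and the ones post #2 says to fix).
SAMPLE_LOG = r"""
R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3D933ECB-B42F-9986-B68E-ECD402F70BA9} - (no file)
O4 - HKLM\..\Run: [updmgr] C:\Archivos de programa\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [AVG_CC] C:\ARCHIV~1\GRISOF~1\avgcc32.exe /STARTUP
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17cad419...dxIE601_es.cab
"""

# Analyst-supplied indicators (lowercase substring -> label). These come only
# from what this thread says, not from any vendor feed.
THREAD_INDICATORS = {
    "{00d6a7e7-4a97-456f-848a-3b75bf7554d7}": "PerfectNav search hook/BHO (fix per post #2)",
    "updmgr": "updmgr.exe, flagged by AVG as Downloader.Keenval.E (post #1)",
    "{56336bcb-3d8a-11d6-a00b-0050da18de71}": "RdxIE ActiveX download (fix per post #2)",
}

# Assumed shape of an entry line: "<code> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[[^\]]*\] (?P<command>.+)$")
FILE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|ocx))', re.IGNORECASE)


@dataclass
class Entry:
    code: str                     # section code, e.g. "O2" (BHO) or "O4" (Run key)
    body: str                     # text after "<code> - "
    clsid: Optional[str] = None   # CLSID found in the entry, upper-cased
    target: Optional[str] = None  # file, command line or URL the entry points at
    flags: list[str] = field(default_factory=list)

    def line(self) -> str:
        """The entry exactly as logged (what you tick in HijackThis)."""
        return f"{self.code} - {self.body}"


def parse_log(text: str) -> list[Entry]:
    """Turn log text into Entry objects; header and process-list lines are skipped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        clsid_m = CLSID_RE.search(body)
        clsid = clsid_m.group(0).upper() if clsid_m else None
        # For R3/O2/O3/O16 the last " - " field is the path or URL; O4 Run
        # entries carry the command after the bracketed value name instead.
        target = body.rsplit(" - ", 1)[-1]
        run_m = RUN_RE.match(body)
        if code == "O4" and run_m:
            target = run_m.group("command")
        entries.append(Entry(code, body, clsid, target))
    return entries


def triage(entries: list[Entry], indicators: dict[str, str]) -> list[Entry]:
    """Attach flags and return only the entries that received at least one."""
    by_clsid: dict[str, set[str]] = {}
    for e in entries:
        if e.clsid:
            by_clsid.setdefault(e.clsid, set()).add(e.code)
    flagged = []
    for e in entries:
        hay = e.body.lower()
        e.flags.extend(label for needle, label in indicators.items() if needle in hay)
        if e.target == "(no file)":
            e.flags.append("dangling registration: the DLL is gone but the key remains")
        if e.flags and e.clsid and len(by_clsid[e.clsid]) > 1:
            # One component hooked in several places (PerfectNav as both R3 and
            # O2 here): fixing only one of the entries leaves it loaded.
            e.flags.append("same CLSID registered in " + ", ".join(sorted(by_clsid[e.clsid])))
        if e.flags:
            flagged.append(e)
    return flagged


def folders_to_review(flagged: list[Entry]) -> list[str]:
    """Parent folders of flagged file targets, as logged. 8.3 short names such
    as ARCHIV~1 cannot be expanded offline; resolve them on the machine itself."""
    folders = set()
    for e in flagged:
        m = FILE_RE.match(e.target or "")
        if m:
            folders.add(str(PureWindowsPath(m.group("path")).parent))
    return sorted(folders)


if __name__ == "__main__":
    hits = triage(parse_log(SAMPLE_LOG), THREAD_INDICATORS)
    print("Tick these in HijackThis, then click Fix checked:")
    for e in hits:
        print("  " + e.line())
        for f in e.flags:
            print("      - " + f)
    print("Folders to review in safe mode:")
    for d in folders_to_review(hits):
        print("  " + d)
```

The script only produces a checklist; it does not touch the registry or the file system, so it can be run against a log pasted from another machine. Note that the output folder for PerfectNav is the BHO subfolder the DLL lives in, whereas post #2 removes the whole PERFECTNAV folder one level up; the script reports what the log proves and leaves that judgement to the analyst.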

#3

OH MY GOD! Thank you so very much!!!!! You saved my life.
Now I'm gonna try to play some .rm files with RealOne, maybe this fuc*ing virus was causing all the trouble... If it works, you're GOD! Kisses

#4

Damn! Your instructions worked.
But now it reappeared infecting another file! And I wonder if I can do the same thing that you told me to with the other files. The weird thing is that AVG doesn't detect it, though very frequently a notice comes up telling me to run AVG to solve the problem. I'm going crazy. Please, help me? This time, the file is: C:\System Volume Information\_restore{50E1DE69-AD51-4064-B977-A7C39147FD2A}\RP155\A0019547.exe
Another thing: is there a way to stop this definitely? tnx

#5

Hi unison,
It didn't infect a new file. It just ended up in your Restore Points. Disable System Restore, reboot and re-enable System Restore.

Disabling or enabling Windows XP System Restore

Regards, Pieter
__________________
Regards, Pieter. It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.