Downloader.MSCache

swetbak · Mar 2, 2004

Norton Antivirus found this trojan on my computer after installing SpywareGuard and SpywareBlaster. This happened on two machines in my home network. Both machines are XP Pro and were patched, with antivirus and spybot. I carry my spyware tools on a flash drive (which scans clean by Norton) and have installed these same app's at work to protect about a half doz. computers. Not getting the same problem at work. I suppose something else could be downloading this trojan, but it's detected almost immediately after installing these two app's and running their updates.
Anyone have any insight on this?

Paul Wilders · Mar 2, 2004

Welcome, whodat.

SpywareGuard as well as SpywareBlaster have been downloaded millions of times without any alert - provided they are downloaded from the original website links.

Thus, I suspect false alarms here. Do you have a log file available, and if so, please post it.

regards.

paul

Pieter_Arntz · Mar 2, 2004

Hi whodat,

Welcome at Wilders.

Downloader.MSCache is a collection of spywareinstallers, where items get added for detection regularly.

Do you have the scan reports of those two computers?
If so, let us know the full path and filenames that were found by NAV.
We should be able to tell you some more about where they came from then.

Regards,

Pieter

Pieter_Arntz · Mar 2, 2004

LOL. 3 seconds apart, Paul.
We should practice some more.

Pieter

Paul Wilders · Mar 2, 2004

Grin...the pleasure is yours, Pieter

regards.

paul

swetbak · Mar 2, 2004

I'm impressed.
I don't have any log files and have since cleaned both computers from the infection. The file name and location were the same on each machine.
c:\windows\downloaded program files\hnkmugzv.dll

Pieter_Arntz · Mar 2, 2004

Oh bugger, random looking filename in the DPF folder.

I dare to claim 90% accuracy that it was Searchbarcash. Stealth-installs using ActiveX.
Which indeed belongs to that "family" of malware: http://www.doxdesk.com/parasite/ISTbar.html

Oh, hang on. Make that almost 100%

{56269A74-91CC-F76B-2DDA-B355F51CCCFD}
Class file: hnkmugzv.dll
Attributes: archive
Date: 10/22/2003 7:40:10 PM
MD5: 0D5A5884B8D17BC2C1CC107B3A884A03
Path: C:\WINDOWS\Downloaded Program Files\
Short name:
Size: 36864 bytes
Version: 0.1.0.0
Class name: DownloadUL Class
Contains file: hnkmugzv.dll
Attributes: archive
Date: 10/22/2003 7:40:10 PM
MD5: 0D5A5884B8D17BC2C1CC107B3A884A03
Path: C:\WINDOWS\Downloaded Program Files\
Short name:
Size: 36864 bytes
Version: 0.1.0.0
Download location: hxxp://public.searchbarcash.com/cab/034/hnkmugzv.cab
Last modified: Sun, 21 Dec 2003 03:09:54 GMT
Version: 1,0,0,1

Well, since you installed SpywareBlaster. It won't bother you again. In the database as SearchBarCash (26)

Regards,

Pieter

swetbak · Mar 2, 2004

Thank you

Pieter_Arntz · Mar 2, 2004

My pleasure.

Or actually, thank Javacool for adding over 50 different CLSID's for this pest.

Regards,

Pieter

Log in or Sign up

Downloader.MSCache

swetbak Registered Member

Paul Wilders Administrator

Pieter_Arntz Spyware Veteran

Pieter_Arntz Spyware Veteran

Paul Wilders Administrator

swetbak Registered Member

Pieter_Arntz Spyware Veteran

swetbak Registered Member

Pieter_Arntz Spyware Veteran

Log in or Sign up

Downloader.MSCache

swetbak Registered Member

Paul Wilders Administrator

Pieter_Arntz Spyware Veteran

Pieter_Arntz Spyware Veteran

Paul Wilders Administrator

swetbak Registered Member

Pieter_Arntz Spyware Veteran

swetbak Registered Member

Pieter_Arntz Spyware Veteran

Useful Searches