Trojan Horse Downloader.Keenval.E

Discussion in 'adware, spyware & hijack cleaning' started by Simon_duffers, Jun 8, 2004.

Thread Status:
Not open for further replies.
  1. Simon_duffers

    Simon_duffers Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    3
    Trojan Horse Downloader.Keenval.E

    I was using AVG but it couldn't do it, so I followed the directions in the forum. The Trojan.Downloader thing in the title is the virus found by AVG.

    Logfile of HijackThis v1.97.7
    Scan saved at 21:13:31, on 08/06/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    D:\WINDOWS\System32\CTSvcCDA.EXE
    D:\WINDOWS\System32\MsPMSPSv.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Altnet\Points Manager\Points Manager.exe
    D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    D:\WINDOWS\System32\vnmispoisn_downloader.exe
    D:\Program Files\MSN Messenger\MsnMsgr.Exe
    D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
    D:\Program Files\Opera75\opera.exe
    D:\Documents and Settings\Simon Duffield\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - D:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - D:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [adiras] adiras.exe
    O4 - HKLM\..\Run: [P2P Networking] D:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [KAZAA] D:\Program Files\Kazaa\Kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [updmgr] D:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
    O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [searchbar] D:\WINDOWS\System32\vnmispoisn_downloader.exe
    O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: DSLMON.lnk = D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    O4 - Global Startup: GStartup.lnk = D:\Program Files\Common Files\GMT\GMT.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C4A1E102-6A9E-4AAB-8EA3-EAB28CCB8483}: NameServer = 212.74.114.129 212.74.114.193
     
    Last edited: Jun 8, 2004
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Re: Trojan Horse Downloader.Keenval.E

    Hi Simon_duffers,


    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - D:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - D:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O4 - HKLM\..\Run: [P2P Networking] D:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [KAZAA] D:\Program Files\Kazaa\Kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [updmgr] D:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s

    O4 - HKLM\..\Run: [searchbar] D:\WINDOWS\System32\vnmispoisn_downloader.exe

    O4 - Global Startup: GStartup.lnk = D:\Program Files\Common Files\GMT\GMT.exe

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

    Then reboot into safe mode and delete:
    D:\Program Files\Common Files\GMT <= entire folder
    C:\Program Files\Altnet\Points Manager <= entire folder
    D:\Program Files\MyWay <= entire folder
    D:\Program Files\PERFECTNAV <= entire folder
    D:\Program Files\Common files\updmgr <= entire folder

    And if you could please mail a (preferably zipped) copy of D:\WINDOWS\System32\vnmispoisn_downloader.exe (sounds like an Alice Cooper song. LOL ) to the address in my profile?

    Regards,

    Pieter
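As an added example (not code from this thread or from HijackThis itself), here is a small Python parser for entries in the log format posted above, with the kind of checks a helper applies before naming lines to fix: one DLL behind several entries (the PerfectNav R3 + O2 pair, the MyWay O2 + O3 pair), an autorun given only as a bare file name, and a Downloaded Program File with no source URL. The sample lines are constructed in the log's format.

```python
import re
from collections import defaultdict
# Constructed sample: entries in the HijackThis format of the log above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - D:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - D:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [searchbar] D:\WINDOWS\System32\vnmispoisn_downloader.exe
O4 - Global Startup: GStartup.lnk = D:\Program Files\Common Files\GMT\GMT.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|cab)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def parse(log):
    # Split a log into entries (section, CLSID, file path); headers, process list and blanks are skipped.
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid, path = CLSID_RE.search(body), PATH_RE.search(body)
        entries.append({"section": m.group("sec"), "body": body,
                        "clsid": clsid.group(0).upper() if clsid else None,
                        "path": path.group(0).lower() if path else None,
                        "has_url": bool(URL_RE.search(body))})
    return entries

def triage(entries):
    findings, by_path = [], defaultdict(list)
    for e in entries:
        if e["path"]:
            by_path[e["path"]].append(e["section"])
        if e["section"] == "O4" and not e["path"]:
            # Autorun named without a path: resolved via the search path, so the log alone does not say which binary runs.
            findings.append(("bare-autorun", e["body"]))
        if e["section"] == "O16" and not e["has_url"]:
            # Downloaded Program File with no recorded source site.
            findings.append(("dpf-no-source", e["body"]))
    # One file behind several entries (R3 + O2, O2 + O3): fixing only one leaves it registered by the other.
    for path, sections in by_path.items():
        if len(sections) > 1:
            findings.append(("shared-component", f"{path} used by {', '.join(sections)}"))
    return findings
```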
     
  3. Simon_duffers

    Simon_duffers Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    3
    Thanks, I'll go do those things now! What's that thing I'm sending?!
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    My guess is it's Keenvalue spyware as well, but I'd like to have a closer look before we decide to delete it.

    Regards,

    Pieter
     
  5. Simon_duffers

    Simon_duffers Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    3
    Yeah it was, well it had a virus on it at least!
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    o_O

    I did not receive anything until now. Am I to understand it was intercepted by your provider?

    Regards,

    Pieter
     