Downloader.MSCache

Discussion in 'malware problems & news' started by swetbak, Mar 2, 2004.

Thread Status:
Not open for further replies.
  1. swetbak (Registered Member; Joined: Mar 2, 2004; Posts: 3)

    Norton Antivirus found this trojan on my computer after installing SpywareGuard and SpywareBlaster. This happened on two machines in my home network. Both machines are XP Pro and were patched, with antivirus and Spybot. I carry my spyware tools on a flash drive (which scans clean by Norton) and have installed these same apps at work to protect about a half dozen computers. I'm not getting the same problem at work. I suppose something else could be downloading this trojan, but it's detected almost immediately after installing these two apps and running their updates.
    Anyone have any insight on this?
     
  2. Paul Wilders (Administrator; Joined: Jul 1, 2001; Posts: 12,472; Location: The Netherlands)

    Welcome, whodat.

    SpywareGuard as well as SpywareBlaster have been downloaded millions of times without any alert - provided they are downloaded from the original website links.

    Thus, I suspect false alarms here. Do you have a log file available, and if so, please post it.

    regards.

    paul
     
  3. Pieter_Arntz (Spyware Veteran; Joined: Apr 27, 2002; Posts: 13,332; Location: Netherlands)

    Hi whodat,

    Welcome at Wilders. :)

    Downloader.MSCache is a collection of spyware installers, to which items get added for detection regularly.

    Do you have the scan reports of those two computers?
    If so, let us know the full path and filenames that were found by NAV.
    We should be able to tell you some more about where they came from then.

    Regards,

    Pieter
     
  4. Pieter_Arntz (Spyware Veteran; Joined: Apr 27, 2002; Posts: 13,332; Location: Netherlands)

    LOL. 3 seconds apart, Paul.
    We should practice some more. ;)

    Pieter
     
  5. Paul Wilders (Administrator; Joined: Jul 1, 2001; Posts: 12,472; Location: The Netherlands)

    Grin...the pleasure is yours, Pieter ;)

    regards.

    paul
     
  6. swetbak (Registered Member; Joined: Mar 2, 2004; Posts: 3)

    I'm impressed.
    I don't have any log files and have since cleaned both computers from the infection. The file name and location were the same on each machine.
    c:\windows\downloaded program files\hnkmugzv.dll
     
  7. Pieter_Arntz (Spyware Veteran; Joined: Apr 27, 2002; Posts: 13,332; Location: Netherlands)

    Oh bugger, a random-looking filename in the DPF folder.

    I dare claim with 90% accuracy that it was Searchbarcash. It stealth-installs using ActiveX.
    Which indeed belongs to that "family" of malware: http://www.doxdesk.com/parasite/ISTbar.html

    Oh, hang on. Make that almost 100%

    {56269A74-91CC-F76B-2DDA-B355F51CCCFD}
    Class file: hnkmugzv.dll
    Attributes: archive
    Date: 10/22/2003 7:40:10 PM
    MD5: 0D5A5884B8D17BC2C1CC107B3A884A03
    Path: C:\WINDOWS\Downloaded Program Files\
    Short name:
    Size: 36864 bytes
    Version: 0.1.0.0
    Class name: DownloadUL Class
    Contains file: hnkmugzv.dll
    Attributes: archive
    Date: 10/22/2003 7:40:10 PM
    MD5: 0D5A5884B8D17BC2C1CC107B3A884A03
    Path: C:\WINDOWS\Downloaded Program Files\
    Short name:
    Size: 36864 bytes
    Version: 0.1.0.0
    Download location: hxxp://public.searchbarcash.com/cab/034/hnkmugzv.cab
    Last modified: Sun, 21 Dec 2003 03:09:54 GMT
    Version: 1,0,0,1

    Well, since you installed SpywareBlaster, it won't bother you again. It is in the database as SearchBarCash (26).

    Regards,

    Pieter
     
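What Pieter did above by hand (match the Downloaded Program Files entry to its CLSID, read the CODEBASE it was fetched from, and rely on SpywareBlaster to block that CLSID in Internet Explorer) can be scripted. The following PowerShell is an added example and not code from the thread, from SpywareBlaster or from Javacool: it walks the registry locations IE uses for DPF Distribution Units and for the ActiveX "kill bit" (Compatibility Flags 0x400, the mechanism that stops IE from instantiating a control), lists each installed control with its download URL, and can set the kill bit for a given CLSID. The CLSID used in the usage lines is the one posted above; the function names are my own.

```powershell
# Added example (not from the thread). Enumerate IE "Downloaded Program Files"
# entries (Distribution Units) by CLSID, show where each was fetched from, and
# report/set the IE ActiveX kill bit. Run from an elevated PowerShell prompt.

$DistUnits     = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
$ActiveXCompat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag   = 0x400   # "Compatibility Flags" bit: IE refuses to load the control

function Get-DpfEntry {
    # One object per registered Distribution Unit (each is keyed by its CLSID).
    Get-ChildItem -Path $DistUnits -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $dlInfo = Get-ItemProperty -Path "$DistUnits\$clsid\DownloadInformation" `
                                   -ErrorAction SilentlyContinue
        $server = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                                   -ErrorAction SilentlyContinue
        $compat = Get-ItemProperty -Path "$ActiveXCompat\$clsid" -ErrorAction SilentlyContinue
        $flags  = if ($compat) { [int]$compat.'Compatibility Flags' } else { 0 }

        [pscustomobject]@{
            CLSID    = $clsid
            CodeBase = $dlInfo.CODEBASE          # URL the .cab was downloaded from
            Dll      = $server.'(default)'       # on-disk file the CLSID resolves to
            KillBit  = (($flags -band $KillBitFlag) -ne 0)
        }
    }
}

function Test-KillBit {
    # $true if IE will refuse to instantiate this CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    $compat = Get-ItemProperty -Path "$ActiveXCompat\$Clsid" -ErrorAction SilentlyContinue
    if (-not $compat) { return $false }
    return (([int]$compat.'Compatibility Flags' -band $KillBitFlag) -ne 0)
}

function Set-KillBit {
    # Set the kill bit for a CLSID without clearing any other flags already present.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "$ActiveXCompat\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    $newFlags = ([int]$current) -bor $KillBitFlag
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
                     -Value $newFlags -Force | Out-Null
}

# Usage: list every DPF control with its origin URL, flagging the unprotected ones.
Get-DpfEntry | Sort-Object KillBit | Format-Table CLSID, KillBit, Dll, CodeBase -AutoSize

# Usage: check, then block, the CLSID reported in the thread.
$suspect = '{56269A74-91CC-F76B-2DDA-B355F51CCCFD}'
if (-not (Test-KillBit $suspect)) { Set-KillBit $suspect }
Test-KillBit $suspect
```

The CODEBASE value is the equivalent of the "Download location" line in the scan report above, so an entry whose DLL name looks random and whose CODEBASE points at a host you do not recognise is the one to look at first. Setting the kill bit only stops Internet Explorer from loading the control; it does not remove the DLL from Downloaded Program Files, which still needs to be cleaned as swetbak did.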
  8. swetbak (Registered Member; Joined: Mar 2, 2004; Posts: 3)

    Thank you
     
  9. Pieter_Arntz (Spyware Veteran; Joined: Apr 27, 2002; Posts: 13,332; Location: Netherlands)

    My pleasure. :)

    Or actually, thank Javacool for adding over 50 different CLSIDs for this pest. :eek:

    Regards,

    Pieter
     