Downloader.Trojan in XP

Discussion in 'malware problems & news' started by Stablecannon, Mar 26, 2005.

Thread Status:
Not open for further replies.
  1. Stablecannon (Registered Member, joined Mar 26, 2005, posts: 1)

    I believe I may have a trojan lingering in my system. NAV 2005 told me I had a Downloader.Trojan virus (filename 0g1sa.dll). So I used the trojan removal instructions I found on another forum, and the anti-trojan program Trojan Hunter found the virus (0g1sa) and deleted it. Then I ran TDS-3 and it found a bunch of hidden ADS streams, so I deleted those and some of the host files. So after everything was done, I restarted my computer in normal mode and everything seemed to run a little better (the HDD light wasn't on all the time). Then after a short time it started again, so I tried to find the program in Task Manager and came up with two processes I hadn't heard of before, crtv32.exe and msjz.exe. I was able to stop the crtv32 process, but the msjz process kept reappearing as soon as I stopped it. Eventually so did the crtv32 process. I then happened to come across this log called f2install.log in my root directory:
    >>Install Start...
    Include to Autorun
    >>TestModule(496949607)
    Event:0x000300F6:36:0:11659880
    Event:0x000300F6:129:0:11659852
    Event:0x000300F6:131:0:11659912
    Event:0x000300F6:1:0:11659816
    >>SaveModule(0)
    Old Path: C:\WINDOWS\apppn.dll
    New Path: C:\WINDOWS\COM+.log:eddroi
    <<SaveModule
    >>TestModule(496949607)
    Before Service Found:1785121754
    Service File Mapping Found
    Service Found
    >>SaveModule(1)
    Old Path: C:\WINDOWS\system32\msjz.exe
    New Path: C:\WINDOWS\cthlr.txt:wwwxil
    <<SaveModule
    <<Install

    Does that mean anything to me? And does anybody have suggestions on how I get rid of this thing?
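    The "New Path" lines in that log point at NTFS alternate data streams (the second colon after the drive letter, as in COM+.log:eddroi), which is why a regular directory listing does not show the relocated files while an ADS-aware scanner such as TDS-3 does. As an added illustration that is not part of the original post, the Python below parses a constructed excerpt of the same log format and lists the host files whose hidden streams need to be checked:

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed excerpt of the f2install.log quoted above (sample input, not a real capture).
SAMPLE_LOG = r""">>Install Start...
>>SaveModule(0)
Old Path: C:\WINDOWS\apppn.dll
New Path: C:\WINDOWS\COM+.log:eddroi
<<SaveModule
>>SaveModule(1)
Old Path: C:\WINDOWS\system32\msjz.exe
New Path: C:\WINDOWS\cthlr.txt:wwwxil
<<SaveModule
<<Install
"""

class Relocation(NamedTuple):
    old_path: str            # where the module lived before the installer moved it
    host_file: str           # file that now carries it (inside an ADS when stream is set)
    stream: Optional[str]    # alternate data stream name, or None for a plain file

# A second colon after the drive letter marks an NTFS alternate data stream,
# e.g. C:\WINDOWS\COM+.log:eddroi -> host C:\WINDOWS\COM+.log, stream eddroi.
_ADS_RE = re.compile(r"^([A-Za-z]:\\[^:]*):([^:\\]+)$")

def split_ads(path: str) -> Tuple[str, Optional[str]]:
    """Return (host file, stream name); stream is None when only the drive colon is present."""
    m = _ADS_RE.match(path)
    return (m.group(1), m.group(2)) if m else (path, None)

def parse_relocations(log_text: str) -> List[Relocation]:
    """Pair each 'Old Path' line with the 'New Path' line that follows it."""
    relocations, old = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("Old Path:"):
            old = line[len("Old Path:"):].strip()
        elif line.startswith("New Path:") and old is not None:
            host, stream = split_ads(line[len("New Path:"):].strip())
            relocations.append(Relocation(old, host, stream))
            old = None
    return relocations

def ads_hosts(log_text: str) -> List[str]:
    """Files whose alternate data streams hold relocated modules (the ADS-aware scanner targets)."""
    return [r.host_file for r in parse_relocations(log_text) if r.stream]
```

    Deleting the host file removes every stream attached to it, which matches the "some of the host files" step in the post; a stream-only cleanup needs a tool that can address file:stream paths.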
     
  2. Don Pelotas (Registered Member, joined Jun 29, 2004, posts: 2,257)

    crtv32.exe is apparently detected by About Buster (nr. 15 on the list), so you could download and update/run it. An online scan or two wouldn't hurt (links in my signature).

    When this is done, I would download HiJackThis and post your log at CastleCops and let them have a look at it, because you definitely have a problem.

    Hope this helps. :)
     