Hidden Trojan in This App !

Since it's a clicker and not a downloader, I would say it is not a real danger or of major concern, but is still not something you want on your pc. I doubt that the infection was in the program, but instead was installed at/by the download site. If you get those types of downloads from mainstram sites you probably won't have that problem:

http://www.majorgeeks.com/search.php

http://www.snapfiles.com/

 

Can't agree with you there Sultan. This is what Viruslist has to say about 'Clickers':- http://www.viruslist.com/en/viruses/encyclopedia?chapter=152540521#clickers

Trojan Clickers
This family of Trojans redirects victim machines to specified websites or other Internet resources. Clickers either send the necessary commands to the browser or replace system files where standard Internet urls are stored (e.g. the 'hosts' file in MS Windows).

Clickers are used:

1) To raise the hit-count of a specific site for advertising purposes
2) To organize a DoS attack on a specified server or site
3) To lead the victim to an infected resource where the machine will be attacked by other malware (viruses or Trojans).

It is (3) above that is the main concern of course, but I'm not too keen on the others either!

Spanner, is that info from WinPatrol, 'Plus' members info, or is it generally available?

 

According to my observation....this is what happened in this case also.

Once you are at the startupmechanic page and click on the start-up mechanic gif....it actually takes you to what appears to be a lop site. Since the download is not available @ the moment....or it has been removed....that's as far as my testing could go.

download link view source code at startupmechanic.com site:

Code:

hxxp://[B]dw.com.com[/B]/redir?
pid=10349821&merid=6244207&mfgid=6244207&ltype=
dl_dlnow&[B]lop[/B]=link&edId=3&siteId=4&oId=
3120-2086_4-10349821&ontId=2086_4&destUrl=
hxxp://[b]www.download.com[/B]%2F3001-2086_4-10349821.html

 

Spanner, I wish I had something constructive to add to Bubba's excellent detective work, but I'm afraid I don't!

It was good of you not to be suckered by this thing in the first place, I suspect most people would not have been so alert to the danger and would have ended up being redirected to a site where a juicy, spyware filled, forced download awaited them! Mind you, with your browser settings, you probably could have avoided that debacle in any case!

 

Actually....strict browser settings....no matter the browser of choice....played no part in this download. The download itself....mechanic-2[2].2.exe....was flagged @ Jotti's as having Trojan.Clicker.VB.DN by Kav, Bitdefender and MKS-vir.

So my advice to others is no different than what many other security minded individuals would say and that is that now-a-days downloaded files should be scanned before they are even executed....no matter the download source.

 

I downloaded a copy (MD5 - 458E8CA2377563C3CEECCEC97219624) from PCWorld and installed it. TDS3, BOClean, F-Prot's monitor, and Outpost Pro are keeping quiet. PG so far only alerts on the execution of startupmechanic.exe. I do think their database needs some serious review...

Nick

 

Still unable to get a copy from download.com (server busy error, try later...). Is the MD5 of your copy different?

Nick

 

Hi Spanner,

I restored the image I made before I tried it. I saw no security issues. Its memory load was over 22Mb, which seemed excessive for what it does. It appears to scan your autostarts when you run it, and makes recommendations based on its database file (mine was dated December 2004). It also classified Process Guard and CursorXP as "useless" (besides classifying BOClean as a trojan). I tracked the install and saved the InCtrl5 report if you ever need it.

Nick