Toolbardom4 trojan?

Discussion in 'malware problems & news' started by JohnK, Jan 14, 2006.

Thread Status:
Not open for further replies.
  1. JohnK

    JohnK Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    20
    Yesterday I was downloading a file (the 1by1 MP3 player - via one of the mainstream download sites) when a trojan alert popped up from BoClean. The alert was for "Toolbardom4 trojan variant". BoClean deleted the 1by1 download.

    Then my internet connection died. Something had deleted the DNS entries in my TCP/IP settings. I tried to run AdAware, but AdAware said its database had been corrupted.

    However I can find no other evidence of infection. My antivirus software (ETrust) says I'm clean, I'm getting no alerts from my firewall (Kerio v2) or any more from BoClean. I ran the latest version of Stinger, downloaded from another machine, and that also gives the "infected" machine a clean bill of health. Any more suggestions?

    The BoClean web site lists Toolbardom4, and says it deletes it automatically, but I can't find any other web references to it. Could the trojan (presuming it was one) have deleted my DNS settings before BoClean got to it?

    JohnK
     
  2. controler

    controler Guest

    There is an option in BoClean config, automatic cleanup of winsock connectivity.
    This is what messed with your DNS, I am guessing.

    The other option that would have helped is to tick KEEP copy of trojan as evidence.

    Kevin has an exe you can run and send the txt file to him. I am sure if you contact him, he will be able to help.

    con
     
  3. controler

    controler Guest

    You can also click examine report in BoClean GUI.

    Hope Kevin doesn't mind but here is a quote from his support site.

    "When the "Automatic cleanup of winsock connectivity" checkbox is checked, upon a detection of a nasty, BOClean will completely delete the HOSTS file from its location in order to circumvent corruption of the data present. The HOSTS file if used, will have to be replaced with a good copy. For anyone using a HOSTS file, it is therefore recommended that a backup copy be kept in order to replace the original if "file not found." This function ALSO removes any settings that are placed into the "ZONES" registry keys for "Domains," "Ranges" and "Protocol Defaults" settings since these are often populated with redirects to bad places or worse.

    Finally, the "Automatic cleanup of winsock connectivity" will ALSO examine the WINSOCK2 keys and if a trojan is removed which affects the LSP stack, BOClean will completely reshuffle the winsock subkeys to eradicate the "missing link" which causes internet connectivity to fail, which in turn requires completely reloading networking on the machine or reformatting it. BOClean will do this automatically in a manner similar to the "geek tool" known as "LSPFIX" without the need to do so manually. If unchecked, then any trojan which affects any of these items would require manual repair. We explain this in detail because any "network connectivity" issues have been a major portion of support requirement for us as a result of some nasties out there, and a major focus of BOClean 4.12 and later was a means of automating this most difficult cleanup since it seems no two internet providers set up the winsock the same way twice. As a result, when network connectivity was lost due to a trojan, we had to refer the victim to their ISP to help them remove and then reinstall "networking." In addition, any DNS-tampering trojans will have any changes to "NameServer" and other connectivity issues automatically resolved when this item is checked."

    con
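
As an added example (not part of the thread and not BOClean's own tooling), a read-only PowerShell check of the items the quoted support text says the cleanup touches: the HOSTS file, the zone-mapping keys, the per-interface "NameServer" values and the Winsock catalog. The registry and file paths are the standard Windows locations and are an assumption here, since the thread names only HOSTS, "ZONES", "WINSOCK2" and "NameServer".

```powershell
# Read-only check of what the quoted cleanup touches; nothing is modified.
# Registry and file paths are the standard Windows locations (an assumption:
# the thread names only HOSTS, "ZONES", "WINSOCK2" and "NameServer").
$report = [ordered]@{}

# 1. HOSTS file: deleted outright on a detection, per the quoted text.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path -LiteralPath $hostsPath) {
    $active = @(Get-Content -LiteralPath $hostsPath |
        Where-Object { $_.Trim() -and -not $_.TrimStart().StartsWith('#') })
    $report['HOSTS'] = "present, $($active.Count) active entries"
} else {
    $report['HOSTS'] = 'missing; restore from a known-good backup if one is used'
}

# 2. Zone mappings: entries still present after cleanup deserve a manual look.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
foreach ($sub in 'Domains', 'Ranges', 'ProtocolDefaults') {
    $key = Get-Item -Path (Join-Path $zoneMap $sub) -ErrorAction SilentlyContinue
    $report["ZoneMap\$sub"] = if ($key) {
        "$($key.SubKeyCount) subkeys, $($key.ValueCount) values"
    } else { 'key absent' }
}

# 3. DNS servers per interface: no static and no DHCP value explains a dead connection.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
foreach ($nic in @(Get-ChildItem -Path $ifRoot -ErrorAction SilentlyContinue)) {
    $p = Get-ItemProperty -Path $nic.PSPath
    $dns = @($p.NameServer, $p.DhcpNameServer) | Where-Object { $_ }
    $report["DNS $($nic.PSChildName)"] = if ($dns) { $dns -join ' / ' } else { 'none set' }
}

# 4. Winsock catalog: the declared entry count should match the entries present;
#    a mismatch is one sign of the broken chain the quote calls the "missing link".
$ws = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
$catName = (Get-ItemProperty -Path $ws -ErrorAction SilentlyContinue).Current_Protocol_Catalog
if ($catName) {
    $cat = Join-Path $ws $catName
    $declared = (Get-ItemProperty -Path $cat).Num_Catalog_Entries
    $actual = @(Get-ChildItem -Path (Join-Path $cat 'Catalog_Entries')).Count
    $report['Winsock'] = "declared $declared, found $actual" +
        $(if ($declared -ne $actual) { ' (MISMATCH)' })
} else { $report['Winsock'] = 'catalog not found' }

$report.GetEnumerator() | Format-Table -AutoSize Key, Value
```

Reading the HKLM keys works from a normal session; a "none set" DNS line on the active adapter matches the symptom described in the first post.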
     
  4. JohnK

    JohnK Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    20
    Thank you, Controler, that's very helpful. Of course, if I'd engaged the brain, the BoClean help file should have been my first port of call...

    I guess it's fairly safe to re-connect the machine to the outside world, in that case. The only remaining mystery is why the AdAware database would have become corrupted. It could just have been the trojan's best efforts in the milliseconds it was alive, I guess. Or just a coincidence. Thanks again.

    JohnK
     
  5. controler

    controler Guest
