Trojan horse Downloader.Keenval.E

Discussion in 'adware, spyware & hijack cleaning' started by unison, May 19, 2004.

Thread Status:
Not open for further replies.
  1. unison

    unison Registered Member

    Joined:
    May 19, 2004
    Posts:
    15
    Ok, this is my problem. I have just installed AVG and with my first scan I found that Trojan horse Downloader.Keenval.E is infecting this file: C:\Archivos de Programa\Common Files\updmgr\updmgr.exe
    and AVG can't remove the virus nor delete the file. I have tried deleting the file manually, but a notice says something as if the application were running. I don't know what application responds to this file and I can't close it because my ctrl-alt-del doesn't work ('cause my sister ruined the keyboard). I have scanned the system with Ad-aware 6 Personal, Build 6.181, following the instructions given by you, and during the scan a notice appears several times saying:
    "Virus
    Trojan horse Downloader.Keenval.E
    is found in file
    C:\Archivos de Programa\Common Files\updmgr\updmgr.exe
    To remove this virus, please run AVG for Windows."
    Ha-ha.
    Ok, so here you have the HijackThis log. I hope you can help me.

    Logfile of HijackThis v1.97.7
    Scan saved at 02:53:15 a.m., on 19/05/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\twain_32\VIVID\VIVID.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Archivos de programa\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Archivos de programa\Messenger Plus! 2\MsgPlus.exe
    C:\ARCHIV~1\GRISOF~1\avgcc32.exe
    C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
    C:\ARCHIV~1\GRISOF~1\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\Archivos de programa\MSN Messenger\msnmsgr.exe
    C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
    C:\ARCHIV~1\WinZip\winzip32.exe
    C:\DOCUME~1\Vanina\CONFIG~1\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL
    F1 - win.ini: load=C:\WINDOWS\TWAIN_32\Vivid\VIVID.EXE
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3D933ECB-B42F-9986-B68E-ECD402F70BA9} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Archivos de programa\Archivos comunes\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Archivos de programa\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Archivos de programa\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [updmgr] C:\Archivos de programa\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Archivos de programa\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [Startup Manager Scanner] C:\Archivos de programa\Startup Mechanic\StartupScanner.exe
    O4 - HKLM\..\Run: [KAZAA] C:\Archivos de programa\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [AVG_CC] C:\ARCHIV~1\GRISOF~1\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Archivos de programa\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
    O9 - Extra 'Tools' menuitem: Consola de Sun Java (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17cad419b1de6e8efe01/netzip/RdxIE601_es.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab

    Thanks.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi unison,

    Before you start please unzip hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL

    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL

    O2 - BHO: (no name) - {3D933ECB-B42F-9986-B68E-ECD402F70BA9} - (no file)

    O4 - HKLM\..\Run: [updmgr] C:\Archivos de programa\Common files\updmgr\updmgr.exe

    O4 - HKLM\..\Run: [KAZAA] C:\Archivos de programa\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17cad419b1de6e8efe01/netzip/RdxIE601_es.cab

    Then reboot into safe mode and delete:
    C:\Archivos de programa\Common files\updmgr <= entire folder
    C:\Archivos de programa\PERFECTNAV <= entire folder

    Regards,

    Pieter
     
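    The reply above works from the HijackThis log by hand: spotting the same CLSID hooked twice under different class names, a BHO whose file is gone, and the autorun entry that keeps relaunching the flagged file. The following script is an added example (not code from the thread, from HijackThis or from AVG) that parses the log format shown above into structured entries and applies those same checks automatically. The sample lines are copied from the log posted in the thread; the indicator lists are the CLSIDs and folder names from the reply. Matching a startup entry to a running process by bare file name is an assumption made here, because HijackThis prints some paths in 8.3 short form (ARCHIV~1) and others in long form.

```python
"""Triage helper for HijackThis-style logs (added example, not part of the thread)."""
import re
from collections import defaultdict

# Sample lines copied from the log posted above (a partial log, not the full one).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\ARCHIV~1\GRISOF~1\avgcc32.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Archivos de programa\Messenger Plus! 2\MsgPlus.exe

R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: (no name) - {3D933ECB-B42F-9986-B68E-ECD402F70BA9} - (no file)
O4 - HKLM\..\Run: [updmgr] C:\Archivos de programa\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Archivos de programa\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\ARCHIV~1\GRISOF~1\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [KAZAA] C:\Archivos de programa\Kazaa\kazaa.exe /SYSTRAY
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17cad419b1de6e8efe01/netzip/RdxIE601_es.cab
"""

# Indicators taken from the reply in the thread: CLSIDs it told the poster to fix
# and folder names it told them to delete or disable.
FIX_CLSIDS = (
    "{00D6A7E7-4A97-456f-848A-3B75BF7554D7}",
    "{3D933ECB-B42F-9986-B68E-ECD402F70BA9}",
    "{56336BCB-3D8A-11D6-A00B-0050DA18DE71}",
)
FIX_FRAGMENTS = ("updmgr", "perfec", "kazaa", "altnet")

ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# First drive-letter path ending in a binary extension; quotes around it are optional.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|ocx))"?', re.IGNORECASE)


def parse_log(text):
    """Split a log into (running_processes, entries).

    Each entry is a dict: type (R3, O2, O4, ...), body, CLSIDs found, the first
    file path found (lower-cased), and whether HijackThis reported '(no file)'.
    """
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            body = m.group("body")
            pm = PATH_RE.search(body)
            entries.append({
                "type": m.group("type"),
                "body": body,
                "clsids": [c.upper() for c in CLSID_RE.findall(body)],
                "path": pm.group(1).lower() if pm else None,
                "no_file": "(no file)" in body,
            })
        elif in_procs:
            procs.append(line.lower())
    return procs, entries


def shared_clsids(entries):
    """CLSIDs registered under more than one entry type (same DLL hooked as R3 and O2)."""
    seen = defaultdict(set)
    for e in entries:
        for c in e["clsids"]:
            seen[c].add(e["type"])
    return {c: sorted(t) for c, t in seen.items() if len(t) > 1}


def orphan_entries(entries):
    """Entries whose target file is already gone; the registry key alone remains."""
    return [e["body"] for e in entries if e["no_file"]]


def run_entries_with_live_process(procs, entries):
    """For each O4 autorun entry, report whether its executable is currently running.

    Assumption: match by file name only, since short (8.3) and long paths differ.
    Knowing this tells the user which process to close before a file can be deleted.
    """
    running_names = {p.rsplit("\\", 1)[-1] for p in procs}
    return {e["path"]: e["path"].rsplit("\\", 1)[-1] in running_names
            for e in entries if e["type"] == "O4" and e["path"]}


def match_indicators(entries, clsids=(), path_fragments=()):
    """Log lines that mention any of the given CLSIDs or folder-name fragments."""
    wanted = {c.upper() for c in clsids}
    frags = [f.lower() for f in path_fragments]
    return [e["body"] for e in entries
            if wanted & set(e["clsids"]) or any(f in e["body"].lower() for f in frags)]


if __name__ == "__main__":
    procs, entries = parse_log(SAMPLE_LOG)
    print("CLSIDs hooked under several types:", shared_clsids(entries))
    print("Entries with no file:", orphan_entries(entries))
    for path, live in run_entries_with_live_process(procs, entries).items():
        print(("RUNNING " if live else "stopped ") + path)
    print("Lines matching the reply's indicators:")
    for line in match_indicators(entries, FIX_CLSIDS, FIX_FRAGMENTS):
        print("  " + line)
```

    Running it on the sample shows the two signals the reply acted on without saying so: the PerfectNav DLL is registered under one CLSID as both an R3 search hook and an O2 BHO, and the `{3D933ECB-...}` BHO points at a file that no longer exists. It also shows that `updmgr.exe` is not in the running-process list of this log, so the "application is running" message when deleting it came from something other than a visible process, which is why the reply sends the poster to safe mode for the folder deletion.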
  3. unison

    unison Registered Member

    Joined:
    May 19, 2004
    Posts:
    15
    OH MY GOD! Thank you so very much!!!!! You saved my life :D Now I'm gonna try to play some .rm files with RealOne, maybe this fuc*ing virus was causing all the trouble... If it works, you're GOD!
    Kisses :-*
     
  4. unison

    unison Registered Member

    Joined:
    May 19, 2004
    Posts:
    15
    Damn! Your instructions worked :D But now it reappeared infecting another file! And I wonder if I can do the same thing that you told me to with the other files. The weird thing is that AVG doesn't detect it, though very frequently a notice comes up telling me to run AVG to solve the problem. I'm going crazy. Please, help me?

    This time, the file is:
    C:\System Volume Information\_restore{50E1DE69-AD51-4064-B977-A7C39147FD2A}\RP155\A0019547.exe

    Another thing: is there a way to stop this definitely?

    tnx :)
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands