Trojan horse Downloader.Keenval.E

Discussion in 'adware, spyware & hijack cleaning' started by unison, May 19, 2004.

Thread Status:
Not open for further replies.
  1. unison

    unison Registered Member

    Joined:
    May 19, 2004
    Posts:
    15
    Ok, this is my problem. I have just installed AVG and with my first scan I found that Trojan horse Downloader.Keenval.E is infecting this file: C:\Archivos de Programa\Common Files\updmgr\updmgr.exe
    and AVG can't remove the virus nor delete the file. I have tried deleting the file manually, but a notice says something like the application is running. I don't know what application responds to this file and I can't close it because my Ctrl-Alt-Del doesn't work ('cause my sister ruined the keyboard). I have scanned the system with Ad-aware 6 Personal, Build 6.181 following the instructions given by you, and during the scan a notice appears several times saying:
    "Virus
    Trojan horse Downloader.Keenval.E
    is found in file
    C:\Archivos de Programa\Common Files\updmgr\updmgr.exe
    To remove this virus, please run AVG for Windows."
    Ha-ha.
    Ok, so here you have the HijackThis log. I hope you can help me.

    Logfile of HijackThis v1.97.7
    Scan saved at 02:53:15 a.m., on 19/05/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\twain_32\VIVID\VIVID.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Archivos de programa\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Archivos de programa\Messenger Plus! 2\MsgPlus.exe
    C:\ARCHIV~1\GRISOF~1\avgcc32.exe
    C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
    C:\ARCHIV~1\GRISOF~1\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\Archivos de programa\MSN Messenger\msnmsgr.exe
    C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
    C:\ARCHIV~1\WinZip\winzip32.exe
    C:\DOCUME~1\Vanina\CONFIG~1\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL
    F1 - win.ini: load=C:\WINDOWS\TWAIN_32\Vivid\VIVID.EXE
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3D933ECB-B42F-9986-B68E-ECD402F70BA9} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Archivos de programa\Archivos comunes\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Archivos de programa\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Archivos de programa\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [updmgr] C:\Archivos de programa\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Archivos de programa\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [Startup Manager Scanner] C:\Archivos de programa\Startup Mechanic\StartupScanner.exe
    O4 - HKLM\..\Run: [KAZAA] C:\Archivos de programa\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [AVG_CC] C:\ARCHIV~1\GRISOF~1\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Archivos de programa\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
    O9 - Extra 'Tools' menuitem: Consola de Sun Java (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17cad419b1de6e8efe01/netzip/RdxIE601_es.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab

    Thanks.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi unison,

    Before you start please unzip hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL

    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL

    O2 - BHO: (no name) - {3D933ECB-B42F-9986-B68E-ECD402F70BA9} - (no file)

    O4 - HKLM\..\Run: [updmgr] C:\Archivos de programa\Common files\updmgr\updmgr.exe

    O4 - HKLM\..\Run: [KAZAA] C:\Archivos de programa\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17cad419b1de6e8efe01/netzip/RdxIE601_es.cab

    Then reboot into safe mode and delete:
    C:\Archivos de programa\Common files\updmgr <= entire folder
    C:\Archivos de programa\PERFECTNAV <= entire folder

    Regards,

    Pieter
     
  3. unison

    unison Registered Member

    Joined:
    May 19, 2004
    Posts:
    15
    OH MY GOD! Thank you so very much!!!!! You saved my life :D Now I'm gonna try to play some .rm files with RealOne, maybe this fuc*ing virus was causing all the trouble... If it works, you're GOD!
    Kisses :-*
     
  4. unison

    unison Registered Member

    Joined:
    May 19, 2004
    Posts:
    15
    Damn! Your instructions worked :D But now it has reappeared, infecting another file! And I wonder if I can do the same thing that you told me to with the other files. The weird thing is that AVG doesn't detect it, though very frequently a notice comes up telling me to run AVG to solve the problem. I'm going crazy. Please help me?

    This time, the file is:
    C:\System Volume Information\_restore{50E1DE69-AD51-4064-B977-A7C39147FD2A}\RP155\A0019547.exe

    Another thing: is there a way to stop this definitely?

    tnx :)
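An added example, not code from the thread or from HijackThis itself, that ties the two technical points above together: what "Fix checked" on the entries Pieter_Arntz listed actually amounts to (which registry value or key and which file each R3, O2, O4 and O16 line stands for, and why the PerfectNav DLL shows up twice, under two different hook points), and how to recognise the second detection path as a System Restore copy rather than a fresh infection. The registry locations are the standard Windows XP / IE6 ones behind those HijackThis sections; the "Downloaded Program Files" folder for O16 controls is the standard location and is an assumption here, not something taken from the log. The sample lines are copied from the log posted above.

```python
"""Parse HijackThis entries, map each to the persistence point it represents,
and build the cleanup plan that 'Fix checked' on that entry amounts to.

Added illustration for this thread; not HijackThis code. Registry paths are
the standard Windows XP locations behind the R3, O2, O4 and O16 sections.
"""
import re
from dataclasses import dataclass

RUN_KEY = r"{hive}\Software\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
SEARCHHOOK_KEY = r"HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks"
DPF_KEY = r"HKLM\Software\Microsoft\Code Store Database\Distribution Units"
CLSID_KEY = r"HKCR\CLSID"
DPF_DIR = r"C:\WINDOWS\Downloaded Program Files"   # assumed standard location

_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
_O2 = re.compile(r"^O2 - BHO: (.*?) - (\{[^}]+\}) - (.+)$")
_R3 = re.compile(r"^R3 - URLSearchHook: (.*?) - (\{[^}]+\}) - (.+)$")
_O16 = re.compile(r"^O16 - DPF: (\{[^}]+\})(?: \(([^)]*)\))? - (.+)$")
_RESTORE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\", re.I)


@dataclass
class Entry:
    section: str        # O4, O2, R3 or O16
    name: str           # Run value name, BHO/hook class name, DPF control name
    target: str         # executable, DLL, "(no file)", or download URL
    clsid: str = ""     # COM class id for O2/R3/O16
    hive: str = ""      # HKLM or HKCU for O4


def exe_path(command: str) -> str:
    """Strip arguments from a Run value: '"C:\\a b\\x.exe" /flag' -> 'C:\\a b\\x.exe'."""
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    bare = re.match(r"(.+?\.exe)", command, re.I)
    return bare.group(1) if bare else command


def parse_line(line: str):
    """Return an Entry for the sections handled here, None for anything else."""
    line = line.strip()
    if m := _O4.match(line):
        return Entry("O4", m.group(2), exe_path(m.group(3)), hive=m.group(1))
    if m := _O2.match(line):
        return Entry("O2", m.group(1), m.group(3), clsid=m.group(2))
    if m := _R3.match(line):
        return Entry("R3", m.group(1), m.group(3), clsid=m.group(2))
    if m := _O16.match(line):
        return Entry("O16", m.group(2) or "", m.group(3), clsid=m.group(1))
    return None


def cleanup_plan(entry: Entry) -> dict:
    """Registry items and files that removing this entry corresponds to."""
    plan = {"registry": [], "files": []}
    if entry.section == "O4":
        plan["registry"].append(f"{RUN_KEY.format(hive=entry.hive)} -> value '{entry.name}'")
        plan["files"].append(entry.target)
    elif entry.section in ("O2", "R3"):
        hook = (f"{BHO_KEY}\\{entry.clsid}" if entry.section == "O2"
                else f"{SEARCHHOOK_KEY} -> value '{entry.clsid}'")
        plan["registry"] += [hook, f"{CLSID_KEY}\\{entry.clsid}"]
        if entry.target != "(no file)":      # orphan entry: nothing left on disk
            plan["files"].append(entry.target)
    elif entry.section == "O16":
        plan["registry"].append(f"{DPF_KEY}\\{entry.clsid}")
        plan["files"].append(f"{DPF_DIR} (control {entry.clsid})")
    return plan


def shared_components(entries):
    """CLSIDs registered under more than one hook point. Fixing only one of
    the entries leaves the other load path for the same DLL in place."""
    by_clsid = {}
    for e in entries:
        if e.clsid:
            by_clsid.setdefault(e.clsid, set()).add(e.section)
    return {c: s for c, s in by_clsid.items() if len(s) > 1}


def is_restore_point_copy(path: str) -> bool:
    """True when a detection sits inside a System Restore point (RPnnn\\A00xxxxx.exe):
    that is System Restore's saved copy of a file already deleted elsewhere."""
    return bool(_RESTORE.search(path))


# Lines copied from the posted log: the entries Pieter_Arntz said to fix.
FLAGGED = [
    r"R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL",
    r"O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL",
    r"O2 - BHO: (no name) - {3D933ECB-B42F-9986-B68E-ECD402F70BA9} - (no file)",
    r"O4 - HKLM\..\Run: [updmgr] C:\Archivos de programa\Common files\updmgr\updmgr.exe",
    r"O4 - HKLM\..\Run: [KAZAA] C:\Archivos de programa\Kazaa\kazaa.exe /SYSTRAY",
    r"O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17cad419b1de6e8efe01/netzip/RdxIE601_es.cab",
]

if __name__ == "__main__":
    entries = [e for e in map(parse_line, FLAGGED) if e]
    for e in entries:
        print(e.section, e.name, cleanup_plan(e))
    print("registered under several hooks:", shared_components(entries))
    print(is_restore_point_copy(
        r"C:\System Volume Information\_restore{50E1DE69-AD51-4064-B977-A7C39147FD2A}\RP155\A0019547.exe"))
```

The `shared_components` check is the reason both the R3 and the O2 line for PERFEC~1.DLL had to be fixed together: the same CLSID is registered as a URLSearchHook and as a BHO, and clearing one leaves Internet Explorer loading the DLL through the other. The `is_restore_point_copy` check explains the second detection in post 4: the path under `_restore{...}\RP155` is the copy System Restore took of the file that was deleted, not a new infection of a live file, which is also why the running system no longer shows it in the Run key.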
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands