TrojanDownloader Win32/Swizzor

Hi,
Dell Dimension 4400
Intel Pentium 4, 1600 MHz
Windows XP Home v:5.1.2600 SP 1.0
Internet Explorer v:6.0 SP1.0

I've recently been through the Swen.A and Worm.Automat.AHB and I seem to be finally clean. As a result of paranoia I am doing frequent NortonAV (2002), Panda ActiveScan, TrendMicro HC, NOD32, AVG 6.0, Spybot, SpywareBlaster, SpyGuard, and HJT scans as well as RAV. Just recently installed ZoneAlarm firewall and I know this was identified by RAV prior to that.

One of the AV scans (and the only one)....RAV ....keeps picking up the following Trojandownloader. I can do a Google and get info on the Win32/Swizzor but still haven't figured out a course of action to get it off my computer. Even though I check "Auto Clean" on RAV it's report shows Zero (0) Disinfected.

C:\WINDOWS\Downloaded Program Files\The_Ultimate_Browser_Enhancer.exe.tcf - TrojanDownloader:Win32/Swizzor -> Infected

A computer file search fails to find this file path.

Any suggestions would be greatly appreciated!

Thanks,
Telstar

 

Hi Telstar,

Could you post your HijackThis log
Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
Don´t fix anything yet. Most of what it finds is harmless.

Regards,

Pieter

 

Hi Pieter_Arntz,

HiJackThis log follows. I maintain a HJT ignorelist so for this log I deleted the ignorelist and ran a new scan after verifying latest version of HJT. Therefore, depending on what items you want me to fix I will create a new ignorelist. Makes it easier to track newly found suspicious items.

Thank you for your attention,
Telstar

Logfile of HijackThis v1.97.0
Scan saved at 7:49:03 AM, on 10/5/2003
Platform: Windows XP Home SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Iconoid\iconoid.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthisv1.97\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKCU\..\Run: [Iconoid] "C:\Program Files\Iconoid\iconoid.exe"
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.58-deleon/GoogleNav.cab
O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/oeconfig/MailCfg.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37601.710787037
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify214.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0E54D7F-874B-43B4-AC0B-683140C4A929}: NameServer = 198.6.1.150 198.6.100.150

 

Hi Telstar,

I don't know what RAV finds wrong, but the O16 entries in a HijackThis log show the elements in your Downloaded Program Files folder.
So if we would have seen something like this one:
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - h..p://www.blowsearch.com/TB/The_Ultimate_Browser_Enhancer.exe
I would have understood, but as you can see neither the CLSID nor the filename are present. As you may know lop.com uses several filenames and CLSID's, but I can´t find any other lop.com related entries either.

Regards,

Pieter

 

Hi, the The_Ultimate_Browser_Enhancer.exe.tcf means TrojanHunter has killed it, and renamed it, the .tcf extensions can't be executed, so you can't be infected, you just need to navigate to C:\WINDOWS\Downloaded Program Files then delete the file The_Ultimate_Browser_Enhancer.exe.tcf

 

Hi, ty for your replies,
Pieter says,

Could this then fall into the "false positive" category? As I said, none of the other scans are picking it up so I don't think I'll get too concerned about it. Unfortunately, because I use the RAV on-line scan I am not priviledged to use their Forum to raise this question with them.

Pieter, if you do not see anything else on my HJT to fix I'm going to make that Ignorelist.

WhyMe2 says:

Well, I've just tried that again and do NOT see The_Ultimate..........
amongst the .dll's, .ocx's, .inf's, ActiveX and OSD files. I've checked Properties on each file so it's pretty well imbedded somewhere.

Also WhyMe2 says,

If this is the case I have no worries just have NO proof.

I'm not going to let this make me nervous. Just one of those 'loose ends" that needs closure.

Still open for ideas.

Thank you folks,
Telstar

 

The_Ultimate_Browser_Enhancer.exe.tcf is the proof, the file is called The_Ultimate_Browser_Enhancer.exe just look for the file and delete it.

Only TrojanHunter adds the.tcf extension to files it renames.

 

Hi Telstar,

Your log is clean, so you can make an Ignore list.
Whyme2 is a Trojan Hunter user, so he would know where the extra (.tcf) extension came from.
Maybe he can also tell us if Trojan Hunter hides these files in some manner.

Regards,

Pieter

 

Great! thank you Pieter.

Whyme2 says,

Well, don't know where else to look. Just did a File Search again and comes up empty..."no results to display" Tried both...the .exe as well as the .exe .tcf.

Could there be any other alias the file may be under?

Telstar

 

You have to set up your pc to show hidden files, and extensions the file is hidden in C:\WINDOWS\Downloaded Program Files\ once you unhide your files and extensions just go to C:\WINDOWS\Downloaded Program Files\ and delete it.

 

That adds to the mystery WhyMe2. I have had checked (radio) Explorer>Folder Options>View>Show Hidden Files and Ext .....I just looked again and it is still enabled to show hidden files.

Here is latest TrojanHunter scan. Anything in those "Warnings" to be concerned about?
I see this "gibefsfx" in one of them. I know there's been a Gibe Worm making the rounds. But again, none of my other scans are finding this.

Content.IE5\M1LEFATO\gibefsfx[1].exe

TrojanHunter Full Scan 10-4-3
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan

Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Owner\Desktop\Unused
Desktop Shortcuts\nentenst.exe

Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Owner\Temporary Internet Files\Content.IE5\M1LEFATO\gibefsfx[1].exe

Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\nentenst.exe

No trojan files found

I'll keep looking for that Downloaded Program File.

Thanks,
Telstar

 

Actually, that folder is "special" and you cant view the contents from explorer. Just use a DOS prompt to get there, assuming you know how to use the DOS command cd

First try opening Windows Explorer and browsing to that folder, then from there go to the address bar and type the path to your CMD.EXE, like this -

C:\WINDOWS\System32\cmd.exe

.. this should open it IN that folder already

Make sure your DOS prompt is in the correct folder...


now try
dir *.tcf

If its the only one, you can del *.tcf
..and it surely must be the only one being .tcf

 

Hi Gavin / DiamondCS,

Thank you for your reply,

Coincidently, while receiving your reply I was doing a Google search for "finding hidden files". Indeed, many of the articles reference using the DOS command to find files hidden as a result of a virus attack.

e.g. an exerpt from one of them:
"When I say these files are hidden well, I really mean it. If you don't have any knowledge of DOS then don't plan on finding these files on your own. I say this because these files/folders won't be displayed in Windows Explorer at all -- only DOS. (Even after you have enabled Windows Explorer to "show all files.") And to top it off, the only way to find them in DOS is if you knew the exact location of them. Basically, what I'm saying is if you didn't know the files existed then the chances of you running across them is slim to slimmer."

Unfortunately, like I do not attempt to adjust valves or install timing belts on my car and leave that to a qualified mechanic, similarly I don't have experience with DOS commands to be very effective.

However, I am very good at following clear and specific step by step instructions (e.g. "insert square peg into square hole").

If there is too great a chance that I could muck something up, I'd rather leave well enough alone. I just ran another Panda ActiveScan and unlike previous scans this one did not pick up the C:\WINDOWS\Downloaded Program Files\The_Ultimate_Browser_Enhancer.exe.tcf - TrojanDownloader:Win32/Swizzor -> Infected
as it had previously.

So I guess the question is, if this file is (hopefully) lying dormant could it cause any damage in the future? Or, on the other hand, should I proceed to immediately try and eradicate it from my system?

Thanks again,
Telstar

 

You can ignore that file as it is indeed "dormant"

I would like to see a copy if its easy for you to send it, I believe it is only a spyware downloader though

 

Hi Gavin,

What would you like a copy of?

Telstar

 

The_Ultimate_Browser_Enhancer.exe.tcf

I think Outlook or other email will attach it even if you cant see it, just hit attach, and then in the filename box paste the full path. It should attach

C:\WINDOWS\Downloaded Program Files\The_Ultimate_Browser_Enhancer.exe.tcf

 

Gavin,
I want to be sure I'm understanding.

An interesting suggestion though. In my OE I opened a "New Message" email and sure enough I posted the file path and there is a 10.4 KB file attachment.

I didn't try to open it for fear of reinfecting.

What would you suggest I do with it now?
Telstar

 

Send away submit@diamondcs.com.au

You can then safely ignore it after this as the .tcf extension wont ever be executed.

 

Gavin
you should have it. Failed to put a Subject however.
Since the .tcf extension won't execute, can I attempt to open it from the attachment to see what it's all about?
Thanks,
Telstar

 

Definitely not

You'll need a hex editor if you want to examine the file, but I would just ignore it for now. If you are a TDS user delete it when detected after the next update, and you can consider the case closed

 

Gavin,
Ok, thanks very much for your help. Hopefully that's the end of my experience and exposure to this particular invader.

Telstar