TrojanDownloader Win32/Swizzor

Discussion in 'malware problems & news' started by Telstar, Oct 5, 2003.

Thread Status:
Not open for further replies.
  1. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Hi,
    Dell Dimension 4400
    Intel Pentium 4, 1600 MHz
    Windows XP Home v:5.1.2600 SP 1.0
    Internet Explorer v:6.0 SP1.0

    I've recently been through the Swen.A and Worm.Automat.AHB and I seem to be finally clean. As a result of paranoia I am doing frequent NortonAV (2002), Panda ActiveScan, TrendMicro HC, NOD32, AVG 6.0, Spybot, SpywareBlaster, SpyGuard, and HJT scans as well as RAV. Just recently installed ZoneAlarm firewall and I know this was identified by RAV prior to that.

    One of the AV scans (and the only one)....RAV ....keeps picking up the following Trojandownloader. I can do a Google and get info on the Win32/Swizzor but still haven't figured out a course of action to get it off my computer. Even though I check "Auto Clean" on RAV its report shows Zero (0) Disinfected.

    C:\WINDOWS\Downloaded Program Files\The_Ultimate_Browser_Enhancer.exe.tcf - TrojanDownloader:Win32/Swizzor -> Infected

    A computer file search fails to find this file path.

    Any suggestions would be greatly appreciated!

    Thanks,
    Telstar
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Telstar,

    Could you post your HijackThis log
    Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet. Most of what it finds is harmless.

    Regards,

    Pieter
     
  3. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Hi Pieter_Arntz,

    HiJackThis log follows. I maintain a HJT ignorelist so for this log I deleted the ignorelist and ran a new scan after verifying latest version of HJT. Therefore, depending on what items you want me to fix I will create a new ignorelist. Makes it easier to track newly found suspicious items.

    Thank you for your attention,
    Telstar

    Logfile of HijackThis v1.97.0
    Scan saved at 7:49:03 AM, on 10/5/2003
    Platform: Windows XP Home SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Iconoid\iconoid.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    C:\Program Files\SETI@home\SETI@home.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthisv1.97\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.netscape.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKCU\..\Run: [Iconoid] "C:\Program Files\Iconoid\iconoid.exe"
    O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab
    O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.58-deleon/GoogleNav.cab
    O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/oeconfig/MailCfg.cab
    O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37601.710787037
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify214.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F0E54D7F-874B-43B4-AC0B-683140C4A929}: NameServer = 198.6.1.150 198.6.100.150
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Telstar,

    I don't know what RAV finds wrong, but the O16 entries in a HijackThis log show the elements in your Downloaded Program Files folder.
    So if we would have seen something like this one:
    O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - h..p://www.blowsearch.com/TB/The_Ultimate_Browser_Enhancer.exe
    I would have understood, but as you can see neither the CLSID nor the filename is present. As you may know, lop.com uses several filenames and CLSIDs, but I can't find any other lop.com related entries either.

    Regards,

    Pieter
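The cross-check Pieter describes above (an RAV hit under Downloaded Program Files should correspond to an O16 line, either by CLSID or by download filename) as an added example; this is not code from the thread, from HijackThis or from RAV. SAMPLE_LOG is a handful of lines copied from Telstar's log above, and PIETER_EXAMPLE is the hypothetical lop.com line from his reply, which is not in the log. The "second look" heuristic at the end (entries with no CLSID, or fetched over plain HTTP on a non-default port) is my own rule of thumb, not anything the thread states.

```python
"""Added example; not code from the thread, from HijackThis or from RAV.

Pieter's reasoning above: the O16 (DPF) lines of a HijackThis log list what
Internet Explorer has installed into Downloaded Program Files, so a file RAV
flags in that folder should show up there by CLSID or by download filename.
This parser performs that cross-check over O16 lines and also groups entries by
download host, the quickest way to spot one that does not belong. SAMPLE_LOG is
copied from Telstar's log in this thread; PIETER_EXAMPLE is the hypothetical
line from his reply (a lop.com entry that is not in the log).
"""
import re
from urllib.parse import urlsplit

SAMPLE_LOG = [
    "O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab",
    "O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab",
    "O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB",
    "O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab",
    "O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab",
    "O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.58-deleon/GoogleNav.cab",
    "O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37601.710787037",
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{F0E54D7F-874B-43B4-AC0B-683140C4A929}: NameServer = 198.6.1.150 198.6.100.150",
]
PIETER_EXAMPLE = ("O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - "
                  "h..p://www.blowsearch.com/TB/The_Ultimate_Browser_Enhancer.exe")

CLSID_RE = re.compile(r"^(\{[0-9A-Fa-f-]{36}\})\s*(?:\((.*)\))?$")
PREFIX = "O16 - DPF: "


def parse_o16(line):
    """Split one O16 line into CLSID, display name, URL and URL parts; None if not O16."""
    line = line.strip()
    if not line.startswith(PREFIX):
        return None
    label, sep, url = line[len(PREFIX):].rpartition(" - ")  # the URL never contains spaces
    if not sep:
        return None
    clsid, name = None, label.strip()
    m = CLSID_RE.match(name)
    if m:                                   # "{CLSID} (Description)" or a bare "{CLSID}"
        clsid, name = m.group(1).upper(), (m.group(2) or "").strip()
    u = urlsplit(url)
    return {"clsid": clsid, "name": name, "url": url, "scheme": u.scheme,
            "host": u.hostname, "port": u.port, "file": u.path.rsplit("/", 1)[-1]}


def parse_log(lines):
    """All O16 entries in a HijackThis log, in order; other line types are skipped."""
    return [e for e in (parse_o16(l) for l in lines) if e]


def find_in_dpf(entries, filename=None, clsid=None):
    """Entries matching a flagged download filename and/or CLSID (case-insensitive)."""
    hits = []
    for e in entries:
        if (filename and e["file"].lower() == filename.lower()) or \
           (clsid and e["clsid"] == clsid.upper()):
            hits.append(e)
    return hits


def by_host(entries):
    """Download filenames grouped by the host they were fetched from."""
    out = {}
    for e in entries:
        out.setdefault(e["host"], []).append(e["file"])
    return out


def second_look(entries):
    """Heuristic only, not a verdict: entries without a CLSID, or fetched over plain
    HTTP on a non-default port, are the ones to read up on first."""
    return [e for e in entries
            if e["clsid"] is None or (e["scheme"] == "http" and e["port"] not in (None, 80))]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    flagged = "The_Ultimate_Browser_Enhancer.exe"      # RAV's path, minus the .tcf suffix
    print("hits in this log:", find_in_dpf(entries, filename=flagged))
    print("hits if Pieter's line were present:",
          find_in_dpf(entries + [parse_o16(PIETER_EXAMPLE)], filename=flagged))
    for host, files in by_host(entries).items():
        print(f"{host:40} {', '.join(files)}")
    print("worth a second look:", [e["url"] for e in second_look(entries)])
```

Run it as-is to see the cross-check come back empty for the real log and return one hit once Pieter's hypothetical line is added, which is exactly the argument he makes. To use it on your own log, replace SAMPLE_LOG with the full file read line by line; the O17 line is included only to show that non-O16 lines are ignored.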
     
  5. Whyme2

    Whyme2 Guest

    Hi, the name The_Ultimate_Browser_Enhancer.exe.tcf means TrojanHunter has killed it and renamed it. The .tcf extension can't be executed, so you can't be infected; you just need to navigate to C:\WINDOWS\Downloaded Program Files and then delete the file The_Ultimate_Browser_Enhancer.exe.tcf.
     
  6. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Hi, ty for your replies, :)
    Pieter says,
    Could this then fall into the "false positive" category? As I said, none of the other scans are picking it up so I don't think I'll get too concerned about it. Unfortunately, because I use the RAV on-line scan I am not privileged to use their Forum to raise this question with them.

    Pieter, if you do not see anything else on my HJT to fix I'm going to make that Ignorelist.

    WhyMe2 says:
    Well, I've just tried that again and do NOT see The_Ultimate..........
    amongst the .dll's, .ocx's, .inf's, ActiveX and OSD files. I've checked Properties on each file so it's pretty well embedded somewhere.

    Also WhyMe2 says,
    If this is the case I have no worries just have NO proof.

    I'm not going to let this make me nervous. Just one of those 'loose ends" that needs closure.

    Still open for ideas.

    Thank you folks,
    Telstar
     
  7. Whyme2

    Whyme2 Guest

    The_Ultimate_Browser_Enhancer.exe.tcf is the proof, the file is called The_Ultimate_Browser_Enhancer.exe just look for the file and delete it.

    Only TrojanHunter adds the .tcf extension to files it renames.
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Telstar,

    Your log is clean, so you can make an Ignore list.
    Whyme2 is a Trojan Hunter user, so he would know where the extra (.tcf) extension came from.
    Maybe he can also tell us if Trojan Hunter hides these files in some manner.

    Regards,

    Pieter
     
  9. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Great! thank you Pieter.

    Whyme2 says,
    Well, don't know where else to look. Just did a File Search again and comes up empty..."no results to display" Tried both...the .exe as well as the .exe .tcf.

    Could there be any other alias the file may be under?

    Telstar
     
  10. Whyme2

    Whyme2 Guest

    You have to set up your PC to show hidden files and extensions. The file is hidden in C:\WINDOWS\Downloaded Program Files\. Once you unhide your files and extensions, just go to C:\WINDOWS\Downloaded Program Files\ and delete it.
     
  11. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    That adds to the mystery WhyMe2. I have had checked (radio button) Explorer > Folder Options > View > Show Hidden Files and Ext.... I just looked again and it is still enabled to show hidden files.

    Here is latest TrojanHunter scan. Anything in those "Warnings" to be concerned about?
    I see this "gibefsfx" in one of them. I know there's been a Gibe Worm making the rounds. But again, none of my other scans are finding this.

    Content.IE5\M1LEFATO\gibefsfx[1].exe

    TrojanHunter Full Scan 10-4-3
    Registry scan
    No suspicious entries found
    Inifile scan
    No suspicious entries found
    Port scan
    No suspicious open ports found
    Memory scan
    No trojans found in memory
    File scan

    Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Owner\Desktop\Unused
    Desktop Shortcuts\nentenst.exe

    Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Owner\Temporary Internet Files\Content.IE5\M1LEFATO\gibefsfx[1].exe

    Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\nentenst.exe

    No trojan files found

    I'll keep looking for that Downloaded Program File.

    Thanks,
    Telstar
     
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Actually, that folder is "special" and you can't view the contents from Explorer. Just use a DOS prompt to get there, assuming you know how to use the DOS command cd

    First try opening Windows Explorer and browsing to that folder, then from there go to the address bar and type the path to your CMD.EXE, like this -

    C:\WINDOWS\System32\cmd.exe

    .. this should open it IN that folder already

    Make sure your DOS prompt is in the correct folder...


    now try
    dir *.tcf

    If it's the only one, you can del *.tcf
    ..and it surely must be the only one being .tcf

    :D
     
  13. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Hi Gavin / DiamondCS,

    Thank you for your reply,

    Coincidentally, while receiving your reply I was doing a Google search for "finding hidden files". Indeed, many of the articles reference using the DOS command to find files hidden as a result of a virus attack.

    e.g. an excerpt from one of them:
    "When I say these files are hidden well, I really mean it. If you don't have any knowledge of DOS then don't plan on finding these files on your own. I say this because these files/folders won't be displayed in Windows Explorer at all -- only DOS. (Even after you have enabled Windows Explorer to "show all files.") And to top it off, the only way to find them in DOS is if you knew the exact location of them. Basically, what I'm saying is if you didn't know the files existed then the chances of you running across them is slim to slimmer."

    Unfortunately, like I do not attempt to adjust valves or install timing belts on my car and leave that to a qualified mechanic, similarly I don't have experience with DOS commands to be very effective.

    However, I am very good at following clear and specific step by step instructions (e.g. "insert square peg into square hole").

    If there is too great a chance that I could muck something up, I'd rather leave well enough alone. I just ran another Panda ActiveScan and unlike previous scans this one did not pick up the C:\WINDOWS\Downloaded Program Files\The_Ultimate_Browser_Enhancer.exe.tcf - TrojanDownloader:Win32/Swizzor -> Infected
    as it had previously.

    So I guess the question is, if this file is (hopefully) lying dormant could it cause any damage in the future? Or, on the other hand, should I proceed to immediately try and eradicate it from my system?

    Thanks again,
    Telstar
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    You can ignore that file as it is indeed "dormant"

    I would like to see a copy if its easy for you to send it, I believe it is only a spyware downloader though :)
     
  15. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Hi Gavin,

    What would you like a copy of?

    Telstar
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    The_Ultimate_Browser_Enhancer.exe.tcf :)

    I think Outlook or other email will attach it even if you can't see it, just hit attach, and then in the filename box paste the full path. It should attach

    C:\WINDOWS\Downloaded Program Files\The_Ultimate_Browser_Enhancer.exe.tcf
     
  17. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Gavin,
    I want to be sure I'm understanding.

    An interesting suggestion though. In my OE I opened a "New Message" email and sure enough I posted the file path and there is a 10.4 KB file attachment.

    I didn't try to open it for fear of reinfecting.

    What would you suggest I do with it now?
    Telstar
     
  18. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Send away :) submit@diamondcs.com.au

    You can then safely ignore it after this as the .tcf extension won't ever be executed.
     
  19. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Gavin
    you should have it. Failed to put a Subject however.
    Since the .tcf extension won't execute, can I attempt to open it from the attachment to see what it's all about?
    Thanks,
    Telstar
     
  20. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Definitely not :D

    You'll need a hex editor if you want to examine the file, but I would just ignore it for now. If you are a TDS user delete it when detected after the next update, and you can consider the case closed :)
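The whole procedure Gavin lays out across his posts above (list the shell-special Downloaded Program Files folder from a command prompt rather than Explorer, keep a copy to send to the vendor, look at the file's bytes instead of opening it, and only then delete the .tcf) as one added example; this is not code from the thread or from TrojanHunter, TDS or RAV. It also reads the PE section names, which is the quickest way to see the UPX packing that TrojanHunter's "Unable to unpack UPX-packed file" warnings earlier in the thread refer to. Assumptions: the default folder path is the one from the first post, the UPX section names are the packer's defaults, and the sample built by build_fake_pe() is a constructed header-only stub for the self-test, not a real Swizzor file.

```python
"""Added example; not code from the thread or from TrojanHunter, TDS or RAV.

Triage for samples an AV tool has neutralised by renaming (TrojanHunter's .tcf
suffix here) in a folder Explorer will not list, such as
C:\\WINDOWS\\Downloaded Program Files: enumerate them without the shell view,
record size and SHA-256, inspect the PE header without running anything (the
"hex editor" step), zip a copy for submission, and only then delete.
Assumptions: standard UPX section names; the default path is the one in the
thread; the sample in demo() is constructed, not a real Swizzor file.
"""
import hashlib
import struct
import tempfile
import zipfile
from pathlib import Path

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # assumption: default UPX names


def pe_summary(data: bytes) -> dict:
    """Describe a PE file from its headers only; junk input gives is_pe=False."""
    info = {"is_pe": False, "machine": None, "sections": [], "upx_packed": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    coff = e_lfanew + 4                      # 20-byte COFF header follows "PE\0\0"
    machine, num_sections = struct.unpack_from("<HH", data, coff)
    size_opt_hdr = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt_hdr         # section table: 40 bytes per entry
    names = [data[o:o + 8].rstrip(b"\0") for o in range(table, table + 40 * num_sections, 40)
             if o + 40 <= len(data)]         # stop quietly on a truncated table
    info.update(is_pe=True, machine=hex(machine),
                sections=[n.decode("ascii", "replace") for n in names],
                upx_packed=any(n in UPX_SECTION_NAMES for n in names))
    return info


def triage(folder, quarantine, suffix=".tcf", delete=False) -> list:
    """Hash, describe and zip every renamed sample in folder; delete only if asked."""
    folder, quarantine = Path(folder), Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    # iterdir() applies none of Explorer's hidden/system filtering, so it sees
    # what "dir" in cmd sees in a shell-special folder.
    samples = sorted(p for p in folder.iterdir() if p.is_file() and p.suffix.lower() == suffix)
    records = []
    if not samples:
        return records
    with zipfile.ZipFile(quarantine / "samples.zip", "w", zipfile.ZIP_DEFLATED) as zf:
        for p in samples:
            data = p.read_bytes()
            zf.writestr(p.name, data)        # the copy for the vendor travels zipped
            records.append({"name": p.name, "size": len(data),
                            "sha256": hashlib.sha256(data).hexdigest(), **pe_summary(data)})
    with (quarantine / "manifest.txt").open("a", encoding="utf-8") as mf:
        for r in records:
            mf.write(f"{r['name']}\t{r['size']}\t{r['sha256']}\tupx={r['upx_packed']}\n")
    if delete:                               # evidence has been preserved above first
        for p in samples:
            p.unlink()
    return records


def build_fake_pe(section_names=(b"UPX0", b"UPX1")) -> bytes:
    """Constructed test input: a header-only PE stub, not a real sample."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections


def demo(base=None) -> dict:
    """Run the full flow on the constructed sample in a scratch directory."""
    base = Path(base or tempfile.mkdtemp())
    dpf = base / "Downloaded Program Files"
    dpf.mkdir(exist_ok=True)
    sample = dpf / "The_Ultimate_Browser_Enhancer.exe.tcf"
    sample.write_bytes(build_fake_pe())
    records = triage(dpf, base / "quarantine", delete=True)
    with zipfile.ZipFile(base / "quarantine" / "samples.zip") as zf:
        members = zf.namelist()
    return {"records": records, "still_present": sample.exists(), "zip_members": members}


if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    if not args:
        print(demo())
    else:
        for r in triage(args[0], "quarantine", delete="--delete" in sys.argv):
            print(r)
```

Without arguments it runs the scratch demo; pass the real folder path to get a manifest and samples.zip in a quarantine directory next to you, and add --delete only once that zip is on its way to the vendor. Nothing in the flow opens or executes the sample, so the "definitely not" above still holds.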
     
  21. Telstar

    Telstar Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    45
    Location:
    Oregon USA
    Gavin,
    Ok, thanks very much for your help. Hopefully that's the end of my experience and exposure to this particular invader.

    Telstar
    :)
     