Home > General > Win32/SillyDl.QBC

Win32/SillyDl.QBC

You can also Download Free Trial Version of ExterminateIt! The worm terminates multiple processes associated with the following .exe files and injects its code in these files in order to ensure it is executed when the newly infected file is In addition to using updated antivirus software, file system monitoring tools can also be used to detect changes to the file system and alert administrators. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx Use caution with attachments and file transfers Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources.  Use extreme caution when http://internetpasswordpro.com/general/win32-sillydl-pxa.html

No VirusTotal Community member has commented on this item yet, be the first one to do so! Advanced Search Forum Security Discussions AntiVirus Discussions Help me investigate trojan from 206.58.237.248 If this is your first visit, be sure to check out the FAQ by clicking the link above. The time now is 03:45 AM. Enable a firewall on your computer Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall. their explanation

While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. To turn on the Internet Connection Firewall in Windows XP Click Start, and click Control Panel. Click OK.

skip to main | skip to sidebar Virus Description Here You can found descriptions for many viruses, trojans, malware. Use caution with attachments and file transfers. DAT files 4498 and later are available at the following link: McAfee The Sophos Virus Analysis forTroj/Bancban-CW is available at the following link: Virus Analysis. Use caution with attachments and file transfers.

It will eliminate the possibility of any malware that is known to the vendors. Interesting properties The studied file contains at least one Portable Executable. I assume it was some Windows/IE exploit, but I system should have all the recent MS patches on it. Reply With Quote October 27th, 2004,10:51 AM #7 markml View Profile View Forum Posts Junior Member Join Date Oct 2004 Posts 14 Yeah, I know.

Sign in Join the community No votes. AdAware found a CAB file with SyncroAdX.dll in it, but I don't think this is infecting my system. Contained files This file is a compressed stream containing 4 files. [+] cadbdzs/CAD\ufffd\ufffd\ufffd\ufffd\u05e8\u0271.exe Portable Executable 404480 Bytes SHA256 dd59715af3d5c20f72399dff33892c9cbe25e9dd594d5ded4336643f5c58788b Datetime 2010-06-07 16:20:42 Detection ratio 34 / 56 when this report was To detect and remove this Trojan downloader, as well as other software it may have installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner

Reply With Quote October 27th, 2004,06:21 AM #2 djscribble View Profile View Forum Posts Senior Member Join Date Jun 2004 Posts 460 here is what symantec says about this virus (which I think it's a good walkthrough, and I have had a lot of success with the non-malware literate. Perhaps it would be better to suggest using a non-IE based browser and an email program that users can disable HTML rendering in emails received (I would imagine Thunderbird or Eudora Only registered users can leave comments, sign in and have a voice!

The red color spreads throughout the disc to indicate whether a threat is moderate, high or severe.PreviousNextSummaryWhat to do nowTechnical informationSymptoms Symptoms The following symptoms may be indication of an infection http://internetpasswordpro.com/general/win32-ctx.html First name Last name Username * Email * Password * Confirm password * * Required field Cancel Sign up × Sign in Username or email Password Forgot your password? To turn on Automatic Updates in Windows XP Click Start, and click Control Panel.  Click System. If you do not see Network and Internet Connections, click Switch to Category View.

Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Compressed file Inner file SHA256: e6628b6c62625dfa23fbd9f80399c666bbd1365f782d8a8e8c6e5f2c3c2ef554 File name: output.12856310.txt Detection ratio: 31 / 47 Analysis date: 2013-09-15 11:48:06 UTC ( 3 years, 6 months ago ) View latest Analysis File detail The primary purpose of downloaders is to install malicious code on a user's computer. click site The trojan injects a portion of its code into the Windows explorer.exe process and  runs within that process context.

Conservatively configure mail perimeter servers, routers, firewalls and personal computers. Click Network and Internet Connections. However, they can enable other malicious uses.

There is a chance that you're infections are not handled by the vendors, I do see that happening more and more often (especially w/ hijackers).

The trojan conceals itself and bypasses local software firewall policies by injecting a portion of its code into the Windows explorer.exe process and running from within that process context. Personal firewalls may display a notification message when the worm attempts to connect to the Internet and download files.Technical InformationAnalysisEnsure virus scan engines are updated with current definitions. k,Downloader-VC,Generic Downloader.k,Generic.dl,Downlaoder-ASK,Generic.dk,Generic.dp,Downloader-JU,Downloader-NV,Downloader-BCJ,Generic Downloader.j;
[F-Prot]W32/Downloader.SS,W32/Delf.DB;
[Panda]Trj/Downloader.GK,Trj/Downloader.NG,Trj/Donn.A,Trj/Agent.AO,Trj/Downloader.DC,Adware/IPInsight,Adware/Twain-Tech,Trj/Downloader.HE,Spyware/TVMedia,Trj/Downloader.SV,Trj/Delnetdall.A,Spyware/Overpro;
[Computer Associates]Win32.SillyDL.DL,Win32.SillyDL.DM,Win32.SillyDl.DW,Win32.SillyDl.DX,Win32/SillyDL.37888!Trojan,Win32/SillyDL.DW!Trojan,Win32/SillyDL.DX!Trojan,Win32.SillyDl.BX,Win32.SillyDl.AK,Win32/Gloogle.55174!Trojan,Win32.SillyDl.O,Win32.SillyDl.DV,Win32/SillyDL.DV!Trojan,Win32.SillyDl.DG,Win32/SillyDl.69632!Trojan,Win32.SillyDl,Win32/Ecip.143360!Downlaoder!Tro,Win32.SillyDl.H,Win32/Gloogle!Downloader.52626!T,Win32.SillyDl.EN,Win32.SillyDl.EW,Win32/EliteBar!BHO!Dropper,Win32/EliteBar!BHO!Trojan,Win32.SillyDl.CS,Win32/SillyDl.CS!Trojan,Win32.SillyDl.CM,Win32/Sillydl.EL!Trojan,Win32.Dent.A;
[Other]Downloader,Win32/SillyDl.ATS,Win32/SillyDl.ATM,Win32/SillyDl,Win32/SillyDl.ATV,Downloader.Trojan,Win32/SillyDl.AUS,Win32/SillyDl.AUO,Win32/SillyDl.AVE,Win32/SillyDl.AUW,Win32/SillyDl.AVM,Win32/SillyDl.AVH,Win32/SillyDl.AMZ,Win32/SillyDl.AVN,Win32/SillyDl.AUH,Win32/SillyDl.AZA,Trojan-Downlaoder.Win32.Small.dsv,Win32/sillyDl.AZC,Win32/SillyDl.AOY,Trojan-Downlaoder.Win32.Small.czs,Win32/DillDL.4mga!,Win32/SillyDl.PW,Win32/SillyDl.ATF,Dialer.DialPlatform,MediaMotor,Adware.Medload,Trojan.Adclicker,Trojan.Dropper,enbrowser,Win32/SillyDl.AZV,Generic Downloader.ab,Downloader-ACV,visfx,Win32/SillyDl.AWZ,Win32/SillyDl.AUK,Win32/SillyDl.ATP,Win32/SillyDl.AUA,Win32/SillyDl.ATU,coolwebsearch (cws),Win32/SillyDl.BBO,W32/Smalldrp.GOJ,Win32/SillyDl.XF,W32/Smalldrp.FBZ,Downlaoder,Trojan.KillAV,Trojan.StartPage,Win32/SillyDl.W,Win32/SillyDl.CLI,Win32/SillyDl.EE,Adware.JustFindIt,Trojan.Delf,Troj/Delf-DV,Win32/SillyDl.EC,xpehbam dialer,Win32/SillyDl.SZ,Backdoor.Trojan,Win32/SillyDl.ZN,Trojan Horse,Trojan:Win32/Meredrop,W32/Smalldrp.FIE,TROJ_Generic.Z,Troj/Delf-JZ SillyDl Symptoms: Files:
[%INTERNET_CACHE%]\Content.IE5\4LM3S9IZ\L2[1].exe
[%INTERNET_CACHE%]\content.ie5\K3TRUY71\tool3[1].txt
[%INTERNET_CACHE%]\content.ie5\VYSFJHOX\ms1[1].txt
[%PROFILE_TEMP%]\1245934_4056_580_3468_79.41.tst
[%PROFILE_TEMP%]\1311928_2992_580_2720_79.41.tst
[%PROFILE_TEMP%]\131658_2360_200_2420_79.41.tst
[%PROFILE_TEMP%]\131658_2360_200_2448_79.41.tst
[%PROFILE_TEMP%]\131736_1332_348_1076_79.41.tst
[%PROFILE_TEMP%]\131802_3512_1848_3668_79.41.tst
[%PROFILE_TEMP%]\1376672_4056_580_3668_79.41.tst
[%PROFILE_TEMP%]\1835924_4056_580_1172_79.41.tst
[%PROFILE_TEMP%]\1901206_236_224_3244_79.41.tst
[%PROFILE_TEMP%]\1966774_4056_580_2888_79.41.tst
[%PROFILE_TEMP%]\2097914_1300_580_4064_79.41.tst
[%PROFILE_TEMP%]\262708_236_224_1640_79.41.tst
[%PROFILE_TEMP%]\328360_3512_1848_3552_79.41.tst
[%PROFILE_TEMP%]\590892_1968_580_1572_79.41.tst
[%PROFILE_TEMP%]\6226776_2992_580_2932_79.41.tst
[%PROFILE_TEMP%]\656248_616_2024_3032_79.41.tst
[%PROFILE_TEMP%]\656268_3512_1848_2256_79.41.tst
[%PROFILE_TEMP%]\656432_1968_580_3636_79.41.tst
[%PROFILE_TEMP%]\66306_1016_224_2100_79.41.tst
[%PROFILE_TEMP%]\66326_1332_348_612_79.41.tst
[%PROFILE_TEMP%]\66362_2568_212_3020_79.41.tst
[%PROFILE_TEMP%]\66534_2360_200_3400_79.41.tst
[%PROFILE_TEMP%]\6YQoWs.exe
[%PROFILE_TEMP%]\7340640_616_2024_2116_79.41.tst
[%PROFILE_TEMP%]\787048_2568_212_3896_79.41.tst
[%PROFILE_TEMP%]\983876_2992_580_3020_79.41.tst
[%PROFILE_TEMP%]\984042_2992_580_3184_79.41.tst
[%PROFILE_TEMP%]\btgrab.inf
[%PROFILE_TEMP%]\ceQau6.exe
[%PROFILE_TEMP%]\E2f8oD.exe
[%PROFILE_TEMP%]\GLF35GLF35.EXE
[%PROFILE_TEMP%]\ICD2.tmp\m67m.inf
[%PROFILE_TEMP%]\ICD6.tmp\elite.inf
[%PROFILE_TEMP%]\ICD6.tmp\elite.ocx
[%PROFILE_TEMP%]\istsv_.exe
[%PROFILE_TEMP%]\kmGc9H.exe
[%PROFILE_TEMP%]\localNrd.inf
[%PROFILE_TEMP%]\ma11x1dd12111v.game
[%PROFILE_TEMP%]\mmxsnet.exe
[%PROFILE_TEMP%]\polmx.exe
[%PROFILE_TEMP%]\polmx2.inf
[%PROFILE_TEMP%]\polmx3.exe
[%PROFILE_TEMP%]\poltt.cab
[%PROFILE_TEMP%]\poltt.exe
[%PROFILE_TEMP%]\poltt.inf
[%PROFILE_TEMP%]\pre.exe
[%PROFILE_TEMP%]\temp.fr????\istsvc.exe
[%PROFILE_TEMP%]\THI1E47.tmp\localNrd.inf
[%PROFILE_TEMP%]\THI2855.tmp\btgrab.inf
[%PROFILE_TEMP%]\THI30CA.tmp\polall1m.exe
[%PROFILE_TEMP%]\THI3263.tmp\polall1m.exe
[%PROFILE_TEMP%]\THI3B2A.tmp\localNrd.inf
[%PROFILE_TEMP%]\THI3E66.tmp\localNrd.inf
[%PROFILE_TEMP%]\THI411B.tmp\localNrd.inf
[%PROFILE_TEMP%]\THI4313.tmp\localNrd.inf
[%PROFILE_TEMP%]\THI4EFD.tmp\localNrd.inf
[%PROFILE_TEMP%]\THI50FB.tmp\localNrd.inf
[%PROFILE_TEMP%]\THI598C.tmp\btgrab.inf
[%PROFILE_TEMP%]\THI5A06.tmp\localNrd.inf
[%PROFILE_TEMP%]\THI62BF.tmp\polall1t.exe
[%PROFILE_TEMP%]\THI62BF.tmp\twaintec.cab
[%PROFILE_TEMP%]\ts_8_new.exe
[%PROFILE_TEMP%]\xI8bHF.exe
[%PROFILE_TEMP%]\Y7TDSp.exe
[%PROGRAM_FILES%]\epicenter\snuninst.exe
[%SYSTEM%]\0.exe
[%SYSTEM%]\aaa00000.dll
[%SYSTEM%]\aaa00000.sys
[%SYSTEM%]\big5_gb2312.exe
[%SYSTEM%]\bpara.dll
[%SYSTEM%]\Cache\us4.0-2.exe
[%SYSTEM%]\cpoepnkf.exe
[%SYSTEM%]\dllhost32.exe
[%SYSTEM%]\elitedoolsav.dat
[%SYSTEM%]\laesbpfl.exe_
[%SYSTEM%]\m1ax1d1213216143v.exe
[%SYSTEM%]\my_update.exe
[%SYSTEM%]\oiimvtre.exe
[%SYSTEM%]\polall1m.exe
[%SYSTEM%]\start32.exe
[%SYSTEM%]\systf.dll
[%SYSTEM%]\TheMatri1HasYou.exe
[%SYSTEM%]\ujscvhfh.exe
[%SYSTEM%]\vbefsspc.exe
[%SYSTEM%]\winsrv32.exe
[%SYSTEM%]\xplugin.dll
[%SYSTEM%]\xvlqqfbx.exe
[%WINDOWS%]\1.exe
[%WINDOWS%]\109uninst.exe
[%WINDOWS%]\alchem.exe
[%WINDOWS%]\BTGrab.dll
[%WINDOWS%]\Downloaded Program Files\m67m.inf
[%WINDOWS%]\etb\etl
[%WINDOWS%]\etb\nt_hide79.dll
[%WINDOWS%]\etb\pokapoka79.exe
[%WINDOWS%]\etb\xml\adult.tbr
[%WINDOWS%]\etb\xml\images\50kwincash2.bmp
[%WINDOWS%]\etb\xml\images\casino.bmp
[%WINDOWS%]\etb\xml\images\dating.bmp
[%WINDOWS%]\etb\xml\images\findemails.bmp
[%WINDOWS%]\etb\xml\images\ringtones.bmp
[%WINDOWS%]\etb\xml\images\searchpeople.bmp
[%WINDOWS%]\etb\xml\images\virus.bmp
[%WINDOWS%]\inf\btgrab.inf
[%WINDOWS%]\inf\localNrd.inf
[%WINDOWS%]\localNRD.dll
[%WINDOWS%]\mousepad12.exe
[%WINDOWS%]\ms044779575-1262006.exe
[%WINDOWS%]\polmx.exe
[%WINDOWS%]\preinsln.exe
[%WINDOWS%]\TEMP\b.com
[%WINDOWS%]\temp\backups\backup-20060602-131510-617.inf
[%WINDOWS%]\TEMP\bl4ck.com
[%WINDOWS%]\TEMP\ma11x1dd12111v.game
[%WINDOWS%]\thin.exe
[%WINDOWS%]\videoc.ocx
[%WINDOWS%]\win32105-1264779572006.exe
[%PROFILE_TEMP%]\conscorr.exe
[%PROFILE_TEMP%]\msshed32.exe
[%PROFILE_TEMP%]\suicidetb.exe
[%PROFILE_TEMP%]\temporary directory 1 for jcrea250[1].zip\setup.exe
[%PROFILE_TEMP%]\thi14a5.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi15e8.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi174f.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi1832.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi1f8d.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi2357.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi23f0.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi261a.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi261a.tmp\twaintec.dll
[%PROFILE_TEMP%]\thi261a.tmp\twaintec.inf
[%PROFILE_TEMP%]\thi2e2b.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi334f.tmp\polall1t.exe
[%PROFILE_TEMP%]\thi36e.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi390d.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi3a0.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi3c79.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi400a.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi4020.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi406.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi4941.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi4a64.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi4e3b.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi4e88.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi5249.tmp\polall1t.exe
[%PROFILE_TEMP%]\thi5291.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi542b.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi565d.tmp\polall1t.exe
[%PROFILE_TEMP%]\thi5755.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi58e1.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi5c06.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi6.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi6513.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi659c.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi67dd.tmp\btgrab.dll
[%PROFILE_TEMP%]\thi67dd.tmp\btgrab.inf
[%PROFILE_TEMP%]\thi686d.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi69c9.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi6b86.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi6ea2.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi734b.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi76c9.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi7caf.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi7fc9.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi7fd.tmp\polall1t.exe
[%PROFILE_TEMP%]\thi98a.tmp\polall1m.exe
[%PROFILE_TEMP%]\thia59.tmp\polall1m.exe
[%PROFILE_TEMP%]\thib58.tmp\polall1m.exe
[%PROFILE_TEMP%]\thib6f.tmp\polall1m.exe
[%SYSTEM%]\12345.exe
[%SYSTEM%]\akazafex.exe
[%SYSTEM%]\avtapi.exe
[%SYSTEM%]\deinst_qfe002.exe
[%SYSTEM%]\elitefmj32.exe
[%SYSTEM%]\elitekck32.exe
[%SYSTEM%]\elitexdx32.exe
[%SYSTEM%]\hrbogl.exe
[%SYSTEM%]\ixsso.exe
[%SYSTEM%]\mirindaspk.exe
[%SYSTEM%]\mssaru.exe
[%SYSTEM%]\msshed32.exe
[%SYSTEM%]\PID.EXE
[%SYSTEM%]\systp.exe
[%SYSTEM%]\w3b384d1.dll
[%SYSTEM%]\w3b69adb.dll
[%SYSTEM%]\wfusqayn.exe
[%SYSTEM%]\wiascr.exe
[%SYSTEM%]\wmicsmgr.dll
[%SYSTEM%]\zrupga.exe
[%SYSTEM%]\zshf5459.dll
[%WINDOWS%]\btgrab.dll
[%WINDOWS%]\conscorr.exe
[%WINDOWS%]\dmvkx.exe
[%WINDOWS%]\down.exe
[%WINDOWS%]\file1.exe
[%WINDOWS%]\file2.exe
[%WINDOWS%]\INF\CDLMAIL.EXE
[%WINDOWS%]\INF\system_oper.exe
[%WINDOWS%]\INF\SYS_REQ.EXE
[%WINDOWS%]\java\classes\cmmon.scr
[%WINDOWS%]\java\classes\explorer.scr
[%WINDOWS%]\java\classes\smsss.scr
[%WINDOWS%]\localnrd.dll
[%WINDOWS%]\mstray.exe
[%WINDOWS%]\odbint.dll
[%WINDOWS%]\polmx3.exe
[%WINDOWS%]\Sloopy7.exe
[%WINDOWS%]\syskey.ini
[%WINDOWS%]\system32\win.ini.t00
[%WINDOWS%]\system\coreak.dll
[%WINDOWS%]\system\evjpfd.exe
[%WINDOWS%]\system\fabmax.exe
[%WINDOWS%]\system\ihpxtg.exe
[%WINDOWS%]\system\odrosh.exe
[%WINDOWS%]\system\oocdngv.exe
[%WINDOWS%]\system\qmdkkp.exe
[%WINDOWS%]\system\xewobv.exe
[%WINDOWS%]\system\xwxnwhcw.exe
[%WINDOWS%]\system\ypojlw.exe
[%WINDOWS%]\temp\alchem.exe
[%WINDOWS%]\temp\polmx.exe
[%WINDOWS%]\temp\polmx3.exe
[%WINDOWS%]\temp\thi677c.tmp\polall1t.exe
[%WINDOWS%]\terra.exe
[%INTERNET_CACHE%]\Content.IE5\4LM3S9IZ\L2[1].exe
[%INTERNET_CACHE%]\content.ie5\K3TRUY71\tool3[1].txt
[%INTERNET_CACHE%]\content.ie5\VYSFJHOX\ms1[1].txt
[%PROFILE_TEMP%]\1245934_4056_580_3468_79.41.tst
[%PROFILE_TEMP%]\1311928_2992_580_2720_79.41.tst
[%PROFILE_TEMP%]\131658_2360_200_2420_79.41.tst
[%PROFILE_TEMP%]\131658_2360_200_2448_79.41.tst
[%PROFILE_TEMP%]\131736_1332_348_1076_79.41.tst
[%PROFILE_TEMP%]\131802_3512_1848_3668_79.41.tst
[%PROFILE_TEMP%]\1376672_4056_580_3668_79.41.tst
[%PROFILE_TEMP%]\1835924_4056_580_1172_79.41.tst
[%PROFILE_TEMP%]\1901206_236_224_3244_79.41.tst
[%PROFILE_TEMP%]\1966774_4056_580_2888_79.41.tst
[%PROFILE_TEMP%]\2097914_1300_580_4064_79.41.tst
[%PROFILE_TEMP%]\262708_236_224_1640_79.41.tst
[%PROFILE_TEMP%]\328360_3512_1848_3552_79.41.tst
[%PROFILE_TEMP%]\590892_1968_580_1572_79.41.tst
[%PROFILE_TEMP%]\6226776_2992_580_2932_79.41.tst
[%PROFILE_TEMP%]\656248_616_2024_3032_79.41.tst
[%PROFILE_TEMP%]\656268_3512_1848_2256_79.41.tst
[%PROFILE_TEMP%]\656432_1968_580_3636_79.41.tst
[%PROFILE_TEMP%]\66306_1016_224_2100_79.41.tst
[%PROFILE_TEMP%]\66326_1332_348_612_79.41.tst
[%PROFILE_TEMP%]\66362_2568_212_3020_79.41.tst
[%PROFILE_TEMP%]\66534_2360_200_3400_79.41.tst
[%PROFILE_TEMP%]\6YQoWs.exe
[%PROFILE_TEMP%]\7340640_616_2024_2116_79.41.tst
[%PROFILE_TEMP%]\787048_2568_212_3896_79.41.tst
[%PROFILE_TEMP%]\983876_2992_580_3020_79.41.tst
[%PROFILE_TEMP%]\984042_2992_580_3184_79.41.tst
[%PROFILE_TEMP%]\btgrab.inf
[%PROFILE_TEMP%]\ceQau6.exe
[%PROFILE_TEMP%]\E2f8oD.exe
[%PROFILE_TEMP%]\GLF35GLF35.EXE
[%PROFILE_TEMP%]\ICD2.tmp\m67m.inf
[%PROFILE_TEMP%]\ICD6.tmp\elite.inf
[%PROFILE_TEMP%]\ICD6.tmp\elite.ocx
[%PROFILE_TEMP%]\istsv_.exe
[%PROFILE_TEMP%]\kmGc9H.exe
[%PROFILE_TEMP%]\localNrd.inf
[%PROFILE_TEMP%]\ma11x1dd12111v.game
[%PROFILE_TEMP%]\mmxsnet.exe
[%PROFILE_TEMP%]\polmx.exe
[%PROFILE_TEMP%]\polmx2.inf
[%PROFILE_TEMP%]\polmx3.exe
[%PROFILE_TEMP%]\poltt.cab
[%PROFILE_TEMP%]\poltt.exe
[%PROFILE_TEMP%]\poltt.inf
[%PROFILE_TEMP%]\pre.exe
[%PROFILE_TEMP%]\temp.fr????\istsvc.exe
[%PROFILE_TEMP%]\THI1E47.tmp\localNrd.inf
[%PROFILE_TEMP%]\THI2855.tmp\btgrab.inf
[%PROFILE_TEMP%]\THI30CA.tmp\polall1m.exe
[%PROFILE_TEMP%]\THI3263.tmp\polall1m.exe
[%PROFILE_TEMP%]\THI3B2A.tmp\localNrd.inf
[%PROFILE_TEMP%]\THI3E66.tmp\localNrd.inf
[%PROFILE_TEMP%]\THI411B.tmp\localNrd.inf
[%PROFILE_TEMP%]\THI4313.tmp\localNrd.inf
[%PROFILE_TEMP%]\THI4EFD.tmp\localNrd.inf
[%PROFILE_TEMP%]\THI50FB.tmp\localNrd.inf
[%PROFILE_TEMP%]\THI598C.tmp\btgrab.inf
[%PROFILE_TEMP%]\THI5A06.tmp\localNrd.inf
[%PROFILE_TEMP%]\THI62BF.tmp\polall1t.exe
[%PROFILE_TEMP%]\THI62BF.tmp\twaintec.cab
[%PROFILE_TEMP%]\ts_8_new.exe
[%PROFILE_TEMP%]\xI8bHF.exe
[%PROFILE_TEMP%]\Y7TDSp.exe
[%PROGRAM_FILES%]\epicenter\snuninst.exe
[%SYSTEM%]\0.exe
[%SYSTEM%]\aaa00000.dll
[%SYSTEM%]\aaa00000.sys
[%SYSTEM%]\big5_gb2312.exe
[%SYSTEM%]\bpara.dll
[%SYSTEM%]\Cache\us4.0-2.exe
[%SYSTEM%]\cpoepnkf.exe
[%SYSTEM%]\dllhost32.exe
[%SYSTEM%]\elitedoolsav.dat
[%SYSTEM%]\laesbpfl.exe_
[%SYSTEM%]\m1ax1d1213216143v.exe
[%SYSTEM%]\my_update.exe
[%SYSTEM%]\oiimvtre.exe
[%SYSTEM%]\polall1m.exe
[%SYSTEM%]\start32.exe
[%SYSTEM%]\systf.dll
[%SYSTEM%]\TheMatri1HasYou.exe
[%SYSTEM%]\ujscvhfh.exe
[%SYSTEM%]\vbefsspc.exe
[%SYSTEM%]\winsrv32.exe
[%SYSTEM%]\xplugin.dll
[%SYSTEM%]\xvlqqfbx.exe
[%WINDOWS%]\1.exe
[%WINDOWS%]\109uninst.exe
[%WINDOWS%]\alchem.exe
[%WINDOWS%]\BTGrab.dll
[%WINDOWS%]\Downloaded Program Files\m67m.inf
[%WINDOWS%]\etb\etl
[%WINDOWS%]\etb\nt_hide79.dll
[%WINDOWS%]\etb\pokapoka79.exe
[%WINDOWS%]\etb\xml\adult.tbr
[%WINDOWS%]\etb\xml\images\50kwincash2.bmp
[%WINDOWS%]\etb\xml\images\casino.bmp
[%WINDOWS%]\etb\xml\images\dating.bmp
[%WINDOWS%]\etb\xml\images\findemails.bmp
[%WINDOWS%]\etb\xml\images\ringtones.bmp
[%WINDOWS%]\etb\xml\images\searchpeople.bmp
[%WINDOWS%]\etb\xml\images\virus.bmp
[%WINDOWS%]\inf\btgrab.inf
[%WINDOWS%]\inf\localNrd.inf
[%WINDOWS%]\localNRD.dll
[%WINDOWS%]\mousepad12.exe
[%WINDOWS%]\ms044779575-1262006.exe
[%WINDOWS%]\polmx.exe
[%WINDOWS%]\preinsln.exe
[%WINDOWS%]\TEMP\b.com
[%WINDOWS%]\temp\backups\backup-20060602-131510-617.inf
[%WINDOWS%]\TEMP\bl4ck.com
[%WINDOWS%]\TEMP\ma11x1dd12111v.game
[%WINDOWS%]\thin.exe
[%WINDOWS%]\videoc.ocx
[%WINDOWS%]\win32105-1264779572006.exe
[%PROFILE_TEMP%]\conscorr.exe
[%PROFILE_TEMP%]\msshed32.exe
[%PROFILE_TEMP%]\suicidetb.exe
[%PROFILE_TEMP%]\temporary directory 1 for jcrea250[1].zip\setup.exe
[%PROFILE_TEMP%]\thi14a5.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi15e8.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi174f.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi1832.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi1f8d.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi2357.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi23f0.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi261a.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi261a.tmp\twaintec.dll
[%PROFILE_TEMP%]\thi261a.tmp\twaintec.inf
[%PROFILE_TEMP%]\thi2e2b.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi334f.tmp\polall1t.exe
[%PROFILE_TEMP%]\thi36e.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi390d.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi3a0.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi3c79.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi400a.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi4020.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi406.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi4941.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi4a64.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi4e3b.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi4e88.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi5249.tmp\polall1t.exe
[%PROFILE_TEMP%]\thi5291.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi542b.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi565d.tmp\polall1t.exe
[%PROFILE_TEMP%]\thi5755.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi58e1.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi5c06.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi6.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi6513.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi659c.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi67dd.tmp\btgrab.dll
[%PROFILE_TEMP%]\thi67dd.tmp\btgrab.inf
[%PROFILE_TEMP%]\thi686d.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi69c9.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi6b86.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi6ea2.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi734b.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi76c9.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi7caf.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi7fc9.tmp\polall1m.exe
[%PROFILE_TEMP%]\thi7fd.tmp\polall1t.exe
[%PROFILE_TEMP%]\thi98a.tmp\polall1m.exe
[%PROFILE_TEMP%]\thia59.tmp\polall1m.exe
[%PROFILE_TEMP%]\thib58.tmp\polall1m.exe
[%PROFILE_TEMP%]\thib6f.tmp\polall1m.exe
[%SYSTEM%]\12345.exe
[%SYSTEM%]\akazafex.exe
[%SYSTEM%]\avtapi.exe
[%SYSTEM%]\deinst_qfe002.exe
[%SYSTEM%]\elitefmj32.exe
[%SYSTEM%]\elitekck32.exe
[%SYSTEM%]\elitexdx32.exe
[%SYSTEM%]\hrbogl.exe
[%SYSTEM%]\ixsso.exe
[%SYSTEM%]\mirindaspk.exe
[%SYSTEM%]\mssaru.exe
[%SYSTEM%]\msshed32.exe
[%SYSTEM%]\PID.EXE
[%SYSTEM%]\systp.exe
[%SYSTEM%]\w3b384d1.dll
[%SYSTEM%]\w3b69adb.dll
[%SYSTEM%]\wfusqayn.exe
[%SYSTEM%]\wiascr.exe
[%SYSTEM%]\wmicsmgr.dll
[%SYSTEM%]\zrupga.exe
[%SYSTEM%]\zshf5459.dll
[%WINDOWS%]\btgrab.dll
[%WINDOWS%]\conscorr.exe
[%WINDOWS%]\dmvkx.exe
[%WINDOWS%]\down.exe
[%WINDOWS%]\file1.exe
[%WINDOWS%]\file2.exe
[%WINDOWS%]\INF\CDLMAIL.EXE
[%WINDOWS%]\INF\system_oper.exe
[%WINDOWS%]\INF\SYS_REQ.EXE
[%WINDOWS%]\java\classes\cmmon.scr
[%WINDOWS%]\java\classes\explorer.scr
[%WINDOWS%]\java\classes\smsss.scr
[%WINDOWS%]\localnrd.dll
[%WINDOWS%]\mstray.exe
[%WINDOWS%]\odbint.dll
[%WINDOWS%]\polmx3.exe
[%WINDOWS%]\Sloopy7.exe
[%WINDOWS%]\syskey.ini
[%WINDOWS%]\system32\win.ini.t00
[%WINDOWS%]\system\coreak.dll
[%WINDOWS%]\system\evjpfd.exe
[%WINDOWS%]\system\fabmax.exe
[%WINDOWS%]\system\ihpxtg.exe
[%WINDOWS%]\system\odrosh.exe
[%WINDOWS%]\system\oocdngv.exe
[%WINDOWS%]\system\qmdkkp.exe
[%WINDOWS%]\system\xewobv.exe
[%WINDOWS%]\system\xwxnwhcw.exe
[%WINDOWS%]\system\ypojlw.exe
[%WINDOWS%]\temp\alchem.exe
[%WINDOWS%]\temp\polmx.exe
[%WINDOWS%]\temp\polmx3.exe
[%WINDOWS%]\temp\thi677c.tmp\polall1t.exe
[%WINDOWS%]\terra.exe Folders:
[%WINDOWS%]\elitetoolbar
[%WINDOWS%]\etb Registry Keys:
HKEY_CLASSES_ROOT\btgrabdll.btgrabdllobj
HKEY_CLASSES_ROOT\btgrabdll.btgrabdllobj.1
HKEY_CLASSES_ROOT\CLSID\{00000000-F09C-02B4-6EC2-AD0300000000}
HKEY_CLASSES_ROOT\clsid\{0a1d22c3-37be-470c-9c29-e3074ee0574b}
HKEY_CLASSES_ROOT\clsid\{28caeff3-0f18-4036-b504-51d73bd81abc}
HKEY_CLASSES_ROOT\clsid\{825cf5bd-8862-4430-b771-0c15c5ca8def}
HKEY_CLASSES_ROOT\clsid\{be8d0059-d24d-4919-b76f-99f4a2203647}
HKEY_CLASSES_ROOT\clsid\{ed103d9f-3070-4580-ab1e-e5c179c1ae41}
HKEY_CLASSES_ROOT\interface\{59ebb576-ceb0-42fa-9917-da6254a275ad}
HKEY_CLASSES_ROOT\interface\{665abe65-2c16-4341-b4b8-01ff799e8f4c}
HKEY_CLASSES_ROOT\typelib\{8e0d8965-b97b-468d-8306-a05929e439c1}
HKEY_CURRENT_USER\software\btgrab
HKEY_LOCAL_MACHINE\software\elitum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-F09C-02B4-6EC2-AD0300000000}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\elitebar Get your FREE copy of Insight Newsletter||MsMittens' HomePage Reply With Quote Page 1 of 3 123 Last Jump to page: Quick Navigation AntiVirus Discussions Top Site Areas Settings Private Messages Subscriptions

Downloads an executable file from a URL that is specified in the Trojan code.  Saves the downloaded program to the C:\temp folder as a file named tmp.exe. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM Reply With Quote October 27th, 2004,04:09 PM #9 kr5kernel View Profile View Forum Posts Senior Member Join Date Mar 2004 kr5kernel (kr5kernel at hotmail dot com) Linux: Making Penguins Cool Since 1994. navigate to this website Page 1 of 3 123 Last Jump to page: Results 1 to 10 of 29 Thread: Help me investigate trojan from 206.58.237.248 Tweet Thread Tools Show Printable Version Subscribe to this

I'd like to find out what. Good luck, malware rarely escapes safe mode! Antivirus software is available from several sources. If you require support, please visit the Microsoft Answer Desk.If you suspect that a file has been incorrectly identified as malware, you can submit the file for analysis.Other Microsoft sitesWindowsOfficeSurfaceWindows PhoneMobile

Configure network access controls to establish a default deny posture by limiting incoming and outgoing traffic, and limiting network services to only those required for business operations. Protection has been included in virus definitions for Intelligent Updater since May 23, 2005. Follow this doc: http://www.antionline.com/attachment...achmentid=4913 Make sure you follow the steps accurately, especially when it explains updating. [off topic] If anyone has any problems with me practically whoring this link, let me Configure auto-update features to update daily, or manually update antivirus signatures at least weekly.

To turn on Automatic Updates in Windows XP Click Start, and click Control Panel.  Click System. Given that he is a home user (general assumption on my part based on the first post) this may not be a practical option. Select On. I've noticed myself linking it a lot more, I don't want anyone to think it's spamming.

Use current and well-configured antivirus products at multiple levels in the environment. Configure antivirus products to scan three levels deep on compressed files. The trojan conceals itself and bypasses local software firewall policies by injecting a portion of its code into the Windows explorer.exe process and running from within that process context. Get some decent AV and spyware removal.

More votes Blog | Twitter | | Google groups | ToS | Privacy policy × Recover your password Enter the email address associated to your VirusTotal Community account and we'll send More specifically, it is a ZIP file. I found two files, both called "update", in my Temporary Internet Files. Click Automatic Updates.

With our help you can remove it from your computer. The latest virus definitions are available at the following link: Symantec Revision History Show Less Legal Disclaimer THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY