Win32 Trojan detected while downloading ComboFix

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tkjdnow, Jan 1, 2009.

  1. tkjdnow

    tkjdnow Private E-2

    I am following your Read and Run procedures, and downloading tools for Windows XP. MS Forefront Security detected an active Win32 Trojan while ComboFix was downloading. I told it to secure it, and ComboFix continued to download. All tools were saved to C/Geeks/toolname. This new alert does not show up in the MS Forefront History page. What now?

    The reason I am following read and run is below:


    On Dec. 31, I went to hxxp//www.rwilsonart.com and Microsoft forefront security detected a Trojan. I clicked the disable button, and the security system gave a “succeeded” message.

    I ran Kaspersky’s online scanner, and it found 2 infected files:

    C:\Documents and Settings\mhannon\Local Settings\Temporary Internet Files\Content.IE5\45F2XVJY\show[1].htm Infected: Trojan-Downloader.JS.Psyme.amg 1

    C:\Documents and Settings\mhannon\Local Settings\Temporary Internet Files\Content.IE5\O0DZ587R\placeholder-1413647-651572025[1].htm Infected: Trojan-Downloader.JS.Psyme.amg 1

    The ETrust EZ scanner found

    04421734 Generic Trojan C:\Documents and Settings\Default User\Desktop\CtmWeb36917-59923.zip[ntagent.exe]
    and 3 other files where "Default User" is replaced by the login names of the three users – everything the same except the username between Settings and Desktop.

    I used CCleaner and deleted all temp files, and emptied the recycle bin.
    I uninstalled all Java files, and reinstalled the latest version.

    I ran the following scans in succession in normal boot mode:

    Microsoft Forefront security, found 0 results
    AdAware, found 7 tracking cookies; deleted
    Panda online, found 0 results
    Ewido online, found 28 tracking cookies; deleted
    Trend HouseCall, found 8 tracking cookies, deleted
    Symantec online, 0 results


    I ran Kaspersky’s online this morning, and it found

    File name / Threat name / Threats count
    C:\Documents and Settings\mhannon\Local Settings\Temp\prun.tmp Infected: Trojan.Win32.Agent.bcbh 1
    C:\WINDOWS\system32\prunnet.exe Infected: Trojan.Win32.Agent.bcbh 1

    The History folder for Microsoft Forefront Security shows

    Trojan Win32/Vundo.gen!C etc. Jan 1 remove succeeded

    C:\WINDOWS\system32\opnnMdBU.dll->(UPX)

    containerfile:
    C:\WINDOWS\system32\opnnMdBU.dll

    TrojanWin32/Punad.B Jan 1 remove succeeded

    C:\Documents and Settings\mhannon\Local Settings\Temp\xpre.tmp

    TrojanDownloader:Win32/Re Jan 1 remove succeeded

    C:\Documents and Settings\mhannon\Local Settings\Temp\winvsnet.tmp

    Trojan:Win32/Alureon.gen!J Jan 1 quarantine succeeded

    C:\Documents and Settings\mhannon\Local Settings\Temp\incosnet.tmp

    TrojanDownloader:HTML/Ag Dec 31 remove succeeded

    C:\Documents and Settings\mhannon\Local Settings\Temp\incosnet.tmp



    This is probably too much information.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    None of the tools we have you download and use are infected. MS ForeFront is wrong. You need to shutdown any protection that you are running and just continue with the READ & RUN ME and then attach the logs we request.
     
