Thanks for the files, Thomas.
I've passed them on to Lavasoft, Ewido & Symantec. Ewido does detect the
first file but not the second, so I've sent that to them. I assume Bill will
pass the file to the MS team.
It's a Trojan Clicker variant and would be difficult to remove, especially
with hardly any scanners detecting the files and not being able to remove
them until the processes are stopped. The trojan, when executed, connects to a
website and clicks on a lot of different banner advertisements, which then
show on the infected system. This makes the site a lot of money from "click
per view" schemes. Using a packet sniffer showed it sent over 28000 packets
out from my PC within 5 minutes, so that's a very busy trojan.
Here are the results from malware scanners for both files:
actx1.exe
(Original Filename - URLBrowserNew.exe)
MD5 52378c476f03da6bd5d310c34eaca1be
Ad-Aware SE Found nothing
AntiVir Found nothing
ArcaVir Found Trojan.Clicker.Vb.Is
Avast Found nothing
AVG Antivirus Found Clicker.RE
Avira Found nothing
BitDefender Found nothing
CAT-QuickHeal Found TrojanClicker.VB.is
ClamAV Found nothing
Dr.Web Found Trojan.Click.686
eTrust Found Win32/AdClicker!Trojan
Ewido Security Suite Found Spyware.Hijacker.Generic
F-Prot Antivirus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found Trojan-Clicker.Win32.VB.is
McAfee Found Generic AdClicker.a
Microsoft Antispyware Found nothing
NOD32 Found nothing
Norman Virus Control Found W32/Agent.ISY
Panda Found nothing
Sophos Found nothing
Symantec Found nothing
TheHacker Found nothing
UNA Found nothing
VBA32 Found nothing
zqactx1.exe
(Original Filename - ChameleonSearch.exe)
MD5 bb539f431629a1f888cedaac1d97774e
Ad-Aware SE Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
Avira Found nothing
BitDefender Found nothing
CAT-QuickHeal Found nothing
ClamAV Found nothing
Dr.Web Found nothing
eTrust Found nothing
Ewido Security Suite Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
McAfee Found Generic.Downloader.a
Microsoft Antispyware Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Found nothing
Sophos Found nothing
Symantec Found nothing
TheHacker Found nothing
UNA Found nothing
VBA32 Found nothing
You can use MS Antispyware, HijackThis or regedit to delete the startup
entries.
In Microsoft Antispyware click 'Advanced Tools' and then 'System Explorers'.
Choose 'Startup Programs' and in the Local Machine Run area click both of the
file entries, then from the bottom right choose 'Permanently Remove StartUp
Program'.
In HijackThis place a check next to these entries and press "Fix Checked":
O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\TEMP\actx1.exe
O4 - HKLM\..\Run: [ZQHelper] C:\WINDOWS\TEMP\zqactx1.exe
In regedit navigate to the Run key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Left click Run and in the right pane right click Contextual Tool and
ZQHelper and press Delete.
Next, either reboot, which would stop them running as the Run entries have
just been removed, or use Task Manager (right click the system tray and choose
Task Manager, or press Ctrl, Alt & Delete together), end the processes for
actx1.exe and zqactx1.exe, then remove the files from the C:\WINDOWS\TEMP\
folder.
Thanks again for sending the files. Hopefully it will prevent other people
being infected if MS and the other protection companies can add them to their
definitions soon.
All the best,
Andy
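The manual clean-up Andy describes (find the Run entries pointing into C:\WINDOWS\TEMP, end the processes, delete the values and the files) can be scripted so it is repeatable and auditable. The following is an added example, not code from the post or from any of the tools it mentions. It assumes a modern Windows PowerShell session run as administrator; the function names (Find-TempRunEntry, Remove-TempRunEntry, ConvertFrom-HijackThisO4, Get-ExecutablePath) and the -Remove-style workflow are this example's own, and the indicator it keys on is the one from the post: an autostart entry whose executable lives under the Windows TEMP folder.

```powershell
# Added example (not from the post). Audits the HKLM Run key for autostart
# entries that launch executables from %WINDIR%\TEMP, the pattern described
# above, and optionally removes them the same way the post does by hand:
# stop the process, delete the Run value, delete the file.
# All function names here are this example's own (hypothetical).

function Get-ExecutablePath {
    # Pull the executable path out of a Run value such as
    #   "C:\WINDOWS\TEMP\actx1.exe" /silent   or   C:\WINDOWS\TEMP\actx1.exe
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')   { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)')  { return $Matches[1] }
    return $Command.Trim()
}

function ConvertFrom-HijackThisO4 {
    # Parses a HijackThis O4 line, e.g.
    #   O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\TEMP\actx1.exe
    # into hive, key, value name and executable path.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match '^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$') {
            [pscustomobject]@{
                Hive = $Matches[1]; Key = $Matches[2]
                Name = $Matches[3]; Path = (Get-ExecutablePath $Matches[4])
            }
        }
    }
}

function Find-TempRunEntry {
    # Returns one object per HKLM Run value whose target lives under $TempDir.
    param(
        [string]$RunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        [string]$TempDir = (Join-Path $env:WINDIR 'TEMP')
    )
    $meta  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $props = Get-ItemProperty -Path $RunKey -ErrorAction Stop
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $meta) { continue }        # skip provider metadata
        $exe = Get-ExecutablePath ([string]$p.Value)
        if ($exe -like "$TempDir\*") {
            [pscustomobject]@{
                Name    = $p.Name
                Path    = $exe
                Running = [bool](Get-Process -ErrorAction SilentlyContinue |
                                 Where-Object { $_.Path -eq $exe })
            }
        }
    }
}

function Remove-TempRunEntry {
    # Mirrors the manual steps in the post: end the process, remove the Run
    # value, then delete the file. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Entry,
        [string]$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    process {
        if ($PSCmdlet.ShouldProcess($Entry.Name, 'Remove autostart entry')) {
            Get-Process -ErrorAction SilentlyContinue |
                Where-Object { $_.Path -eq $Entry.Path } |
                Stop-Process -Force
            Remove-ItemProperty -Path $RunKey -Name $Entry.Name -ErrorAction SilentlyContinue
            if (Test-Path -LiteralPath $Entry.Path) {
                Remove-Item -LiteralPath $Entry.Path -Force
            }
        }
    }
}

# Usage (elevated PowerShell):
#   Find-TempRunEntry                                  # list suspicious entries
#   Find-TempRunEntry | Remove-TempRunEntry -WhatIf    # dry run
#   Find-TempRunEntry | Remove-TempRunEntry            # clean up
#   'O4 - HKLM\..\Run: [ZQHelper] C:\WINDOWS\TEMP\zqactx1.exe' | ConvertFrom-HijackThisO4
```

Run Find-TempRunEntry first and review the output before piping it to Remove-TempRunEntry; the -WhatIf switch prints what would be stopped and deleted without touching anything. Keying on the TEMP folder is the post's own indicator and will also surface legitimate installers that register themselves there, so the listing is meant to be read by a person, not applied blindly.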