How to get rid of trojan downloader

  • Thread starter Thread starter geronimo
  • Start date Start date
G

geronimo

Every time Wondows XP boots, AVG finds trojan downloader
Win32.generic.zie and generic.zoy. the filename is hocen.dll, and it
is in Windows/complus applications. You can delete this find or put in
vault. Either way, this trojan will be back thenext time Widows boots.
I thik it is because there is a registry Key loading it, putting it
back on the system each time. But I am reluctiant to search the
registry for a reference to it and delete the key. IS risky to delete
keys when you are not sure what you are doing. Avg is updating each
day....it obviously is incapable of dealing with it. I have searched
for info on this particular trojan, and Google finds next to nothing,
nothing of any help. But surely I am not the only on ein the world
with this trojan. What to do?
 
What to do?
Click to expand...


First, find another anti-virus. This should be an indicator to you
just how much AVG sucks. Kaspersky will and does remove it entirely.
Second, when you do scan, turn off your system restore first.
 
From: <geronimo>

| Every time Wondows XP boots, AVG finds trojan downloader
| Win32.generic.zie and generic.zoy. the filename is hocen.dll, and it
| is in Windows/complus applications. You can delete this find or put in
| vault. Either way, this trojan will be back thenext time Widows boots.
| I thik it is because there is a registry Key loading it, putting it
| back on the system each time. But I am reluctiant to search the
| registry for a reference to it and delete the key. IS risky to delete
| keys when you are not sure what you are doing. Avg is updating each
| day....it obviously is incapable of dealing with it. I have searched
| for info on this particular trojan, and Google finds next to nothing,
| nothing of any help. But surely I am not the only on ein the world
| with this trojan. What to do?


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Do what I did. Download and install Kaspersky Anti-Virus 30 day trial. It
detected the trojan horse downloaders and removed them! -- Mike
 
And don't forget to get KAV/KIS through Art --- he needs the money.

(http://home.epix.net/~artnpeg)

BTW, Art, KAV's PDM doesn't like your frog. ;)
Click to expand...

Well, I'll be a chimp's uncle!! Kaspersky is now alerting on a few
more of my froggy samples. I see what you mean about the neutered
froggy at my web site. Not only is KAV now alerting but it's producing
false positives as well :) Oh well. I'll be damned if I'm going to
submit the neutered froggie to their analysts. I'm tired of banging
them about not alerting and I just don't feel like banging them
about a FP.

BTW, it's not KAV's PDM that produces the neutered froggie
FP. You can disable the PDM and KAV still alerts. Also,
KAVDOS32 alerts as well.

Art
http://home.epix.net/~artnpeg
 
Art said:
Well, I'll be a chimp's uncle!! Kaspersky is now alerting on a few
more of my froggy samples. I see what you mean about the neutered
froggy at my web site. Not only is KAV now alerting but it's producing
false positives as well :) Oh well. I'll be damned if I'm going to
submit the neutered froggie to their analysts. I'm tired of banging
them about not alerting and I just don't feel like banging them
about a FP.

BTW, it's not KAV's PDM that produces the neutered froggie
FP. You can disable the PDM and KAV still alerts. Also,
KAVDOS32 alerts as well.
Click to expand...

Art,

1) You are correct. With or without PDM, KAV doesn't like it. I wasn't
paying attention when I got the first alert. Still learning the KAV 6 UI.

2) It was evidently added to the signatures sometime Tuesday. I had
downloaded your frog sometime ago, and last night's overnight KAV scan
was the first one to complain about it.

3) I submitted your frog to KL in a password protected file. What a
PITA! I had to disable all KAV protection in order to create the
zipped file. KAV wouldn't even let me look at the sub-directory in
which I had placed it. LOL.

Ron :)
 
3) I submitted your frog to KL in a password protected file. What a
PITA! I had to disable all KAV protection in order to create the
zipped file. KAV wouldn't even let me look at the sub-directory in
which I had placed it. LOL.
Click to expand...

I'm curious to know if they respond, and if so, what they have to
say. Please let us know.

Art
http://home.epix.net/~artnpeg
 
geronimo said:
Every time Wondows XP boots, AVG finds trojan downloader
Win32.generic.zie and generic.zoy. the filename is hocen.dll, and it
is in Windows/complus applications. You can delete this find or put in
vault. Either way, this trojan will be back thenext time Widows boots.
Click to expand...


A friend brought me his daughter's laptop computer with a similar problem just a
couple of days ago. She was getting numerous popup windows saying that NAV had
detected a file infected with the downloader virus. It didn't say which one,
which complicated looking for a removal tool. Just using Windows Explorer,
right clicking on the infected file's name (in this case
C:\windows\system32\CONaig.dll) and selecting "delete" would reward me with
another popup saying the file was in use by another program or process and
couldn't be deleted.

Of course, Norton's couldn't fix it. Norton's couldn't quarantine or delete it
either, even if run from safe mode after disabling the restore feature. All
Norton's could do was find it and warm me.... continually. Very annoying.

Visits to Symantec's website were a waste of time. None of their suggested
fixes fixed.

What I finally did was disable restore, delete the internet temp files and
history, delete the files in the recycle bin and in Norton's protected trash
bin, then downloaded a handy free utility program called Unlocker at
http://ccollomb.free.fr/unlocker/unlocker1.8.3.exe. After installing it, I went
into safe mode, used Windows Explorer to find the infected file and right
clicked. This time I selected "Unlock". It came up with three different
processes that were involved. I told it to delete all three first, then clicked
on the "Unlock All" down at the bottom of the window.

I immediately got the Blue Screen of Death and Windows (XP Home) cut off. I
rebooted (to normal mode) and didn't get any warnings this time. I went into
the System32 directory and didn't find any incidents of that damned dll file. I
ran a full scan with Norton's and it didn't find it any more either.

I rebooted and looked again. Nothing. As best as I can tell, the bastard is
finally gone. The computer seems to function normally again. Somebody owes me
a beer.
 
Art said:
I'm curious to know if they respond, and if so, what they have to
say. Please let us know.
Click to expand...

Art, from KL:

***quote***

Hello.

This file is clear.

Sincerely yours,
Pavel Zelensky
Virus analyst

Kaspersky Lab Ltd
Moscow, Russia
Tel/Fax: +7 (495) 797-8700
E-mail: (e-mail address removed)
Internet: http://www.kaspersky.com, http://www.viruslist.com

***endquote***

The KAV File-AV and Web-AV still don't like the frog. Let's see what
happens overnight.

FWIW, from Virus Total:

STATUS: FINISHED
Complete scanning result of "Neutered_Frog.jpg", received in
VirusTotal at 07.31.2006, 03:32:08 (CET).
Antivirus Version Update Result
AntiVir 6.35.1.0 07.30.2006 no virus found
Authentium 4.93.8 07.29.2006 no virus found
Avast 4.7.844.0 07.29.2006 no virus found
AVG 386 07.28.2006 no virus found
BitDefender 7.2 07.31.2006 no virus found
CAT-QuickHeal 8.00 07.29.2006 no virus found
ClamAV devel-20060426 07.31.2006 no virus found
DrWeb 4.33 07.30.2006 no virus found
eTrust-InoculateIT 23.72.82 07.30.2006 no virus found
eTrust-Vet 12.6.2314 07.28.2006 Win32/Vxidl
Ewido 4.0 07.30.2006 no virus found
Fortinet 2.77.0.0 07.30.2006 no virus found
F-Prot 3.16f 07.28.2006 no virus found
F-Prot4 4.2.1.29 07.28.2006 no virus found
Ikarus 0.2.65.0 07.28.2006 no virus found
Kaspersky 4.0.2.24 07.31.2006 Trojan-Downloader.Win32.Tibs.gc
McAfee 4817 07.28.2006 no virus found
Microsoft 1.1508 07.27.2006 no virus found
NOD32v2 1.1684 07.29.2006 no virus found
Norman 5.90.23 07.28.2006 no virus found
Panda 9.0.0.4 07.30.2006 no virus found
Sophos 4.08.0 07.30.2006 no virus found
Symantec 8.0 07.31.2006 no virus found
TheHacker 5.9.8.183 07.30.2006 no virus found
UNA 1.83 07.28.2006 no virus found
VBA32 3.11.0 07.31.2006 no virus found
VirusBuster 4.3.7:9 07.30.2006 no virus found

Aditional Information
File size: 1738 bytes
MD5: 1e0cc6a87918a4c24cb94a8b28b323d7
SHA1: ff8e78489a667d8b06ac085e134f0bfd9c7a110c

Ron :)
 
Art said:
I'm curious to know if they respond, and if so, what they have to
say. Please let us know.

Art
http://home.epix.net/~artnpeg
Click to expand...

I re-posted this after removing KL's telephone number. It is
commercial, but then again it is Usenet.

Art, from KL:

***quote***

Hello.

This file is clear.

Sincerely yours,
Pavel Zelensky
Virus analyst

Kaspersky Lab Ltd
Moscow, Russia
Tel/Fax: +n (nnn) nnn-nnnn
E-mail: (e-mail address removed)
Internet: http://www.kaspersky.com, http://www.viruslist.com

***endquote***

The KAV File-AV and Web-AV still don't like the frog. Let's see what
happens overnight.

FWIW, from Virus Total:

STATUS: FINISHED
Complete scanning result of "Neutered_Frog.jpg", received in
VirusTotal at 07.31.2006, 03:32:08 (CET).
Antivirus Version Update Result
AntiVir 6.35.1.0 07.30.2006 no virus found
Authentium 4.93.8 07.29.2006 no virus found
Avast 4.7.844.0 07.29.2006 no virus found
AVG 386 07.28.2006 no virus found
BitDefender 7.2 07.31.2006 no virus found
CAT-QuickHeal 8.00 07.29.2006 no virus found
ClamAV devel-20060426 07.31.2006 no virus found
DrWeb 4.33 07.30.2006 no virus found
eTrust-InoculateIT 23.72.82 07.30.2006 no virus found
eTrust-Vet 12.6.2314 07.28.2006 Win32/Vxidl
Ewido 4.0 07.30.2006 no virus found
Fortinet 2.77.0.0 07.30.2006 no virus found
F-Prot 3.16f 07.28.2006 no virus found
F-Prot4 4.2.1.29 07.28.2006 no virus found
Ikarus 0.2.65.0 07.28.2006 no virus found
Kaspersky 4.0.2.24 07.31.2006 Trojan-Downloader.Win32.Tibs.gc
McAfee 4817 07.28.2006 no virus found
Microsoft 1.1508 07.27.2006 no virus found
NOD32v2 1.1684 07.29.2006 no virus found
Norman 5.90.23 07.28.2006 no virus found
Panda 9.0.0.4 07.30.2006 no virus found
Sophos 4.08.0 07.30.2006 no virus found
Symantec 8.0 07.31.2006 no virus found
TheHacker 5.9.8.183 07.30.2006 no virus found
UNA 1.83 07.28.2006 no virus found
VBA32 3.11.0 07.31.2006 no virus found
VirusBuster 4.3.7:9 07.30.2006 no virus found

Aditional Information
File size: 1738 bytes
MD5: 1e0cc6a87918a4c24cb94a8b28b323d7
SHA1: ff8e78489a667d8b06ac085e134f0bfd9c7a110c

Ron :)
 
I re-posted this after removing KL's telephone number. It is
commercial, but then again it is Usenet.

Art, from KL:

***quote***

Hello.

This file is clear.

Sincerely yours,
Pavel Zelensky
Virus analyst

Kaspersky Lab Ltd
Moscow, Russia
Tel/Fax: +n (nnn) nnn-nnnn
E-mail: (e-mail address removed)
Internet: http://www.kaspersky.com, http://www.viruslist.com


***endquote***
Click to expand...

Thanks for the info, Ron. Clearly, by "clear" Pavel has stated
that the neutered froggie is harmless, which, of course, it is.

The situation reminds me of a subject that interested me a
great deal some years back when Nick Fitzgerald posted on
acv regularly. Nick accused KAV of being a "crud detector".
Among the various kinds of crud that exists in virus collections
(nowdays malware collections) is the (somewhat botched)
disinfected file virus which has some semblence of a signature
left in the file, yet it's unviable (no longer capable of infecting
other files and "spreading").

Stupid vxers who don't know any better include such non-viable
and harmless samples in their collections of "virii" which are
or were offered for download from their "skull and crossbones"
web sites :) Naive testers of av products will unknowingly
include such crud in their test beds and penalize av products
that don't alert on them even though the alerts are actually
false positives. It's said that even the best of collections
usually include at least a small percentage of crud that
hasn't been culled out.

McAfee DOS and F-Prot DOS had their own unique ways
of handling the "testing game" and crud. McAfee av is
based on the former Dr. Solomon scan engine that NAI
purchased. Dr. Solomon av was all the rage as THE BEST
av of them all some years ago. McAfee DOS (and Dr. Solomon)
had/has a detection mechanism built into it such that when it finds
itself being testing in a collection (after so many contiguous
detections) it switches to "crud detection" mode. Experienced
testers know to use the /VID switch to disable that delightful
"feature" :) F-Prot uses a different method whereby a
/COLLECT switch can be set, and Frisk used to insist
that it be used when tested. With the /COLLECT switch
on, F-Prot will do amazingly well at distingushing crud
from viable malware (which it identifies as "exact"), and
it reports crud very descriptively. In fact, F-Prot is so
good at this, that it's often used as a "first cut" tool in
separating crud out of test collections.

If you get the idea that av, generally speaking, cannot
really separate viable from non-viable code, you're
right. Most av can't, though there are a few like
Norman that can "sandbox" malware to check for
viability. Frisk's /COLLECT switch doesn't operate that
way ... it simply causes F-prot to recognize and
describe likely crud and known crud ... but F-prot
doesn't actually establish viability versus non-viability.

Now, my neutered froggy is a good example of a
purposely created "crud file". I took the original
infested file into a hex editor and I over-wrote
the malicious code appendage with a constant ...
simply a repetition of some same byte over the
most of it and then I truncated at some point,
reducing the original file length. But I left the
"MZ" (ASCII) header intact and in the same
location, just after the End of Image marker.
That's enough of a "signature" to trigger my
JPG-SCAN proggy, and the idea is that the
neutered froggy can be used as a check on
my scanner ... it should alert.

However, mainstream av should not alert since
there is no malicious code at all in the neutered
froggie. One would expect something a bit more
sophisticated in the way of detection from
mainstream av. So the fact that KAV alerts is a
bit surprising, in a way. I would hope that they
do redesign their sig and remove the FP. But
who knows? Maybe since I have this file up
publically, they might know about it and want
to alert on it since it could wind up in test
collections. No doubt Kaspersky plays the
"testing game" by purposely alerting on all
kinds of crud :)

Personally, I don't have any problem with the
idea that KAV might be choosing to alert on this
example of "known crud". I've used Kaspersky
scanners for many years, and I can barely remember
back to the last time their scanner produced a
a FP or questionable alert on some file on one of
my machines. I simply don't see their "Super Crud
Detection" capabilty as any kind of actual problem
in my own experience. Possibly others might have
botched virus disinfections that KAV and some others
(falsely) alert on. But I doubt if it's a probem of any
major significance. In fact, I've argued that at least
some crud detections shouldn't be classified as
"real" false positives, though strictly speaking they
are FPs. I've argued that testing agencies could
have a separate category for this sort of thing.
File-AV and Web-AV still don't like the frog. Let's see what
happens overnight.

FWIW, from Virus Total:

STATUS: FINISHED
Complete scanning result of "Neutered_Frog.jpg", received in
VirusTotal at 07.31.2006, 03:32:08 (CET).
Antivirus Version Update Result
AntiVir 6.35.1.0 07.30.2006 no virus found
Authentium 4.93.8 07.29.2006 no virus found
Avast 4.7.844.0 07.29.2006 no virus found
AVG 386 07.28.2006 no virus found
BitDefender 7.2 07.31.2006 no virus found
CAT-QuickHeal 8.00 07.29.2006 no virus found
ClamAV devel-20060426 07.31.2006 no virus found
DrWeb 4.33 07.30.2006 no virus found
eTrust-InoculateIT 23.72.82 07.30.2006 no virus found
eTrust-Vet 12.6.2314 07.28.2006 Win32/Vxidl
Ewido 4.0 07.30.2006 no virus found
Fortinet 2.77.0.0 07.30.2006 no virus found
F-Prot 3.16f 07.28.2006 no virus found
F-Prot4 4.2.1.29 07.28.2006 no virus found
Ikarus 0.2.65.0 07.28.2006 no virus found
Kaspersky 4.0.2.24 07.31.2006 Trojan-Downloader.Win32.Tibs.gc
McAfee 4817 07.28.2006 no virus found
Microsoft 1.1508 07.27.2006 no virus found
NOD32v2 1.1684 07.29.2006 no virus found
Norman 5.90.23 07.28.2006 no virus found
Panda 9.0.0.4 07.30.2006 no virus found
Sophos 4.08.0 07.30.2006 no virus found
Symantec 8.0 07.31.2006 no virus found
TheHacker 5.9.8.183 07.30.2006 no virus found
UNA 1.83 07.28.2006 no virus found
VBA32 3.11.0 07.31.2006 no virus found
VirusBuster 4.3.7:9 07.30.2006 no virus found

Aditional Information
File size: 1738 bytes
MD5: 1e0cc6a87918a4c24cb94a8b28b323d7
SHA1: ff8e78489a667d8b06ac085e134f0bfd9c7a110c
Click to expand...

As you say, we shall see. Want to place bets one way
or the other on KAV removing the FP? I'd call it 50/50.
I wouldn't bet more than a cup of coffee one way or
the other :) And I won't be surprised either way, though
I have to say I guess I'd be most surprised if they do
remove the FP. I'd actually call it 60/40 in favor of
them continuing to alert on the neutered froggy.

Art
http://home.epix.net/~artnpeg
 
Back
Top