Do I have Downloader.Trojan???

Countryboy · 09-27-2006, 02:52 PM

POADB recently helped me clean up my computer. Today I was looking for some info on the web, I clicked on a web site and a download pop up appeared, something to do with a wmf file. I clicked on the X and closed the window. A few minutes later my Symantec antivirus scanner popped up this message:

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Downloader.Trojan
File: C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\pdkpbfjy.default\Cache\_CACHE_002_
Location: C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\pdkpbfjy.default\Cache

I've rerun a number of the scanners that I was instructed to use recently but nothing was found. So now I'm left wondering whether I do have a trojan or not.

Here is an HJT log I've just run:

Logfile of HijackThis v1.99.1
Scan saved at 9:51:39 PM, on 27-09-06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\DSLAGENT.EXE
C:\WINDOWS\SYSTEM\GSICON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\PROXOMITRON NAOKO-4\PROXOMITRON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: Hitware Popup Killer Lite - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\SYPCMS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTRAY.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\RTVSCN95.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...bscan_ansi.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab

I apologise for having to request your assistance again so soon

Thanks and regards,

CB.

**POADB** · 09-27-2006, 03:18 PM

Back so soon...

C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\pdkpbfjy.default\Cache\_CACHE_002_
C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\pdkpbfjy.default\Cache

These locations are your FF Browser cache. Where IE would store in Temporary Internet Files, FF has Cahce folders.

Open FireFox. Go to Tools > Options - in the Privacy Tab, click to Clear Cache.

I would reboot and then let Symantec do a virus scan.
Again, you have the online scans at your disposal.

Let us know what you find.

Countryboy · 10-02-2006, 08:49 AM

Hi POADB, you can tell how nervous I am that they are out to get me

I did as you suggested and then reran all the scans and tools at my disposal and they all came up clean. I'm left wondering why Symantec found it necessary to show me that message when it appears that my computer isn't infected....

Cheers,

CB.

**POADB** · 10-02-2006, 11:48 AM

Symantec is just doing it's job (*cough*makes a change*cough*).

Take care.

09-27-2006, 02:52 PM	#1 (permalink)
Countryboy Registered User Join Date: Aug 2006 Posts: 31 OS: Win98SE	Do I have Downloader.Trojan??? POADB recently helped me clean up my computer. Today I was looking for some info on the web, I clicked on a web site and a download pop up appeared, something to do with a wmf file. I clicked on the X and closed the window. A few minutes later my Symantec antivirus scanner popped up this message: Scan type: Auto-Protect Scan Event: Threat Found! Threat: Downloader.Trojan File: C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\pdkpbfjy.default\Cache\_CACHE_002_ Location: C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\pdkpbfjy.default\Cache I've rerun a number of the scanners that I was instructed to use recently but nothing was found. So now I'm left wondering whether I do have a trojan or not. Here is an HJT log I've just run: Logfile of HijackThis v1.99.1 Scan saved at 9:51:39 PM, on 27-09-06 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCN95.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE C:\WINDOWS\SYSTEM\DSLAGENT.EXE C:\WINDOWS\SYSTEM\GSICON.EXE C:\WINDOWS\LOADQM.EXE C:\WINDOWS\TASKMON.EXE C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE C:\PROGRAM FILES\PROXOMITRON NAOKO-4\PROXOMITRON.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE C:\HJT\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080 O2 - BHO: Hitware Popup Killer Lite - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\SYPCMS.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [CountrySelection] pctptt.exe O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTRAY.EXE O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\DEFWATCH.EXE O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\RTVSCN95.EXE O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...bscan_ansi.cab O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab I apologise for having to request your assistance again so soon Thanks and regards, CB.

09-27-2006, 03:18 PM	#2 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,481 OS: XP SP2	Back so soon... C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\pdkpbfjy.default\Cache\_CACHE_002_ C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\pdkpbfjy.default\Cache These locations are your FF Browser cache. Where IE would store in Temporary Internet Files, FF has Cahce folders. Open FireFox. Go to Tools > Options - in the Privacy Tab, click to Clear Cache. I would reboot and then let Symantec do a virus scan. Again, you have the online scans at your disposal. Let us know what you find. __________________

10-02-2006, 08:49 AM	#3 (permalink)
Countryboy Registered User Join Date: Aug 2006 Posts: 31 OS: Win98SE	Thanks for the help (again!!).... Hi POADB, you can tell how nervous I am that they are out to get me I did as you suggested and then reran all the scans and tools at my disposal and they all came up clean. I'm left wondering why Symantec found it necessary to show me that message when it appears that my computer isn't infected.... Cheers, CB.

10-02-2006, 11:48 AM	#4 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,481 OS: XP SP2	Symantec is just doing it's job (coughmakes a changecough). Take care. __________________