
Generic Downloader.ab - Please help

Discussion in 'Windows - Virus and spyware problems' started by sanathdw, Jul 7, 2007.

  1. sanathdw

    sanathdw Member

    Joined:
    Jul 7, 2007
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    11
    There is a d.dll in my windows\temp folder and in the Local Settings\Temp folder which creates various exes, and McAfee identifies it as Generic Downloader.ab but is unable to clean the trojan.

    Attached is the HijackThis log file.

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 10:05:05 PM, on 7/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Virtusa Corporation\VPN Client\cvpnd.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Microsoft Office Communicator\Communicator.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
    D:\Various\XoftSpySE\HiJackThis_v2.0.0.0.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cs-appsvr01:8080/EYE/LeaveApproval.jsp?details=1168916620878_803&status=y
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll (file missing)
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [XoftSpySE] C:\Program Files\XoftSpySE\xoftspy.exe -s
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe"
    O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDWG32] LYLoadbr.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDCG32 ] LYLeador.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDOG32] LYLoador.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDSG32] LYLoadar.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDMG32] LYLoadmr.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDHG32] LYLoadhr.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDQG32] LYLoadqr.exe
    O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
    O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
    O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: Virtusa Corporation VPN Client.lnk = C:\Program Files\Virtusa Corporation\VPN Client\vpngui.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.chneye
    O15 - Trusted Zone: http://*.chnheart
    O15 - Trusted Zone: http://*.chnithelpdesk
    O15 - Trusted Zone: http://*.chnpulse
    O15 - Trusted Zone: http://*.cmbeye
    O15 - Trusted Zone: http://*.cmbheart
    O15 - Trusted Zone: http://*.cmbpulse
    O15 - Trusted Zone: http://*.dashboard
    O15 - Trusted Zone: http://*.dashboardin
    O15 - Trusted Zone: http://*.dashboardsl
    O15 - Trusted Zone: http://*.directoryupdate
    O15 - Trusted Zone: *.elluminate.com
    O15 - Trusted Zone: http://find.galegroup.com
    O15 - Trusted Zone: http://infotrac.galegroup.com
    O15 - Trusted Zone: http://*.heart
    O15 - Trusted Zone: http://*.hydeye
    O15 - Trusted Zone: http://*.hydheart
    O15 - Trusted Zone: http://*.hydithelpdesk
    O15 - Trusted Zone: http://*.hydpulse
    O15 - Trusted Zone: http://*.icontactsvr
    O15 - Trusted Zone: http://*.ms-appsvr01
    O15 - Trusted Zone: http://*.pulse
    O15 - Trusted Zone: http://*.slhelpdesk
    O15 - Trusted Zone: http://*.ttappsl
    O15 - Trusted Zone: http://*.ttappus
    O15 - Trusted Zone: http://*.u21global.com
    O15 - Trusted Zone: http://*.ushelpdesk
    O15 - Trusted Zone: http://scm.virtusa.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183821664723
    O16 - DPF: {92F6C891-8282-4953-9A63-5C712783C668} (eT247.eTMain) - http://ttappsl/pulse/eT247.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Virtusa.com
    O17 - HKLM\Software\..\Telephony: DomainName = Virtusa.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{007725DC-2112-427D-8B5C-8CBAC654743E}: NameServer = 10.2.1.5,10.2.1.6
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Virtusa.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{007725DC-2112-427D-8B5C-8CBAC654743E}: NameServer = 10.2.1.5,10.2.1.6
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Virtusa.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{007725DC-2112-427D-8B5C-8CBAC654743E}: NameServer = 10.2.1.5,10.2.1.6
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = Virtusa.com
    O17 - HKLM\System\CS3\Services\Tcpip\..\{007725DC-2112-427D-8B5C-8CBAC654743E}: NameServer = 10.2.1.5,10.2.1.6
    O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = Virtusa.com
    O17 - HKLM\System\CS4\Services\Tcpip\..\{007725DC-2112-427D-8B5C-8CBAC654743E}: NameServer = 10.2.1.5,10.2.1.6
    O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = Virtusa.com
    O17 - HKLM\System\CS5\Services\Tcpip\..\{007725DC-2112-427D-8B5C-8CBAC654743E}: NameServer = 10.2.1.5,10.2.1.6
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Virtusa Corporation\VPN Client\cvpnd.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Media Serial Number Services - Unknown owner - C:\WINDOWS\system32\moviemk.exe (file missing)
    O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)

    --
    End of file - 12605 bytes
     
  2. Auttaja

    Auttaja Guest


    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe

    Close ALL open windows
    Click Fix Checked
    Close HijackThis

    ========

    Download and Run ComboFix
    *Download this file from either of the two below listed places :

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

    *Then double click combofix.exe & follow the prompts.
    *When finished, it shall produce a log for you. Post that log in your next reply
    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
     

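The thread turns on reading the HijackThis log in the first post and picking out which O4 lines to check before clicking Fix Checked in the second. As an added example (not part of the thread, and not HijackThis or ComboFix code), the script below parses HJT 2.0-style log lines and flags the three things a responder looks for first: autoruns under the `Policies\Explorer\Run` key (a policy key that legitimate software almost never populates, and exactly where the LYLoad*.exe entries sit), Run entries that name a bare file with no directory (so the file cannot be located or verified from the log alone), and entries marked `(file missing)` (orphaned references). The sample lines are copied from the log and the reply above; the line format and the rule set are my assumptions.

```python
"""Triage a HijackThis (HJT) log for autorun entries that deserve a closer look.

Added example, not part of the forum thread. Assumes the classic HJT 2.0
line format shown in the post ("O4 - <key>: [<name>] <command>"); the
sample lines below are copied from the poster's log and the helper's reply.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: str
    reason: str


# Matches the bracketed registry-style O4 lines; "O4 - Startup: x.lnk = ..."
# lines deliberately do not match, since they already carry a resolved path.
O4_RUN = re.compile(r'^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
FILE_MISSING = '(file missing)'


def _executable(cmd: str) -> str:
    """Return the program part of a Run command, stripping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def triage(lines: List[str]) -> List[Finding]:
    """Apply the three triage rules to each log line and collect findings."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        # Rule 3: any section (O2, O9, O23, ...) pointing at a file that is gone.
        if FILE_MISSING in line:
            findings.append(Finding(line, 'orphaned entry: referenced file is missing'))
            continue
        m = O4_RUN.match(line)
        if not m:
            continue
        key, cmd = m.group('key'), m.group('cmd')
        # Rule 1: the policy Run key is rarely used by legitimate software.
        if 'Policies\\Explorer\\Run' in key:
            findings.append(Finding(line, 'Policies\\Explorer\\Run autorun: rarely used by legitimate software'))
            continue
        # Rule 2: a bare filename cannot be resolved to a location from the log.
        exe = _executable(cmd)
        if exe and '\\' not in exe and '/' not in exe:
            findings.append(Finding(line, 'bare filename in Run key: location must be resolved and verified'))
    return findings


# Constructed sample: lines taken from the log and the reply in this thread.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe',
    r'O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe',
    r'O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey',
    r'O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe',
    r'O4 - HKLM\..\Policies\Explorer\Run: [MSDCG32 ] LYLeador.exe',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe',
    r'O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)',
]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.reason}\n    {f.line}')
```

Run as-is it lists four lines: the two policy-key entries, the bare `AGRSMMSG.exe` entry and the missing `msiexec.exe` service. A bare filename is a prompt to locate the file (Windows and System32 are searched first) and check its publisher, not a verdict; the policy-key hits are the ones the reply tells the poster to check and fix.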