
Thread: Help me investigate trojan from 206.58.237.248

  1. #1
    Junior Member
    Join Date
    Oct 2004
    Posts
    14

    Help me investigate trojan from 206.58.237.248

    A while ago, I started noticing strange behavior in Internet Explorer. Whenever I did a search with Google, my search results would be modified to include extra links that I know Google would not return. When using View Source, as I suspected, the extra links were not in the HTML source.

    I ran my AV and several spyware programs, which weren't able to detect anything wrong. So then I started to look for suspicious processes running and found one - kbdus.exe (probably random filename). I found the program in my System directory, and determined it to be the Win32/SillyDl trojan. I then did a search with another AV program that detects this trojan, eTrust, and found a copy of SillyDl.AT in my Temporary Internet Files called 77_156_i.abc.

    I checked the date that this file was created and searched my computer for other files created on the same date. I found two files, both called "update", in my Temporary Internet Files. When reading these files, the contents of the first one is "none" and the other reads "dl=http://206.58.237.248/content/77_156_i.abc". Apparently, the DNS for this IP corresponds to update.requestlookup.net.

    I'm guessing it's some kind of rogue search engine. However, I am suspicious that SillyDl is not the only trojan on my computer and it may have dropped some other trojans, backdoors or spyware into my system. I'd like to find out what. I'd also like to know exactly how this trojan got on my system. I assume it was some Windows/IE exploit, but my system should have all the recent MS patches on it.

    Anyone familiar with this, or have any suggestions?
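    The timeline pivot this first post describes (take one confirmed sample, list the cache files written around the same time, and read any dl= directive out of them), written out as an added Python example. This is not code from the thread; the cache folder it builds is constructed sample data modelled on the filenames and the one dl= line the post quotes.

```python
import os
import re
import tempfile
from urllib.parse import urlparse
# Matches the directive format quoted from the second "update" file: dl=<url>
DL_RE = re.compile(r"^\s*dl\s*=\s*(\S+)", re.IGNORECASE | re.MULTILINE)

def files_modified_near(anchor_path, window_secs=24 * 3600):
    """Sibling files whose mtime lies within window_secs of the anchor's.
    mtime keeps the sample portable; on a live Windows case use os.path.getctime,
    which there is the creation time the post pivoted on."""
    folder = os.path.dirname(anchor_path)
    anchor_ts = os.path.getmtime(anchor_path)
    hits = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if (path != anchor_path and os.path.isfile(path)
                and abs(os.path.getmtime(path) - anchor_ts) <= window_secs):
            hits.append(path)
    return hits

def download_directives(path, max_bytes=4096):
    """(host, path) for every dl=<url> line in a small text file; binaries yield []."""
    with open(path, "rb") as fh:
        raw = fh.read(max_bytes)
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return []
    return [(urlparse(u).hostname, urlparse(u).path) for u in DL_RE.findall(text)]

def triage(anchor_path):
    """Map each time-correlated sibling (by name) to the download URLs it references."""
    return {os.path.basename(p): download_directives(p) for p in files_modified_near(anchor_path)}
def build_sample_cache():
    """Constructed stand-in for the Temporary Internet Files folder in the first post."""
    folder = tempfile.mkdtemp()
    now = os.path.getmtime(folder)
    files = {
        "77_156_i.abc": (b"MZ\x90\x00" + b"\x00" * 60, now),  # the SillyDl sample, not text
        "update": (b"none", now - 120),
        "update[1]": (b"dl=http://206.58.237.248/content/77_156_i.abc\r\n", now - 100),
        "cookie.txt": (b"dl=http://example.invalid/old\n", now - 40 * 86400),  # too old
    }
    for name, (data, ts) in files.items():
        path = os.path.join(folder, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (ts, ts))
    return os.path.join(folder, "77_156_i.abc")
```

Running `triage(build_sample_cache())` returns only the two "update" files, with the second one resolved to the host and path that the downloader was told to fetch.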

  2. #2
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    here is what symantec says about this virus (which they call download.trojan):

    http://securityresponse.symantec.com...ad.trojan.html

    just as a recommendation to you, i would switch to using firefox and also i would make sure your virus protection is updated...
    [gloworange]find / -name \"*your_base*\" -exec chown us:us {} \\;[/gloworange] [glowpurple]Trust No One[/glowpurple][shadow] Use Hardened Gentoo [/shadow]
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM

  3. #3
    Junior Member
    Join Date
    Oct 2004
    Posts
    14
    Yeah, my virus protection was updated when I did the scan.

    According to Symantec:
    Download.Trojan does the following:

    Goes to a specific Web or FTP site that its author created and attempts to download new Trojans, viruses, worms, or their components.
    After the Trojan downloads the files, it executes them.
    What I'd like to know is what it downloaded and executed on my system.

  4. #4
    You're right, you've probably got bigger problems. I'd advise that you do a harder clean of your system. It will eliminate the possibility of any malware that is known to the vendors. After that, if you still have problems, let us know and we can help you out.

    Follow this doc:
    http://www.antionline.com/attachment...achmentid=4913

    Make sure you follow the steps accurately, especially when it explains updating.

    [off topic]
    If anyone has any problems with me practically whoring this link, let me know. I've noticed myself linking it a lot more, I don't want anyone to think it's spamming. I think it's a good walkthrough, and I have had a lot of success with the non-malware literate. If anyone has any edit ideas for it, I'll be glad to make those changes.
    [/offtopic]

  5. #5
    Junior Member
    Join Date
    Oct 2004
    Posts
    14
    Well, as I mentioned in the first post, I've done pretty much everything in that list. I haven't tried scanning my system in Safe Mode yet, but I somehow doubt it'll turn up anything new. Still, I'll give it a shot.

  6. #6
    The reason safe mode is different from booting up normally is because it forces Windows to boot up bare bones. The reason malware is able to escape scanners is because it is running code to avoid them. By booting up in safe mode, or going even further and using a boot disc, you are able to scan the files when they aren't being executed. There is a chance that your infections are not handled by the vendors, I do see that happening more and more often (especially w/ hijackers).

    We will be able to handle whatever malware you have, it's just that we don't want to spend our time working on something that is handled by a malware signature. It's safer to let a scanner do it, than to have us work on it manually.

    Good luck, malware rarely escapes safe mode!

  7. #7
    Junior Member
    Join Date
    Oct 2004
    Posts
    14
    Yeah, I know.

    Even in Safe Mode with the latest definitions, I don't think I've found what I'm looking for.

    Search & Destroy found nothing. AdAware found a CAB file with SyncroAdX.dll in it, but I don't think this is infecting my system. My AV found Worm/Rbot.LD.1 (in prompt[1].htm) and JS/MediaTickets.B (in mtrslib2[1].js) but I've looked at both of these, and I don't think that they infected my system either.

  8. #8
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    what are you using as a virus scanning program??

  9. #9
    Senior Member
    Join Date
    Mar 2004
    Posts
    347
    Switching to firefox, though a good idea, won't fix this in my opinion. We have been noticing a lot of the download.trojan coming through emails actually embedded in the messages. Get some decent AV and spyware removal. ClamAV on linux picks this up and cleans it out great.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  10. #10
    Just a Virtualized Geek
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    ClamAV on linux picks this up and cleans it out great.
    Wouldn't that suggest that he use Linux then instead of Windows? Given that he is a home user (general assumption on my part based on the first post) this may not be a practical option. Perhaps it would be better to suggest using a non-IE based browser and an email program in which users can disable HTML rendering of received emails (I would imagine Thunderbird or Eudora having these capabilities) amongst the other standard programs (AV, spyware, process listers, hijack listers, etc) that would be needed.

    As for detecting trojans, one of the ol' standbys might help: TheCleaner. I have found that it finds many trojans that AVs tend to miss.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
