Solved

Trojan Horse Downloader.Swizzor.8.B

Posted on 2006-11-23
11
656 Views
Last Modified: 2010-04-11
Help, how do i remove it???

I am using AVG Free which detects and deletes it, but then 20 minutes later its back with a different file name.

The virus files are always found in:

C:\Documents and settings\Amy\Local Settings\Temp\<random number>.exe

<random number> changes every time a virus is found.  After looking in the directory in explorer (win XP) it shows several of them, and avg finds and deletes them all, but then a few minutes they start to appear again.

How do i get rid of it for good?
0
Comment
Question by:NAORC
  • 3
  • 2
  • 2
  • +4
11 Comments
 
LVL 5

Accepted Solution

by:
sg405222 earned 500 total points
ID: 18001715
Hi NAORC,

This downloader installs itself as a browser help object and wil attempt to download files from predetermined URLS and also execute EXE files from a remote website.  This happens as soon as you load IE

Take a look at http://www.spywareremove.com/removeSwizzor.html

As a future precaution I would clear all you browser cache history etc when you exit your broswer inc any off line content


Cheers!
0
 
LVL 2

Expert Comment

by:Zak-R
ID: 18004715

The problem with new boundlers, hoaxs, trojans, and spyware, etc
is that they no longer are in the same old 'RUN Once' in the Registry.

people that do this kind of things, they have learned some other ways to
hide the best as posible all running proccess in the backgraund.

if you look in the running proccess of you computer, you may see the trojan.exe
running, but you can't see from where the program is running or what makes it run.
then even if you close this trojan.exe from all the proccess, the trojans.exe magically
start again :-)... Try this out,

Click Start Menu, then RUN, now type regedit, and go to this key path in the Registry:
'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components

Now that u are there, try to locate something not familliar with the rest of the stuff
for example: '\TrojanDir]"StubPath"="C:\Windows\System32:\trojan.exe'
also can be many diferent dir, sub, folders, etc.
another example '\BlaBlaBla]"StubPath"="C:\Windows\trojan.exe'

Sometimes even if you find this and delete it, it will come out again, but
if you find bouth path and delete then, the show will be over for that trojan.

hope u understand my point or my writing :-)

Good luck

0
 
LVL 8

Expert Comment

by:deadite
ID: 18006100
Try removing the following (this will take a while, there's alot)

http://www.spywaredb.com/remove-trojandownloader-win32-swizzor/
0
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

 
LVL 23

Expert Comment

by:Admin3k
ID: 18006617
A Hijack this log might help here .
0
 
LVL 2

Expert Comment

by:Zak-R
ID: 18008551

i am 90% sure that 'HijackThis and the other spayware remover will not stop this.
i was just suggesting on how to try removing it manually if it exist in the Registry.

0
 
LVL 23

Expert Comment

by:Admin3k
ID: 18008602
Hijack this IS a manual method of removal as opposed to software that depends on malware signatures
with HT you will be able to remove anything that shouldnt be there as long as you know enough about the usual software enviroment of your operating system.
0
 
LVL 2

Expert Comment

by:Zak-R
ID: 18008751

i know that program thats right i give that opinion. I also know Spy Sweeper.

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18010012
I second admin3k's suggestion of hijackthis log.

There are many variants of swizzor. Generally they fall into the category of Lop infection.
Hijackthis can't fix an infection but it is very helpful in pointing us to what infection the system has.
The hijackthis log can tell us what tool is needed to fix the system base on the bad entries showing in the log. If it's a variant of Lop then the below tool will fix it,
Hijackthis is one of the best diagnostic tool there is, besides its other functions. I always suggest or ask to look for a hijackthis log so I don't have to do guesswork on what tool to suggest.


Download NoLop to your desktop from one of the links below...
http://www.spywareedge.net/nolop/NoLop.exe
http://www.spywaretimes.com/Tools/download/21/chk,ed0778d88843ca2625ab6208a197bcc5/
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16

First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should popup from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log



0
 
LVL 30

Expert Comment

by:pgm554
ID: 18012061
You need to run the cleaners while in safe mode.

I would run spybot sd and adaware after updating the signatures.
0
 
LVL 5

Author Comment

by:NAORC
ID: 18018567
Thanks all.. keep the suggestions coming..

I will be trying saturday to fix it when i am next with my client.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18018615
A hijackthis log will be most helpful in our diagnoses.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
http://danborg.org/spy/hjt/alternativ.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

Then upload the logs to any hosting sites,
or go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
rajdeep0081@hotmail.com 3 100
Malware infection with local user rights? 6 47
Powershell 3.0 - Add Group/Username and Enable Full Control permissions 2 32
PGP software 3 37
February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
OnPage: Incident management and secure messaging on your smartphone
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question