trojan horse downloader

Hi, I have a Win NT4.0 SP6 server. It's a DNS and web server. For a few days IE has been redirecting sites to some search engines. When I scanned with AVG it detected some trojan horse downloader. I healed the trojan and restarted the DNS. The problem was solved, but after some hours the problem arose again. Since then I have scanned and restarted it more than 50 times, but it is the same. I also downloaded some trojan hunter; it detected some other files as trojans and removed or renamed them, but the problem is as it is; in fact it is growing. The most surprising thing is that even if I scan it with AVG after every 10 min gap it detects the same files and cures them, and then the next time the same trojan is caught at the same location. Thanks if any help could be made...

Answer Wiki


Newer trojans are getting very smart, will install loaders that run automatically, and can’t really be picked up by AV, as they don’t have any specific signature to work with.
They can also install as part of the OS, and prevent removal except in safe mode. To clear your current infection you will need to determine exactly which trojan has infected you, then go to one of the major AV sites to find out the best way of dealing with it. On a network these can be really deadly, as they will spread by many means and will not show up on some systems, just sit there ready to re-infect any system you manage to clean. To deal with this type of outbreak you need to take all systems off the network, and only bring them back on, one at a time, once you are sure they are clean.


It is actually a trojan horse downloader or spyware programs installed in your browser or computer. This problem could be fixed using your updated and latest antivirus software program, or you can reinstall your browser to have a newly installed and virus-free internet browser.

Discuss This Question: 15  Replies

  • Howard2nd
    Concur with PeterMac. Without firewalls internally and externally, this problem may prove very difficult. Windows puts some files in a 'Protected' class and will restore them from the cache on the local hard drive. The trojan knows this and puts its boot loader in one of those files. You remove the bad files, restart, and Windows restores the infected file, which proceeds to download the Trojan all over again. We don't know what size your network is, therefore how much pain this will be. Shut it all down, set up firewalls, bring it back up one machine at a time; obviously that has to start with the server. If you have a good backup from before the problem started, use that. If your backup is data only and not applications, a clean install with all patches before connecting to the internet is highly recommended. REMEMBER - IISlockdown and URLscan before attaching to the internet (you mentioned it is used as a webserver). Might be a good time to upgrade.
  • Nerdking
    I've had similar problems on our network. Although none of our servers have been hit w/Trojans, some of the desktops have. Usually by the time you discover there is a problem and get rid of the Trojan, the malicious program that's doing the real damage, which the Trojan d/l'ed, is installed and doing its dirty work. Not only that, it insinuates itself into different parts of the registry so that when you get rid of one instance of it, the next time you restart it loads itself once again. The only way I have gotten the machine back to a safe, stable condition is to first get it off the network, reboot it into Safe Mode, then run a full virus scan. Next, while still in Safe Mode, run spyware/adware sweepers, getting rid of as much as you can, rebooting back into Safe Mode between each scan. When the spyware/adware sweepers begin to come up "empty", run HijackThis and begin tracking down and getting rid of the garbage. Be careful with HijackThis! Once you have it get rid of something, it's gone. With HijackThis remember, Google is your best friend. Anything that it finds that seems the least bit suspicious, google it to find out what exactly it is before you mark it for deletion. As with the spyware/adware sweepers, reboot back into Safe Mode after each HijackThis scan and repeat until HijackThis comes up "clean". After all this, restart the machine normally and repeat the process above until there's nothing left except what's supposed to be there. It's a long, drawn-out process and if anyone can suggest an easier method please do, because I like to get home most nights before the coming dawn. Also, like the others have suggested, protect your network. Get some firewalls in place, patch, update, and upgrade where you can. Most of all keep a close eye on what is going on on a daily -- hourly if you can -- basis. Good luck
  • Bobkberg
    Gee guys! You've already taken the fun parts! :-) Looks like I've got to work a little harder here. The other thing I've found recently (case in point - the new about:blank pest) is that the infector is an innocent-looking DLL somewhere that the AV software rarely catches. All it does is re-install the pest. Do a complete search (including hidden files/folders) for all new EXE and DLL files added during the time period surrounding the first sign of infection. Surround that by a week, give or take, since some of them deliberately lie in wait so that they don't get found by date association. Then check for their existence in the registry. On a side note, it's only a matter of time (if not already happening) before some new pest matches its own modification date to that of the installed O/S files. Bob
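The search Bob describes, as an added example (not code from anyone in this thread): list EXE/DLL files whose timestamps fall within a week of the first sign of infection, then look for those names in a text export of the registry. The file names and the .reg text are constructed; `example_loader.dll` is a placeholder, not a real indicator.

```python
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def new_binaries(root, first_seen, window_days=7):
    """List .exe/.dll files under root (hidden ones included; os.walk does not
    skip them) created or modified within window_days of first_seen."""
    lo = (first_seen - timedelta(days=window_days)).timestamp()
    hi = (first_seen + timedelta(days=window_days)).timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".exe", ".dll")):
                p = Path(dirpath) / name
                st = p.stat()
                # On Windows st_ctime is the creation time. Test each timestamp
                # on its own: a dropper may backdate one of them but not the other.
                if any(lo <= t <= hi for t in (st.st_ctime, st.st_mtime)):
                    hits.append(p)
    return sorted(hits)


def registry_references(reg_export_text, filenames):
    """Scan the text of a .reg export (e.g. from 'reg export HKLM hklm.reg') and
    return {filename: [(key, value line), ...]} for every value naming it."""
    wanted = {f.lower() for f in filenames}
    key, refs = None, {}
    for line in reg_export_text.splitlines():
        if line.startswith("["):
            key = line.strip("[]")
            continue
        for f in wanted:
            if f in line.lower():
                refs.setdefault(f, []).append((key, line.strip()))
    return refs


# Constructed sample of a .reg export: one Run value pointing at the placeholder DLL.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"loader"="C:\\\\WINNT\\\\system32\\\\example_loader.dll"
"""


def demo():
    """Constructed tree: one DLL dated inside the window (infection noticed 30
    days ago), one EXE far outside it; cross-check the hits against SAMPLE_REG."""
    first_seen = datetime.now() - timedelta(days=30)
    root = Path(tempfile.mkdtemp())
    for name, age_days in (("example_loader.dll", 30), ("old.exe", 90)):
        p = root / name
        p.write_bytes(b"MZ")
        t = (datetime.now() - timedelta(days=age_days)).timestamp()
        os.utime(p, (t, t))
    names = [h.name for h in new_binaries(root, first_seen)]
    return names, registry_references(SAMPLE_REG, names)
```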
  • Ramheka
    Hi there. Download Microsoft AntiSpyware; it does a good job and it is free. A firewall won't do you good, as most of the hacks are conducted through port 80 and most trojans are installed while surfing the net logged on as a superuser or a power user. By that I did not mean you should not have a firewall; you only have to change your surfing habits and stop installing freeware on your production servers.
  • Redrose
    Thanks for the suggestions. Do I need to reinstall the OS? Also, do I need to do it on all the systems connected or only on the DNS itself?
  • Anannymouse
    Let me start by saying that Trojans are typically smarter than viruses/worms and can easily be modified to avoid detection by most of the common tools. The only way to be truly sure you are rid of an infection is to wipe the box and reinstall from the original manufacturer's CD/DVD. Once that is done, fully patch the system (even this is no longer good enough for an NT4 install as it is end of life). The patches should be installed from verified clean media rather than connecting to the internet/intranet to download. Now harden the install. Then install any additional layers of security (firewall, AV, IDS/IPS, anti-spyware). If this approach is not possible due to your business environment then you will have to scan with all available tools to attempt to clear the infection. Remember, no one tool is going to do it all for you and all the tools can be fooled. Improve your chances of success by running as many tools as you can (even if the previous tools found nothing) and run them from safe mode. After all the scans, check your situation again. If you are still seeing the trojan you must consider that either it is a false positive by the one tool (a very dangerous assumption) or that you need to reinstall. Something that might help us help more is if you could provide the names of the tools used and the trojan found. I would really recommend that you start from scratch and that you upgrade to, if not the latest, a supported OS. (Just a quick note - 6 of the patches released in Feb affected NT4 and only one or two of those had patches released to the public. Unpatched vulnerabilities on an NT webserver......sounds perfect for rooting)
  • Ch4osworldwide
    The Permanent Solution would be to install Linux, with Apache, w/BIND. Seeing you have to reinstall the OS anyway... The above would take no more than an hour, plus restore. If you're new to Linux, use for a GUI to set up your sites and DNS. I prefer SuSE; the evals are available on their site, with a 30-day updates serial. I use SuSE 9.2 Pro ($50 for a year of updates) for my sites and POP/SMTP/WebMail; awesome performance, very easy to set up... Don't believe all that hype...
  • DaisyPatch
    What do you mean "do I need to reinstall the OS?" How can people tell you whether or not you need to reinstall if you don't report the results of the troubleshooting you have done so far - for example, what exactly are the files you found and what did you learn from running HiJackThis? Here's a great free util from Mark Russinovich which will help you see if any rootkits have been installed... Having said that, how big a domain are you working with and how confidential and/or important is your data? Is this a member server or a PDC or BDC? Some stuff is trivial to clean up, some is nearly impossible. If I were your security manager, I wouldn't let you have an NT4 server in the first place, but, given that you have one and given that it has been compromised and you don't have a clear picture of what, exactly, has happened to it, I would request that you rebuild it (see tool for backing up your DHCP at
  • ExchExpert
    Hi three amigos. First of all, as everyone told you, you must have some FW on your systems; even just put in a PIX FW or a Linux-based FW like MANDRAKE SECURITY. Then, for a full patch service to all stations and servers, I highly recommend that you install Microsoft WUS/SUS server; it's completely free and very easy to use. Furthermore, upgrade from NT to at least 2k Server, for a higher-security infrastructure for your site. Now regarding the Trojan: there is probably an extra DLL running it, so no, you don't have to reinstall; just search for that file on startup or in the registry, or try the msconfig utility from MS; it should be helpful. Best of luck
  • Franna81
    Good day. Firstly, are you running your system behind a firewall? Second, Microsoft doesn't support NT4 any more, as you know. Thirdly, are you scanning only with AVG? I suggest that you run a scan with PestPatrol from CA, and try to find the registry entry of that trojan. When talking about IE, are all IE requests redirected from different workstations? Not just from the local system? If so, we are talking DNS, and not a trojan. It is probably also a service that reschedules the exploit code; monitor all services and if possible disable them one by one to narrow down the service name. Search for that name and delete the file. Note: when the file is found, run in safe mode for deletion, so that the service won't be reactivated. Hope this will help; Trojans can be a pain in the bud!!!
  • Xevier
    Hi, thanks for all your replies. I have IDS installed along with other servers. The antivirus is only AVG. It found some "trojan-horse.downloader.small.15.AS and ieloader[1].exe, an[1].exe, moo.exe" with it. All the .com sites are redirected to ", and". I tried some trojan hunters from the web. All detected some other culprit, but nothing helped.
  • Longshanks
    As a further layer of security has anyone reading tried "registry firewalls" (software to protect the registry)? About spyware removers. (I wish I could remember the website) There is a German guy (site in English) who keeps a list of all spyware & trojan hunters and lists the ones that secretly ADD spyware or trojans to your system (you'd be surprised at some of the nasty stuff that pretends to be a spykiller) there is also that does a similar service
  • EricHarris
    All the advice has been good and doesn't really need me to add to it. This is more a side reply to ciscocat6's reply. I wanted to point out that sometimes formatting the whole system is the only way to be really sure that you have killed an invasive program. I was reading an article from the Microsoft Research people recently (in Technet Magazine, I think) and they stated unequivocally that you cannot absolutely trust an infected Windows box until you have "flattened the box," even going so far as to recommend deleting and re-creating the partitions. Cleaning will work much of the time but sometimes... Other than that thank you for the batch file. I think I will find it very helpful.
  • Andynoff
    I'd advise you to download my freeware script, "Silent Runners.vbs", and run it on this NT4 box. It specializes in identifying how non-viral malware starts up on any given Windows system. You can find it here: If you're able to disinfect this system, you'll certainly need to take additional steps to secure it. The replies above contain excellent advice about the steps to take.
  • Microsolve
    Hi, just a thought. You are running NT4 - incredibly user-hostile until you get used to it, but relatively stable for its day. Totally outclassed in most areas by modern OSes, but it has one advantage - it's now cheap! Using a bit of intuition on outfits with funding constraints, my guess is that you are running the free version of AVG. Although not licensed for server OSes, it would run on them.... Sadly, version 7 freeware enforces this licensing requirement by not running on server OSes at all. Although version 6 updates officially ended around the time Santa whizzed by overhead on his sleigh, they did not finally pull the updates until around February. If you are still running AVG 6, there is no telling what you may have running on your system. Trend, Symantec or Panda have some online tools that will scan, and the Java-based Trend tool (hosted in Germany) is capable of removing some of the things it finds (and seems more capable than the Symantec version, while not requiring ActiveX). It also has a built-in entertainment function, as you giggle at the pidgin English of its instructions and associated adverts! As a solution to your problem if you are still running AVG6, try persuading your budget setter to let you protect your assets with some AV - or risk losing those assets! Hope this helps, Mike
