Tuesday, January 6, 2009

DownloadWare Adware

DownloadWare malware description and removal details
Categories: Adware, Hijacker, Toolbar, Downloader
Also known as:

[Kaspersky]TrojanDownloader.Win32.BHO,TrojanDownloader.Win32.Realtens.e,TrojanDownloader.Win32.VB.ah;
[Eset]Win32/TrojanDownloader.Realtens.E trojan;
[Panda]Adware/DownloadWare,Trojan Horse;
[Computer Associates]Win32.BettInet.F

Visible Symptoms:
Files in system folders:
[%SYSTEM%]\Gr0ck03.dll
[%WINDOWS%]\digital signature 20020710.htm
[%WINDOWS%]\digital signature 20020802.htm
[%WINDOWS%]\digital signature 20030720.htm
[%WINDOWS%]\digital signature 20030807.htm
[%WINDOWS%]\digital signature 20031120.htm
[%WINDOWS%]\digital signature 20040624.htm
[%WINDOWS%]\digital signature 20040714.htm
[%WINDOWS%]\downloaded program files\activeinstall.inf
[%WINDOWS%]\downloaded program files\conflict.27\activeinstall.inf
[%WINDOWS%]\downloaded program files\conflict.2\activeinstall.inf

Platforms / OS: Windows 95, Windows 98, Windows 98 SE, Windows NT, Windows ME, Windows 2000, Windows XP, Windows 2003, Windows Vista

Detecting DownloadWare:

Files:
[%SYSTEM%]\Gr0ck03.dll
[%WINDOWS%]\digital signature 20020710.htm
[%WINDOWS%]\digital signature 20020802.htm
[%WINDOWS%]\digital signature 20030720.htm
[%WINDOWS%]\digital signature 20030807.htm
[%WINDOWS%]\digital signature 20031120.htm
[%WINDOWS%]\digital signature 20040624.htm
[%WINDOWS%]\digital signature 20040714.htm
[%WINDOWS%]\downloaded program files\activeinstall.inf
[%WINDOWS%]\downloaded program files\conflict.27\activeinstall.inf
[%WINDOWS%]\downloaded program files\conflict.2\activeinstall.inf

Folders:
[%PROGRAM_FILES%]\downloadware
[%PROGRAM_FILES%]\kfh
[%PROGRAM_FILES%]\medch
[%PROGRAM_FILES%]\mlh
[%PROGRAM_FILES%]\downloadware engine
[%PROGRAM_FILES%]\movienetworks
[%PROGRAM_FILES%]\popcorn.net
[%PROGRAM_FILES%]\real-tens

Registry Keys:
HKEY_CURRENT_USER\software\downloadware
HKEY_CURRENT_USER\software\medialoads
HKEY_LOCAL_MACHINE\software\classes\clsid\{000007ab-7059-463e-bd44-101a1750d732}
HKEY_LOCAL_MACHINE\software\classes\interface\{1eb48aa7-d3fe-4e4c-ac8e-b01594496ac0}
HKEY_LOCAL_MACHINE\software\classes\interface\{42bd9965-303d-4cfb-aae0-dcadcb791a55}
HKEY_LOCAL_MACHINE\software\classes\interface\{a351d4b1-bf54-41f1-bec0-8a1c4ecd72c7}
HKEY_LOCAL_MACHINE\software\classes\interface\{f5f0a448-2bcd-459e-8743-c39154ee1ca8}
HKEY_LOCAL_MACHINE\software\classes\typelib\{53f066f0-a4c0-4f46-83eb-2dfd03f938cf}
HKEY_LOCAL_MACHINE\software\classes\typelib\{95b3af07-0e4f-4cdf-acfd-3d4efd9aec0b}
HKEY_LOCAL_MACHINE\software\downloadware
HKEY_LOCAL_MACHINE\software\microgaming
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\downloadware
HKEY_LOCAL_MACHINE\software\mlh
HKEY_CLASSES_ROOT\clsid\{eb6afdab-e16d-430b-a5ee-0408a12289dc}
HKEY_CURRENT_USER\software\pagent
HKEY_LOCAL_MACHINE\software\classes\appid\{d6be4255-97c9-4d5c-9801-91dadda92d81}
HKEY_LOCAL_MACHINE\software\classes\btieinscriptconfigproj.btieinscriptconfig
HKEY_LOCAL_MACHINE\software\classes\clsid\{1717a4a5-d63a-4f70-b373-ae4aa46d1236}
HKEY_LOCAL_MACHINE\software\classes\clsid\{26e8361f-bce7-4f75-a347-98c88b418322}
HKEY_LOCAL_MACHINE\software\classes\clsid\{49de8655-4d15-4536-b67c-2aa6c1106740}
HKEY_LOCAL_MACHINE\software\classes\clsid\{9368d063-44be-49b9-bd14-bb9663fd38fc}
HKEY_LOCAL_MACHINE\software\classes\clsid\{b3be5046-8197-48fb-b89f-7c767316d03c}
HKEY_LOCAL_MACHINE\software\classes\clsid\{c6958acd-d866-4349-9f7b-fdb73384f697}
HKEY_LOCAL_MACHINE\software\classes\interface\{26e8361f-bce7-4f75-a347-98c88b418321}
HKEY_LOCAL_MACHINE\software\classes\interface\{5c40012d-44ca-11d7-8411-0002a5f9d08e}
HKEY_LOCAL_MACHINE\software\classes\interface\{c809ee32-c648-459b-9a99-5cb20f61dcfc}
HKEY_LOCAL_MACHINE\software\classes\interface\{dae6416e-491d-11d5-ab93-00d0b760b4eb}
HKEY_LOCAL_MACHINE\software\classes\interface\{eb29cd69-7020-4d1d-a0be-72130dfba9f7}
HKEY_LOCAL_MACHINE\software\classes\typelib\{26e8361f-bce7-4f75-a347-98c88b418328}
HKEY_LOCAL_MACHINE\software\classes\typelib\{963f349d-8b15-4a3b-ac6a-6e1958b21e20}
HKEY_LOCAL_MACHINE\software\classes\typelib\{a8f92c35-530b-4907-922c-ce31d4b6b14a}
HKEY_LOCAL_MACHINE\software\classes\typelib\{d6be4255-97c9-4d5c-9801-91dadda92d81}
HKEY_LOCAL_MACHINE\software\classes\typelib\{dae64161-491d-11d5-ab93-00d0b760b4eb}
HKEY_LOCAL_MACHINE\software\clipgeniep2p
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{eb6afdab-e16d-430b-a5ee-0408a12289dc}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\[%WINDOWS%]\downloaded program files\activeinstall2.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\downloadware engine
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\medialoads installer
HKEY_LOCAL_MACHINE\typelib\{963f349d-8b15-4a3b-ac6a-6e1958b21e20}
HKEY_USERS\.default\software\downloadware
HKEY_USERS\.default\software\webinstall

Registry Values (the listing names the key holding each value but not the value itself; the count after a key is the number of values the listing attributes to it, and several key paths are cut off in the source):
HKEY_LOCAL_MACHINE\hardware\resourcemap\pnp manager\pnpmanager (14 values)
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main (2 values)
HKEY_LOCAL_MACHINE\software\microsoft\rfc1156agent\currentversi (1 value)
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\in (1 value)
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\internet settings\user agent\post platform (2 values)
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run (4 values)
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\sh (4 values)
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls (1 value)
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls\[%WINDOWS%]\downloaded program files (1 value)
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\un (41 values)
HKEY_LOCAL_MACHINE\software\wise solutions\wiseupdate\apps\grok (5 values)
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session man (1 value)
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_ws (8 values)
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\eventlog\a (2 values)
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\kmixer\enu (1 value)
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\para (1 value)
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ws2ifsl\en (3 values)
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ws2ifsl\se (1 value)

Removing DownloadWare:

An up-to-date copy of ExterminateIt should detect and prevent infection from DownloadWare.

If you do not have ExterminateIt and are worried that your computer may be infected, you can run the trial version of ExterminateIt or remove DownloadWare manually.

To remove DownloadWare completely by hand, you need to delete the Windows registry keys and registry values, and the files and folders, associated with DownloadWare.

  1. Use Task Manager to terminate the DownloadWare process.
  2. Delete the original DownloadWare files and folders.
  3. Delete the registry keys and values listed above.
  4. Update your antivirus databases, or buy antivirus software, and perform a full scan of the computer.
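Before deleting anything by hand it helps to confirm which of the artifacts listed above are actually present. The script below is an added example, not code from this page or from ExterminateIt: a read-only audit that checks the listed files, folders and registry keys and flags any Run value pointing into one of the DownloadWare folders. The mapping of [%WINDOWS%], [%SYSTEM%] and [%PROGRAM_FILES%] to environment variables, and the use of the Registry:: provider path for HKEY_CLASSES_ROOT and HKEY_USERS, are assumptions; the registry array holds a representative subset of the keys above and can be extended in the same form.

```powershell
# Added example (not from the page and not ExterminateIt code): a read-only
# audit for the DownloadWare artifacts listed above. It reports what is present
# and deletes nothing, so findings can be reviewed before manual removal.
# Assumptions: [%WINDOWS%] = $env:SystemRoot, [%SYSTEM%] = System32 under it,
# [%PROGRAM_FILES%] = both Program Files roots; HKEY_CLASSES_ROOT and
# HKEY_USERS entries are reached through the Registry:: provider path.
# Run from an elevated PowerShell prompt so HKLM and system folders are readable.

$win = $env:SystemRoot
$sys = Join-Path $env:SystemRoot 'System32'
$pfRoots = @($env:ProgramFiles) + @(${env:ProgramFiles(x86)} | Where-Object { $_ })

# Files named in the listing above.
$files = @("$sys\Gr0ck03.dll") +
    @('20020710', '20020802', '20030720', '20030807', '20031120', '20040624', '20040714' |
        ForEach-Object { "$win\digital signature $($_).htm" }) +
    @("$win\downloaded program files\activeinstall.inf",
      "$win\downloaded program files\conflict.27\activeinstall.inf",
      "$win\downloaded program files\conflict.2\activeinstall.inf")

# Folders named in the listing above, checked under every Program Files root.
$folderNames = 'downloadware', 'kfh', 'medch', 'mlh', 'downloadware engine',
               'movienetworks', 'popcorn.net', 'real-tens'
$folders = foreach ($root in $pfRoots) { foreach ($n in $folderNames) { Join-Path $root $n } }

# Registry keys from the listing above (a representative subset; add the
# remaining CLSID / Interface / TypeLib entries in the same form).
$regKeys = @(
    'HKCU:\software\downloadware',
    'HKCU:\software\medialoads',
    'HKCU:\software\pagent',
    'HKLM:\software\downloadware',
    'HKLM:\software\mlh',
    'HKLM:\software\microgaming',
    'HKLM:\software\clipgeniep2p',
    'HKLM:\software\microsoft\windows\currentversion\uninstall\downloadware',
    'HKLM:\software\microsoft\windows\currentversion\uninstall\downloadware engine',
    'HKLM:\software\microsoft\windows\currentversion\uninstall\medialoads installer',
    'HKLM:\software\classes\clsid\{000007ab-7059-463e-bd44-101a1750d732}',
    'HKLM:\software\classes\clsid\{1717a4a5-d63a-4f70-b373-ae4aa46d1236}',
    'HKLM:\software\classes\typelib\{53f066f0-a4c0-4f46-83eb-2dfd03f938cf}',
    'HKLM:\software\classes\btieinscriptconfigproj.btieinscriptconfig',
    'HKLM:\software\microsoft\code store database\distribution units\{eb6afdab-e16d-430b-a5ee-0408a12289dc}',
    'Registry::HKEY_CLASSES_ROOT\clsid\{eb6afdab-e16d-430b-a5ee-0408a12289dc}',
    'Registry::HKEY_USERS\.DEFAULT\software\downloadware',
    'Registry::HKEY_USERS\.DEFAULT\software\webinstall'
)

function Find-DownloadWareArtifact {
    # Emit one object per artifact that exists; nothing is modified.
    foreach ($p in @($files) + @($folders)) {
        if (Test-Path -LiteralPath $p) {
            [pscustomobject]@{ Kind = 'FileSystem'; Location = $p }
        }
    }
    foreach ($k in $regKeys) {
        if (Test-Path -LiteralPath $k) {
            [pscustomobject]@{ Kind = 'RegistryKey'; Location = $k }
        }
    }
    # The listing names values under HKLM\...\Run but their names are cut off,
    # so flag any Run value whose command line points into a folder above.
    $runKey = 'HKLM:\software\microsoft\windows\currentversion\run'
    if (Test-Path -LiteralPath $runKey) {
        $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
        foreach ($v in (Get-ItemProperty -LiteralPath $runKey).PSObject.Properties) {
            if ($meta -contains $v.Name) { continue }   # provider bookkeeping, not a value
            $data = [string]$v.Value
            foreach ($dir in $folders) {
                if ($data -like "*$dir*") {
                    [pscustomobject]@{ Kind = 'RunValue'; Location = "$runKey\$($v.Name) = $data" }
                    break
                }
            }
        }
    }
}

$hits = @(Find-DownloadWareArtifact)
if ($hits.Count -eq 0) {
    Write-Output 'No DownloadWare artifacts from the listing were found.'
} else {
    $hits | Format-Table -AutoSize
}
```

The output is a table of Kind/Location pairs that can be checked against the lists above before any file or key is deleted; because the script only reads, it is also safe to run again after manual removal to confirm nothing was missed.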

We recommend that all Internet users back up any important information on their computers, enable maximum protection from network attacks and malicious code, and refrain from running suspicious programs received from untrustworthy sources.


ExterminateIt effectively and automatically removes DownloadWare from your computer and is a good solution for those seeking easy and effective protection from Trojan horses, rootkits, backdoors, spyware, botnets, keystroke loggers, dialers and other malicious software (malware).

Download ExterminateIt! to instantly get rid of DownloadWare!
