down1086.exe win7.exe
Last Updated on Monday, 01 February 2010 07:52 (Wednesday, 18 November 2009 14:31)
down1086.exe, win7.exe and p4037f.exe are file names used by some viruses/trojans/worms. They are misleading names: the malware tries to disguise itself as Macromedia Flash Player or as a media player component. It is a small file of 76 kb that can arrive through your browser as a drive-by download.
This installer acts as a trojan downloader: it fetches more malicious files from the internet and installs them on the infected computer.
Legitimate Applications :
The virus creates folders and files named after Macromedia Flash Player, but these folders are in a different location from the legitimate ones. The current Flash Player is called Adobe Flash Player; the legitimate Macromedia-named component on your computer is found at "C:\Windows\System32\Macromed\Flash\Flashplayer.xpt".
Virus Installers:
Installer 1 (see report)
File size: 76 kb
Files and Folders Created by the virus installer:
Folders: (you can delete these folders)
C:\Documents and Settings\[UserName]\Application Data\Macromedia
C:\Documents and Settings\[UserName]\Application Data\Macromedia\Flash Player
C:\Documents and Settings\[UserName]\Application Data\Macromedia\Flash Player\macromedia.com
C:\Documents and Settings\[UserName]\Application Data\Macromedia\Flash Player\macromedia.com\support
C:\Documents and Settings\[UserName]\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer
C:\Documents and Settings\[UserName]\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
C:\Documents and Settings\[UserName]\Application Data\Macromedia\Flash
Files: (you can delete these files)
C:\Documents and Settings\[UserName]\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#globo.com\settings.sol
C:\Documents and Settings\[UserName]\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
C:\Documents and Settings\[UserName]\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML
C:\Windows\System32\down1086.exe
C:\Windows\System32\p4037f.exe
C:\Windows\System32\win7.exe
These two files are downloaded to the default download directory. Delete them.
download1.exe
download2.exe
Tries to download more files from:
vemchegando.net/black/download2.exe
vemchegando.net/black/download1.exe
and several other sites. It also connects to several legitimate sites in order to appear legitimate.
Other Activities
This installer creates registry entries that clearly show its intention to disguise itself as media software. You can find the details of the registry modifications in the report given below. Looking at the registry entries below, it seems that you will be safer if you reinstall Windows Media Player.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{6E47DFCD-32FF-447E-B238-8DCEEB13B879}
HKEY_CURRENT_USER\Software\Microsoft\fXYeIhfV
HKEY_CURRENT_USER\Software\Microsoft\wTSGGpqX
2) Another variation (see report):
C:\Windows\logfile32.txt
C:\Windows\win7.exe
%Temp%\tmp1.tmp
%Temp%\tmp2.tmp
%Temp%\tmp3.tmp
%Temp%\tmp4.tmp
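The indicator lists above can be checked in one pass. The following PowerShell script is an added example, not part of the original article or of the ThreatExpert reports it refers to. It takes the file paths and registry keys listed for both installer variants, resolves [UserName] and %Temp% for the current account, and reports which are present without deleting anything. One caveat a practitioner would want: the settings.sol paths and the MediaPlayer and Code Store Database keys also exist on clean machines that have Flash Player, Windows Media Player and Internet Explorer installed, so treat those as weak evidence; the executables in System32 and the two randomly named keys under HKCU\Software\Microsoft are the clearer signs.

```powershell
# Added example: report-only inventory of the indicators listed in this article.
# Runs in Windows PowerShell; it deletes nothing.

$sys32   = Join-Path $env:SystemRoot 'System32'
$appData = $env:APPDATA   # "...\Application Data" on XP, "...\AppData\Roaming" on Vista and later
$flash   = Join-Path $appData 'Macromedia\Flash Player\macromedia.com\support\flashplayer\sys'

# File indicators from both installer variants.
$filePaths = @(
    (Join-Path $sys32 'down1086.exe'),
    (Join-Path $sys32 'p4037f.exe'),
    (Join-Path $sys32 'win7.exe'),
    (Join-Path $env:SystemRoot 'win7.exe'),
    (Join-Path $env:SystemRoot 'logfile32.txt'),
    (Join-Path $flash '#globo.com\settings.sol'),   # also written by a legitimate Flash Player
    (Join-Path $flash 'settings.sol'),              # also written by a legitimate Flash Player
    (Join-Path $appData 'Microsoft\Windows Media\9.0\WMSDKNSD.XML'),
    (Join-Path $env:TEMP 'tmp1.tmp'),
    (Join-Path $env:TEMP 'tmp2.tmp'),
    (Join-Path $env:TEMP 'tmp3.tmp'),
    (Join-Path $env:TEMP 'tmp4.tmp')
)

# Registry indicators. The two random-looking key names are the strongest signs;
# the MediaPlayer and Code Store Database keys also exist on clean systems.
$regKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Code Store Database',
    'HKCU:\Software\Microsoft\MediaPlayer\Preferences\ProxySettings',
    'HKCU:\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP',
    'HKCU:\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS',
    'HKCU:\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP',
    'HKCU:\Software\Microsoft\MediaPlayer\Health',
    'HKCU:\Software\Microsoft\MediaPlayer\Health\{6E47DFCD-32FF-447E-B238-8DCEEB13B879}',
    'HKCU:\Software\Microsoft\fXYeIhfV',
    'HKCU:\Software\Microsoft\wTSGGpqX'
)

function Get-IndicatorStatus {
    foreach ($p in $filePaths) {
        # -LiteralPath so that '#' and '{' in the paths are not treated as wildcards.
        $present = Test-Path -LiteralPath $p -PathType Leaf
        $size = if ($present) { (Get-Item -LiteralPath $p -Force).Length } else { $null }
        [PSCustomObject]@{ Kind = 'File'; Path = $p; Present = $present; Bytes = $size }
    }
    foreach ($k in $regKeys) {
        [PSCustomObject]@{ Kind = 'RegKey'; Path = $k; Present = (Test-Path -LiteralPath $k); Bytes = $null }
    }
}

$status = @(Get-IndicatorStatus)
$status | Format-Table -AutoSize
'{0} of {1} indicators present' -f @($status | Where-Object { $_.Present }).Count, $status.Count
```

The Bytes column lets you compare a found executable against the 76 kb size given above; a file in System32 with one of these names but a very different size still deserves a look, since the name alone is what the malware relies on.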
Removal Steps:
Can I get rid of it by just doing a system restore?
Trying system restore
If you know roughly when your computer became infected, you can try restoring it to an earlier date; that can work like a miracle in removing the infection.
Using system restore in windows XP
Using system restore in windows Vista
Are there any free tools available?
You could try to clean your computer with any antivirus program installed on it, or try an online scan, which can be equally helpful. I have listed some tools. I do not know which of them is effective against the current threat.
- Free tools for windows XP
- Free tools for windows Vista
These are the steps to take if you want to remove the infected files manually.
Use of Internet Explorer
The malware infects Internet Explorer, so use another browser such as Firefox, at least while you are removing the virus. It is safer to reinstall Internet Explorer afterwards to get rid of the infected files.
Boot in safe mode
Sometimes you will not be able to delete a file even after you find it; in that case boot into safe mode and then try to delete it.
How to boot in safe in windows XP
How to boot in safe mode in windows Vista
Remove Processes from Task Manager
Press Ctrl+Shift+Esc to open Task Manager. Look through the list of processes for down1086.exe, win7.exe, p4037f.exe and the other files mentioned above. Select each one and press the End Process button, confirm that you want to terminate the process, and close Task Manager.
Alternatively, you can use Windows Defender to see the path and publisher of a currently running program/process, which helps to tell malware processes apart from processes belonging to legitimate publishers. Such processes are usually listed under Unknown Publisher in Windows Defender.
How to use Windows Defender in windows XP
How to use Windows Defender in windows Vista
Or you can use Sysinternals' Process Explorer for easy detection and removal of virus processes.
- How to use Sysinternals' Process Explorer
Removing entry from windows startup
The System Configuration utility can be started in XP and in Vista by typing msconfig in the Run box (XP: Start > Run) or in the Start menu search box (Vista). Changes to Windows startup are reversible, so you can check or uncheck any startup entry as many times as you like.
Once the System Configuration window is open, click the Startup tab, which lists all the programs scheduled to start with Windows. Widen the middle column with your mouse pointer so that you can see the full path of each program. Locate and uncheck down1086.exe, win7.exe, p4037f.exe and any other names mentioned above. Press Apply, then Close/OK, and select "do not restart" at the next prompt.
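The Task Manager and msconfig steps above can be checked from a PowerShell prompt before anything is ended or unchecked. This script is an added example (not from the original article); it lists running processes whose image name matches the names given in this article, together with their path and company, and lists startup entries (the Run/RunOnce keys and Startup folders, which is what msconfig's Startup tab shows) whose command references any of those names. It only reports.

```powershell
# Added example: find running processes and startup entries that match the
# names given in this article. Report-only; nothing is terminated or unchecked.

$suspectNames = @('down1086.exe', 'win7.exe', 'p4037f.exe', 'download1.exe', 'download2.exe')

function Get-SuspectProcess {
    # Get-Process reports the image name without its extension.
    $stems = $suspectNames | ForEach-Object { [System.IO.Path]::GetFileNameWithoutExtension($_) }
    Get-Process | Where-Object { $stems -contains $_.ProcessName } |
        Select-Object Id, ProcessName, Path, Company   # Path/Company are empty if access is denied
}

function Get-SuspectStartup {
    # On PowerShell 2 (Windows XP) replace Get-CimInstance with Get-WmiObject; the class is the same.
    Get-CimInstance -ClassName Win32_StartupCommand | Where-Object {
        $cmd = $_.Command
        @($suspectNames | Where-Object { $cmd -match [regex]::Escape($_) }).Count -gt 0
    } | Select-Object Name, Location, Command, User
}

'Matching processes:'
Get-SuspectProcess | Format-Table -AutoSize
'Matching startup entries:'
Get-SuspectStartup | Format-Table -AutoSize
```

The Path column is the useful one: a process named like a media player component but running from System32, %TEMP% or a user profile, with no company name, is what the Windows Defender and Process Explorer steps above are trying to surface.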
Windows Services
(find out whether Security Center has been disabled)
While still in the System Configuration utility, select the Services tab. Locate the service named Security Center. If it is turned off, that is, unchecked, check it to turn it on; if it is running, leave it as it is.
Also look for "Error Reporting Service"; if it is unchecked, check it. Then press Apply, press OK/Close and select "Restart the computer" at the next prompt.
View Hidden Files
Before you can delete down1086.exe, win7.exe and their associated files you need to search for them, and before doing that you need to enable viewing of hidden files and folders.
How to Enable to View Hidden Files and Folders in Windows XP
How to Enable to View Hidden Files and Folders in Windows Vista
Deleting files
After restarting the computer, use the Windows search utility to search for down1086.exe, win7.exe, p4037f.exe and the other files mentioned above. Delete every copy found on the computer's hard disk.
Run CCleaner
After deleting down1086.exe, win7.exe and their associated files, there will be leftover entries in the Windows registry. CCleaner is a free temp-file/registry cleaner that will clean the registry to some extent and remove the temp files automatically.
Edit Registry
You need to remove the virus's registry entries by manually editing the Windows registry. You can see the registry modifications in the ThreatExpert reports mentioned above.
How to edit registry in windows XP
How to edit registry in windows Vista
What if I have other problems?
If you are unable to find and delete its files as described in this article, try a memory scan with your antivirus application, and also schedule a boot-time scan so that the infected files are found and deleted before Windows fully starts. Most antivirus applications can do a memory scan as well as a scheduled boot scan.
If you are unable to open Task Manager, Registry Editor, System Restore, Folder Options, etc.
If the virus has disabled them, there are free tools and techniques to solve this problem. They are listed here.
Tools for Windows XP
Tools for Windows Vista
Use the System File Checker
Run it if you want to make sure that the Windows system files have not been altered by the virus, and to repair them if they have.
How to run System File checker utility in windows XP
How to run System File checker utility in windows Vista
Unable to access security-related sites, or sites being redirected
Open the hosts file at C:\WINDOWS\system32\drivers\etc\hosts
Remove anything other than 127.0.0.1 localhost, then save and close the file.
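Before editing the hosts file by hand, it helps to see exactly which entries are non-standard. The script below is an added example, not from the original article: it reads the hosts file, ignores comments and blank lines, and prints every entry other than the 127.0.0.1 localhost (and IPv6 ::1 localhost) lines. Entries that point security vendor or update domains at 127.0.0.1 or at some other address are the typical way malware blocks or redirects those sites. It only reports; you still edit the file as Administrator.

```powershell
# Added example: list hosts-file entries other than the standard localhost lines.
# Report-only; review the output, then edit the file by hand as Administrator.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-NonDefaultHostsEntry {
    param([string]$Path = $hostsPath)
    Get-Content -LiteralPath $Path | ForEach-Object {
        # Strip trailing comments and whitespace; skip blank or comment-only lines.
        $line = ($_ -replace '#.*$', '').Trim()
        if (-not $line) { return }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { return }
        [PSCustomObject]@{
            Address = $fields[0]
            Names   = ($fields[1..($fields.Count - 1)] -join ' ')
        }
    } | Where-Object {
        # 127.0.0.1 localhost and ::1 localhost are the only entries a clean file needs.
        -not ($_.Names -eq 'localhost' -and ($_.Address -eq '127.0.0.1' -or $_.Address -eq '::1'))
    }
}

$entries = @(Get-NonDefaultHostsEntry)
if ($entries.Count -eq 0) {
    'hosts file contains only the default localhost entries'
} else {
    $entries | Format-Table -AutoSize
}
```

On Vista and later the default hosts file may have the localhost lines commented out altogether, because name resolution handles localhost itself; an empty result is therefore normal on a clean machine.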
Using Firewall
Check your firewall for any suspicious communication from your computer to the internet and block it.
Nothing seems to work for me, what should I do?
Sometimes the virus infects your computer so badly that it becomes practically impossible to clean it. In that case you should reinstall Windows on your computer; there is no better alternative. You need to copy or back up whatever is of any importance to you, using a CD/DVD writer, an external hard disk or a pen drive. If your computer is not responding at all, you can take out the hard disk, connect it as an external hard disk or as a slave disk to another computer, and copy the data from there. Of course you will need help from someone to do all that if you can't do it yourself, but I am explaining all the options you have. It is best to copy all the data off the hard disk, then delete all the partitions and repartition the disk, so that there is no chance of any trace of the virus remaining.
Is there anything I can do so that I don't get into this situation again?
You can take several precautionary measures so that such a thing never (hopefully) happens to you again. I have found some simple steps that will help you to a great extent.
1) You need to have a functioning antivirus, antispyware and a firewall, free or commercial. Please see the link elsewhere in this article for the list of freeware applications.
2) Use the Firefox browser. It is safer than other browsers. You will need to install some browser plugins for better safety, for example WOT, a site advisor plugin from mywot.com, and NoScript, a browser plugin that blocks JavaScript on sites and allows it only where you choose.
3) Use CCleaner - it is a freeware temp files and registry cleaner. Set it so that it runs every time you start windows. That will save you the efforts to run it manually. It is your choice, you can either run it at the end of your browsing session, or before closing the computer.
My computer is infected, is there anything I should be worried about?
Yes, you should be concerned about the safety of your online accounts. If your computer is infected and you have been accessing internet by logging into your mail or banking accounts, I would advise you to change the passwords of your accounts so that they are not misused even if they are stolen by the trojan or the keylogger that might be present on your computer. Also take any additional steps as advised by your banking service, or any online service that you may be using. Use an uninfected computer for that purpose.
Reprinted with permission from ThreatExpert.com
