WebProWorld
Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.
#1 wenwilder (WebProWorld Veteran, WebProWorld MVP; Nebraska US) - 02-24-2004, 05:14 PM
downloader.turown.A

AVG says I have a virus called Downloader Turow on my computer..... PC-cillin says I don't have any viruses.

A search for Downloader Turown only shows one reference to it (that I could find - Paul? Mik?) ;)

The question is - is it a virus? A glitch? Or just another one of those enigmatic questions that has no single answer like "what is the meaning of life"?
__________________
Forum Rules
"Cat washing IS a martial art."
"Remember Today IS Yesterdays Tomorrow"
#2 ldyguique (WebProWorld Pro; Anchorage AK) - 02-24-2004, 07:19 PM
Downloader "trojans"

Wen, you do appear to have caught something in a family of semi-trojans -- programs that get onto your machine and then attempt to download the actual trojan. Here are the descriptions from both viruslibrary.com and F-Secure. I didn't find much at all about "turow;" however, you may just be on the early wave. Oddly enough, the AVG site didn't have anything about downloader.trojan in its knowledge base.

Trojan.Downloader

These kinds of programs are not "Trojans" by themselves, but they are intended to deploy Trojan programs to a victim's computer.

The "TrojanDownloader" programs contain information about names and locations of malware programs to download and install. This information is usually stored as an encrypted block of data at the end of a "TrojanDropper" file.

These programs can be used to install and download newer versions of malware software, or install several Trojan programs without user permission.

Last Modified: September 24, 2003

********

NAME: Trojan Downloader
ALIAS: TrojanDownloader

Trojan downloader is usually a standalone program that attempts to hiddenly download and run other files from remote web and ftp sites. Usually trojan downloaders download different trojans and backdoors and activate them on an affected system without user's approval. Trojan downloader, when run, usually installs itself to system and waits until Internet connection becomes available. After that it attempts to connect to a web or ftp site, download specific file or files and run them.

Most famous trojan downloaders: Aphex, Dlder, Small, WebDL.

[Description: F-Secure Anti-Virus Research Team; F-Secure Corp.; July 14th, 2003]
__________________
LdyGuique
#3 paulhiles (WebProWorld 1,000+ Club; UK) - 02-24-2004, 07:29 PM

I did a similar lookup... covering www.grisoft.com (the makers of AVG), symantec.com, McAfee, etc.. but came up with nothing... other than if it's being reported as a 'downloader' type virus, then it's going to be a trojan, and could potentially be harmful.

Don't suppose you could do a copy 'n' paste of the warning, could you? I noticed there were some variations in your original post. Do we have the name correct? i.e. downloader.Turow

Paul
#4 wenwilder - 02-24-2004, 07:49 PM

It's downloader.turown.A. I couldn't see the whole file name until I actually tried to. :( Some days I am truly blonde. lol

Thanks for all the info ldy and paul..... my next question... how do I get rid of it?
#5 paulhiles - 02-24-2004, 08:40 PM

Hmm.. I suspected as much! ;o) At least we now get some results on searching! A number of forums have reports of this problem. I'll post a couple links here:
http://www.computercops.net/postt17808.html
http://cybertechhelp.com/forums/showthread.php?t=30363

As for treatment, if AVG can't 'clean' the infected files, then you need further help (in the software department!). To be honest, ldyguique is probably the best equipped at helping you with this... I don't want to suggest a course of action that may do more harm than good! :o) Though I would recommend downloading and installing Spybot Search & Destroy.. it may give you that extra bit of muscle your PC needs right now!

Have you tried PM'ing other members? I can't be the only one still awake surely! :o)

Paul
#6 ronniethedodger (WebProWorld 1,000+ Club; Central US) - 02-24-2004, 09:32 PM

Wen - All I have seen so far is the fact that AVG has identified a file having the Turown virus. What else is it saying?

You have not mentioned the status of the infected file, nor the name of the actual file. Does AVG have the infected file in Quarantine perhaps? And that is why PC-cillin is not reporting anything.

If you could give us the path/filename and what the status of the file is, then we might be able to tell you how to proceed from there. I suspect that AVG has the file under quarantine and it is tucked away for safekeeping.... but before you delete the file (and make sure it is not left behind in the recycle bin) it would be nice to know the path and filename. This might give us a hint on how the virus entered your computer in the first place.
#7 ldyguique - 02-24-2004, 09:39 PM

Anything that I know about this particular piece of malware, I've learned on the Computer Cops thread. And, she does claim that she's fixed at the end.
#8 wenwilder - 02-24-2004, 10:45 PM

AVG says it can't be fixed :( And it can't quarantine it....... so as far as I know it's still there.

hmmm file path....

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader
C:\Documents and Settings\Wendy Wilder\NTUSER.DAT
C:\Documents and Settings\Wendy Wilder\ntuser.dat.LOG
C:\Documents and Settings\Wendy Wilder\Local Settings\Application Data\Microsoft\Windows\usrclass.dat
C:\Documents and Settings\Wendy Wilder\Local Settings\Application Data\Microsoft\Windows\usrclass.dat.log
C:\Documents and Settings\Wendy Wilder\Local Settings\Temp\ACRB44.TMP
C:\Documents and Settings\Wendy Wilder\Local Settings\Temp\ACRB4A.tmp
C:\Documents and Settings\Wendy Wilder\Local Settings\Temp\ACRBE5.TMP

Does that help any? ;)
#9 wenwilder - 02-24-2004, 11:15 PM

Sometimes I am such a blonde!

If you remove the file setup_td.exe you remove the virus/problem. Another scan with AVG showed no virus... no bad files, etc. It helps when your mind works..... I'm still waiting for mine too though ;)

Just for fun I ran Spybot and Ad-Aware along with AVG. Never hurts to check and check again. ;)

Thank you ALL for the help, support and quick responses. ;) Don't know what I'd do without y'all.
#10 ronniethedodger - 02-24-2004, 11:58 PM

setup_td.exe is a pestware or adware called TurboDownload. It delivers ads that may or may not be targeted, but are "injected" and/or popup, and are not merely displayed within the form of an ad-sponsored application.

Did Spybot or Ad-Aware report any more files? There should be some more in your System32 directory or wherever you have your Windows OS installed. Run it again and see if it reports anything about TurboDownload.

It might be that since you deleted the setup_td.exe file those programs are overlooking some extra files. Look for these two files in the System32 directory just in case:
  • sb.htm
  • sx.htm

Also look for this directory, either in your root Windows installation directory or the System32 directory. If it is there, delete the entire directory and its contents:
  • \iedriver

If you have the above items on your machine, then delete those as well. And now for the nasty, nasty part..... you will also have to delete some entries out of your Windows Registry as well.

Make sure to back up your Registry before doing the next procedure:

Find the following entries in your Registry and delete these as well (remember to back up before doing this):
  • HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{1a00c40b-da85-4aa3-a67f-582d9347eecd}
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1a00c40b-da85-4aa3-a67f-582d9347eecd}
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{bc3bbf86-e4ec-4412-9676-8355468b3b05}
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f20239cb-33dc-4ec6-959e-73edea0fe4d7}
  • HKEY_LOCAL_MACHINE\software\turbodownload

Finally....go to your Recycle bin and either empty it or at least get rid of the files and folders that you deleted previously if they are in there. Especially the setup_td.exe file.

Then reboot your system and write us all back on how well you did. ;0)
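The manual cleanup ronniethedodger describes in post #10 (the two .htm files, the \iedriver directory, the five registry keys, then empty the Recycle Bin) written out as an audit-and-clean script. This is an added example, not code from the thread or from any AV vendor: it assumes a current Windows build with PowerShell 5.1 or later run from an elevated prompt (the original procedure is for Windows XP with regedit), and the file names, directory name and registry key paths are exactly the ones quoted in the post. The -Remove switch, the backup directory and the output wording are my choices. It reports what it finds and only deletes when -Remove is given, keeping a copy of each file and a .reg export of each key before removal.

```powershell
# Added example: audit-and-clean for the TurboDownload indicators listed in post #10.
# Assumes PowerShell 5.1+ on a current Windows host, run from an elevated prompt.
# Run it once without -Remove to see what is present; -Remove deletes after backing up.
[CmdletBinding()]
param(
    [switch]$Remove,
    [string]$BackupDir = (Join-Path $env:TEMP 'turbodownload-backup')   # backup location is an assumption
)

$sys32 = Join-Path $env:SystemRoot 'System32'

# File and directory indicators quoted in the post (both candidate locations for \iedriver).
$files = @(
    (Join-Path $sys32 'sb.htm'),
    (Join-Path $sys32 'sx.htm')
)
$dirs = @(
    (Join-Path $env:SystemRoot 'iedriver'),
    (Join-Path $sys32 'iedriver')
)

# Registry indicators quoted in the post, written as registry-provider paths (HKLM:\).
$regKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1a00c40b-da85-4aa3-a67f-582d9347eecd}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1a00c40b-da85-4aa3-a67f-582d9347eecd}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{bc3bbf86-e4ec-4412-9676-8355468b3b05}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f20239cb-33dc-4ec6-959e-73edea0fe4d7}',
    'HKLM:\SOFTWARE\TurboDownload'
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$found = 0

foreach ($path in ($files + $dirs)) {
    if (Test-Path -LiteralPath $path) {
        $found++
        Write-Host "FOUND   $path"
        if ($Remove) {
            # Keep a copy for later examination (or restore) before deleting.
            Copy-Item -LiteralPath $path -Destination $BackupDir -Recurse -Force
            Remove-Item -LiteralPath $path -Recurse -Force
            Write-Host "REMOVED $path (copy in $BackupDir)"
        }
    }
}

foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) {
        $found++
        Write-Host "FOUND   $key"
        if ($Remove) {
            # reg.exe expects the HKLM\... form, not the provider's HKLM:\ form.
            $native  = $key -replace '^HKLM:\\', 'HKLM\'
            $regFile = Join-Path $BackupDir ([guid]::NewGuid().ToString('N') + '.reg')
            & reg.exe export $native $regFile /y | Out-Null
            Remove-Item -LiteralPath $key -Recurse -Force
            Write-Host "REMOVED $key (exported to $regFile)"
        }
    }
}

if ($found -eq 0) {
    Write-Host 'No TurboDownload indicators found.'
} elseif (-not $Remove) {
    Write-Host "$found indicator(s) found; review them, then re-run with -Remove to delete."
}
```

Read the FOUND lines before running with -Remove: the .reg exports and file copies in the backup directory are the way back if one of the keys turns out to belong to something legitimate. Remove-Item deletes outright rather than through the Recycle Bin, so the post's final "empty the Recycle Bin" step is not needed for anything this script removes. On 64-bit Windows a 32-bit installer's Uninstall entries may live under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall instead of the paths above, so check there as well if the script finds nothing.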
#11 rocky1 (WebProWorld Veteran; North Dakota) - 02-25-2004, 05:19 PM

You sound confident that she'll be able to! Did you see all those blonde comments she made about herself up there?
#12 ronniethedodger - 02-25-2004, 07:04 PM

I am very confident she can do this. I have a lot of faith in her.

But of course....I too can be going through a blonde moment myself right now. ;0)
#13 wenwilder - 02-25-2004, 08:58 PM

Hey now! I only play the part of the ditzy blonde when it works to my advantage ;)

I edited, deleted, checked and re-checked without a problem what-so-ever. Maybe it was the coffee! Oh wait, I didn't have any coffee today! ;)
#14 rocky1 - 02-27-2004, 11:22 PM

Musta been the Jello Hair Mousse!
All times are GMT -4.