Fake Google Toolbar Installer
Just came across a poorly detected trojan that creates a folder named Google in the Program Files folder and copies a file named Googletoolbar1.dll into it. This DLL is registered as a BHO in Internet Explorer. Googletoolbar1.dll is actually a fake file, and is detected as W32/Horst.gen25 by a few AVs. The trojan dropper is named roin.exe and is detected by some AVs as Trojan-Dropper.Win32.Small.ayo or W32/Horst.gen25.dropper.
Files dropped by roin.exe are:
CTFRMON.EXE
kd678.exe
temp77726.exe
googletoolbar1.dll
exsetup.mcd
bipsetup.mcd
iexplore_32.exe
spoolw.exe
igfxsvc.exe
imfe.exe
The following HijackThis log extract shows the trojan's BHO and startup files:
O2 - BHO: Google Toolbar Helper - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\googletoolbar1.dll
O4 - HKLM\..\Run: [crtfmon] C:\WINDOWS\CTFRMON.EXE
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - Startup: imfe.exe
More information about this trojan can be found here.
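
A triage sketch for the log extract above, as an added example that is not part of the original post: it parses HijackThis O2 and O4 lines and flags entries whose file name appears in the dropped-file list. The function names and the benign `ctfmon` line in the sample are constructed for illustration.

```python
import re

# File names the post lists as dropped by roin.exe, lower-cased for matching.
DROPPED = {
    "ctfrmon.exe", "kd678.exe", "temp77726.exe", "googletoolbar1.dll",
    "exsetup.mcd", "bipsetup.mcd", "iexplore_32.exe", "spoolw.exe",
    "igfxsvc.exe", "imfe.exe",
}

# HijackThis line shapes seen in the extract: O2 (BHO) and O4 (autostart).
PATTERNS = {
    "bho": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"),
    "run": re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<path>.+)$"),
    "startup": re.compile(r"^O4 - (?:Global )?Startup: (?P<path>.+)$"),
}
# Candidate file names inside a command line (handles quotes and arguments).
FILE_RE = re.compile(r'[^\\/"\s]+\.[A-Za-z0-9]+(?=["\s,]|$)')

# The five lines from the post plus one constructed benign line (ctfmon).
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\googletoolbar1.dll
O4 - HKLM\..\Run: [crtfmon] C:\WINDOWS\CTFRMON.EXE
O4 - HKLM\..\Run: [ctfmon] "C:\WINDOWS\system32\ctfmon.exe" /n
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - Startup: imfe.exe
"""


def parse_line(line):
    """Return a dict for an O2/O4 entry, or None for any other line."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line.strip())
        if m:
            files = [f.lower() for f in FILE_RE.findall(m["path"])]
            return {"type": kind, **m.groupdict(), "files": files}
    return None


def flag_entries(log_text):
    """Return parsed entries that reference a file name from DROPPED."""
    entries = filter(None, map(parse_line, log_text.splitlines()))
    return [dict(e, matched=sorted(DROPPED.intersection(e["files"])))
            for e in entries if DROPPED.intersection(e["files"])]


if __name__ == "__main__":
    for hit in flag_entries(SAMPLE_LOG):
        print(hit["type"], hit["matched"], hit["path"])
```

A file-name match is only a triage hint, since several of these names imitate legitimate Windows binaries; confirm by inspecting the file at the listed path.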















