Infected: Trojan.patched.t

Hello all. Just newly registered with the forum.


Ok, with the intro out of the way, I got infected with the trojan. I've updated BD with the latest signatures and all but the


//-----------------------------------------------------------------
//
// Product: BitDefender 9 Professional Plus
// Version: 9.5
//
// Created on: 13/07/2007 15:15:22
//
//-----------------------------------------------------------------

Statistics
Scan path : C:\Program Files\Microsoft Small Business
Folders : 33
Files : 581
Archives : 3
Packed files : 42
Identified viruses : 1
Infected files : 1
Warnings : 0
Suspect files : 0
Disinfected files : 0
Deleted files : 0
Copied files : 0
Moved files : 1
Renamed files : 0
I/O errors : 0
Scan time : 00:00:08
Scan speed (files/sec) : 72
Virus definitions : 671990
Scan plugins : 14
Archive plugins : 38
Unpack plugins : 6
Mail plugins : 6
System plugins : 1

Scan options
Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email
File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;
Action
Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user
Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user
Scan options
[X] Enable warnings
[X] Enable heuristics
[X] Show all files in log
[X] Report file: C:\Program Files\Softwin\BitDefender9\Logs\vscan_1184310922.log

Summary:
C:\Program Files\Microsoft Small Business\Business Contact Manager\EnableBCM.exe Infected: Trojan.Patched.T
C:\Program Files\Microsoft Small Business\Business Contact Manager\EnableBCM.exe Disinfection failed
C:\Program Files\Microsoft Small Business\Business Contact Manager\EnableBCM.exe Moved

Scanned files
C:\=>Master Boot Record OK
C:\=>Primary partition 1 OK
C:\=>Primary partition 2 (Active) OK
C:\=>Primary partition 3 OK
[long list of files = all OK]
C:\Program Files\Microsoft Small Business\Business Contact Manager\EnableBCM.exe Infected: Trojan.Patched.T
C:\Program Files\Microsoft Small Business\Business Contact Manager\EnableBCM.exe Disinfection failed
C:\Program Files\Microsoft Small Business\Business Contact Manager\EnableBCM.exe Moved
[long list of files = all OK]


I can't seem to clean it and if the file can't be cleaned, would the function enabled by the file be gone as well?


Another funny thing is that after the blocking alert showed, I ran a full system scan, on all files to boot, but it didn't detect the trojan. The thing only showed up after I focused the scan on the folder. If it helps, I've also sent the file in quarantine to BD labs.


Help!?
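The vscan log above has a fixed layout: a Statistics block of counters, then a Summary block with one line per verdict for each flagged path. As an added example (not part of the original post and not Bitdefender's tooling), this Python parser reads a constructed sample in that layout, reports which flagged files the scanner did not actually remove, and recognises the System Restore Point path form the thread later mentions; the _restore{...} entry is hypothetical and its GUID a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample in the BitDefender 9 vscan log layout quoted above; the
# _restore{...} line is hypothetical (GUID is a placeholder), the rest is the thread's.
SAMPLE_LOG = r"""Statistics
Infected files : 1
Moved files : 1
Summary:
C:\Program Files\Microsoft Small Business\Business Contact Manager\EnableBCM.exe Infected: Trojan.Patched.T
C:\Program Files\Microsoft Small Business\Business Contact Manager\EnableBCM.exe Disinfection failed
C:\Program Files\Microsoft Small Business\Business Contact Manager\EnableBCM.exe Moved
C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP1\A0000001.exe Infected: Trojan.Patched.T
Scanned files
C:\=>Master Boot Record OK
"""

STAT_RE = re.compile(r"^(?P<key>[A-Za-z/ ()]+?)\s*:\s*(?P<val>\d+)$")
RESULT_RE = re.compile(r"^(?P<path>.+?) (?:Infected: (?P<det>\S+)|"
                       r"(?P<action>Disinfection failed|Disinfected|Moved|Deleted))$")
REMOVED = {"Disinfected", "Moved", "Deleted"}  # actions that take the file off its path

def parse_log(text):
    """Return (stats, findings): stats maps counters such as 'Infected files' to ints;
    findings maps each path in the Summary block to its detection and action list."""
    stats, section = {}, None
    findings = defaultdict(lambda: {"detection": None, "actions": []})
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("Statistics", "Summary:", "Scanned files"):
            section = line  # section headers, as they appear in the log
        elif section == "Statistics" and (m := STAT_RE.match(line)):
            stats[m.group("key").strip()] = int(m.group("val"))
        elif section == "Summary:" and (m := RESULT_RE.match(line)):
            entry = findings[m.group("path")]
            if m.group("det"):
                entry["detection"] = m.group("det")
            else:
                entry["actions"].append(m.group("action"))
    return stats, dict(findings)

def still_on_disk(findings):
    """Flagged paths the scanner neither disinfected, moved nor deleted."""
    return [p for p, e in findings.items()
            if e["detection"] and not REMOVED & set(e["actions"])]

def in_restore_point(path):
    """True for a System Restore Point copy, the 'restore...' path the thread mentions."""
    return "\\system volume information\\_restore" in path.lower()
```

Feeding the full log from the post gives the same EnableBCM.exe result (detected, disinfection failed, moved to quarantine), which is why the reply below treats the machine as clean.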

Comments

  • alexcrist (edited July 2007)

    Hi volrath77,


    Looking at your log, I see that the file has been moved to quarantine. That means that the virus is not in your system anymore, but it was moved to a safe location, where it cannot be accessed. In other words, your computer is now clean.


    Looking at the original path where the infected file was (C:\Program Files\Microsoft Small Business\Business Contact Manager\EnableBCM.exe), it comes to my mind that this could be a false positive.


    You said that you sent the file in quarantine to BD Labs. That's good, but you will receive an answer a lot faster if you upload the file on this forum.


    If you still have that file in quarantine, do the following:


    1) disable BD Realtime Protection


    2) restore that file from quarantine (be careful not to open it while BD is disabled!)


    3) put that file in a zip file, protected by the password "infected", and attach it to your next post


    4) enable BD Realtime protection and move (again) that file to quarantine


    If you do this, you'll get an answer a lot faster. If that file is a false positive, the detection will be removed and you will be able to safely restore the file from quarantine.


    Cris.

  • Hi Cris. Thanks for the assist. :)


    Ok, I've followed the steps you've provided and the zip file with password "infected" is attached. The file is back in quarantine.


    Earlier, I've mentioned that it seemed that BD was not able to detect the file in full system scan. However, I tried it again after moving the file into quarantine and it seems that it has jumped into another file. I didn't manage to jot down the info when I stopped BD but I do remember the entry in question having "restore" followed by a string of alphanumeric characters. Kinda looked like a registry entry but I'm not very sure. I'll run a check again tonight.


    Also, with the file in quarantine, every time my Outlook starts, it displays the installation prompt straight away. It still runs after I cancel the installation procedure since I presume enableBCM.exe is only for the Business Contact Manager function and the installation prompt is triggered since Outlook cannot find the file, but I'm kinda worried it would cause damage to other files or loss of emails.


    Thanks again.

    Attachment: EnableBCM.zip

  • alexcrist

    > Earlier, I've mentioned that it seemed that BD was not able to detect the file in full system scan. However, I tried it again after moving the file into quarantine and it seems that it has jumped into another file. I didn't manage to jot down the info when I stopped BD but I do remember the entry in question having "restore" followed by a string of alphanumeric characters. Kinda looked like a registry entry but I'm not very sure. I'll run a check again tonight.


    I don't think that was a registry entry. Instead, I think you saw a path pointing to a file stored in a System Restore Point (Windows keeps some files for backup, in case you want to roll-back some applications).


    This file might have been added by Windows in one of its Restore Points. If I'm correct, those files can't be accessed, so even if it is infected, it doesn't represent a risk (at least for now). I hope I'm not wrong about this.


    > Also, with the file in quarantine, every time my Outlook starts, it displays the installation prompt straight away. It still runs after I cancel the installation procedure since I presume enableBCM.exe is only for the Business Contact Manager function and the installation prompt is triggered since Outlook cannot find the file, but I'm kinda worried it would cause damage to other files or loss of emails.


    As I said, it looks that this file is legit.


    However, there is a chance that it has been infected by a virus. As soon as a Virus Analyst takes a look at the file you attached, he will tell you if it is clean (in which case, you'll be able to restore the file safely), or if the file is really infected (in which case they will offer a full solution to your problem).


    From the application name (Business Contact Manager), I'd say that all it does is to manage your contact list. That means you shouldn't have any problems with your e-mails. I don't use this program, so I might be wrong.


    Just to be sure, you could stop using Outlook for a few days (until you get an official response about this problem). Can you use an alternative way to read your e-mails? Maybe a Web interface? If you don't have such alternatives, you can always make a backup of all your e-mails, just in case something goes wrong (I doubt it, but it doesn't hurt to be prepared ;) ).


    Cris.

  • Cd-MaN

    It was a FP (False Positive) and the detection has been removed.


    Best regards.

  • volrath77 (edited July 2007)

    Thanks Cris, Cd-MaN. You guys are lifesavers. :)


    Can I restore the file back?

  • Yep, you can go to quarantine and safely restore the file back. It doesn't contain any malicious code. You have to go to Antivirus -> Quarantine, select the file and click the "Restore" button. The file will be restored.


    Andrei

  • Awesome! BD updated, file restored and drives rescanned. All clean now.


    Phew. Glad it's all ok now. I was just afraid of unknowingly sending spam or spreading trojans to all in my contact list.


    Thanks again guys.

  • Glad that we could assist you. ;)


    Andrei

  • alexcrist

    You're welcome, volrath77.


    If you have any other problems, just ask ;)


    Cris.