Trojan Keeps Reappearing

Greetz....


I'm running Windows XP SP3 and BD Total Security 2009. Every time I run a scan, BD "deletes" a file called "backdoor.sinowal.CB" that it says is located in the D:\ Master Boot Record. I only have one physical and logical drive C:\ and my D:\ is my CD/RW drive. I've tried using Prevx, which finds no rootkits. I've OVERWRITTEN my Master Boot Record with MBRFIX.EXE, an MBR utility. Even after I did this and I run the BD scan, it shows up AGAIN, is deleted by BD AGAIN, but it keeps reappearing. I'm about ready to just simply wipe my ENTIRE hard drive clean and reinstall everything, but I figured I'd run this by the experts here.


My computer DOES have that hidden partition that contains the factory XP stuff from Lenovo, so I guess there are really TWO logical partitions, but the one is hidden in case of system restore needs. I'm thinking the virus is possibly in that area? But if it's hidden, why would it keep reappearing?


Yes, I have turned OFF System Restore on all drives to no avail.


Thanks for any input.


Hap

Comments

  • Hello Hap,


    Please make a Deep Scan of your system (make sure you fully update BitDefender before) and after it completes, post the scan log here.


    Also, please download this tool: BitDefender AVIS, unzip it in an empty folder, and run AVIS.exe. Then go to System info and create a complete report:




    When the report is generated, send it to me through PM so I can take a look at it.


    Please don't change the options for the log generation.


    Also, please don't make a system scan with AVIS. Its engine is only based on high heuristic scanning and it has a very high false positive rate. It's not recommended to be used for scanning unless specifically told to do so.


    Cris.

  • Hi, Cris. Thanks for the response.


    As you requested, please check your PM for the .XMLs from the Avis.exe run and the Deep System Scan run. The forum wouldn't let me post the Deep System Scan results. It said the post was too long.


    Cheers.... Hap

  • How can I send an attachment through a PM when the option for attachments isn't visible?


    Here's the Deep System Scan attachment. Should I post the Avis report here, too, then?


    Hap


  • alexcrist (edited May 2009)

    The attachment section is working in PM:




    However, ZIP files are forbidden to be attached on the forum (posts or PMs). So please upload the AVIS archive on a file-sharing server and send me the download link through PM.


    Details about file-sharing servers:


    http://forum.bitdefender.com/index.php?s=&...post&p=1223


    Cris.

  • scan pc in safe mode.

  • scan pc in safe mode.


    I did. Same results.

  • Thinking more and more this is a false positive, as other AV scanners and rootkit detectors find nothing and Prevx finds nothing.


    H

  • Hapster, I didn't notice before, but you said that you have an MBR trojan on your CD drive? Do you have a disc inserted in that drive? Because if you do, BitDefender will not be able to clean it. Nothing can overwrite files written on optical discs...not even malware. And this might be the only logical explanation why the same infection appears over and over again.


    Cris.

  • Cris,


    The trojan is reported to be on my D: drive's Master Boot Record; however, I don't have a disk in there and BD is not scanning that drive physically. In fact, I've even changed the drive letter to F: for the CD drive and BD is still reporting this trojan in the D: Master Boot Record.


    H



  • OK, I need to know a few things, so I can forward them to the analysis department (because boot record malware is kinda out of my hands...):


    - what type of scan do you run when this detection appears


    - how does BitDefender "see" the D partition? For this, go to BitDefender Security Center (Advanced mode) -> Antivirus -> Virus scan, right click on a User task (by default, you only have "My Documents"... if you removed that task, click New task), and choose the Paths tab. There, see what type of icon the D partition has.


    - Open Disk Management (Start -> Control Panel -> Administrative Tools -> Computer Management, and select Storage/Disk Management) and see if the hidden partition you spoke about is mounted anywhere, and if it has any letter assigned.


    Cris.
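    The checks Cris asks for above come down to one question: what is really in sector 0 of the disk, and is it changing between scans, or is the scanner flagging the same bytes every time? As an added example (not from this thread, and not BitDefender's own code), the Python below parses a 512-byte MBR, lists the partition entries while flagging "hidden" type IDs (0x12 is the ID IBM/Lenovo used for the hidden service/recovery partition Hap mentions), and hashes the boot code so two reads taken before and after a scan can be compared; the type-ID table and the sample MBR bytes are constructed for the example.

```python
import hashlib
import struct

SECTOR = 512
# Partition-type IDs worth recognising here (constructed subset of the usual table);
# 0x12 is the ID IBM/Lenovo used for the hidden service/recovery partition.
PART_TYPES = {0x07: "NTFS/HPFS", 0x0C: "FAT32 LBA",
              0x12: "hidden recovery (IBM/Lenovo service)",
              0x1B: "hidden FAT32", 0x1C: "hidden FAT32 LBA",
              0x27: "hidden NTFS (WinRE)"}
HIDDEN_TYPES = {0x12, 0x1B, 0x1C, 0x27}
ENTRY_FMT = "<B3xB3xII"  # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

def parse_mbr(mbr: bytes) -> dict:
    """Return the boot-code hash, signature check and the non-empty partition entries.

    Hash sector 0 before and after a scan: an unchanged boot-code hash means the
    scanner keeps flagging the same bytes, not that the sector is being rewritten.
    """
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown"),
                      "hidden": ptype in HIDDEN_TYPES,
                      "start_lba": start, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(mbr[:446]).hexdigest(),
            "valid_signature": mbr[510:512] == b"\x55\xaa",
            "partitions": parts}

def read_mbr(device: str) -> bytes:
    # device is a raw disk such as r"\\.\PhysicalDrive0" (needs admin rights) or a disk image file
    with open(device, "rb") as f:
        return f.read(SECTOR)

def build_sample_mbr() -> bytes:
    """Constructed sample: a bootable NTFS partition plus a hidden type-0x12 recovery partition."""
    mbr = bytearray(SECTOR)
    mbr[:446] = b"\xeb\xfe" + b"\x90" * 444  # dummy boot code: jmp $ followed by nops
    struct.pack_into(ENTRY_FMT, mbr, 446, 0x80, 0x07, 63, 150_000_000)
    struct.pack_into(ENTRY_FMT, mbr, 462, 0x00, 0x12, 150_000_063, 6_000_000)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)
```

    Run it against `read_mbr(r"\\.\PhysicalDrive0")` from an elevated prompt once before and once after a BitDefender scan; a partition of a hidden type with no drive letter in Disk Management is exactly the area Hap suspects, and identical hashes across the two reads point at a detection that is not being cleaned rather than a sector that keeps being reinfected.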