Trojan.Starter.IM
My computer was infected by Trojan.Starter.IM. Bitdefender has failed to disinfect or quarantine it. Can any kind souls out there help?
Comments
My recent "Full System Scan" has suddenly started detecting Trojan.Starter.IM on two system files. This had never been detected in prior scans. I believe that it is a false positive.
The files are:
C:\i386\rsm.exe
c:\windows\system32\rsm.exe
This detection is only occurring on my WinXP Media Center Edition machine. I have earlier versions of the same files on my WinXP Home Edition machine and the virus is the version of the files on that machine.
In contrast to system files getting quarantined under WinXP Home, when the rsm.exe files got quarantined in WinXP Media Center Edition, the O/S has raised a fit and now wants to restore them from the original operating system CD, which just gives me something else to do in order to clean up this mess.
Any help in resolving this is appreciated.
I have exactly the same results as you on the same files. Ran a Symantec scan via their web site and all clear. I agree that this has all the hallmarks of a false positive.
Additionally, I get a message that some Windows files have been replaced, and to run a System File Check. Did that with the Windows CD (via sfc /scannow) and all went through fine. However, subsequent scans with BD still show the same result.
I'm currently in the same boat. My "infected" files show as C:\windows\system32\rsm.exe and C:\windows\system32\dllcache\rsm.exe. These did get quarantined though. I'm also getting the prompt that some files have been replaced and they need to be restored from the Windows XP CD-ROM. The problem is, XP came pre-installed on my PC and I was never given the original copy.
Is it safe to assume the files the message is referring to is rsm.exe? Can I just restore these from quarantine and not worry about it?
Edit: Also, what the heck is Trojan.Starter.IM? I can't find anything about it. Does BitDefender make these things up?
All clear suddenly after deleting the aforementioned files from BD quarantine, running the aforementioned Symantec scan, reboot and scan again. Twice had a clear scan now. Don't know if this was a false positive or not, but must have been, as you guys had the same.
The problem I've run into is that when I run the System File Checker, for some reason it eventually asks for the Windows XP Professional CD2 media. I have Windows Media Center Edition. So, thus far, I have been unable to restore the files using the SFC. Luckily, it appears that these files have not been modified by any hotfixes, so I may be able to copy the rsm.exe file from my XP Home machine to the DLLCache folder and go from there.
When I restored it (rsm.exe) from quarantine and checked the properties, it had changed the original file timestamp and also displays the properties as though it is a DOS command file, which is why I went back to the OS installation disk to try to recover the file.
I think I am going to have to take advice I saw in another thread and change the action taken on infected files to "Ask" instead of "Disinfect" and then "Quarantine". I'm seeing far too many false positives with BD AV10 and I can't be constantly spending my time dealing with restoring from the O/S installation media. If the restore from quarantine simply put the file back without corrupting it somehow, it wouldn't be quite so bad. I guess I'm going to have to babysit this thing whenever I do Full or Deep System Scans in the future.
How come I'm not seeing the option to "Ask"? I only see "Deny Access", "Disinfect", "Delete", or "Move to Quarantine".
You're looking at the option for the Real-time Scanning (Antivirus > Shield > Protection Level).
I was referring to the options under the System and User Tasks. (Antivirus > Scan > Deep/Full/Quick/etc System Scan > Scan Level).
I will probably actually choose none since I run these tasks in the wee hours, unattended, and would be there to answer the prompts. I'll just check the logs in the morning and take the appropriate actions.
Ok, thanks.
Well, I went ahead and restored rsm.exe from Quarantine. It did update the timestamp to today but still shows as an application file. Almost immediately, a warning popped up saying that rsm.exe was infected but the virus was blocked. I then rebooted and did a quick scan which identified rsm.exe as being infected the first time around. This time it came up clean.
Do I need to worry about the updated timestamp and the fact that I didn't restore the file from the original Windows XP CD-ROM as I was prompted to do?
I have the same problem.
BDV10 detected and blocked Trojan.Starter.IM today 29Apr2007
XP also asked to insert the OS CD.
XP is preinstalled so had to ignore the OS recommendation.
A system check with AGV free antivirus scan highlighted:
Windows\system32\kernel32.dll
Windows\system32\user32.dll
Windows\system32]intokrnl.exe
But the AVG scan report came up clean (even though it highlighted the files).
I wonder has anyone tried to get a clean OS file downloaded from the Microsoft site so it can be reinstalled on the PC.
Also does anyone know of web sites that might be the source of virus. It would be nice to know which sites to avoid, or BD could black list these.
I have found free AVG a good tool to complement BD, since AVG came up clean I think we are ok.
I have had another Trojan virus not so long ago. BD online chat support helped me to resolve this quite quickly. All I needed to do was clear the Firefox cache.
Hello to all
You can all temporarily try this before the signatures are removed. Open BitDefender, go to Antivirus, Shield, Adjusted Level, "Don't scan this path" on all levels, and now add the files or folders that BitDefender detects as infected to the exclusion list. To do that for an on-demand scan: right-click on the type of scan you want to execute, choose Properties, Scan Path, choose Add File and browse to the location of these files. After you have done that, uncheck the items or folders you have added. For further assistance you all have to wait till someone from BitDefender answers.
Regards
Niels
Thanks so much guys, think we have to live with it for the time being, so long as it doesn't create havoc. However, since this virus was detected by BD, I started to experience difficulties in accessing some websites. Am I paranoid?
Hi PEWE
Strange, which websites can't you visit any more? Have you enabled privacy control? To verify that, open BitDefender and go to Antispyware, Adjusted Level, and uncheck Privacy Control. Then go to Antivirus, Shield, Adjusted Level and uncheck Scanning HTTP Traffic and confirm by pressing OK. I think that you will receive an answer tomorrow from one of the virus researchers.
That was gladly done.
Regards
Niels
Niels,
For the on-demand scanning, I had tried adding the folder to the list and then unchecking it, but the folder still scanned anyway. (If you may recall, I had a similar thread about exclusions on the bitdforum.com site.) It just doesn't appear to be possible to do individual folder and/or file exclusions in on-demand scanning. The only type of exclusion seems to be by file extension.
Gary
Hi Gary
The best thing is that you post that suggestion in the feature request subforum. I thought that it was that easy. You could also try to change the scan level, but I don't think that it will work, because programs will still be scanned and also the "so-called" infected files.
Regards
Niels
Dear Niels,
Thanks for your prompt reply. Yes, 'privacy control' and 'scanning http-traffic' were unchecked all the while.
I am not sure if this is a coincidence or merely due to my lack of understanding of how BD works (I have to admit that I'm not very computer-savvy in the first place). Ever since my laptop was infected with 'Trojan.Starter.IM', several websites started to show 'error on page', one of them is 'www.tapuz.co.il'. However, my PC which is clean has no such problems.
Dear PEWE
I suggest that you try the following:
If you can, download HostsXpert: http://www.funkytoad.com/download/HostsXpert.zip Unzip it and run it. Now press "Make Writeable?". After that, press "Restore MS Hosts File". Confirm the message, then press "Make Readonly?". Normally you won't see any more error messages while browsing the internet.
Regards
Niels
Trojan.Starter.IM was a false alarm; it has been fixed. It shouldn't be related though to visiting websites, so it may be a coincidence.
Hi Vlad
He must somehow have got infected with something, because otherwise he would not be redirected to other websites or see such error messages. That is the most common behaviour of a browser hijacker or other malware. That's my personal opinion. You are more knowledgeable than me.
Regards
Niels
I've never said there was no infection; I just said Trojan.Starter.IM is unlikely to be related to the infection, if it exists.
Ok. Sorry, then I have misread your previous post.
Regards
Niels
Thanks Niels. I got a message, 'C:\windows\system32\Drivers\ETC\Hosts could not be created', at the end. I am now in contact with the respective webmasters and hope that they could be of any help. Thanks so much.
Hi PEWE
That was gladly done. You can also manually edit the hosts file by navigating to C:\windows\system32\Drivers\ETC\Hosts. Right-click on hosts and choose Open (with) for WordPad. Normally you should not find sites you trust listed after 127.0.0.1. If you see any other address than 127.0.0.1 followed by a website, that is definitely malware, because you will always be redirected to that website. For example, you type google.com in your browser, but because of the other address you will land on a malicious website or a commercial website. If you see such a line, delete it. Don't forget to save the file.
Regards
Niels
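The manual hosts-file inspection Niels describes, written out as a small checker (added example, not code from this thread or from BitDefender). It parses a constructed sample in the Windows hosts format and reports every hostname that is either pinned to a sinkhole address (127.x / ::1 / 0.0.0.0, which would block a site you trust) or redirected to a routable address (the hijack case); treating 0.0.0.0 as a sinkhole is this example's assumption, based on its common use in blocklist-style hosts files.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample resembling a Windows hosts file; not a real capture.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-tracker.invalid    # blocklist-style entry
203.0.113.7     www.google.com  google.com     # hijack: real site sent elsewhere
127.0.0.1       update.example-av.invalid      # trusted vendor site pinned to loopback
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) per entry, ignoring blank lines and # comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries


def classify(address: str) -> str:
    """'blocked' for loopback/0.0.0.0 sinkholes, 'redirect' for any routable address."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"  # not an IP at all; worth a look but not a known sinkhole
    return "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirect"


def suspicious_entries(text: str) -> List[Tuple[str, str, str]]:
    """Every (hostname, address, kind) except the stock localhost lines.

    A 'redirect' means typing that hostname lands on the address an attacker chose;
    a 'blocked' entry for a site you trust means you will never reach it."""
    flagged = []
    for address, names in parse_hosts(text):
        kind = classify(address)
        for name in names:
            if kind == "blocked" and name.lower() == "localhost":
                continue  # the normal loopback entries shipped with Windows
            flagged.append((name, address, kind))
    return flagged


if __name__ == "__main__":
    for name, address, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind:9} {name:32} -> {address}")
```

Run it against the real file by reading C:\windows\system32\Drivers\ETC\Hosts instead of the sample; any 'redirect' line for a site you did not add yourself is the hijack pattern described above.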