Trojan Found!

My BitDefender has found a suspected trojan. It hasn't deleted or disinfected it, but it has copied it 4 times. It goes into my quarantine folder, where I have deleted it, but it still shows up on every scan I do. It's telling me it's in my Documents and Settings/Owner/Local Settings/Temporary Internet Settings... How do I find it, and is my computer still safe?

Comments

  • rootkit
    rootkit ✭✭✭

    Post a scan log here :)

  • This log might be better, Crystal!!!!

    //-----------------------------------------------------------------
    //
    // Product: BitDefender 9 Internet Security
    // Version: 9.0
    //
    // Created on: 11/10/2008 10:20:50
    //
    //-----------------------------------------------------------------

    Virus Statistics
    Scan path : C:\
    Folders : 3395
    Files : 132605
    Archives : 1629
    Packed files : 6133
    Identified viruses : 0
    Infected files : 0
    Warnings : 0
    Suspect files : 4
    Disinfected files : 0
    Deleted files : 0
    Copied files : 4
    Moved files : 0
    Renamed files : 0
    I/O errors : 26
    Scan time : 00:38:08
    Scan speed (files/sec) : 57

    Spyware Statistics
    Memory processes scanned : 0
    Memory processes infected : 0
    Registry keyss scanned : 0
    Registry keys infected : 0
    Cookies scanned : 0
    Cookies infected : 0
    Spyware files infected : 0
    Spyware threats detected : 0

    Virus definitions : 1861634
    Scan plugins : 16
    Archive plugins : 43
    Unpack plugins : 7
    Mail plugins : 6
    System plugins : 5

    Virus scan options
    Detection
    [X] Scan boot sectors
    [X] Scan archives
    [X] Scan packed files
    [X] Scan email

    File mask
    [ ] Programs
    [X] All files
    [ ] User defined extensions:
    [ ] Exclude extensions: ;

    Action
    Infected objects
    [ ] Ignore
    [X] Disinfect
    [ ] Delete
    [ ] Copy to quarantine
    [ ] Move to quarantine
    [ ] Rename
    [ ] Prompt user

    Second action
    [ ] Ignore
    [ ] Delete
    [ ] Copy to quarantine
    [X] Move to quarantine
    [ ] Rename
    [ ] Prompt user

    Virus scan options
    [X] Enable warnings
    [X] Enable heuristics
    [ ] Show all files in log
    [X] Report file: C:\Program Files\Softwin\BitDefender9\Logs\aspyscan_1223716850.log

    Spyware scan options
    [X] Memory Processes
    [X] Registry keys
    [X] Cookies

    Summary:
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0I8BEC5S\8bU6l3B8vP[1].htm Suspect: Trojan.HTML.Zlob.AH
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0I8BEC5S\8bU6l3B8vP[1].htm Copied
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IZZUE0AM\AAeP9bhJXS[1].htm Suspect: Trojan.HTML.Zlob.AH
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IZZUE0AM\AAeP9bhJXS[1].htm Copied
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VWK3AIFO\8bU6l3B8vP[1].htm Suspect: Trojan.HTML.Zlob.AH
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VWK3AIFO\8bU6l3B8vP[1].htm Copied
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YXWGIN93\AAeP9bhJXS[1].htm Suspect: Trojan.HTML.Zlob.AH
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YXWGIN93\AAeP9bhJXS[1].htm Copied
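    The scan log above is the only hard evidence in this thread, and the useful thing a helper does with it is read the Summary block carefully: every one of the four hits is a cached HTML page under Content.IE5 (the Internet Explorer cache), the verdict is "Suspect" rather than "Infected" (heuristics are enabled, identified viruses is 0), and each file was copied to quarantine, not removed. The script below is an added example, not BitDefender's own tooling and not something posted in the thread: it parses a BitDefender 9 style log (statistics header plus Summary lines), cross-checks the header counts against the Summary block, and separates hits that sit in a browser cache from hits located anywhere else. The sample log is constructed here from the lines shown on the page; the "Suspect:/Copied" line format and the cache folder names are taken from the log as posted, and any other paths used in testing are labelled placeholders.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample modelled on the BitDefender 9 scan log posted in the
# thread: a few statistics lines plus the "Summary:" block. The file names and
# detection name are the ones shown on the page; the text itself is assembled
# here for the example and is not the original log file.
SAMPLE_LOG = r"""
// Product: BitDefender 9 Internet Security
Virus Statistics
Identified viruses : 0
Infected files : 0
Suspect files : 4
Disinfected files : 0
Deleted files : 0
Copied files : 4
Moved files : 0
Summary:
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0I8BEC5S\8bU6l3B8vP[1].htm Suspect: Trojan.HTML.Zlob.AH
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0I8BEC5S\8bU6l3B8vP[1].htm Copied
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IZZUE0AM\AAeP9bhJXS[1].htm Suspect: Trojan.HTML.Zlob.AH
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IZZUE0AM\AAeP9bhJXS[1].htm Copied
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VWK3AIFO\8bU6l3B8vP[1].htm Suspect: Trojan.HTML.Zlob.AH
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VWK3AIFO\8bU6l3B8vP[1].htm Copied
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YXWGIN93\AAeP9bhJXS[1].htm Suspect: Trojan.HTML.Zlob.AH
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YXWGIN93\AAeP9bhJXS[1].htm Copied
"""

# Header lines look like "Suspect files : 4"; only integer-valued keys matter here.
_STAT_RE = re.compile(r"^\s*(?P<key>[A-Za-z/ ]+?)\s*:\s*(?P<value>\d+)\s*$")
# A Summary line is either "<path> Suspect: <name>" / "<path> Infected: <name>"
# or "<path> <action>" recording what the scanner did with that file.
_SUMMARY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:(?P<verdict>Suspect|Infected):\s*(?P<name>\S+)"
    r"|(?P<action>Copied|Moved|Deleted|Disinfected|Renamed))\s*$"
)
# Folder names that identify the IE cache on Windows XP, as seen in the log.
BROWSER_CACHE_MARKERS = {"temporary internet files", "content.ie5"}


def parse_scan_log(text):
    """Return (stats, findings): header counts, and per-path verdict/actions."""
    stats, findings = {}, {}
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_summary:
            if line == "Summary:":
                in_summary = True
                continue
            m = _STAT_RE.match(line)
            if m:
                stats[m.group("key")] = int(m.group("value"))
            continue
        m = _SUMMARY_RE.match(line)
        if not m:
            continue
        entry = findings.setdefault(
            m.group("path"), {"verdict": None, "name": None, "actions": []}
        )
        if m.group("verdict"):
            entry["verdict"] = m.group("verdict")
            entry["name"] = m.group("name")
        else:
            entry["actions"].append(m.group("action"))
    return stats, findings


def in_browser_cache(path):
    """True when any folder in the path is a known browser-cache directory."""
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return bool(parts & BROWSER_CACHE_MARKERS)


def triage(text):
    """Cross-check the Summary block against the header counts and split the
    suspect hits into browser-cache residue versus files living elsewhere."""
    stats, findings = parse_scan_log(text)
    suspects = [p for p, e in findings.items() if e["verdict"] == "Suspect"]
    copied = sum(e["actions"].count("Copied") for e in findings.values())
    cache_hits = [p for p in suspects if in_browser_cache(p)]
    return {
        "suspect_count": len(suspects),
        "copied_count": copied,
        "detections": Counter(findings[p]["name"] for p in suspects),
        "cache_only": bool(suspects) and len(cache_hits) == len(suspects),
        "outside_cache": sorted(set(suspects) - set(cache_hits)),
        # False means the pasted log is incomplete or truncated.
        "counts_match": (
            stats.get("Suspect files") == len(suspects)
            and stats.get("Copied files") == copied
        ),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    For the thread's log this reports four suspects, all of the same detection name, all inside the browser cache, with header counts that agree with the Summary block. The "cache_only" flag is the point of the exercise: cached pages that a scanner keeps copying to quarantine but never reports as infected elsewhere on disk are handled by clearing the cache with the browser closed, exactly as the later replies describe, whereas any path listed under "outside_cache" would be the thing to investigate before accepting that the machine is clean.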

  • rootkit
    rootkit ✭✭✭

    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    http://www.atribune.org/ccount/click.php?id=1

    Double-click ATF Cleaner.exe to open it.
    Under Main choose: Select all
    Then click the Empty Selected button.




    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

  • Hi Crystal, I did what you said. It took about 3 seconds and said it had cleaned so many files, but when I did a rescan using my BitDefender, it's still finding 4 suspect trojans. Any more suggestions? And is my computer safe as it is?

  • Hello hannahboo,


    You need to close your browser first. Please press the Windows key together with R, then type taskmgr and press Enter. Highlight the Processes tab. Click once on the Process Name column and look for entries called iexplore.exe, firefox.exe or opera.exe; if found, left-click on it and press End Task. Retry what crysty2k5 said. The problem is that these temporary files are in use by your browser, so they couldn't be removed.


    Can you please download ComboFix? You will find it here. Print the following instructions and read them carefully. Please post the output of the scan in your next post.


    Kind regards,


    Niels

  • Hi Niels, and thank you for your first suggestion. I tried what Crystal said after closing my browser, but at the end my BitDefender popped up again and said "suspect trojan, your computer has not been affected". I have been asked by BitDefender to submit this virus to the lab for analysis, as BitDefender doesn't know what it is. Where does this leave me? When I look in quarantine the virus is in there, but will BitDefender come up with a solution to this? And every time I clear my browsing history it pops up 8 times. So do you think the ComboFix will work? It's a lengthy process and I don't feel confident doing it. I have been advised by some people to just format my hard drive and reinstall Windows. Do you think this is a good idea?

  • It's never a good idea to format your hard drive. It is a DEAD last resort.

  • Thanks, VirusPING, for that very informative answer there. I was hoping for a constructive response.

  • Hello hannahboo,


    The problem here is that BitDefender real-time protection is blocking access to the file. Please reboot your PC into Safe Mode. To boot into Safe Mode you just need to reboot, but keep pressing the F8 key on your keyboard before you see the Windows splash screen. Select Safe Mode using the arrows on your keyboard and press Enter to confirm. Now log in with your user account. Now you can try what crysty2k5 said to do.


    Formatting a hard disk is, like VirusPING said, a last resort. I would like you to post a ComboFix log. That is how I can see where the infection is located, and I can also remove it. ComboFix can remove some infections by default; for the rest, somebody needs to analyse the log file. I can also let you collect the infected files so BitDefender can detect them and remove them from your computer. No security solution can remove all infections. That is impossible.


    Kind regards,


    Niels

  • Hi Niels,

    I did the Safe Mode thing and tried ATF Cleaner that way, but it's still there. I'm a novice, so doing the ComboFix as you suggested is a bit of a challenge to me; I don't feel confident enough. Is there anything else I can do? I have submitted the suspect trojan to the BitDefender lab. Shall I just wait and see what they come up with? I would also like to state that this trojan came through a link to YouTube in my Facebook inbox!!

  • Please temporarily disable BitDefender real-time protection, add the detected files to a password-protected archive, re-enable BitDefender and attach the archive to a post on the forum.

  • Hello hannahboo,


    If you still have that link, that would also be very useful. Send me or the virus researchers a personal message with the link attached.


    I would like to see your combofix log so I can see if there is still anything malicious on your computer. What is difficult for you?


    Kind regards,


    Niels

  • Theoracle117
    edited October 2008

    A HijackThis log will really help us.


    http://forum.bitdefender.com/index.php?showtopic=5668


    Just run it, press Scan and save a log file. Then post the log file here. DO NOT press anything else in HijackThis.

  • hannahboo
    edited October 2008

    That link wasn't of any use; it just kept sending me back to the same page!!!! Which one do I need to click on from the three choices below?


    external mirror 1(exe)


    external mirror 2(exe)


    external mirror 3 (zip)

  • rootkit
    rootkit ✭✭✭
    edited October 2008

    Use the first one! :)


    external mirror 1(exe)