Trojan Found!

hannahboo

my bitdefender hs found a suspected trojan, it hasnt deleted or disinfected it, but it has copied it 4 times, it goes in to my quarantine folder where i have deleted it, but it still shows up on every scan i do, its telling me its in my documents and settings/owner/local settings/temporary internet settings..........how do i find it and is my computer still safe?

rootkit

Post here a scan log

hannahboo

this log might be better crystal!!!!

//-----------------------------------------------------------------

//

// Product: BitDefender 9 Internet Security

// Version: 9.0

//

// Created on: 11/10/2008 10:20:50

//

//-----------------------------------------------------------------

Virus Statistics

Scan path : C:\

Folders : 3395

Files : 132605

Archives : 1629

Packed files : 6133

Identified viruses : 0

Infected files : 0

Warnings : 0

Suspect files : 4

Disinfected files : 0

Deleted files : 0

Copied files : 4

Moved files : 0

Renamed files : 0

I/O errors : 26

Scan time : 00:38:08

Scan speed (files/sec) : 57

Spyware Statistics

Memory processes scanned : 0

Memory processes infected : 0

Registry keyss scanned : 0

Registry keys infected : 0

Cookies scanned : 0

Cookies infected : 0

Spyware files infected : 0

Spyware threats detected : 0

Virus definitions : 1861634

Scan plugins : 16

Archive plugins : 43

Unpack plugins : 7

Mail plugins : 6

System plugins : 5

Virus scan options

Detection

[X] Scan boot sectors

[X] Scan archives

[X] Scan packed files

[X] Scan email

File mask

[ ] Programs

[X] All files

[ ] User defined extensions:

[ ] Exclude extensions: ;

Action

Infected objects

[ ] Ignore

[X] Disinfect

[ ] Delete

[ ] Copy to quarantine

[ ] Move to quarantine

[ ] Rename

[ ] Prompt user

Second action

[ ] Ignore

[ ] Delete

[ ] Copy to quarantine

[X] Move to quarantine

[ ] Rename

[ ] Prompt user

Virus scan options

[X] Enable warnings

[X] Enable heuristics

[ ] Show all files in log

[X] Report file: C:\Program Files\Softwin\BitDefender9\Logs\aspyscan_1223716850.log

Spyware scan options

[X] Memory Processes

[X] Registry keys

[X] Cookies

Summary:

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0I8BEC5S\8bU6l3B8vP[1].htm Suspect: Trojan.HTML.Zlob.AH

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0I8BEC5S\8bU6l3B8vP[1].htm Copied

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IZZUE0AM\AAeP9bhJXS[1].htm Suspect: Trojan.HTML.Zlob.AH

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IZZUE0AM\AAeP9bhJXS[1].htm Copied

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VWK3AIFO\8bU6l3B8vP[1].htm Suspect: Trojan.HTML.Zlob.AH

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VWK3AIFO\8bU6l3B8vP[1].htm Copied

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YXWGIN93\AAeP9bhJXS[1].htm Suspect: Trojan.HTML.Zlob.AH

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YXWGIN93\AAeP9bhJXS[1].htm Copied

rootkit

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

http://www.atribune.org/ccount/click.php?id=1

Double-click ATF Cleaner.exe to open it

Under Main choose: Select all

Then click the Empty Selected button.

If you use Firefox:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

hannahboo

hi crystal, i done what you said, it took about 3 seconds and said it had cleaned so many files, but when i done a rescan using my bitdefender, its still finding 4 suspect trojans. anymore suggestions? and is my computer safe as it is?

Niels

Hello hannahboo,

You need to first close your browser. Please press the windows button together with r now type taskmgr press enter. High light the processes tab. Click 1x on the process name column look for entries that are called iexplore.exe,firefox.exe,opera.exe if found left click on it and press on end task. Retry what crysty2k5 said. The problem is that these temporary files are in use by your browser so they couldn't be removed.

Can you please download combofix you will find it here. Print the following instructions and read them carefully. Please post the output of the scan into your next post.

Kind regards,

Niels

hannahboo

hi niels, and thankyou for your first suggestion, i tried what crystal said after closing my browser, but at the end my bit defender popped up again and said suspect trojan, you computer has not been affected, i have been asked by bitdefender to submit this virus to the lab for analysis, as bit defender doesnt know what it is, where does this leave me? when i look in quarantine the virus is in there, but will bitdefender come up with a solution to this? and everytime i clear my browsing history it pops up 8 times. so do you think the combo fix will work? as its a lengthy process and i dont feel confident doing it. i have been advised by some people to just format my hardrive and reinstall windows, do you think this is is a good idea?

Theoracle117

Its never a good idea to format your hard drive. It is a DEAD last resort.

hannahboo

thanks virus ping for that very informative answer there, i was hoping for a constructive response.

Niels

Hello hannahboo,

The problem here is that BitDefender realtime protection is blocking access to the file. Please reboot your pc into safe mode. To boot in safe mode you need to just reboot but keep pressing the F8 button on your keyboard before you see the windows splash screen. Select safe mode by using the arrows on your keyboard press enter to confirm. Now log in with your user account. Now you can try what crysty2k5 said to do.

Formating a hard disk is like VirusPING said a last resort. I would like that you post a combofix log. That is how I can see were the infection is located and I also can remove them. Combofix can remove some infections by default for the rest somebody need to analysis the logfile. Also I can let you collect the infected files so BitDefender can detect them and remove them from your computer. No security solution can remove all infections. That is impossible.

Kind regards,

Niels

hannahboo

hi niels,

i did the safe mode thing, and tried atf cleaner that way but its still there, and im a novice so doing the combo fix as you suggested is a bit of a challenge to me, i dont feel confident enough, is there anything else i can do? i have submitted the suspect trojan to the bit defender lab, shall i just wait and see what they come up with? and also i would like to state that this trojan came through a link to youtube , in my facebook inbox!!

csalgau

Please temporarily disable BitDefender realtime protection, add the detected files to a password protected archive, reenable BitDefender and attach the archive to a post on the forum.

Niels

Hello hannahboo,

If you still have that link that would also be very useful. Send me or the virus reseachers a personal message with the link attached.

I would like to see your combofix log so I can see if there is still anything malicious on your computer. What is difficult for you?

Kind regards,

Niels

hannahboo

Hello hannahboo,

If you still have that link that would also be very useful. Send me or the virus reseachers a personal message with the link attached.

I would like to see your combofix log so I can see if there is still anything malicious on your computer. What is difficult for you?

Kind regards,

Niels

Theoracle117

A hijackthis log will really help us

http://forum.bitdefender.com/index.php?showtopic=5668

just run it, and press scan and save a log file. Then post the log file here. DO NOT press anything else in hijackthis.

hannahboo

that link wasnt of any use, it just kept sendidng me back to the same page!!!! which do do i need to click on from the three choices below?

external mirror 1(exe)

external mirror 2(exe)

external mirror 3 (zip)

rootkit

Use the first one !

external mirror 1(exe)