Trojan.inject.ia => No Action Possible!

Hi there!


I found a trojan infection on our friends' PC. They called me to help them a bit, since their PC stopped responding. I've run an online scan with BD since I consider it to be the best AV tool out there.


It found the trojan "Trojan.inject.ia". I've tried deleting it, renaming it, changing the .dll into .mov and then I tried to archive it with Winrar and deleting it, but no chance. It doesn't work...


Here's the link to the report created by AVIS: http://forum.bitdefender.com/index.php?sho...adeux&st=20


I've already submitted the file to MCU.


Thanks for your help.


A.

Comments

  • rootkit
    rootkit ✭✭✭

    Please paste here the full scan log. We need to see the file location :)

  • @amadeux


    Have you tried disabling System Restore before trying to remove the Trojan? Many trojans and worms make sure to infect the System Restore files, so after a successful removal they simply restore themselves. Disabling System Restore deletes all restore points on the computer.

  • Hi,


    I've been infected with trojan.inject.ia too!


    No attempt to delete it or the like works for me.


    Unfortunately my log file is in German, so I think you guys would have quite a few problems understanding it.


    Is there any news on this problem?


    Hopefully


    Bastian

  • Hi Guys,


    I'm also infected... any updates on how to successfully remove this?


    the infected file is /windows/system32/svchost.exe (memory & full dump)


    Thanks,


    Mike


    dump of log file :


    BitDefender Log File

    Product : BitDefender Internet Security 2009
    Version : BitDefender UIScanner v.12
    Scanning task : windows scan
    Log date : 13:13:39 15/03/2009
    Log path : C:\Documents and Settings\Michael\Application Data\BitDefender\Desktop\Profiles\Logs\user_0001\1237119219_1_02.xml

    Scan Paths:
    Path 0000: C:\WINDOWS\system32

    Scan Options:
    Scan for viruses : Yes
    Scan for adware : Yes
    Scan for spyware : Yes
    Scan for applications : Yes
    Scan for dialers : Yes
    Scan for rootkits : Yes

    Target Selection Options:
    Scan registry keys : Yes
    Scan cookies : Yes
    Scan boot sectors : Yes
    Scan memory processes : Yes
    Scan archives : Yes
    Scan runtime packers : Yes
    Scan emails : Yes
    Scan all files : Yes
    Heuristic Scan : Yes
    Scanned extensions :
    Excluded extensions :

    Target Processing:
    Default action for infected objects : Disinfect
    Default action for suspicious objects : None
    Default action for hidden objects : None

    Scan engines summary
    Number of virus signatures : 2793184
    Archive plugins : 45
    Email plugins : 6
    Scan plugins : 13
    System plugins : 5
    Unpack plugins : 7

    Overall scan summary
    Scanned items : 4622
    Infected items : 5
    Suspicious items : 0
    Resolved items : 0
    Unresolved items : 5
    Password-protected items : 0
    Individual viruses found : 2
    Scanned directories : 339
    Scanned boot sectors : 2
    Scanned archives : 26
    Input-output errors : 30
    Scan time : 00:16:53
    Files per second : 3

    Scanned processes summary
    Scanned : 47
    Infected : 0

    Scanned registry keys summary
    Scanned : 1103
    Infected : 0

    Scanned cookies summary
    Scanned : 1103
    Infected : 0

    Remaining issues:
    Object Name  Threat Name  Final Status
    [system]=]C:\Program Files\Trend Micro\HijackThis\HijackThis.exe (memory dump) Gen:Trojan.Heur.85B14E1C1C Disinfect Failed
    [system]=]C:\WINDOWS\System32\svchost.exe (memory dump) Trojan.Inject.IA Disinfect Failed
    [system]=]C:\WINDOWS\System32\svchost.exe (full dump) Trojan.Inject.IA Disinfect Failed
    [system]=]C:\WINDOWS\System32\svchost.exe (memory dump) Trojan.Inject.IA Disinfect Failed
    [system]=]C:\WINDOWS\System32\svchost.exe (full dump) Trojan.Inject.IA Disinfect Failed

  • Have you tried running BD in safe mode? It is possible that you need to be in safe mode to get rid of it.


    How about getting Malwarebytes Anti-Malware (it's free), updating it to the latest update and then doing a full scan in safe mode.


    In addition to BD I have Malwarebytes Anti-Malware and WinPatrol, both free. They all do a good job. Zone Alarm Pro v 7.4 is the firewall.

  • This is an injector, which means that it will inject its code into one or more processes. In this case, the trojan may have launched svchost and basically overwrote the original code with its own. This way, the file remains clean; only its memory image gets infected. However, to make sure and remove any doubt, please attach c:\windows\system32\svchost.exe in a password-protected zip/rar archive (using the password infected).


    Best regards!
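The injector pattern described in the reply above (a legitimate system binary whose on-disk file is clean while only its memory image is flagged) can be triaged straight from the "Remaining issues" section of the scan log quoted earlier in this thread. The following is an added example, not code from the thread or from BitDefender; it assumes that both "(memory dump)" and "(full dump)" entries are scans of a running process's memory rather than of the file on disk, and the sample lines are copied from Mike's log.

```python
import re
from collections import defaultdict

# Constructed sample: the "Remaining issues" lines from the scan log quoted in the thread.
LOG_LINES = r"""
[system]=]C:\Program Files\Trend Micro\HijackThis\HijackThis.exe (memory dump) Gen:Trojan.Heur.85B14E1C1C Disinfect Failed
[system]=]C:\WINDOWS\System32\svchost.exe (memory dump) Trojan.Inject.IA Disinfect Failed
[system]=]C:\WINDOWS\System32\svchost.exe (full dump) Trojan.Inject.IA Disinfect Failed
[system]=]C:\WINDOWS\System32\svchost.exe (memory dump) Trojan.Inject.IA Disinfect Failed
[system]=]C:\WINDOWS\System32\svchost.exe (full dump) Trojan.Inject.IA Disinfect Failed
""".strip().splitlines()

# Line layout as seen in the log: "[scope]=]<path> (<scan kind>) <threat> <status>"
ISSUE_RE = re.compile(r"^\[(?P<scope>[^\]]+)\]=\](?P<path>.+?) \((?P<kind>[^)]+)\) (?P<threat>\S+) (?P<status>.+)$")
# Assumption: both scan kinds are scans of a running process's memory, not of the file on disk.
MEMORY_KINDS = {"memory dump", "full dump"}
SYSTEM_DIRS = ("c:\\windows\\system32\\",)

def parse_issue(line):
    """Fields of one 'Remaining issues' line, or None if the line does not match the layout."""
    m = ISSUE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Group detections per image path and flag the injector pattern the reply describes:
    every hit is in process memory and the image is a Windows system binary."""
    acc = defaultdict(lambda: {"threats": set(), "kinds": set(), "unresolved": 0})
    for line in lines:
        rec = parse_issue(line)
        if rec is None:
            continue                      # summary lines, headers, blank lines
        e = acc[rec["path"]]
        e["threats"].add(rec["threat"])
        e["kinds"].add(rec["kind"])
        if rec["status"].lower().endswith("failed"):
            e["unresolved"] += 1
    report = {}
    for path, e in acc.items():
        memory_only = e["kinds"] <= MEMORY_KINDS
        report[path] = {
            "threats": sorted(e["threats"]),
            "memory_only": memory_only,
            "likely_injected_system_process": memory_only and path.lower().startswith(SYSTEM_DIRS),
            "unresolved": e["unresolved"],
        }
    return report
```

A path flagged as a likely injected system process is exactly the case where the on-disk file should still be submitted for confirmation, as the reply asks, because the log alone cannot prove the file is clean.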

  • rootkit
    rootkit ✭✭✭

    Please pack the file(s) in an archive, protected with the password infected.


    Upload it to www.rapidshare.com or another server and post the download link here.


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    C:\WINDOWS\System32\svchost.exe