Trojan.exploit.ms07-017.b
Currently my BitDefender will always detect this virus whenever I use Internet Explorer to go to any website. As for now, I'm using Mozilla Firefox. When I use Mozilla Firefox, this virus wouldn't pop up.
Whenever Bitdefender block this virus, it is located in my local settings\temporary internet files\content.ie5
Everytime I use Internet Explorer to load any files from any website, this virus will continually created and Bitdefender will continually block it. I tried removing all the files in C:\Windows\Temp, Local Settings\Temp, Local Settings\Temporary Internet Files
in safe mode. I still encounter this virus.
Anyone know how to remove this virus? Thanks in advance.
Comments
-
Deactivate temporarly BD real-time protection in normal mode, and clear all tmp folders by deleting their contents. You may also use utilities like CCleaner or Disk Cleanup. The virus shouldn't come up again.
Andrei0 -
Hello hehe86
You should also immediately update your windows by visiting windows update because otherwise you could get infected again.
One warning do not forget to uncheck yahoo toolbar during ccleaner's installation. If you don't wanted to disable realtime protection you can always boot in safe mode. By just rebooting your pc and pressing several times on the F8 button before the windowsloadingscreen. Log in with your account and run ccleaner.
Regards
Niels0 -
Ok. I have downloaded the CCleaner, visited the Windows Update website. I already downloaded all the available updates through that website. I also run CCleaner again through safe mode and run it.
But still...Whenever I want to enter any website, let say, www.google.com, the virus pop up again. It always created at the same location which is local settings/temporary internet files/content.ie5.
I even specifically double check to download this security update from Microsoft, Update for Windows XP (KB925902) to avoid getting affected again....
What should I do now....0 -
Hello hehe86
Normally when you have the fix you can't get infected. Until a new variant occurs. To see if you have other exploits in your software run this scan: software inspector
Enable also thorough system inspection.
Regards
Niels0 -
This malware is a javascript which exploits the ".ANI" vulnerability (MS07-017). Please post the complete detection path (normally simply emptying your IE temporary folder with the realtime protection disabled should fix this).
0 -
I already went to that software inspector website. What it detected was those programs that are outdated. It required me to update only. It doesn't found any particular threats.
I already tried to emty my IE folder with realtime protection disabled. But still... I receive the same virus over and over again....
Here is the path that the virus detected:
C:\Documents and Settings\(user name)\Local Settings\Temporary Internet Files\content.ie5
I have remove it numerous of times and whenever I just enter any website, the virus would come back again....
Any advice?0 -
Hello hehe86
Please do reboot your pc into safe mode by just rebooting your pc. Press several times on the F8 button before the windows loadingscreen choose safe mode press enter. Log in with your account. Go to start,my computer,double click on the letter of your hard disc navigate to Documents and Settings\(user name) go to tools,folder options,display (view), check the option show/view hidden files and folders press on apply and ok. Now you will see a folder called local settings,emporary Internet Files\content.ie5 and delete only the content of this folder.
Which websites do you visit? Because when you will always get infected if you keep visiting that particular website. You should stay away from harmful sites.
Regards
Niels0 -
Hi Neils.
Well I did reboot my pc into safe mode. And I have deleted the specific destination that you just mentioned and deleted the content only. After that, i reboot my PC and enter to windows normally.
The virus did not appear for a while. After a few hours, I restarted my PC , and use Internet Explorer to enter any website and the virus is back again.... As soon as I enter any page of a website, the virus would created. Let say I go to 3 page, at least 3 of this virus would created....
The website I use to enter is Google, Bitdefender or BitdForum.. Even when I enter Google, the virus would appear...
What should I do next...0 -
This doesn't mean that the virus is created each time you browse. This may mean that the virus is located in your temp folder, and since each time you open your browser the temp folder is scanned, the virus shows up being detected by BD. However, since you deleted it already, he shouldn't reappear. I would also recommand you to update Windows with the latest security patches, since it may be a security hole with Internet Explorer. You could also start using Opera or Firefox, which are safer. Until then, you should delete the trojan again, as Niels told you.
Andrei0 -
Everytime after I deleted the temporary files as suggested by Niels, I double check my temporary internet files to see is there any file remaining. The only file remaining is index.dat. So when I open up my Internet Explorer and start to enter any website, the virus pop up again. Mostly is in this type of file name: a[1].js , a[2].js and so on. By the way, my homepage is blank.
So I do not know why does it reappear...
I also went to the Windows update to update. Still, it doesn't solve this problem...
When using Firefox, this virus doesn't appear but there certain websites I can't enter. So does this virus strongly related with the java ******?
Is there any way I can continue using Internet Explorer by solving this virus?0 -
There might be other files which cause the so called infection. Run a complete system scan, and attach the scanning log in your next post.
Andrei0 -
Here is my scan log:
Virus Statistics
Scan path : C:\
Folders : 6254
Files : 30969
Memory processes scanned : 53
Archives : 5
Runtime packers : 2463
Identified viruses : 0
Infected files : 0
Memory processes infected : 0
Suspect files : 0
Warnings : 0
Disinfected files : 0
Deleted files : 0
Moved files : 0
I/O errors : 9
Scan time : 00:15:08
Scan speed (files/sec) : 34
Spyware Statistics
Registry keys scanned : 1791
Registry keys infected : 0
Cookies scanned : 20
Cookies infected : 0
Spyware files infected : 0
Spyware threats detected : 0
Virus definitions : 793248
Scan plugins : 16
Archive plugins : 40
Unpack plugins : 6
Mail plugins : 6
System plugins : 5
Virus scan options
Detection
[X] Scan boot sectors
[X] Memory Processes
[ ] Scan archives
[X] Scan runtime packers
[X] Scan email
File mask
[X] Programs
[ ] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;
Action
Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Move to quarantine
[ ] Prompt user
Second action
[ ] Ignore
[ ] Delete
[X] Move to quarantine
[ ] Prompt user
Virus scan options
[X] Enable warnings
[ ] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\full_scan\1187508042.log
Spyware scan options
[X] Scan for riskware
[ ] Skip dial and applications from scan
[X] Registry keys
[X] Cookies
After scanning, there is 0 identified virus. However, if I start browsing to any website with Internet Explorer, this virus is back. Everytime this virus is created, I would always remove it at temporary internet files with real protection disabled. I scan it after removing my temporary internet files. That is why there are no virus detected.
So what is the problem of this virus always created?0 -
Try to disable ****** execution temporarly from your browser settings, and see if the problem persists.
Andrei0 -
Erm.. Currently I'm using Internet Explorer 7. Which ****** should I disable? There's lots of them...
0 -
Hello hehe86
Open IE go to tools,internet-options,security,click on custom level,under scripting uncheck everything Active Scripting, Allow paste options via ****** and Scripting of Java applets. Press on ok.
I also suggest that you update the programs that are outdated because these are still vulnerable for attacks.
Regards
Niels0 -
Ok I go IE -> tools -> internet option -> security -> custom level. But I don't understand 'under scripting uncheck everything Active Scripting, Allow paste options via ****** and Scripting of Java applets" ? Bottom of the box, there's scripting. But I can't uncheck it. I can either enable,disable, or prompt. Is it enable Scripting of Java applets and disable Active Scripting?
If I did that, doesn't that means I can't go to websites that require scripting such as gmail?
Sorry, although the steps are pretty clear, but I want to make sure...0 -
Hello hehe86
You have to choose Scripting of Java applets (prompt or disable),Active Scripting (prompt)
If you select disable you can have problems visiting that requires javascript but when you set it on prompt you will able to reach these sites.
Regards
Niels0 -
I had choose the Active Scripting to prompt and Java applets to prompt too. After I did that, the virus never appear again. But website like www.gmail.com has a lot of scripting and so it prompts a lot. This is kinda irritating. At end of the day, what makes my computer infected by this virus? Because if I choot my Active Scripting back to enable, this virus appear again.
How to make this virus dissapear once and for all?0 -
Hello hehe86
I suggest that you also try this go to start,my computer,right click on my computer choose properties,system restore,check disable system restore on all stations press on ok. Confirm the message wait till everything is greyed out. Afterwards uncheck it and confirm by pressing on apply and ok. I also recommend that you do this also. Install the latest version of Java. Check also the temp folder again and delete the .js files if present.
Regards
Niels0 -
Well after I did that, the virus is still reappear. Now I realise even if I check prompt for Active Scripting, the virus can still pop up. I check disable for Active Scripting only then I did not see the virus again. As for the Java Applets, I enable,disable or prompt, it doesn't affect much.
Any other ideas?0 -
Well, I know you are about tired of messing with this, but try this and see if it works. Follow these instructions to set up a bitdefender scan in safe mode:
Open up a text editor, like notepad, and type in the following just as it looks here, or just copy and paste into notepad:
%systemdrive%
cd C:\Program Files\Common Files\Softwin\BitDefender Scan Server
bdc /f /b /r /i /G /N /p
pause
Go to the upper left corner where it says "file" and click on it. There should be a drop down list come down. Click on "save as". That should bring up another box that will let you choose where you want to save the file. The desktop or MyDocuments folder are good choices. Down where it says "file name", type in the name you want for the file with the extension of .bat (example: safemode scan.bat). Make sure the “Save as type” is set to “all files”, then click "save". This should save this file to the location you chose. All you now have to do to run a scan when you are in safe mode is go to where this file is saved and click on it. It should run the scan. This saves you from having to type the commands in each time you want to run the scan in safe mode.
Okay, back to safe mode you go. Run CCleaner once again. Also, go back and turn off system restore once more. You won't be able to turn it back on until you reboot into regular mode, so don't forget to do that when you reboot your computer when you are through with all of this. Now, click on the file you saved to run BitDefender in safe mode and a scan should start. It won't look like much is being done, but if the command line window opens up and the last thing you see looks something like:
BDC/WIN32-Console v7.0 <Build 25555> <i386>.............All rights reserved
then the scan is running. If it finds something, it will prompt you for an action. Once the scan is through, reboot into regular mode. Once again, don't forget to turn system restore back on when you are booted back up.
If all this doesn't work, I don't know what to tell you other than use something other than IE to surf the net with. If the problem comes back up and it's not from visiting one certain website, the you must have some hidden executable on your computer that keeps loading the virus that BD can't find. You might also try scanning with another AV program or an antispyware program too just to be sure. Good luck
Jim0 -
Hello hehe86
So after you clear the java cache you have also deleted the scripts again? If not try it.
I recommend that you download this program Install it perform an update first. Reboot your pc and press several times on the F8 button before the windowsloading screen select safe mode press enter to select. Log in with your account. Start superantispyware and perform a complete scan. I also recommend that you check the follow locations also: start,run,type msconfig press enter go the tab called boot/start up (I am using a non-English windows version) enter the name that you will find under item for boot/startup on this website . If you see an N or X uncheck the item(s). Go to the follow location start,all programs,startup/boot. To finish take a look in the registry : start,run,type regedit press enter. Expand the key hkey_local_machine and the following folders and subfolders: software,microsoft,windows,currentversion,run. Take a look at the rightside and enter the names also on that website. But here you have to delete the items.
Regards
Niels0 -
Well I had try the following methods. By doing the Bitdefender Savemode Scan, it doesnt detect any threats. So is running Superantispyware in safe mode, that is after I run CCleaner. The virus is still there...
However, there's a time where I can surf the net without seeing the virus. I not sure why is it so. Then somehow if I restart my PC, the virus comes back...
Even if I use other web browser such as Firefox, website that require active scripting such as Gmail, I can't load the website. So is hotmail...
So is it time for me to format my PC.... Is there any other possible solution to this?0 -
hehe86,
I am pretty sure that your problem relies in the BHO components of your Internet Explorer, which means the Browser Helper Objects.
Not sure if you're using IE7 or not, but if you do have IE7, you can test this by running IE7 in "no addons" mode.
To do this, rightclick your IE icon on your desktop if present and select "start without add-ons"
If no IE icon on your desktop, go to start > System tools and select "Internet Explorer (No Add-ons)"
This will load IE7 as well with no add-ons. Keep in mind, this will only be once for this Internet Explorer session.
If that indeed "solves" your problem (however, some add-ons may be stubborn and load anyway):
1. Open Internet Explorer.
2. On the Tools menu, click Manage Add-ons.
3. In the Show box, click the set of add-ons that you want to see.
One of them may be malware related and responsible for the problem you are having. As you will see, you can disable them as well.
Anyway, if that solves your problem, let me know what add-on present there was causing this and upload the related file here so detection can be added, because as far as I understand here is, Bitdefender only flags the files present in your Temporary Files, but not the file which is responsible for dropping them.0 -
Yea I am using IE7. I had tested using IE without add-ons, at first, there was no problem, but then after surfing a few website, the virus appear again...
I also notice that there is an error pops up when this virus appear. It was bdmcon error box. It states that a 'required resourse was'. Then I click ok. After I click ok, my bitdefender scan activity bar's word which is file zone disappear. So I have to restart my bitdefender application again...
Any idea how this virus related to the problem mentioned above?0 -
I also used Spybot:Search and Destroy to check my PC. Everytime there is this threats:
HKEY_USERS\S-1-5-21-1731985460-3219537765-863298002-1005\Software\Microsoft\Internet Explorer\Main\Feature Control\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1
which is the Microsoft Window Security Internet Explorer.
After I fix it, and I rescan again, this threats appear again. Is the virus got to do with this threat?0 -
Can you tell me what add-ons (Browser Helper Objects) are present there?Yea I am using IE7. I had tested using IE without add-ons, at first, there was no problem, but then after surfing a few website, the virus appear again...
Actually, it may be easier to find out if you posted a HijackThislog.
By default, it should be set to dword 1. !=W=1 means it is not set to dword 1, so in your case that one is set to dword 0.I also used Spybot:Search and Destroy to check my PC. Everytime there is this threats:
HKEY_USERS\S-1-5-21-1731985460-3219537765-863298002-1005\Software\Microsoft\Internet Explorer\Main\Feature Control\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1
which is the Microsoft Window Security Internet Explorer.
This means that in your Internet Explorer Options > advanced, the setting under security "Allow active content to run in files on My Computer" is checked, this means.. it allows a Web page to run active content in your computer - so uncheck that one.
You may also want to check your active desktop components... so, * Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Select everything you find in there (except for "My current home page") and press the delete button on the right.
Hit ok below > apply in previous window.0 -
Can you tell me what add-ons (Browser Helper Objects) are present there?
The add-ons are:
Adobe PDF Reader Link Helper
Bad download locker
BitComet Helper
Diagnose Connection Problems..
FGCatchUrl
FlashGet
FlashGet
FlashGet GetFlash Class
Research
SSV Helper Class
Sun Java Console
Windows MessengerBy default, it should be set to dword 1. !=W=1 means it is not set to dword 1, so in your case that one is set to dword 0.
This means that in your Internet Explorer Options > advanced, the setting under security "Allow active content to run in files on My Computer" is checked, this means.. it allows a Web page to run active content in your computer - so uncheck that one. .
I went to Internet Explorer Options > advanced, the setting under security "Allow active content to run in files on My Computer", it is all the long unchecked. Then to make sure it again, I recan using Spybot, the threat: 'HKEY_USERS\S-1-5-21-1731985460-3219537765-863298002-1005\Software\Microsoft\Internet Explorer\Main\Feature Control\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1' is still detected.You may also want to check your active desktop components... so, * Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Select everything you find in there (except for "My current home page") and press the delete button on the right.
Hit ok below > apply in previous window
As of the Display properties > Desktop > Customize Desktop... > Web tab, there is nothing there except "My current home page".
Any idea?0 -
I have the same problem
0 -
I think the virus resides on the network, therefore, even after we clean it, it can show up if the infected pc connects to the network.
0 -
The virus resides in the network huh? So there's no way in removing it then?
0 -
this is very late now. but i still feel like sharing
process explorer has a handy little feature that works well with antivirus.
suspend service
I encountered a trojan like that where I could never delete the file because it was tied to winlogon.exe
i suspended all the services the trojan file was tied too
winlogon.exe
rundll.dll
explorer.exe
ran my bitdefender antivirus(file was scheduled to be deleted on reboot)
hard reset the box. no smooth shutdown. press and hold your power button.
on reboot the file was finally purged. For some reason there is a command to reload the trojan dll before the delete on reboot occurs (i think this has to do with the relationship with winlogon). it's a pretty slick design.
the ability to suspend winlogon and do a hard reboot prevents the dll from executing code to save itself from the impending deletion scheduled by the antivirus.
i tried numerous methods from hijack this, vundofix, look2me killers, sysinternal delete on reboot tool, avg, windows defender, bit defender, kaspersky, manual deletion, registry deletion, could not rename file, could not move file, unlocker, spysweeper, ad-aware, etc.
it wasn't until i combined process explorer, bitdefender, and unlocker that i was able to knock out the hardest trojan on the system.
unlocker allowed me to see what services locked the trojan file
process explorer allowed me to suspend the locking services stopping the trojan from executing survival code
bitdefender scheduled the file for deletion on reboot
and doing a hard reboot to not allow the suspended services to process anything after the deletion was scheduled.
this made the file deletion the TOP priority upon reboot. no other code gets to butt in line.
****additional notes****
this dll was tied to an IE7 addon that I disabled to prevent trojan infesting pop ups and redirects to occur0