Avast WEBforum
Other => Viruses and worms => Topic started by: BigTree on December 14, 2009, 08:24:13 PM
-
I keep getting a recurring warning from Avast Home about a Trojan. It hits within 10 minutes of startup. Doesn't matter if email (Outlook) or web browser (Firefox) is running or not, as long as my wifi is turned on. Dell notebook with Vista, all up to date. I delete the file every time but it comes back every day. Here is the info....
------------------------------------
File name:
C:\Users\Earl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJFZRDGG\ipaddressd[1].htm
Malware name:
HTML:IFrame-KT [Trj]
Malware type:
Trojan Horse
VPS version:
091211-0, 12/11/2009
------------------------------------
Any help greatly appreciated... it's starting to bug me.
-
:) Hi :
This is a "Situation" where I believe a "2nd Opinion" should be done by using
excellent antiMALWARE programs like Malwarebytes Anti-Malware and
"SUPERAntiSpyware", both of which come in FREE Versions .
-
Another good one to try is Hitman Pro; the trial version will detect and destroy malware for 30 days: http://www.surfright.nl/en/hitmanpro
-
Hi BigTree,
Are you getting the avast alert when visiting a specific site with your browser? The flag could be for a re-directing Trojan iFrame exploit on a hacked site. What site do you frequent that could have been injected with malcode?
polonus
-
This happens without visiting any websites, in fact without a browser loaded at all. I have run SUPERAntiSpyware and it has found nothing.
-
Welcome fellow Canadian.
Malwarebytes' Anti-Malware (MBAM) is good to use.
Download it, then update its definitions, then do a Quick scan and let it remove what it finds.
Post its log here if you like.
-
No joy with Malwarebytes either. Here is the log...
---------------------------------------------------
Malwarebytes' Anti-Malware 1.42
Database version: 3360
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865
12/14/2009 2:13:23 PM
mbam-log-2009-12-14 (14-13-23).txt
Scan type: Quick Scan
Objects scanned: 108198
Time elapsed: 11 minute(s), 49 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
I have run a few online scanners as well and nothing shows up but it is still doing it. Avast finds it every time, I delete it every time, and about 3-5 minutes after startup there it is. Could this be a false positive or a file generated by something else?
-
Have you tried deleting your temporary internet files?
-
Have you tried deleting your temporary internet files?
CCleaner is good at cleaning those out:
http://www.ccleaner.com/download/builds <== - Slim - No Toolbar
-
CCleaner run and temp internet files deleted in both MSIE and Firefox. Rebooted and problem still exists.
-
From what you have said, I think it best to report this file.
1. Upload the file to http://www.virustotal.com/
Go to VirusTotal -----> Browse for file -----> Upload and await report -----> reply post here
2. I assume from what you have said that you have moved file to the virus chest so it is visible ether in Infected files or User files.
If you go to chest and follow directions.
Right-click file----->choose email to Alwil software------follow directions
The file will be uploaded to avast on the next auto update or you can manual update
Or send a sample to virus@avast.com
- classify file as undetected malware – add link to this topic in the forum
- zip the message and password protect – secure password in the email body
-
I did step 2 as in above.
A curious thing......
This is the location of the file in the Avast log:
C:\Users\Earl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJFZRDGG\ipaddressd[1].htm
When I try to navigate to the file location above to upload it to VirusTotal there is no location below \Temporary Internet Files. In other words I cannot navigate to "\Content.IE5\DJFZRDGG\ipaddressd[1].htm" it appears to not exist!
-
Use Windows Explorer search
click Start ---go to Search -- type in (without quotations) 'DJFZRDGG' --press OK
-
Nope, Windows Explorer Search can't find it either.
-
Here is the log of the scan done in the quarantine folder......
Scanning of selected files
------------------------------------------------------------------------------------------
Program will try to scan 1 selected file(s) in the Chest
Move files to temporary folder: C:\Users\Earl\AppData\Local\Temp\_avast4_\unp13986436.tmp
FileID: 0000000006 Original file name: C:\Users\Earl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\23P2M67H\newer[1].htm New folder: C:\Users\Earl\AppData\Local\Temp\_avast4_\unp13986436.tmp\6.htm
Scan files in the temporary folder: C:\Users\Earl\AppData\Local\Temp\_avast4_\unp13986436.tmp
C:\Users\Earl\AppData\Local\Temp\_avast4_\unp13986436.tmp\6.htm HTML:IFrame-KT [Trj]
------------------------------------------------------------------------------------------
Action was completed successfully!
-
You could try this - you will need to download Defraggler, so may have to do so on a different clean computer and transfer to your system with a flash drive. So take adequate precautions to prevent virus spread through the flash drive having been connected to your computer.
http://www.filehippo.com/download_defraggler/
Anyways, once Defraggler is set up and running, click Analyze for a reading of your system drive (Drive C: for most people).
This should bring the difficult file to surface - click View Files and look under Filename column for the file.
(screenshot shows files in Content.IE5 on this computer highlighted by red arrows - I will choose file 'prototype [1].js' as my example)
If the file is located, right-click the file and choose Open Containing Folder.
This will give you a tree hierarchy of your computer in a left-hand pane and the files contained in the folder in a right-hand pane. (Next screenshot shows file and containing folder in red circles with a red line connecting the two. You will now be able to take action.)
I have found this method to be one of the best ways to search for files that are contained in Content.IE5 location.
I'm sending this through from a client's computer, so now I continue to clean up his system. This folder 7AI3X128 can be deleted as it is superfluous to the smooth running of the system.
-
Response to the above post....more stuff learned.
Using the above method I was able to locate the Content.IE5 folder and delete all the folders under it except one....33G7C990. I was not able to delete that folder because the system said that a file in that folder was in use by another program. I entered that folder and was able to delete all files but one.....IPADDRESSD[1].HTM.
Again the system says the file is in use by another program. There were no user programs running but the file browser. This is the same file that shows up in the Avast logs. The mystery continues.....
-
Further to above.....
If I use the cmd prompt and navigate to Content.IE5, a DIR command finds nothing.
-
Just run CCleaner and it will clean out IE's Temp files:
CCleaner v2.26.1050 - Slim
- No Toolbar
http://www.ccleaner.com/download/builds
-
I have tried CC Cleaner and it will not remove \Content.IE5\33G7C990\IPADDRESSD[1].HTM
I can find no way to remove that folder/file.
-
Hmm. I thought you might target the difficult file and post back before deleting files. But it should be okay. I don't delete all files under Content.IE5, but anything that is expressly needed can be returned by Restart and reconnect. Are you still getting alerts or warnings from avast? If everything is otherwise normal, I wouldn't bother trying to improve anything, just run the system for a while and see how it goes.
PS - Make sure to empty the Recycle Bin.
-
I have been emptying the recycle bin every time I delete something just in case. The problem is still there.
I have tried to post a screen capture of the Avast warning as an attachment.
-
See if you can locate difficult file again and this time upload to virustotal
http://forum.avast.com/index.php?topic=52222.msg442296#msg442296
This tool may help
http://forum.avast.com/index.php?topic=19387.msg442474#msg442474
-
File uploaded to VirusTotal and it found nothing. It is happening more often now, maybe once an hour. If I restart my computer with wifi turned off it is fine. Within 5 minutes of turning wifi on I get the first attack, even if I have run no web browser or email.
-
Trouble with worms is Avast needs to run the hard drive scan before windows comes up. You almost can kill a worm in windows
-
One thing that helped me deal with malware and a worm together was to go to System in Control Panel and, under Advanced, then Performance, there is Data Execution Prevention. Turn on DEP for ALL programs. Best way to contain a replicating virus or malware. Like I said above, you need Avast to do that boot scan to kill a worm, but I am not sure how to do that.
-
You have tried a boot scan, haven't you, Big Tree? If not, here is a guide.
I think it is always best with System Restore turned off. So check the status of your System Restore and reply post here first.
Perhaps, if first time through, run the boot scan with System Restore on and we see what comes up.
Here is the guide --
right click icon in system tray lower right hand corner of screen--choose to Start avast!
--scanner comes on screen – right-click body of scanner - choose Schedule boot time scan
To run boot scan ---set thorough---check archive---select move to chest ---check allow move
Restart
Reply post outcome to forum
-
Thanks Mkis, I wasn't sure how to force a boot scan. That is what he has to do to kill a Worm or Trojan. :)
-
Further to above.....
If I use the cmd prompt and navigate to Content.IE5, a DIR command finds nothing.
Try showing 'hidden files' and unchecking 'hide protected system files'
Vista
* Right Click Start
* Select Explore
* Select Organize
* Select Folder and Search Options
* Select the View tab
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide extensions for known file types option.
* Uncheck the Hide protected operating system files (recommended) option.
* Click yes to confirm that you really want to do this.
* Click Apply
* Click OK
Then reboot in safe mode by tapping the F8 key, then go to the Content.IE5 folder and delete its contents.
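The cache folders that Explorer and a plain DIR skip are Hidden/System entries; the following PowerShell script (an added example, not from any poster in this thread) lists every file under Content.IE5 with its attributes and a SHA-256 you can compare against a VirusTotal report, and marks files that are locked "in use by another program" instead of failing on them. The cache path is the one quoted in this thread and is an assumption for any other profile.

```powershell
# Added example (not from the thread): enumerate the IE cache including
# Hidden/System entries, which is why DIR and Explorer show nothing there.
# Assumption: the default Vista cache path under the current user's profile.
$CachePath = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files\Content.IE5'

function Get-CacheFiles {
    param(
        [string]$Path = $CachePath,
        [string]$NamePattern = '*'      # e.g. 'ipaddressd*' to target one name
    )
    # -Force includes Hidden and System items that Get-ChildItem skips by default
    Get-ChildItem -Path $Path -Recurse -Force -Filter $NamePattern -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $hash = 'LOCKED'            # reported when another process holds the file open
            try {
                $stream = $_.OpenRead()
                try {
                    $sha  = [System.Security.Cryptography.SHA256]::Create()
                    $hash = ([System.BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '')
                } finally { $stream.Close() }
            } catch [System.IO.IOException] { }
            # New-Object/-Property keeps this working on the PowerShell shipped with Vista
            New-Object PSObject -Property @{
                FullName   = $_.FullName
                Attributes = $_.Attributes.ToString()
                Length     = $_.Length
                LastWrite  = $_.LastWriteTime
                SHA256     = $hash
            }
        }
}

# Newest cache entries first: a file that reappears within minutes of going
# online will sit at the top of this list.
Get-CacheFiles | Sort-Object LastWrite -Descending |
    Format-Table LastWrite, Attributes, Length, SHA256, FullName -AutoSize
```

From a cmd prompt, `dir /a /s` on the same path shows the hidden entries a bare `dir` omits.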
-
More to the ongoing problem of the HTML:IFrame-KT [TRJ] trojan......
I have uninstalled Avast and installed BitDefender, updated it, run a deep scan, BD found nothing.
I uninstalled BD and installed Avast again and did a boot scan. It found HTML:IFrame-KT [TRJ] and I deleted it.
This morning I started up with wifi turned off and let it run for a 1/2 hour, all was well. I turned on wifi and got an Avast hit on HTML:IFrame-KT [TRJ] within a few minutes. I quarantined the virus as usual. Even after the quarantine I get a lot of hard drive activity, so something is going on even with wifi turned off again. I am now certain this is not a false positive. I just can't get rid of the sucker and there seems to be no info on HTML:IFrame-KT [TRJ] on the web.
-
Did you manually delete the contents in safe mode? The Content.IE5 folder is a protected hidden folder in Vista.
Try these two tools:
DrWeb (in safe mode, use F8 key) http://www.freedrweb.com/cureit/
RootRepeal http://ad13.geekstogo.com/RootRepeal.zip
Unzip and run, click on Report at the bottom > Scan > tick all the boxes > OK > C > OK, post the log as an attachment.
-
You could start by telling us what file it was detected in and what location it was in ?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
- Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.
####
When posting URLs to suspect sites, change the http to hXXp so the link isn't active (clickable) avoiding accidental exposure.
-
Did you manually delete the contents in safe mode? The Content.IE5 folder is a protected hidden folder in Vista.
Yes.
Try these two tools:
DrWeb (in safe mode, use F8 key) http://www.freedrweb.com/cureit/
DrWeb found 3 files it says were bad and quarantined them. I think they were javascript files.
Attached is the log.
RootRepeal http://ad13.geekstogo.com/RootRepeal.zip
Unzip and run, click on Report at the bottom > Scan > tick all the boxes > OK > C > OK, post the log as an attachment.
Attached is the report
Note: On restart and reconnection to the internet Avast reported a virus after about 4 minutes. No apparent changes.
-
Further to the above..... I have tried a direct connection to my cable modem, bypassing my wireless router. Both computer and cable modem were reset. The problem persists.
-
Even further to the above.............
If I delete all the folders under \Content.IE5 as soon as I go online the virus hits and 4 new folders are created. I have printed out a listing of these folders and the files in each. I have attached this file listing as a .jpg file.
Maybe now would be a good time to upgrade to Windows 7 after a format! It is just the whole day it would take...grrrr.
-
Your RootRepeal log was unreadable. You could try again, right-click and run as administrator.
Also you could try a couple of rescue discs.
All the download links and instructions are displayed.
Avira will burn straight to disc. Kaspersky is an ISO file, and you will need to burn the image using burning software; there is a download link to ImgBurn (free).
http://www.techmixer.com/kaspersky-rescue-disk-load-kaspersky-antivirus-2009-using-dos/
http://forum.avira.com/wbb/index.php?page=Thread&threadID=82163
It may be wise to use a clean, safe PC to change your passwords.
-
Here is another try at the RootRepeal log. Looks about the same to me, but then I don't know what I'm looking at. I have also edited the registry to prevent startup of a program called TDMIC.EXE. It MAY be the culprit.... stay tuned. I'm going to try one of the cleaners also when I can get my wife's computer away from her for a bit.
-
More to the above. Looks like TDMIC.EXE may be part of the culprit. I have edited it out of the registry on startup and I no longer get a scream from Avast when connecting to the internet.
-
You need to find out what tdmic.exe is - or probably better still remove it from your computer altogether.
Seems it may have been a business accounting program, maybe no longer in use but 'live' enough to generate an alert. I would say edit tdmic out of the registry, just making sure your registry searches do return properly related entries. Perhaps wait for a second opinion on this.
This is what I search and find --
screenshot - whats running tdmic -
hxxp://www.whatsrunning.net/Processes_Range.aspx?Start=T&Stop=U
screenshot - registry tdmic - hxxp://www.pc1news.com/virus/file-tdmic-exe-365008.html
screenshot - alert tdmic - an alert was generated from a Yahoo link for tdmic.exe - (ust.edu).
Whether this has anything to do with your issue is something else again. But I suggest perhaps that the program tdmic.exe is out of date and likely generates what is (now at least) a false positive. So program is best removed from your computer and this may be solution to your problem. Someone else may have more to offer.
-
I could find almost nothing on the internet for TDMIC.EXE and when I look at the properties for this on my computer it shows a modification date of Nov 11 of this year. I have deleted both TDMIC.EXE and TDMIC.DLL from my computer and will delete any references to them in the registry. So far so good. Stay tuned.....
-
PS both Kasperski and Avira returned no hits.
-
Well. I have deleted all references to TDMIC.EXE and TDMIC.DLL in the registry and physically deleted the files from the computer and have had no "hits" for 24 hours now. I have also done a complete cleanup of the HD/registry and a defrag. So I think we are done. No doubt there are some remnants of the evil beast still about but I think it is toast now. Thanks for all the help folks, it is greatly appreciated!
-
I wanted to make sure you saw that comment. When a worm recreates folders or files after deletion, turning on DEP for ALL files will control or prevent that recreation. Glad you killed it.
"one thing that helped me deal with malware and a worm together was to go to system in control panel and under advanced, and then performance is data execution prevention. Turn on DEP for ALL programs. Best way to contain a replicating virus or malware. Like I said above, you need Avast to do that Boot scan to kill a worm, But I am not sure How to do that."