Author Topic: Recurring worm? (Read 18536 times)

BigTree · « **on:** December 14, 2009, 08:24:13 PM »

I keep getting a recurring warning from Avast Home about a Trojan. It hits within 10 minutes of startup. Doesnt matter if email (Outlook) or web browser (Firefox) is running or not as long as my wifi is turned on. Dell notebook with Vista, all up to date. I delete the file every time but it comes back every day. Here is the info....
------------------------------------
File name:
C:\Users\Earl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJFZRDGG\ipaddressd[1].htm
Malware name:
HTML:IFrame-KT [Trj]
Malware type:
Trojan Horse
VPS version:
091211-0, 12/11/2009
------------------------------------
Any help greatly appreciated...its starting to bug me.

Spiritsongs · « **Reply #1 on:** December 14, 2009, 08:41:58 PM »

Hi :

This is a "Situation" where I believe a "2nd Opinion" should be done by using
excellent antiMALWARE programs like Malwarebytes Anti-Malware and
"SUPERAntiSpyware", both of which come in FREE Versions .

pinnacle · « **Reply #2 on:** December 14, 2009, 08:49:29 PM »

another good one to try is Hitman Pro trial version will detect and destroy malware for 30 days http://www.surfright.nl/en/hitmanpro

polonus · « **Reply #3 on:** December 14, 2009, 08:55:53 PM »

Hi BigTree,

Are you getting the avast alert when visiting a specific site with your browser. The flag could be for a re-directing Trojan iFrame exploit on a hacked site. What site do you frequent that could have been injected through malcode?

polonus

BigTree · « **Reply #4 on:** December 14, 2009, 10:18:04 PM »

This happens without visiting any websites, in fact without a browser loaded at all. I have run SupeAntiSpyware and it has found nothing.

YoKenny · « **Reply #5 on:** December 14, 2009, 10:23:33 PM »

Welcome fellow Canadian.

Malwarebytes' Anti-Malware (MBAM) is good to use.

Download it then update its definitions the do a Quick scan and let it remove what it finds.

Post its log here if you like.

BigTree · « **Reply #6 on:** December 14, 2009, 11:15:56 PM »

No joy with Malwarebytes either. Here is the log...
---------------------------------------------------
Malwarebytes' Anti-Malware 1.42
Database version: 3360
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

12/14/2009 2:13:23 PM
mbam-log-2009-12-14 (14-13-23).txt

Scan type: Quick Scan
Objects scanned: 108198
Time elapsed: 11 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

BigTree · « **Reply #7 on:** December 15, 2009, 07:42:10 PM »

I have run a few online scanners as well and nothing shows up but it is still doing it. Avast finds it every time, I delete it every time, and about 3-5 minutes after startup there it is. Could this be a false positive or a file generated by something else?

scythe944 · « **Reply #8 on:** December 15, 2009, 07:44:09 PM »

Have you tried deleting your temporary internet files?

YoKenny · « **Reply #9 on:** December 15, 2009, 09:37:44 PM »

Quote from: scythe944 on December 15, 2009, 07:44:09 PM

Have you tried deleting your temporary internet files?

CCleaner is good at cleaning those out:
http://www.ccleaner.com/download/builds <== - Slim - No Toolbar

BigTree · « **Reply #10 on:** December 15, 2009, 11:45:57 PM »

CC Cleaner run and temp internet files deleted in both MSIE and Firefox. Rebooted and problem still exists.

mkis · « **Reply #11 on:** December 16, 2009, 12:09:42 AM »

From what you have said, I think best to report this file

1. Upload the file to http://www.virustotal.com/

Go to virustotal ---->.Browse for file -----.>Upload and await report----->reply post here

2. I assume from what you have said that you have moved file to the virus chest so it is visible ether in Infected files or User files.

If you go to chest and follow directions.

Right-click file----->choose email to Alwil software------follow directions

The file will be uploaded to avast on the next auto update or you can manual update

Or send a sample to virus@avast.com
- classify file as undetected malware – add link to this topic in the forum
- zip the message and password protect – secure password in the email body

BigTree · « **Reply #12 on:** December 16, 2009, 12:55:32 AM »

I did step 2 as in above.
A curious thing......
This is the location of the file in the Avast log:
C:\Users\Earl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJFZRDGG\ipaddressd[1].htm
When I try to navigate to the file location above to upload it to VirusTotal there is no location below \Temporary Internet Files. In other words I cannot navigate to "\Content.IE5\DJFZRDGG\ipaddressd[1].htm" it appears to not exist!

mkis · « **Reply #13 on:** December 16, 2009, 01:14:09 AM »

Use Windows Explorer search

click Start ---go to Search -- type in (without quotations) 'DJFZRDGG' --press OK

BigTree · « **Reply #14 on:** December 16, 2009, 01:20:15 AM »

Nope, Windows Explorer Search can't find it either.

Author Topic: Recurring worm? (Read 18536 times)

BigTree

Recurring worm?

Spiritsongs

Re: Recurring worm?

pinnacle

Re: Recurring worm?

polonus

Re: Recurring worm?

BigTree

Re: Recurring worm?

YoKenny

Re: Recurring worm?

BigTree

Re: Recurring worm?

BigTree

Re: Recurring worm?

scythe944

Re: Recurring worm?

YoKenny

Re: Recurring worm?

BigTree

Re: Recurring worm?

mkis

Re: Recurring worm?

BigTree

Re: Recurring worm?

mkis

Re: Recurring worm?

BigTree

Re: Recurring worm?