Author Topic: Recurring worm?  (Read 18476 times)


BigTree

  • Guest
Re: Recurring worm?
« Reply #30 on: December 18, 2009, 04:45:39 PM »
More to the ongoing problem of the HTML:IFrame-KT [TRJ] trojan......
I have uninstalled Avast and installed BitDefender, updated it, run a deep scan, BD found nothing.
I uninstalled BD and installed Avast again and did a boot scan. It found HTML:IFrame-KT [TRJ] and I deleted it.
This morning I started up with wifi turned off and let it run for a 1/2 hour, all was well. I turned on wifi and got an Avast hit on HTML:IFrame-KT [TRJ] within a few minutes. I quarantined the virus as usual. Even after the quarantine I get a lot of hard drive activity so something is going on even with wifi turned off again. I am now certain this is not a false positive. I just can't get rid of the sucker and there seems to be no info on HTML:IFrame-KT [TRJ] on the web.

micky77

  • Guest
Re: Recurring worm?
« Reply #31 on: December 18, 2009, 05:00:08 PM »
Did you manually delete the contents in safe mode? The Content.IE5 folder is a protected hidden folder in Vista.

Try these two tools:
DrWeb (in safe mode, use F8 key) http://www.freedrweb.com/cureit/

Rootrepeal. http://ad13.geekstogo.com/RootRepeal.zip
Unzip and run, click on report at the bottom > scan > tick all the boxes > ok > C > ok, post the log as an attachment.

« Last Edit: December 18, 2009, 05:03:37 PM by micky77 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Recurring worm?
« Reply #32 on: December 18, 2009, 05:15:50 PM »
You could start by telling us what file it was detected in and what location it was in?

Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
 
- Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.
####
When posting URLs to suspect sites, change the http to hXXp so the link isn't active (clickable) avoiding accidental exposure.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

BigTree

  • Guest
Re: Recurring worm?
« Reply #33 on: December 19, 2009, 06:19:05 AM »
> Did you manually delete the contents in safe mode? The Content.IE5 folder is a protected hidden folder in Vista.

Yes.

> Try these two tools:
> DrWeb (in safe mode, use F8 key) http://www.freedrweb.com/cureit/

DrWeb found 3 files it says were bad and quarantined them. I think they were javascript files.
Attached is the log.

> Rootrepeal. http://ad13.geekstogo.com/RootRepeal.zip
> Unzip and run, click on report at the bottom > scan > tick all the boxes > ok > C > ok, post the log as an attachment.

Attached is the report.

Note: On restart and reconnection to the internet Avast reported a virus after about 4 minutes. No apparent changes.

BigTree

  • Guest
Re: Recurring worm?
« Reply #34 on: December 19, 2009, 06:41:04 AM »
Further to the above.....I have tried a direct connection to my cable modem, bypassing my wireless router. Both computer and cable modem were reset. The problem persists.

BigTree

  • Guest
Re: Recurring worm?
« Reply #35 on: December 19, 2009, 07:49:11 AM »
Even further to the above.............
If I delete all the folders under \Content.IE5 as soon as I go online the virus hits and 4 new folders are created. I have printed out a listing of these folders and the files in each. I have attached this file listing as a .jpg file.
Maybe now would be a good time to upgrade to Windows 7 after a format! It is just the whole day it would take...grrrr.

micky77

  • Guest
Re: Recurring worm?
« Reply #36 on: December 19, 2009, 03:42:12 PM »
Your Rootrepeal log was unreadable. You could try again, right click and run as administrator.
Also you could try a couple of rescue discs.
All the download links and instructions are displayed.
Avira will burn straight to disc. Kaspersky is in an ISO file, and you will need to burn the image using burning software; there is a download link to ImgBurn (free).

http://www.techmixer.com/kaspersky-rescue-disk-load-kaspersky-antivirus-2009-using-dos/

http://forum.avira.com/wbb/index.php?page=Thread&threadID=82163

It may be wise to use a clean safe PC to change your passwords.

BigTree

  • Guest
Re: Recurring worm?
« Reply #37 on: December 19, 2009, 06:28:55 PM »
Here is another try at the RootRepeal log. Looks about the same to me, but then I don't know what I'm looking at. I have also edited the registry to prevent startup of a prg called TDMIC.EXE. It MAY be the culprit....stay tuned. I'm going to try one of the cleaners also when I can get my wife's computer away from her for a bit.

BigTree

  • Guest
Re: Recurring worm?
« Reply #38 on: December 19, 2009, 06:48:33 PM »
More to the above. Looks like TDMIC.EXE may be part of the culprit. I have edited it out of the registry on startup and I no longer get a scream from Avast when connecting to the internet.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Recurring worm?
« Reply #39 on: December 19, 2009, 09:04:02 PM »
You need to find out what tdmic.exe is - or probably better still remove it from your computer altogether.

Seems it may have been a business accounting program, maybe no longer in use but 'live' enough to generate an alert. I would say edit tdmic out of registry, just making sure your registry searches do return properly related entries. Perhaps wait for a second opinion on this.

This is what I search and find --

screenshot - whats running tdmic  -
hxxp://www.whatsrunning.net/Processes_Range.aspx?Start=T&Stop=U

screenshot - registry tdmic -  hxxp://www.pc1news.com/virus/file-tdmic-exe-365008.html

screenshot - alert tdmic - an alert was generated from a Yahoo link for tdmic.exe - (ust.edu).
Whether this has anything to do with your issue is something else again. But I suggest perhaps that the program tdmic.exe is out of date and likely generates what is (now at least) a false positive. So the program is best removed from your computer and this may be the solution to your problem. Someone else may have more to offer.
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

BigTree

  • Guest
Re: Recurring worm?
« Reply #40 on: December 19, 2009, 09:32:53 PM »
I could find almost nothing on the internet for TDMIC.EXE and when I look at the properties for this on my computer it shows a modification date of Nov 11 of this year. I have deleted both TDMIC.EXE and TDMIC.DLL from my computer and will delete any references to them in the registry. So far so good. Stay tuned.....

BigTree

  • Guest
Re: Recurring worm?
« Reply #41 on: December 19, 2009, 09:34:17 PM »
PS both Kaspersky and Avira returned no hits.

BigTree

  • Guest
Re: Recurring worm?
« Reply #42 on: December 20, 2009, 05:05:15 PM »
Well. I have deleted all reference to TDMIC.EXE and TDMIC.DLL in the registry and physically deleted the files from the computer and have had no "hits" for 24 hours now. I have also done a complete cleanup of the hd/registry and defrag. So I think we are done. No doubt there are some remnants of the evil beast still about but I think it is toast now. Thanks for all the help folks it is greatly appreciated!
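
The check that paid off in this thread was looking at what starts with Windows: a startup entry (TDMIC.EXE) whose file had a recent modification date. As an added example, not part of the original posts: a PowerShell script that lists Run/RunOnce entries with each target file's last-modified time and Authenticode status, so a recently changed or unsigned startup program stands out. The list of keys and the helper name Get-CommandTarget are choices made for this example; other autostart locations (services, scheduled tasks, Startup folders) are not covered.

```powershell
# Added example: audit Run/RunOnce autostart entries, newest target file first.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: pull the executable path out of a Run value.
function Get-CommandTarget([string]$Command) {
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"')    { return $Matches[1] }  # "C:\path with spaces\app.exe" /args
    if ($expanded -match '^\s*(.+?\.exe)\b') { return $Matches[1] }  # C:\path\app.exe /args
    return ($expanded.Trim() -split '\s+')[0]                        # anything else: first token
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd  = [string]$item.GetValue($name)
        $path = Get-CommandTarget $cmd
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        $sig  = if ($file) { (Get-AuthenticodeSignature -FilePath $file.FullName).Status } else { 'n/a' }
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Command   = $cmd
            Exists    = [bool]$file
            Modified  = if ($file) { $file.LastWriteTime } else { $null }
            Signature = $sig
        }
    }
}

# Entries whose file is missing, unsigned, or modified recently deserve a closer look.
$entries | Sort-Object Modified -Descending | Format-List
```

An entry being unsigned or recently modified is only a lead: check the file itself before disabling or deleting it, and export the registry value first so the change can be undone.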

jeffj4873

  • Guest
Re: Recurring worm?
« Reply #43 on: December 23, 2009, 12:01:55 AM »
I wanted to make sure you saw that comment. When a worm recreates folders or files after deletion, turning on DEP for ALL files will control or prevent that recreation. Glad you killed it.




"One thing that helped me deal with malware and a worm together was to go to System in Control Panel and under Advanced, and then Performance, is Data Execution Prevention. Turn on DEP for ALL programs. Best way to contain a replicating virus or malware. Like I said above, you need Avast to do that boot scan to kill a worm, but I am not sure how to do that."