01-26-2010 02:26 PM - edited 01-26-2010 02:40 PM
My brother has been using this computer lately and last Sunday, two Trojans got into the computer. Only today did Norton warn him about it and he then called me to check what it was. I've scanned the computer and there wasn't anything since the two files had already been quarantined. The log says they got in on the 24th though.
Origin: updater.exe
File created: firefox.exe
File created: b9048f6cd01
Do you guys reckon this one might be a fake alert? The other one was already in the recycle bin so I can't really guess what it was.
Anyway, I'm mainly worried about the fact that my mum used this same computer today for banking related stuff. The website encrypts the information before sending it (HTTPS) like most bank websites nowadays, I presume. But anyway, what do you guys think? Norton only warned my brother after my mum had been here so I'm not so sure of what should be done.
I'd appreciate any help.
Note:
d:\$recycle.bin\s-1-5-21-835539555-2870139527-1052
File actions:
Infected File: d:\$recycle.bin\s-1-5-21-835539555-2870139527-1052
Removed
c:\users\joão\appdata\local\mozilla\firefox\profil
File Actions
Infected Files: c:\users\joão\appdata\local\mozilla\firefox\profil
Removed
My Norton is in Portuguese so I thought I'd just copy these parts. Regarding what the file "supposedly" did, nothing shows up besides the name of the file and the fact that it was removed.
01-26-2010 02:40 PM
Hi Tivale
If you think it is a false positive, you can submit the file to Symantec for further analysis
follow the instructions here https://submit.symantec.com/dispute/false_positive
If you think that the file might be infected, please submit it to Symantec over here:
https://submit.symantec.com/websubmit/retail.cgi
If you want a faster (but non-human) analysis, then you can go to Threat Expert:
http://www.threatexpert.com/submit.aspx
If you would like to check to make sure your computer is clean, you can run a full scan with the free version of Malwarebytes and see how that comes out. Please post the log after the scan. Thanks
Download the free version, install and update then run a FULL scan. After the scan completes you should post the logs back to this thread.
You can find Malwarebytes here
http://www.filehippo.com/download_malwarebytes_ant
It is a safer location to get the program from than Malwarebytes themselves because the malware writers sometimes block the security programs' websites.
Success always occurs in private and failure in full view.
01-26-2010 03:12 PM - edited 01-26-2010 03:19 PM
Malwarebytes' Anti-Malware 1.44
Database version: 3642
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
26/01/2010 23:09:32
mbam-log-2010-01-26 (23-09-23).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 186021
Time elapsed: 24 minute(s), 43 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\setup.exe (Rogue.Installer) -> No action taken.
Here's the log from Malwarebytes. I really am clueless as to what that file is. Can I just delete it?
The file says it was created on the 26th of March. I installed Windows 7 on this before Christmas this year. Shouldn't it have been created around that time?
01-26-2010 03:50 PM
Go back into Malwarebytes and have it remove the file. That will clear it from your system. Did you install Win 7 over Vista?
01-26-2010 03:54 PM
Nope, I formatted and installed Seven. I'm just going to reboot in order to remove the file.
Incidentally, do you reckon this might pose a problem to what I've said earlier? (About my mum having used the computer to log into her bank account)
01-26-2010 04:09 PM
That's a good question, but I don't have an answer for it. MBAM does throw the occasional false positives. It is an odd entry to see in program files. When in doubt, change your password. It's better to be safe than sorry.
01-26-2010 04:16 PM
Thanks a lot for all the help guys!
01-26-2010 04:23 PM
You're welcome. Come back again if you have any more problems and open up a new thread. Glad you got it checked out ok.
01-26-2010 04:27 PM
Sometimes files can show a date from before the program was installed, like some drivers.
Since the year 2004 I have had to buy a new hard drive and then installed Windows from CD; after that I just recovered and transferred personal data and files over, etc.
Yet the file has a date of 2004.
Quads
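The timestamp puzzle raised above (a file in Program Files dated 26 March on a machine reinstalled before Christmas) comes down to how timestamps travel with files: copying, archive extraction and installer payloads routinely preserve the original modification time, so a file's date says little about when it arrived on this disk. The script below is an added example, not code from the thread or from any of the tools mentioned; it fabricates a file, stamps it with an old date, and shows that a timestamp-preserving copy (shutil.copy2) still "predates" an assumed install date while a plain copy (shutil.copy) does not. The install date and the file name are assumptions chosen for the demonstration.

```python
import os
import shutil
import tempfile
from datetime import datetime, timezone


def set_mtime(path, when):
    """Stamp a file with the given modification time (and access time)."""
    ts = when.timestamp()
    os.utime(path, (ts, ts))


def mtime_of(path):
    """Return the file's modification time as a timezone-aware datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def predates_install(path, install_time):
    """True if the file's mtime is older than the (assumed) OS install time.

    A True result is a prompt to look closer, not proof the file was
    present before the install: preserved timestamps produce it too.
    """
    return mtime_of(path) < install_time


def demo(install_time=datetime(2009, 12, 20, tzinfo=timezone.utc)):
    """Build a throwaway file dated 2004, copy it two ways, compare results.

    install_time is an assumed value standing in for 'reinstalled before
    Christmas'; nothing here reads the real system.
    """
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed sample: a fake executable with an old timestamp.
        original = os.path.join(workdir, "setup.exe")
        with open(original, "wb") as fh:
            fh.write(b"MZ constructed sample, not a real binary")
        set_mtime(original, datetime(2004, 3, 26, tzinfo=timezone.utc))

        # copy2 preserves the source timestamps, as archive extractors and
        # many installers do; copy writes fresh metadata (mtime = now).
        preserved = os.path.join(workdir, "preserved.exe")
        fresh = os.path.join(workdir, "fresh.exe")
        shutil.copy2(original, preserved)
        shutil.copy(original, fresh)

        return {
            "original": predates_install(original, install_time),
            "copy2_preserved": predates_install(preserved, install_time),
            "copy_fresh": predates_install(fresh, install_time),
        }


if __name__ == "__main__":
    for name, older in demo().items():
        print(f"{name}: mtime predates install = {older}")
```

The practical reading: when an old date turns up on a file you did not expect, treat it as a reason to check the file's origin (publisher signature, the installer that dropped it, a scan of its contents) rather than as evidence either way about when it was dropped.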
