Misdetection of a Trojan-Downloader

Complete scanning result of “hldrrr.exe”, received in VirusTotal at 05.15.2007, 22:30:50 (CET).

| Antivirus | Version | Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.5.15.1 | 05.15.2007 | no virus found |
| AntiVir | 7.4.0.15 | 05.15.2007 | no virus found |
| Authentium | 4.93.8 | 05.15.2007 | no virus found |
| Avast | 4.7.997.0 | 05.15.2007 | no virus found |
| AVG | 7.5.0.467 | 05.15.2007 | Downloader.Generic4.OAR |
| BitDefender | 7.2 | 05.15.2007 | Win32.Bagle.SRF@mm |
| CAT-QuickHeal | 9.00 | 05.15.2007 | (Suspicious) - DNAScan |
| ClamAV | devel-20070416 | 05.15.2007 | no virus found |
| DrWeb | 4.33 | 05.15.2007 | Win32.HLLM.Beagle |
| eSafe | 7.0.15.0 | 05.15.2007 | suspicious Trojan/Worm |
| eTrust-Vet | 30.7.3634 | 05.15.2007 | Win32/Glieder.FJ |
| Ewido | 4.0 | 05.15.2007 | no virus found |
| FileAdvisor | 1 | 05.15.2007 | no virus found |
| Fortinet | 2.85.0.0 | 05.15.2007 | suspicious |
| F-Prot | 4.3.2.48 | 05.15.2007 | no virus found |
| F-Secure | 6.70.13030.0 | 05.15.2007 | Trojan-Downloader.Win32.Bagle.bv |
| Ikarus | T3.1.1.7 | 05.15.2007 | no virus found |
| Kaspersky | 4.0.2.24 | 05.15.2007 | Trojan-Downloader.Win32.Bagle.bv |
| McAfee | 5031 | 05.15.2007 | New Poly Win32 |
| Microsoft | 1.2503 | 05.15.2007 | no virus found |
| NOD32v2 | 2268 | 05.15.2007 | Win32/Bagle.IM |
| Norman | 5.80.02 | 05.15.2007 | W32/Malware.TFJ |
| Panda | 9.0.0.4 | 05.15.2007 | Trj/Mitglieder.OC |
| Prevx1 | V2 | 05.15.2007 | no virus found |
| Sophos | 4.17.0 | 05.11.2007 | no virus found |
| Sunbelt | 2.2.907.0 | 05.12.2007 | VIPRE.Suspicious |
| Symantec | 10 | 05.15.2007 | no virus found |
| TheHacker | 6.1.6.115 | 05.15.2007 | no virus found |
| VBA32 | 3.12.0 | 05.15.2007 | no virus found |
| VirusBuster | 4.3.7:9 | 05.15.2007 | no virus found |
| Webwasher-Gateway | 6.0.1 | 05.15.2007 | Win32.Malware.gen (suspicious) |

Additional Information
File size: 225762 bytes
MD5: ca6ae88923b375f0084ffeb866d1f1fb
SHA1: f3a74b2bee4933ffe6ef3b1ff575307963543db0
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
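As an added example (not part of the thread), a small Python script that parses the whitespace-separated rows VirusTotal produced at the time (Antivirus, Version, Update, Result) and tallies which engines detected the sample, which missed it, and whose signatures were stale relative to the scan date. The embedded sample is a subset of the rows from the report above; the two-day staleness threshold is an assumption.

```python
"""Tally a pasted VirusTotal text report: detections, misses and stale signatures."""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: a subset of the rows pasted in the thread, in the original
# layout "Engine Version MM.DD.YYYY Result" (the result itself may contain spaces).
SAMPLE_REPORT = """\
Antivirus Version Update Result
Avast 4.7.997.0 05.15.2007 no virus found
AVG 7.5.0.467 05.15.2007 Downloader.Generic4.OAR
BitDefender 7.2 05.15.2007 Win32.Bagle.SRF@mm
CAT-QuickHeal 9.00 05.15.2007 (Suspicious) - DNAScan
F-Secure 6.70.13030.0 05.15.2007 Trojan-Downloader.Win32.Bagle.bv
Kaspersky 4.0.2.24 05.15.2007 Trojan-Downloader.Win32.Bagle.bv
McAfee 5031 05.15.2007 New Poly Win32
Sophos 4.17.0 05.11.2007 no virus found
Sunbelt 2.2.907.0 05.12.2007 VIPRE.Suspicious
Symantec 10 05.15.2007 no virus found
"""


@dataclass
class Verdict:
    engine: str
    version: str
    updated: datetime
    result: str

    @property
    def detected(self) -> bool:
        # VirusTotal printed exactly this string for a clean verdict; anything else
        # (named family, generic or heuristic flag) counts as a detection.
        return self.result.strip().lower() != "no virus found"


def parse_report(text: str) -> list[Verdict]:
    """Parse rows of 'Engine Version MM.DD.YYYY Result...'; the header row is skipped."""
    verdicts = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)  # result keeps its internal spaces
        if len(parts) < 4 or parts[0] == "Antivirus":
            continue
        engine, version, updated, result = parts
        verdicts.append(Verdict(engine, version, datetime.strptime(updated, "%m.%d.%Y"), result))
    return verdicts


def summarize(verdicts: list[Verdict], scan_date: str, stale_days: int = 2) -> dict:
    """Detection ratio, engines that missed, and engines whose signatures predate the scan by more than stale_days."""
    scanned = datetime.strptime(scan_date, "%m.%d.%Y")
    detected = [v.engine for v in verdicts if v.detected]
    missed = [v.engine for v in verdicts if not v.detected]
    stale = [v.engine for v in verdicts if (scanned - v.updated).days > stale_days]
    return {"ratio": f"{len(detected)}/{len(verdicts)}", "detected": detected,
            "missed": missed, "stale": stale}


if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT), "05.15.2007"))
```

A stale engine that still fires (Sunbelt here) is a heuristic hit rather than a signature for this sample, which is why the two lists are reported separately.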

Is it something you found on your computer, Tech?

Yes… It’s unbelievable… :-[ :-[ :-[

Do you need help with it?

Where did you find it (location) and with what/how?

No, apparently it can be deleted and it’s not replicating…
Sorry, I did not mention the path: C:\Windows\System32\ folder
I’ve detected it only with SuperAntispyware and nothing else…

Oh, I need a better avast detection :cry:

You might want to check for a folder named c:/windows/system32/exefld just to play it safe. If present it was created by the worm.

This one could almost be based on file name alone …

I don’t have this folder…

I wonder how it got past DropMyRights unless you aren't using it for all applications that connect to the internet?

Sounds good … 8)

Bad news…
I have C:\WINDOWS\exefld :cry:

Could it be time for another acronis restore image ???

I know you already know this but a scan with either SuperAntiSpyware or AVG AntiSpyWare, followed by a HJT log, is in order.

You already have links for SAS and AVG AS - I'll save you the trouble of finding one for HJT (this is just the canned verbiage)

Click here to download HJTsetup.exe

1. Save HJTsetup.exe to your desktop.
2. Double-click on the HJTsetup.exe icon on your desktop.
3. By default it will install to C:\Program Files\Hijack This.
4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
5. Put a check by Create a desktop icon then click Next again.
6. Continue to follow the rest of the prompts from there.
7. At the final dialogue box click Finish and it will launch Hijack This.
8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
9. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
10. Come back here to this thread and paste the log in your next reply.
11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

But the question is how did it get to your computer ???
Aren't you using Comodo Firewall?

Al968

Hi Tech,

After the evaluation of your HJT log and forwarding the infected file to Avast, you could download this removal tool: http://www.softpedia.com/get/Antivirus/WinBagleALmm-free-removal-tool.shtml

polonus

Thanks Polonus, I'll do it. I'm not used to cleaning infections on my own computer ;D

Avast still does not detect this one… :cry:
http://forum.avast.com/index.php?topic=28690.msg234628#msg234628

Looks like it's time for the new submission system :wink:

Al968