Recurring worm?

I keep getting a recurring warning from Avast Home about a Trojan. It hits within 10 minutes of startup. Doesn't matter if email (Outlook) or web browser (Firefox) is running or not, as long as my wifi is turned on. Dell notebook with Vista, all up to date. I delete the file every time but it comes back every day. Here is the info…

File name:
C:\Users\Earl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJFZRDGG\ipaddressd[1].htm
Malware name:
HTML:IFrame-KT [Trj]
Malware type:
Trojan Horse
VPS version:
091211-0, 12/11/2009

Any help greatly appreciated…it's starting to bug me.

Hi:

This is a “Situation” where I believe a “2nd Opinion” should be done by using
excellent antiMALWARE programs like Malwarebytes Anti-Malware and
“SUPERAntiSpyware”, both of which come in FREE Versions .

Another good one to try is Hitman Pro; the trial version will detect and destroy malware for 30 days: http://www.surfright.nl/en/hitmanpro

Hi BigTree,

Are you getting the avast alert when visiting a specific site with your browser? The flag could be for a re-directing Trojan iFrame exploit on a hacked site. What site do you frequent that could have been injected with malcode?

polonus

This happens without visiting any websites, in fact without a browser loaded at all. I have run SuperAntiSpyware and it has found nothing.

Welcome fellow Canadian.

Malwarebytes’ Anti-Malware (MBAM) is good to use.

Download it, then update its definitions, then do a Quick scan and let it remove what it finds.

Post its log here if you like.

No joy with Malwarebytes either. Here is the log…

Malwarebytes’ Anti-Malware 1.42
Database version: 3360
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

12/14/2009 2:13:23 PM
mbam-log-2009-12-14 (14-13-23).txt

Scan type: Quick Scan
Objects scanned: 108198
Time elapsed: 11 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I have run a few online scanners as well and nothing shows up but it is still doing it. Avast finds it every time, I delete it every time, and about 3-5 minutes after startup there it is. Could this be a false positive or a file generated by something else?

Have you tried deleting your temporary internet files?

CCleaner is good at cleaning those out:
http://www.ccleaner.com/download/builds <== - Slim - No Toolbar

CCleaner run and temp internet files deleted in both MSIE and Firefox. Rebooted and problem still exists.

From what you have said, I think it best to report this file.

  1. Upload the file to http://www.virustotal.com/

Go to VirusTotal ----> Browse for file ----> Upload and await report ----> reply post here

  2. I assume from what you have said that you have moved the file to the virus chest, so it is visible either in Infected files or User files.

If you go to the chest and follow directions:

Right-click file----->choose email to Alwil software------follow directions

The file will be uploaded to avast on the next auto update, or you can manually update.

Or send a sample to virus@avast.com

  • classify file as undetected malware – add link to this topic in the forum
  • zip the message and password protect – secure password in the email body

I did step 2 as in above.
A curious thing…
This is the location of the file in the Avast log:
C:\Users\Earl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJFZRDGG\ipaddressd[1].htm
When I try to navigate to the file location above to upload it to VirusTotal, there is no location below \Temporary Internet Files. In other words, I cannot navigate to “\Content.IE5\DJFZRDGG\ipaddressd[1].htm”; it appears to not exist!

Use Windows Explorer search

Click Start --> go to Search --> type in (without quotations) ‘DJFZRDGG’ --> press OK

Nope, Windows Explorer Search can’t find it either.

Here is the log of the scan done in the quarantine folder…

Scanning of selected files

Program will try to scan 1 selected file(s) in the Chest

Move files to temporary folder: C:\Users\Earl\AppData\Local\Temp_avast4_\unp13986436.tmp
FileID: 0000000006 Original file name: C:\Users\Earl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\23P2M67H\newer[1].htm New folder: C:\Users\Earl\AppData\Local\Temp_avast4_\unp13986436.tmp\6.htm

Scan files in the temporary folder: C:\Users\Earl\AppData\Local\Temp_avast4_\unp13986436.tmp
C:\Users\Earl\AppData\Local\Temp_avast4_\unp13986436.tmp\6.htm HTML:IFrame-KT [Trj]

Action was completed successfully!

You could try this - you will need to download Defraggler, so you may have to do so on a different, clean computer and transfer it to your system with a flash drive. So take adequate precautions to prevent virus spread through the flash drive having been connected to your computer.

http://www.filehippo.com/download_defraggler/

Anyways, once Defraggler is set up and running, click Analyze for a reading of your system drive (Drive C: - for most people).

This should bring the difficult file to the surface - click View Files and look under the Filename column for the file.
(screenshot shows files in Content.IE5 on this computer highlighted by red arrows - I will choose file ‘prototype [1].js’ as my example)

If the file is located, right-click the file and choose Open Containing Folder.
This will give you a tree hierarchy of your computer in a left-hand pane and the files contained in the folder in a right-hand pane. (The next screenshot shows the file and containing folder in red circles with a red line connecting the two. You will now be able to take action.)

I have found this method to be one of the best ways to search for files that are contained in Content.IE5 location.

I’m sending this through from a client's computer, so now I continue to clean up his system. This folder 7AI3X128 can be deleted as it is superfluous to the smooth running of the system.

Edited post -

Response to the above post…more stuff learned.
Using the above method I was able to locate the Content.IE5 folder and delete all the folders under it except one…33G7C990. I was not able to delete that folder because the system said that a file in that folder was in use by another program. I entered that folder and was able to delete all files but one…IPADDRESSD[1].HTM.
Again the system says the file is in use by another program. There were no user programs running but the file browser. This is the same file that shows up in the Avast logs. The mystery continues…

Further to above…
If I use the cmd prompt and navigate to Content.IE5, a DIR command finds nothing.
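The Content.IE5 cache folders carry hidden and system attributes, which is why Explorer, its search and a plain DIR show nothing there. The script below is an added example (not from any poster in this thread): it lists the cache entries with -Force so hidden/system items appear, tests which ones are currently locked by another process (the "in use" symptom above), and computes a SHA1 per file so a sample can be looked up on VirusTotal by hash instead of uploaded. It assumes a Vista-era PowerShell 2.0 with certutil available, and the cache path under %LOCALAPPDATA% as quoted in the Avast log.

```powershell
# Added example, not part of the original thread. Run from an elevated PowerShell.
# Cache path as shown in the Avast log (assumed to live under %LOCALAPPDATA%).
$cache = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files\Content.IE5'

# -Force makes hidden/system entries visible; without it the folder looks empty.
$files = Get-ChildItem -Path $cache -Recurse -Force -ErrorAction SilentlyContinue |
         Where-Object { -not $_.PSIsContainer }

$files | ForEach-Object {
    $f = $_
    $locked = $false
    try {
        # Opening with FileShare.None fails if another process already has the file open.
        $fs = $f.Open([System.IO.FileMode]::Open,
                      [System.IO.FileAccess]::Read,
                      [System.IO.FileShare]::None)
        $fs.Close()
    } catch {
        $locked = $true
    }

    # certutil prints the hex digest on its own line (spaced on older versions); strip the spaces.
    $hashLine = certutil -hashfile $f.FullName SHA1 | Select-String -Pattern '^[0-9a-fA-F ]+$'
    $hash = if ($hashLine) { $hashLine.Line -replace ' ', '' } else { 'n/a' }

    New-Object PSObject -Property @{
        Locked = $locked
        Size   = $f.Length
        Attrs  = $f.Attributes
        SHA1   = $hash
        Path   = $f.FullName
    }
} | Sort-Object Locked -Descending | Format-Table -AutoSize Locked, Size, Attrs, SHA1, Path
```

Locked entries at the top of the table are the ones to investigate; a locked .htm in a cache folder with no browser running points at whatever process holds the handle, and the SHA1 lets you check VirusTotal without sending the file itself.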

Just run CCleaner and it will clean out IE’s Temp files:
CCleaner v2.26.1050 - Slim