
Rooting Out Trojan.swfdl.a


This topic is locked. 4 replies to this topic.

#1 rogbngp

Posted 26 December 2006 - 08:16 AM

Hi there :thumbsup:

Bullguard found this trojan on my wife's computer but can't seem to quarantine or delete it. Found a thread on it here, and here's the Hijackthis log. Hope someone can tell me how to proceed, and thanks in advance for the great work you're all doing here:

Logfile of HijackThis v1.99.1
Scan saved at 7:48:38 AM, on 12/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BullGuard Software\BullGuard\bullguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\drivers and applications\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150668537609
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Btw, here are the instructions I have received so far from Bullguard:

I have examined the scan report you have submitted to us. Below
are instructions on how to get rid of the remaining infections
from your computer.

Delete the contents of all folders containing temporary files
(namely the TEMP and Temporary Internet Files folders) by running
the Disk Cleanup utility (Start > All Programs > Accessories >
System Tools > Disk Cleanup), as they are the perfect places for
viruses and other malware to hide.

C:\Documents and Settings\Administrator\Local Settings\Temporary
Internet Files\

To make sure that you find the above mentioned files you need to
enable the "Show hidden files and folders" option.

Just open My Computer, click on Tools > Folder Options and
choose the View tab. Search for the option mentioned above and make
sure it is enabled (checked).

If the files cannot be deleted in Normal Mode, please enter Safe
Mode and delete them from there.

In order to enter Windows Safe Mode, please do the following:

1. Restart your computer.
2. During restart keep the F8 key pressed. A blank screen with
options will appear.
3. Choose the "Safe Mode" option (you will also see "Safe Mode
with Networking" and other options, but please do NOT select
them).
4. Windows will start with a slightly different look, because of
the modified display settings. Do not attempt to change them,
they are temporary.

Also, please follow the instructions from this link in order to
find out how to properly empty the BullGuard Quarantine folder:
http://www.bullguard.com/support/tip_quarantine.aspx


After performing the above actions, make sure you empty the
Recycle Bin folder on each user account (right click on it and
select “Empty Recycle Bin”) so that the virus is completely
removed.

If you encounter any difficulties, please get back to us and we
will do our best to assist.

Thank you for your cooperation.


I was able to delete the temporary files in normal mode, and didn't have to enter safe mode as described above. The procedure didn't work though, as the next virus scan showed trojan.swfdl.a still on the computer.

After sending that scan log to BullGuard, this is their response:

I have analyzed the scan report you sent us and here is what you
need to do in order to remove the remaining infections from your
computer:

1. Please open your computer in Safe Mode (to do that, keep
pressing the "F8" key before Windows will load).
2. While in Safe Mode, go to the following locations and
manually delete these infections by selecting them and pressing
Shift+Del:

- the content of this folder:
C:\Documents and Settings\Administrator\Local Settings\Temporary
Internet Files\Content.IE5

After performing all of the above, restart your computer in
Normal Mode.

Also, please:
>> follow the instructions from this link in order to find out
how to properly empty the BullGuard Quarantine folder:
http://www.bullguard.com/support/tip_quarantine.aspx

>> run another full scan of your computer to ensure it is
virus-free.

If the problem persists, do not hesitate to contact us again and
remember to send us the scan report.

Thank you for your cooperation.


which I will have to do when I get home this evening.

Not sure if this is worth noting, but prior to running the scan where I first detected the virus, I had just upgraded the computer's browser from a lower version of Internet Explorer (5.0? - it's a 10-year-old Dell) to IE 7.0.

Anyway, thanks for any help you can give me in trying to isolate and delete this pesky file!


#2 miekiemoes (Malware Response Team)

Posted 26 December 2006 - 08:43 AM

Hi,

Can you tell me what exactly Bullguard flags as the Trojan.swfdl.a?
What file and where is it present? Reason I am asking is, it could be possible that this is a false positive, especially when I read that the problem started after you updated your Internet Explorer to version 7.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 rogbngp (Topic Starter)

Posted 26 December 2006 - 05:11 PM

Thanks!

Well, here is the BullGuard logfile:

2006/12/25 16:34:45 | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2PXEJ6XO\sp2-fastclick-300[1].swf [AUTO BLOCKED] [process: 2356.C:\WINDOWS\system32\cleanmgr.exe] [user: Administrator] [op: OPEN]
2006/12/25 16:34:45 | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2PXEJ6XO\sp2-fastclick-300[1].swf=>[SWF command] [BLOCKED] [process: 2356.C:\WINDOWS\system32\cleanmgr.exe] [user: Administrator] [virus: Trojan.SwfDL.A] [op: OPEN]
2006/12/25 16:55:44 | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2PXEJ6XO\sp2-fastclick-300[1].swf=>[SWF command] [BLOCKED] [process: 2924.C:\Program Files\BullGuard Software\BullGuard\BgNewsUI.exe] [user: Administrator] [virus: Trojan.SwfDL.A] [op: OPEN]
2006/12/25 16:55:44 | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2PXEJ6XO\sp2-fastclick-300[1].swf [AUTO BLOCKED] [process: 2924.C:\Program Files\BullGuard Software\BullGuard\BgNewsUI.exe] [user: Administrator] [op: OPEN]
2006/12/25 17:13:09 | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2PXEJ6XO\sp2-fastclick-300[1].swf=>[SWF command] [BLOCKED] [process: 3292.C:\WINDOWS\system32\DfrgNtfs.exe] [user: Administrator] [virus: Trojan.SwfDL.A] [op: OPEN]
2006/12/25 18:28:59 | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2PXEJ6XO\sp2-fastclick-300[1].swf=>[SWF command] [BLOCKED] [process: 3292.C:\WINDOWS\system32\DfrgNtfs.exe] [user: Administrator] [virus: Trojan.SwfDL.A] [op: OPEN]


But I am unable to find a folder named "Content.IE5" in C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files. I had just performed Disk Cleanup (deleting the Temporary Internet Files) and defragmented the C drive prior to the virus scan, FWIW.
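As an added triage helper (not from the thread or from BullGuard), this Python script parses lines in the BullGuard log format quoted above and groups the events by flagged file, reporting the Content.IE5 subfolder to look in, the detection name, and which processes triggered the on-access block. The sample lines are constructed from the format shown; the field names in the regex are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the log format BullGuard produced in the thread (not the poster's full log).
SAMPLE_LOG = r"""
2006/12/25 16:34:45 | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2PXEJ6XO\sp2-fastclick-300[1].swf [AUTO BLOCKED] [process: 2356.C:\WINDOWS\system32\cleanmgr.exe] [user: Administrator] [op: OPEN]
2006/12/25 16:34:45 | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2PXEJ6XO\sp2-fastclick-300[1].swf=>[SWF command] [BLOCKED] [process: 2356.C:\WINDOWS\system32\cleanmgr.exe] [user: Administrator] [virus: Trojan.SwfDL.A] [op: OPEN]
2006/12/25 17:13:09 | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2PXEJ6XO\sp2-fastclick-300[1].swf=>[SWF command] [BLOCKED] [process: 3292.C:\WINDOWS\system32\DfrgNtfs.exe] [user: Administrator] [virus: Trojan.SwfDL.A] [op: OPEN]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<path>.+?)(?:=>\[(?P<layer>[^\]]*)\])? "      # the "=>[SWF command]" part is optional
    r"\[(?P<verdict>[A-Z ]+)\] "
    r"\[process: (?P<pid>\d+)\.(?P<process>[^\]]+)\] "
    r"\[user: (?P<user>[^\]]+)\] "
    r"(?:\[virus: (?P<virus>[^\]]+)\] )?"                # only present on the detection line
    r"\[op: (?P<op>[^\]]+)\]$"
)

def parse_line(line):
    """Fields of one log line as a dict, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def cache_subfolder(path):
    """Name of the randomly named Content.IE5 subfolder holding the file, or None."""
    parts = path.split("\\")
    for i in range(len(parts) - 2):
        if parts[i].lower() == "content.ie5":
            return parts[i + 1]
    return None

def summarize(log_text):
    """Group events by flagged file: detection names, touching processes, event count."""
    report = defaultdict(lambda: {"viruses": set(), "processes": set(), "events": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = report[rec["path"]]
        entry["events"] += 1
        entry["subfolder"] = cache_subfolder(rec["path"])
        entry["processes"].add(rec["process"].rsplit("\\", 1)[-1].lower())
        if rec["virus"]:
            entry["viruses"].add(rec["virus"])
    return dict(report)
```

Calling summarize(SAMPLE_LOG) yields a single entry: one cached SWF in subfolder 2PXEJ6XO, flagged as Trojan.SwfDL.A, and opened only by Disk Cleanup and the defragmenter, which is consistent with the scan firing each time those tools touched the cache.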

#4 miekiemoes (Malware Response Team)

Posted 26 December 2006 - 05:38 PM

These logs are confusing from Bullguard.

I guess Bullguard is having problems with deleting swf files. You can easily delete them manually though.

To get into your Content.IE5 cache, just go to Start > Run and copy and paste the following command into the field:

shell:cache\content.ie5

Or alternatively, copy and paste this address into your Windows Explorer address bar (not your Internet Explorer address bar):

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5

It's present in the 2PXEJ6XO subfolder, so actually you may delete the entire 2PXEJ6XO subfolder there.

#5 miekiemoes (Malware Response Team)

Posted 04 January 2007 - 12:02 PM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.