Trojan detected

Hi all!


First of all, it's the first time I'm writing here so I hope I'm writing in the right category.

Anyway, yesterday I ran a quick scan with Malwarebytes Anti-Malware and it detected something named Trojan.Hiloti. Well, I have no idea what this thing is so I want to know, is it something very dangerous? Should I change my passwords?

Please excuse me for any mistakes.

122,865 views 82 replies
Reply #1

H4wk13:

Welcome! You did just fine with the post. You could also post this in General, but that doesn't matter at all.

A simple search led to this (and many more) result:

http://answers.microsoft.com/en-us/protect/forum/protect_scanning/another-one-slips-through-the-cracks-trojanhiloti/6d9a9bd0-9a63-41f3-8093-1259cc2f0364

More led to this explanation (referenced):

"Trojan.Hiloti is the latest malware you should look out for. Being a form of a Trojan downloader, Trojan.Hiloti will enter into a computer system covertly, to perform the function it was designed to do: to download and install additional and various malware, badware, adware, etc., so as to ensure that the Trojan, as well as the hacker in control of this whole operation, are equipped with full control of the infiltrated machine.

Trojan.Hiloti allows for a hacker from a remote location to change the infiltrated systems’ settings, delete important files, steal passwords and watch the user’s computer activity.

Infiltration methods used frequently by Trojan.Hiloti are as follows:

• Email: via email attachments, Trojan.Hiloti will enter into a system, disguised as a small file, for example: a jpeg or might be downloaded via a website or FTP.
• Websites: Many Trojan infections will exploit browser security vulnerabilities
• Open-Ports: Programs which allow for file-sharing functions, e.g. AIM, MSN messenger, are at risk of being used to install these nefarious infections, as it may ensure the hacker has remote control over the computer in question.

Trojan.Hiloti is designed to open up large security exploits through which hundreds of malicious adware and spyware will be able to infiltrate a system. In addition, Trojan.Hiloti opens a backdoor that allows the remote attacker to get full control over the infected computer.

This in turn leads to the hacker having full access to the user’s financial or banking information stored on the computer. Obviously this puts the user’s personal information in severe jeopardy and represents a serious security risk.

The term Trojan refers to the fact this particular malware, Trojan.Hiloti is installed under deceptive pretences, infiltrating the user’s PC without their approval or knowledge.

Trojan.Hiloti is particularly damaging to a computer system, once it has fully embedded itself within the PC’s system, therefore it is given a high priority security risk status by many computer analysts." - PCThreat.com

You might want to have a security suite on your computer. I'd recommend Kaspersky.

If you can't afford it, AVG or Avast! plus Zone Alarm free firewall might be an 'ok' alternative (only 'ok' because really? You get what you pay for), and add Mamutu 3.0 (free also) to whichever you choose (and firewall Zonealarm).

Don't open emails from people/places you don't know, and be suspicious of any attachments. Be careful where you browse and add a link "sniffer" extension to your browser.... like WOT or Threatfire.

As for the "Should I change my passwords?" question, I'd say "Yes." Why? Because you have no idea how long this malware has existed on your system (if it exists on your system). I say "If", because even software as good as the one which "found" it can be mistaken. False positives happen. However, continuing in the spirit of "playing it safe", it certainly couldn't hurt to change them. Incidentally, if you find an account you can't get into that should be taken as definitive proof you did have the malware infection. You should then contact the account managers and outline what happened. They should freeze the account. Reestablish yourself and use a new, "strong" password.

Hope this helps.

:)

Reply #2

Malwarebytes Anti-Malware, if it's the paid version: find the files and run the Assassin tool, then re-scan.

Reply #3

Thank you very much for your time. I did what you said, I changed my passwords.

I was thinking of buying Kaspersky; I was using the trial version a long time ago, and when it ended I started using Microsoft Security Essentials. I have no firewall installed, only the Windows Firewall is active, so I think I'm going to use ZoneAlarm, unless I buy Kaspersky.

My question is: Is Microsoft Security Essentials trustworthy???


EDIT: No, I'm using the free version.

Reply #4

Link sniffer extension for the browser? Doc, do they have any for the Pale Moon browser? You are the best.

Reply #5

Quoting H4wk13, reply 3
My question is: Is Microsoft Security Essentials trustworthy???

End of H4wk13's quote

As far as it goes, "yes". It is only rated as a middling effort.

@ElanaAhova:

Thank you. As for Pale Moon, generally speaking, Firefox extensions will work with it as it is a version of Firefox tailored for Windows OS's.

Just use "Web of Trust" here: https://addons.mozilla.org/en-US/firefox/extensions/privacy-security/


Reply #6

Quoting H4wk13, reply 3
Thank you very much for your time. I did what you said, I changed my passwords.
End of H4wk13's quote

Did you use the infected PC to change your passwords?

Until you're 100% sure your PC is clean you should consider that anything you type is possibly being logged.

Reply #7

Quoting DrJBHL, reply 1
If you can't afford it, AVG or Avast! plus Zone Alarm free firewall might be an 'ok' alternative (only 'ok' because really? You get what you pay for), and add Mamutu 3.0 (free also) to whichever you choose (and firewall Zonealarm).

Don't open emails from people/places you don't know, and be suspicious of any attachments. Be careful where you browse and add a link "sniffer" extension to your browser.... like WOT or Threatfire.
End of DrJBHL's quote

Or Comodo Free Firewall (has a standard firewall + Host Intrusion Prevention System*). Though its firewall is not quite as simple to use**.

* Which is what Mamutu 3.0 is, though they call it a Behavior Blocker.

** But Comodo Free Firewall comes with 60 free 24/7 chats with computer techs who will help with any computer problem you may have, and who can help set it up.

Reply #8

Quoting captainmoonlight, reply 2
Malwarebytes Anti-Malware, if it's the paid version: find the files and run the Assassin tool, then re-scan.
End of captainmoonlight's quote

Most definitely, as it can be run with other security software (MSE, AVG, Norton, etc.)*. And you only need to pay once and the Product Key is good forever (just enter it into the free version).

* See http://forums.malwarebytes.org/index.php?showtopic=10138 for instructions on how to properly set it up.

Reply #9

Quoting H4wk13, reply 3
My question is: Is Microsoft Security Essentials trustworthy???
End of H4wk13's quote

It is good at known viruses, which is where anti-virus software is strongest anyway. It is still a good idea to use other things with it for things it does not have a signature for.

Reply #10

Hi again!

First of all I want to thank everyone for your help.

Now, I ran a scan with Spybot Search & Destroy. It detected a cookie, I think, named [email protected]/0.

Does anyone know what this thing is?? Are my passwords safe??

Reply #11

Google it and see.

Reply #13

Quoting H4wk13, reply 3
My question is: Is Microsoft Security Essentials trustworthy???
End of H4wk13's quote

Only issue I have with it is the fact that it turns on automatic updates for Windows when installed and there is no issue to turn off auto updates for the program itself. I like to manually update my programs as turning on auto updates wastes resources.

Reply #14

Quoting kona0197, reply 13
Quoting H4wk13, reply 3
My question is: Is Microsoft Security Essentials trustworthy???
End of H4wk13's quote

Only issue I have with it is the fact that it turns on automatic updates for Windows when installed and there is no issue to turn off auto updates for the program itself. I like to manually update my programs as turning on auto updates wastes resources.
End of kona0197's quote

Strangely, I have MSE and I don't have automatic updates turned on and it hasn't turned it on. I have Windows Updates set to notify me when there are available updates, and I get MSE updates through Windows Updates. Exactly opposite of what you say, if I read correctly, Kona0197.

Reply #15

It turns on Windows auto updates if the auto update is completely turned off. Yours is not. Be that as it may there are better AV programs out there. MSE is slow in detecting intrusions.

Reply #17

Quoting H4wk13, reply 16
Hi again,

I did a search about that trojan, well, I found something pretty interesting.

http://forums.malwarebytes.org/index.php?showtopic=91069

It turned out I wasn't even infected.

Anyway, I want to thank everyone for your time.
End of H4wk13's quote

Not necessarily, H4wk13.

To me, you haven't proven you haven't been infected. You might or might not have the Trojan.Hiloti.

I would not conclude that because it might be a false positive it definitely is one, just because you'd like for that to be true.

Were I you, I would add a comment to that forum and ask them if this has been fixed or not, the comment from the IT manager notwithstanding.

That's because although that computer was not connected to the internet, USB sticks, disks, etc. from other (possibly infected) computers may have been used with it to load programs, data, etc., so it might have become infected.

Reply #18

Quoting DrJBHL, reply 1
for example: a jpeg
End of DrJBHL's quote

That is bothering me, but I cannot find any further information on HOW it gets a jpeg to infect you. Do you have any idea how it does it (buffer overflow in a poorly written image viewer?)

Reply #19

Quoting Dr, reply 18
Quoting DrJBHL, reply 1
for example: a jpeg
End of DrJBHL's quote

That is bothering me, but I cannot find any further information on HOW it gets a jpeg to infect you. Do you have any idea how it does it (buffer overflow in a poorly written image viewer?)
End of Dr's quote

Found this: http://www.pcworld.com/article/101910/first_jpeg_virus_identified.html

and this (old, but possible):  http://www.sophos.com/en-us/press-office/press-releases/2002/06/va_perrun.aspx

Reply #20

Well, I also found this

http://forums.malwarebytes.org/index.php?showtopic=42919

There's a guy who posted that he was infected by Trojan.Hiloti on 29th July, just like me and the guy from the other link.

It might be a coincidence.


Anyway, because I don't want to create a new post, I'm going to ask here: does anyone know what Exploit:HTML/IframeRef.V is? It must be something new. I didn't find anything here:

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3AHTML%2FIframeRef.V&ThreatID=-2147319545

MSE detected it twice. If you want I can post where it was located.

Reply #21

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3AHTML%2FIframeRef.V&ThreatID=-2147319545

But this is better:

http://answers.microsoft.com/en-us/protect/forum/protect_scanning/exploithtmliframerefv/c8510ed1-c9d6-466b-a2d5-041f425b3c29?msgId=aa83dd51-c2fb-4d65-9e88-7472cbbd2e2e&page=1

I'd pick up Kaspersky if I were you. You also need to be concerned about where and how you picked this up.

Make sure your Adobe Flash, Acrobat and Java are all updated as well as your browsers.

This might help with removal:

http://help.lockergnome.com/windows/Exploit-HTML-IframeRef-gen-rid--ftopict553176.html

This is very good: http://free.antivirus.com/hijackthis/

"Using HijackThis

To analyze your computer, start HijackThis and run a scan. See the Quick Start Guide [link to Quick Start, FAQs and Feedback] for help in running a scan. HijackThis will display a list of areas on your computer that might have been changed by spyware. Do not change any settings if you are unsure of what to do. There are many popular support forums on the web that provide free technical assistance by using HijackThis log files to diagnose an infected computer.

Not an expert? Just save the HijackThis report and let a friend with more troubleshooting experience take a look. A large community of users participates in online forums, where experts help interpret HijackThis scan results to clean up infected computers."


Reply #22

I had no trouble removing them; in fact, as soon as MSE detected them, they were both removed.

The last thing I remember is that I was performing a Google search about something (I don't really remember what) and I visited a few websites (I don't remember which either); that's when a window popped up, alerting me about this virus. A minute later, another window popped up alerting me about the same.

Do you think this thing infected my computer through my browser* (I'm using Firefox 5.0 by the way) and MSE detected it as soon as it entered my computer???

*Well, if this is what happened it's strange, because I avoid visiting websites that have a poor reputation. (I have added the link sniffer extension WOT.)

Anyway, what is this thing?? Is it some kind of adware, spyware etc.??? Is it able to steal passwords or other personal information???

Reply #23

Quoting H4wk13, reply 22
The last thing I remember is that I was performing a Google search about something (I don't really remember what) and I visited a few websites (I don't remember which either); that's when a window popped up, alerting me about this virus. A minute later, another window popped up alerting me about the same.
End of H4wk13's quote

Your browser history should have that information.


Reply #24

Suggestions by DOC are very good; HijackThis can be very helpful, of course posting the log on a forum for diagnosis (unless you are very experienced in this sector, but you said you are not).

About Kaspersky, my suggestion too is to buy it (I've been using Kaspersky Internet Security since 2008, and never changed). If you like I can provide you a link to an online store where you can get it at a very interesting price (the store has been checked and is recognized by Kaspersky, of course).

In case you don't want to spend money, my suggestions are:

1) remove Spybot Search and Destroy.
2) as Gwenio1 already said, install Comodo firewall (freeware); if you are not very familiar with firewalls you'll need a little bit of time to learn how it works and all its features, but it is an excellent one.

3) download Emsisoft Emergency Kit (ex A-squared free, freeware). It doesn't require installation and, in my opinion, is THE BEST software in detecting any kind of spyware/malware; besides, it works very well with viruses as well. Just a couple of things: to use EEK, first go to the Scan tab, select Custom Scan and in the next window check the box for enabling detection of unknown malware.

With all files detected by EEK, unless you are TOTALLY SURE they are an infection or a false positive, the best thing is to move them to Quarantine. In EEK all quarantined files are re-scanned every time the database is updated (this doesn't happen with Malwarebytes, which is however a very good one), and if false positives are found you get a message at once, with the option for immediate restore, of course. Alternatively, you can check the suspected file on virustotal.com or send it to Emsisoft Lab (right click on the file from the Quarantine tab), which usually answers in a very short time.

Hope this can help.

Reply #25

There are legal versions of Kaspersky for developers .... for which you can get an activation key for free. Almost all functionality of Kaspersky Internet Security is turned on. It's even easier to get the key if you know German since the website is German, but there is always Google Translate.

I'm not saying to get it, but for a short period or if you use the PC very sporadically it is a good option.

On my main desktop I have a fully purchased KIS 2011, but since I got a licence for only 1 PC I use KIS for developers on my second PC, which is in use only when the desktop hardware breaks down.

EDIT: I have been a Kaspersky customer since 2006 and I don't think I would change it if the other one were free. Had AVG and Norton before.