Norton reported it encountered a trojan on my system,

kiddpete (MIS, Oct 9, 2003, 788, US)
but failed to remove it. The report popped up while I was in a forum on the CNET site. It said the trojan is Bloodhound Exploit 52, and is contained in the file CA4NM129.SWF. However, a full Norton anti-virus scan of the system failed to find either a problem or the file. The original report said that the trojan is located at:

C:\Documents and Settings\Bob\Local Settings\Temporary Internet Files\Content.IE5\4POT6FSP\CA4NM129.swf

However, even after turning on every hidden file viewing option I know of, I still cannot find a Content.IE5 in the Temporary Internet Files directory. I also could not find such a directory on a portable that also runs Windows XP, and is not involved in this incident.

I have restored the system to the day prior to seeing this message, but am wondering if this is sufficient. I'm wondering if I should revert to my latest Ghost image which entails much effort to backup and restore data.

Does anyone have an opinion on what should be done next?
 
Your Content directory is usually a hidden directory. If this file has NOT spread, you can sometimes go into IE and clear out your temp files, which should get rid of it.


James P. Cottingham
-----------------------------------------
I'm number 1,229!
 
November 11, 2005
Bloodhound.Exploit.52

Some people are reporting false positives in bloodhound.exploit.52. This is Symantec's heuristic detection for the flash vulnerability. Over at the ISC one person has said this has only been an issue for them with people running Flash 7.0.19. If you haven't upgraded this is probably the version you are running.

At least one person reporting the problem is using rapid release versions of the virus definitions 11/10 rev 39 and 11/22 with unknown revision number. So this means if they've submitted the suspect files to Symantec this false positive could get fixed before the virus defs are widely deployed.
 
I was running a trial version of Flash 7 up until a few weeks ago. I removed it when the trial period ran out, and I installed Flash Pro 8. Add/Remove programs is not showing any Macromedia Flash 7 components.

I have now found CA4NM129.swf in the registry and deleted it. After rebooting, it did not return. I also got into:

C:\Documents and Settings\Bob\Local Settings\Temporary Internet Files\Content.IE5\4POT6FSP\

via the Command Prompt, but an attempt to delete CA4NM129.swf said there was no such file. A few files were shown, and I backed up a level so I could remove the 4POT6FSP subdirectory. Windows refused to remove it, but, when I reaccessed it, I didn't find any files with the DIR command. It's possible that all files were deleted, but there is a hidden subdirectory that prevents the removal of 4POT6FSP. I can't see anything about the directory structure with the DIR command, but CD does get into the subdirectories if I know what they are.
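The behaviour described above (a subdirectory that will not delete but shows nothing under DIR) is usually because DIR without the /a switch omits hidden and system entries, and because Internet Explorer keeps its index.dat files open while it is running. The batch script below is an added example, not something posted in this thread; it uses the cache path and file name quoted in the thread and assumes the user profile name "Bob" taken from that path. Close Internet Explorer before running it.

```batch
@echo off
REM Added example (not from the thread): inspect and clean one Content.IE5
REM cache subfolder from the Command Prompt on Windows XP.
REM The path and file name are the ones quoted in the thread; the profile
REM name "Bob" is an assumption taken from that path.
setlocal
set "CACHE=C:\Documents and Settings\Bob\Local Settings\Temporary Internet Files\Content.IE5"
set "TARGET=CA4NM129.swf"

REM 1. Plain DIR hides hidden and system entries. /a lists every attribute,
REM    which is why the cache subfolders look empty without it.
echo === Contents of %CACHE% (all attributes) ===
dir /a "%CACHE%"

REM 2. Search every cache subfolder, hidden ones included, for the flagged file.
echo === Locating %TARGET% ===
dir /a /s /b "%CACHE%\%TARGET%" 2>nul

REM 3. For each copy found, clear read-only/hidden/system attributes and delete it.
for /f "delims=" %%F in ('dir /a /s /b "%CACHE%\%TARGET%" 2^>nul') do (
    echo Removing %%F
    attrib -r -h -s "%%F"
    del /f "%%F"
)

REM 4. Remove the whole cache subfolder. /s deletes its contents (hidden files
REM    included) and /q suppresses the confirmation prompt. If this step still
REM    fails, an index.dat in the folder is locked by a running IE or Explorer
REM    window; close them and run the step again.
rd /s /q "%CACHE%\4POT6FSP"
if exist "%CACHE%\4POT6FSP" (
    echo 4POT6FSP still present: a file in it is probably locked by IE.
) else (
    echo 4POT6FSP removed.
)
endlocal
```

The cache folder only holds a copy of content the browser already downloaded, so deleting it removes the flagged file but does not by itself tell you whether the Flash player that rendered it was vulnerable; the version check from the quoted Symantec note still applies.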