Question: TrojanDropper:Win32/Ilomo.C

  • Friday, October 16, 2009 3:01 PM, Sysgen
    Anyone have a problem with this one? It keeps coming back again and again and again, well you get the idea.

    And from the same list of computers. It reports it as Successfully Responded and then a couple of days later it will come back with the same message.

    Then I get this

    Source:  Microsoft Forefront Client Security Threat ID = 2147621724
    Name:  Re-Infected Computer (Alert Level 5)
    Description:  Client Security has detected that the computer has been infected several times by the following threat:
                - Threat name: TrojanDropper:Win32/Ilomo.C
                - Window start time: 10/12/2009 12:10:00 PM
                - Window end time: 10/15/2009 12:10:00 PM
                - Reported infection instances: 4

    This happens on computers that are doing nothing!! We have a computer that is used for scanning only, and one day I received this same alert from this computer and no one was using it??

    Here are the details of the event

    Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDropper:Win32/Ilomo.C&threatid=2147621724
    Scan ID: {ADC00520-598E-4BD5-AC81-2D4084B63624}
    Agent: On Access
    User: NT AUTHORITY\SYSTEM
    Name: TrojanDropper:Win32/Ilomo.C
    ID: 2147621724
    Severity: Severe
    Category: Trojan Dropper
    Path Found: file:C:\WINDOWS\system32\2.exe
    Alert Type:
    Process Name:
    Detection Type: Concrete
    Status: Suspend

    How could I track how it's getting in?

    Thanks
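Added example, not code from the original post or from Forefront Client Security: a small Python script that parses detection events laid out like the one quoted above and applies the re-infection window rule the Alert Level 5 message describes (repeat detections of the same threat on the same host inside a 72-hour window), so the hosts that keep re-triggering the detection can be listed for investigation. The host column, the timestamps and the threshold of 4 detections are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one detection per line as "<host> | <timestamp> | <event body>".
# The body fields copy the layout of the alert quoted above; the host and timestamp
# columns are assumptions added so that repeat detections can be correlated.
SAMPLE_LOG = r"""
SCANPC01 | 2009-10-12 12:10 | Name: TrojanDropper:Win32/Ilomo.C ID: 2147621724 Severity: Severe Path Found: file:C:\WINDOWS\system32\2.exe Status: Suspend
SCANPC01 | 2009-10-13 08:45 | Name: TrojanDropper:Win32/Ilomo.C ID: 2147621724 Severity: Severe Path Found: file:C:\WINDOWS\system32\2.exe Status: Suspend
WS07     | 2009-10-13 09:15 | Name: TrojanDropper:Win32/Ilomo.C ID: 2147621724 Severity: Severe Path Found: file:C:\WINDOWS\system32\2.exe Status: Suspend
SCANPC01 | 2009-10-14 17:02 | Name: TrojanDropper:Win32/Ilomo.C ID: 2147621724 Severity: Severe Path Found: file:C:\WINDOWS\system32\2.exe Status: Suspend
SCANPC01 | 2009-10-15 11:30 | Name: TrojanDropper:Win32/Ilomo.C ID: 2147621724 Severity: Severe Path Found: file:C:\WINDOWS\system32\2.exe Status: Suspend
SCANPC01 | 2009-10-20 10:05 | Name: TrojanDropper:Win32/Ilomo.C ID: 2147621724 Severity: Severe Path Found: file:C:\WINDOWS\system32\2.exe Status: Suspend
"""

FIELD_RE = re.compile(r"Name:\s*(?P<name>\S+).*?Path Found:\s*(?P<path>\S+)")

def parse_line(line):
    """Split one log line into host, timestamp, threat name and detected path."""
    host, stamp, body = (part.strip() for part in line.split("|", 2))
    m = FIELD_RE.search(body)
    if not m:
        raise ValueError("unrecognised event body: " + body)
    return {"host": host, "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M"),
            "name": m["name"], "path": m["path"]}

def parse_log(text):
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]

def reinfections(events, window=timedelta(hours=72), threshold=4):
    """Return (host, threat, window_start, window_end, count) for each host/threat pair
    detected at least `threshold` times within `window` (72 h as in the alert; 4 is assumed)."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["name"])].append(e["time"])
    hits = []
    for (host, name), times in by_key.items():
        times.sort()
        i = 0
        while i < len(times):
            end = times[i] + window          # window opens at this detection
            j = i
            while j < len(times) and times[j] < end:
                j += 1
            if j - i >= threshold:
                hits.append((host, name, times[i], end, j - i))
                i = j                        # do not count the same detections twice
            else:
                i += 1
    return hits
```

Running `reinfections(parse_log(SAMPLE_LOG))` flags SCANPC01 with 4 detections between 2009-10-12 12:10 and 2009-10-15 12:10, while WS07 (one detection) and the later lone SCANPC01 hit are not reported.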

All Replies

  • Tuesday, October 27, 2009 7:56 PM, Kurt Falde (MSFT, Moderator)
    Open up a case with CSS Security on this... will be a free/non dec case. Odds are you have an infected workstation that's not getting cleaned up that keeps trying to infect others and this is what those detections are.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response). Check out my blog: http://blogs.technet.com/kfalde