Ad: Manage updates with the Download App
ie8 fix
Click Here

Spyware, viruses, & security forum: Trojan Viruses keep coming back

by: cmc82 June 20, 2012 9:28 PM PDT

Like this

0 people like this thread

Staff pick

Resolved question

Trojan Viruses keep coming back

by cmc82 - 6/20/12 9:28 PM

A few days ago, my computer started acting up. We have 4 accounts on our families computer, mine is the only one having problems so far. My sister downloaded FrostWire last year, I think. I uninstalled it and I went through and deleted all the files I could find. When I logged on the Calculator was pulled up, I closed out of it and it would come back. After about 10 minutes they started multiplying every time I tried closing them. Then random ads would pop up on their own like QuestionSpider, Local.com, 2oosk.com, Adbrite, Plus.Google.com, IntornetDotOrg, ********e, and Depleted.org. Internet Explorer closes on its own, but Google Chrome is fine. The ads stopped after I downloaded Microsoft Security Essentials and ran it a couple of times. The calculator is still popping up though. I keep scanning the computer with Kaspersky AV 2012 and MSC but neither of them are finding anything else so far besides these that MSC removed so far:

Trojan:Win32/AgentBypass.gen!K
Items: file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Roaming\Reid.dll
file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Roaming\Sherlock.dll

Worm:Win32/Ainslot.A
Items: file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Roaming\Microsoft\Windows\Haily.scr
file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Local\Temp\037dee56.exe
file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Local\Temp\045e2236.exe

Worm:Win32/Gamarue.I
file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Local\Temp\041e981f.exe
file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Local\Temp\7033.exe
file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Local\Temp\7180.exe
file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Local\Temp\9261.exe

Exploit:Java/CVE-2010-0840.DY
file:C:\Users\Patrick\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\2b8 54b99-1f1324c6

Exploit:Java/CVE-2010-0840.GZ
file:C:\Users\Dad\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\20453c1 6-73469f4f

Exploit:Java/CVE-2010-0840.DZ
file:C:\Users\Patrick\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\2b8 54b99-1f1324c6

Exploit:Java/CVE-2010-0840.DW
file:C:\Users\Patrick\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\2b8 54b99-1f1324c6

Exploit:Java/CVE-2010-0840.DB
file:C:\Users\Patrick\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\2b8 54b99-1f1324c6

Exploit:Java/CVE-2011-3544.gen!A
Items: file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\15038ef4-3e78215a

Adware:Win32/OpenCandy
folder:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Roaming\OpenCandy\
folder:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Roaming\OpenCandy\D6097FE4FD074ADF9F0D70E68093443C\
folder:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Roaming\OpenCandy_D6097FE4FD074ADF9F0D70E68093443C\
folder:C:\users\chelsey mae\AppData\Roaming\OpenCandy\
file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Roaming\OpenCandy\D6097FE4FD074ADF9F0D70E68093443C\driverscanner win7.exe

TrojanClicker:ASX/Wimad.gen!H
Items: containerfile:C:\Users\Chelsey.Mae.RobertMCoyle-PC\Frostwire\Torrent Data\iTunes Store Top 10 Songs (USA 2012)\We Are Young (feat. Janelle Monae) - Fun.mp3

TrojanDownloader:ASX/Wimad.DT
Items: containerfile:C:\Users\Chelsey Mae.RobertMCoyle-PC\Frostwire\Torrent Data\Fun - We Are Young (ft. Janelle Monae)\Fun - We Are Young (ft.Janelle Monae).mp3


Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Home Premium, Service Pack 1, 64 bit
Processor: Pentium® Dual-Core CPU E5400 @ 2.70GHz, Intel64 Family 6 Model 23 Stepping 10
Processor Count: 2
RAM: 5885 Mb
Graphics Card: Intel® G45/G43 Express Chipset, -1281 Mb
Hard Drives: C: Total - 381551 MB, Free - 268835 MB; D: Total - 564118 MB, Free - 563964 MB;
Motherboard: ASUSTeK Computer INC., CM5571
Antivirus: Microsoft Security Essentials, Updated and Enabled


I have the logs from DDS, HiJack This, and Malware but wasn't sure if I should post them


cmc82 has chosen the best answer to his/her question!
Click here to view the answer that was selected.

Answer This
Ask for clarification
Report offensive post
Email to friend
Answers
Answer Best answer as chosen by user cmc82

RE:

by Poultrygeist - 6/20/12 10:24 PM

In Reply to: Trojan Viruses keep coming back by cmc82

Well, first of all, you made a common panic mistake when infected....you downloaded and installed another antivirus, thinking 2 is better than 1. This is a bad idea on a clean PC. On an infected one, it can make a bad situation worse, when the 2 AVs start flagging each other as infected or wrestling over rights to infected files. So for starters, I would remove either MSE or Kasper, take your pick, and make sure to run the removal tool from the vendors website of whichever product you remove, to clean it all up, AV programs never want to fully remove correctly, even less so when installed with another AV simultaneously.

As far as logs, one of the stickies states no HJT logs on this forum, so that idea is out.

From what you posted though, it looks like a Java exploit. My suggestion would be to Run a scan with MSE or Kasper, depending on which one you keep, let it quarantine (NOT DELETE unless there is no other option, the Temp files cant be quarantined for example) what it finds, then follow by installing and updating this>>http://www.malwarebytes.org/products/malwarebytes_free , do a Quick scan with it and see if anything is left. Once that is all done, remove all Java from your system (and reinstall it, if you use it, many have Java but never need it, making it pointless risky baggage).

If after all that, the same infection symptoms return, I would think you have a rootkit then. But cross that bridge when you come to it, for now just go with the above steps.


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

HJT logs are not verboten.

by R. Proffitt Moderator - 6/20/12 10:44 PM

In Reply to: RE: by Poultrygeist

I have asked for them when I volunteer to read them. But unsolicited would usually be ignored as it's not something folk here have signed up to respond to.

There are forums that do nothing but those HJT logs and as you can imagine, they are swamped.
Bob


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Forum Icon Legend

  • UnreadUnread
  • ReadRead
  • Locked threadLocked thread
  •   
  •   
  •   
  •   
  •   
  •   
  •   
  • ModeratorModerator
  • CNET StaffCNET Staff
  • Samsung StaffSamsung Staff
  • Norton Authorized Support TeamNorton Authorized Support Team
  • AVG StaffAVG Staff
  • avast! Staffavast! Staff
  • Webroot Support TeamWebroot Support Team
  • Acer Customer Experience TeamAcer Customer Experience Team
  • Windows Outreach TeamWindows Outreach Team
  • DISH staffDISH staff
  • Dell StaffDell Staff
  • Intel StaffIntel Staff
  • QuestionQuestion
  • Resolved questionResolved question
  • General discussionGeneral discussion
  • TipTip
  • Alert or warningAlert or warning
  • PraisePraise
  • RantRant

You are e-mailing the following post: Post Subject

Your e-mail address is used only to let the recipient know who sent the e-mail and in case of transmission error. Neither your address nor the recipient's address will be used for any other purpose.

Sorry, there was a problem emailing this post. Please try again.

Submit Email Cancel

Thank you. Sent email to

Close

Thank you. Sent email to

Close

You are reporting the following post: Post Subject

If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.

Offensive: Sexually explicit or offensive language

Spam: Advertisements or commercial links

Disruptive posting: Flaming or offending other users

Illegal activities: Promote cracked software, or other illegal content

Sorry, there was a problem submitting your post. Please try again.

Submit Report Cancel

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

You are posting a reply to: Post Subject

The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to the CNET Forums policies for details. All submitted content is subject to CBS Interactive Site Terms of Use.

You are currently tracking this discussion. Click here to manage your tracked discussions.

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

Sorry, there was a problem submitting your post. Please try again.

Sorry, there was a problem generating the preview. Please try again.

Duplicate posts are not allowed in the forums. Please edit your post and submit again.

Submit Reply Preview Cancel

Thank you, , your post has been submitted.

> Click here to view your post. > Manage your tracked discussions. > Track this discussion. Close

Thank you, , your post has been submitted and will appear on our site shortly.

Close

You are requesting a clarification of the question: Post Subject

The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to the CNET Forums policies for details. All submitted content is subject to CBS Interactive Site Terms of Use.

You are currently tracking this discussion. Click here to manage your tracked discussions.

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

Sorry, there was a problem submitting your post. Please try again.

Sorry, there was a problem generating the preview. Please try again.

Submit Clarification Request Preview Cancel

Thank you, , your post has been submitted.

> Click here to view your post. > Manage your tracked discussions. > Track this discussion. Close

Thank you, , your post has been submitted and will appear on our site shortly.

Close

You are posting an answer to the question: Post Subject

The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to the CNET Forums policies for details. All submitted content is subject to CBS Interactive Site Terms of Use.

You are currently tracking this discussion. Click here to manage your tracked discussions.

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

Sorry, there was a problem submitting your post. Please try again.

Sorry, there was a problem generating the preview. Please try again.

Submit Answer Preview Cancel

Thank you, , your post has been submitted.

> Click here to view your post. > Manage your tracked discussions. > Track this discussion. Close

Thank you, , your post has been submitted and will appear on our site shortly.

Close
close

Click here to be notified via e-mail when someone submits an answer.

Would you like to resolve this question? close

Based on your response, it looks like this question has been answered.



Sorry, there was a problem resolving this question. Please try again.

Resolve Leave unresolved