Spyware, Viruses, & Security forum

Question

Trojan Viruses keep coming back

by cmc82 / June 20, 2012 2:28 PM PDT

A few days ago, my computer started acting up. We have 4 accounts on our family's computer; mine is the only one having problems so far. My sister downloaded FrostWire last year, I think. I uninstalled it and went through and deleted all the files I could find. When I logged on, the Calculator was pulled up; I closed out of it and it would come back. After about 10 minutes they started multiplying every time I tried closing them. Then random ads would pop up on their own, like QuestionSpider, Local.com, 2oosk.com, Adbrite, Plus.Google.com, IntornetDotOrg, ********e, and Depleted.org. Internet Explorer closes on its own, but Google Chrome is fine. The ads stopped after I downloaded Microsoft Security Essentials and ran it a couple of times. The calculator is still popping up, though. I keep scanning the computer with Kaspersky AV 2012 and MSC, but neither of them is finding anything else so far besides these that MSC removed:

Trojan:Win32/AgentBypass.gen!K
Items: file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Roaming\Reid.dll
file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Roaming\Sherlock.dll

Worm:Win32/Ainslot.A
Items: file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Roaming\Microsoft\Windows\Haily.scr
file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Local\Temp\037dee56.exe
file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Local\Temp\045e2236.exe

Worm:Win32/Gamarue.I
file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Local\Temp\041e981f.exe
file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Local\Temp\7033.exe
file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Local\Temp\7180.exe
file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Local\Temp\9261.exe

Exploit:Java/CVE-2010-0840.DY
file:C:\Users\Patrick\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\2b8 54b99-1f1324c6

Exploit:Java/CVE-2010-0840.GZ
file:C:\Users\Dad\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\20453c1 6-73469f4f

Exploit:Java/CVE-2010-0840.DZ
file:C:\Users\Patrick\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\2b8 54b99-1f1324c6

Exploit:Java/CVE-2010-0840.DW
file:C:\Users\Patrick\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\2b8 54b99-1f1324c6

Exploit:Java/CVE-2010-0840.DB
file:C:\Users\Patrick\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\2b8 54b99-1f1324c6

Exploit:Java/CVE-2011-3544.gen!A
Items: file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\15038ef4-3e78215a

Adware:Win32/OpenCandy
folder:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Roaming\OpenCandy\
folder:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Roaming\OpenCandy\D6097FE4FD074ADF9F0D70E68093443C\
folder:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Roaming\OpenCandy_D6097FE4FD074ADF9F0D70E68093443C\
folder:C:\users\chelsey mae\AppData\Roaming\OpenCandy\
file:C:\Users\Chelsey.Mae.RobertMCoyle-PC\AppData\Roaming\OpenCandy\D6097FE4FD074ADF9F0D70E68093443C\driverscanner win7.exe

TrojanClicker:ASX/Wimad.gen!H
Items: containerfile:C:\Users\Chelsey.Mae.RobertMCoyle-PC\Frostwire\Torrent Data\iTunes Store Top 10 Songs (USA 2012)\We Are Young (feat. Janelle Monae) - Fun.mp3

TrojanDownloader:ASX/Wimad.DT
Items: containerfile:C:\Users\Chelsey Mae.RobertMCoyle-PC\Frostwire\Torrent Data\Fun - We Are Young (ft. Janelle Monae)\Fun - We Are Young (ft.Janelle Monae).mp3


Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Home Premium, Service Pack 1, 64 bit
Processor: Pentium® Dual-Core CPU E5400 @ 2.70GHz, Intel64 Family 6 Model 23 Stepping 10
Processor Count: 2
RAM: 5885 Mb
Graphics Card: Intel® G45/G43 Express Chipset, -1281 Mb
Hard Drives: C: Total - 381551 MB, Free - 268835 MB; D: Total - 564118 MB, Free - 563964 MB;
Motherboard: ASUSTeK Computer INC., CM5571
Antivirus: Microsoft Security Essentials, Updated and Enabled


I have the logs from DDS, HijackThis, and Malware but wasn't sure if I should post them.


All Answers

Answer
RE:
by Poultrygeist / June 20, 2012 3:24 PM PDT

Well, first of all, you made a common panic mistake when infected: you downloaded and installed another antivirus, thinking 2 is better than 1. This is a bad idea on a clean PC. On an infected one, it can make a bad situation worse, when the 2 AVs start flagging each other as infected or wrestling over rights to infected files. So for starters, I would remove either MSE or Kasper, take your pick, and make sure to run the removal tool from the vendor's website for whichever product you remove, to clean it all up. AV programs never want to fully remove correctly, even less so when installed with another AV simultaneously.

As far as logs, one of the stickies states no HJT logs on this forum, so that idea is out.

From what you posted, though, it looks like a Java exploit. My suggestion would be to run a scan with MSE or Kasper, depending on which one you keep, and let it quarantine what it finds (NOT delete, unless there is no other option; the Temp files can't be quarantined, for example). Then follow by installing and updating this: http://www.malwarebytes.org/products/malwarebytes_free , do a Quick scan with it and see if anything is left. Once that is all done, remove all Java from your system (and reinstall it if you use it; many have Java but never need it, making it pointless, risky baggage).

If, after all that, the same infection symptoms return, I would think you have a rootkit. But cross that bridge when you come to it; for now, just go with the above steps.
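A small triage helper, added here as an example and not part of either post: it parses an MSE detection list in the layout cmc82 pasted above and sorts each hit by where it sits on disk (Java deployment cache, Temp, Roaming, per user profile), which is the reasoning behind Poultrygeist's "looks like a Java exploit" read. The sample input and user names are constructed, not taken from the thread.

```python
import re
from collections import Counter, defaultdict
# Constructed sample in the same layout as the MSE list in the question
# (paths shortened, user names replaced with placeholders).
SAMPLE = r"""Trojan:Win32/AgentBypass.gen!K
Items: file:C:\Users\UserA\AppData\Roaming\Reid.dll
file:C:\Users\UserA\AppData\Roaming\Sherlock.dll

Worm:Win32/Gamarue.I
file:C:\Users\UserA\AppData\Local\Temp\7033.exe

Exploit:Java/CVE-2010-0840.DY
file:C:\Users\UserB\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\2b854b99-1f1324c6
"""
HEADER = re.compile(r"^(\w+):(\w+)/(\S+)$")  # Category:Platform/Family
ITEM = re.compile(r"^(?:Items:\s*)?(file|folder|containerfile):(.+)$")
USER = re.compile(r"[\\/]users[\\/]([^\\/]+)", re.IGNORECASE)

def parse_detections(text):
    """MSE listing -> [{category, platform, family, items: [(kind, path)]}]."""
    found, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            current = {"category": m[1], "platform": m[2], "family": m[3], "items": []}
            found.append(current)
        elif current is not None and (m := ITEM.match(line)):
            current["items"].append((m[1], m[2].strip()))
    return found

def classify_path(path):
    """Where a hit sits on disk says what kind of artifact it probably is."""
    p = path.lower()
    if r"\sun\java\deployment\cache" in p:
        return "java-cache"      # cached applet: the delivery vehicle, not a running program
    if r"\appdata\local\temp" in p:
        return "temp-dropper"    # dropped executables: payload stage
    if r"\appdata\roaming" in p:
        return "roaming-persist" # usual home of payloads that persist across logons
    return "other"

def summarize(detections):
    """Per user profile: how many hits of each artifact type."""
    per_user = defaultdict(Counter)
    for d in detections:
        for _kind, path in d["items"]:
            m = USER.search(path)
            per_user[m[1] if m else "?"][classify_path(path)] += 1
    return {u: dict(c) for u, c in per_user.items()}
```

Running `summarize(parse_detections(SAMPLE))` on the constructed sample separates the Java cache hit in one profile from the Roaming and Temp executables in the other, which is the split between the exploit that got in and the payload it dropped.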

HJT logs are not verboten.
by R. Proffitt Forum moderator / June 20, 2012 3:44 PM PDT
In reply to: RE:

I have asked for them when I volunteer to read them. But unsolicited ones would usually be ignored, as it's not something folks here have signed up to respond to.

There are forums that do nothing but those HJT logs and as you can imagine, they are swamped.
Bob
