BleepingComputer.com: MSE Finds Trojan

A few days ago, I downloaded and installed Hotspot Shield, because I liked the idea of a VPN and wanted to try it out. I read up on VPNs and saw that I would be part of a 'network' when using it. I wasn't sure how or whether that would open me up to any security risks, but obviously that didn't stop me.

I am pretty sure I was connected to the 'net via the VPN when MSE flashed into action and told me it had blocked a severe threat and I remember seeing a warning about JAVA. I immediately exited whatever web page I was on and also exited the VPN. Since MSE said it blocked it, I wasn't too worried.

Fast forward 24 to 48 hours (I forget which), and I started a deep scan, then went to sleep. The next morning, when I looked in the 'history' section of MSE, it said it had "removed" three files, all of which were 'SEVERE' threats, and one of them was a Trojan Downloader that could execute code remotely (I looked that sucker up). Great!

Anyway, here are the file names:

Exploit:Java/CVE-2010-0842.AN
Exploit:Java/CVE-2008-5353.AAC
TrojanDownloader:Java/OpenConnection/OI

So I do not know what, if anything, I need to do from here. MSE says they are 'removed'. I have not deleted those files from the history section of MSE just yet because I wanted to know more about them, and also wanted to post the names here.

Here's what I have done so far: I looked up the file names, and saw something about the exploits needing older versions of Java, so I checked my JAVA folder, and sure enough, there were three older versions in there, for the three previous updates before this latest one. I thought I had removed them but I had not. Today, I uninstalled those using a link someone in this forum gave me (on another thread). I now have ONLY the most current version of JAVA in that folder (update #27). Lesson learned.

I also uninstalled Hotspot Shield using Revo. I don't know for sure that using a VPN had anything to do with this problem, but I also realized I really do not fully understand the risks either, so until I do....forget it.

Do I need to do anything else? Is it possible the Trojan Downloader executed some code and I don't know about it? Or that one of the exploits worked? Also, are those separate, independent threats, or does the Trojan work in tandem with the JAVA exploit files?

I do not know how long those files were there or whether they had time to cause any damage. I would guess they were there a few days at most. They did not come up on a quick scan that I did a few days ago; they only came up on the deep scan.

Other info: I was using a 'drop my rights' version of Firefox at the time, and my IE internet security setting was either at 'medium high' or 'high'. A lot of times, if I want to do something and it doesn't work, then I have to lower the Internet security setting in IE to 'medium high' from 'high' (then I can play the video or whatever). The setting in IE seems to control what I can do in Firefox. So I go back and forth between those 2 settings (medium high and high) in IE, but I try to keep the 'net security setting at highest possible most of the time.

Besides the above protection, if I was using the 'drop my rights' version of FF at the time I picked up these exploits/downloader, as is my guess, wouldn't that mean that a Trojan could not have executed any code? Or that a JAVA exploit could not have occurred (if the exploit could not write script)?

My computer appears to be behaving normally.

This is a lot of information and I would really appreciate if someone could give me some direction as to what I need to do, if anything.

Thank you in advance...very much appreciated.

WinXP, Security Pack3, Microsoft Security Essentials, latest versions of Firefox and IE browsers. I use FF almost all the time, and have 'drop my rights version' of the browser that I use...unless I need to download something, in which case I use the regular version of FF.

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread HERE and include a link to this thread.

Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

Thank you. I posted the same info over there and have read through the prep link. I'll wait to see what they say before taking all those steps. Probably not half as hard as it looks (the prepping), but don't want to go through that unless they say it's necessary. Yes, will post back here once resolved.

The MRT is only going to request that you go through those steps.

There are reasons why that's the prep guide.

If you'd like to save time, I suggest completing them as soon as possible.

Thanks for posting back here, and good luck.

Please post the DDS and GMER logs as a reply to your topic in the log forum. If you are unable to produce them, please describe what happens when you try to create them.

Orange Blossom

Ok, thanks to you both. Working on this now...(prepping)..

I am in the midst of installing the Cobian Backup and when I get to 'select the installation directory, which defaults to "c:\program files\cobian backup 10" (the current version), when I click next I get this message: "couldn't create the directory: c:\program files\ cobian backup 10".

As a test, I then tried to install it to a folder on the desktop, which it WOULD let me do. In other words, it let me advance to the next screen where I select 'application and non auto start' or something similar (I forget the exact wording).

Is there some reason I can't save it to the default directory..."program files"? What other directory shoudl I select if the default won't work and still have everything function as it should?

Thank you...

TheShooter93, on 17 October 2011 - 09:10 PM, said:

This post has been edited by Anonix: 18 October 2011 - 04:34 PM

I have no idea.

If you cannot complete a step, skip it and continue.

Ok, thank you. I went back and WAS able to install an earlier version, the Black Moon version (Version 8). Everything is working just fine. I should have learned how to do backups a long time ago, malware or no malware, so thanks!

Orange Blossom, on 18 October 2011 - 05:02 PM, said:

Hello -- I just completed the steps in the prep guide and added the log info to the topic I started in malware removal. I kept running into roadblocks on creating a backup, so I followed OrangeBlossom's suggestion to just skip it. Everything else (scans) seem to work fine. I will attempt a backup (which I need to learn how to do in any case) another day. Thanks again...

TheShooter93, on 17 October 2011 - 07:59 PM, said:

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic423943.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom