Emu Download Leads To Trojans Galore



#1 r3za

Posted 24 July 2007 - 07:01 PM

Hello, and thank you for hearing me. 2 days ago, while surfing the world wide web, I had the unfortunate notion that I wanted to download an emulator onto the family laptop. To that point, I had never experienced any problems prior to the download. However, almost immediately after downloading the file, my computer began to slow WAY down, and all of a sudden something seemed wrong. A strange program, called wincleaner or something, started downloading and installing onto the laptop, without me even clicking to download it! I was also accompanied by 2-3 popups, which are usually the same type, and pop up and lag up the screen whenever I go to a new website or I leave the machine idle with a browser open.

I became freaked out that all of this could happen at once from just one download, and quickly downloaded AVG Free Edition and ran it to see what the problem was, and to my overwhelming surprise, I had over 10 trojans! From just one download. So I deleted them using AVG, and also downloaded Ad-Aware 2007 to run concurrently with AVG. My theory was that either program would invariably get rid of the problems I was experiencing.

To my knowledge, after a day of constant scanning using both AVG and Ad-Aware, as well as some deleting of suspicious program files in my C:/ drive folder, I have managed to get rid of the Win Cleaner program. This was the most important issue, because this thing would start re-installing itself whenever I would uninstall it.

However, the laptop now crawls at a snail's pace compared to what it used to in terms of connection speed. And the fact that I cannot open any browser page on the internet without my machine almost crashing from these same 3 popups has forced me to post this topic on a different computer in the house, since I am practically unable to do it on my laptop.

Any help or suggestions with my dilemma would be greatly appreciated. I know how busy you guys are.

Thanks,
R3ZA


#2 oldf@rt

Posted 24 July 2007 - 07:54 PM

There are two or three things to do. I would like for you to do them one at a time, and let us know how your computer is responding. If we cannot fix the issues here, we will ask you to post the HijackThis log.

Start with RogueRemover Free. Once you have downloaded it, please install and update the program, then click the scan link. If anything is found, please follow the instructions to clean the problem.
The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#3 r3za

Posted 25 July 2007 - 09:06 AM

Hello again. I downloaded RogueRemover Free, 5.1.1, which when installed, gave me no options to update it. All it did was scan, and give me a log of the scanned DLLs. It gave me no option to remove anything, and I am really in doubt as to what to do with this log, because the only options this program gives me are scan or internet help.

Also, as an interesting side note, when I booted up my laptop this morning, there was a new program shortcut on my desktop called "FREE trip to Bahamas!". It's also impossible to right-click this icon to delete it.

I feel as though whatever has plagued my computer manifests itself without the machine even being on.

Edit: I realized that I didn't download RogueRemover from this post; I did a web search and downloaded it from some other site. It might not have been the right one, so I'm going to try downloading the one from your link.

Edited by r3za, 25 July 2007 - 09:13 AM.


#4 r3za

Posted 25 July 2007 - 09:21 AM

I downloaded, updated, and ran the RogueRemover software from your post, and it seemed to pick up 3 items and deleted them. My computer seems to be running a little faster, but I still get popups from Think-adz, and others, albeit not as many, and not as often.

#5 oldf@rt

Posted 25 July 2007 - 01:21 PM

Good, we are making a little headway. The next scanner is F-Secure's Online Scanner; this scanner only runs in Internet Explorer.
Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.

#6 r3za

Posted 25 July 2007 - 03:37 PM

Hello again. I am unable to run the F-Secure Online Scan, because every time the download finishes, I get an error message saying that it is unable to run the scan. It says its ID: 24. This is also very time consuming, because every time I retry the scan, I must wait about 3 min for the system to free up enough RAM to do anything. I'm also having trouble typing.

#7 oldf@rt

Posted 25 July 2007 - 03:38 PM

Let's see if Trend Micro's HouseCall works. TrendMicro™ HouseCall Java Scan:
  • Please go HERE to run the Trend Micro™ HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.


#8 r3za

Posted 26 July 2007 - 08:28 AM

Hey again. I'm so frustrated now because my laptop is so damn slow it takes me over 10 minutes just to get to this site. And then it just locks up from a pop up right when I'm about to get to this post. I feel like I'm about to go crazy.

Is there anything I can do for the moment that doesn't require me to get on the internet? I understand that the internet scan is necessary, but I'm wasting large amounts of time just trying to navigate to the site, then having to reboot the whole system because the computer freezes up on me.

Thanks

#9 oldf@rt

Posted 26 July 2007 - 12:11 PM

Do you have a flash drive?


If you do, download Dr Web Cure It, and copy to your hard drive or leave it on the flash drive, you can scan from the flash drive if you leave it plugged in when you restart into safe mode.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#10 r3za

Posted 26 July 2007 - 03:38 PM

Hey again. After downloading and running this program, I am starting to see some minor results. Now, I am mostly getting one forced pop up per web site, and things are moving ever so slightly faster. However, it is still slow as molasses. I don't think I clicked the right button after I scanned my computer... I think I clicked "Move" before I clicked "Move incurable" because I couldn't find that button...

However here is the log from the scan:

cbawx.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
dwdsregt.exe;c:\windows\system32;Adware.ZenoSearch;Moved.;
ljjkigg.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
mndsregj.exe;c:\windows\system32;Adware.ZenoSearch;Moved.;
qwinondt.exe;c:\windows\system32;Adware.Hotbot;Moved.;
TTC.dll;C:\Program Files;Adware.Websearch;Moved.;
A0169285.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP195;Trojan.Fakealert;Deleted.;
A0169303.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP196;Trojan.LowZones.267;Deleted.;
A0170286.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP196;Trojan.Fakealert;Deleted.;
A0170287.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP196;Trojan.DownLoader.10963;Deleted.;
A0173280.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP197;Adware.ClickSpring;Moved.;
A0173282.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP197;Trojan.DownLoader.25802;Deleted.;
A0173283.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP197;Trojan.DownLoader.25802;Deleted.;
A0173285.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP197;Trojan.MulDrop.4522;Deleted.;
A0173286.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP197;Trojan.DownLoader.24715;Deleted.;
A0173287.exe\data001;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP197\A0173287.exe;Adware.Bagon;;
A0173287.exe\data002;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP197\A0173287.exe;Trojan.MulDrop.4522;;
A0173287.exe\data003;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP197\A0173287.exe;Adware.ZenoSearch;;
A0173287.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP197;Archive contains infected objects;Moved.;
A0173288.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP197;Trojan.DownLoader.26881;Deleted.;
A0173289.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP197;Trojan.MulDrop.6135;Deleted.;
TISKY009.exe;C:\WINDOWS;Adware.ZenoSearch;Moved.;
cbawx.dll;C:\WINDOWS\SYSTEM32;Trojan.Virtumod;Will be cured after reboot.;
dwdsregt.exe;C:\WINDOWS\SYSTEM32;Adware.ZenoSearch;Deleted.;
ljjkigg.dll;C:\WINDOWS\SYSTEM32;Trojan.Virtumod;Will be cured after reboot.;
mndsregj.exe;C:\WINDOWS\SYSTEM32;Adware.ZenoSearch;Deleted.;
qwinondt.exe;C:\WINDOWS\SYSTEM32;Adware.Hotbot;Deleted.;
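
The report posted above is a semicolon-separated list, one `name;location;detection;action;` record per line. As an added example (not code from this thread or from Dr.Web), the Python script below parses that format and separates the findings that still matter after the scan: records marked "Will be cured after reboot." (files that were locked, typically DLLs loaded into a running process, which CureIt can only schedule for the next boot, hence the instruction to reboot) from copies inside System Restore snapshots (`System Volume Information\_restore{...}\RPnnn`), which are inert unless that restore point is rolled back. It also collapses the same file listed twice under differently-cased paths, as `cbawx.dll` is above. The sample records are copied from the posted log; the grouping rules, the regular expression and the function names are this example's own, not a Dr.Web convention.

```python
"""Parse a Dr.Web CureIt report ('File > Save report list' format,
one 'name;location;detection;action;' record per line) and sort the
findings into the groups a responder actually needs to act on."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a few records copied from the report posted above.
SAMPLE_REPORT = """\
cbawx.dll;c:\\windows\\system32;Trojan.Virtumod;Will be cured after reboot.;
dwdsregt.exe;c:\\windows\\system32;Adware.ZenoSearch;Moved.;
TTC.dll;C:\\Program Files;Adware.Websearch;Moved.;
A0169285.exe;C:\\System Volume Information\\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\\RP195;Trojan.Fakealert;Deleted.;
A0173287.exe\\data001;C:\\System Volume Information\\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\\RP197\\A0173287.exe;Adware.Bagon;;
A0173287.exe;C:\\System Volume Information\\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\\RP197;Archive contains infected objects;Moved.;
cbawx.dll;C:\\WINDOWS\\SYSTEM32;Trojan.Virtumod;Will be cured after reboot.;
"""

# Action string CureIt uses for a locked file it will handle at next boot.
PENDING = "Will be cured after reboot."
# System Restore snapshot directories (assumed layout: <drive>:\System Volume
# Information\_restore{GUID}\RPnnn, as seen in the posted log).
RESTORE_POINT = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[^}]+\}\\rp\d+", re.I)


@dataclass(frozen=True)
class Entry:
    name: str        # file name, or 'archive\\member' for objects inside an archive
    location: str    # directory (or archive path) that held it
    detection: str   # Dr.Web detection name
    action: str      # what CureIt did; empty for members of a scanned archive

    @property
    def full_path(self) -> str:
        return f"{self.location}\\{self.name}"


def parse_report(text: str) -> list:
    """Parse report text into Entry objects; reject malformed records."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(";")
        # Every record ends with ';', so a well-formed line splits into
        # five parts, the last of which is empty.
        if len(parts) != 5 or parts[4] != "":
            raise ValueError(f"line {lineno}: malformed record: {line!r}")
        entries.append(Entry(*parts[:4]))
    return entries


def triage(entries: list) -> dict:
    """Group findings: locked files pending reboot, restore-point copies, the rest."""
    # The same file can be listed twice with different path casing; NTFS
    # paths are case-insensitive, so collapse those into one finding.
    unique, seen = [], set()
    for e in entries:
        key = e.full_path.lower()
        if key not in seen:
            seen.add(key)
            unique.append(e)
    in_restore = [e for e in unique if RESTORE_POINT.match(e.location)]
    live = [e for e in unique if e not in in_restore]
    return {
        "unique": unique,
        "pending_reboot": [e for e in live if e.action == PENDING],
        "restore_point_copies": in_restore,
        "live": live,
        "by_family": Counter(e.detection for e in unique),
    }


def summarize(text: str) -> str:
    """Human-readable triage of a report: what is still live, what needs a reboot."""
    t = triage(parse_report(text))
    lines = [f"{len(t['unique'])} unique findings, "
             f"{len(t['live'])} outside System Restore snapshots"]
    for e in t["pending_reboot"]:
        lines.append(f"REBOOT REQUIRED  {e.full_path}  [{e.detection}]")
    for e in t["restore_point_copies"]:
        lines.append(f"restore point    {e.full_path}  [{e.detection}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Run against the full log above, this separates the fourteen restore-point entries from the handful of live files (five in `system32`, `TTC.dll` in `Program Files`, `TISKY009.exe` in `WINDOWS`) and flags the two Virtumod DLLs as still loaded at scan time, which is why CureIt could only mark them for the next boot and why the reboot step in the instructions is not optional.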

#11 oldf@rt

Posted 26 July 2007 - 04:13 PM

We need for you to post a HijackThis log. Please follow the instructions in the Preparation Guide for posting a HijackThis log.

If you cant complete all the steps, just move on to the next or skip the step if you have already run that particular program.

Please reference this thread when you post the HijackThis log.

Edited by oldf@rt, 26 July 2007 - 04:15 PM.
