Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan - TR/dropper.gen or Mal/Sinowa -A


  • Please log in to reply
6 replies to this topic

#1 adamsmb

adamsmb

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:00 PM

Posted 07 April 2009 - 09:02 PM

Hello all,

Please forgive my ignorance here, and please let me know if I'm posting in the wrong location. A friend recommended posting here for help.

Basically, I think that I was infected with a trojan. I'm thinking that it is now removed, but am not sure of the damage it may have caused. My scans are coming up clean, but there continues to be suspicious activity. Below is the sequence of events:

1. I get a warning from Avira that TR/Dropper.gen has been detected. I select quarantine, and then my computer starts freezing frequently and seemingly randomly. I can't remember if it was Avira or another scanner, but it was also once identified as mal/sinowa -A.

2. After multiple runs of both Avira and Webroot, I'm getting a detected trojan, but neither can remove the offender.

3. I try multiple free online virus scans, but the only one that seems to work is f-secure, which successfully removes the trojan. Somewhere around this time, every time I open IE or Windows Explorer, Windows Installer comes up asking me to insert my disc for Microsoft Money 2003.

4. After removal, the computer continues to act strangely. Freezing randomly, and hard shutdowns automatically reboot the computer, instead of just shutting it down, as I would expect. I decide that I should go through my msconfig file as well as "add/remove programs" in the control panel and remove items I no longer need, as well as anything suspicious. I used a website providing information on what was in the msconfig file to make my decisions. I can't remember which one it was, but it seemed basic and trustworthy (and familiar, I think I've used it before). I bring this up mainly because I uninstalled multiple HP printer options. After one of my hard shutdowns / reboots, I noticed that the printers were back. I'm not sure if it's possible to force system restores, or if this is a simple case of an uninformed user removing a program incompletely, but thought this could be important.

5. Several of the times I attempt to restart the computer, I get a blue screen forcing "check disk" to run. After I get back into Windows, I get a message that states that "The system has recovered from a major error". Sorry, but I don't have a screenshot.

6. I've run several scans using Webroot, Avira, and Zone Alarm. Each time, the computer either freezes or comes up clean.

I'm not sure if I'm still infected, or if the trojan did damage that is now evident. I've got some files on my machine that I'd like to save if at all possible (photos that can't be replaced). I've copied some of these to an external drive, but I suppose the health of that drive is a separate question.

Please let me know if you have any thoughts on what my problem may be, or how I should proceed.

Thanks,

Matt

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:00 PM

Posted 08 April 2009 - 11:50 AM

Hello if possible plese run this scan..
Next run MBAM:
Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


A forrmat if possible will remove all errors and malware as it will remove all files.
2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executables files or any window files. These include .exe's, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 adamsmb

adamsmb
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:00 PM

Posted 08 April 2009 - 01:26 PM

Thank you very much! MBAM found an infected registry key missed by other scanners. I'll reboot and run MBAM again to ensure it was repaired. Please let me know if you think I need to take other steps to repair potential damage, or if this registry key could be the source of my problems.

Below is my MBAM log:

Malwarebytes' Anti-Malware 1.36
Database version: 1952
Windows 5.1.2600 Service Pack 2

4/8/2009 1:22:06 PM
mbam-log-2009-04-08 (13-22-06).txt

Scan type: Quick Scan
Objects scanned: 91690
Time elapsed: 32 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 adamsmb

adamsmb
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:00 PM

Posted 08 April 2009 - 03:40 PM

So I went to run another quick scan after rebooting, and the computer shut down to a blue screen in the middle of the scan. I got the following stop message:

STOP: 0X0000008E (0XC0000005,0X805844E7,0XB91C0BDC,0X00000000)

I've seen this message a couple of times, but forgot to mention that in the initial post. After booting back up, I've run another quick scan and come back clean. I'm now running a full scan, which is appearing good so far.

I found an article on Microsoft's site mentioning what to do when you get these types of stop messages (http://support.microsoft.com/kb/329284). I have NOT submitted an error report as indicated by the article, but will the next time it happens unless advised not too. I didn't submit because I didn't want to do anything that would conflict with the path you're helping me down.

Please let me know your thoughts.

Thanks!

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:00 PM

Posted 08 April 2009 - 09:02 PM

Hi, thi error is usually driver related. I suggest you look the Event Viewer and post that in a new topic with the description yiou posted above in the XP forum. they will help you fix it.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 adamsmb

adamsmb
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:00 PM

Posted 09 April 2009 - 07:26 AM

Thanks for your help, Boopme! It sounds like I'm in okay shape with the trojan, and will follow your advice and post my new issue in the forum you mentioned.

Thanks again!

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:00 PM

Posted 09 April 2009 - 10:02 AM

You're welcome!
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users