
Trojan was blocked - do I need to do anything else?


24 replies to this topic

#1 Sun&Sea

Sun&Sea

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 AM

Posted 06 May 2011 - 08:46 PM

Hello,

I am new here so I hope I put this in the correct forum...please advise if this needs to be moved.

I downloaded a game file from a file share site (link to the file share site was from a "trusted" source) but as it was downloading, I got a message from my Norton Security that it blocked a Trojan ADH virus. I wasn't sure if I should continue to allow the download to complete but assumed all was good with it having been blocked.

After the file downloaded, I then did a quick scan on my computer with Norton as well as for each individual file that came with this download to be sure all was still good and nothing was found. I also have SpyBot and ran that as well and all was good there too.

Not having a full understanding of how these viruses work or exactly where they originate, and even after they are blocked from the download, whether something nefarious could still be in the game itself (possibly undetected by my security?), so my question is should I keep this file on my computer or do anything else to be sure all is ok?

Oh and in case you need to know...I have a PC with MS Vista, but let me know if any further info is needed to discern what the best action is to take, if anything.

Thank you!
Sun & Sea


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:38 PM

Posted 06 May 2011 - 10:17 PM

Hello, well it's not impossible for even a favorite and/or trusted site to get hacked. Looks like your AV blocked the infection that was included in the download. I generally download and save these things to my desktop and then I scan that folder before I open it.

So if you can still scan the download, do so, or dump it and start over. If in doubt, do NOT open.

I hope I made that clear :) Sun & Sea

We have similar likes
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Sun&Sea

Posted 07 May 2011 - 01:49 AM

Thanks Boopme! I did do a scan on all individual files associated with the download and also scanned the desktop icon -- though I didn't save it all first to my desktop. I had already opened it too after all was done downloading after I got the blocked virus message, though was a little hesitant to do so and so I also ran a scan after I opened it as well.

I just am not sure how these virus things work exactly in that even if they are blocked, could there be something else that isn't being detected? I have heard Norton isn't the best at detecting everything but I did run a Spybot check too as mentioned, so would it be advised to try something else to be absolutely sure nothing else is infecting my computer? I know...paranoia at its best here - lol

#4 boopme

Posted 07 May 2011 - 09:41 AM

Sure always better to be safe,

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


#5 Sun&Sea

Posted 08 May 2011 - 08:28 PM

Thanks Boopme.....I am scanning now. Meanwhile I have another question if you don't mind.

I came across some info:
"Never download programs, games or applications from malicious websites such as Warez. Most of the downloads are bundled together with Trojan viruses that install entries in the registry"

Warez is not where I got my download from - it was a file share site, but I decided to run a Registry error scan using the Uniblue Registry Booster and it came up with 299 errors. Of course they ask you to pay to fix them which I don't want to do (pay for it, that is). Maybe the ESET scan will show if there is something amiss with any of my registries, but that seems to be a high number of errors. Is that something I need to address? My computer does seem to run fairly normally and I haven't received any registry error messages prior to running that registry error scan. Probably this question needs to go into a different forum but I couldn't figure out where to put that question.

I'll let you know how the ESET scan went.

Oh and one more thing....I tried to uninstall that game - decided it wasn't worth having it sit on my computer with what happened. So I went to my control panel and from the programs menu I found the download and clicked "uninstall". I then got a message saying there was some sort of problem - that either it was already uninstalled or something else was keeping it from uninstalling(can't remember exactly what it said). I hadn't done anything to it prior to that so I am not sure why it won't let me uninstall it. It is still there (in my program file folders and icon shortcut on my desktop) and still comes up when I click the shortcut. That can't be a good sign???

Thanks again for all of your help so far!

Edited by Sun&Sea, 08 May 2011 - 08:35 PM.


#6 boopme

Posted 08 May 2011 - 08:44 PM

EDIT/ for the game... see if it is running in the System tray by the clock. If so, right click it there and select some form of stop/end. Also look in the Task Manager to see if it is running there. This is a common reason one cannot uninstall, if it is running. Or boot to Safe Mode and then try to uninstall.



This is correct on some bundled software. And definitely what can happen ...

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

...One of the most aggressive and intrusive of all bad websites on the Internet are serial, warez, software cracking type sites...they sneak malware onto your system...Where do trojan viruses originate? One of the biggest malware distributors on the Internet are serial/warez/code cracking sites.

Bad Web Sites: Malware



Now some more advice on Registry Cleaners..

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:
  • Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

    The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.
  • Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.
  • Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.
  • Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.
  • The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.

Edited by boopme, 08 May 2011 - 08:50 PM.


#7 Sun&Sea

Posted 08 May 2011 - 09:54 PM

oooh, that bundled software info is scary stuff! I learned my lesson and won't be downloading from file share sites anymore.

The ESET scan is still running - not sure if I should be using my computer while it is running but here I am typing away none the less. I won't use any programs while it is running though but just checked it and it is showing 6 infected files so far - all are from Win32 Registry Booster Application. Does that mean that Uniblue Registry Booster thing I just downloaded to run a free scan is infected? I will heed your advice on not fixing any of the errors it showed...thanks for that info. And I will uninstall the Uniblue thing too, but probably should wait till ESET is done. It looks like it might take a while - I am now 1 1/2 hours into it and it is showing only 43% done. I need to do some important things on my computer though soon here and I may have to stop the scan...if I do, will it pick up where it left off when I scan again or start all over again?

And lastly, I checked my system tray for that game - I assume you mean my bottom tool bar? Nothing was showing there for that game. I also checked Task Manager and it isn't running there either.

EDIT: I looked again at my Norton history and saw where the Trojan was found - it was in the uninstall.exe for that game. Even though Norton blocked it and says no action needed, could that be why I can't uninstall it? What do I do if so?

Edited by Sun&Sea, 09 May 2011 - 12:46 AM.
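The uninstall problem described in the last few posts has a mechanical explanation that is worth checking directly. The Control Panel "Programs" list is built from the Uninstall keys in the registry, and each entry's UninstallString points at an executable; when the AV quarantines that uninstall.exe, Control Panel launches a file that no longer exists and reports that the program may already have been removed, while the game's folder and its desktop shortcut stay behind. The script below is an added example, not code from either poster, Norton, ESET or Revo. It lists uninstall entries whose uninstaller is missing on disk, exports the matching registry key with reg.exe before anything is deleted (the backup that post #6 says is essential before any registry change), and resolves desktop shortcuts so the real install folder can be located. It assumes Windows PowerShell 2.0 or later is installed; the display name in $Name is a placeholder, since the thread never names the game.

```powershell
# Added example, not from the thread. Finds Control Panel uninstall entries whose
# uninstaller executable is missing on disk (the situation when an AV quarantines
# uninstall.exe), backs up the matching registry key with reg.exe before anything
# is removed, and resolves desktop shortcuts so the game's real folder can be found.
# Requires Windows PowerShell 2.0 or later. $Name is an assumed placeholder; the
# thread never gives the game's display name.
param([string]$Name = 'Game')

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # present on 64-bit only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-UninstallExePath {
    # UninstallString is usually "C:\path\uninstall.exe" /flags or C:\path\uninstall.exe /flags;
    # return just the executable so its existence can be checked.
    param([string]$UninstallString)
    if (-not $UninstallString) { return $null }
    if ($UninstallString -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($UninstallString -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $null
}

function Get-UninstallEntries {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty $key.PSPath
            if (-not $p.DisplayName) { continue }
            $exe = Get-UninstallExePath $p.UninstallString
            New-Object PSObject -Property @{
                DisplayName     = $p.DisplayName
                # strip the provider prefix so reg.exe accepts the path
                KeyPath         = $key.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                UninstallString = $p.UninstallString
                UninstallExe    = $exe
                ExeMissing      = ($exe -ne $null) -and -not (Test-Path $exe)
            }
        }
    }
}

function Get-ShortcutTarget {
    # Resolve a .lnk file to the executable it launches.
    param([string]$LnkPath)
    $shell = New-Object -ComObject WScript.Shell
    $shell.CreateShortcut($LnkPath).TargetPath
}

$entries = Get-UninstallEntries

# 1. Entries whose uninstaller is gone: Control Panel cannot remove these and
#    typically reports that the program may already have been uninstalled.
"Uninstall entries pointing at a missing executable:"
$entries | Where-Object { $_.ExeMissing } | Format-Table DisplayName, UninstallExe -AutoSize

# 2. Export the key for the program in question before deleting anything,
#    so the change can be undone by double-clicking the .reg file.
foreach ($t in ($entries | Where-Object { $_.DisplayName -like "*$Name*" })) {
    $backup = Join-Path $env:USERPROFILE ('Desktop\uninstall-key-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export $t.KeyPath $backup /y | Out-Null
    "Exported $($t.KeyPath) to $backup"
}

# 3. Desktop shortcuts whose target lives under the Downloads folder, which is
#    where a game run straight from a download typically ends up.
$desktop   = Join-Path $env:USERPROFILE 'Desktop'
$downloads = Join-Path $env:USERPROFILE 'Downloads'
"Desktop shortcuts pointing into $downloads :"
Get-ChildItem $desktop -Filter *.lnk | ForEach-Object {
    $target = Get-ShortcutTarget $_.FullName
    if ($target -and $target.StartsWith($downloads, [StringComparison]::OrdinalIgnoreCase)) {
        "$($_.Name) -> $target"
    }
}
```

Run it from an elevated PowerShell prompt (HKLM export needs admin rights). If the game's entry shows up in section 1 with ExeMissing, the Control Panel route is a dead end and the leftover folder has to be removed by hand or with a tool such as Revo; section 3 tells you which folder that is, and the .reg file from section 2 lets you restore the key if you later decide you deleted the wrong one.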


#8 Sun&Sea

Posted 09 May 2011 - 12:39 AM

ok boopme, ESET scan completed. It showed 18 infected files and said they were all cleaned/deleted or quarantined.

Here's the report. From here I don't know what to do about the quarantine list. I am going to close out of the ESET results window and hope I can gain access to the quarantine list at a later date but don't know how to do that exactly. :unsure:

Also, please note my question in my previous post about how to uninstall that game....if you know how to help me with that issue. It is not showing up in my programs list from my control panel anymore since I first tried to uninstall it and got that message saying trouble uninstalling, but there is a file folder in my Downloads folder for the game - I don't see the uninstall.exe file in there anymore though. And then also it is on my desktop as a shortcut which if I click takes me to the game so I know it is still on my computer and has not been uninstalled. Thanks kindly!

C:\Program Files\Uniblue\RegistryBooster\Launcher.exe || Win32/RegistryBooster application || cleaned by deleting - quarantined

C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe || Win32/RegistryBooster application || cleaned by deleting - quarantined

C:\Program Files\Uniblue\RegistryBooster\rbnotifier.exe || Win32/RegistryBooster application || cleaned by deleting - quarantined

C:\Program Files\Uniblue\RegistryBooster\rb_move_serial.exe || Win32/RegistryBooster application || cleaned by deleting - quarantined

C:\Program Files\Uniblue\RegistryBooster\rb_ubm.exe || Win32/RegistryBooster application || cleaned by deleting - quarantined

C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe || Win32/RegistryBooster application || cleaned by deleting (after the next restart) - quarantined

C:\Users\F\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GFXJR1F0\index-functions[1].js || Win32/RegistryBooster application || cleaned by deleting - quarantined

C:\Users\F\AppData\Local\Mozilla\Firefox\Profiles\xnvc2x2i.default\Cache\36D10AA9d01 || Win32/RegistryBooster application || deleted - quarantined

C:\Users\F\AppData\Local\Temp\NODD6D6.tmp || Win32/RegistryBooster application || cleaned by deleting - quarantined

C:\Users\F\AppData\Local\Temp\mia8E63.tmp\data\OFFLINE\D038292B\DBD9B16A\Launcher.exe || Win32/RegistryBooster application || cleaned by deleting - quarantined

C:\Users\F\AppData\Local\Temp\mia8E63.tmp\data\OFFLINE\D038292B\DBD9B16A\rbmonitor.exe || Win32/RegistryBooster application || cleaned by deleting - quarantined

C:\Users\F\AppData\Local\Temp\mia8E63.tmp\data\OFFLINE\D038292B\DBD9B16A\rbnotifier.exe || Win32/RegistryBooster application || cleaned by deleting - quarantined

C:\Users\F\AppData\Local\Temp\mia8E63.tmp\data\OFFLINE\D038292B\DBD9B16A\rb_move_serial.exe || Win32/RegistryBooster application || cleaned by deleting - quarantined

C:\Users\F\AppData\Local\Temp\mia8E63.tmp\data\OFFLINE\D038292B\DBD9B16A\rb_ubm.exe || Win32/RegistryBooster application || cleaned by deleting - quarantined

C:\Users\F\AppData\Local\Temp\mia8E63.tmp\data\OFFLINE\D038292B\DBD9B16A\registrybooster.exe || Win32/RegistryBooster application || cleaned by deleting - quarantined

C:\Users\F\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\c669a2-53cd866a || multiple threats || deleted - quarantined

C:\Users\F\Documents\My Games\Install_DC.EXE || a variant of Win32/AdInstaller application || deleted - quarantined

C:\Users\F\Downloads\registrybooster.exe || Win32/RegistryBooster application || deleted - quarantined

Edited by Sun&Sea, 09 May 2011 - 12:54 AM.
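The log above has a simple structure (path || detection name || action taken, one record per line) and is easy to triage by machine rather than by eye. Of the 18 records, 16 are the Registry Booster program and its installer copies, one is a Java deployment cache entry ESET labels "multiple threats", and one, C:\Users\F\Documents\My Games\Install_DC.EXE, is an ad-bundling installer sitting in the game folder. The script below is an added example, not part of the post and not an ESET tool; it parses an excerpt copied from the posted log, counts detections by name, separates the "application" (potentially unwanted program) detections from the rest, and lists the files ESET could only delete after a reboot so they can be re-checked once the machine has restarted. It assumes Windows PowerShell 2.0 or later.

```powershell
# Added example, not from the thread. Parses the ESET log format shown in the
# post above (path || detection || action, one record per line) and produces
# a triage summary: counts per detection name, the records that are not
# "application" (PUA) class, and the files ESET could only delete after a
# reboot, which should be re-checked once the machine has restarted.
# The sample below is an excerpt copied from the posted log.

$esetLog = @'
C:\Program Files\Uniblue\RegistryBooster\Launcher.exe || Win32/RegistryBooster application || cleaned by deleting - quarantined
C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe || Win32/RegistryBooster application || cleaned by deleting (after the next restart) - quarantined
C:\Users\F\AppData\Local\Temp\NODD6D6.tmp || Win32/RegistryBooster application || cleaned by deleting - quarantined
C:\Users\F\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\c669a2-53cd866a || multiple threats || deleted - quarantined
C:\Users\F\Documents\My Games\Install_DC.EXE || a variant of Win32/AdInstaller application || deleted - quarantined
C:\Users\F\Downloads\registrybooster.exe || Win32/RegistryBooster application || deleted - quarantined
'@

function ConvertFrom-EsetLog {
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line.Trim() -eq '') { continue }
        $parts = $line -split '\s\|\|\s'
        if ($parts.Count -ne 3) { Write-Warning "Unparsed line: $line"; continue }
        # ESET names potentially unwanted/unsafe programs "... application";
        # anything else (here "multiple threats") is treated as real malware.
        $class = 'Threat'
        if ($parts[1].Trim() -match 'application$') { $class = 'PUA' }
        New-Object PSObject -Property @{
            Path        = $parts[0].Trim()
            Detection   = $parts[1].Trim()
            Action      = $parts[2].Trim()
            Class       = $class
            NeedsReboot = [bool]($parts[2] -match 'after the next restart')
        }
    }
}

$records = ConvertFrom-EsetLog $esetLog

"Detections by name:"
$records | Group-Object Detection | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"Records that are not PUA class:"
$records | Where-Object { $_.Class -eq 'Threat' } | Format-Table Path, Detection, Action -Wrap

"Deletions deferred to the next restart (verify after rebooting):"
$records | Where-Object { $_.NeedsReboot } | ForEach-Object {
    # Test-Path against the live file system shows whether the deferred delete happened.
    New-Object PSObject -Property @{ Path = $_.Path; StillPresent = (Test-Path $_.Path) }
} | Format-Table -AutoSize
```

Paste the full 18-line log into $esetLog to triage the whole scan. The useful outcome of the summary is that the registry cleaner noise collapses into one line, leaving two records to think about: the Java cache entry, and the installer under My Games that came with the game and is the one item in the log actually connected to the download that started this thread.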


#9 boopme

Posted 09 May 2011 - 07:20 PM

Hi, this looks good, all were removed there, and if you selected uninstall ESET after close it will remove them first. They are gone.
Use this ,if you still have trouble we'll get it.

Revo Uninstaller:

Please download the Revo Uninstaller to your desktop.

Note ---> Scroll down the page and be sure to download the "freeware" version not the "30d fully functional free trial, called Professional"

  • Double click Revo.exe to install and run.
  • Highlight XXXX.
  • Choose Uninstall.
  • Are you sure - Yes
  • Mode - Advanced
  • Are you sure - Yes
  • Initial Uninstall - Next
  • Scanning for leftovers - Next
  • Check the bolded box only!!!! <--- Important!!
  • Delete
  • Yes
  • Finish


I also want to do a quick scan..

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

#10 Sun&Sea

Posted 10 May 2011 - 01:35 AM

Thanks Boopme! I didn't uninstall ESET though...wasn't sure if I was supposed to do that or not and so I x'd out of the results box as I mentioned in my previous post. I see it in my program files and can uninstall from there...is it advised to do so or is it a problem keeping it on my computer for future use?

I installed the Revo Uninstaller and have a few questions:

1. In the Revo window, the game I want to uninstall is not showing up in the list of installations to highlight to remove. As mentioned in my previous post, it isn't listed in my programs from my control panel either which is where I assume Revo is getting this list from, but it is still installed because the desktop icon and the file found in my computer download files are both still there and both still activate the game. How do I proceed in this case?

2. I clicked on "Hunter Mode" and now have that target looking icon on my desktop - could I use that to remove the desktop icon and the file folder in my computer files...will that uninstall them that way?


I will look into doing the malwarebytes thing, thanks for that info!

Edited by Sun&Sea, 10 May 2011 - 02:00 AM.


#11 Sun&Sea

Posted 11 May 2011 - 07:28 PM

Hi Boopme,

I had a few questions in my previous post I was waiting to hear back from you about. The Revo isn't detecting that game to uninstall so I am not sure how to proceed with getting rid of the thing. I asked about using the target "Hunter Mode" but didn't want to try it in case it merely got rid of the icon and the file folder but didn't really uninstall and then I'd have no way to find it again to uninstall with another method (hope that makes sense?)

I haven't run the malwarebytes thing yet because I am leery of turning off my security for 5 hours....will it really take that long to run that program?

Thanks so much for your help!

#12 boopme

Posted 11 May 2011 - 08:38 PM

Hello, you can run MBAM, the quick scan should take 20-60 minutes. You can leave your security on. Do you use Spy Bot?
I am looking at Hunter right now and will be right back.

#13 boopme

Posted 11 May 2011 - 09:23 PM

Yes you can use it that way,
Uses of Hunter Mode
How to use Hunter mode of Revo Uninstaller

After clicking the Hunter Mode button in the Revo Uninstaller user interface, a target button appears on the desktop; press the left mouse button and drag and drop the target button onto the application icon on the desktop that you want to use Hunter Mode on.


After using the hunter mode right click on target button and click Exit to turn off hunter mode in Revo Uninstaller.

#14 Sun&Sea

Posted 11 May 2011 - 10:19 PM

Yes, I do have Spy Bot on my computer. It doesn't do anything automatically unless I manually activate it to do a scan. I didn't get any message from Spy Bot at the time Norton notified me it blocked that Trojan. However, I ran a Spy Bot full system scan after I got the Norton message though (think I mentioned that already) and it didn't detect anything. So, will I still need to disable the Spy Bot for the MBAM?

I'll do the Hunter Mode to uninstall the game before I do the MBAM, unless you advise to do it first before I uninstall the game?

#15 boopme

Posted 12 May 2011 - 09:37 AM

We are really concerned about an app like SpyBot's Teatimer. If it is not running then you are OK. That app will prevent any changes you make. So in short it's OK to leave alone. Remove the game and then scan with MBAM.



