
virus/trojan confusion, logs included


This topic is locked
1 reply to this topic

#1 JugglingJack


  • Members
  • 17 posts

Posted 19 April 2009 - 04:35 AM

Well, for a bit of background, I had my computer infected with trojans and I ended up confused. Finally I got the AVG antivirus, whereas before I used Avast! antivirus. Early on, I did a boot scan with avast! and I deleted several files with names such as C:\WINDOWS\system32\nujetepu.dll, C:\WINDOWS\system32\toloposo.dll, and many others. Fortunately, I have not directly noticed any effects of these trojans or any other viruses that were brought along with them, except that (A) at first the administrator disabled my rights to regedit and folder options (and there is only 1 admin) and (B) my computer slowed down a little bit (not by much). I have fixed problem A; however, problem B remains and I am almost sure that there is trojan or virus residue left over, so here is my HijackThis log. I would be grateful for any help. I will also post my Avast! log, showing from where it started.

Avast! Antivirus Log

2/15/2009 12:25:00 AM SYSTEM 1712 Sign of "HTML:IFrame-CD [Trj]" has been found in "http://mp3cdt.com/?a=codaformal\?a=codaformal" file.
2/15/2009 5:33:03 PM SYSTEM 1712 Sign of "JS:Packed-T [Trj]" has been found in "http://aqwweohwq.com/xbweriowqa/pdf.php?id=30976" file.
2/15/2009 5:33:03 PM SYSTEM 1712 Sign of "JS:Packed-T [Trj]" has been found in "http://aqwweohwq.com/xbweriowqa/pdf.php?id=30976&vis=1" file.
3/28/2009 1:00:10 PM SYSTEM 1696 Sign of "JS:FakeAV-Q [Trj]" has been found in "http://scanner.av-best.info/scan.php?campaign=mmb_46920772&landid=4\{gzip}" file.
3/28/2009 1:00:32 PM SYSTEM 1696 Sign of "JS:FakeAV-Q [Trj]" has been found in "http://scanner.av-best.info/scan.php?campaign=mmb_46820773&landid=4\{gzip}" file.
3/29/2009 12:11:50 PM SYSTEM 1696 Sign of "Win32:Tiny-II [Trj]" has been found in "C:\Documents and Settings\George\Temporary Internet Files\Content.IE5\CNAN6O4M\tsstduhii[1].htm" file.
3/29/2009 12:12:20 PM SYSTEM 1696 Sign of "Win32:Tiny-II [Trj]" has been found in "C:\Documents and Settings\George\Temporary Internet Files\Content.IE5\JV56MJME\cmjjtkllmv[1].htm" file.
3/29/2009 12:12:35 PM SYSTEM 1696 Sign of "Win32:Tiny-II [Trj]" has been found in "C:\Documents and Settings\George\Temporary Internet Files\Content.IE5\562TKQL5\xdmane[1].htm" file.
3/29/2009 12:12:45 PM SYSTEM 1696 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\wicnin.exe" file.
3/29/2009 12:12:52 PM SYSTEM 1696 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\wicnin.exe" file.
3/29/2009 12:16:42 PM SYSTEM 1696 Sign of "Win32:Lighty [Cryp]" has been found in "C:\DOCUME~1\George\LOCALS~1\Temp\WER682c.dir00\explorer.exe.hdmp" file.
4/17/2009 9:16:59 PM George 5528 Sign of "JS:Warezov-A [Trj]" has been found in "C:\49837875" file.
4/17/2009 9:17:31 PM SYSTEM 1736 Sign of "JS:Warezov-A [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1586461865-3210436361-2333317282-1005\Dc74" file.
4/17/2009 9:17:50 PM SYSTEM 1736 Sign of "JS:Warezov-A [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1586461865-3210436361-2333317282-1005\Dc75" file.
4/17/2009 9:17:56 PM SYSTEM 1736 Sign of "JS:Warezov-A [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1586461865-3210436361-2333317282-1005\Dc76" file.
4/17/2009 9:18:31 PM SYSTEM 1736 Sign of "JS:Warezov-A [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1586461865-3210436361-2333317282-1005\Dc77" file.
4/17/2009 9:18:37 PM SYSTEM 1736 Sign of "JS:Warezov-A [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1586461865-3210436361-2333317282-1005\Dc78" file.
4/17/2009 9:20:26 PM SYSTEM 1736 Sign of "JS:Warezov-A [Trj]" has been found in "C:\RECYCLER\S-1-5-21-1586461865-3210436361-2333317282-1005\Dc79" file.
4/17/2009 9:20:43 PM George 5056 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\2D.tmp\$INSTDIR\ism.exe" file.
4/17/2009 9:20:51 PM George 5056 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\2D.tmp\$INSTDIR\bndloader.exe" file.
4/17/2009 9:21:07 PM George 5056 Sign of "Win32:AdBand [Adw]" has been found in "C:\2D.tmp\$INSTDIR\BndDrive3.dll" file.
4/17/2009 9:21:14 PM George 5056 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\2D.tmp\$INSTDIR\ISMModule3.exe" file.
4/17/2009 10:59:10 PM SYSTEM 1736 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\RECYCLER\S-1-5-21-1586461865-3210436361-2333317282-1005\Dc86.tmp\$INSTDIR\ism.exe" file.
4/17/2009 10:59:20 PM SYSTEM 1736 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\RECYCLER\S-1-5-21-1586461865-3210436361-2333317282-1005\Dc86.tmp\$INSTDIR\bndloader.exe" file.
4/17/2009 10:59:24 PM SYSTEM 1736 Sign of "Win32:AdBand [Adw]" has been found in "C:\RECYCLER\S-1-5-21-1586461865-3210436361-2333317282-1005\Dc86.tmp\$INSTDIR\BndDrive3.dll" file.
4/17/2009 11:00:41 PM SYSTEM 1736 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\RECYCLER\S-1-5-21-1586461865-3210436361-2333317282-1005\Dc86.tmp\$INSTDIR\ISMModule3.exe" file.
4/17/2009 11:13:11 PM George 2912 Sign of "Win32:RPoly [Cryp]" has been found in "C:\WINDOWS\system32\rt25.exe" file.
4/17/2009 11:16:27 PM SYSTEM 1736 Sign of "Win32:RPoly [Cryp]" has been found in "C:\WINDOWS\system32\rt25.exe" file.
4/17/2009 11:39:58 PM George 5316 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe\$INSTDIR\PPCToolbar.dll" file.
4/18/2009 12:17:46 AM George 4756 Sign of "Win32:RPoly [Cryp]" has been found in "C:\WINDOWS\system32\rt25.exe" file.
4/18/2009 12:18:37 AM George 4600 Sign of "Win32:RPoly [Cryp]" has been found in "C:\WINDOWS\system32\rt25.exe" file.
4/18/2009 12:18:45 AM George 4880 Sign of "Win32:RPoly [Cryp]" has been found in "C:\WINDOWS\system32\rt25.exe" file.
4/18/2009 12:23:59 AM SYSTEM 1736 Sign of "Win32:RPoly [Cryp]" has been found in "C:\WINDOWS\system32\rt25.exe" file.
4/18/2009 12:25:12 AM SYSTEM 1736 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\SYSTEM32\NUJETEPU.DLL" file.
4/18/2009 12:27:42 AM SYSTEM 1736 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\paluhoku.dll" file.
4/18/2009 12:28:07 AM SYSTEM 1736 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\windows\system32\nujetepu.dll" file.
4/18/2009 12:28:13 AM SYSTEM 1736 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\windows\system32\nujetepu.dll" file.
4/18/2009 12:28:21 AM SYSTEM 1736 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\SYSTEM32\PALUHOKU.DLL" file.
4/18/2009 12:28:24 AM SYSTEM 1736 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\SYSTEM32\TOLOPOSO.DLL" file.
4/18/2009 12:28:45 AM SYSTEM 1736 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\toloposo.dll" file.
4/18/2009 12:29:19 AM George 1788 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
4/18/2009 12:44:44 AM Administrator 348 Sign of "Win32:Trojan-gen {Other}" has been found in "c:\windows\system32\toloposo.dll" file.
4/18/2009 12:45:07 AM Administrator 348 Sign of "Win32:Vupa [Cryp]" has been found in "c:\windows\wsyrsht.dll" file.
4/18/2009 12:53:41 AM Administrator 1596 Sign of "Win32:Vupa [Cryp]" has been found in "c:\windows\wsyrsht.dll" file.
4/18/2009 12:53:55 AM Administrator 1676 Sign of "Win32:Vupa [Cryp]" has been found in "c:\windows\wsyrsht.dll" file.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:07 AM, on 4/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\3.19.0.16\PlaxoHelper_en.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Gizmo Project\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo Project\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

--
End of file - 4795 bytes


Also, I later scanned in normal mode with AVG and it locked up and said that there were huer virus files, which led me to restart and run AVG in safe mode, where a few files were added to the vault. Overall, I am just wondering if there is still a virus, and if so, how can I get rid of it for good.

Thanks
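The avast! log above shares one line format, and the same paths appear in it several times. As an added example (not from the original post or from avast!), here is a parser for that format that reports every path detected more than once, with which accounts and signatures hit it and over what span; a path that keeps coming back after it was deleted is one sign that something is restoring it. The sample lines are constructed in that format, using file names from the post:

```python
import re
from collections import defaultdict
from datetime import datetime

# avast! 4 log line format seen in the post: <date> <time> <account> <pid> Sign of "<sig>" has been found in "<path>" file.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<account>\S+) (?P<pid>\d+) Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)

def parse_avast_log(text):
    """One dict per detection line; other lines (e.g. the update error) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["when"] = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events

def repeat_detections(events, min_hits=2):
    """Paths (case-folded) hit at least min_hits times, with signatures, accounts and time span."""
    by_path = defaultdict(list)
    for ev in events:
        by_path[ev["path"].lower()].append(ev)
    report = {}
    for path, hits in by_path.items():
        if len(hits) < min_hits:
            continue
        hits.sort(key=lambda e: e["when"])
        report[path] = {
            "count": len(hits),
            "signatures": sorted({e["sig"] for e in hits}),
            "accounts": sorted({e["account"] for e in hits}),
            "span_minutes": (hits[-1]["when"] - hits[0]["when"]).total_seconds() / 60,
        }
    return report

# Constructed sample in the post's format (file names taken from the post, not a real log).
SAMPLE = """\
4/17/2009 11:13:11 PM George 2912 Sign of "Win32:RPoly [Cryp]" has been found in "C:\\WINDOWS\\system32\\rt25.exe" file.
4/18/2009 12:23:59 AM SYSTEM 1736 Sign of "Win32:RPoly [Cryp]" has been found in "C:\\WINDOWS\\system32\\rt25.exe" file.
4/18/2009 12:25:12 AM SYSTEM 1736 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\\WINDOWS\\SYSTEM32\\NUJETEPU.DLL" file.
4/18/2009 12:28:07 AM SYSTEM 1736 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\\windows\\system32\\nujetepu.dll" file.
4/18/2009 12:29:19 AM George 1788 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
4/18/2009 12:45:07 AM Administrator 348 Sign of "Win32:Vupa [Cryp]" has been found in "c:\\windows\\wsyrsht.dll" file.
"""
```

Calling `repeat_detections(parse_avast_log(SAMPLE))` groups the two rt25.exe hits (George, then SYSTEM, 70.8 minutes apart) and the two nujetepu.dll hits, while the single wsyrsht.dll hit and the update error line drop out.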

#2 Orange Blossom


Bleepin Investigator


  • Moderator
  • 36,806 posts
  • Location:Bloomington, IN

Posted 19 April 2009 - 12:20 PM

Hello JugglingJack,

We do not analyze HijackThis logs and similar outside of the HijackThis logs forum. I see, however, that you have properly posted here:
http://www.bleepingcomputer.com/forums/t/220563/highjack-this-log-file-trend-micro-202/

Because you have a log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic. Good luck with your log.

This topic shall disappear in the next 24 hours or so.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
