Author Topic: trojans galore  (Read 40503 times)


Offline sasysusie

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 371
Re: trojans galore
« Reply #30 on: December 30, 2007, 01:29:30 AM »
While running WinPFind3u, a virus alert came up saying a trojan was found. I moved it to the chest, but then the WinPFind3u program froze and was not responding. This has happened twice now. The first time I stopped the scan and tried it again, but the same thing happened. What should I do?
Thanks
Sasy

Offline sasysusie
Re: trojans galore
« Reply #31 on: December 30, 2007, 02:51:09 AM »
I'm trying to run it in safe mode; hopefully that will work. I'll let you know!
Sasy

Offline sasysusie
Re: trojans galore
« Reply #32 on: December 30, 2007, 03:04:36 AM »
It seems to have worked in safe mode; hope that was OK. I'm attaching the log I got.
Thanks
Susie

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: trojans galore
« Reply #33 on: December 30, 2007, 06:23:21 AM »
Can you tell me what avast detected, name and file path?

In windows explorer navigate to this folder

C:\program files\Alwil Software\Avast4\Data\logs

Double click on the warning log in the right hand panel. It will open with Notepad. Copy and paste the contents into a new Notepad and attach it or post it.

Thanks

Offline sasysusie
Re: trojans galore
« Reply #34 on: December 30, 2007, 07:19:17 AM »
11/14/2007   9:24:57 PM   1195097097   SYSTEM   1620   Sign of "Win32:Vundo-gen57 [Adw]" has been found in "C:\WINDOWS\SYSTEM32\OXEKQEWA.DLL" file. 
11/25/2007   8:20:54 PM   1196043654   SYSTEM   1652   Sign of "Win32:Dialer-gen [trj]" has been found in "http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.exe" file. 
11/25/2007   8:21:06 PM   1196043666   SYSTEM   1652   Sign of "Win32:Dialer-gen [trj]" has been found in "C:\Documents and Settings\Julia\Local Settings\Temporary Internet Files\Content.IE5\RSOIDN8C\ZwinkyInitialSetup1.0.0.15-3[1].exe" file. 
11/27/2007   8:18:24 PM   1196216304   SYSTEM   1652   Sign of "Win32:Dialer-gen [trj]" has been found in "http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.exe" file. 
11/27/2007   8:18:37 PM   1196216317   SYSTEM   1652   Sign of "Win32:Dialer-gen [trj]" has been found in "C:\Documents and Settings\Julia\Local Settings\Temporary Internet Files\Content.IE5\WXMFO1EZ\ZwinkyInitialSetup1.0.0.15-3[1].exe" file. 
11/27/2007   8:19:06 PM   1196216346   SYSTEM   1652   Sign of "Win32:Dialer-gen [trj]" has been found in "C:\Documents and Settings\Julia\Local Settings\Temporary Internet Files\Content.IE5\WXMFO1EZ\ZwinkyInitialSetup1.0.0.15-3[1].exe" file. 
11/30/2007   7:14:41 PM   1196471681   SYSTEM   1652   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\Julia\LOCALS~1\Temp\MWSSETUP.EXE" file. 
11/30/2007   7:14:55 PM   1196471695   SYSTEM   1652   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\Julia\LOCALS~1\Temp\MWSSETUP.EXE" file. 
11/30/2007   7:15:59 PM   1196471759   SYSTEM   1652   Sign of "Win32:Dialer-gen [trj]" has been found in "http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.exe" file. 
11/30/2007   7:16:02 PM   1196471762   SYSTEM   1652   Sign of "Win32:Dialer-gen [trj]" has been found in "C:\Documents and Settings\Julia\Local Settings\Temporary Internet Files\Content.IE5\ZJU32OVC\ZwinkyInitialSetup1.0.0.15-3[1].exe" file. 
11/30/2007   7:16:26 PM   1196471786   SYSTEM   1652   Sign of "Win32:Dialer-gen [trj]" has been found in "C:\Documents and Settings\Julia\Local Settings\Temporary Internet Files\Content.IE5\ZJU32OVC\ZwinkyInitialSetup1.0.0.15-3[1].exe" file. 
11/30/2007   7:16:48 PM   1196471808   SYSTEM   1652   Sign of "Win32:Dialer-gen [trj]" has been found in "http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.exe" file. 
11/30/2007   7:16:51 PM   1196471811   SYSTEM   1652   Sign of "Win32:Dialer-gen [trj]" has been found in "C:\Documents and Settings\Julia\Local Settings\Temporary Internet Files\Content.IE5\584VPD4X\ZwinkyInitialSetup1.0.0.15-3[1].exe" file. 
11/30/2007   7:17:29 PM   1196471849   SYSTEM   1652   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\Julia\LOCALS~1\Temp\MWSSETUP.EXE" file. 
11/30/2007   7:17:31 PM   1196471851   SYSTEM   1652   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\Julia\LOCALS~1\Temp\MWSSETUP.EXE" file. 
12/1/2007   5:38:28 PM   1196552308   SYSTEM   1652   Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142. 
12/1/2007   5:38:30 PM   1196552310   SYSTEM   1652   An error has occured while attempting to update. Please check the logs. 
12/10/2007   4:33:19 PM   1197325999   Julia   1632   Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\cewkcvit.dll" file. 
12/10/2007   7:42:32 PM   1197337352   Julia   1600   Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\cewkcvit.dll" file. 
12/27/2007   7:59:44 PM   1198807184   Julia   1608   Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\cewkcvit.dll" file. 
12/27/2007   9:13:29 PM   1198811609   Julia   1608   Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\wpquwusj.dll" file. 
12/27/2007   9:13:59 PM   1198811639   Julia   1608   Sign of "Win32:Agent-NMX [trj]" has been found in "C:\WINDOWS\mrofinu1000106.exe\[UPX]" file. 
12/28/2007   4:33:00 PM   1198881180   SYSTEM   1568   Sign of "Win32:Vundo-gen48 [Adw]" has been found in "C:\WINDOWS\system32\qeibqlcy.dll" file. 
12/29/2007   11:25:54 AM   1198949154   SYSTEM   1660   Sign of "Win32:Agent-MFL [trj]" has been found in "C:\WINDOWS\tsitra1000106.exe.tmp\[UPX]" file. 
12/29/2007   11:26:51 AM   1198949211   SYSTEM   1660   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\retadpu1000106.exe.tmp" file. 
12/29/2007   11:27:40 AM   1198949260   SYSTEM   1660   Sign of "Win32:Agent-JOH [trj]" has been found in "C:\WINDOWS\SYSTEM32\hauyuoqd.exe" file. 
12/29/2007   4:16:29 PM   1198966589   SYSTEM   1660   Sign of "Win32:Agent-JOH [trj]" has been found in "C:\WINDOWS\SYSTEM32\mcvkkmrb.exe" file. 
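Added example, not part of the thread: a small Python parser for the avast 4 warning-log format pasted above. It pulls each detection apart (local time, epoch, user, PID, signature, path), checks that the local-time and epoch columns agree on one clock offset, and then lists what a responder wants first: paths avast has flagged more than once (the detection fired but the file was still there later), randomly named 8-letter files sitting directly in %SystemRoot% or system32, and remote URLs. The sample lines are copied from the log above; the 8-letter-name rule and the "file came back" reading are heuristics of this example, not anything avast itself reports.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Constructed sample: a subset of the avast warning-log lines quoted in the post above.
SAMPLE_LOG = r"""
11/14/2007   9:24:57 PM   1195097097   SYSTEM   1620   Sign of "Win32:Vundo-gen57 [Adw]" has been found in "C:\WINDOWS\SYSTEM32\OXEKQEWA.DLL" file.
11/25/2007   8:20:54 PM   1196043654   SYSTEM   1652   Sign of "Win32:Dialer-gen [trj]" has been found in "http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.exe" file.
11/30/2007   7:14:41 PM   1196471681   SYSTEM   1652   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\Julia\LOCALS~1\Temp\MWSSETUP.EXE" file.
11/30/2007   7:14:55 PM   1196471695   SYSTEM   1652   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\Julia\LOCALS~1\Temp\MWSSETUP.EXE" file.
12/1/2007   5:38:28 PM   1196552308   SYSTEM   1652   Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
12/10/2007   4:33:19 PM   1197325999   Julia   1632   Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\cewkcvit.dll" file.
12/27/2007   7:59:44 PM   1198807184   Julia   1608   Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\cewkcvit.dll" file.
12/27/2007   9:13:59 PM   1198811639   Julia   1608   Sign of "Win32:Agent-NMX [trj]" has been found in "C:\WINDOWS\mrofinu1000106.exe\[UPX]" file.
12/29/2007   11:27:40 AM   1198949260   SYSTEM   1660   Sign of "Win32:Agent-JOH [trj]" has been found in "C:\WINDOWS\SYSTEM32\hauyuoqd.exe" file.
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<epoch>\d+)\s+(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<msg>.*?)\s*$"
)
DETECT_RE = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.')
# Heuristic of this example: eight letters plus dll/exe/ini, as in the Vundo-style names above.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(dll|exe|ini)$", re.IGNORECASE)


def strip_container(path):
    """Drop avast's trailing packer/archive markers such as '\\[UPX]' so the real file name is examined."""
    parts = path.split("\\")
    while len(parts) > 1 and parts[-1].startswith("[") and parts[-1].endswith("]"):
        parts.pop()
    return "\\".join(parts)


def parse_log(text):
    """Return (detections, other_lines). Lines that are not detections (update errors etc.) go to other_lines."""
    detections, other = [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        d = DETECT_RE.search(m["msg"])
        if not d:
            other.append(m["msg"])
            continue
        detections.append({
            "local": datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p"),
            "epoch": int(m["epoch"]),
            "user": m["user"],
            "pid": int(m["pid"]),
            "signature": d["sig"],
            "path": strip_container(d["path"]),
        })
    return detections, other


def clock_offsets_hours(detections):
    """Local column minus epoch column, in hours. One value means the two columns agree on a single time zone."""
    offsets = set()
    for e in detections:
        utc = datetime.fromtimestamp(e["epoch"], tz=timezone.utc).replace(tzinfo=None)
        offsets.add((e["local"] - utc).total_seconds() / 3600)
    return offsets


def looks_random_system_file(path):
    if "://" in path:
        return False
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    in_sysdir = parent.endswith("\\windows\\system32") or parent.endswith("\\windows")
    return in_sysdir and bool(RANDOM_NAME_RE.match(p.name))


def triage(detections):
    """Re-detections (removal did not stick), random-named system files, remote hits, and a per-signature count."""
    hits = Counter(e["path"].lower() for e in detections if "://" not in e["path"])
    random_named = []
    for e in detections:
        if looks_random_system_file(e["path"]) and e["path"] not in random_named:
            random_named.append(e["path"])
    return {
        "by_signature": Counter(e["signature"] for e in detections),
        "repeat_hits": {p: n for p, n in hits.items() if n > 1},
        "random_named": random_named,
        "remote": sorted({e["path"] for e in detections if "://" in e["path"]}),
    }


if __name__ == "__main__":
    dets, other = parse_log(SAMPLE_LOG)
    print(f"{len(dets)} detections, {len(other)} other lines, clock offset(s) {clock_offsets_hours(dets)}")
    for key, value in triage(dets).items():
        print(key, value)
```

For the lines above the offset comes out as -6 hours (the machine's local clock was six hours behind UTC), and both MWSSETUP.EXE and cewkcvit.dll show up as repeat hits, which is the pattern behind the thread title: something keeps re-dropping them.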

Offline oldman
Re: trojans galore
« Reply #35 on: December 30, 2007, 08:59:10 AM »
Please upload this file to www.virustotal.com


C:\WINDOWS\system32\VFind.exe




Please start WinPFind3U.

Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Quote
[Files/Folders - Created Within 90 days]
NY -> aweqkexo.ini -> %System32%\aweqkexo.ini
NY -> jsuwuqpw.ini -> %System32%\jsuwuqpw.ini
NY -> pnuwspur.ini -> %System32%\pnuwspur.ini
NY -> tivckwec.ini -> %System32%\tivckwec.ini
NY -> xplhvmyp.ini -> %System32%\xplhvmyp.ini
[Files/Folders - Modified Within 90 days]
NY -> sqmdata03.sqm -> %SystemDrive%\sqmdata03.sqm
NY -> sqmdata04.sqm -> %SystemDrive%\sqmdata04.sqm
NY -> sqmdata05.sqm -> %SystemDrive%\sqmdata05.sqm
NY -> sqmdata06.sqm -> %SystemDrive%\sqmdata06.sqm
NY -> sqmdata07.sqm -> %SystemDrive%\sqmdata07.sqm
NY -> sqmdata08.sqm -> %SystemDrive%\sqmdata08.sqm
NY -> sqmdata09.sqm -> %SystemDrive%\sqmdata09.sqm
NY -> sqmdata10.sqm -> %SystemDrive%\sqmdata10.sqm
NY -> sqmdata11.sqm -> %SystemDrive%\sqmdata11.sqm
NY -> sqmdata12.sqm -> %SystemDrive%\sqmdata12.sqm
NY -> sqmdata13.sqm -> %SystemDrive%\sqmdata13.sqm
NY -> sqmdata14.sqm -> %SystemDrive%\sqmdata14.sqm
NY -> sqmdata15.sqm -> %SystemDrive%\sqmdata15.sqm
NY -> sqmnoopt03.sqm -> %SystemDrive%\sqmnoopt03.sqm
NY -> sqmnoopt04.sqm -> %SystemDrive%\sqmnoopt04.sqm
NY -> sqmnoopt05.sqm -> %SystemDrive%\sqmnoopt05.sqm
NY -> sqmnoopt06.sqm -> %SystemDrive%\sqmnoopt06.sqm
NY -> sqmnoopt07.sqm -> %SystemDrive%\sqmnoopt07.sqm
NY -> sqmnoopt08.sqm -> %SystemDrive%\sqmnoopt08.sqm
NY -> sqmnoopt09.sqm -> %SystemDrive%\sqmnoopt09.sqm
NY -> sqmnoopt10.sqm -> %SystemDrive%\sqmnoopt10.sqm
NY -> sqmnoopt11.sqm -> %SystemDrive%\sqmnoopt11.sqm
NY -> sqmnoopt12.sqm -> %SystemDrive%\sqmnoopt12.sqm
NY -> sqmnoopt13.sqm -> %SystemDrive%\sqmnoopt13.sqm
NY -> sqmnoopt14.sqm -> %SystemDrive%\sqmnoopt14.sqm
NY -> sqmnoopt15.sqm -> %SystemDrive%\sqmnoopt15.sqm
NY -> imsins.BAK -> %SystemRoot%\imsins.BAK
NY -> aweqkexo.ini -> %System32%\aweqkexo.ini
NY -> jsuwuqpw.ini -> %System32%\jsuwuqpw.ini
NY -> pnuwspur.ini -> %System32%\pnuwspur.ini
NY -> tivckwec.ini -> %System32%\tivckwec.ini
NY -> uambjlan.ini -> %System32%\uambjlan.ini
NY -> xplhvmyp.ini -> %System32%\xplhvmyp.ini

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.



Boot into safe mode and run Combofix again. Post the Combofix log, the log from WinPFind3U, a new HJT log and the virustotal results.

Offline sasysusie
Re: trojans galore
« Reply #36 on: December 30, 2007, 09:33:37 AM »
Here are the virustotal results for C:\windows\system32\Vfind.exe. Now I'll do the rest!

File VFind.exe_ received on 12.30.2007 09:26:11 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.12.29.11 2007.12.29 -
AntiVir 7.6.0.46 2007.12.29 -
Authentium 4.93.8 2007.12.29 -
Avast 4.7.1098.0 2007.12.29 -
AVG 7.5.0.516 2007.12.29 -
BitDefender 7.2 2007.12.30 -
CAT-QuickHeal 9.00 2007.12.29 -
ClamAV 0.91.2 2007.12.30 -
DrWeb 4.44.0.09170 2007.12.29 -
eSafe 7.0.15.0 2007.12.27 -
eTrust-Vet 31.3.5412 2007.12.29 -
Ewido 4.0 2007.12.29 -
FileAdvisor 1 2007.12.30 -
Fortinet 3.14.0.0 2007.12.30 -
F-Prot 4.4.2.54 2007.12.29 -
F-Secure 6.70.13030.0 2007.12.30 -
Ikarus T3.1.1.15 2007.12.30 -
Kaspersky 7.0.0.125 2007.12.30 -
McAfee 5195 2007.12.28 -
Microsoft 1.3109 2007.12.30 -
NOD32v2 2755 2007.12.29 -
Norman 5.80.02 2007.12.28 -
Panda 9.0.0.4 2007.12.30 -
Prevx1 V2 2007.12.30 -
Rising 20.24.52.00 2007.12.29 -
Sophos 4.24.0 2007.12.30 -
Sunbelt 2.2.907.0 2007.12.30 -
Symantec 10 2007.12.30 -
TheHacker 6.2.9.175 2007.12.29 -
VBA32 3.12.2.5 2007.12.29 -
VirusBuster 4.3.26:9 2007.12.29 -
Webwasher-Gateway 6.6.2 2007.12.29 -
 
Additional information
File size: 49152 bytes
MD5: ab44ccd0fa8e55ef88db941eef95560a
SHA1: 39691a6ec072f05e67eab6a26aa9d37e6264bff4
PEiD: Armadillo v1.71
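Added example, not part of the thread: a parser for the plain-text result format VirusTotal returned at the time (as pasted above) plus a local hash check. Two points it makes concrete: the engine table gives the count of scanners that flagged the file, and the MD5/SHA1 in the footer must equal the hashes of the file on your own disk, otherwise the report describes a different file (VirusTotal also appended "_" to the submitted name, which the parser strips). The sample report is a shortened copy of the VFind.exe report above; the stand-in file hashed at the end is constructed and deliberately does not match.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample: a shortened copy of the VFind.exe report posted above.
SAMPLE_REPORT = """\
File VFind.exe_ received on 12.30.2007 09:26:11 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.12.29.11 2007.12.29 -
Avast 4.7.1098.0 2007.12.29 -
Kaspersky 7.0.0.125 2007.12.30 -
McAfee 5195 2007.12.28 -
Microsoft 1.3109 2007.12.30 -

Additional information
File size: 49152 bytes
MD5: ab44ccd0fa8e55ef88db941eef95560a
SHA1: 39691a6ec072f05e67eab6a26aa9d37e6264bff4
PEiD: Armadillo v1.71
"""

# Pasted reports often have the column titles fused onto the header line
# ("...(CET)Antivirus Version Last Update Result"); the optional group accepts both forms.
HEADER_RE = re.compile(r"^File (?P<name>\S+) received on (?P<when>.*?)(?:Antivirus Version Last Update Result)?\s*$")
ENGINE_RE = re.compile(r"^(?P<engine>\S+) (?P<version>\S+) (?P<updated>\d{4}\.\d{2}\.\d{2}) (?P<result>.+?)\s*$")
FIELD_RE = re.compile(r"^(?P<key>File size|MD5|SHA1|PEiD): (?P<value>.+?)\s*$")


def parse_report(text):
    """Dict with engines -> verdict (None = no detection), name, submitted_name, received, size, md5, sha1, peid."""
    report = {"engines": {}}
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            report["submitted_name"] = h["name"]
            report["name"] = h["name"].rstrip("_")   # VirusTotal appends '_' to the uploaded name
            report["received"] = h["when"].strip()
            continue
        e = ENGINE_RE.match(line)
        if e:
            report["engines"][e["engine"]] = None if e["result"] == "-" else e["result"]
            continue
        f = FIELD_RE.match(line)
        if f:
            if f["key"] == "File size":
                report["size"] = int(f["value"].split()[0])
            else:
                report[f["key"].lower()] = f["value"]
    return report


def detections(report):
    """(flagged, total, {engine: verdict}) for the engine table."""
    hits = {eng: res for eng, res in report["engines"].items() if res}
    return len(hits), len(report["engines"]), hits


def digests_of_bytes(data):
    return {"size": len(data), "md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def file_digests(path):
    with open(path, "rb") as fh:        # the files in this thread are tens of KB, so reading whole is fine
        return digests_of_bytes(fh.read())


def mismatches(report, digests):
    """Fields where the local file differs from what the report describes. Empty list means the same file."""
    return sorted(k for k in ("md5", "sha1", "size") if str(report.get(k, "")).lower() != str(digests[k]).lower())


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    flagged, total, hits = detections(rep)
    print(f"{rep['name']} (submitted as {rep['submitted_name']}): {flagged}/{total} engines flagged it {hits}")
    # Constructed stand-in: a temp file that is NOT the reported binary, so every field should mismatch.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe_") as tmp:
        tmp.write(b"MZ stand-in, not VFind.exe\n")
    try:
        print("mismatching fields:", mismatches(rep, file_digests(tmp.name)))
    finally:
        os.unlink(tmp.name)
```

A 0/N result, as here, only says no engine had a signature for that exact file on that day; it does not clear the file, which is why the thread goes on to compare it with other evidence rather than stopping at the report.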


 

Offline sasysusie
Re: trojans galore
« Reply #37 on: December 30, 2007, 09:58:31 AM »
OK, did it all and now I'm attaching the Combofix log, WinPFind3U log and the new HJT log.
Thanks so much for all this help once again.
Hugs ty
Sasy

Offline oldman
Re: trojans galore
« Reply #38 on: December 30, 2007, 11:24:32 AM »
Upload these files to www.virustotal.com

C:\WINDOWS\system32\4B6C98AF0D.sys
C:\WINDOWS\system32\KGyGaAvL.sys


Copy and paste the following into a new notepad

Quote
@echo off
Vfind.exe -ltf "%systemdrive%\* .exe" > Log.txt
Start notepad log.txt

Click File, click Save As. Set the "Save in" box at the top to save it to your desktop, name it check.bat, set the file type to All Files and click OK. You should have a file on your desktop with the icon shown at the bottom of this post.

Double click it; a Notepad window will appear. Save it to your desktop so you can attach it to your next reply.


Run WinPFind3U again with the same setting as before, try normal windows this time and post the log.
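Added example, not part of the thread: WinPFind3U's "Files/Folders - Created Within 90 days" section and the check.bat above (which lists .exe files under %systemdrive%) are both forms of the same check, enumerate recently changed executables. This Python version walks a tree, keeps files with the extensions seen in this thread whose timestamp falls within N days, records size and MD5, and carries on when a directory cannot be read instead of stopping. It uses modification time so it runs anywhere; on Windows pass attr="st_ctime" to use creation time as WinPFind does. The tree it scans is a constructed stand-in built in a temp folder, with harmless text files named after entries in the fix list above.

```python
import hashlib
import os
import stat
import tempfile
import time
from datetime import datetime

# Extensions that appear in the detections and fix lists in this thread.
INTERESTING = {".exe", ".dll", ".ini", ".sys", ".tmp"}


def recent_files(root, days=90, now=None, attr="st_mtime", exts=INTERESTING):
    """Walk `root`; return (found, errors). `found` holds regular files with an interesting
    extension whose `attr` timestamp is within `days` of `now`, newest first, with size and MD5.
    Unreadable directories or files are recorded in `errors` instead of aborting the walk.
    attr="st_mtime" is portable; on Windows attr="st_ctime" is the creation time."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    found, errors = [], []
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda e: errors.append(e.filename)):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
                if not stat.S_ISREG(st.st_mode) or getattr(st, attr) < cutoff:
                    continue
                with open(full, "rb") as fh:
                    digest = hashlib.md5(fh.read()).hexdigest()
            except OSError:
                errors.append(full)
                continue
            found.append({
                "path": os.path.relpath(full, root),
                "size": st.st_size,
                "time": datetime.fromtimestamp(getattr(st, attr)).isoformat(timespec="seconds"),
                "md5": digest,
            })
    found.sort(key=lambda r: r["time"], reverse=True)
    return found, errors


def build_demo_tree(now):
    """Constructed stand-in for a system drive: harmless text files with names borrowed
    from the thread, back-dated with os.utime so the age filter has something to do."""
    root = tempfile.mkdtemp(prefix="recent_demo_")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sys32)
    samples = {                                   # path -> (age in days, content)
        os.path.join(sys32, "aweqkexo.ini"): (3, b"[stand-in]\n"),
        os.path.join(sys32, "kernel32.dll"): (400, b"MZ stand-in, old\n"),
        os.path.join(root, "notes.txt"): (1, b"ignored: extension not of interest\n"),
    }
    for path, (age, data) in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (now - age * 86400, now - age * 86400))
    return root


def format_log(found, errors):
    """One line per file (time, size, md5, path) followed by any read errors, ready to paste into a reply."""
    lines = [f"{r['time']}  {r['size']:>8}  {r['md5']}  {r['path']}" for r in found]
    lines += [f"ERROR could not read: {e}" for e in errors]
    return "\n".join(lines)


if __name__ == "__main__":
    clock = time.time()
    demo_root = build_demo_tree(clock)
    print(format_log(*recent_files(demo_root, days=90, now=clock)))
```

Only the three-day-old aweqkexo.ini survives the filter in the demo: kernel32.dll is too old and notes.txt has the wrong extension. Against a real drive, run it elevated and expect some entries in the error list (protected folders), which is exactly the information a hung scan would otherwise hide.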

Offline sasysusie
Re: trojans galore
« Reply #39 on: December 30, 2007, 04:49:37 PM »
Here are the results from the first file; I'll post the second results as soon as it is done.
File 4B6C98AF0D.sys received on 12.30.2007 16:43:14 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.12.29.11 2007.12.29 -
AntiVir 7.6.0.46 2007.12.30 -
Authentium 4.93.8 2007.12.30 -
Avast 4.7.1098.0 2007.12.29 -
AVG 7.5.0.516 2007.12.30 -
BitDefender 7.2 2007.12.30 -
CAT-QuickHeal 9.00 2007.12.29 -
ClamAV 0.91.2 2007.12.30 -
DrWeb 4.44.0.09170 2007.12.30 -
eSafe 7.0.15.0 2007.12.27 -
eTrust-Vet 31.3.5412 2007.12.29 -
Ewido 4.0 2007.12.30 -
FileAdvisor 1 2007.12.30 -
Fortinet 3.14.0.0 2007.12.30 -
F-Prot 4.4.2.54 2007.12.29 -
F-Secure 6.70.13030.0 2007.12.30 -
Ikarus T3.1.1.15 2007.12.30 -
Kaspersky 7.0.0.125 2007.12.30 -
McAfee 5195 2007.12.28 -
Microsoft 1.3109 2007.12.30 -
NOD32v2 2756 2007.12.30 -
Norman 5.80.02 2007.12.28 -
Panda 9.0.0.4 2007.12.30 -
Prevx1 V2 2007.12.30 -
Rising 20.24.52.00 2007.12.29 -
Sophos 4.24.0 2007.12.30 -
Sunbelt 2.2.907.0 2007.12.30 -
Symantec 10 2007.12.30 -
TheHacker 6.2.9.175 2007.12.29 -
VBA32 3.12.2.5 2007.12.29 -
VirusBuster 4.3.26:9 2007.12.30 -
Webwasher-Gateway 6.6.2 2007.12.30 -
 
Additional information
File size: 104 bytes
MD5: 22a5be6a4be26e00e373ccacf778f14b
SHA1: 01f310ca1f842c182ba7692cc30e97e9b42617bd
PEiD: -


 

Offline sasysusie
Re: trojans galore
« Reply #40 on: December 30, 2007, 04:58:52 PM »
Here is the reply to the second one! Now I'll go on with the rest.
Thank you, thank you

File KGyGaAvL.sys received on 12.30.2007 16:48:35 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.12.29.11 2007.12.29 -
AntiVir 7.6.0.46 2007.12.30 -
Authentium 4.93.8 2007.12.30 -
Avast 4.7.1098.0 2007.12.29 -
AVG 7.5.0.516 2007.12.30 -
BitDefender 7.2 2007.12.30 -
CAT-QuickHeal 9.00 2007.12.29 -
ClamAV 0.91.2 2007.12.30 -
DrWeb 4.44.0.09170 2007.12.30 -
eSafe 7.0.15.0 2007.12.27 -
eTrust-Vet 31.3.5412 2007.12.29 -
Ewido 4.0 2007.12.30 -
FileAdvisor 1 2007.12.30 -
Fortinet 3.14.0.0 2007.12.30 -
F-Prot 4.4.2.54 2007.12.29 -
F-Secure 6.70.13030.0 2007.12.30 -
Ikarus T3.1.1.15 2007.12.30 -
Kaspersky 7.0.0.125 2007.12.30 -
McAfee 5195 2007.12.28 -
Microsoft 1.3109 2007.12.30 -
NOD32v2 2756 2007.12.30 -
Norman 5.80.02 2007.12.28 -
Panda 9.0.0.4 2007.12.30 -
Prevx1 V2 2007.12.30 -
Rising 20.24.52.00 2007.12.29 -
Sophos 4.24.0 2007.12.30 -
Sunbelt 2.2.907.0 2007.12.30 -
Symantec 10 2007.12.30 -
TheHacker 6.2.9.175 2007.12.29 -
VBA32 3.12.2.5 2007.12.29 -
VirusBuster 4.3.26:9 2007.12.30 -
Webwasher-Gateway 6.6.2 2007.12.30 -
 
Additional information
File size: 5642 bytes
MD5: 38e62a8f7a0dc2d32a608c8ae05d952a
SHA1: 8a72c20a7f709cfcc3eb174ae7add131506edab3
PEiD: -


 

Offline sasysusie
Re: trojans galore
« Reply #41 on: December 30, 2007, 05:08:38 PM »
Quote
Upload these files to www.virustotal.com

C:\WINDOWS\system32\4B6C98AF0D.sys
C:\WINDOWS\system32\KGyGaAvL.sys


Copy and paste the following into a new notepad

Quote
@echo off
Vfind.exe -ltf "%systemdrive%\* .exe" > Log.txt
Start notepad log.txt

Click File, click Save As. Set the "Save in" box at the top to save it to your desktop, name it check.bat, set the file type to All Files and click OK. You should have a file on your desktop with the icon shown at the bottom of this post.

Double click it; a Notepad window will appear. Save it to your desktop so you can attach it to your next reply.


I'm having trouble right here... I did all the steps as you said. I did copy and paste, went to File, Save As... on the desktop as check.bat, All Files, and I did get the icon on the desktop; it looks like yours and says check.bat under it. But when I double click it and open it, the box that appears is empty inside. Is that correct???
Thanks

Offline sasysusie
Re: trojans galore
« Reply #42 on: December 30, 2007, 05:12:22 PM »
I take it back, I found the Notepad... geesh, false alarm, sorry... and yes, I saved it!
Sasy

Offline sasysusie
Re: trojans galore
« Reply #43 on: December 30, 2007, 05:44:16 PM »
While running WinPFind3u in normal Windows I encountered this virus warning, with all the bells and whistles, from Avast:
C:\windows\system32\hauyuoqd.exe
win32:agent-joh[trj]
trojan horse
VPS version: 071229-0 12/29/2007
I moved it to the chest. I'm attaching the log it gave me as well.
I'm not sure if the check.bat log is working OK with the attachment, so I am pasting it here as well:
Entries:                0  (0)
 Directories:            0  Files:             0
 Bytes:                  0  Blocks:            0

Hope this all worked.
Thanks
Susie
PS: when I went to post this reply it would not allow me to send the check.bat. Maybe I did not do it right... sorry, but I did paste the results here if that helps at all. Sorry!!

Offline oldman
Re: trojans galore
« Reply #44 on: December 30, 2007, 08:04:00 PM »
The .bat results were what I hoped they would be.  :) Sorry, I forgot: we can't attach .bat files, forum rules.

I don't see anything in the log. So we'll try a couple of things.

Download and run this utility, copy and paste the results here.

http://www.spywareinfo.com/~merijn/programs.php#adsspy

Create a new folder on your desktop and name it infected

To do this right click on the desktop, select new, click folder.

Open the avast chest by right clicking the "a" icon and clicking Start avast! Antivirus. Once it opens, click on the chest icon, then click on the Infected Files button.

Find these files, right click on them one at a time, select extract

C:\WINDOWS\SYSTEM32\mcvkkmrb.exe
C:\WINDOWS\tsitra1000106.exe.tmp
C:\WINDOWS\system32\qeibqlcy.dll



In the box that appears scroll down to the infected folder you created, click on it, click ok.

Submit those files to www.virustotal.com  As I'm not sure what the file path will be, use the browse button on their site to get to the files.

Post those results.  We may be able to see the characteristics of these files by knowing what other scanners name them.