Trojans infecting my computer

I got those trojans, too. I'm sad to see that I'm making the first reply to your topic.

So here's a list of what else I got. I'm pretty for sure it's all related:

  • trojan.hugipon (super-anti-spyware)
  • the process svchost.exe has been blocked from accessing really naughty and malicious websites. (ad-aware)

I'm getting random pop-ups and my system is really slow. My hjt log seems to be clean. This whole mess started out with a bunch of rogue AV pop-ups about 3 weeks ago.

I'm gonna add a hjt log for **bleep**s and giggles:

 

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:15:09 AM, on 8/14/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe

--
End of file - 2991 bytes

 

 

[edit: Clarified subject to reflect moved post.]

 

 

Check out the following link if you also got that **bleep** hugipon virus.

http://www.bleepingcomputer.com/forums/topic333166.html

I'm gonna try to do all that **bleep** on my day off tomorrow. Symantec obviously can't handle this problem.


mbam log

 

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4382

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/14/2010 8:32:22 AM
mbam-log-2010-08-14 (08-32-22).txt

Scan type: Quick scan
Objects scanned: 139931
Time elapsed: 12 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hello

Have you tried doing a scan in safe mode? Please see this link: http://community.norton.com/t5/Norton-Internet-Security-Norton/Full-system-scan-gets-stuck-on-1-file-processing/m-p/265255

Hope this helps.


scherrypoppa wrote:

mbam log

 

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4382

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/14/2010 8:32:22 AM
mbam-log-2010-08-14 (08-32-22).txt

Scan type: Quick scan
Objects scanned: 139931
Time elapsed: 12 minute(s), 44 second(s)

Memory Processes Infected: 0

 

 

Hi scherrypoppa

The Malwarebytes scan you have run was a quick scan and was run using older definitions. You should update Malwarebytes to get the latest definitions (currently 4432) and then run a Full Scan.
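
The check described in the reply above, as an added example that is not part of the original posts: it reads the header of a Malwarebytes log and reports why a "nothing detected" result should be re-run. The function names are hypothetical, the sample is constructed from the log posted in this thread, the value 4432 comes from the reply, and the "Full scan" label prefix is an assumption.

```python
import re

# Constructed sample: the header and summary lines of the log posted in this thread.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.46
Database version: 4382

8/14/2010 8:32:22 AM
Scan type: Quick scan
Objects scanned: 139931
Time elapsed: 12 minute(s), 44 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 0

Files Infected:
(No malicious items detected)
"""

# "Name: value" lines only; section headings such as "Files Infected:" carry no value.
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(\S.*)$")

def parse_mbam_fields(text):
    """Collect the first occurrence of each "Name: value" line in the log."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields.setdefault(m.group(1), m.group(2))
    return fields

def assess_scan(fields, current_db):
    """List the reasons a clean result from this scan is weak evidence."""
    caveats = []
    db_match = re.match(r"\d+", fields.get("Database version", ""))
    db = int(db_match.group()) if db_match else 0
    if db < current_db:
        caveats.append(f"definitions {db} older than {current_db}")
    scan_type = fields.get("Scan type", "unknown")
    # Assumption: a full scan is labelled with text starting "Full scan".
    if not scan_type.lower().startswith("full scan"):
        caveats.append(f"'{scan_type}' is not a full scan")
    detections = sum(int(v) for k, v in fields.items()
                     if k.endswith("Infected") and v.isdigit())
    return {"detections": detections, "caveats": caveats,
            "needs_rescan": detections == 0 and bool(caveats)}

if __name__ == "__main__":
    print(assess_scan(parse_mbam_fields(SAMPLE_LOG), current_db=4432))
```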

For some reason, there seem to be two different threads running of this topic, so I am replying to both threads (again, newbie here, so I hope this isn't bad protocol).

I'm surprised that it took this long for folks to chime in on getting hit with these (I started the "New Trojans?:" thread on the 6th). Surely, I can't be the fortunate one who was one of the first ever to have gotten hit with this particular bundle of these trojans?

I also emptied my Java cache, removed the Java version that was installed and installed the newest version. I have run NIS 2x or more a day, plus Microsoft Security Essentials starting last night. Was not familiar with Malwarebytes before reading the replies.

I think I got lucky, as I mentioned, I do my e-mail online only; don't know if that's what kept my computer from getting bombed. Fortunately also, NIS did remove them that first (or second) day.

What is bothering me now is just what are these capable of? Porn site e-mail bombing? Keystroke logging? I spent a couple of days after this happened, from another computer, checking all my bank and credit card accounts multiple times, changed every single user name and password (some multiple times), as I didn't know what to expect from these. Side note... my friend who got the initial e-mails from me that were spam tagged said that as soon as I changed my e-mail passwords (I had him on the phone as I was trying different things), the e-mails quit getting spam tagged.

All well and good on changing my user names and passwords, but I am still so paranoid that I do not want to use the computer that got hit for accessing anything of any importance.

Sure wish some more info would be forthcoming about these, but am glad that I'm finally seeing some discussion about this.

 

Thanks,

R