Mischel Internet Security Forum > Malware > Trojans
Topic: help!!! trojandownloader.wigon.BS trojan (Read 11247 times)
helpmepls
« on: Mar 31st, 2009, 7:41am »

I have a problem with "win32/trojan downloader.wigon.bs trojan". Every time I connect to the internet it always comes out, and my ESET 4 always detects that there is a trojan. I can delete it, but after a few hours it comes out again. I have already done a system scan but I don't know where the root is. I hope someone could help me solve this problem. Is it maybe a problem with the reg entries? Or in the HijackThis? Hope anyone could help me. Thanks in advance. Sorry for my bad English =)
siliconman01 (Global Moderator)
« Reply #1 on: Mar 31st, 2009, 10:11pm »

Welcome to the forum helpmepls,
 
Would you please post here the scan log for Hijackthis so that I can examine it.  
 
And your English is quite good... no problems.
______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
helpmepls
« Reply #2 on: Mar 31st, 2009, 10:20pm »

Here are the results:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:09 PM, on 4/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\DOCUME~1\POWERU~1\LOCALS~1\Temp\{F3B30953-C9E5-4F4D-A73C-227ED87DDB39}\Sirus_clock.exe
C:\DOCUME~1\POWERU~1\LOCALS~1\Temp\{6A3B4BC9-5AAE-41C6-99CC-E2FED663F408}\Sirus_calendar.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Mozilla Firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Sirus Calendar.lnk = C:\Documents and Settings\Cy2\My Documents\clock & calendar\Sirus_calendar.exe
O4 - Startup: Sirus Clock.lnk = C:\Documents and Settings\Cy2\My Documents\clock & calendar\Sirus_clock.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238324203921
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
 
--
End of file - 6478 bytes
siliconman01 (Global Moderator)
« Reply #3 on: Mar 31st, 2009, 11:30pm »

Your Hijackthis log is not showing any infection.  HOWEVER, that does not mean that you are clean.  It just means that the typical areas of your system do not appear to be infected.
 
1.  Please download/install the Trial Version of TrojanHunter.
 
2.  Once you get it installed, manually update its detection rulesets by following the instructions at the link below.
 
http://www.misec.net/trojanhunter/updating/
 
3.  Then boot your computer into SAFE MODE.
 
4.  Run a FULL SCAN of your system with TrojanHunter.  Note that the Trial Version of TH does not permit removing infections; however, the scan will show if anything malicious is detected.
 
5.  When the TH scan is completed, save the Scan Report.  Click on FILE in the top menu bar of TH and select "Save Scan Report"
 
6.  Reboot your computer back into normal mode.
 
7.  Post the Scan Report of TH back here.  The saved scan report is stored in folder Scan Reports at C:\Program Files\TrojanHunter 5.0\Scan Reports
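The log above shows nothing in the places HijackThis normally exposes an infection, as the moderator says, but it does show two processes running from the user's Temp directory and an autostart entry launched from My Documents. A quick triage of a HijackThis log is usually about where things run from, not which names they have. As an added example (not code from the thread, from HijackThis or from TrojanHunter), this Python script walks the "Running processes" section and the O4 autostart lines of an excerpt of the posted log and lists every entry that runs from a user-writable profile/temp directory, from outside C:\WINDOWS and C:\Program Files, or as a bare filename resolved via the search path. The trusted roots and the "user-writable" markers are assumptions for the example; a flagged entry is something to check (here, the Sirus clock/calendar gadgets), not a verdict.

```python
import re
from typing import List, Tuple

# Excerpt of the HijackThis log posted earlier in this thread (a constructed
# subset of its "Running processes" and O4 lines, paths reproduced as logged).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\DOCUME~1\POWERU~1\LOCALS~1\Temp\{F3B30953-C9E5-4F4D-A73C-227ED87DDB39}\Sirus_clock.exe
C:\DOCUME~1\POWERU~1\LOCALS~1\Temp\{6A3B4BC9-5AAE-41C6-99CC-E2FED663F408}\Sirus_calendar.exe
D:\Mozilla Firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page www.yahoo.com/
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Sirus Clock.lnk = C:\Documents and Settings\Cy2\My Documents\clock & calendar\Sirus_clock.exe
"""

# Locations a stock XP box launches trusted code from (assumption for this
# example; a machine with software installed on D: would extend the list).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Markers of user-writable profile/temp locations, where droppers typically land.
USER_WRITABLE = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\locals~1\\")

EXE_RE = re.compile(r"(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.IGNORECASE)


def command_path(cmd: str) -> str:
    """Executable part of an autostart command: the quoted path if quoted, else
    the text up to the first executable extension (unquoted paths may contain spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def reasons_for(path: str) -> List[str]:
    """Why a path deserves a look. An empty list means nothing unusual about
    where it runs from; a non-empty list is a prompt to check, not a verdict."""
    p = path.lower()
    if "\\" not in p:
        return ["bare filename, resolved via the search path"]
    reasons = []
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable temp/profile directory")
    if not p.startswith(TRUSTED_ROOTS):
        reasons.append("outside C:\\WINDOWS and C:\\Program Files")
    return reasons


def triage(log: str) -> List[Tuple[str, str, List[str]]]:
    """Walk the 'Running processes' section and every O4 autostart line and
    return (source, path, reasons) for each entry with at least one reason."""
    findings = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process list
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if line.startswith("O4 - "):
            where, _, rest = line[5:].partition(": ")
            if "] " in rest:              # "[Name] command" form
                rest = rest.split("] ", 1)[1]
            elif ".lnk = " in rest:       # "shortcut.lnk = target" form
                rest = rest.split(".lnk = ", 1)[1]
            source, path = "O4 " + where, command_path(rest)
        elif in_processes:
            source, path = "process", line
        else:
            continue
        reasons = reasons_for(path)
        if reasons:
            findings.append((source, path, reasons))
    return findings


if __name__ == "__main__":
    for source, path, reasons in triage(SAMPLE_LOG):
        print(f"[{source}] {path}\n    " + "; ".join(reasons))
```

Run against the full log, the same heuristics also catch the O4 entries with bare filenames (nwiz.exe, RTHDCPL.EXE, ALCMTR.EXE) that depend on the search path; whether any of them matters is then a matter of checking the file, for instance with the VirusTotal second opinion the moderator asks for later in the thread.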
helpmepls
« Reply #4 on: Apr 1st, 2009, 1:31am »

TrojanHunter Scan Report - Saved 2009-04-01 15:33
 
Found adware file: C:\Program Files\Garena\update.exe (Adware.Vapsup.290)
Error: Removal of temporary directory C:\DOCUME~1\POWERU~1\LOCALS~1\Temp\Zipvnluyyvi\ failed (The directory is not empty)
Error: Removal of temporary directory C:\DOCUME~1\POWERU~1\LOCALS~1\Temp\Zipvnluyyvi\ failed (The directory is not empty)
Error: Removal of temporary directory C:\DOCUME~1\POWERU~1\LOCALS~1\Temp\Zipvdzxfard\ failed (The directory is not empty)
Error: Removal of temporary directory C:\DOCUME~1\POWERU~1\LOCALS~1\Temp\Zipvdzxfard\ failed (The directory is not empty)
Error: Removal of temporary directory C:\DOCUME~1\POWERU~1\LOCALS~1\Temp\Zipjumltssu\ failed (The directory is not empty)
Error: Removal of temporary directory C:\DOCUME~1\POWERU~1\LOCALS~1\Temp\Zipjumltssu\ failed (The directory is not empty)
Error: Removal of temporary directory C:\DOCUME~1\POWERU~1\LOCALS~1\Temp\Zipiwicccdz\ failed (The directory is not empty)
Error: Removal of temporary directory C:\DOCUME~1\POWERU~1\LOCALS~1\Temp\Zipiwicccdz\ failed (The directory is not empty)
Found trojan file: D:\Games\Warcraft III\War3.exe (Generic.PolyCrypt)
Found trojan file: D:\Games\Warcraft III\worldedit.exe (Generic.PolyCrypt)
Found trojan file: D:\marvin\war3\War3.exe (Generic.PolyCrypt)
Found trojan file: D:\marvin\war3\worldedit.exe (Generic.PolyCrypt)
siliconman01 (Global Moderator)
« Reply #5 on: Apr 1st, 2009, 2:55am »

Okay... let's get a second opinion on the files that TH says are infected.
 
Please go to the Virustotal link below and run a scan on the following files:
 
http://www.virustotal.com/
 
Upload and scan the files below.
 
C:\Program Files\Garena\update.exe
 
D:\Games\Warcraft III\War3.exe
 
D:\Games\Warcraft III\worldedit.exe
 
D:\marvin\war3\War3.exe
 
D:\marvin\war3\worldedit.exe
 
Please be sure that you upload/scan the files from each of the above exact locations...(for the duplicates of War3.exe and worldedit.exe).
 
Report back here the results for each of the files if infected.  Otherwise just tell me that file xx.exe is not found to be infected.
 
siliconman01 (Global Moderator)
« Reply #6 on: Apr 1st, 2009, 3:05am »

In addition to my post above:
 
Please download/install freebie program CCleaner from the link below.  CCleaner is used to clean out your TEMP and temporary files and junk files.  It is a good program for keeping your computer disk free of these unneeded files.  You can run it as frequently as you like...2-3 times per day, for example.
 
Download and install the SLIM version so that you do not get any unwanted toolbars.
 
http://www.ccleaner.com/download/builds.aspx
 
Once you get it installed, run CCleaner to clean up your disk.
 
NOTE:  I do not recommend running the REGISTRY cleaner part of this program unless you are familiar with registry cleaners...just to make sure that it does not falsely remove anything from your registry.
helpmepls
« Reply #7 on: Apr 1st, 2009, 4:22am »

C:\Program Files\Garena\update.exe result:

File update.exe received on 04.01.2009 11:55:16 (CET)
Result: 0/40 (0%)


D:\Games\Warcraft III\War3.exe result:

File War3.exe received on 04.01.2009 12:00:09 (CET)
Result: 1/39 (2.57%)

Antivirus | Version | Last Update | Result
a-squared | 4.0.0.101 | 2009.04.01 | -
AhnLab-V3 | 5.0.0.2 | 2009.04.01 | -
AntiVir | 7.9.0.129 | 2009.04.01 | -
Antiy-AVL | 2.0.3.1 | 2009.04.01 | -
Authentium | 5.1.2.4 | 2009.03.31 | -
Avast | 4.8.1335.0 | 2009.03.31 | -
AVG | 8.5.0.285 | 2009.04.01 | -
BitDefender | 7.2 | 2009.04.01 | -
CAT-QuickHeal | 10.00 | 2009.04.01 | (Suspicious) - DNAScan
ClamAV | 0.94.1 | 2009.04.01 | -
Comodo | 1092 | 2009.03.31 | -
DrWeb | 4.44.0.09170 | 2009.04.01 | -
eSafe | 7.0.17.0 | 2009.04.01 | -
eTrust-Vet | 31.6.6429 | 2009.04.01 | -
F-Prot | 4.4.4.56 | 2009.03.31 | -
F-Secure | 8.0.14470.0 | 2009.04.01 | -
Fortinet | 3.117.0.0 | 2009.04.01 | -
GData | 19 | 2009.04.01 | -
Ikarus | T3.1.1.49.0 | 2009.04.01 | -
K7AntiVirus | 7.10.687 | 2009.03.31 | -
Kaspersky | 7.0.0.125 | 2009.04.01 | -
McAfee | 5570 | 2009.03.31 | -
McAfee+Artemis | 5570 | 2009.03.31 | -
McAfee-GW-Edition | 6.7.6 | 2009.04.01 | -
Microsoft | 1.4502 | 2009.04.01 | -
NOD32 | 3980 | 2009.04.01 | -
nProtect | 2009.1.8.0 | 2009.04.01 | -
Panda | 10.0.0.14 | 2009.03.31 | -
PCTools | 4.4.2.0 | 2009.03.31 | -
Prevx1 | V2 | 2009.04.01 | -
Rising | 21.23.22.00 | 2009.04.01 | -
Sophos | 4.40.0 | 2009.04.01 | -
Sunbelt | 3.2.1858.2 | 2009.04.01 | -
Symantec | 1.4.4.12 | 2009.04.01 | -
TheHacker | 6.3.4.0.298 | 2009.04.01 | -
TrendMicro | 8.700.0.1004 | 2009.04.01 | -
VBA32 | 3.12.10.1 | 2009.03.31 | -
ViRobot | 2009.3.31.1670 | 2009.04.01 | -
VirusBuster | 4.6.5.0 | 2009.03.31 | -


D:\Games\Warcraft III\worldedit.exe result:

File worldedit.exe received on 04.01.2009 12:08:07 (CET)
Result: 0/40 (0%)


D:\marvin\war3\War3.exe result:

File War3.exe received on 04.01.2009 12:11:21 (CET)
Result: 1/40 (2.5%)

Antivirus | Version | Last Update | Result
a-squared | 4.0.0.101 | 2009.04.01 | -
AhnLab-V3 | 5.0.0.2 | 2009.04.01 | -
AntiVir | 7.9.0.129 | 2009.04.01 | -
Antiy-AVL | 2.0.3.1 | 2009.04.01 | -
Authentium | 5.1.2.4 | 2009.03.31 | -
Avast | 4.8.1335.0 | 2009.03.31 | -
AVG | 8.5.0.285 | 2009.04.01 | -
BitDefender | 7.2 | 2009.04.01 | -
CAT-QuickHeal | 10.00 | 2009.04.01 | (Suspicious) - DNAScan
ClamAV | 0.94.1 | 2009.04.01 | -
Comodo | 1092 | 2009.03.31 | -
DrWeb | 4.44.0.09170 | 2009.04.01 | -
eSafe | 7.0.17.0 | 2009.04.01 | -
eTrust-Vet | 31.6.6429 | 2009.04.01 | -
F-Prot | 4.4.4.56 | 2009.03.31 | -
F-Secure | 8.0.14470.0 | 2009.04.01 | -
Fortinet | 3.117.0.0 | 2009.04.01 | -
GData | 19 | 2009.04.01 | -
Ikarus | T3.1.1.49.0 | 2009.04.01 | -
K7AntiVirus | 7.10.687 | 2009.03.31 | -
Kaspersky | 7.0.0.125 | 2009.04.01 | -
McAfee | 5570 | 2009.03.31 | -
McAfee+Artemis | 5570 | 2009.03.31 | -
McAfee-GW-Edition | 6.7.6 | 2009.04.01 | -
Microsoft | 1.4502 | 2009.04.01 | -
NOD32 | 3980 | 2009.04.01 | -
Norman | 6.00.06 | 2009.03.31 | -
nProtect | 2009.1.8.0 | 2009.04.01 | -
Panda | 10.0.0.14 | 2009.03.31 | -
PCTools | 4.4.2.0 | 2009.03.31 | -
Prevx1 | V2 | 2009.04.01 | -
Rising | 21.23.22.00 | 2009.04.01 | -
Sophos | 4.40.0 | 2009.04.01 | -
Sunbelt | 3.2.1858.2 | 2009.04.01 | -
Symantec | 1.4.4.12 | 2009.04.01 | -
TheHacker | 6.3.4.0.298 | 2009.04.01 | -
TrendMicro | 8.700.0.1004 | 2009.04.01 | -
VBA32 | 3.12.10.1 | 2009.03.31 | -
ViRobot | 2009.3.31.1670 | 2009.04.01 | -
VirusBuster | 4.6.5.0 | 2009.03.31 | -


D:\marvin\war3\worldedit.exe result:

File worldedit.exe received on 04.01.2009 12:14:19 (CET)
Result: 0/40 (0%)

I already have CCleaner and I run it every time I use my PC.
I will not run the registry? But every time I run the cleaner I also run the registry part. Is it wrong? Thanks for the help. Sorry for my bad English again. =)
siliconman01 (Global Moderator)
« Reply #8 on: Apr 1st, 2009, 4:40am »

Quote:
I already have CCleaner and I run it every time I use my PC.
I will not run the registry? But every time I run the cleaner I also run the registry part. Is it wrong? Thanks for the help. Sorry for my bad English again. =)

 
If you already use the Registry cleaner of CCleaner, then please continue to do so.  I was just cautioning you as a potential "new user" of CCleaner.
 
It looks like the detections of TrojanHunter for your game programs are all False Positives and not infections.  Would you please follow the instructions in the link below to submit
 
C:\Program Files\Garena\update.exe  
 
D:\Games\Warcraft III\War3.exe  
 
D:\Games\Warcraft III\worldedit.exe  
 
as False Positives so that Gavin can fix TrojanHunter's detection rules.  
 
http://www.misec.net/forum/board/FAQ/1211189968
 
From what I see so far, your computer is currently not infected.  Let's try a remote scan with BitDefender's remote scanner and see if it turns up anything.
 
http://www.bitdefender.com/scan8/ie.html
 
-  Use Internet Explorer to access the above site.  It will need to download an ActiveX component in order to run the remote scan.  Please let it do so.
 
-  Before starting the remote scan, temporarily disable your other security programs except your software firewall.
 
-  Close down as many programs as you can (the icons next to the system clock in the Task Bar)
 
-  Run a complete scan of your system with BitDefender's remote scanner.
 
-  Please post back here the results of the remote scan.  
helpmepls
« Reply #9 on: Apr 1st, 2009, 8:23am »

BitDefender Online Scanner

Scan report generated at: Wed, Apr 01, 2009 - 22:17:19

Scan path: C:\;D:\;E:\;

Statistics
 Time: 00:28:09
 Files: 140273
 Folders: 15995
 Boot Sectors: 0
 Archives: 2800
 Packed Files: 5412

Results
 Identified Viruses: 4
 Infected Files: 33
 Suspect Files: 0
 Warnings: 0
 Disinfected: 17
 Deleted Files: 16

Engines Info
 Virus Definitions: 2816248
 Engine build: AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)
 Scan plugins: 17
 Archive plugins: 45
 Unpack plugins: 7
 E-mail plugins: 6
 System plugins: 4

Scan Settings
 First Action: Disinfect
 Second Action: Delete
 Heuristics: Yes
 Enable Warnings: Yes
 Scanned Extensions: *;
 Exclude Extensions:
 Scan Emails: Yes
 Scan Archives: Yes
 Scan Packed: Yes
 Scan Files: Yes
 Scan Boot: Yes

Scanned File / Status

D:\System Volume Information\_restore{A91F12F8-8309-4176-B3BB-362C238B7AF2}\RP1\A0000477.inf
 Infected with: Trojan.AutorunINF.Gen
 Deleted

D:\System Volume Information\_restore{A91F12F8-8309-4176-B3BB-362C238B7AF2}\RP1\A0000488.inf
 Infected with: Trojan.AutorunINF.Gen
 Deleted

D:\System Volume Information\_restore{A91F12F8-8309-4176-B3BB-362C238B7AF2}\RP2\A0000496.inf
 Infected with: Trojan.AutorunINF.Gen
 Deleted

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP16\A0007812.exe
 Infected with: Win32.Sality.OG
 Disinfected

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP16\A0007813.exe
 Infected with: Win32.Sality.OG
 Disinfected

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP16\A0007814.exe
 Infected with: Win32.Sality.OG
 Disinfected

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP16\A0007830.exe
 Infected with: Win32.Sality.OG
 Disinfected

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP18\A0003666.exe
 Infected with: Gen:Trojan.Heur.E0D4B5A0B0
 Disinfection failed
 Deleted

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP19\A0003205.exe
 Infected with: Win32.Sality.OG
 Disinfected

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP19\A0003217.exe
 Infected with: Win32.Sality.OG
 Disinfected

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP19\A0003218.exe
 Infected with: Win32.Sality.OG
 Disinfected

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP19\A0003219.exe
 Infected with: Win32.Sality.OG
 Disinfected

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP19\A0016476.com
 Infected with: Trojan.PWS.OnlineGames.KBOO
 Deleted

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP19\A0016477.inf
 Infected with: Trojan.AutorunINF.Gen
 Deleted

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP19\A0016498.inf
 Infected with: Trojan.AutorunINF.Gen
 Deleted

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP19\A0016499.com
 Infected with: Trojan.PWS.OnlineGames.KBOO
 Deleted

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP21\A0013879.exe
 Infected with: Win32.Sality.OG
 Disinfected

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP21\A0013910.exe
 Infected with: Win32.Sality.OG
 Disinfected

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP21\A0013912.exe
 Infected with: Win32.Sality.OG
 Disinfected

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP21\A0013913.exe
 Infected with: Win32.Sality.OG
 Disinfected

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP30\A0016634.exe
 Infected with: Win32.Sality.OG
 Disinfected

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP30\A0016645.exe
 Infected with: Win32.Sality.OG
 Disinfected

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP30\A0016646.exe
 Infected with: Win32.Sality.OG
 Disinfected

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP30\A0016647.exe
 Infected with: Win32.Sality.OG
 Disinfected

D:\System Volume Information\_restore{AA7C101D-BC0C-4033-A080-16802D302400}\RP35\A0017211.EXE
 Infected with: Win32.Sality.OG
 Disinfected

D:\System Volume Information\_restore{BFEF3A96-0ACB-4ECC-96BC-2EDC96005F58}\RP1\A0000007.inf
 Infected with: Trojan.AutorunINF.Gen
 Deleted

D:\System Volume Information\_restore{BFEF3A96-0ACB-4ECC-96BC-2EDC96005F58}\RP1\A0000032.inf
 Infected with: Trojan.AutorunINF.Gen
 Deleted

D:\System Volume Information\_restore{BFEF3A96-0ACB-4ECC-96BC-2EDC96005F58}\RP2\A0000046.inf
 Infected with: Trojan.AutorunINF.Gen
 Deleted

D:\System Volume Information\_restore{BFEF3A96-0ACB-4ECC-96BC-2EDC96005F58}\RP3\A0000074.inf
 Infected with: Trojan.AutorunINF.Gen
 Deleted

D:\System Volume Information\_restore{BFEF3A96-0ACB-4ECC-96BC-2EDC96005F58}\RP3\A0000099.inf
 Infected with: Trojan.AutorunINF.Gen
 Deleted

D:\System Volume Information\_restore{BFEF3A96-0ACB-4ECC-96BC-2EDC96005F58}\RP4\A0000109.inf
 Infected with: Trojan.AutorunINF.Gen
 Deleted

D:\System Volume Information\_restore{BFEF3A96-0ACB-4ECC-96BC-2EDC96005F58}\RP4\A0000118.inf
 Infected with: Trojan.AutorunINF.Gen
 Deleted

D:\System Volume Information\_restore{BFEF3A96-0ACB-4ECC-96BC-2EDC96005F58}\RP4\A0001129.inf
 Infected with: Trojan.AutorunINF.Gen
 Deleted

 
------------------------------------------------

Scan Info
 Scanned Files: 156426
 Infected Files: 33

Virus Detected
 Gen:Trojan.Heur.E0D4B5A0B0: 1
 Win32.Sality.OG: 17
 Trojan.AutorunINF.Gen: 13
 Trojan.PWS.OnlineGames.KBOO: 2

-----------------------------------------------------------
   
This is the result after I scanned with BitDefender, and I think there are too many problems..
 
 
Sir, about the false positives, I have a question. Should I make another post about it or put it here? And in the e-mail section, where should I put the link? In the new post or here? Thanks.
siliconman01 (Global Moderator)
« Reply #10 on: Apr 1st, 2009, 11:39pm »

It looks like BitDefender's scanned infections are all located in your System Restore file.  The only way to truly remove these is to follow the procedure in the link below.  This will clear your System Restore file (System Volume Information) for you.  
 
http://www.misec.net/forum/board/FAQ/1139255588
 
Once you clear your System Restore per the procedure, please scan again with BitDefender to ensure that it scans clean.
 
Quote:
Sir, about the false positive, I have some questions. Should I make another post about it, or put it here?

 
You can keep all your posts here in this thread.  
 
Quote:
And in the e-mail section, where should I put the link? In a new post or here? Thanks

 
I do not quite understand your question above.  I "think" I know but am not sure.
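A worked check on the point made in the reply above (that every BitDefender detection sat inside System Restore), as an added example that is not part of the original thread: the script parses scan-log entries in the two-block shape shown earlier in this thread (a path line, then an indented "Infected with:" or action line, blank lines between blocks) and groups detections by whether the path lies under a `_restore{GUID}\RPn\` restore point. The sample log is constructed; the `C:\Example\sample.exe` entries are invented so that a detection outside System Restore shows up in the output, and no real file is implied.

```python
"""Group BitDefender-style scan log detections by location.

Added example (not code from the thread). The log format assumed is the
one visible in the posted scan output: a file path on one line, then an
indented status line that is either "Infected with: <name>" or the action
taken ("Deleted", ...), with blank lines between blocks.
"""
import re
from collections import Counter

# Constructed sample. The D:\ entries copy the shape of the posted log; the
# C:\Example\sample.exe entries are invented so that a detection outside
# System Restore appears in the output.
SAMPLE_LOG = """\
D:\\System Volume Information\\_restore{BFEF3A96-0ACB-4ECC-96BC-2EDC96005F58}\\RP4\\A0000109.inf
 Infected with: Trojan.AutorunINF.Gen

D:\\System Volume Information\\_restore{BFEF3A96-0ACB-4ECC-96BC-2EDC96005F58}\\RP4\\A0000109.inf
 Deleted

D:\\System Volume Information\\_restore{BFEF3A96-0ACB-4ECC-96BC-2EDC96005F58}\\RP4\\A0000118.inf
 Infected with: Trojan.AutorunINF.Gen

D:\\System Volume Information\\_restore{BFEF3A96-0ACB-4ECC-96BC-2EDC96005F58}\\RP4\\A0000118.inf
 Deleted

C:\\Example\\sample.exe
 Infected with: Win32.Sality.OG

C:\\Example\\sample.exe
 Disinfected
"""

# A restore-point path: <drive>\System Volume Information\_restore{GUID}\RP<n>\<file>
RESTORE_POINT = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE
)


def parse_log(text):
    """Return {path: {"detection": name_or_None, "action": status_or_None}}."""
    entries = {}
    block = []
    for line in text.splitlines() + [""]:  # trailing "" flushes the last block
        if line.strip():
            block.append(line)
            continue
        if len(block) >= 2:
            path, status = block[0].strip(), block[1].strip()
            rec = entries.setdefault(path, {"detection": None, "action": None})
            if status.startswith("Infected with:"):
                rec["detection"] = status.split(":", 1)[1].strip()
            else:
                rec["action"] = status
        block = []
    return entries


def in_system_restore(path):
    """True when the path is inside a System Restore restore point."""
    return RESTORE_POINT.search(path) is not None


def summarize(entries):
    """Count detections inside vs. outside System Restore, per detection name."""
    restore, live = Counter(), Counter()
    for path, rec in entries.items():
        if rec["detection"] is None:
            continue
        bucket = restore if in_system_restore(path) else live
        bucket[rec["detection"]] += 1
    return {"restore_only": not live, "restore": dict(restore), "live": dict(live)}


if __name__ == "__main__":
    result = summarize(parse_log(SAMPLE_LOG))
    print("All detections inside System Restore:", result["restore_only"])
    print("In restore points:", result["restore"])
    print("Outside restore points:", result["live"])
```

When `restore_only` comes back true, clearing System Restore (as the reply recommends) removes everything the scanner found; any name that lands in the `live` bucket is a file on the running system and needs its own cleanup before the restore points are purged.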
helpmepls (Newbie)
Re: help!!! trojandownloader.wigon.BS trojan
« Reply #11 on: Apr 2nd, 2009, 5:02am »

I checked it again using your link http://www.bitdefender.com/scan8/ie.html and no virus was found..  
 
 
I already sent my false positive results via e-mail..  
 
 
What's the next thing I should do?
siliconman01 (Global Moderator)
Re: help!!! trojandownloader.wigon.BS trojan
« Reply #12 on: Apr 2nd, 2009, 5:43am »

Quote:
I already sent my false positive results via e-mail..  

 
Thanks very much for your submittal of these false positives.
 
Quote:
I have a problem with "win32/trojan downloader.wigon.bs trojan". Every time I connect to the internet it always comes out, and my ESET 4 always detects that there is a trojan.

 
Are you still getting the above detection by your Eset when you connect?  If so, what is the name of the file that is being detected as malicious?  
 
This is starting to sound like maybe ESET is falsely detecting something.
« Last Edit: Apr 2nd, 2009, 5:46am by siliconman01 »
siliconman01 (Global Moderator)
Re: help!!! trojandownloader.wigon.BS trojan
« Reply #13 on: Apr 2nd, 2009, 6:08am »

In addition to my post above:
 
Would you please post the content of your HOSTS file.
 
1.  Make all your files and folders visible via the procedure in the link below:
 
http://www.misec.net/forum/board/FAQ/1139610900
 
2.  The HOSTS file is located in folder etc at C:\Windows\System32\drivers\etc.  Please note that the HOSTS file has no extension....it is just HOSTS.
 
3.  Right click on the HOSTS file and open it with NotePad.
 
4.  Copy and Paste the HOSTS file content back here please.
(IF the file is really long, just copy/paste the first 30-40 lines of it.)
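As an added example (not from the original post), here is the review a helper does on a pasted HOSTS file, in script form: comments are dropped, the active lines are kept, and anything that is not a plain loopback-to-localhost mapping is flagged. The sample file content is constructed: the comment header and the `127.0.0.1 localhost` line match a stock Windows XP HOSTS file, while the `www.security-vendor.example` and `www.bank.example` lines are invented to show the two patterns malware plants, sinkholing a domain to 127.0.0.1 (the site silently stops resolving, which is why security-vendor and update sites are the usual targets) and pointing a domain at some other address.

```python
"""Flag HOSTS file entries that do not belong in a clean Windows file.

Added example (not from the thread). A stock Windows HOSTS file contains
only comments plus loopback-to-localhost mappings, so every other active
line deserves a look: a loopback address in front of a real domain sinkholes
that domain (a classic way to block security-vendor and update sites), and
a non-loopback address redirects the domain elsewhere.
"""
import ipaddress

# Constructed sample. The comment header and "127.0.0.1 localhost" match a
# stock Windows XP file; the last two lines are invented examples of what
# gets flagged (example.* names, not real sites).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# 102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
127.0.0.1       www.security-vendor.example    # update site sinkholed
192.0.2.10      www.bank.example               # redirected to another host
"""

LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return [(ip, [hostnames])] for each active line, comments removed."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries


def classify(ip, hostnames):
    """'expected' for loopback->localhost, 'blocked' for loopback->other name,
    'redirect' for any non-loopback address, 'malformed' if the address won't parse."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if not addr.is_loopback:
        return "redirect"
    if all(name.lower() in LOCALHOST_NAMES for name in hostnames):
        return "expected"
    return "blocked"


def review_hosts(text):
    """Return [(ip, hostnames, verdict)] for every active line."""
    return [(ip, names, classify(ip, names)) for ip, names in parse_hosts(text)]


def suspicious_entries(text):
    """Only the lines a malware-removal helper would ask about."""
    return [row for row in review_hosts(text) if row[2] != "expected"]


if __name__ == "__main__":
    for ip, names, verdict in review_hosts(SAMPLE_HOSTS):
        print(f"{verdict:9} {ip:15} {' '.join(names)}")
```

To run it against a real file, replace `SAMPLE_HOSTS` with the text read from `C:\Windows\System32\drivers\etc\hosts`; the loopback check accepts the IPv6 `::1 localhost` line that newer Windows versions ship as well, so only genuine additions are reported.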
helpmepls (Newbie)
Re: help!!! trojandownloader.wigon.BS trojan
« Reply #14 on: Apr 2nd, 2009, 6:21am »

Since yesterday I haven't seen that trojan being detected by my ESET.. The last trojan it added, and that I deleted to the quarantine list, was something like this: "C:\DOCUME~1\POWERU~1\LOCALS~1\PowerUser.exe"  
 
Some of the viruses that ESET detected were something like this:
 
Windows\system32\drivers\***.sys
"C:\Doc&Setting\Poweruser\Local Settings\Temp\BN273C.tmp
"C:\Doc&Setting\Poweruser\Local Settings\Temp\*****.tmp
Win32/TrojanDownloader.Wigon.BS trojan | cleaned by deleting - quarantined | NVIDIA\Power User | Event occurred on a file modified by the application: C:\WINDOWS\RTHDCPL.exe.
 
I also looked at my Task Manager, and in Processes I saw PowerUser.exe blinking..^^ It appears, then it disappears..  
 
 
But now I don't have a problem with this.. ESET doesn't give me warnings about trojandownloader.wigon.bs, unlike the other day when it always gave me warnings..
 
By the way, "Power User" is the name of my user account..  
 
Sorry for the wrong grammar..=)
« Last Edit: Apr 2nd, 2009, 9:51am by helpmepls »