afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > can't get rid of this trojan
Can't get rid of this Trojan
Junior Member, 5. February 2007 @ 14:47
I have Active Virus Shield and it detected Trojan-Downloader.Win32.Agent.bca, which keeps on popping up and putting some install.exe on my desktop all the time. The AVS can't get rid of the problem and I have no clue what to do.

Could someone help me get rid of this?
Tell me what to do or what I should give you so you have better knowledge of what's infected.
Junior Member, 5. February 2007 @ 15:13
Logfile of HijackThis v1.99.1
Scan saved at 8:12:45 PM, on 2/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cyjrapblr\winlogon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virushelpzone.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/custo.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/custo...//www.yahoo.com
F3 - REG:win.ini: load=C:\WINDOWS\system32\cyjrapblr\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\cyjrapblr\winlogon.exe
O1 - Hosts: 217.168.171.52 ts.parrotplaypen.com
O1 - Hosts: 1.1.1.1 f-secure.com
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 FTP.f-secure.com
O1 - Hosts: 1.1.1.1 FTP.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 mast.mcafee.com
O1 - Hosts: 1.1.1.1 my-etrust.com
O1 - Hosts: 1.1.1.1 www.my-etrust.com
O1 - Hosts: 1.1.1.1 nai.com
O1 - Hosts: 1.1.1.1 www.nai.com
O1 - Hosts: 1.1.1.1 networkassociates.com
O1 - Hosts: 1.1.1.1 secure.nai.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 sophos.com
O1 - Hosts: 1.1.1.1 www.sophos.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 www.viruslist.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: (no name) - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [WindowBlinds] C:\Program Files\Stardock\Object Desktop\WindowBlinds\WBInstall32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - Startup: Logitech SetPoint.lnk = ?
O4 - Startup: winlogon.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1030680729203
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
ravens1 (Member), 5. February 2007 @ 15:56
I suggest you download Avira AntiVir or AVG Free and run a scan.

I'm not an expert, but I think that C:\WINDOWS\system32\cyjrapblr\winlogon.exe might be a virus, because "cyjrapblr" is like a random name, and that's what viruses do: create others with a random name. Also, the winlogon.exe might be imitating the actual thing. So, I wouldn't delete this file yet until someone else who is more experienced comes along and helps. But for right now I still suggest you download Avira AntiVir or AVG Free and run a scan.

This message has been edited since posting. Last time this message was edited on 5. February 2007 @ 16:05

kateman (Senior Member), 7. February 2007 @ 20:08
This doesn't really help with your original problem, but I can't see a trojan in your scan.

But I have never seen things like this before:

O1 - Hosts: 1.1.1.1 www.pandasoftware.com

It tempts me to say delete it, and well, that's what I would do if I were you.



help the monkeys are attacking me! dont worry, i fed the monkeys a banana, so now their off fighting a cat. i like the snow but the rain burns my skin. i can build a fort but thefhsfhkfnkjdsfikdgkjnbgjk...
bkf (Suspended due to non-functional email address), 8. February 2007 @ 02:39
I have never seen those O1 hosts file entries in any of the logs I have looked at. Seems something tried to or did change your hosts file list, and they all seem to be aimed at antivirus and antispyware sites to prevent you from reaching them. That hosts file list needs to be cleaned out, and I see a fistful of other things. This one is bad, and you will not ever be able to trust your system again even if you fix the virus. Spybot should have prevented any hosts file changes if you had the "lock hosts file" box checked in IE tweaks, because it would have been set to read-only.

This message has been edited since posting. Last time this message was edited on 8. February 2007 @ 03:05
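The two indicators raised above (ravens1's point about a system binary name running from a randomly named directory, and bkf's point about hosts file entries pinning antivirus vendors' domains) can both be checked mechanically from a HijackThis-style log. The Python below is an added example for this thread, not code from the thread or from HijackThis; the vendor-domain list, the system-binary list and the expected directories are illustrative assumptions, and the log excerpt is constructed in the shape of a HijackThis v1.99.1 log rather than copied from the poster's machine.

```python
"""Triage a HijackThis-style log for two indicators seen in this thread:
security-vendor domains overridden in the hosts file (O1 lines) and
Windows system binary names running outside their expected directories."""
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of a HijackThis log (not the poster's log).
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\system32\\cyjrapblr\\winlogon.exe
C:\\WINDOWS\\Explorer.EXE
C:\\Program Files\\Mozilla Firefox\\firefox.exe

F3 - REG:win.ini: load=C:\\WINDOWS\\system32\\cyjrapblr\\winlogon.exe
O1 - Hosts: 217.168.171.52 ts.parrotplaypen.com
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
"""

# Illustrative (assumed) list: a clean hosts file has no reason to pin these.
SECURITY_VENDOR_SUFFIXES = (
    "f-secure.com", "sophos.com", "symantec.com", "mcafee.com", "nai.com",
    "kaspersky.com", "trendmicro.com", "grisoft.com", "avast.com",
    "bitdefender.com", "pandasoftware.com", "microsoft.com",
)

# Illustrative (assumed) list of XP system binaries and where they live.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}
EXPECTED_DIRS = {r"c:\windows", r"c:\windows\system32"}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", re.IGNORECASE)
WININI_RE = re.compile(r"^F3 - REG:win\.ini:\s*(?:load|run)=(.+?)\s*$", re.IGNORECASE)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def is_security_vendor(hostname):
    """True when hostname is, or is a subdomain of, a listed vendor domain."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in SECURITY_VENDOR_SUFFIXES)


def suspicious_hosts(log):
    """O1 entries that override name resolution for a security vendor's domain.
    The target IP is irrelevant: any pin of these names blocks updates."""
    hits = []
    for line in log.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m and is_security_vendor(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def executable_paths(log):
    """Paths from the 'Running processes' block plus win.ini load=/run= values."""
    paths = []
    for line in log.splitlines():
        line = line.strip()
        m = WININI_RE.match(line)
        if m:
            paths.append(m.group(1))
        elif PATH_RE.match(line):
            paths.append(line)
    return paths


def masquerading_paths(log):
    """System binary names (winlogon.exe, svchost.exe, ...) whose parent
    directory is not one of the expected system directories, deduplicated."""
    seen, hits = set(), []
    for p in executable_paths(log):
        wp = PureWindowsPath(p)
        if wp.name.lower() in SYSTEM_BINARIES and str(wp.parent).lower() not in EXPECTED_DIRS:
            if p not in seen:
                seen.add(p)
                hits.append(p)
    return hits


if __name__ == "__main__":
    for ip, host in suspicious_hosts(SAMPLE_LOG):
        print(f"hosts override of security vendor: {host} -> {ip}")
    for p in masquerading_paths(SAMPLE_LOG):
        print(f"system binary name outside system directory: {p}")
```

Run against the sample, the two vendor pins (f-secure.com and symantec.com) are reported while the game-server pin is not, and the winlogon.exe under the random cyjrapblr directory is reported once even though it appears both in the process list and in the win.ini load= value. The directory check deliberately compares the full parent path rather than just looking for "system32" in the string, since a subdirectory of system32 is exactly the trick in the poster's log.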

Senior Member, 9. February 2007 @ 17:57
Oh my god man, I looked at your log and you have a LOT of problems, so let's start with the very nasty ones:

C:\WINDOWS\system32\cyjrapblr\winlogon.exe

There are just too many O1s to name, so I looked and you should put a check next to ALL of them, then click "Fix checked".

Now, for some smaller problems, you can fix these entries:

O3 - Toolbar: (no name) - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - (no file)

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)



bkf (Suspended due to non-functional email address), 10. February 2007 @ 02:07
Waymon: I question whether it is worth trying to fix this. I'm sure that you looked up this virus, and God knows what might have been changed. I would not trust the system and would reload it without a second thought.
He just happened to get a real good one :-(
Senior Member, 10. February 2007 @ 15:57
What do you think of Windows' system restore points? This might save some of his data from being deleted by reinstalling Windows.

bkf (Suspended due to non-functional email address), 11. February 2007 @ 01:14
Depends on how long the virus has been in there; more than 24 hours and it would be in a restore point. From what I have read about this bug, it's like somebody sitting at your keyboard. Tough call what to do. Saving the data to somewhere else would be OK if what gave him the bug was not part of that data somewhere. Only three ways I can think of to get something like this: open a bad email, click on something bad on a web page, or a bad download.
kateman (Senior Member), 11. February 2007 @ 21:16
I doubt it's any of the first two. I'm pretty sure it'd have been a download.
Junior Member, 12. February 2007 @ 05:40
A friend of mine downloaded a song and didn't notice the difference between .mp3 and .zip, and the trojan was just sitting in the .zip file.
Now later on I clicked on some link on MSN, and I think I got another thing from it, because now my MSN sends messages by itself to other people with the same link in it. It sends it in like a split second and then closes the window, so you won't see that you're sending out something. One time MSN even tried to start itself when I closed it :)

I'm just so frustrated that I'm reformatting.
How safe is it to save your stuff on CDs and then put it back on the computer? Mostly pics, .exe files and songs.
Senior Member, 12. February 2007 @ 08:04
Well, I use Firefox, which is rumoured to not have as much malware. I think that it is pretty safe for you to save things onto your CDs. Just make sure that the things that you are saving don't contain a virus, trojan, etc., because the next time you put the CDs in your computer, you will get the malware all over again.

kateman (Senior Member), 12. February 2007 @ 20:24
Hmm, just be careful to make sure that the CDs are backed up on disks that are kept safe from heat, sunlight and any scratches. Data storage isn't great. I'd suggest you back them up on USB rather than CD.

But then again, it's almost impossible to tell if you do have malware on your system.

help the monkeys are attacking me! dont worry, i fed the monkeys a banana, so now their off fighting a cat. i like the snow but the rain burns my skin. i can build a fort but thefhsfhkfnkjdsfikdgkjnbgjk...
Advertisement
_
__
 
_
scorpNZ
AfterDawn Addict

4 product reviews
_
12. February 2007 @ 21:21 _ Link to this message    Send private message to this user   
Perhaps once you've reformatted you could create a guest account, so next time anyone wants to surf with your computer they don't have admin privileges, and lastly look into disk imaging (ghosting a hard drive), as system restore was installed by Microsoft as a practical joke...lol...

This message has been edited since posting. Last time this message was edited on 12. February 2007 @ 21:22
