Author Topic: trojan for me  (Read 15274 times)


mantra

  • Guest
trojan for me
« on: April 04, 2005, 07:05:00 PM »
Backdoor.Win32.VB.ye

Can somebody tell me the damage that it did to my PC?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89168
  • No support PMs thanks
Re: trojan for me
« Reply #1 on: April 04, 2005, 07:18:05 PM »
Have you tried a google search for this?

A search for 'Backdoor.Win32.VB' returns many hits.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Wight

  • Guest
Re: trojan for me
« Reply #2 on: April 04, 2005, 07:25:24 PM »
Backdoors in general allow unauthorized entry to infected computers, so it is very hard if not impossible to say what damage it has done.

Post your hijackthis log here and we will see what we can do.

Anyway, to prevent further damage done by other malicious programs, visit Windows Update and apply all patches, update avast! definitions and scan your computer in safe mode (press F8 during boot).

mantra

  • Guest
Re: trojan for me
« Reply #3 on: April 04, 2005, 07:40:41 PM »
Logfile of HijackThis v1.97.7
Scan saved at 19.39.38, on 04/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Agnitum\Outpost Firewall\outpost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
G:\Programmi\foobar2000\foobar2000.exe
C:\Programmi\DC++\DCPlusPlus.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
D:\backup cd\SICUREZZA\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jus.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAID Manager.lnk = C:\Programmi\ITE\ITE IT8212 ATA RAID Controller\RaidMgr.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED15160C-A60E-40CA-91F2-D7396DA10D15}: NameServer = 193.70.192.25,195.70.156.25

mantra

  • Guest
Re: trojan for me
« Reply #4 on: April 04, 2005, 07:43:21 PM »
Do you have this file? csrss.exe

Offline xistenz

  • Poster
  • *
  • Posts: 632
« Last Edit: April 04, 2005, 07:53:51 PM by xistenz »

whocares

  • Guest
Re: trojan for me
« Reply #6 on: April 04, 2005, 07:56:02 PM »
Hi mantra,

- Please update to HJT 1.99.1, via the internal updater or via links found here on the board,
and then edit or post a new HJT log.

- where exactly was the trojan found (full path/folder/Filename.) ?


CSRSS.exe should be ok, if found here:
C:\WINDOWS\system32\CSRSS.EXE

->  http://www.liutilities.com/products/wintaskspro/processlibrary/csrss/



 ;)
« Last Edit: April 04, 2005, 07:57:53 PM by whocares »

mantra

  • Guest
Re: trojan for me
« Reply #7 on: April 04, 2005, 08:01:20 PM »
Logfile of HijackThis v1.99.1
Scan saved at 20.00.05, on 04/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Agnitum\Outpost Firewall\outpost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
G:\Programmi\foobar2000\foobar2000.exe
C:\Programmi\DC++\DCPlusPlus.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Outlook Express\msimn.exe
D:\backup cd\SICUREZZA\HijackThis\HijackThis.exe
C:\DOCUME~1\Mantra\IMPOST~1\Temp\Rar$EX00.953\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jus.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAID Manager.lnk = C:\Programmi\ITE\ITE IT8212 ATA RAID Controller\RaidMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED15160C-A60E-40CA-91F2-D7396DA10D15}: NameServer = 193.70.192.25,195.70.156.25
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

mantra

  • Guest

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: trojan for me
« Reply #9 on: April 04, 2005, 08:14:00 PM »
Mantra, if you try an on-line analysis of your HijackThis log file, will it help?
Try here http://hijackthis.de/index.php
The best things in life are free.

lee16

  • Guest
Re: trojan for me
« Reply #10 on: April 04, 2005, 09:24:42 PM »
Hi mantra,

About your log, if you do not recognize this address, then delete it from hijackthis:

O17 - HKLM\System\CCS\Services\Tcpip\..\{ED15160C-A60E-40CA-91F2-D7396DA10D15}: NameServer = 193.70.192.25,195.70.156.25

Other than that, it's clean.


Quote
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453089442

If you're sure that's the virus you have, then follow the removal instructions on that page.

--lee

mantra

  • Guest
Re: trojan for me
« Reply #11 on: April 05, 2005, 08:22:13 AM »
Quote
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED15160C-A60E-40CA-91F2-D7396DA10D15}: NameServer = 193.70.192.25,195.70.156.25


I don't know what it is.

lee16

  • Guest
Re: trojan for me
« Reply #12 on: April 05, 2005, 12:24:51 PM »
Well it can belong to one of three things:

Your Company
Your ISP (who you pay your Internet bill to)
Malware provider


Without knowing more about it, I can't know exactly whether you can remove it; that's why I was hoping you would know.

You could try these:

If you're on a company network, ask your admin about it.

If you're at home with the internet, phone your ISP and ask them about it.

If none of them know, use HijackThis to remove the entry.

--lee
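
The checks made by hand in the replies above (a system process name such as csrss.exe running from its expected folder, the O17 NameServer addresses to confirm with the ISP or admin, and an O23 service marked "file missing") can be run over a saved HijackThis log. This is an added example, not part of the original thread; the expected-folder table assumes Windows is installed in C:\WINDOWS, and the sample log is constructed. Findings are items to look into, not verdicts.

```python
import ntpath
import re

# Constructed sample in the HijackThis format shown in this thread; the
# csrss.exe path under Temp is invented to exercise the location check.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\User\Temp\csrss.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED15160C-A60E-40CA-91F2-D7396DA10D15}: NameServer = 193.70.192.25,195.70.156.25
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# Assumption: Windows lives in C:\WINDOWS (true for the logs in this thread).
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIR = {name: SYSTEM32 for name in (
    "csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"
O_LINE = re.compile(r"^(O\d+) - (.*)$")

def triage(log_text):
    """Return (kind, detail) tuples for entries that deserve a manual look."""
    findings, in_processes = [], False
    for line in log_text.splitlines():
        line = line.strip()
        match = O_LINE.match(line)
        if line == "Running processes:":
            in_processes = True
        elif in_processes and not line:
            in_processes = False  # a blank line ends the process list
        elif in_processes:
            # Compare case-insensitively: the log mixes System32 and system32.
            directory, name = ntpath.split(line.lower())
            if name in EXPECTED_DIR and directory != EXPECTED_DIR[name]:
                findings.append(("process-path", line))
        elif match and match.group(1) == "O17" and "NameServer" in match.group(2):
            servers = match.group(2).split("=", 1)[1].replace(" ", "").split(",")
            findings.extend(("verify-dns", server) for server in servers)
        elif match and match.group(1) == "O23" and line.endswith("(file missing)"):
            findings.append(("service-file-missing", match.group(2)))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```
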

mantra

  • Guest
Re: trojan for me
« Reply #13 on: April 05, 2005, 03:38:16 PM »
Quote
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

What is the Pml driver???

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89168
  • No support PMs thanks
Re: trojan for me
« Reply #14 on: April 05, 2005, 03:42:52 PM »
Quote
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

What is the Pml driver???

What is a Google search for HPZipm12.exe - http://www.liutilities.com/products/wintaskspro/processlibrary/hpzipm12/ the tools are there to help you learn to use them. Once you find out what it is you can then decide if it is something that should be on your system.