Please help...unable to remove JS:TrojDnldr-1 [Trj]. HIjackthis log included...

JLYC:

--- Quote from: whocares on October 07, 2004, 04:26:47 PM ---format c: / flattening the system and setting it up PROPERLY would probably be faster
and definitely more secure

--> read the "BACKDOOR" section in the link below "VirusRemoval"
 ;)

--- End quote ---

Hello. Thanks for your replies. Does this mean my computer is affected by a backdoor? If yes, is it active?
I tried a boot scan with avast, which detected viruses again, which I deleted, but it came back after I restarted Windows. I did a virus scan, Spybot scan, and Ad-Aware scan in safe mode, but the virus is still there. When I tried to move the virus to the chest in safe mode, avast still says that it can't process the file.

Is reformatting my C drive my only option left?

JLYC:
Here's the new log after doing all the things I described above.

Logfile of HijackThis v1.98.2
Scan saved at 12:08:03 PM, on 10/7/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\msmsgs.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\sysentry.exe
C:\WINDOWS\System32\svh0st.exe
C:\WINDOWS\System32\zpwxv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\System32\winmplayer.exe
C:\WINDOWS\System32\crsss.exe
C:\WINDOWS\System32\wmplayer.exe
C:\WINDOWS\System32\dllmanger.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
c:\media.exe
C:\car.exe
C:\car.exe
c:\media.exe
C:\Documents and Settings\Jeff\Application Data\rrsa.exe
C:\Documents and Settings\Jeff\Desktop\hijackthis.exe

R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\msinfo.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.ca/"); (C:\Documents and Settings\Jeff\Application Data\Mozilla\Profiles\default\qagvdv86.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jeff\Application Data\Mozilla\Profiles\default\qagvdv86.slt\prefs.js)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 52.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System Uptime Server] sysentry.exe
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\Run: [Microsoft Help] svh0st.exe
O4 - HKLM\..\Run: [Win service] zpwxv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\Run: [Windows media service] crsss.exe
O4 - HKLM\..\Run: [Media Player] wmplayer.exe
O4 - HKLM\..\Run: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\Run: [Microsoft Connection Manager] dllmanger.exe
O4 - HKLM\..\RunServices: [System Uptime Server] sysentry.exe
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\RunServices: [Microsoft Help] svh0st.exe
O4 - HKLM\..\RunServices: [Win service] zpwxv.exe
O4 - HKLM\..\RunServices: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\RunServices: [Windows media service] crsss.exe
O4 - HKLM\..\RunServices: [Media Player] wmplayer.exe
O4 - HKLM\..\RunServices: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\RunServices: [Microsoft Connection Manager] dllmanger.exe
O4 - HKLM\..\RunOnce: [Windows Messenger] msmsgs.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [Windows Messenger] msmsgs.exe
O4 - HKCU\..\Run: [Microsoft Connection Manager] dllmanger.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Pcam] C:\Documents and Settings\Jeff\Application Data\rrsa.exe
O4 - HKCU\..\RunOnce: [Windows Messenger] msmsgs.exe
O8 - Extra context menu item: &Download the file(s) in D.S.Code - C:\Documents and Settings\Jeff\Desktop\DSLite2\dl_text.html
O8 - Extra context menu item: &Download the file(s) in D.S.Code-File - C:\Documents and Settings\Jeff\Desktop\DSLite2\dl_url.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\Documents and Settings\Jeff\Desktop\DSLite2\DSLite.exe
O9 - Extra 'Tools' menuitem: &D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\Documents and Settings\Jeff\Desktop\DSLite2\DSLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=154b113bf9603f46c731d769ed14a3bf2ae0a757064ee9bd5449e0fdd44e86d07944db10fe19f321ee033a2b9400d793bd2bfc09b6fd8079524c2d257aed07c9:008ad1ceed4ba741c45e80016782b89b
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1436a16ccc5adbd58d03/netzip/RdxIE601.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,11/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE02E67C-E7ED-49C3-A6B1-6EF733ADCB72}: NameServer = 198.235.216.110 209.226.175.224
O19 - User stylesheet:  (file missing)

Eddy:
Have a look HERE and fix everything that is reported as bad.

And here is the result of my HJT analyzer:
--------------------------------------------------------------------------------
ANALYZER INFORMATION
--------------------------------------------------------------------------------
Log created on   : 10-07-2004 18:43:54
Analyzer version : 7
bad.dat  version : 20
good.dat version : 22
rec.dat  version : 15
dasb.dat version :  4
sus.dat  version :  5

--------------------------------------------------------------------------------
CHECKING HIJACKTHIS AND INTERNET EXPLORER :
--------------------------------------------------------------------------------
You are using the latest version of HijackThis.
Old version of Internet Explorer detected, please update.
INMEDIATLY visit http://windowsupdate.microsoft.com and install ALL security patches/updates.

--------------------------------------------------------------------------------
THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :
--------------------------------------------------------------------------------
\windows\system32\sysentry.exe
\windows\system32\svh0st.exe
\windows\system32\zpwxv.exe
\windows\system32\winmplayer.exe
\windows\system32\crsss.exe
\windows\system32\wmplayer.exe
\windows\system32\dllmanger.exe
\media.exe
\car.exe
\car.exe
\media.exe
r3 - default urlsearchhook is missing
f1 - win.ini: run=c:\windows\..\progra~1\common~1\micros~1\msinfo\msinfo.exe
n3 - netscape 7: user_pref("browser.startup.homepage", "http://www.google.ca/"); (c:\documents and settings\jeff\application data\mozilla\profiles\default\qagvdv86.slt\prefs.js)
n3 - netscape 7: user_pref("browser.search.defaultengine", "engine://c%3a%5cprogram%20files%5cnetscape%5cnetscape%5csearchplugins%5csbweb_01.src"); (c:\documents and settings\jeff\application data\mozilla\profiles\default\qagvdv86.slt\prefs.js)
o2 - bho: &elitebar - {28caeff3-0f18-4036-b504-51d73bd81abc} - c:\windows\elitetoolbar\elitetoolbar version 52.dll
o4 - hklm\..\run: [system uptime server] sysentry.exe
o4 - hklm\..\run: [ati video regkey] ati2vid.exe
o4 - hklm\..\run: [microsoft help] svh0st.exe
o4 - hklm\..\run: [win service] zpwxv.exe
o4 - hklm\..\run: [microsoft media services] winmplayer.exe
o4 - hklm\..\run: [windows media service] crsss.exe
o4 - hklm\..\run: [microsoft connection manager] dllmanger.exe
o4 - hklm\..\runservices: [system uptime server] sysentry.exe
o4 - hklm\..\runservices: [ati video regkey] ati2vid.exe
o4 - hklm\..\runservices: [microsoft help] svh0st.exe
o4 - hklm\..\runservices: [win service] zpwxv.exe
o4 - hklm\..\runservices: [microsoft media services] winmplayer.exe
o4 - hklm\..\runservices: [windows media service] crsss.exe
o4 - hklm\..\runservices: [microsoft connection manager] dllmanger.exe
o4 - hkcu\..\run: [ati video regkey] ati2vid.exe
o4 - hkcu\..\run: [microsoft connection manager] dllmanger.exe
o4 - hkcu\..\run: [pcam] c:\documents and settings\jeff\application data\rrsa.exe
o16 - dpf: {15ad4789-cdb4-47e1-a9da-992ee8e6bad6} - http://public.windupdates.com/get_file.php?bt=ie&p=154b113bf9603f46c731d769ed14a3bf2ae0a757064ee9bd5449e0fdd44e86d07944db10fe19f321ee033a2b9400d793bd2bfc09b6fd8079524c2d257aed07c9:008ad1ceed4ba741c45e80016782b89b
o16 - dpf: {41f17733-b041-4099-a042-b518bb6a408c} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/quicktimeinstaller.exe
o16 - dpf: {4ed9ddf0-7479-4bbe-9335-5a1edb1d8a21} (mcafee.com operating system class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
o16 - dpf: {56336bcb-3d8a-11d6-a00b-0050da18de71} (rdxie class) - http://207.188.7.150/1436a16ccc5adbd58d03/netzip/rdxie601.cab
o16 - dpf: {86a88967-7a20-11d2-8eda-00600818edb1} (parallelgraphics cortona control) - http://www.parallelgraphics.com/bin/cortvrml.cab
o16 - dpf: {986dde35-e955-11d0-a707-000000521958} - http://69.56.176.75/webplugin.cab
o16 - dpf: {9eb320ce-be1d-4304-a081-4b4665414bef} (mediaticketsinstaller control) - http://www.mt-download.com/mediaticketsinstaller.cab
o16 - dpf: {bcc0ff27-31d9-4614-a68e-c18e1ada4389} (dwnldgroupmgr class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,11/mcgdmgr.cab
o19 - user stylesheet:  (file missing)

--------------------------------------------------------------------------------
HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :
--------------------------------------------------------------------------------
\documents and settings\jeff\application data\rrsa.exe
o4 - hkcu\..\run: [pcam] c:\documents and settings\jeff\application data\rrsa.exe

--------------------------------------------------------------------------------
THE FOLLOWING ITEMS ARE NOT NEEDED FOR THE SYSTEM TO WORK
PROPERLY. WE RECOMMEND THEM TO BE REMOVED FROM STARTUP :
--------------------------------------------------------------------------------
o4 - hklm\..\run: [tkbellexe] c:\program files\common files\real\update_ob\evntsvc.exe -osboot
o4 - hklm\..\run: [sunjavaupdatesched] c:\program files\java\j2re1.4.2_04\bin\jusched.exe
o4 - hklm\..\run: [media player] wmplayer.exe
o4 - hklm\..\run: [windows messenger] msmsgs.exe
o4 - hklm\..\runservices: [media player] wmplayer.exe
o4 - hklm\..\runservices: [windows messenger] msmsgs.exe
o4 - hklm\..\runonce: [windows messenger] msmsgs.exe
o4 - hkcu\..\run: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
o4 - hkcu\..\run: [mozilla quick launch] "c:\program files\netscape\netscape\netscp.exe" -turbo
o4 - hkcu\..\run: [windows messenger] msmsgs.exe

whocares:
--- Quote from: JLYC ---
Is reformatting my C drive my only option left?
--- End quote ---

it is the only sensible option, if you value the security of your system/data
because the system is severely compromised
-> you have several active backdoors on your system,
which allow complete control for a malicious user

see for yourself -> Hijackthis-Analysis:
http://hijackthis.de/logfiles/4c0397ab137ed0e373606129306ff83f.html

several of the red nasties are active Backdoor-Worms !!

if you don't want to/can't format:
For a start:
- fix everything with hijackthis that's marked RED in the above analysis,
- and also the F1-entry
(fixing means putting a checkmark next to the respective line and then clicking "Fix checked")

BEFORE fixing, kill any of the processes/files corresponding to the red-entries
in hijackthis via Config -> MiscTools -> processManager

after fixing, schedule a boot-time scan & reboot immediately

but keep in mind that only a format & PROPER re-install of WIN
can assure that your system is clean again
-> reread the above mentioned link "VirusRemoval" -> BACKDOOR

 ;)
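
The "fix everything marked RED" step above relies on spotting Run-key entries by eye. The following is an added example, not HijackThis or analyzer code, that applies two of the same heuristics to O4 lines taken from the log in this thread: a command given as a bare filename with no directory (every legitimate entry in the log carries a path), and a filename that is a near-miss of a genuine Windows binary name (svh0st vs svchost, crsss vs csrss, winmplayer vs wmplayer). The list of known binary names and the similarity threshold are assumptions chosen for this log; hits are leads for a manual look, not verdicts.

```python
"""Heuristic triage of HijackThis O4 (autostart) entries.

Added example for this thread's log; not HijackThis or analyzer code.
Hits mean "look at this", not "this is malware".
"""
import re
from difflib import SequenceMatcher

# Genuine Windows process names that entries in this thread imitate (assumed list).
KNOWN_SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "smss.exe",
                         "winlogon.exe", "services.exe", "spoolsv.exe",
                         "explorer.exe", "wmplayer.exe"}

# Shape of an O4 line: O4 - HKLM\..\Run: [Display name] command and arguments
O4_RE = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): '
                   r'\[(?P<name>[^\]]*)\] (?P<cmd>.*)$', re.IGNORECASE)

def command_image(cmd):
    """Executable part of a Run-key value: the quoted path, or text up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def lookalike_of(filename, threshold=0.85):
    """Known binary this name resembles but does not equal, else None (threshold assumed)."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    best = max(KNOWN_SYSTEM_BINARIES,
               key=lambda k: SequenceMatcher(None, name, k).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= threshold else None

def assess_o4_line(line):
    """Reasons an O4 line deserves a look; empty list means nothing flagged."""
    m = O4_RE.match(line.strip())
    if not m:
        return []          # not an O4 entry (R3, F1, O2, ... are out of scope here)
    image = command_image(m.group("cmd"))
    reasons = []
    if "\\" not in image:
        reasons.append("bare filename, no path: " + image)
    known = lookalike_of(image.rsplit("\\", 1)[-1])
    if known:
        reasons.append("%s imitates %s" % (image, known))
    return reasons
```

Feeding the whole log through `assess_o4_line` line by line flags the same System32 entries the analyzer output above marks as harmful, while the full-path avast, IME and MSN Messenger entries pass.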

JLYC:
Thank you both so much for your help!! I wish the world had more altruistic individuals like you than authors of the malware that makes people's lives miserable.  >:(

The windows seem to have stopped popping up. I will definitely reformat my drive in the near future. Are there any specific things I should look out for when I reformat (I've never done it before)?

Again, thank you so much.
