1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Can't get rid of this Trojan

Discussion in 'Windows - Virus and spyware problems' started by sumik, Feb 5, 2007.

  1. sumik

    sumik Member

    Joined:
    Mar 20, 2005
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    16
    I have Active Virus Shield and it detected Trojan-Downloader.Win32.Agent.bca which keeps on popping up and putting some install.exe on my desktop all the time. The AVS can't get rid of the problem and I have no clue what to do.

    Could someone help e get rid of this ?
    Tell me what to do or what I should give u so u have better knowledge of what's infected.
     
  2. sumik

    sumik Member

    Joined:
    Mar 20, 2005
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    16
    Logfile of HijackThis v1.99.1
    Scan saved at 8:12:45 PM, on 2/5/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\cyjrapblr\winlogon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virushelpzone.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    F3 - REG:win.ini: load=C:\WINDOWS\system32\cyjrapblr\winlogon.exe
    F3 - REG:win.ini: run=C:\WINDOWS\system32\cyjrapblr\winlogon.exe
    O1 - Hosts: 217.168.171.52 ts.parrotplaypen.com
    O1 - Hosts: 1.1.1.1 f-secure.com
    O1 - Hosts: 1.1.1.1 www.f-secure.com
    O1 - Hosts: 1.1.1.1 ftp.f-secure.com
    O1 - Hosts: 1.1.1.1 ftp.sophos.com
    O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
    O1 - Hosts: 1.1.1.1 customer.symantec.com
    O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
    O1 - Hosts: 1.1.1.1 download.mcafee.com
    O1 - Hosts: 1.1.1.1 rads.mcafee.com
    O1 - Hosts: 1.1.1.1 mast.mcafee.com
    O1 - Hosts: 1.1.1.1 my-etrust.com
    O1 - Hosts: 1.1.1.1 www.my-etrust.com
    O1 - Hosts: 1.1.1.1 nai.com
    O1 - Hosts: 1.1.1.1 www.nai.com
    O1 - Hosts: 1.1.1.1 networkassociates.com
    O1 - Hosts: 1.1.1.1 secure.nai.com
    O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
    O1 - Hosts: 1.1.1.1 service1.symantec.com
    O1 - Hosts: 1.1.1.1 sophos.com
    O1 - Hosts: 1.1.1.1 www.sophos.com
    O1 - Hosts: 1.1.1.1 support.microsoft.com
    O1 - Hosts: 1.1.1.1 symantec.com
    O1 - Hosts: 1.1.1.1 www.symantec.com
    O1 - Hosts: 1.1.1.1 update.symantec.com
    O1 - Hosts: 1.1.1.1 updates.symantec.com
    O1 - Hosts: 1.1.1.1 us.mcafee.com
    O1 - Hosts: 1.1.1.1 vil.nai.com
    O1 - Hosts: 1.1.1.1 viruslist.com
    O1 - Hosts: 1.1.1.1 www.viruslist.com
    O1 - Hosts: 1.1.1.1 grisoft.com
    O1 - Hosts: 1.1.1.1 www.grisoft.com
    O1 - Hosts: 1.1.1.1 free.grisoft.com
    O1 - Hosts: 1.1.1.1 trendmicro.com
    O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
    O1 - Hosts: 1.1.1.1 www.trendmicro.com
    O1 - Hosts: 1.1.1.1 pandasoftware.com
    O1 - Hosts: 1.1.1.1 www.pandasoftware.com
    O1 - Hosts: 1.1.1.1 usa.kaspersky.com
    O1 - Hosts: 1.1.1.1 ewido.net
    O1 - Hosts: 1.1.1.1 www.ewido.net
    O1 - Hosts: 1.1.1.1 zonelabs.com
    O1 - Hosts: 1.1.1.1 www.zonelabs.com
    O1 - Hosts: 1.1.1.1 bitdefender.com
    O1 - Hosts: 1.1.1.1 www.bitdefender.com
    O1 - Hosts: 1.1.1.1 download.bitdefender.com
    O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
    O1 - Hosts: 1.1.1.1 spywareinfo.com
    O1 - Hosts: 1.1.1.1 www.spywareinfo.com
    O1 - Hosts: 1.1.1.1 merijn.org
    O1 - Hosts: 1.1.1.1 www.merijn.org
    O1 - Hosts: 1.1.1.1 sysinternals.com
    O1 - Hosts: 1.1.1.1 www.sysinternals.com
    O1 - Hosts: 1.1.1.1 onguardonline.gov
    O1 - Hosts: 1.1.1.1 www.onguardonline.gov
    O1 - Hosts: 1.1.1.1 avast.com
    O1 - Hosts: 1.1.1.1 www.avast.com
    O1 - Hosts: 1.1.1.1 safety.live.com
    O1 - Hosts: 1.1.1.1 www.paretologic.com
    O1 - Hosts: 1.1.1.1 paretologic.com
    O1 - Hosts: 1.1.1.1 virusscan.jotti.org
    O1 - Hosts: 1.1.1.1 services.google.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O3 - Toolbar: (no name) - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [WindowBlinds] C:\Program Files\Stardock\Object Desktop\WindowBlinds\WBInstall32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
    O4 - Startup: Logitech SetPoint.lnk = ?
    O4 - Startup: winlogon.lnk = ?
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1030680729203
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

     
  3. ravens1

    ravens1 Regular member

    Joined:
    Aug 26, 2006
    Messages:
    238
    Likes Received:
    0
    Trophy Points:
    26
    I suggest you download Avira AntiVir or AVG free and run a scan.

    Im not an expert but i think that C:\WINDOWS\system32\cyjrapblr\winlogon.exe - might be a virus because "cyjrapblr" is like a random name, and thats what viruses do, create others with a random name. Also, the winlogon.exe might be imitating the actual thing. So, i wouldnt delete this file yet untill someone else who is more experienced comes along and helps. But for right know i still suggest you download Avira AntiVir or AVG free and run a scan.
     
    Last edited: Feb 5, 2007
  4. kateman

    kateman Regular member

    Joined:
    Jul 22, 2006
    Messages:
    574
    Likes Received:
    0
    Trophy Points:
    26
    this doesn't realy help with your original problem but i cant see a trojan in your scan.

    but i have never seen things like this before:

    O1 - Hosts: 1.1.1.1 www.pandasoftware.com

    it temps me to say delete it, and well thats what i would do if i were you.

     
  5. bkf

    bkf Guest

    I have never seen those 01 host file entries in any of the logs I have looked at. Seems something tried or did change your host file list and they all seem to be aimed at antivirus and antispyware sites to prevent you from reaching them. That host file list needs to be cleaned out and I see a fist full of other things. This one is bad and you not ever be able to trust your system again even if you fix the virus. Spybot should have prevented any hostfile changes if you had the lock host file box checked in IE tweaks because it would have been set to read only.
     
    Last edited by a moderator: Feb 8, 2007
  6. Waymon3X6

    Waymon3X6 Regular member

    Joined:
    Mar 9, 2006
    Messages:
    2,193
    Likes Received:
    0
    Trophy Points:
    46
    Oh my god man, I looked at your log and you have ALOT of problems, so lets start with the very nasty ones:

    C:\WINDOWS\system32\cyjrapblr\winlogon.exe

    Theres just too many 01s to name so, I looked and you should put a check next to ALL of them, then click "Fixed Checked"

    Now, for some smaller problems, you can fix these entries:


    O3 - Toolbar: (no name) - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - (no file)

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

     
  7. bkf

    bkf Guest

    Waymon: I question is it is worth trying to fix this, Im Sure that you looked up this virus and god knows what might have been changed. I would not trust the system and reload it without a second thought.
    He just happened to get a real good one :-(
     
  8. Waymon3X6

    Waymon3X6 Regular member

    Joined:
    Mar 9, 2006
    Messages:
    2,193
    Likes Received:
    0
    Trophy Points:
    46
    What do you think of Window's system restore points? This might save some of his data from being deleted by reinstalling windows.
     
  9. bkf

    bkf Guest

    Depends on how long the virus has been in there, more then 24 hours and it would be in a restore point. From what I have read about this bug it's liking somebody sitting at you keyboard. Tough call what to do. Saving the data to somewhere else would be ok if what gave him the bug was not part of that data somewhere. Only three ways I can think of to get something like this. Open a bad email, click on something bad on a web page or a bad download.
     
  10. kateman

    kateman Regular member

    Joined:
    Jul 22, 2006
    Messages:
    574
    Likes Received:
    0
    Trophy Points:
    26
    doubt its any of the first two. i'am pretty sure it'd have been a download.
     
  11. sumik

    sumik Member

    Joined:
    Mar 20, 2005
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    16
    A friend of mine downloaded a song, and didn't notice the difference between .mp3 and .zip and the trojan was just sitting at the .zip file.
    Now later on I clicked on some linked on msn, thought i got another thing from it, because now my msn sends msg'es by itself to other ppl with the same link in it. It send it in like split of a second and then closes the window, so u won't see that u'r sending out something. One time msn even tried to start itself when i closed it :)

    I'm just so frustrtated that i'm reformatin.
    How safe is it to save your stuff on cd's and then put it back on comp ? mostly pics, .exe files and songs.
     
  12. Waymon3X6

    Waymon3X6 Regular member

    Joined:
    Mar 9, 2006
    Messages:
    2,193
    Likes Received:
    0
    Trophy Points:
    46
    Well, I use Firefox, which is rumered to not have as much malware. I think that it is pretty safe for you to save things onto your cds. Just make sure that the things that you are saving dont contain a virus, trojan, etc. because the next time you put the cds on your computer, you will get the malware all over again.
     
  13. kateman

    kateman Regular member

    Joined:
    Jul 22, 2006
    Messages:
    574
    Likes Received:
    0
    Trophy Points:
    26
    hmm just be careful to make sure that the cd's are backed up on disks that are kept safe from heat, sunlight and any scratches. data storage isnt great. i'd suggest you back them up on usb rather than cd.

    but then again its almost impossible to tell if you do have malware on your system
     
  14. scorpNZ

    scorpNZ Active member

    Joined:
    Mar 23, 2005
    Messages:
    4,261
    Likes Received:
    63
    Trophy Points:
    78
    Perhaps once you've reformatted you could create a guest account so next time anyone wants to surf with your comp they don't have admin privelages and lastly look into disk imaging (ghost a harddrive) as system restore was installed by microsoft as a practicle joke...lol...
     
    Last edited: Feb 12, 2007

Share This Page