I have Active Virus Shield and it detected Trojan-Downloader.Win32.Agent.bca, which keeps on popping up and putting some install.exe on my desktop all the time. The AVS can't get rid of the problem and I have no clue what to do. Could someone help me get rid of this? Tell me what to do or what I should give you so you have better knowledge of what's infected.
Logfile of HijackThis v1.99.1
Scan saved at 8:12:45 PM, on 2/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cyjrapblr\winlogon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virushelpzone.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
F3 - REG:win.ini: load=C:\WINDOWS\system32\cyjrapblr\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\cyjrapblr\winlogon.exe
O1 - Hosts: 217.168.171.52 ts.parrotplaypen.com
O1 - Hosts: 1.1.1.1 f-secure.com
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 mast.mcafee.com
O1 - Hosts: 1.1.1.1 my-etrust.com
O1 - Hosts: 1.1.1.1 www.my-etrust.com
O1 - Hosts: 1.1.1.1 nai.com
O1 - Hosts: 1.1.1.1 www.nai.com
O1 - Hosts: 1.1.1.1 networkassociates.com
O1 - Hosts: 1.1.1.1 secure.nai.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 sophos.com
O1 - Hosts: 1.1.1.1 www.sophos.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 www.viruslist.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: (no name) - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [WindowBlinds] C:\Program Files\Stardock\Object Desktop\WindowBlinds\WBInstall32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - Startup: Logitech SetPoint.lnk = ?
O4 - Startup: winlogon.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1030680729203
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
I suggest you download Avira AntiVir or AVG Free and run a scan. I'm not an expert, but I think that C:\WINDOWS\system32\cyjrapblr\winlogon.exe might be a virus, because "cyjrapblr" is like a random name, and that's what viruses do: create others with a random name. Also, the winlogon.exe might be imitating the actual thing. So I wouldn't delete this file yet until someone else who is more experienced comes along and helps. But for right now I still suggest you download Avira AntiVir or AVG Free and run a scan.
This doesn't really help with your original problem, but I can't see a trojan in your scan. But I have never seen things like this before: O1 - Hosts: 1.1.1.1 www.pandasoftware.com. It tempts me to say delete it, and well, that's what I would do if I were you.
I have never seen those O1 hosts file entries in any of the logs I have looked at. Seems something tried or did change your hosts file list, and they all seem to be aimed at antivirus and antispyware sites to prevent you from reaching them. That hosts file list needs to be cleaned out, and I see a fistful of other things. This one is bad, and you will not ever be able to trust your system again even if you fix the virus. Spybot should have prevented any hosts file changes if you had the "lock hosts file" box checked in IE tweaks, because it would have been set to read-only.
Oh my god, man, I looked at your log and you have A LOT of problems, so let's start with the very nasty ones: C:\WINDOWS\system32\cyjrapblr\winlogon.exe. There are just too many O1s to name, so I looked and you should put a check next to ALL of them, then click "Fix Checked". Now, for some smaller problems, you can fix these entries:
O3 - Toolbar: (no name) - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
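The replies above do two checks by eye: spotting the O1 hosts entries that redirect antivirus and antispyware domains, and spotting a core Windows binary name (winlogon.exe) running from a random-named directory under system32. The script below automates both over HijackThis-style log lines. It is an added example, not code from this thread or from HijackThis; it assumes a Windows XP layout with C:\WINDOWS as the system root (as in the posted log), the vendor keyword list is an illustrative subset, and the sample lines embedded in it are constructed from entries in the log above.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

Flags two things seen in the log above:
  1. hosts-file (O1) entries that redirect security-vendor domains anywhere,
  2. a core Windows binary name used from outside its legitimate directory.
"""
import re

# Assumption: Windows XP layout with C:\WINDOWS as %SystemRoot%, as in the posted log.
SYSTEM_ROOT = r"c:\windows"

# Core OS binaries and the only directory each should legitimately run from.
PROTECTED = {name: SYSTEM_ROOT + r"\system32" for name in
             ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe", "spoolsv.exe")}
PROTECTED["explorer.exe"] = SYSTEM_ROOT

# Illustrative subset of security-vendor domain fragments (assumption, not exhaustive).
# Any hosts entry for one of these is suspect whatever address it points at:
# 1.1.1.1 and 127.0.0.1 both stop the updater from reaching the vendor.
VENDOR_KEYWORDS = ("symantec", "mcafee", "sophos", "f-secure", "kaspersky",
                   "trendmicro", "avast", "grisoft", "bitdefender", "microsoft",
                   "sysinternals", "jotti", "viruslist", "ewido", "panda", "nai.com")

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", re.I)
# A drive-letter path ending in .exe; spaces allowed (Program Files), quotes excluded.
PATH_RE = re.compile(r"([a-z]:\\[^\"\r\n]*?\.exe)", re.I)

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\cyjrapblr\winlogon.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\cyjrapblr\winlogon.exe
O1 - Hosts: 217.168.171.52 ts.parrotplaypen.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
"""


def hosts_hijacks(lines):
    """Return (hostname, ip) for O1 entries that redirect a security-vendor domain."""
    hits = []
    for line in lines:
        m = HOSTS_RE.match(line.strip())
        if not m:
            continue
        ip, host = m.group(1), m.group(2).lower()
        if any(k in host for k in VENDOR_KEYWORDS):
            hits.append((host, ip))
    return hits


def masquerading_binaries(lines):
    """Return every path that reuses a core OS binary name outside its expected directory."""
    hits, seen = [], set()
    for line in lines:
        for path in PATH_RE.findall(line):
            directory, _, name = path.lower().rpartition("\\")
            expected = PROTECTED.get(name)
            if expected and directory != expected and path.lower() not in seen:
                seen.add(path.lower())
                hits.append(path)
    return hits


def triage(log_text):
    """Run both checks over a whole log and return the findings."""
    lines = log_text.splitlines()
    return {"hosts_hijacks": hosts_hijacks(lines),
            "masquerades": masquerading_binaries(lines)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for host, ip in result["hosts_hijacks"]:
        print(f"hosts file redirects {host} -> {ip}")
    for path in result["masquerades"]:
        print(f"core binary name outside its system directory: {path}")
```

The name-plus-directory check is deliberately strict: on XP the real winlogon.exe, lsass.exe and friends only ever run from %SystemRoot%\system32, so a copy under any subdirectory is worth pulling regardless of what the file claims to be. The script only reads log text; it does not verify file signatures or hashes, so treat its output as a list of things to look at, not a verdict.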
Waymon: I question whether it is worth trying to fix this. I'm sure that you looked up this virus, and God knows what might have been changed. I would not trust the system and would reload it without a second thought. He just happened to get a real good one :-(
What do you think of Windows System Restore points? This might save some of his data from being deleted by reinstalling Windows.
Depends on how long the virus has been in there; more than 24 hours and it would be in a restore point. From what I have read about this bug, it's like somebody sitting at your keyboard. Tough call what to do. Saving the data to somewhere else would be OK if what gave him the bug was not part of that data somewhere. Only three ways I can think of to get something like this: open a bad email, click on something bad on a web page, or a bad download.
A friend of mine downloaded a song and didn't notice the difference between .mp3 and .zip, and the trojan was just sitting in the .zip file. Now later on I clicked on some link on MSN and thought I got another thing from it, because now my MSN sends messages by itself to other people with the same link in it. It sends it in like a split second and then closes the window, so you won't see that you're sending out something. One time MSN even tried to start itself when I closed it. I'm just so frustrated that I'm reformatting. How safe is it to save your stuff on CDs and then put it back on the computer? Mostly pics, .exe files and songs.
Well, I use Firefox, which is rumored to not have as much malware. I think that it is pretty safe for you to save things onto your CDs. Just make sure that the things you are saving don't contain a virus, trojan, etc., because the next time you put the CDs in your computer, you will get the malware all over again.
Hmm, just be careful to make sure that the CDs are backed up on discs that are kept safe from heat, sunlight and any scratches. Data storage isn't great. I'd suggest you back them up on USB rather than CD. But then again, it's almost impossible to tell if you do have malware on your system.
Perhaps once you've reformatted you could create a guest account, so next time anyone wants to surf with your computer they don't have admin privileges, and lastly look into disk imaging (ghosting a hard drive), as System Restore was installed by Microsoft as a practical joke... lol...