Hi,
I picked up trojan dropper virus and trojan download (jjj.exe, jjj[1].exe). I did a full-sys scan, deleted the infected files. I then disabled System Restore, updated the Virus definitions, started the computer in safe mode and ran a full system scan. I then did another full-sys scan and it says I have 0 infected files. However, each time I log on to my username in XP, the System32 file window pops up, which is the file that contained the viruses. Does this mean the virus is installed on my PC even though NAV says 0 files infected? Should I update my AV to NAV 2003 or even McAfee?
(P.S. I have tons of security software currently installed: Trojan Remover, Sygate Personal Firewall, Ad-Aware, HijackThis, and Spyware Blaster. I have NAV 2002 but I do the live updates quite frequently.) Here is my HijackThis Log:
Logfile of HijackThis v1.97.7
Scan saved at 10:05:57 PM, on 12/3/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\HEWLET~1\hpis\common\MOTIVE~1.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Documents and Settings\Julie\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Julie\Application Data\Mozilla\Profiles\default\v8g14as7.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Julie\Application Data\Mozilla\Profiles\default\v8g14as7.slt\prefs.js)
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [hpinstantsupport] "C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "C:\Program Files\Hewlett-Packard\hpis\" -boot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {79403BA0-6FC2-45C6-82FC-CD6DD268C5EA} (InstAXCtrl Class) - http://sojoin.buyersport.com/Install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activex/LightSurfUploadControl.cab

At the very least these can be fixed:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
hth
shep

Hello Julie,
This is not the first time you have requested help about trojans or viruses in this forum. I remember having answered you about the same question already; remember the guy asking you if you were not a French person using a French name?
I notice that you don't listen to the guidance already given to you to get rid of the problems you are involved with....
So let me ask you this question ? what are you expecting here ?

Hey Imp,
"(P.S. I have tons of security software currently installed: Trojan Remover, Sygate Personal Firewall, Ad-Aware, HijackThis, and Spyware Blaster. I have NAV 2002 but I do the live updates quite frequently.)"
http://computing.net/security/wwwboard/forum/7611.html
You forgot to say, (make sure IE is updated).

"what are you expecting here ?"
I imagine she is wanting help with her problem. There is more to helping someone than just posting a link to the 'not so wonderful' program trojan remover.
Hi Julie,
Open the task manager and end process on the following:
C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
Then run HijackThis again and place a check in the box next to the following entries, close any open browser windows and click 'fix checked'.
You must restart your computer when finished.
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
After restarting delete the following folders:
c:\program files\winfavorites
c:\program files\commonname
Then go here and run an online virus scan and copy the report and paste it in a reply.
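
The entries singled out in the replies above share structural oddities that can be checked mechanically; a Run value whose data is a folder rather than a program is what makes Explorer open that folder at logon, which matches the System32 window described in the first post. The sketch below is an added example, not part of any post in this thread: it parses HijackThis O1/O2/O4 lines (sample lines copied from the log above) and flags three such oddities. The function name `triage` and the rules themselves are this example's assumptions, not HijackThis features.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>.*?)\] (?P<cmd>.*)$")
BHO = re.compile(r"^BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
HOSTS = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

def triage(log_text):
    """Return (line, reason) pairs for structurally odd O1/O2/O4 entries."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # headers, process list, blank lines
        code, body = m.group("code"), m.group("body")
        if code == "O4" and (r := RUN.match(body)):
            # Autostart value with no name: legitimate installers name their entries.
            if not r.group("name"):
                findings.append((line, "Run value with empty name"))
            # Data ending in a backslash is a directory; Explorer opens it at logon.
            if r.group("cmd").rstrip().endswith("\\"):
                findings.append((line, "Run data is a folder, not a program"))
        elif code == "O2" and (b := BHO.match(body)):
            # A real COM class has a unique CLSID; all zeros is a placeholder.
            if set(b.group("clsid")) <= set("{0-}"):
                findings.append((line, "BHO registered under all-zero CLSID"))
        elif code == "O1" and (h := HOSTS.match(body)):
            # Hosts lines that send a named site to a non-loopback address.
            if h.group("ip") not in LOOPBACK:
                findings.append((line, "hosts file maps a name to a remote IP"))
    return findings

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```

A flag here only marks an entry for a closer look; entries that pass these checks (such as the winnet Run value in the log) can still be unwanted.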

Hello,
Thank you so much everyone. To Imp, Thank you for your past advice-the software that you recommended seems to work. I didn't mean to annoy you with the current post. Sorry-I'm just a computer doofus. To Tom41 and Innocent Bystander, thanks for your help and I will try these pieces of advice. I appreciate it. Happy Holidays.
~Julie

Hello, I'm having the same problem Julie is and I'm kinda new at fixing computers, I was wondering if you (sxshep) could put that diagnosis in layman's terms. Thank you, I appreciate it immensely.

Hey, I am having close to the same problem but on Windows 98. No matter how many times I delete the BHO's and the HKLM's and the HKCU's it keeps coming back. While I'm just sitting here sometimes C:\WINDOWS\SYSTEM32 will pop up and jjj.exe will try to access the internet through my firewall. Can somebody help me?

ok...i'm at work, and a window from nortons pops up and tells me i have the trojan dropper....this is my first brush with a virus....the window i mentioned says access to the file is denied. The virus name seems to be a link, but i'm afraid to click on it. Currently, i have norton running a scan, no results yet. Also, I am printing this whole page of posts, although most of what i see may as well be in japanese! Do any of you know how i may have caught this virus?

I got the trojan dropper virus by clicking on a link on a friend's profile. We ran Norton (2002) and it said it could not delete it or quarantine it, but it could close it so it could not be accessed, but about 2 weeks later Outlook started sending out infected e-mails. Every time I do a scan it says the computer is safe and not infected but something apparently is still going on. We have no clue what to do to get rid of it. Any help would be greatly appreciated.
Thanks,
Danielle

I JUST did the same thing, I clicked on a link saying "2003 New Years Party" and it said I have the virus also. I also have Norton which isn't doing much at all. Was the New Years link the same as what you clicked on to get the virus???...I'm wondering because I want to know if I should prepare for such infected emails.

I got the same stupid Trojan last night. I have XP Pro, Symantec AV Corp. 8.1, and Sygate Pro 5.5 - with all the latest updates for each.
Like above, I also viewed a friend's AIM profile and it said "2003 New Years Party" so I clicked on it thinking there would be pictures. Soon as I did, a webpage came up located at (I believe) http://www.buddyprofile.com/
Regardless, this page had a series of pop-ups and annoyed me like crazy. I tried closing the windows but more pop-ups! I finally "out-clicked" the pop-ups and closed Internet Explorer. This is the exact moment real-time protection for "Symantec AntiVirus Corporate Edition 8.1" with virus signature file "12/31/2003 rev. 17" popped up with a virus warning. The file could not be QUARANTINED or CLEANED, it was simply "left alone".
The virus I got actually infects other files. In my realtime-scan I saw that "new[1].hta" was infected. Although the ACTUAL file that has infected me is located in the "Temporary Internet Files" as a hidden system file. I had to search through this folder looking for "trojan" and tried to delete it... WITH NO SUCCESS!
I finally went to this website for advice:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.dropper.html
I don't think this actually solved my problem because my "SAFE MODE" scan turned up nothing. I will follow-up when I am satisfied with a fix, but EVERYONE should go visit Symantec Security Response.

yea i clicked my friend's profile and this thing came up "do u want to install so and so program?" so naturally i clicked no...then this thing came up "instillation aborted, you must click yes" so i just ctrl-alt-deleted and my virus thing came up said i had trojan dropper and it didn't do anything about it. unfortunately my virus scan subscription service ran out 1 or 2 days ago so i renewed it and scanned my comp. nothing...? any help would be nice.

i was viewing my virus log on norton antivirus and it told me where the trojan was detected, it was called new[1].hta located in a hidden folder. i found the folder and looked through it carefully but found nothing. i am thinking of simply deleting the entire folder itself, is this a good idea, or should i just leave things be?
