win32: Trojano-324

Viruses and worms
1

avast found this virus… i clicked repair all. did i do the right thing? after i did that… it says… current scanner status: infected. PLESE REPLY ASAP… thanks. :slight_smile:

2

If you have a NT based system, perform a boot time scan.

If you want to make sure all malware is gone, click on one of the links in my signature and follow the instructions in the malware removal section.

3

well i just moved it to the chest instead for now… is that ok?

4

C:\Programfiles\commonfiles\rldnhlap\tjrrnrjn\nctjfrnh.exe was the name

5

sorry for posting so much… would it be ok if just went to the folder and deleted it manually? i know exactly were it is.

6

Removing the file/folder will only remove just that. Very likely there are also registry keys that need to be deleted.
If you are familiair with the registry, go ahead and do it manually.
If not, I suggest you use HijackThis for it.
Info about HijackThis (and a download) can be found in the HijackThis section if you click on my signature.

And don’t worry about posting too much. Better ask and be safe than not asking and having a infected system :wink:

7

what do i with it now if it’s in the chest? just delete it from there? and that will delete the virus?

8

While the file is in the chest, Windows is not able to access it anymore.
So it will not any longer can do harm to your system.

You can safely delete it from the chest, or if needed/wanted you can do more investigation on the file from there.

9

k… i did a scan on hijackthis… and this is the logfile… what should i fix or delete?

Logfile of HijackThis v1.99.0
Scan saved at 7:25:38 AM, on 1/18/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\MSN\MSNIA\DSLMON.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\WPWIN9.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOCUMENTS\TIFFANY’S STUFF\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [DSL Connection Tool] C:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU..\Run: [msnmsgr] “C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE” /background
O4 - Startup: Event Reminder.lnk.disabled
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O15 - Trusted Zone: http://www.yahoomail.com
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,71/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/22e5db107487c14ef516/netzip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {17176065-B807-4CF1-BF1C-B85008597878} (Dialer Class) - http://www.italyminutes.com/ax/erosmanga.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,14/mcgdmgr.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by11fd.bay11.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

10

This is the result that my HijackThis Log File Analyzer gives:

CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:

You are using the latest version of HijackThis.
You are using the latest version of Internet Explorer.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.

THESE ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

r0 - hkcu\software\microsoft\internet explorer\main,local page =
r0 - hklm\software\microsoft\internet explorer\main,local page =
r0 - hkcu\software\microsoft\internet explorer\toolbar,linksfoldername =
r3 - urlsearchhook: (no name) - _{8952a998-1e7e-4716-b23d-3dbe03910972} - (no file)
o4 - hklm..\run: [systemtray] systray.exe
o4 - startup: event reminder.lnk.disabled
o9 - extra button: (no name) - {cd67f990-d8e9-11d2-98fe-00c0f0318afe} - (no file)
o16 - dpf: {f58e1cef-a068-4c15-ba5e-587caf3ee8c6} (msn chat control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
o16 - dpf: {4ed9ddf0-7479-4bbe-9335-5a1edb1d8a21} (mcafee.com operating system class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,71/mcinsctl.cab
o16 - dpf: {56336bcb-3d8a-11d6-a00b-0050da18de71} (rdxie class) - http://207.188.7.150/22e5db107487c14ef516/netzip/rdxie601.cab
o16 - dpf: {8e0d4de5-3180-4024-a327-4dfad1796a8d} (messengerstatsclient class) - http://messenger.zone.msn.com/binary/messengerstatsclient.cab
o16 - dpf: {f6bf0d00-0b2a-4a75-bf7b-f385591623af} (solitaire showdown class) - http://messenger.zone.msn.com/binary/solitaireshowdown.cab
o16 - dpf: {6a060448-60f9-11d5-a6cd-0002b31f7455} (exentinf class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
o16 - dpf: {17176065-b807-4cf1-bf1c-b85008597878} (dialer class) - http://www.italyminutes.com/ax/erosmanga.cab
o16 - dpf: {bcc0ff27-31d9-4614-a68e-c18e1ada4389} (dwnldgroupmgr class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,14/mcgdmgr.cab
o16 - dpf: {00b71cfb-6864-4346-a978-c0a14556272c} (checkers class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
o16 - dpf: {f5820ad3-9b20-423e-b2aa-7af2b4055746} (cregistrydownload class) - http://download.paltalk.com/download/0.x/regdload.cab
o16 - dpf: {c3dfa998-a486-11d4-aa25-00c04f72daeb} (msn photo upload tool) - http://sc.groups.msn.com/controls/photouc/msnpupld.cab
o16 - dpf: {b38870e4-7ecb-40da-8c6a-595f0a5519ff} (msnmessengersetupdownloadcontrol class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
o16 - dpf: {df780f87-ff2b-4df8-92d0-73db16a1543a} (popcaploader object) - http://www.popcap.com/games/popcaploader_v6.cab
o16 - dpf: {4f1e5b1a-2a80-42ca-8532-2d05cb959537} (msn photo upload tool) - http://by11fd.bay11.hotmail.msn.com/resources/msnpupld.cab
o16 - dpf: {74d05d43-3236-11d4-bdcd-00c04f9a3b61} (housecall control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:

o4 - hkcu..\run: [msnmsgr] “c:\program files\msn messenger\msnmsgr.exe” /background

11

how do i make a backup before fixing?

12

HijackThis does it automaticly.

13

hmm… the screen went completely black when i did it and had to restart. are you sure it does a backup automaatically? it said should but ddint say anything about it doin auto. i scanned again… and everything is still there.

14

Making a backup is by default enabled in HijackThis.
So unless you changed it, it will create a backup.

15

I could be wrong, but i think it only makes a back-up if HijackThis is in its own folder.

–lee

16

Hijackthis doesn’t need a ‘own’ folder. It works in any folder. It will create a subfolder where it places the backups.

17

i didnt change it… and if i remmeber right i think i looked back at hijackthis and found backup files… hmm… i have it saved in my own folder… and i dont see any uninstall file… i dunno. i just downloaded firefox and am using it instead of Internet explorer. :slight_smile: