
Backdoor Trojan / msjifi.dll



#1 jazzyj


Posted 21 July 2004 - 07:04 PM

If someone can help me on this that would be great. I cannot get rid of this particular Trojan. My Symantec Antivirus program caught a Backdoor.Trojan and the location says it's in c:\winnt\system32\msjifi.dll

Of course I can't delete the dll and Symantec does not clean it.

Safe-mode Symantec scan and Ad-Aware did not work. I even went into the registry to delete the AppInit_Dlls folder that's listed on the last line of the hijackthis log file.

Any ideas? :wtf:

Here's the hijackthis log file:

C:\WINNT\AGRSMMSG.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Notes\NLNOTES.EXE
C:\Notes\ntaskldr.EXE
C:\Documents and Settings\chq-angelog\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search.yellow-pages.ws
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.chq.ei
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://search.yellow-pages.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Expeditors International of WA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxycache.chq.ei:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ei;10.*;192.*;169.254.*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.chq.ei
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://66.230.145.49...m::/on-line.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chq.ei
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chq.ei
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chq.ei
O20 - AppInit_DLLs: C:\WINNT\System32\msjifi.dll
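
The two lines in this log that a defender would triage first are the O20 AppInit_DLLs entry (a DLL listed there is loaded into every process that uses user32.dll, which is why the file stays locked in normal mode) and the O16 entry that delivers an executable through the ms-its:/mhtml: protocol handlers. The script below is an added example, not part of the thread or of HijackThis itself; the function names `classify` and `triage` are my own, and the sample input is a handful of lines copied from the log above.

```python
import re
from typing import List, Optional, Tuple

# Sample input: four lines copied from the HijackThis log posted above.
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe",
    r"O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://66.230.145.49...m::/on-line.exe",
    r"O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab",
    r"O20 - AppInit_DLLs: C:\WINNT\System32\msjifi.dll",
])

# HijackThis lines look like "<section code> - <body>", e.g. "O20 - AppInit_DLLs: ...".
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")

# Protocol handlers that have no business in an O16 (Download Program Files) entry:
# legitimate ActiveX controls are fetched as .cab files over http(s), not via ITS/MHTML.
SUSPICIOUS_SCHEMES = ("ms-its:", "mhtml:", "file://")


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one HijackThis log line, or None if nothing to flag."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    # O20: any non-empty AppInit_DLLs value is worth a look. The DLL is mapped into
    # every user32-using process at logon, so it cannot be deleted while they run.
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:
            return ("high", f"AppInit_DLLs loads {value} into every user32 process; "
                            "file is locked in normal mode, inspect from safe mode")

    # O16: flag ITS/MHTML/file handlers and any entry whose target is a bare executable.
    if code == "O16":
        lowered = body.lower()
        if any(s in lowered for s in SUSPICIOUS_SCHEMES) or lowered.endswith(".exe"):
            return ("high", "O16 entry uses a local/ITS protocol handler or points at an .exe")
    return None


def triage(log_text: str) -> List[dict]:
    """Run classify() over a whole log and collect the flagged lines in order."""
    findings = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            findings.append({"line": line.strip(), "severity": hit[0], "reason": hit[1]})
    return findings
```

Run `triage(SAMPLE_LOG)` and only the ms-its: O16 line and the O20 line come back; the signed Symantec .cab and the vptray Run entry are left alone.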

#2 Mish


Posted 21 July 2004 - 07:45 PM

jazzyj,

Same suggestion as for others with this problem. Check out the post here for suggestions. You'll need to complete those steps as the evil dll (msjifi.dll in your case) in the Backdoor.Trojan virus will disappear if you boot to safe mode and won't let you delete/modify/rename it if you find it in normal mode.

For the suggested fix, try:

http://forums.spywar...showtopic=16790

good luck,
Mish

#3 jazzyj


Posted 21 July 2004 - 11:01 PM

Thanks so much Mish. I'll try it out and post if it works for me. :bounce:
