jazzyj

Backdoor Trojan / msjifi.dll

3 posts in this topic

If someone can help me on this, that would be great. I cannot get rid of this particular Trojan. My Symantec Antivirus program caught a Backdoor.Trojan, and the location says it's in c:\winnt\system32\msjifi.dll

Of course I can't delete the DLL, and Symantec does not clean it.

A safe-mode Symantec scan and Ad-Aware did not work. I even went into the registry to delete the AppInit_Dlls folder that's listed on the last line of the HijackThis log file.

Any ideas? :wtf:

Here's the HijackThis log file:

C:\WINNT\AGRSMMSG.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Notes\NLNOTES.EXE
C:\Notes\ntaskldr.EXE
C:\Documents and Settings\chq-angelog\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search.yellow-pages.ws
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.chq.ei
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://search.yellow-pages.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Expeditors International of WA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxycache.chq.ei:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ei;10.*;192.*;169.254.*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL
O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.chq.ei
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://66.230.145.49/420/online.chm::/on-line.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chq.ei
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chq.ei
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chq.ei
O20 - AppInit_DLLs: C:\WINNT\System32\msjifi.dll
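The log above contains three things worth pulling out by hand: the O20 AppInit_DLLs entry (the DLL named there is mapped into every process that loads user32.dll, which is why it is always in use and cannot be deleted or renamed from a normal boot), the O16 DPF entry that uses the ms-its:mhtml:file://...!http:// handler chain to fetch a CHM from a bare IP and run the executable inside it (the URL-handler weakness closed by MS04-013), and the R1 SearchURL hijack to search.yellow-pages.ws. The script below is an added example, not part of the original post or of HijackThis itself; it triages a HijackThis log with those three rules. The sample log is copied from the post and embedded so it runs offline, and the set of "expected" browser hosts is an assumption made for this machine from the hosts that appear in the log.

```python
import re
from urllib.parse import urlparse

# Lines copied from the HijackThis log in the post above, embedded so the
# script runs offline. Windows paths, hence the raw string.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search.yellow-pages.ws
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.chq.ei
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://66.230.145.49/420/online.chm::/on-line.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O20 - AppInit_DLLs: C:\WINNT\System32\msjifi.dll
"""

# Assumption: hosts this user's browser is expected to point at (Yahoo and the
# corporate chq.ei domain both appear in the log). Any other host in an R0/R1
# start/search entry is treated as a hijack.
EXPECTED_BROWSER_HOSTS = {"www.yahoo.com", "www.chq.ei"}

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse(log_text):
    """Yield (kind, body) for each HijackThis entry, e.g. ("O20", "AppInit_DLLs: ...")."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body")


def check_browser_setting(body):
    """R0/R1: flag start/search pages that point at a host outside the expected set."""
    if " = " not in body:
        return None
    value = body.split(" = ", 1)[1].strip()
    host = urlparse(value).hostname  # None for non-URL values such as a window title
    if host and host not in EXPECTED_BROWSER_HOSTS:
        return ("medium", f"browser start/search page redirected to {host}")
    return None


def check_dpf(body):
    """O16: flag Download Program Files entries that go through the CHM/MHTML
    URL handlers, pull from a bare IP, or install a raw .exe instead of a .cab."""
    url = body.rsplit(" - ", 1)[-1].strip()   # body is "DPF: {CLSID} (Name) - <url>"
    reasons = []
    scheme = url.split(":", 1)[0].lower()
    if scheme in ("ms-its", "its", "mk", "mhtml"):
        # ms-its:mhtml:file://...!http://... is the handler chain patched by MS04-013
        reasons.append(f"{scheme}: URL handler used to run remote CHM content")
    # hosts embedded anywhere in the chain, e.g. after the "!" in the mhtml redirect
    for inner in re.findall(r"https?://([^/!]+)", url):
        if IPV4_RE.match(inner):
            reasons.append(f"download from bare IP {inner}")
    if url.lower().endswith(".exe"):
        reasons.append("DPF entry drops a raw .exe")
    return ("high", "; ".join(reasons)) if reasons else None


def check_appinit(body):
    """O20: any AppInit_DLLs value. Each DLL listed is loaded into every process
    that maps user32.dll, so it is in use by nearly everything on a normal boot
    and cannot be deleted or renamed until it is unregistered or the box is
    booted without it (safe mode, recovery console, offline media)."""
    value = body.split(":", 1)[1].strip()
    # AppInit_DLLs is space- or comma-separated; short (8.3) names are the norm
    dlls = [d for d in re.split(r"[,\s]+", value) if d]
    if not dlls:
        return None
    return ("high", "AppInit_DLLs loads " + ", ".join(dlls) + " into every process using user32.dll")


CHECKS = {"R0": check_browser_setting, "R1": check_browser_setting,
          "O16": check_dpf, "O20": check_appinit}


def triage(log_text):
    """Return [(kind, severity, reason, entry)] for every suspicious line, in log order."""
    findings = []
    for kind, body in parse(log_text):
        check = CHECKS.get(kind)
        result = check(body) if check else None
        if result:
            findings.append((kind, result[0], result[1], body))
    return findings


if __name__ == "__main__":
    for kind, sev, reason, body in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {kind}: {reason}\n         {body}")
```

Run against the posted log it reports exactly the three entries named above and leaves the Adobe BHO, the Symantec vptray Run entry and the Symantec support .cab alone. The host allowlist is the part to adapt per machine; the O16 and O20 rules are generic.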


jazzyj,

Same suggestion as for others with this problem. Check out the post here for suggestions. You'll need to complete those steps, as the evil DLL (msjifi.dll in your case) in the Backdoor.Trojan virus will disappear if you boot to safe mode and won't let you delete/modify/rename it if you find it in normal mode.

For the suggested fix, try:

http://forums.spywareinfo.com/index.php?showtopic=16790

Good luck,

Mish
