
Backdoor.Trojan (2) msljld.dll


4 replies to this topic

#1 Nosgoth


Posted 22 July 2004 - 03:04 PM

Thanks Grinler.

I ran BitDefender's online virus scanner
(wouldn't resolve host to housecall.antivirus.com or Trend Micro; may be down or slammed).

:thumbsup: Found 40 infected files, various trojans and dialers, all of which Norton decided not to tell me about.

All these were in the system32 folder and Documents and Settings subfolders.

I'll run that VBS file anyway; I believe msljld.dll is still there.


Note: If AV software has script blocking or warning on, VBs will fail or alert.
------------------------------------------------
These are the Current Active Services:

COMPUTER BROWSER: Browser
C:\WINNT\System32\services.exe

DHCP CLIENT: Dhcp
C:\WINNT\System32\services.exe

LOGICAL DISK MANAGER: dmserver
C:\WINNT\System32\services.exe

DNS CLIENT: Dnscache
C:\WINNT\System32\services.exe

EVENT LOG: Eventlog
C:\WINNT\system32\services.exe

SERVER: lanmanserver
C:\WINNT\System32\services.exe

WORKSTATION: lanmanworkstation
C:\WINNT\System32\services.exe

TCP/IP NETBIOS HELPER SERVICE: LmHosts
C:\WINNT\System32\services.exe

MESSENGER: Messenger
C:\WINNT\System32\services.exe

PLUG AND PLAY: PlugPlay
C:\WINNT\system32\services.exe

PROTECTED STORAGE: ProtectedStorage
C:\WINNT\system32\services.exe

RUNAS SERVICE: seclogon
C:\WINNT\system32\services.exe

DISTRIBUTED LINK TRACKING CLIENT: TrkWks
C:\WINNT\system32\services.exe

WINDOWS MANAGEMENT INSTRUMENTATION DRIVER EXTENSIONS: Wmi
C:\WINNT\system32\Services.exe

INDEXING SERVICE: cisvc
C:\WINNT\system32\cisvc.exe

COM+ EVENT SYSTEM: EventSystem
C:\WINNT\System32\svchost.exe -k netsvcs

NETWORK CONNECTIONS: Netman
C:\WINNT\System32\svchost.exe -k netsvcs

REMOVABLE STORAGE: NtmsSvc
C:\WINNT\System32\svchost.exe -k netsvcs

REMOTE ACCESS CONNECTION MANAGER: RasMan
C:\WINNT\System32\svchost.exe -k netsvcs

SYSTEM EVENT NOTIFICATION: SENS
C:\WINNT\system32\svchost.exe -k netsvcs

TELEPHONY: TapiSrv
C:\WINNT\System32\svchost.exe -k netsvcs

NORTON ANTIVIRUS AUTO PROTECT SERVICE: navapsvc
C:\Program Files\Norton AntiVirus\navapsvc.exe

NVIDIA DISPLAY DRIVER SERVICE: NVSvc
C:\WINNT\system32\nvsvc32.exe

IPSEC POLICY AGENT: PolicyAgent
C:\WINNT\System32\lsass.exe

SECURITY ACCOUNTS MANAGER: SamSs
C:\WINNT\system32\lsass.exe

REMOTE REGISTRY SERVICE: RemoteRegistry
C:\WINNT\system32\regsvc.exe

REMOTE PROCEDURE CALL (RPC): RpcSs
C:\WINNT\system32\svchost -k rpcss

TASK SCHEDULER: Schedule
C:\WINNT\system32\MSTask.exe

PRINT SPOOLER: Spooler
C:\WINNT\system32\spoolsv.exe

WINDOWS MANAGEMENT INSTRUMENTATION: WinMgmt
C:\WINNT\System32\WBEM\WinMgmt.exe

WMDM PMSP SERVICE: WMDM PMSP Service
C:\WINNT\System32\mspmspsv.exe

AUTOMATIC UPDATES: wuauserv
C:\WINNT\system32\svchost.exe -k wugroup

Edited by Nosgoth, 22 July 2004 - 03:15 PM.



#2 Grinler

    Lawrence Abrams

Posted 22 July 2004 - 03:45 PM

Please confirm whether that file is still there.
If it is, submit it to:

http://www.virustotal.com/flash/index_en.html

When you get the email from them, paste it here as a reply.

#3 Nosgoth


Posted 25 July 2004 - 10:48 AM

msljld.dll can no longer be found. :thumbsup:

#4 Grinler

    Lawrence Abrams


Posted 25 July 2004 - 12:36 PM

Ok, that's good news. Please post a new log.

#5 Nosgoth


Posted 26 July 2004 - 09:05 AM

Well, I spoke too soon.

After a reboot and a day or two, it showed back up.

I rescanned with the BitDefender online scanner and found 2 viruses that I had missed.

1) trojan.downloader.keenval.a, incrediFind.exe - in a Documents and Settings subfolder

2) backdoor.agent.AQ, 1080496.dll - winnt folder (after clean-up this file never scanned as a virus again... not sure why, never had to delete it)

I found the entry for msljld.dll in the registry and was able to manually remove it by following a tip from Symantec Security Response on backdoor.agent.B.
-----
Adds the value:

"AppInit_DLLs"="%System%\<DLL filename>.dll"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

so that the backdoor is loaded by each Windows-based application running within the current logon session. (why I couldn't delete it in either safe mode or normal)
------

Also deleted incrediFind.exe.

I'll post the log soon.
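A defender's check for the AppInit_DLLs persistence described in the quoted Symantec text, added here as an example and not code from this thread or from Symantec: it reads the AppInit_DLLs value from the key named above, resolves each listed DLL to a path, and reports whether the file exists and is signed. It assumes an elevated PowerShell prompt; the LoadAppInit_DLLs switch and the Wow6432Node key exist only on later Windows versions and are checked only if present.

```powershell
# Added example (not from the thread): enumerate AppInit_DLLs entries and flag
# any DLL that is missing, unsigned, or not living under the Windows directory.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',            # native view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view on 64-bit Windows
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key

    # LoadAppInit_DLLs (Vista and later) gates the mechanism; on Windows 2000/XP,
    # the era of this thread, any non-empty AppInit_DLLs value is loaded.
    $enabled = if ($null -ne $props.LoadAppInit_DLLs) { $props.LoadAppInit_DLLs -ne 0 } else { $true }
    Write-Host "$key  (loading enabled: $enabled)"

    $raw = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) { Write-Host '  AppInit_DLLs is empty'; continue }

    # The value is a list of DLL names or paths separated by spaces or commas.
    foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        # A bare filename goes through the normal DLL search order; System32 is
        # assumed here as the usual resolution for a name like "<DLL filename>.dll".
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot "System32\$path"
        }
        if (-not (Test-Path $path)) {
            Write-Host "  [MISSING] $entry  (value still present; file gone)"
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $inWinDir = $path -like "$env:SystemRoot\*"
        $flag = if ($sig.Status -eq 'Valid' -and $inWinDir) { 'OK' } else { 'REVIEW' }
        Write-Host ("  [{0}] {1}  signature={2}  signer={3}" -f $flag, $path, $sig.Status, $sig.SignerCertificate.Subject)
    }
}
```

A legitimate machine normally has an empty AppInit_DLLs value, so any entry at all is worth explaining, and a [MISSING] line means the registry value outlived the file and should be cleared.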



