TechSpot

Please help - winjvd32.dll - Trojan Horse - Acces Denied

By paridocs
Aug 2, 2006
  1. Norton's came up with the following:

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Trojan Horse
    File: C:\WINDOWS\system32\winjvd32.dll
    Location: C:\WINDOWS\system32
    Computer: JK
    User: Johnny Kay
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Wed Aug 02 15:22:02 2006

    I'm concerned because I can't quarantine the virus. How can I fix this before it gets out of hand?

    Right now I am using Norton's Corporate Ed., ZoneAlarm free version, ewido trial, and Spybot Search + Destroy to try and keep my system clean. Is there anything else I should do to prevent future attacks (like this one)?

    My HJT.txt is attached. Many thanks in advance.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Your system is infected with some real nasties.

    Download and run these three tools. Follow the instructions carefully for each tool.

    Tool1. Tool2. Tool3.

    Then go and follow the instructions in this thread Here.

    Post a fresh HJT log into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of paridocs only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. paridocs

    paridocs TS Rookie Topic Starter

    Ran the three tools and did a full system ewido scan as per your request. New HJT attached.

    The same file ( C:\WINDOWS\system32\winjvd32.dll ) was again found infected during a realtime protection scan while working on the ewido scan. Eep!

    Thanks for the help, Howard!
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your system is looking much better. Only a few more steps to go.

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\SYSTEM32\winjvd32.dll

    Once your system has rebooted, do the following.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)

    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)

    O20 - Winlogon Notify: winjvd32 - C:\WINDOWS\SYSTEM32\winjvd32.dll < It will probably say file missing. This means the entry is inactive and the nasty file is gone.

    Click on the fix checked button.

    Close HJT.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard:)

    This thread is for the use of paridocs only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
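    The O20 line above is a Winlogon Notify package: winlogon.exe loads the named DLL at logon, which is why the file is in use and cannot be quarantined, and why Killbox's "delete file on reboot" option queues the removal to happen before it loads. The PowerShell audit below is an added example, not part of this thread or of any tool mentioned in it; it lists the registered Notify packages, flags ones whose DLL is missing or unsigned, and shows what is already queued for deletion at the next boot. It assumes an elevated PowerShell session and reads only standard registry locations.

```powershell
# Added example: audit Winlogon Notify packages (the mechanism behind HijackThis O20 lines)
# and list files queued for delete-on-reboot. Read-only; run from an elevated PowerShell.

$notifyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$pendingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-WinlogonNotifyEntries {
    # Each subkey names one notification package; DllName is the module winlogon.exe loads.
    # The key is absent on current Windows versions, so treat that as "no entries".
    if (-not (Test-Path $notifyKey)) { return @() }
    Get-ChildItem $notifyKey | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DllName
        if (-not $dll) { return }
        # A bare file name (no directory) resolves from System32, as winjvd32.dll did above.
        $path = if ([IO.Path]::IsPathRooted($dll)) { $dll }
                else { Join-Path $env:SystemRoot "System32\$dll" }
        $exists = Test-Path -LiteralPath $path
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        [pscustomobject]@{
            Package    = $_.PSChildName
            DllPath    = $path
            FileExists = $exists   # $false is what HJT reports as "(file missing)": inactive
            Signature  = $sig      # 'Valid' for Microsoft packages; 'NotSigned' deserves a look
        }
    }
}

function Get-PendingDeletes {
    # Delete-on-reboot tools queue work in PendingFileRenameOperations as source/destination
    # pairs (written via MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT); an empty destination
    # means "delete the source". Sources carry the NT path prefix \??\, stripped here.
    $ops = (Get-ItemProperty $pendingKey -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return @() }
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        if (-not $ops[$i + 1]) { $ops[$i] -replace '^\\\?\?\\', '' }
    }
}

Get-WinlogonNotifyEntries | Format-Table -AutoSize
"Files queued for deletion at next boot:"
Get-PendingDeletes
```

An entry whose DLL still exists after a "deleted on reboot" attempt, and that does not appear in the pending list, tells you the queued delete was never registered rather than merely failed.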
     
  5. paridocs

    paridocs TS Rookie Topic Starter

    Howard,

    I am on this step of your directions:

    "This is the filepath you need to enter into killbox.

    C:\WINDOWS\SYSTEM32\winjvd32.dll

    Once your system has rebooted, do the following."


    When I clicked on the X to delete the file, my windows explorer disappeared as if preparing to reboot, and a window popped up saying "This File could not be Deleted"

    I am staring at a black safemode background with the killbox program and notepad open, with no explorer, taskbar, or anything on my desktop right now. (Posting from another comp).

    What should I do?

    Thanks for all your help!!

    Edit: put exact quote of the Killbox.exe error
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Reboot your computer manually.

    Then post a fresh HJT log from normal mode.

    Regards Howard :)
     
  7. paridocs

    paridocs TS Rookie Topic Starter

    Much appreciation for the lightning fast responses :)
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    The nasty entry is still there. This is one stubborn mother to get rid of.

    Download and run this tool HERE. Follow the instructions exactly. This is not the same vundo tool you used before.


    Post a fresh HJT log after doing that.

    Regards Howard :)
     
  9. paridocs

    paridocs TS Rookie Topic Starter

    The tool you gave me didn't find anything. To add insult to injury Norton's popped up with another realtime scan while I was running the tool to remind me my virus was there and couldn't be quarantined. :(

    Here's a fresh log nonetheless. Thanks :D
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I want you to run the vundofix again, but this time follow these instructions.

    * Double-click VundoFix.exe to run it.
    * Put a check next to Run VundoFix as a task.
    * You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * In case it says that nothing has been found, right click the list box (white box) in the main VundoFix window.
    * Select "Add More Files?" from the menu that comes up. This will open a new VundoFix window.
    * In the Window: copy and paste next in the first field: C:\WINDOWS\SYSTEM32\winjvd32.dll
    * Click the “Add Files” button.
    * Click the "Close Window" button.
    * Click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shutdown your computer, click OK.
    * Turn your computer back on.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of paridocs only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. paridocs

    paridocs TS Rookie Topic Starter

    The tool couldn't delete the file due to the following: Error 75: File/path access error.

    I think I will have to manually reboot again like before since my explorer/taskbar is gone again.

    Edit: Can we kill it right when windows starts before the system has time to deny access to the file?

    Edit 2: Dammit, my second computer (actually wife's computer) hit me with ANOTHER trojan with an access denied message: C:\System Volume Information\_restore{2E34ABA7-80DA-4C3D-A46F-FFBCED3B29C4}\RP441\A0060895.exe

    Norton's couldn't quarantine this one either. Hopefully we can take care of this after the winjvd32.dll problem :( sorry
     
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Damn, I was sure that was going to work.

    Try it from safe mode.

    Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    If you have spybot installed, temporarily uninstall it as well as Ewido. This is because these programmes can interfere with the vundo fix.

    Then run the vundofix instructions in my last post.

    Regards Howard :)
     
  13. paridocs

    paridocs TS Rookie Topic Starter

    The vundofix tool is not wanting to run in safemode.

    I try to run it as a task, it says it will open in 1 minute or less, but after it closes itself to do this it is nowhere to be seen even after minutes. Tried this 2 times now.

    : /

    Edit:

    I can scan the computer without running the tool as a 'task'. Comes back clean like it did in normal mode. So I right click and add the file myself as per these directions:

    * Select "Add More Files?" from the menu that comes up. This will open a new VundoFix window.
    * In the Window: copy and paste next in the first field: C:\WINDOWS\SYSTEM32\winjvd32.dll
    * Click the “Add Files” button.
    * Click the "Close Window" button.

    The new window pops up but the file is NOT added to the list to delete as it did in normal mode! I can spam the 'add files' button with no result. Clicking 'remove vundo' without adding the file prompts the tool to close. Help!
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    This is very frustrating for me as well as you I suspect.


    I've been researching this problem and may have found a possible fix.

    Follow these instructions exactly.

    Download Brute Force Uninstaller http://www.merijn.org/files/bfu.zip and unzip it to its own folder (c:\BFU).

    Right click on this link http://metallica.geekstogo.com/EGDACCESS.bfu and choose 'Save As' (or 'Save Target As) in order to download EGDACCESS Remover. Save it in the folder you made earlier (c:\BFU).

    Start the Brute Force Uninstaller by double clicking BFU.exe

    In the scriptline to execute copy and paste c:\bfu\EGDACCESS.bfu
    Press execute and let it do its job.

    Wait for the complete script execution box to popup and press OK.
    Press exit to terminate the BFU program.

    Once that's done, post back a new HijackThis log.

    Regards Howard :)
     
  15. paridocs

    paridocs TS Rookie Topic Starter

    Did what you asked. You mentioned to let it do its job, but it was done instantly. The log for the bfu is sparse:

    "BFU v1.00.9
    Windows XP SP2 (WinNT 5.01.2600 SP2)
    Script started at 6:43:15 PM, on 8/2/2006

    Script completed."

    Fresh HJT attached.

    Many thanks.
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Well done. Your HJT log is now clean. I hope everything's running ok.

    Just have HJT fix these inactive entries.

    O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)

    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)

    Don't forget to reinstall Spybot and Ewido, if you uninstalled them.

    Regards Howard :)
     
  17. paridocs

    paridocs TS Rookie Topic Starter

    You are the best Howard!!!

    I'm going to take a break from this nonsense but in a bit would you mind taking a look at my wife's computer's HJT? Shall I make a new thread or bump this one when I'm ready to do that?

    Thanks again X 1000 :) :)
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    No problem mate, I'm glad I could help.

    As regards your wife's computer, please feel free to post a HJT log into this thread, whenever you're ready.

    Regards Howard :)

    This thread is for the use of paridocs only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  19. paridocs

    paridocs TS Rookie Topic Starter

    Howard,

    Thanks again for all of your help the other day. Here is the other computer. This one has about a year on my first, so it has had a lot longer to collect nasties. *gasp* Please work your magic on this one too. :)

    Thanks!
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Surprisingly enough, your wife's machine isn't nearly as bad as yours was lol.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to add remove programmes in the control panel and uninstall anything to do with (if there).

    Viewpoint\Viewpoint Manager
    AOL Toolbar 2.0

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    ViewMgr.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html

    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Program Files\AOL\AOL Toolbar 2.0
    C:\Program Files\Viewpoint

    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log and let me know how the system is running.

    Regards Howard :)

    This thread is for the use of paridocs only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  21. paridocs

    paridocs TS Rookie Topic Starter

    Thanks much Howard.

    I have a quick question: on both computers we try and do most of our computer work on a limited account. I am scanning the HJT and doing all these fixes on the admin account. Will this work for the limited account we spend time on? Should I post HJTs of each limited account? Sorry for having limited knowledge on this stuff (no pun intended) :) thanks much

    Fresh HJT:

    Oh, one last quick question. On the wife's computer, every single time we shut it down it says 'Click Turn off to install important updates' though windows doesn't install anything, and the graphic doesn't change to the normal turn off thing after numerous reboots. Minor annoyance, maybe you can shed some light?
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    That HJT log is now clean.

    If you want to post some more HJT logs, please feel free.

    As to the shutdown problem, try turning off automatic updates. Right click my computer and select properties, automatic updates tab and check turn off automatic updates, click apply, ok. Reboot the system.

    See if that helps. You can always turn automatic updates back on later.

    Regards Howard :)

    This thread is for the use of paridocs only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     