# JS.Obfuscated.Gen/Hijack Log



## Tallokas (Feb 11, 2004)

I was on the phone with a realtor today and as we spoke he emailed me some info. My virus program Bit Defender picked up a JS.Obfuscated.Gen virus. He said he had pulled the info from another MLS server and it was probably no big deal. He sent it 3 more times and I got the virus warning each time. I never opened any of these emails.

I did a full scan and had this virus 4 times. I did a system restore to yesterday and ran another scan. The virus is still there.

Here is my Bit Defender summary and also the Hijack This summary.

I would be so grateful if someone could help me.

Bit Defender Summary:

```text
C:\Documents and Settings\Kay\Application Data\Thunderbird\Profiles\ibx1xlwf.default\Mail\mail.mchsi.com\Inbox=>(message 659)=>[Subject: Fwd: 119 SLATE AVENUE][Date: Sun, 5 Oct 2008 12:47:50 -0400]=>(MIME part)=>141755_F23_2008_v2_{521495DE-0E02-4162-=>(JAVASCRIPT)	Infected: JS.Obfuscated.Gen
C:\Documents and Settings\Kay\Application Data\Thunderbird\Profiles\ibx1xlwf.default\Mail\mail.mchsi.com\Inbox=>(message 659)=>[Subject: Fwd: 119 SLATE AVENUE][Date: Sun, 5 Oct 2008 12:47:50 -0400]=>(MIME part)=>141755_F23_2008_v2_{521495DE-0E02-4162-=>(JAVASCRIPT)	Disinfection failed
C:\Documents and Settings\Kay\Application Data\Thunderbird\Profiles\ibx1xlwf.default\Mail\mail.mchsi.com\Inbox=>(message 659)=>[Subject: Fwd: 119 SLATE AVENUE][Date: Sun, 5 Oct 2008 12:47:50 -0400]=>(MIME part)=>141755_F23_2008_v2_{521495DE-0E02-4162-=>(JAVASCRIPT)	Move failed
C:\Documents and Settings\Kay\Application Data\Thunderbird\Profiles\ibx1xlwf.default\Mail\mail.mchsi.com\Inbox=>(message 660)=>[Subject: Fwd: 119 SLATE AVENUE All Attached][Date: Sun, 5 Oct 2008 12:48:23 -0400]=>(MIME part)=>141755_{7F684E47-058A-45E7-B58D-DD55C4F=>(JAVASCRIPT)	Infected: JS.Obfuscated.Gen
C:\Documents and Settings\Kay\Application Data\Thunderbird\Profiles\ibx1xlwf.default\Mail\mail.mchsi.com\Inbox=>(message 660)=>[Subject: Fwd: 119 SLATE AVENUE All Attached][Date: Sun, 5 Oct 2008 12:48:23 -0400]=>(MIME part)=>141755_{7F684E47-058A-45E7-B58D-DD55C4F=>(JAVASCRIPT)	Disinfection failed
C:\Documents and Settings\Kay\Application Data\Thunderbird\Profiles\ibx1xlwf.default\Mail\mail.mchsi.com\Inbox=>(message 660)=>[Subject: Fwd: 119 SLATE AVENUE All Attached][Date: Sun, 5 Oct 2008 12:48:23 -0400]=>(MIME part)=>141755_{7F684E47-058A-45E7-B58D-DD55C4F=>(JAVASCRIPT)	Move failed
C:\Documents and Settings\Kay\Application Data\Thunderbird\Profiles\ibx1xlwf.default\Mail\mail.mchsi.com\Inbox=>(message 662)=>[Subject: Fwd: SLATE AVENUE - Final Draft][Date: Sun, 5 Oct 2008 12:48:59 -0400]=>(MIME part)=>141755_F23_2008_v2_{8D51E35E-F906-46C6-=>(JAVASCRIPT)	Infected: JS.Obfuscated.Gen
C:\Documents and Settings\Kay\Application Data\Thunderbird\Profiles\ibx1xlwf.default\Mail\mail.mchsi.com\Inbox=>(message 662)=>[Subject: Fwd: SLATE AVENUE - Final Draft][Date: Sun, 5 Oct 2008 12:48:59 -0400]=>(MIME part)=>141755_F23_2008_v2_{8D51E35E-F906-46C6-=>(JAVASCRIPT)	Disinfection failed
C:\Documents and Settings\Kay\Application Data\Thunderbird\Profiles\ibx1xlwf.default\Mail\mail.mchsi.com\Inbox=>(message 662)=>[Subject: Fwd: SLATE AVENUE - Final Draft][Date: Sun, 5 Oct 2008 12:48:59 -0400]=>(MIME part)=>141755_F23_2008_v2_{8D51E35E-F906-46C6-=>(JAVASCRIPT)	Move failed
C:\Documents and Settings\Kay\Local Settings\Application Data\Mozilla\Firefox\Profiles\32dp0152.default\Cache\416E984Dd01=>(JAVASCRIPT)	Infected: JS.Obfuscated.Gen
C:\Documents and Settings\Kay\Local Settings\Application Data\Mozilla\Firefox\Profiles\32dp0152.default\Cache\416E984Dd01=>(JAVASCRIPT)	Disinfection failed
C:\Documents and Settings\Kay\Local Settings\Application Data\Mozilla\Firefox\Profiles\32dp0152.default\Cache\416E984Dd01=>(JAVASCRIPT)	Move failed
```

Hijack This Summary:

```text
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:17 PM, on 11/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HDDSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Kay\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MOZILLA FIREFOX\FIREFOX.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Discover deskshop Browser Helper Object - {8DB3D69D-DA5E-4165-B781-72A761790672} - C:\WINDOWS\system32\BhoDshop.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Quick Time\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ShaPlus Bandwidth Meter] "C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter" /s
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Kay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Kay\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Secure Online Account Numbers - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\PROGRA~1\Discover\SOAN\SOAN.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169061318234
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HDD Information Service (HDDSvc) - AltrixSoft (http://www.altrixsoft.com/) - C:\WINDOWS\system32\HDDSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 7789 bytes
```

Thanks.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *Tallokas* 

Welcome.

Clearing the *Cache* in *Firefox* should resolve the issue.

Open Firefox. Select *Tools* from the Menu, then click on *Clear Private Data*. Make sure *Cache* is selected and click *OK*.

Re-scan and let us know the outcome.


----------



## Tallokas (Feb 11, 2004)

Well that did it - it's gone. Thanks so much for your help.

What type of virus is this? Is it possible it did any damage, or was it just sitting there in the cache? And I forgot to mention that the guy who sent me this email contacted the IT dept of the MLS service, and they investigated and said there was no problem at their end. So if everybody involved is innocent, where did it come from???

Thanks again for your help.


----------



## JSntgRvr (Jul 1, 2003)

There is not enough information, but it seems you took the right approach and didn't allow it to run.

Congratulations.


----------

