A Dozen Trojans

ropedancer
edited September 2008 in Logs analysis

I don't know quite how, but I ended up with a nasty set of trojans on my main desktop.

I am usually pretty good about conquering beasts like this when they come one at a time.

But this cocktail of hijackers, etc. is making browsing impossible, and every attempt to scan is thwarted by a new issue.

I think I am doing the tasks I am doing in the wrong order . . .

So I will post a HijackThis log here from my laptop in hopes someone can suggest a reasonable order in which to go about removing these viruses.

Thanks.

Bitdefender found at least 8 that it couldn't take action on, including:

adware.xpantivirus.aj
application.cleansystemrestore.a
rootkit-hidden items

and trojans:

fake.av.am
fakealert.abb
fakealert.acr
patched.u
peed.gen

There are also lots of corrupt system32 files.

Here's a HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 04:00:31, on 9/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\iDumpPro\NMSAccessU.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\BitDefender\BitDefender 2009\uiscan.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Heidi Gardner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A388B9FF-952B-42F7-B930-98B58852C5D2} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lphc910j0ep9v] C:\WINDOWS\system32\lphc910j0ep9v.exe
O4 - HKLM\..\Run: [inrhcc10j0ep9v] C:\Documents and Settings\Heidi Gardner\Local Settings\Temp\.ttA9.tmp.exe /CR=7A58C7C65B49562366289DC37768C62BAEA97FC20F57BA13EB875DD0B967B9990F0A13A6376A95D14C065419658AD42AB705CCCEE92C26275417CE31B850B5E8B96845EA3101AA769AC259F2651DF9F6FC1C48
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: GBqkznV - {BC8C5206-1626-F8AC-8943-54ECA7DC2BD5} - C:\WINDOWS\system32\siuo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\iDumpPro\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe" /service (file missing)

Comments

  • Locate these files in the list below and place them in a password-protected archive (preferably with the password "infected" - without the quotes) and attach it to a reply on this thread (you may need to view hidden files to find these):

    lphc910j0ep9v.exe
    siuo.dll

    Run HijackThis again, check and fix the following entries:

    O4 - HKLM\..\Run: [lphc910j0ep9v] C:\WINDOWS\system32\lphc910j0ep9v.exe
    O4 - HKLM\..\Run: [inrhcc10j0ep9v] C:\Documents and Settings\Heidi Gardner\Local Settings\Temp\.ttA9.tmp.exe /CR=7A58C7C65B49562366289DC37768C62BAEA97FC20F57BA13EB875DD0B967B9990F0A13A6376A95D14C065419658AD42AB705CCCEE92C26275417CE31B850B5E8B96845EA3101AA769AC259F2651DF9F6FC1C48
    O21 - SSODL: GBqkznV - {BC8C5206-1626-F8AC-8943-54ECA7DC2BD5} - C:\WINDOWS\system32\siuo.dll
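The helper above picked those three entries out of a 150-line log by eye. As an added example (not code from this thread, from the poster, or from HijackThis itself), here is a small Python triage pass over lines in the HijackThis v1.99 log format that flags the same tells: an autorun launched from a Temp directory, value and file names that look machine-generated, a long hex blob on an autorun command line, and orphaned "(no file)" entries. The sample lines are constructed, modelled on this thread's log with the path shortened and the user name replaced; the heuristics and their thresholds are assumptions chosen for illustration, not a signature set, and on real logs they will both miss things and flag legitimate software, so treat the output as a shortlist for a human, not a verdict.

```python
"""Heuristic triage of HijackThis (v1.99) log lines.

Added example, not part of the original thread or of HijackThis. The rules
and thresholds below are assumptions for illustration, not a signature set.
"""
import re

# Constructed sample in HijackThis format, modelled on the log in the thread
# (benign and suspicious entries mixed; user name replaced, hex blob shortened).
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_03\\bin\\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\QTTask.exe" -atboottime
O4 - HKLM\\..\\Run: [lphc910j0ep9v] C:\\WINDOWS\\system32\\lphc910j0ep9v.exe
O4 - HKLM\\..\\Run: [inrhcc10j0ep9v] C:\\Documents and Settings\\User\\Local Settings\\Temp\\.ttA9.tmp.exe /CR=7A58C7C65B49562366289DC37768C62B
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\\WINDOWS\\system32\\WPDShServiceObj.dll
O21 - SSODL: GBqkznV - {BC8C5206-1626-F8AC-8943-54ECA7DC2BD5} - C:\\WINDOWS\\system32\\siuo.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

ENTRY = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")   # "O4 - ...", "R1 - ..."
RUN_NAME = re.compile(r"\[(?P<name>[^\]]+)\]")                  # O4 registry value name
SSODL_NAME = re.compile(r"^SSODL: (?P<name>[^-]+?) - ")         # O21 value name
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)
HEX_BLOB = re.compile(r"[0-9A-F]{16,}", re.IGNORECASE)         # 16+ hex chars in a row
FILE_NAME = re.compile(r"([^\\\"\s]+)\.(?:exe|dll)\b", re.IGNORECASE)


def looks_machine_generated(name: str) -> bool:
    """Heuristic (assumed thresholds): many letter/digit alternations, as in
    lphc|910|j|0|ep|9|v, or a name of 6+ letters with no vowel at all (GBqkznV)."""
    runs = re.findall(r"[A-Za-z]+|\d+", name)
    if len(runs) >= 5:
        return True
    letters = re.sub(r"[^A-Za-z]", "", name)
    return len(letters) >= 6 and not re.search(r"[aeiou]", letters, re.IGNORECASE)


def triage(log_text: str) -> list:
    """Return one finding per suspicious log line: section, line and reasons."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue                       # header, blank or process-list line
        section, body = m.group("section"), m.group("body")
        reasons = []
        if body.endswith("(no file)"):
            reasons.append("orphaned entry, target missing")
        if section == "O4" and TEMP_DIR.search(body):
            reasons.append("autorun launched from a Temp directory")
        if section == "O4" and HEX_BLOB.search(body):
            reasons.append("long hex blob on autorun command line")
        # Collect the registry value name (O4/O21) and any exe/dll basenames.
        names = []
        if section == "O4" and (n := RUN_NAME.search(body)):
            names.append(n.group("name"))
        if section == "O21" and (n := SSODL_NAME.match(body)):
            names.append(n.group("name"))
        names += [f.group(1) for f in FILE_NAME.finditer(body)]
        for name in dict.fromkeys(names):  # de-duplicate, keep order
            if looks_machine_generated(name):
                reasons.append("machine-generated-looking name '%s'" % name)
        if reasons:
            findings.append({"section": section, "line": line, "reasons": reasons})
    return findings


def flagged_lines(log_text: str) -> list:
    return [f["line"] for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], "|", "; ".join(f["reasons"]))
        print("   ", f["line"])
```

Run against the constructed sample, it flags exactly the entries the helper asked to have fixed (the two O4 autoruns and the GBqkznV SSODL pointing at siuo.dll) plus the orphaned BHO, and leaves the Java, QuickTime, WPD and NVIDIA entries alone. The value-name check is the weakest rule: vendors do ship odd names, which is why the helper also asked for the files themselves so BitDefender could confirm them.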

  • ropedancer
    edited September 2008

    siuo.dll

    If I try to move this file it says it is in use by another program.

    When I try to archive it, it says it can't access it because a portion of it has been locked by another process.

    Thanks for your assistance . . .


    UPDATE:

    I downloaded Unlocker and got the file out.

    Here are the compressed files...

    infected.rar (attachment)

  • Hello ropedancer,

    Can you please download ComboFix? You will find it here. Print the following instructions and read them carefully. Please post the output of the scan in your next post, so I or someone else can see if there are still some infections.

    Kind regards,

    Niels

  • csalgau
    edited September 2008

    Both of those files are detected with no problems by BitDefender. If you were able to use Unlocker, you might want to delete them both.