Spotpuff
2006-03-22, 17:56
It appears I've managed to pick up the trojans troj_se and adw_se.
Attempts to remove it manually weren't really successful; most of hte changes seemed to be registry changes in the P3P cookie area which I removed but have since returned.
I have run full system scans with NOD32, Kaspersky, Adaware and Spybot and none of them pick up anything. Trend Micro Housecall (their online free scanner) is the only thing that detects them. I have also tried trojan hunter and trojan remover and neither of them were effective. I ran Ewido, Ad-aware, Spybot and NOD32 all in safe mode and none of them picked up any infections.
If I leave my computer on overnight I notice explorer.exe uses up 99% of the CPU and my VMEM usage shoots up to 2gb+. I can kill the process and this fixes it however obviously this is not the ideal solution. My ISP (rogers) even sent me a warning about having a trojan. Fun times.
Any advice on their removal? This is driving me nuts.
Here's a hijack this log. I cannot see anything obviously out of place compared to what should be running.
Logfile of HijackThis v1.99.1
Scan saved at 19:26:06, on 2006-03-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTra y.exe
D:\Program Files\WinFast\WFTVFM\WFWIZ.exe
D:\Program Files\Logitech\MouseWare\syste m\em_exec.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Acronis\TrueImage\TrueIm ageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedh lp.exe
E:\Installation Files\uTorrent\utorrent.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedu l2.exe
D:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
D:\Program Files\SpeedFan\speedfan.exe
D:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\oodag.exe
D:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\PROGRA~1\FREEDO~1\fdm.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Maxthon\Maxthon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Intern et Explorer\Main,Search Bar = http://www.google.ca/ie_rsearch.html
R1 - HKCU\Software\Microsoft\Intern et Explorer\Main,Search Page = http://www.google.ca
R0 - HKCU\Software\Microsoft\Intern et Explorer\Main,Start Page = http://www.techreport.com/
R0 - HKLM\Software\Microsoft\Intern et Explorer\Search,SearchAssistan t = http://www.google.ca/ie_rsearch.html
R1 - HKCU\Software\Microsoft\Intern et Explorer\SearchURL,(Default) = http://www.google.ca/keyword/%s
R0 - HKCU\Software\Microsoft\Intern et Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Intern et Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTra y.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinFast Schedule] D:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\Program Files\Acronis\TrueImage\TrueIm ageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedh lp.exe"
O4 - HKLM\..\Run: [THGuard] D:\Program Files\TrojanHunter 4.2\THGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [µTorrent] "E:\Installation Files\uTorrent\utorrent.exe"
O4 - Startup: SpeedFan.lnk = D:\Program Files\SpeedFan\speedfan.exe
O4 - Startup: trillian.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = D:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O8 - Extra context menu item: Download all by Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\ EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\ REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/h...ivex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip \..\{DE109642-851B-4084-8DF2-4999740E58A5}: NameServer = 24.153.22.67,24.153.22.195
O20 - Winlogon Notify: csrcs - C:\WINDOWS\SYSTEM32\csrcs.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedu l2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - D:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\ Intel 32\IDriverT.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
Attempts to remove it manually weren't really successful; most of hte changes seemed to be registry changes in the P3P cookie area which I removed but have since returned.
I have run full system scans with NOD32, Kaspersky, Adaware and Spybot and none of them pick up anything. Trend Micro Housecall (their online free scanner) is the only thing that detects them. I have also tried trojan hunter and trojan remover and neither of them were effective. I ran Ewido, Ad-aware, Spybot and NOD32 all in safe mode and none of them picked up any infections.
If I leave my computer on overnight I notice explorer.exe uses up 99% of the CPU and my VMEM usage shoots up to 2gb+. I can kill the process and this fixes it however obviously this is not the ideal solution. My ISP (rogers) even sent me a warning about having a trojan. Fun times.
Any advice on their removal? This is driving me nuts.
Here's a hijack this log. I cannot see anything obviously out of place compared to what should be running.
Logfile of HijackThis v1.99.1
Scan saved at 19:26:06, on 2006-03-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTra y.exe
D:\Program Files\WinFast\WFTVFM\WFWIZ.exe
D:\Program Files\Logitech\MouseWare\syste m\em_exec.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Acronis\TrueImage\TrueIm ageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedh lp.exe
E:\Installation Files\uTorrent\utorrent.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedu l2.exe
D:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
D:\Program Files\SpeedFan\speedfan.exe
D:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\oodag.exe
D:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\PROGRA~1\FREEDO~1\fdm.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Maxthon\Maxthon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Intern et Explorer\Main,Search Bar = http://www.google.ca/ie_rsearch.html
R1 - HKCU\Software\Microsoft\Intern et Explorer\Main,Search Page = http://www.google.ca
R0 - HKCU\Software\Microsoft\Intern et Explorer\Main,Start Page = http://www.techreport.com/
R0 - HKLM\Software\Microsoft\Intern et Explorer\Search,SearchAssistan t = http://www.google.ca/ie_rsearch.html
R1 - HKCU\Software\Microsoft\Intern et Explorer\SearchURL,(Default) = http://www.google.ca/keyword/%s
R0 - HKCU\Software\Microsoft\Intern et Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Intern et Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTra y.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinFast Schedule] D:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\Program Files\Acronis\TrueImage\TrueIm ageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedh lp.exe"
O4 - HKLM\..\Run: [THGuard] D:\Program Files\TrojanHunter 4.2\THGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [µTorrent] "E:\Installation Files\uTorrent\utorrent.exe"
O4 - Startup: SpeedFan.lnk = D:\Program Files\SpeedFan\speedfan.exe
O4 - Startup: trillian.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = D:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O8 - Extra context menu item: Download all by Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\ EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\ REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/h...ivex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip \..\{DE109642-851B-4084-8DF2-4999740E58A5}: NameServer = 24.153.22.67,24.153.22.195
O20 - Winlogon Notify: csrcs - C:\WINDOWS\SYSTEM32\csrcs.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedu l2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - D:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\ Intel 32\IDriverT.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe