
Win32.Ciadoor.cj Trojan infection, please help.


  • This topic is locked
15 replies to this topic

#1 roadrunner66 (Members, 9 posts)

Posted 07 March 2009 - 07:13 PM

Hi, any help greatly appreciated.

Spybot S&D finds Win32.Ciadoor.cj, with additional info: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\XPROTECTOR. It removes it but the next time I re-boot, it's back again!

I think "Xprotector.sys" found in C:\WINDOWS\System32\drivers is associated. I have removed this but Win32.Ciadoor.cj still reappears. (It's back in now as deletion made no difference anyway).

AVG comes back clean (in SAFE mode too).
Stinger is clean.
Malwarebytes' Anti-Malware is clean in quick and full scans.

I'm out of ideas now, so thanks for looking....... :thumbup2:

Log as follows:


DDS (Ver_09-02-01.01) - NTFSx86
Run by user at 23:34:48.70 on 07/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.220 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Prevx 2.0 *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Documents and Settings\user.P4\My Documents\My Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Norton Ghost 14.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [Zone Labs Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\enable~1.lnk - c:\program files\wireless device\wireless keyboard\Magickey.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\enable~2.lnk - c:\program files\wireless device\wireless mouse\MouseAp.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233270257250
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-24 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-24 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-24 107272]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2005-2-1 12964]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-2-5 392824]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-5-24 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-24 298264]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 XPROTECTOR;XPROTECTOR;c:\windows\system32\drivers\Xprotector.sys [2007-5-22 42848]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1553896]
S3 CA500AI;Easy Pix Sv Still Image Capture;c:\windows\system32\drivers\BULK2NM.sys [2005-2-9 11117]
S3 CA500AV;Easy Pix Sv WDM Video Capture;c:\windows\system32\drivers\ca500av.SYS [2005-2-9 492619]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-2-12 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-2-12 3072]
S4 a2free;a-squared Free Service;"c:\program files\a-squared free\a2service.exe" --> c:\program files\a-squared free\a2service.exe [?]

=============== Created Last 30 ================

2009-03-07 22:55 <DIR> --d----- c:\docume~1\user.p4\applic~1\Malwarebytes
2009-03-07 22:55 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-07 22:55 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-07 22:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-07 22:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-16 16:41 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-16 16:41 1,409 a------- c:\windows\QTFont.for
2009-02-14 00:36 <DIR> --d----- C:\VProRecovery
2009-02-12 22:02 <DIR> --d----- c:\program files\EASEUS
2009-02-12 20:10 <DIR> --d----- c:\program files\Spybot - Search & Destroy

==================== Find3M ====================

2009-02-05 21:45 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-01-29 22:54 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-29 22:54 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-29 22:54 107,272 a------- c:\windows\system32\drivers\avgtdix.sys

============= FINISH: 23:35:30.18 ===============


#2 KoanYorel, Bleepin' Conundrum (Staff Emeritus, 19,461 posts; Gender: Male; Location: 65 miles due East of the "Logic Free Zone", in Md, USA)

Posted 19 March 2009 - 09:38 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 roadrunner66, Topic Starter (Members, 9 posts)

Posted 20 March 2009 - 09:32 AM

Hi, thanks for your assistance. :thumbup2:

I think I can cautiously say I’ve sorted out my Trojan problem (Win32.ciadoor.cj). I have not wanted to close my post in case I still have problems.

To summarise, Win32.ciadoor.cj was only detected by Spybot (which removed it temporarily). I worked through: Stinger, CWShredder, MBAM, SAS, A2 and SpywareBlaster. Then looking for rootkits I tried Total Commander (with NT plug-ins), Rootalyzer, Filealyzer2, AVG anti-rootkit and Avira rootkit detection.

Each time I thought I may have had something, a re-start and scan with Spybot showed Win32.ciadoor.cj back again.

I considered ComboFix and as I have several recent “Ghost” images of my entire system drive I thought it worth a try.

It found and deleted the Xprotector.sys file which I had suspected (thanks to Google) was associated with this Trojan, and deleted a few more “.exe” files as well. I have un-installed Combofix and re-enabled AVG and ZoneAlarm.

Everything appears to be working correctly, and most importantly, Win32.ciadoor.cj is absent from my Spybot scans.

Am I likely to require any registry patches after running Combofix, or is this just the case where there is a pre-existing registry problem?

My ComboFix log is still available if required.

New DDS log as requested:

DDS (Ver_09-02-01.01) - NTFSx86
Run by user at 14:19:17.37 on 20/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.150 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Prevx 2.0 *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Documents and Settings\user.P4\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.google.com
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Norton Ghost 14.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\enable~1.lnk - c:\program files\wireless device\wireless keyboard\Magickey.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\enable~2.lnk - c:\program files\wireless device\wireless mouse\MouseAp.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233270257250
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-24 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-24 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-24 107272]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2005-2-1 12964]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-3-16 127768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-3-16 394952]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-5-24 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-24 298264]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1553896]
S3 CA500AI;Easy Pix Sv Still Image Capture;c:\windows\system32\drivers\BULK2NM.sys [2005-2-9 11117]
S3 CA500AV;Easy Pix Sv WDM Video Capture;c:\windows\system32\drivers\ca500av.SYS [2005-2-9 492619]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-2-12 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-2-12 3072]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S4 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-3-14 425080]

=============== Created Last 30 ================

2009-03-16 22:00 2,060,320 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-16 22:00 26,024 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-16 21:56 75,248 a------- c:\windows\zllsputility.exe
2009-03-16 21:55 1,086,952 a------- c:\windows\system32\zpeng24.dll
2009-03-16 21:55 <DIR> --d----- c:\program files\Zone Labs
2009-03-16 21:55 352,918 a------- c:\windows\system32\vsconfig.xml
2009-03-15 19:58 720,896 a------- c:\windows\iun6002.exe
2009-03-14 20:03 <DIR> --d----- c:\program files\a-squared Free
2009-03-14 19:06 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-14 19:05 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-14 18:33 <DIR> --d----- c:\docume~1\user.p4\applic~1\Malwarebytes
2009-03-14 18:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-14 18:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-14 18:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-14 18:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-03-16 21:58 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-01-29 22:54 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-29 22:54 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-29 22:54 107,272 a------- c:\windows\system32\drivers\avgtdix.sys

============= FINISH: 14:20:00.59 ===============

#4 extremeboy (Malware Response Team, 12,975 posts; Gender: Male)

Posted 20 March 2009 - 10:39 AM

Hello.

My ComboFix log is still available if required.

Yes, I would like to see it please.

I assume everything is working well now?

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#5 roadrunner66, Topic Starter (Members, 9 posts)

Posted 20 March 2009 - 02:08 PM

Hi extremeboy, thanks for taking a look :thumbup2:

Everything working very well now. I've noticed a few "changes" since running ComboFix, but nothing significant, only resetting defaults as far as I can see (hidden files and folders... system restore... screensaver...).

Some weeks back some of my desktop icons had been a little slow to appear (and I do mean just a little). I found a fix (tried and tested by others first) was to delete the IconCache.db file and on re-boot it regenerated and next re-boot they all loaded quickly. Since running ComboFix IconCache.db doesn't appear to regenerate after I deleted it but maybe I'm just looking for things a little too hard (I've restored it from back-up anyway). Occasionally I think the system might be "hanging" a little too long on shut-down, but most of the time it's fine.

On the whole I'm pleased with how it's running and relieved the Trojan appears gone. To my "un-trained eye" everything appears clean, but would appreciate a second opinion.

Here's my ComboFix log as requested:

ComboFix 09-03-13.01 - user 2009-03-14 21:20:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.175 [GMT 0:00]
Running from: c:\documents and settings\user.P4\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Prevx 2.0 *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - system32: deleted 6775 bytes in 2 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\Xprotector.sys
c:\windows\system32\mswinup.exe
c:\windows\system32\winsvcup.exe
c:\windows\system32\winupsvc.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XPROTECTOR
-------\Service_XPROTECTOR


((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-14 20:03 . 2009-03-14 21:02 <DIR> d-------- c:\program files\a-squared Free
2009-03-14 19:06 . 2009-03-14 19:06 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-14 19:05 . 2009-03-14 19:05 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-14 18:33 . 2009-03-14 18:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-14 18:33 . 2009-03-14 18:33 <DIR> d-------- c:\documents and settings\user.P4\Application Data\Malwarebytes
2009-03-14 18:33 . 2009-03-14 18:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-14 18:33 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-14 18:33 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-16 16:41 . 2009-03-07 21:34 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-16 16:41 . 2009-02-16 16:41 1,409 --a------ c:\windows\QTFont.for
2009-02-14 00:36 . 2009-02-14 08:41 <DIR> d-------- C:\VProRecovery

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 21:06 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-14 19:06 --------- d-----w c:\documents and settings\user.P4\Application Data\SUPERAntiSpyware.com
2009-02-27 23:18 --------- d-----w c:\program files\SpeedFan
2009-02-17 21:09 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-14 20:38 --------- d-----w c:\documents and settings\user.P4\Application Data\uTorrent
2009-02-14 20:37 --------- d-----w c:\program files\PeerGuardian2
2009-02-12 22:02 --------- d-----w c:\program files\EASEUS
2009-02-10 21:33 --------- d-----w c:\program files\CCleaner
2009-02-08 22:35 --------- d-----w c:\program files\ABBYY FineReader 4.0 Sprint
2009-02-05 21:42 --------- d-----w c:\program files\Zone Labs
2009-01-29 22:54 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-29 22:54 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-29 22:54 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-29 22:54 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2009-01-24 21:19 --------- d--h--w c:\program files\InstallShield Installation Information
2007-06-14 19:12 92,064 ----a-w c:\documents and settings\user\mqdmmdm.sys
2007-06-14 19:12 9,232 ----a-w c:\documents and settings\user\mqdmmdfl.sys
2007-06-14 19:12 79,328 ----a-w c:\documents and settings\user\mqdmserd.sys
2007-06-14 19:12 66,656 ----a-w c:\documents and settings\user\mqdmbus.sys
2007-06-14 19:12 6,208 ----a-w c:\documents and settings\user\mqdmcmnt.sys
2007-06-14 19:12 5,936 ----a-w c:\documents and settings\user\mqdmwhnt.sys
2007-06-14 19:12 4,048 ----a-w c:\documents and settings\user\mqdmcr.sys
2007-06-14 19:12 25,600 ----a-w c:\documents and settings\user\usbsermptxp.sys
2007-06-14 19:12 22,768 ----a-w c:\documents and settings\user\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-29 1601304]
"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-01-19 2245984]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-23 968696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Enable Wireless Keyboard Driver.lnk - c:\program files\Wireless Device\Wireless Keyboard\Magickey.exe [2007-11-24 172032]
Enable Wireless Optical Mouse Driver.lnk - c:\program files\Wireless Device\Wireless Mouse\MouseAp.exe [2007-11-24 217088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-29 22:54 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Enable Wireless Keyboard Driver.lnk]
backup=c:\windows\pss\Enable Wireless Keyboard Driver.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Enable Wireless Optical Mouse Driver.lnk]
backup=c:\windows\pss\Enable Wireless Optical Mouse Driver.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express Calendar Checker For My Custom Edition.lnk]
backup=c:\windows\pss\Ulead Photo Express Calendar Checker For My Custom Edition.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPS Spyware Remover

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Soltek

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-02-10 02:51 118784 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-02-10 02:55 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 16:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2004-01-26 11:38 866816 c:\program files\Thomson\SpeedTouch USB\dragdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-07-01 10:23 67584 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"AppMgmt"=3 (0x3)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"vsmon"=2 (0x2)
"a2free"=2 (0x2)
"PREVXAgent"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-24 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-05-24 107272]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2005-02-01 12964]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-05-24 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-24 298264]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [2007-12-20 1553896]
S3 CA500AI;Easy Pix Sv Still Image Capture;c:\windows\system32\drivers\BULK2NM.sys [2005-02-09 11117]
S3 CA500AV;Easy Pix Sv WDM Video Capture;c:\windows\system32\drivers\ca500av.SYS [2005-02-09 492619]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-02-12 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-02-12 3072]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 21:24:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Wireless Device\Wireless Keyboard\OSD.exe
.
**************************************************************************
.
Completion time: 2009-03-14 21:26:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-14 21:26:32

Pre-Run: 57,663,856,640 bytes free
Post-Run: 57,608,503,296 bytes free

194 --- E O F --- 2007-11-21 02:50:37

#6 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 20 March 2009 - 02:51 PM

Hello.

Those look good, but I want to have a look at something if you don't mind.

In your next post please post/attach the Attach text document as well for me. Run an online scan after that.

Submit file sample
  • Please navigate to your C:\ drive.
  • You should see a folder called Qoobox.
  • Please right-click on that folder and select Send To>Compressed (Zipped) Folder.
  • A zipped file called Qoobox.Zip should be created. Make sure it's created.
  • Now open the Malware Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/209239/win32ciadoorcj-trojan-infection-please-help/
  • Click Browse and select the C:\Qoobox.zip Zipped file.
  • Under the comments section, say that ExtremeBoy asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.
Let me know if it was uploaded in your next reply please.

2 Anti-virus/Firewall Programs Running Simultaneously Warning

I do not recommend that you have more than one anti-virus or firewall product installed and running on your computer at a time. In addition to wasting resources, if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files that are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either Prevx 2.0 or AVG Anti-Virus Free.

Please uninstall them until you are only running one antivirus using Add/Remove Programs.


Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. You will need to install Java for Kaspersky to work. It will ask you to install it before you do a scan with Kaspersky Online Scanner, so it will lead you to the right direction :thumbup2:

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-Kaspersky scan log
-DDS log
-Attach log


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 roadrunner66
  • Topic Starter
  • Members
  • 9 posts

Posted 20 March 2009 - 05:11 PM

Hi, thanks for prompt reply.

A couple of things to note before I progress further.

i/ I see Prevx 2.0 now, thanks. I would never knowingly run two AVs. I have never heard of Prevx 2.0 before and can only assume it was on my machine from "new" (it was custom built for me and already had applications installed), or it is a remnant from my previous problem in November 2007, see: http://www.bleepingcomputer.com/forums/topic115937.html when I returned it to the person who built it to sort the problem. I always use AVG.

To complicate things further, Prevx 2.0 does not appear in the Start menu, Add/Remove Programs or in CCleaner's uninstall list. Is it possible it was disabled and deleted from Program Files rather than being uninstalled? (not by me). How should I get rid of it now?

ii/ my Qoobox folder was automatically deleted when I uninstalled ComboFix. If it is really important that you have a copy of this then I can restore my drive to when the Trojan was present, run ComboFix again, save Qoobox on external drive, restore main drive to "now" and send Qoobox for examination.

over to you...........

#8 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 20 March 2009 - 06:23 PM

Hello.

That's fine. Thanks for letting me know :thumbup2:

No. I would never re-activate the infection even if it was very important; that just isn't fair, and if it was a very nasty infection it could cause more trouble. I'm here to remove the infection; if it's already gone then I'll deal with it. :)

For now, let's just run Kaspersky scan. After it's complete post back with that log along with DDS.txt and Attach.txt

Sometimes it's just a bug and it's already uninstalled but it still shows in the DDS log.

With Regards,
extremeboy

#9 roadrunner66
  • Topic Starter
  • Members
  • 9 posts

Posted 20 March 2009 - 07:36 PM

Hi, just a bit more info:

since running ComboFix, A2 has found the following:

Trace.Registry.RealVNC Enterprise Edition!A2
Trace.Registry.KaZaA!A2
Trace.Registry.VNC!A2
Virus.Win32.Agent.UHQ!IK
Trace.Registry.VNCServer!A2
Trace.Registry.VNC Enterprise Edition 4.4!A2
Trace.Registry.RealVNC Enterprise Edition!A2
Trace.Registry.RealVNC Enterprise Edition!A2

the Win32.Agent.UHQ! has presumably been on my system for some time. It was in a .exe file, within a .rar file that I don't think I ever opened and certainly haven't looked at for over 18 months. Presumably just found after updating the A2 database.

All obviously now quarantined.

What about the Prevx 2.0 AV ? just realised - "just a bug and it's already uninstalled"

Regards....

Edited by roadrunner66, 20 March 2009 - 07:39 PM.


#10 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 20 March 2009 - 07:56 PM

Hello.

"since running ComboFix, A2 has found the following:"

A2 as in AVG Anti-Virus Free?

"All obviously now quarantined."

That's all I needed to know. Make sure they don't re-appear or something like that...

Run the Kaspersky scan and everything I instructed in the previous post please. Thanks for the update :thumbup2:

With Regards,
Extremeboy

#11 roadrunner66
  • Topic Starter
  • Members
  • 9 posts

Posted 21 March 2009 - 06:48 PM

Hi,

That’s A2 as in a-squared free anti-malware.

A2 has today (after a database update) decided that Virus.Win32.Agent.UHQ was in fact a false positive and allowed it to be restored!!!!!!!!!! Then after a fresh scan it has identified it as a virus again, so it’s staying in quarantine now!!!!!!!

I’m a little cautious about doing an on-line scan. Headlines like:” A flaw in Kaspersky's Online Scanner could be exploited by malicious hackers to compromise a user's system” don’t help. Admittedly this is old news and has presumably been remedied.

The idea of disabling my firewall and AV and allowing a third party access to my hard drive isn’t exactly appealing. This is especially the case as everything appears to be working fine now. I’m not questioning your methods here, really, I realise this is standard practice and I considered it myself before resorting to ComboFix.

If on the other hand you have positively identified a problem from my logs and are trying to identify the cause, then I just might be prepared to consider it further.

Thanks again, I appreciate your help, will the DDS/Attach logs still be useful?

Regards..... :thumbup2:

#12 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 21 March 2009 - 07:58 PM

Hello.

ComboFix took care of almost everything. An online scan will make sure there is nothing left.

If you don't feel safe, just don't disable your AS, AM or AV programs, and run the Kaspersky online scan.

Kaspersky's online web scanner is one of the best online scanners out there. Also, after running Kaspersky I suggest you run OTListIt2. Make sure you include both log files in your next reply please.

Download and run OTListIt2

We need to create an OTListIt2 Report
  • Please download OTListIt2 from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Post both logs in your next reply please.
With Regards,
Extremeboy

#13 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 24 March 2009 - 03:10 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy

#14 roadrunner66
  • Topic Starter
  • Members
  • 9 posts

Posted 24 March 2009 - 08:18 PM

Hi Extremeboy,

Sorry for the delay..............everything seems to be working fine, no sign of the initial infection or anything else of concern.

I’m quite happy for you to close this topic now. :)

Genuinely appreciate your help. :thumbup2:

Kind Regards.....roadrunner66.

#15 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 24 March 2009 - 08:22 PM

You're welcome

Glad everything is back to normal! :thumbup2:

Prevention tips and I will close the topic shortly.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Many hacking tools and Trojans exploit vulnerabilities that the updates plug, and that stay open on machines whose owners have not updated.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us and Good luck :)

With Regards,
Extremeboy

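As an added example that is not part of the original thread or of the articles it links to: the PowerShell script below applies the "disable Autorun on removable drives" advice from the prevention tips above, verifies the result, and then lists any autorun.inf sitting in the root of attached removable drives together with the lines that would launch something (the file a USB worm drops). The registry locations and value names it uses (NoDriveTypeAutoRun, the HonorAutorunSetting value that KB967715 introduces, and the IniFileMapping\Autorun.inf redirection to a non-existent key) are documented Windows settings; the function names and the output layout are this example's own. Run it from an elevated (Administrator) PowerShell.

```powershell
# Added example, not code from the BleepingComputer thread. Run elevated.
# Assumptions: the registry keys/values below are the documented Windows
# Autorun policy settings; the function names and output are this example's own.

$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$IniMapKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\IniFileMapping\Autorun.inf'
$DisableAll = 0xFF   # one bit per drive type; 0xFF = no Autorun for any drive type
$Removable  = 0x04   # bit for DRIVE_REMOVABLE (USB sticks, floppies)

function Disable-Autorun {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Policy mask: Explorer will not process Autorun for the masked drive types.
    New-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -PropertyType DWord `
        -Value $DisableAll -Force | Out-Null
    # KB967715 adds this value; 1 makes XP/2003 honour NoDriveTypeAutoRun for
    # autorun.inf on removable media, closing the "double-click still runs it" hole
    # mentioned in the note above.
    New-ItemProperty -Path $PolicyKey -Name 'HonorAutorunSetting' -PropertyType DWord `
        -Value 1 -Force | Out-Null
    # Belt and braces: map autorun.inf to a registry key that does not exist, so
    # Windows treats every autorun.inf as empty regardless of the policy bits.
    if (-not (Test-Path $IniMapKey)) { New-Item -Path $IniMapKey -Force | Out-Null }
    Set-ItemProperty -Path $IniMapKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Test-Autorun {
    # Read back the three settings and report them in one object.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $mask  = 0
    if ($props -and $props.NoDriveTypeAutoRun -ne $null) { $mask = [int]$props.NoDriveTypeAutoRun }
    $honor = $null
    if ($props) { $honor = $props.HonorAutorunSetting }
    $mapped = $false
    if (Test-Path $IniMapKey) {
        $mapped = ((Get-ItemProperty -Path $IniMapKey).'(default)' -eq '@SYS:DoesNotExist')
    }
    New-Object PSObject -Property @{
        NoDriveTypeAutoRun  = ('0x{0:X2}' -f $mask)
        RemovableDisabled   = (($mask -band $Removable) -ne 0)
        AllDisabled         = (($mask -band $DisableAll) -eq $DisableAll)
        HonorAutorunSetting = $honor
        IniFileMapped       = $mapped
    }
}

function Find-AutorunInf {
    # Report autorun.inf in the root of attached removable drives, with the
    # lines that would launch something (open=, shellexecute=, shell\...\command=).
    foreach ($d in [System.IO.DriveInfo]::GetDrives()) {
        if ($d.DriveType -ne [System.IO.DriveType]::Removable -or -not $d.IsReady) { continue }
        $inf = Join-Path $d.RootDirectory.FullName 'autorun.inf'
        if (-not (Test-Path $inf)) { continue }
        $launch = Select-String -Path $inf -Pattern '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' |
                  ForEach-Object { $_.Line.Trim() }
        New-Object PSObject -Property @{
            Drive  = $d.Name
            # Worms usually set the hidden attribute so the file is not noticed.
            Hidden = (((Get-Item $inf -Force).Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0)
            Launch = ($launch -join '; ')
        }
    }
}

Disable-Autorun
Test-Autorun
Find-AutorunInf
```

Test-Autorun should show NoDriveTypeAutoRun = 0xFF with RemovableDisabled and AllDisabled both True; on an XP machine without KB967715 the HonorAutorunSetting value is ignored, which is why the IniFileMapping redirection is applied as well. Anything Find-AutorunInf reports with a non-empty Launch field is worth quarantining and scanning before the drive is used again.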



