Trojan and Infection logs and requested resolution?

#1 Joga!


Posted 06 October 2009 - 12:08 PM

Greetings, salutations, etc. I run on XP SP2. I used AVG and spyware doctor to contend with what my computer caught whilst idle and I slept.

After about half a week of correspondence at the "Am I infected? What do I do?" forums, and many downloads and logs later - I am redirected from (http://www.bleepingcomputer.com/forums/topic261875.html), and ready to present all the logs and information necessary to rid myself of the infection my computer harbours. I've already run Peek.bat, Win32KDiag.exe, and DDS/HJT on request of the user "garmanma". These were all I got to run successfully.

I first encountered some trojans by the name of a.exe, b.exe (etc.) in my Temp file, and SHeur2.BILQ and the like soon joined. I don't have lots of major infections springing up, but performance on some applications has degraded, and I can no longer access Photoshop without it collapsing (the details indicate a /Temp/ file is causing the obstruction).

I simply don't want to have to reformat over what seems to be a small, but very well hidden and potentially dangerous set of trojans/malware/scareware, whatever I have.

First the DDS/HJT log created:

DDS (Ver_09-09-29.01) - NTFSx86
Run by Owner at 14:22:57.10 on Tue 10/06/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.633 [GMT 8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\juipio.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://soccernet.espn.go.com/?cc=4716
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [juipio] c:\documents and settings\owner\juipio.exe
uRun: [PopRock] c:\docume~1\owner\locals~1\temp\d.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {FEE3F969-1F86-4036-B270-A3D363316158} =,
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\9l5u2njb.default\
FF - prefs.js: browser.startup.homepage - hxxp://soccernet.espn.go.com/?cc=4716
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nptidfusionplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\total immersion\dfusionweb\nptidfusionplugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-10-06 09:24 160,256 a------- c:\windows\msc.exe
2009-10-05 22:15 160,256 a------- c:\windows\msb.exe
2009-10-03 23:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SYSTEMAX Software Development
2009-10-03 23:00 <DIR> --d-h--- c:\windows\PIF
2009-10-03 17:04 <DIR> --d----- c:\program files\Microsoft
2009-10-03 12:03 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-10-03 12:03 206,256 a------- c:\windows\system32\drivers\PCTCore.sys
2009-10-03 12:03 86,888 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-03 12:03 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-10-03 12:03 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-10-03 12:03 <DIR> --d----- c:\program files\common files\PC Tools
2009-10-03 12:02 <DIR> --d----- c:\program files\Spyware Doctor
2009-10-03 12:02 <DIR> --d----- c:\docume~1\owner\applic~1\PC Tools
2009-10-03 12:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-10-03 11:44 <DIR> --d----- c:\program files\Trend Micro
2009-10-02 15:57 157,696 a------- c:\windows\msa.exe
2009-10-02 15:57 225,796 a------- c:\windows\system32\msxml71.dll
2009-10-02 15:55 57,344 ---shr-- c:\documents and settings\owner\juipio.exe
2009-09-30 23:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AIM
2009-09-30 23:50 <DIR> --d----- c:\program files\AIM
2009-09-30 23:50 <DIR> --d----- c:\program files\common files\Software Update Utility
2009-09-30 23:50 <DIR> --d----- c:\program files\common files\AOL
2009-09-30 23:49 458 a---h--- C:\IPH.PH
2009-09-28 17:07 <DIR> --d----- c:\program files\iPod
2009-09-21 21:37 <DIR> --d----- c:\docume~1\owner\applic~1\SYSTEMAX Software Development
2009-09-21 21:31 <DIR> --d----- c:\program files\PaintTool SAI English Pack
2009-09-15 14:30 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\CanonIJScan
2009-09-15 13:56 60,032 ac------ c:\windows\system32\dllcache\usbaudio.sys
2009-09-15 13:56 60,032 a------- c:\windows\system32\drivers\USBAUDIO.sys
2009-09-15 13:56 20,992 ac------ c:\windows\system32\dllcache\dshowext.ax
2009-09-15 13:56 20,992 a------- c:\windows\system32\dshowext.ax
2009-09-13 16:01 188,416 a------- c:\windows\system32\CNQ2413O.DLL
2009-09-13 16:01 1,339,392 a------- c:\windows\system32\CNQ2413C.DLL
2009-09-13 16:01 585,728 a------- c:\windows\system32\CNQ2413L.DLL
2009-09-13 16:01 98,304 a------- c:\windows\system32\CNQ2413I.DLL
2009-09-11 02:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-09 13:36 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-06 18:35 <DIR> --d----- c:\windows\system32\appmgmt

==================== Find3M ====================

2009-09-01 22:13 141,147 a------- c:\windows\hpoins14.dat
2009-08-28 19:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-17 08:33 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-17 08:33 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 17:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-26 16:44 48,448 a------- c:\windows\system32\sirenacm.dll
2009-07-18 03:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2008-03-26 23:14 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-10-04 19:46 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100420081005\index.dat
2009-02-12 23:33 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-02-12 23:33 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-02-12 23:33 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 14:59:51.72 ===============


Now, the Win32KDiag log:

Running from: C:\Documents and Settings\Owner\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...


And finally, the results of Peek.bat:

Volume in drive C has no label.
Volume Serial Number is BCB7-4900

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006 08:00 PM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006 08:00 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006 08:00 PM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 08:12 AM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 08:12 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 08:11 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/14/2008 08:12 AM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/14/2008 08:12 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/14/2008 08:11 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 9,701,900,288 bytes free


Those are all the logs I believe are of any use - hope it's not too much. I'll be happy to oblige and upload others (e.g. the Attach.txt doc from the DDS program).

More alerts have appeared on my computer in the past hour about freshly downloaded trojans. Are these logs outdated? My External (E:/) HDD seems to be infected too, according to the above logs - whatever resolution comes, my E:/ drive will probably need the same treatment.

I hope I am of some help, and that there is a speedy resolution out there. Thank you for your patience!

Edited by Joga!, 07 October 2009 - 06:07 AM.
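The DDS output above has two line formats a responder reads first: the `uRun:`/`mRun:` autostart entries and the `Created Last 30` file list. Below is an added triage script (written for this page, not code from the original poster, from BleepingComputer or from the DDS tool) that parses both formats and flags the two things a helper would look at before anything else: an autostart executable living in a user profile or temp folder, and a newly created file carrying hidden and system attributes. The sample log is a constructed excerpt of lines copied from the post; the regular expressions and the heuristics are assumptions about the DDS layout shown here, not a documented format.

```python
import re

# Constructed excerpt: a handful of lines copied from the DDS log in the post above,
# in the two formats the script understands (Run-key entries and "Created Last 30").
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [juipio] c:\documents and settings\owner\juipio.exe
uRun: [PopRock] c:\docume~1\owner\locals~1\temp\d.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
2009-10-06 09:24 160,256 a------- c:\windows\msc.exe
2009-10-02 15:55 57,344 ---shr-- c:\documents and settings\owner\juipio.exe
2009-10-03 12:03 206,256 a------- c:\windows\system32\drivers\PCTCore.sys
"""

# Assumed line layouts, derived from the log as pasted above.
RUN_RE = re.compile(r'^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$')
CREATED_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}\s+(?P<size>[\d,]+|<DIR>)\s+'
    r'(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$')
# First executable path in a command line, quoted or not (paths may contain spaces).
EXE_RE = re.compile(r'"?(?P<path>[a-z]:\\.+?\.(?:exe|scr|com|bat|dll|sys))', re.I)

# Directory fragments an ordinary autostart program should not live in:
# the user profile, its 8.3 short form, and any temp folder.
USER_WRITABLE = ('\\documents and settings\\', '\\docume~1\\', '\\temp\\')


def exe_path(command):
    """Return the lower-cased executable path from a Run-key command, or None."""
    m = EXE_RE.match(command.strip())
    return m.group('path').lower() if m else None


def reasons_for(path, attrs=''):
    """Heuristic reasons to look closer at a file; empty list means nothing stood out."""
    reasons = []
    if path and any(frag in path for frag in USER_WRITABLE):
        reasons.append('executable in user-writable location')
    # Attribute flags are read loosely: DDS marks hidden/system files with 'h'/'s'.
    if 'h' in attrs and 's' in attrs:
        reasons.append('hidden+system attributes')
    return reasons


def triage(log_text):
    """Scan DDS-style lines and return [(entry name or path, [reasons]), ...]."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            r = reasons_for(exe_path(m.group('cmd')))
            if r:
                findings.append((m.group('name'), r))
            continue
        m = CREATED_RE.match(line)
        if m and m.group('size') != '<DIR>':
            r = reasons_for(exe_path(m.group('path')), m.group('attrs'))
            if r:
                findings.append((m.group('path').lower(), r))
    return findings


if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_LOG):
        print(f'{name}: {", ".join(reasons)}')
```

On the excerpt this reports the `juipio` and `PopRock` autostart entries and the hidden/system `juipio.exe` under the user profile, while the entries pointing into `c:\program files` and `c:\windows\system32` pass silently. The heuristics deliberately say nothing about whether a file is malicious; they only order the log so that the entries worth checking against vendor information are read first.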

#2 Joga!

Posted 19 October 2009 - 03:56 AM

I know that replying to a topic pretty much kills it. Mostly because the official repliers look to reply to topics with NO reply.

This is just to say, I faltered, and stupidly ran Malwarebytes, and it located every file I suspected and more! But after quarantine, it seems as though I quarantined files that were vital to my computer's functioning. It died when I tried to turn it on again the next day.

I reformatted my computer's hard drive, and ran the (Garmanma recommended) Flash Disinfector (with my computer's Autoplay supposedly already disabled) - I (or it) managed to detect the files/worms and I canned them in AVG. I feel as though they're all no longer present in my external! So, in short, I have a clean computer, and a now (apparently) safely accessible backup drive.

Huzzah! (I think...)

Since this topic is solved, it is now closed - MG

Edited by garmanma, 19 October 2009 - 07:31 PM.

