Trojan Help Needed Please!

  • 20-12-2008 7:41am


    I've found this using Spybot S&D:

    Win32.ciadoor.cj


    It seems to be coming from here :


    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\XPROTECTOR

    It is seriously increasing the time it takes me to get online after boot-up. From clicking the Internet Explorer icon to being able to use a website is taking 2 or 3 minutes!

    I've run full scans with AVG, SpywareBlaster, CCleaner, EasyCleaner etc. and deleted many start-up programs.

    Here's my HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 02:15:02, on 20/12/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18241)

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\system32\spoolsv.exe
    G:\Program Files\Creative\Shared Files\CTAudSvc.exe
    G:\WINDOWS\Explorer.EXE
    G:\Program Files\Creative\Volume Panel\VolPanlu.exe
    G:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    G:\WINDOWS\system32\CTXFIHLP.EXE
    G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    G:\WINDOWS\system32\ctfmon.exe
    G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    G:\Program Files\Bonjour\mDNSResponder.exe
    G:\WINDOWS\system32\svchost.exe
    G:\Program Files\Java\jre6\bin\jqs.exe
    G:\Program Files\Common Files\LightScribe\LSSrvc.exe
    G:\WINDOWS\System32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\WINDOWS\system32\PnkBstrA.exe
    G:\WINDOWS\system32\svchost.exe
    G:\Program Files\ToniArts\EasyCleaner\EasyClea.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\Documents and Settings\John H\Desktop\HIJACK THIS\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eircom.net/email
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - G:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - G:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O4 - HKLM\..\Run: [VolPanel] "G:\Program Files\Creative\Volume Panel\VolPanlu.exe" /r
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [StartCCC] "G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - G:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: g:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Contro...te.cab?1229726699437
    O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - G:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - G:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - G:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
    O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - G:\Program Files\Creative\Shared Files\CTAudSvc.exe
    O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - G:\Program Files\Java\jre6\bin\jqs.exe" -service -config "G:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - G:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NBService - Nero AG - G:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - G:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: PnkBstrA - Unknown owner - G:\WINDOWS\system32\PnkBstrA.exe


    How bad is this infection? Can it be removed? Is it an issue using eBay, PayPal etc.? Should I reformat? I make a point of clearing all my cookies, history etc. on the basis that these might be 'transmitted' by the Trojan. Is there any point in this?


Comments

  • stylers


    You might want to investigate:

    G:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    G:\WINDOWS\system32\CTXFIHLP.EXE
    G:\Program Files\ToniArts\EasyCleaner\EasyClea.exe

    and

    O23 - Service: PnkBstrA - Unknown owner - G:\WINDOWS\system32\PnkBstrA.exe

    Also, stuff can be running behind svchost processes - look for extra activity with these.

    Is there a service called XPROTECTOR registered?
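The items stylers singles out are exactly the ones a responder checks first in a HijackThis log: O4 Run entries that name a bare filename (CTXFIHLP.EXE is resolved through the search path at logon, so the log alone does not say which file ran), O23 services with no publisher string, entries marked "(file missing)", a third-party Winsock LSP, and a Winlogon Notify DLL. The script below is an added example written for this thread, not part of the original post, of Spybot, or of HijackThis. It parses a verbatim subset of the log posted above (the sample is copied from the thread, not new data) and flags those load points; the severities and rules are this example's own heuristics, and `has_service` answers stylers' question against the O23 lines. One caveat in the same spirit: the registry key the poster quotes sits under ControlSet003, and HKLM\SYSTEM\Select\Current records which control set Windows actually booted, so a service key in a non-current control set is not necessarily running at all.

```python
"""Triage the load points in a HijackThis v1.99.1 log.

Added example for this thread, not part of the original post or of HijackThis
itself. The sample lines are copied verbatim from the log posted above; the
rules and severities are this example's own heuristics, not HijackThis output.
"""
import re

# Constructed sample: a subset of the poster's HijackThis log, verbatim.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VolPanel] "G:\Program Files\Creative\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [StartCCC] "G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: g:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - G:\Program Files\Java\jre6\bin\jqs.exe" -service -config "G:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: PnkBstrA - Unknown owner - G:\WINDOWS\system32\PnkBstrA.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<internal>[^)]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.*)$"
)
# A command that starts with a drive letter, a UNC prefix or an environment
# variable names its target explicitly; anything else is resolved through the
# search path at logon, so the log alone cannot tell you which file ran.
ABSOLUTE_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%)")


def run_target(cmd):
    """Return the executable part of an O4 command line, unquoting if needed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Return a list of (severity, code, detail) findings worth a manual check."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "(file missing)" in line:
            findings.append(("low", line[:3], "target file missing (stale or removed): " + line))
        m = O4_RE.match(line)
        if m:
            target = run_target(m.group("cmd"))
            if not ABSOLUTE_RE.match(target):
                findings.append(("medium", "O4",
                                 "Run entry without a full path: [%s] %s" % (m.group("name"), target)))
            continue
        m = O23_RE.match(line)
        if m:
            if m.group("owner") == "Unknown owner":
                findings.append(("medium", "O23",
                                 "service with no publisher string, verify the binary: %s -> %s"
                                 % (m.group("display"), m.group("path"))))
            continue
        if line.startswith("O10 - Unknown file in Winsock LSP:"):
            findings.append(("medium", "O10", "third-party LSP sees all socket traffic: " + line.split(": ", 1)[1]))
        elif line.startswith("O20 - Winlogon Notify:"):
            findings.append(("high", "O20", "DLL loaded by winlogon.exe at logon: " + line.split(": ", 1)[1]))
    return findings


def service_names(log_text):
    """All O23 service names (display and internal), upper-cased for lookup."""
    names = set()
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            names.add(m.group("display").upper())
            if m.group("internal"):
                names.add(m.group("internal").upper())
    return names


def has_service(log_text, name):
    """True if HijackThis listed a service by this name (O23 lines only)."""
    return name.upper() in service_names(log_text)


if __name__ == "__main__":
    for sev, code, detail in triage(SAMPLE_LOG):
        print(sev.upper().ljust(6), code, detail)
    print("XPROTECTOR listed as a service:", has_service(SAMPLE_LOG, "XPROTECTOR"))
```

Run it against the full saved log with `triage(open("hijackthis.log").read())`. On the posted subset it flags the bare CTXFIHLP.EXE Run entry, the three "Unknown owner" services (ATI Smart, Java Quick Starter, PnkBstrA), the two "(file missing)" entries, the Bonjour LSP and the SUPERAntiSpyware Winlogon Notify DLL, and reports that no service named XPROTECTOR appears in the O23 list. A flag is a reason to check the file's publisher signature and hash, not a verdict: every flagged item here has a plausible benign owner.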


  • Capt'n Midnight