Trojan Help Needed Please!

ytareh

Ive found this using Spybot S&D:

Win32.ciadoor.cj


It seems to be coming from here :


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\XPROTECTOR

It is seriously increasing the time it takes me to get online after boot up.From clicking the Internet Explorer icon to being able to use a website is taking 2 or 3 minutes !

Ive ran FULL scans on AVG ,SpyWare Blaster CCCleaner,EasyCleaner etc and deleted many start up programs

Heres my Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 02:15:02, on 20/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Creative\Shared Files\CTAudSvc.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Creative\Volume Panel\VolPanlu.exe
G:\WINDOWS\SYSTEM32\CTXFISPI.EXE
G:\WINDOWS\system32\CTXFIHLP.EXE
G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
G:\Program Files\Bonjour\mDNSResponder.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Java\jre6\bin\jqs.exe
G:\Program Files\Common Files\LightScribe\LSSrvc.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\PnkBstrA.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\ToniArts\EasyCleaner\EasyClea.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Documents and Settings\John H\Desktop\HIJACK THIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eircom.net/email
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - G:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - G:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [VolPanel] "G:\Program Files\Creative\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [StartCCC] "G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - G:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: g:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Contro...te.cab?1229726699437
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - G:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - G:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - G:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - G:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - G:\Program Files\Java\jre6\bin\jqs.exe" -service -config "G:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - G:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - G:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - G:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - G:\WINDOWS\system32\PnkBstrA.exe


How bad is this infection?Can it be removed?Is it an issue using Ebay ,Paypal etc?Should I reformat?I make a point of clearing all my cookies ,history etc on the basis that these might be 'transmitted' by the Trojan ?Is there any point in this ?

stylers

you might want to investigate :

G:\WINDOWS\SYSTEM32\CTXFISPI.EXE
G:\WINDOWS\system32\CTXFIHLP.EXE
G:\Program Files\ToniArts\EasyCleaner\EasyClea.exe

and

O23 - Service: PnkBstrA - Unknown owner - G:\WINDOWS\system32\PnkBstrA.exe

also, stuff can be running behind svchost processes - look for extra activity with these.

Is there a service called XPROTECTOR registered ?

Capt'n Midnight

malware forum
http://www.boards.ie/vbulletin/forumdisplay.php?f=1009