troj_se and adw_se

spotpuff

Gawd
Joined
Aug 15, 2001
Messages
522
It appears I've managed to pick up the trojans troj_se and adw_se.

Attempts to remove it manually weren't really successful; most of the changes seemed to be registry changes in the P3P cookie area which I removed but have since returned.

I have run full system scans with Kaspersky, Adaware and Spybot and none of them pick up anything. Trend Micro Housecall (their online free scanner) is the only thing that detects them. I have also tried trojan hunter and trojan remover and neither of them were effective.

If I leave my computer on overnight I notice explorer.exe uses up 99% of the CPU and my VMEM usage shoots up to 2gb+. I can kill the process and this fixes it however obviously this is not the ideal solution. My ISP (rogers) even sent me a warning about having a trojan. Fun times.

Any advice on their removal? This is driving me nuts.

In case anyone asks for it, here's a HijackThis log. I cannot see anything obviously out of place compared to what should be running.

Logfile of HijackThis v1.99.1
Scan saved at 19:26:06, on 2006-03-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
D:\Program Files\WinFast\WFTVFM\WFWIZ.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
E:\Installation Files\uTorrent\utorrent.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
D:\Program Files\SpeedFan\speedfan.exe
D:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\oodag.exe
D:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\PROGRA~1\FREEDO~1\fdm.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Maxthon\Maxthon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ca/ie_rsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.techreport.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.ca/ie_rsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.ca/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinFast Schedule] D:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [THGuard] D:\Program Files\TrojanHunter 4.2\THGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [µTorrent] "E:\Installation Files\uTorrent\utorrent.exe"
O4 - Startup: SpeedFan.lnk = D:\Program Files\SpeedFan\speedfan.exe
O4 - Startup: trillian.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = D:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O8 - Extra context menu item: Download all by Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE109642-851B-4084-8DF2-4999740E58A5}: NameServer = 24.153.22.67,24.153.22.195
O20 - Winlogon Notify: csrcs - C:\WINDOWS\SYSTEM32\csrcs.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - D:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
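As an added example (not part of the original post or any tool named in the thread), here is a small Python triage script for logs in the HijackThis v1.99 format shown above. It parses the entry lines and surfaces the ones a responder would verify first: O20 Winlogon Notify DLLs, O23 services whose owner HijackThis could not identify, O4 Run entries that are bare filenames with no path, and startup shortcuts whose target resolves to "?". The sample log lines are constructed, and the flagging rules are heuristics assumed here for illustration, not a verdict that an entry is malicious; run against the log above, they would surface the O20 csrcs entry, the two "Unknown owner" services, the Logi_MwX.Exe Run entry and the trillian.lnk shortcut for verification.

```python
import re

# Constructed sample log in HijackThis v1.99 format (illustrative paths and GUIDs,
# not the entries from the thread above).
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll",
    r"O4 - HKLM\..\Run: [Vendor Utility] Vendor_Util.Exe",
    r'O4 - HKLM\..\Run: [Antivirus] "D:\Program Files\AV\av.exe" /minimize',
    r"O4 - Startup: chat.lnk = ?",
    r"O20 - Winlogon Notify: example - C:\WINDOWS\SYSTEM32\example.dll",
    r"O23 - Service: Example Service - Unknown owner - C:\Program Files\Example\svc.exe",
    r"O23 - Service: Vendor Service (VendorSvc) - Vendor Inc. - C:\Program Files\Vendor\svc.exe",
])

# Every HijackThis entry line starts with a type code (R0, R1, O2, O4, O20, O23, ...).
ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
# O4 registry Run entries: hive, key, [display name], then the command line.
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (entry_type, body) pairs; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def run_target(cmd):
    """Extract the executable from an O4 command line (quoted path or first token)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    return tokens[0] if tokens else ""


def triage(text):
    """Return the entries worth verifying first, each with the reason it was flagged.

    These are triage heuristics (assumed here), not a malicious/benign verdict.
    """
    findings = []
    for etype, body in parse_hjt(text):
        reason = None
        if etype == "O20":
            # Winlogon Notify DLLs are loaded into winlogon.exe at logon, a strong
            # persistence location that should be tied to a known publisher.
            reason = "Winlogon Notify DLL: verify the file's publisher and hash"
        elif etype == "O23" and " - Unknown owner - " in body:
            reason = "service binary has no recognised vendor: verify the file"
        elif etype == "O4":
            m = RUN_RE.match(body)
            if m:
                target = run_target(m.group("cmd"))
                if target and "\\" not in target and "/" not in target:
                    reason = ("Run entry is a bare filename resolved through the PATH "
                              "search order: confirm which file actually executes")
            elif body.endswith(" = ?"):
                reason = "startup shortcut target could not be resolved"
        if reason:
            findings.append({"type": etype, "body": body, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['type']:>4}  {f['reason']}\n      {f['body']}")
```

Entries the script does not flag are not cleared by it; the point is to order the manual checks (publisher, file hash, creation time) rather than to replace them, and to give a stable list to compare against after a reboot when entries are reported to be returning.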
 
Have you tried scanning in safe mode? (better chance of detecting and removing bad stuff in safe mode...less services and processes running)

Disabled system restore so you don't keep infecting yourself each time you reboot after removing it?

If Trend Micro House Call detects it...have you jotted down the file name(s) and path...and attempted to manually delete them in safe mode?

Run a scan with Ewido yet?

I see you run P2P software..a sure way to keep hosing your system.
 
No clue what Ewido is.

I haven't tried in safe mode but will later tonight.

Trend Micro House call just notifies of registry entries, but no actual file names (which is why this is so frustrating). I deleted the entries manually but they came back.

uTorrent is good for lots of stuff!
 
Ewido, Spybot, Adaware and NOD 32 full scan all run in safe mode to no effect; the following came back.

adw_se.123473
adw_se.123475
adw_se.123477
adw_se.123481
adw_se.123481

troj_se.85638 seems to have disappeared.

This is driving me nuts; no virus scanners are picking this up and all the trojan removers I tried were useless.

Any other ideas?

*edit*
System restore was disabled.
 
you gotta find its registries... but that's like finding a needle in a haystack...

also it's unlikely.... but go to run and type in msconfig
startup stuff, see if you can find anything out of place, and I mean, Geek Squad (for those who haven't heard, it's a chain computer repair shop (a chain, as in like McDonald's) they do reformatting for 30 bucks. and charge a couple bucks for any files you wanna save. you could do that, I mean unless you wanna do it yourself.

but if you can't find it in registries, and it's not listed in applications, and no antivirus can find it... i donno man....

edit: free virus scan here
 
I've checked the registry but it's not immediately apparent where the trojan is. MSconfig was useless.

Also, as explorer.exe is using 99% of the CPU and 2gb of RAM at random intervals, it seems like the trojan modified it somehow.

I am not entirely sure why trend micro house call can't remove the virus if it detects it. Very annoying.

:T
 