OK, I'm pretty certain I'm infected with the DELF.EP (or is it DELP.EF?) trojan. I have msshed32.exe on my machine, which (according to Google scans) tends to be a good signal of this. I've downloaded and run HijackTHis and XoftSpy since suspecting the infection, and my system has NAV, NIS, Ad-Aware SE and SpywareBlaster on it to try and detect/prevent this sort of infection.

Here's the HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 11:34:09, on 09/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\IoctlSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\PDF Printer Pilot SE\PDFPRPRXY.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\System32\HotfixQ0306270.exe
C:\Program Files\Spam Inspector Outlook Express\Spam Inspector Outlook Express Edition\piiserviceOE.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\msshed32.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Nick\Desktop\HiJack THis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dysartes.com/phpBB2/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PDFPrinterPilotAgent] "E:\Program Files\PDF Printer Pilot SE\PDFPRPRXY.EXE"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\System32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [piiserviceOE] "C:\Program Files\Spam Inspector Outlook Express\Spam Inspector Outlook Express Edition\piiserviceOE.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [atiupdate] C:\DOCUME~1\Nick\LOCALS~1\Temp\msshed32.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26de604e0af321ebb700/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098927612875
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E071442-3BF3-4F34-B00A-023C6A884FDA}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E071442-3BF3-4F34-B00A-023C6A884FDA}: NameServer = 194.168.4.100 194.168.8.100

Any suggestions on what to do to kill this little begagr would be much appreciated.

Recommended Answers

All 11 Replies

What version of Xoftspy do you have? If it's prior to 4.0 you shouldn't use it. Personally I don't know if I would even trust the 4.0 version, but you can read the review for yourself here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm#xos_note
Spybot is the best alternative, and it's free.

If you empty your Temp folder you should get rid of msshed32.exe
(http://startup.iamnotageek.com/srch-msshed32.exe.html)
While your at it, you may as well empty all Temp, Temporary Internet folders for all users on the computer, and the C:\Windows\Temp folder. Empty the Recycle Bin afterwards.

Then, close all browser windows, scan with HJT, and post a new log.

I'm running v4.02 of XoftSpy, as was recommended ina similar thread to this one.

I've emptied my Temp & TempInternet folders; does this thing leave any rogue entries in the Registry or StartUp files?

I'm running v4.02 of XoftSpy, as was recommended ina similar thread to this one.

I've emptied my Temp & TempInternet folders; does this thing leave any rogue entries in the Registry or StartUp files?

This is all I could find:

Troj/Dloader-EP may create the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
atiupdate
"Windows system"\msshed32.exe

HKCU\Software\xjado
fr
"random value"

Post a new log when you get a chance so we can make sure you're clean.

I deleted the two keys you mentioned, and I've emptied my Temp directory. A simple search for msshed32.exe turns up a copy in c:\WINDOWS\system32 as well - should I kill that one as well?

I deleted the two keys you mentioned, and I've emptied my Temp directory. A simple search for msshed32.exe turns up a copy in c:\WINDOWS\system32 as well - should I kill that one as well?

Yes, sorry I missed that.

Also, close all windows, scan with HJT, and have it fix the following entry:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26de604...ip/RdxIE601.cab
-Netster

Please post another log.

OK, I think I'm clear now. Time for a fresh log.....

Logfile of HijackThis v1.98.2
Scan saved at 23:45:58, on 11/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\IoctlSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\PDF Printer Pilot SE\PDFPRPRXY.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\System32\HotfixQ0306270.exe
C:\Program Files\Spam Inspector Outlook Express\Spam Inspector Outlook Express Edition\piiserviceOE.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Trillian\trillian.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Spam Inspector Outlook Express\Spam Inspector Outlook Express Edition\PostalInspectorOE.exe
E:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Documents and Settings\Nick\Desktop\HiJack THis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dysartes.com/phpBB2/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PDFPrinterPilotAgent] "E:\Program Files\PDF Printer Pilot SE\PDFPRPRXY.EXE"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\System32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [piiserviceOE] "C:\Program Files\Spam Inspector Outlook Express\Spam Inspector Outlook Express Edition\piiserviceOE.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098927612875
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E071442-3BF3-4F34-B00A-023C6A884FDA}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E071442-3BF3-4F34-B00A-023C6A884FDA}: NameServer = 194.168.4.100 194.168.8.100

Just out of curiousity:

Your log indicates some programs running from E: and E:\Program Files. Is the E drive just a separate storage drive/partition?

YEah - C:\ is for Windoze and any progs that won't le me change where; e:\ is for other programs. An attempt to keep things tidy(ish) ;)

I figured as much, but we just wanted to be sure.

There are one or two "keylogging" trojans that use the filename "trillian.exe" (the same filename as the "Trillian" IM/chat program), and since your HJT log indicated that you weren't running Trillian from the location that it usually installs to, we had some question about the entry.

We can safely assume that in your case " E:\Trillian\trillian.exe" is the real IM program then, yes?

Yeah, its the real program.

Cool- thanks for the clarification.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.