
Torpig virus keeps coming back


This topic is locked. 12 replies to this topic.

#1 Sergio Baldis

Posted 14 April 2009 - 09:46 AM

Unfortunately I keep getting my ISP account suspended due to trojans; initially it was something different, but now they are telling me it's Torpig. I thought I had removed a few trojans, and they still seem gone on repeated scans with programs such as Panda, Malwarebytes and SuperAntiSpyware, but again on April 9th my account got suspended. Here's my HijackThis log; can someone please talk me through what might be the issues and how to remove them? It would be much appreciated.

HijackThis log (updated after removing some things):

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\TPSrv.exe
C:\PROGRAM FILES\PANDA SECURITY\PANDA INTERNET SECURITY 2009\WebProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\PsImSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\PskSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\AVENGINE.EXE
c:\program files\panda security\panda internet security 2009\firewall\PSHOST.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\APVXDWIN.EXE
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Option\GlobeTrotter Connect\GlobeTrotter Connect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\SRVLOAD.EXE
C:\Program Files\Panda Security\Panda Internet Security 2009\PavBckPT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.dainews.nu/DAINEWS/boards/index.php?t=thread&frm_id=10&rid=6087
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2009\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2009\Inicio.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: GlobeTrotter Connect.lnk = C:\Program Files\Option\GlobeTrotter Connect\GlobeTrotter Connect.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1237889805718
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: GtDetectSc - OptionNV - C:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2009\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\PskSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\TPSrv.exe

Edited by Sergio Baldis, 14 April 2009 - 07:05 PM.



#2 Sergio Baldis (Topic Starter)

Posted 15 April 2009 - 09:12 PM

I removed Panda since it seemed to cause havoc with my browsers. I also removed a couple of other things that popped up as trojans:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Option\GlobeTrotter Connect\GlobeTrotter Connect.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.dainews.nu/DAINEWS/boards/index.php?t=thread&frm_id=10&rid=6087
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: GlobeTrotter Connect.lnk = C:\Program Files\Option\GlobeTrotter Connect\GlobeTrotter Connect.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1237889805718
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: GtDetectSc - OptionNV - C:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Edited by Sergio Baldis, 15 April 2009 - 09:54 PM.
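
The two HijackThis logs above (the first with Panda installed, the second after it was removed) are easier to compare structured than by eye. The script below is an added example, not code from the original thread or from the HijackThis project: it parses the log format (a "Running processes:" block of bare paths, then one "<code> - <body>" entry per line), diffs two logs, and lists entries that merit a closer look. The two embedded logs are short excerpts constructed from the two posts above; the review points (a per-user IE start page that differs from the machine default, an O4 Run entry launching a bare image name resolved via PATH, O20 Winlogon Notify DLLs, O23 services with no vendor) are heuristics of my own choosing, not malware verdicts.

```python
"""Structure and diff HijackThis logs (added example, not from the thread)."""
import re
from dataclasses import dataclass

# One entry per line: "<code> - <body>", code = R0..R3, F0..F3, N1..N4, O1..O24
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
START_RE = re.compile(r"^(?P<hive>HKCU|HKLM)\\Software\\Microsoft\\Internet Explorer"
                      r"\\Main,Start Page = (?P<url>.+)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


@dataclass(frozen=True)
class Entry:
    code: str  # section code, e.g. "O4"
    body: str  # everything after "<code> - "


def parse_hjt(text):
    """Return (processes, entries): paths from 'Running processes', then entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append(Entry(m.group("code"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def diff_logs(old_text, new_text):
    """Processes/entries that vanished from or appeared in the newer log."""
    old_p, old_e = parse_hjt(old_text)
    new_p, new_e = parse_hjt(new_text)
    key = lambda e: (e.code, e.body)  # noqa: E731
    return {
        "removed_processes": sorted(set(old_p) - set(new_p), key=str.lower),
        "added_processes": sorted(set(new_p) - set(old_p), key=str.lower),
        "removed_entries": sorted(set(old_e) - set(new_e), key=key),
        "added_entries": sorted(set(new_e) - set(old_e), key=key),
    }


def review_points(entries):
    """Heuristic 'look closer' notes (assumed rules); none is a malware verdict."""
    points, start = [], {}
    for e in entries:
        if e.code == "R0" and (m := START_RE.match(e.body)):
            start[m.group("hive")] = m.group("url")
        elif e.code == "O4" and (m := O4_RE.match(e.body)):
            cmd = m.group("cmd")
            exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
            if "\\" not in exe:  # bare image name: resolved through PATH at logon
                points.append(f"O4 [{m.group('name')}] runs {exe!r} without a full path")
        elif e.code == "O20":  # DLLs loaded into winlogon.exe
            points.append(f"O20 {e.body}")
        elif e.code == "O23" and (m := O23_RE.match(e.body)):
            if m.group("vendor").lower() == "unknown owner":
                points.append(f"O23 service with no vendor: {m.group('name')} -> {m.group('path')}")
    if "HKCU" in start and "HKLM" in start and start["HKCU"] != start["HKLM"]:
        points.append(f"per-user IE start page {start['HKCU']!r} differs from "
                      f"machine default {start['HKLM']!r}")
    return points


# Constructed excerpts of the first (Panda installed) and second (Panda removed) logs above.
OLD_LOG = r"""Running processes:
C:\Program Files\Panda Security\Panda Internet Security 2009\TPSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.dainews.nu/DAINEWS/boards/index.php?t=thread&frm_id=10&rid=6087
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2009\APVXDWIN.EXE" /s
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\TPSrv.exe
"""
NEW_LOG = r"""Running processes:
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.dainews.nu/DAINEWS/boards/index.php?t=thread&frm_id=10&rid=6087
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

if __name__ == "__main__":
    for k, v in diff_logs(OLD_LOG, NEW_LOG).items():
        print(k, [getattr(x, "body", x) for x in v])
    print(*review_points(parse_hjt(NEW_LOG)[1]), sep="\n")
```

Run as-is it diffs the two embedded excerpts; paste the full logs from the two posts into OLD_LOG and NEW_LOG to see the complete Panda-removal delta, which is the first thing a helper checks before deciding whether anything other than the uninstall changed between the two logs.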


#3 KoanYorel

Posted 27 April 2009 - 01:27 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 Sergio Baldis (Topic Starter)

Posted 29 April 2009 - 11:44 AM

Thanks for the response.

Well, originally the problem popped up when I visited a website; then some weird popup appeared that I couldn't close, then all of a sudden Windows started shutting down randomly, and when I tried to reboot I got a blue screen of death that then rebooted my computer. A few times I could get into Windows, but eventually it just became impossible. I then reinstalled Windows and deleted some partitions that were on my drive; not sure if they were the result of the trojan or not, though. After running a few other antivirus programs, such as Panda, and finally AVG, which found a few trojans and successfully removed them, as of right now my computer is running fine, with zero problems, but I am wondering if my computer is actually clean or just appears clean.

Here's the DDS log you asked for. I'm assuming you don't want attach.txt?

DDS (Ver_09-03-16.01) - NTFSx86
Run by Sergio at 12:37:23.65 on Wed 04/29/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.528 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Option\GlobeTrotter Connect\GlobeTrotter Connect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\xnews\Xnews.exe
C:\Allaire\HomeSite4\homesite4.exe
C:\Program Files\Winamp\winamp.exe
C:\WS_FTP Pro\wsftppro.exe
C:\Documents and Settings\Sergio.SERGIO-44D3CDCB\Application Data\Chameleon Submitter\chameleon.exe
C:\SJP Software\Gallery Maker Pro\GMP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\movies\created\test\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.dainews.nu/DAINEWS/boards/index.php?t=thread&frm_id=10&rid=6087
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ipswitch\ws_ftp pro\wsbho2k0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\globet~1.lnk - c:\program files\option\globetrotter connect\GlobeTrotter Connect.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237889805718
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: avldr - avldr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sergio~1.ser\applic~1\mozilla\firefox\profiles\7lhtj2y9.default\
FF - prefs.js: browser.startup.homepage - hxxp://sympatico.msn.ca/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-14 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-14 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-14 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-14 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-14 298264]
R2 GtDetectSc;GtDetectSc;c:\program files\option\globetrotter connect\GtDetectSc.exe [2008-4-30 200704]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2009-4-6 33256]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2008-7-7 106112]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2008-8-20 59008]
S3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [2008-6-4 8064]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-04-23 06:12 800 a------- c:\windows\hpinfo.lnk
2009-04-23 06:12 797 a------- c:\windows\reg.prm
2009-04-23 06:11 376 a------- c:\windows\mozregistry.dat
2009-04-23 06:07 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-04-23 06:07 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-04-20 09:07 69 a------- c:\windows\NeroDigital.ini
2009-04-19 14:19 4,767 a------- c:\windows\Irremote.ini
2009-04-19 13:55 <DIR> --d----- c:\program files\Nero
2009-04-19 13:55 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Nero
2009-04-16 01:49 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-16 01:34 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-04-16 01:34 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-16 01:34 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-16 01:34 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-16 01:34 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-16 01:34 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-16 01:34 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-16 01:34 <DIR> --d----- C:\89835df7fb70347467e1
2009-04-16 01:33 <DIR> --d----- c:\windows\SxsCaPendDel
2009-04-16 01:27 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 01:27 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 01:27 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-15 04:02 3,242 a------- C:\virus.html
2009-04-14 23:16 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-14 23:16 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-14 23:15 607,640 a------- C:\jre-6u13-windows-i586-p-iftw.exe
2009-04-14 14:16 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-14 14:06 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-14 14:06 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-14 14:06 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-14 14:06 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-14 14:06 <DIR> --d----- c:\program files\AVG
2009-04-14 14:06 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\avg8
2009-04-14 13:54 63,049,904 a------- C:\avg_free_stf_en_85_285a1462.exe
2009-04-14 13:29 <DIR> --d----- C:\hijack
2009-04-12 04:14 8,295,688 a------- C:\R163381.EXE
2009-04-12 03:14 <DIR> --d----- c:\program files\Option
2009-04-06 17:24 33,256 a------- c:\windows\system32\drivers\hssdrv.sys
2009-04-06 17:24 <DIR> --d----- c:\program files\Hotspot Shield
2009-04-05 03:40 86,016 a------- c:\windows\system32\xbcdr.dll
2009-04-05 03:39 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\XBCDSU
2009-04-05 03:36 <DIR> --d----- c:\program files\XBCD
2009-04-05 03:27 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2009-04-05 03:25 1,421,216 a------- c:\windows\system32\WdfCoInstaller01001.dll
2009-04-05 03:25 <DIR> --d----- c:\program files\Microsoft Xbox 360 Accessories
2009-04-05 03:25 68,888 a------- c:\windows\system32\xinput1_3.dll
2009-04-05 01:23 0 a------- c:\windows\ATIMMC.INI
2009-04-05 01:22 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\ATI MMC
2009-04-05 01:11 <DIR> --d----- c:\program files\msaccrt
2009-04-05 01:05 38,912 a----r-- c:\windows\system32\drivers\ATIUTD.sys
2009-04-05 01:03 174,592 a----r-- c:\windows\system32\drivers\atinyvxx.sys
2009-04-04 02:09 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-04-03 19:14 2,721,833 a------- C:\Chameleon452.exe

==================== Find3M ====================

2009-04-12 04:26 171,012 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-04-06 18:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 18:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-04 02:08 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-03-27 10:34 86,253,752 a------- C:\IS09.exe
2009-03-27 07:04 9,799,760 a------- C:\SpyHunter-Scanner-Install.exe
2009-03-27 05:47 945,544 a------- C:\ccsetup218_slim.exe
2009-03-26 20:16 175,504 a------- C:\activescan2_en.exe
2009-03-24 17:20 24,758,792 a------- C:\NetFx20SP1_x86.exe
2009-03-24 15:27 1,234,120 a------- C:\wrar380.exe
2009-03-24 14:13 2,876,720 a------- C:\mbam-setup.exe
2009-03-24 13:29 6,068,768 a------- C:\SUPERAntiSpyware.exe
2009-03-24 09:05 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-03-24 06:47 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-24 06:31 122,066,376 a------- C:\179.48_notebook_winxp_32bit_beta.exe
2009-03-24 06:23 11,832 a------- c:\windows\system32\nvModes.dat
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 02:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-06 02:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 14:56 67,584 a------- c:\windows\system32\ff_vfw.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-04 08:45 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 12:38:11.37 ===============

#5 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:35 PM

Posted 01 May 2009 - 06:42 PM

Hi Sergio Baldis,

Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Read the requirements and privacy statement then click on the Accept button.
  • The program will launch and start to download the latest definition files.
  • You will be prompted to install an application from Kaspersky. Click Run
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • Click on Save Report As....
  • Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Save this report to a convenient place.
  • Copy and paste that information into your topic with a fresh dds.txt log and a description of how the system is running.
  • The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
If you need a tutorial, see here

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#6 Sergio Baldis

Sergio Baldis
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:35 AM

Posted 02 May 2009 - 07:50 PM

It looks like a trojan was found with that scan, here's the report and another dds. The only noticeable problem I have on my computer is that sometimes when I try to ftp into a couple of the websites I own it takes a few tries, not sure if it has to do with a trojan, or a conflict with AVG. Also I haven't been using the ISP that suspended me. The ISP I have been using hasn't sent me any warnings about viruses so far, but maybe they aren't paying attention:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 2, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, May 02, 2009 22:46:04
Records in database: 2121340
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 155644
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 03:51:42


File name / Threat name / Threats count
C:\Documents and Settings\Sergio.SERGIO-44D3CDCB\Local Settings\Temporary Internet Files\Content.IE5\KU8M0T0P\gga[1].htm Infected: Trojan-Downloader.JS.Iframe.aur 1

The selected area was scanned.





DDS (Ver_09-03-16.01) - NTFSx86
Run by Sergio at 20:44:52.45 on Sat 05/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.854 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Allaire\HomeSite4\homesite4.exe
C:\Program Files\Winamp\winamp.exe
C:\WS_FTP Pro\wsftppro.exe
C:\Documents and Settings\Sergio.SERGIO-44D3CDCB\Application Data\Chameleon Submitter\chameleon.exe
C:\SJP Software\Gallery Maker Pro\GMP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\notepad.exe
C:\movies\created\test\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.dainews.nu/DAINEWS/boards/index.php?t=thread&frm_id=10&rid=6087
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ipswitch\ws_ftp pro\wsbho2k0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\globet~1.lnk - c:\program files\option\globetrotter connect\GlobeTrotter Connect.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237889805718
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: avldr - avldr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sergio~1.ser\applic~1\mozilla\firefox\profiles\7lhtj2y9.default\
FF - prefs.js: browser.startup.homepage - hxxp://sympatico.msn.ca/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-14 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-14 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-14 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-14 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-14 298264]
R2 GtDetectSc;GtDetectSc;c:\program files\option\globetrotter connect\GtDetectSc.exe [2008-4-30 200704]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2009-4-6 33256]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2008-7-7 106112]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2008-8-20 59008]
S3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [2008-6-4 8064]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-04-23 06:12 800 a------- c:\windows\hpinfo.lnk
2009-04-23 06:12 797 a------- c:\windows\reg.prm
2009-04-23 06:11 376 a------- c:\windows\mozregistry.dat
2009-04-23 06:07 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-04-23 06:07 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-04-20 09:07 69 a------- c:\windows\NeroDigital.ini
2009-04-19 14:19 4,767 a------- c:\windows\Irremote.ini
2009-04-19 13:55 <DIR> --d----- c:\program files\Nero
2009-04-19 13:55 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Nero
2009-04-16 01:49 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-16 01:34 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-04-16 01:34 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-16 01:34 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-16 01:34 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-16 01:34 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-16 01:34 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-16 01:34 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-16 01:34 <DIR> --d----- C:\89835df7fb70347467e1
2009-04-16 01:33 <DIR> --d----- c:\windows\SxsCaPendDel
2009-04-16 01:27 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 01:27 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 01:27 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-15 04:02 3,242 a------- C:\virus.html
2009-04-14 23:16 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-14 23:16 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-14 23:15 607,640 a------- C:\jre-6u13-windows-i586-p-iftw.exe
2009-04-14 14:16 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-14 14:06 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-14 14:06 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-14 14:06 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-14 14:06 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-14 14:06 <DIR> --d----- c:\program files\AVG
2009-04-14 14:06 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\avg8
2009-04-14 13:54 63,049,904 a------- C:\avg_free_stf_en_85_285a1462.exe
2009-04-14 13:29 <DIR> --d----- C:\hijack
2009-04-12 04:14 8,295,688 a------- C:\R163381.EXE
2009-04-12 03:14 <DIR> --d----- c:\program files\Option
2009-04-06 17:24 33,256 a------- c:\windows\system32\drivers\hssdrv.sys
2009-04-06 17:24 <DIR> --d----- c:\program files\Hotspot Shield
2009-04-05 03:40 86,016 a------- c:\windows\system32\xbcdr.dll
2009-04-05 03:39 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\XBCDSU
2009-04-05 03:36 <DIR> --d----- c:\program files\XBCD
2009-04-05 03:27 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2009-04-05 03:25 1,421,216 a------- c:\windows\system32\WdfCoInstaller01001.dll
2009-04-05 03:25 <DIR> --d----- c:\program files\Microsoft Xbox 360 Accessories
2009-04-05 03:25 68,888 a------- c:\windows\system32\xinput1_3.dll
2009-04-05 01:23 0 a------- c:\windows\ATIMMC.INI
2009-04-05 01:22 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\ATI MMC
2009-04-05 01:11 <DIR> --d----- c:\program files\msaccrt
2009-04-05 01:05 38,912 a----r-- c:\windows\system32\drivers\ATIUTD.sys
2009-04-05 01:03 174,592 a----r-- c:\windows\system32\drivers\atinyvxx.sys
2009-04-04 02:09 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-04-03 19:14 2,721,833 a------- C:\Chameleon452.exe

==================== Find3M ====================

2009-04-12 04:26 171,012 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-04-06 18:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 18:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-04 02:08 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-03-27 10:34 86,253,752 a------- C:\IS09.exe
2009-03-27 07:04 9,799,760 a------- C:\SpyHunter-Scanner-Install.exe
2009-03-27 05:47 945,544 a------- C:\ccsetup218_slim.exe
2009-03-26 20:16 175,504 a------- C:\activescan2_en.exe
2009-03-24 17:20 24,758,792 a------- C:\NetFx20SP1_x86.exe
2009-03-24 15:27 1,234,120 a------- C:\wrar380.exe
2009-03-24 14:13 2,876,720 a------- C:\mbam-setup.exe
2009-03-24 13:29 6,068,768 a------- C:\SUPERAntiSpyware.exe
2009-03-24 09:05 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-03-24 06:47 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-24 06:31 122,066,376 a------- C:\179.48_notebook_winxp_32bit_beta.exe
2009-03-24 06:23 11,832 a------- c:\windows\system32\nvModes.dat
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 02:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-06 02:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 14:56 67,584 a------- c:\windows\system32\ff_vfw.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-04 08:45 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 20:45:30.48 ===============

Edited by Sergio Baldis, 02 May 2009 - 07:52 PM.
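The Kaspersky report above locates the single hit in the Internet Explorer cache (Content.IE5), which is the detail the follow-up replies turn on: a cached page carrying an iframe downloader is a leftover of a drive-by visit, not an installed component. The script below is an added example, not code from the thread, from Kaspersky or from BleepingComputer. It parses the Kaspersky Online Scanner 7.0 report format quoted above, checks that the number of hit lines agrees with the "Infected objects" statistic, and classifies each hit by where on disk it sits. The sample report is a copy of the one posted; the function names and the location categories are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the Kaspersky Online Scanner 7.0 report quoted in the
# thread above, kept verbatim so the parser is exercised on the real format.
SAMPLE_REPORT = r"""
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 2, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, May 02, 2009 22:46:04
Records in database: 2121340
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 155644
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 03:51:42


File name / Threat name / Threats count
C:\Documents and Settings\Sergio.SERGIO-44D3CDCB\Local Settings\Temporary Internet Files\Content.IE5\KU8M0T0P\gga[1].htm Infected: Trojan-Downloader.JS.Iframe.aur 1

The selected area was scanned.
"""

# One detection line: "<path> Infected|Suspicious: <threat name> <count>".
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<verdict>Infected|Suspicious):\s+"
    r"(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)
# Only the statistics we care about; avoids treating "C:\" as a key/value line.
STAT_KEYS = (
    "Kaspersky Online Scanner version", "Records in database", "Files scanned",
    "Infected objects", "Suspicious objects", "Duration of the scan",
)


@dataclass
class Hit:
    path: str
    verdict: str
    threat: str
    count: int


@dataclass
class Report:
    stats: Dict[str, str]
    hits: List[Hit]

    def counts_match(self) -> bool:
        """True when the hit lines agree with the scanner's own statistics."""
        infected = sum(h.count for h in self.hits if h.verdict == "Infected")
        suspicious = sum(h.count for h in self.hits if h.verdict == "Suspicious")
        return (infected == int(self.stats.get("Infected objects", "0")) and
                suspicious == int(self.stats.get("Suspicious objects", "0")))


def parse_report(text: str) -> Report:
    stats: Dict[str, str] = {}
    hits: List[Hit] = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append(Hit(m["path"], m["verdict"], m["threat"], int(m["count"])))
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() in STAT_KEYS:
            stats[key.strip()] = value.strip()
    return Report(stats, hits)


def classify_location(path: str) -> str:
    """Rough triage by path: cached/temp content vs. Windows vs. installed programs."""
    p = path.lower()
    if any(m in p for m in ("temporary internet files", "content.ie5", "\\cache\\", "\\temp\\")):
        return "cache/temp"
    if "\\windows\\" in p:
        return "windows"
    if "\\program files\\" in p:
        return "program-files"
    return "other"


def by_location(report: Report) -> Dict[str, int]:
    """Count detections per location category."""
    out: Dict[str, int] = {}
    for h in report.hits:
        cat = classify_location(h.path)
        out[cat] = out.get(cat, 0) + h.count
    return out


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print("statistics consistent:", rep.counts_match())
    for h in rep.hits:
        print(f"[{classify_location(h.path)}] {h.threat} -> {h.path}")
    print(by_location(rep))
```

A hit classified as "cache/temp" is the case this thread ends up in: the file is inert until a browser re-renders it, so clearing the cache or deleting that one file removes it, whereas a hit under the Windows directory or an autostart location would call for a closer look at the DDS run keys and services.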


#7 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:35 PM

Posted 03 May 2009 - 05:33 AM

Hi

Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Delete C:\Documents and Settings\Sergio.SERGIO-44D3CDCB\Local Settings\Temporary Internet Files\Content.IE5\KU8M0T0P\gga[1].htm file.


I'm not sure about that ftp issue. The DDS log itself looks good.



#8 Sergio Baldis

Sergio Baldis
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:35 AM

Posted 03 May 2009 - 01:39 PM

Hello,

Ok I've done that. I've actually done that before, basically run Kasp, and manually deleted a file. I'm assuming what I deleted isn't that harmful, since it's in my internet history.

#9 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:35 PM

Posted 04 May 2009 - 09:19 AM

Ok. In that case it looks like your case is about ready :thumbup2:

I noticed that you don't have a software firewall there.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and install firewall ONLY!).



#10 Sergio Baldis

Sergio Baldis
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:35 AM

Posted 04 May 2009 - 11:45 PM

I am using a firewall, though it's the default Windows one. I was using Panda's firewall, but for some reason Panda was causing all sorts of havoc with my browsers and Firefox and IE kept crashing all the time. I've installed Online Armor Free now however. Thanks for the advice.

#11 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:35 PM

Posted 05 May 2009 - 10:33 AM

You're welcome :thumbup2: I guess we can close the topic now?



#12 Sergio Baldis

Sergio Baldis
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:35 AM

Posted 06 May 2009 - 06:45 PM

I hope so :thumbup2: thanks.

#13 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:35 PM

Posted 07 May 2009 - 12:06 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
