
Possible trojan banker



Tecolote
2010-05-01, 10:39
Hi,

My PC is behaving awry and I believe it's a trojan banker. I may be wrong regarding the "species", but I'm sure it's infected. Can you help me?

First I want to warn you of a couple of things (I hope they are irrelevant): I didn't install DDS to the desktop to keep it clean; instead, I installed it in the c:\Arquivos de Programas folder (the Program Files folder in this XP translation). Is that ok?

Second, when I made the backup of the registry, I checked the "Current User Registry" box... Sorry. Is that ok too?

I am attaching the larger txt log of DDS, as instructed by the program...

Thank you!

The DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Pablo Mello at 4:06:43,45 on sáb 01/05/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.55.1046.18.511.327 [GMT -3:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
C:\WINDOWS\system32\WService.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.br/
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\arquivos de programas\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\arquivos de programas\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [WService] WService.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\arquivos de programas\arquivos comuns\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-05-01 06:35:32 525824 ----a-w- c:\arquivos de programas\dds.scr
2010-05-01 06:34:40 791393 ----a-w- c:\arquivos de programas\erunt-setup.exe
2010-04-29 22:06:20 1150 ----a-w- c:\windows\favicon-vfl147246[1].ico
2010-04-29 22:05:41 1150 ----a-w- c:\windows\favicon[1].ico
2010-04-25 19:49:50 305152 ----a-w- c:\windows\IsUninst.exe
2010-04-25 19:49:49 0 d-----w- c:\documents and settings\pablo mello\WINDOWS
2010-04-25 19:44:20 5455526 ----a-w- c:\arquivos de programas\acrobat_reader_40eng.exe
2010-04-25 19:14:19 662288 ----a-w- c:\windows\system32\MSCOMCT2.OCX
2010-04-25 19:14:19 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2010-04-25 19:14:19 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2010-04-25 19:14:19 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-04-25 19:14:16 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2010-04-25 19:14:16 0 d-----w- c:\arquivos de programas\PDFCreator
2010-04-25 19:11:40 17776464 ----a-w- c:\arquivos de programas\PDFCreator-0_9_9_setup.exe
2010-04-25 18:53:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-25 18:53:58 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-25 18:53:53 0 d-----w- c:\arquivos de programas\lib
2010-04-25 18:53:51 0 d-----w- c:\arquivos de programas\bin
2010-04-25 18:01:29 0 d-----w- c:\arquivos de programas\GENIUS TABLET
2010-04-25 18:01:22 583 ----a-w- c:\windows\SETUPEXT.INF
2010-04-25 18:01:22 315392 ----a-w- c:\windows\SETUPX32.EXE
2010-04-25 17:58:36 0 d-----w- c:\arquivos de programas\C-Media 3D Audio
2010-04-25 17:54:22 0 d-----w- c:\arquivos de programas\arquivos comuns\InstallShield
2010-04-25 17:53:51 0 d-----w- c:\arquivos de programas\NVIDIA
2010-04-25 17:39:03 0 d-sh--w- c:\documents and settings\all users\DRM
2010-04-25 17:38:44 0 d--h--w- c:\arquivos de programas\WindowsUpdate
2010-04-25 17:38:40 0 d-----w- c:\arquivos de programas\Serviços on-line
2010-04-25 17:38:04 0 d-----w- c:\arquivos de programas\arquivos comuns\Serviços
2010-04-25 17:38:01 0 d-----w- c:\arquivos de programas\arquivos comuns\MSSoap
2010-04-25 17:36:39 0 d-----w- c:\arquivos de programas\Messenger
2010-04-25 17:36:36 0 d-----w- c:\arquivos de programas\MSN Gaming Zone
2010-04-25 17:36:16 0 d-----w- c:\arquivos de programas\Windows NT
2010-04-25 13:27:10 0 d-----w- c:\arquivos de programas\arquivos comuns\ODBC
2010-04-25 13:27:07 0 d-----w- c:\arquivos de programas\arquivos comuns\SpeechEngines
2010-04-25 13:26:44 0 d--h--w- c:\documents and settings\all users\Modelos
2010-04-25 13:26:44 0 d-----w- c:\documents and settings\all users\Favoritos
2010-04-25 13:26:44 0 d-----r- c:\documents and settings\all users\Menu Iniciar
2010-04-25 13:26:44 0 d-----r- c:\documents and settings\all users\Documentos
2010-04-25 13:26:25 0 d--h--r- c:\documents and settings\all users\Dados de aplicativos

==================== Find3M ====================

2010-05-01 06:43:42 48846 ----a-w- c:\windows\system32\perfc016.dat
2010-05-01 06:43:42 344734 ----a-w- c:\windows\system32\perfh016.dat
2010-04-25 18:53:52 994 ----a-w- c:\arquivos de programas\Welcome.html
2010-04-25 18:53:52 3841 ----a-w- c:\arquivos de programas\COPYRIGHT
2010-04-25 18:53:52 186655 ----a-w- c:\arquivos de programas\THIRDPARTYLICENSEREADME.txt
2010-04-25 18:53:52 16282 ----a-w- c:\arquivos de programas\README.txt
2010-04-25 18:53:52 12981 ----a-w- c:\arquivos de programas\LICENSE
2010-04-25 17:37:32 21844 ----a-w- c:\windows\system32\emptyregdb.dat
2005-01-25 02:53:38 16409960 ----a-w- c:\arquivos de programas\spybotsd162.exe
2001-11-23 04:08:20 712704 ----a-r- c:\windows\inf\other\AUDIO3D.DLL

============= FINISH: 4:07:02,46 ===============

Tecolote
2010-05-02, 15:28
Dear volunteer,

Will you excuse me, but I think the situation has gotten worse, so I decided to post a new DDS log. I appreciate your understanding, and apologise for any time loss. This is not bumping, really. I don't intend to go to the end of the waiting line, if only because I stopped reading my webmail since the start of it all.

Regards,
Tecolote


DDS (Ver_10-03-17.01) - NTFSx86
Run by Pablo Mello at 8:52:56,60 on dom 02/05/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.55.1046.18.511.351 [GMT -3:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WService.EXE
C:\Arquivos de programas\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.br/
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\arquivos de programas\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\arquivos de programas\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [WService] WService.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\arquivos de programas\arquivos comuns\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-05-01 07:07:55 0 d-----w- c:\arquivos de programas\DDS log
2010-05-01 06:35:32 525824 ----a-w- c:\arquivos de programas\dds.scr
2010-05-01 06:34:40 791393 ----a-w- c:\arquivos de programas\erunt-setup.exe
2010-04-29 22:06:20 1150 ----a-w- c:\windows\favicon-vfl147246[1].ico
2010-04-29 22:05:41 1150 ----a-w- c:\windows\favicon[1].ico
2010-04-25 19:49:50 305152 ----a-w- c:\windows\IsUninst.exe
2010-04-25 19:49:49 0 d-----w- c:\documents and settings\pablo mello\WINDOWS
2010-04-25 19:44:20 5455526 ----a-w- c:\arquivos de programas\acrobat_reader_40eng.exe
2010-04-25 19:14:19 662288 ----a-w- c:\windows\system32\MSCOMCT2.OCX
2010-04-25 19:14:19 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2010-04-25 19:14:19 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2010-04-25 19:14:19 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-04-25 19:14:16 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2010-04-25 19:14:16 0 d-----w- c:\arquivos de programas\PDFCreator
2010-04-25 19:11:40 17776464 ----a-w- c:\arquivos de programas\PDFCreator-0_9_9_setup.exe
2010-04-25 18:53:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-25 18:53:58 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-25 18:53:53 0 d-----w- c:\arquivos de programas\lib
2010-04-25 18:53:51 0 d-----w- c:\arquivos de programas\bin
2010-04-25 18:01:29 0 d-----w- c:\arquivos de programas\GENIUS TABLET
2010-04-25 18:01:22 583 ----a-w- c:\windows\SETUPEXT.INF
2010-04-25 18:01:22 315392 ----a-w- c:\windows\SETUPX32.EXE
2010-04-25 17:58:36 0 d-----w- c:\arquivos de programas\C-Media 3D Audio
2010-04-25 17:54:22 0 d-----w- c:\arquivos de programas\arquivos comuns\InstallShield
2010-04-25 17:53:51 0 d-----w- c:\arquivos de programas\NVIDIA
2010-04-25 17:39:03 0 d-sh--w- c:\documents and settings\all users\DRM
2010-04-25 17:38:44 0 d--h--w- c:\arquivos de programas\WindowsUpdate
2010-04-25 17:38:40 0 d-----w- c:\arquivos de programas\Serviços on-line
2010-04-25 17:38:04 0 d-----w- c:\arquivos de programas\arquivos comuns\Serviços
2010-04-25 17:38:01 0 d-----w- c:\arquivos de programas\arquivos comuns\MSSoap
2010-04-25 17:36:39 0 d-----w- c:\arquivos de programas\Messenger
2010-04-25 17:36:36 0 d-----w- c:\arquivos de programas\MSN Gaming Zone
2010-04-25 17:36:16 0 d-----w- c:\arquivos de programas\Windows NT
2010-04-25 13:27:10 0 d-----w- c:\arquivos de programas\arquivos comuns\ODBC
2010-04-25 13:27:07 0 d-----w- c:\arquivos de programas\arquivos comuns\SpeechEngines
2010-04-25 13:26:44 0 d--h--w- c:\documents and settings\all users\Modelos
2010-04-25 13:26:44 0 d-----w- c:\documents and settings\all users\Favoritos
2010-04-25 13:26:44 0 d-----r- c:\documents and settings\all users\Menu Iniciar
2010-04-25 13:26:44 0 d-----r- c:\documents and settings\all users\Documentos
2010-04-25 13:26:25 0 d--h--r- c:\documents and settings\all users\Dados de aplicativos

==================== Find3M ====================

2010-05-01 06:43:42 48846 ----a-w- c:\windows\system32\perfc016.dat
2010-05-01 06:43:42 344734 ----a-w- c:\windows\system32\perfh016.dat
2010-04-25 18:53:52 994 ----a-w- c:\arquivos de programas\Welcome.html
2010-04-25 18:53:52 3841 ----a-w- c:\arquivos de programas\COPYRIGHT
2010-04-25 18:53:52 186655 ----a-w- c:\arquivos de programas\THIRDPARTYLICENSEREADME.txt
2010-04-25 18:53:52 16282 ----a-w- c:\arquivos de programas\README.txt
2010-04-25 18:53:52 12981 ----a-w- c:\arquivos de programas\LICENSE
2010-04-25 17:37:32 21844 ----a-w- c:\windows\system32\emptyregdb.dat
2005-01-25 02:53:38 16409960 ----a-w- c:\arquivos de programas\spybotsd162.exe
2001-11-23 04:08:20 712704 ----a-r- c:\windows\inf\other\AUDIO3D.DLL

============= FINISH: 8:53:15,96 ===============
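The two DDS logs above carry the same Pseudo HJT Report, which is the section a helper reads first. As an added example (not part of the original thread and not code from the DDS tool), here is a small Python triage script that parses that section and flags the two things a helper usually checks before anything else: Run-key entries whose launched file has no absolute path (so its real location cannot be verified from the log alone) and Hosts-file lines that map something other than localhost to 127.0.0.1. The sample lines are copied from the report above; the flags are heuristics for follow-up, not malware verdicts. In this log that means nwiz.exe, cmicnfg.cpl and WService.EXE get flagged only because their location is unknown from the log, and the Hosts line because it points a security site at the loopback address; the "Created Last 30" section shows NVIDIA and C-Media 3D Audio folders being installed, which is where a helper would look first for the first two.

```python
"""
Added example (not from the original thread or the DDS tool): a triage helper
for the "Pseudo HJT Report" section of a DDS log.

It flags:
  * uRun/mRun/dRun entries whose launched file has no absolute path, so the
    file cannot be located from the log alone.
  * Hosts-file lines that map a hostname other than localhost to 127.0.0.1.

Everything it reports is a "verify this" item for a human, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the Pseudo HJT Report posted above.
SAMPLE_REPORT = """\
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.br/
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\\arquivos de programas\\bin\\jp2ssv.dll
uRun: [CTFMON.EXE] c:\\windows\\system32\\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [WService] WService.EXE
mRun: [SunJavaUpdateSched] "c:\\arquivos de programas\\arquivos comuns\\java\\java update\\jusched.exe"
dRun: [CTFMON.EXE] c:\\windows\\system32\\CTFMON.EXE
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============
"""

RUN_RE = re.compile(r"^(?P<scope>[umd]Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
# Heuristic: a drive-letter prefix counts as an absolute path. Paths written
# with environment variables (e.g. %systemroot%) would also be flagged, which
# is acceptable for a "go and check it" list.
ABS_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # "run" or "hosts"
    name: str    # Run-key name, or the hostname for a Hosts line
    detail: str  # what the helper should verify


def split_command(cmd: str):
    """Return (program, remaining arguments) for a Run-key command line.
    Handles the quoted form "c:\\path with spaces\\x.exe" args."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def target_of(cmd: str) -> str:
    """The file whose location matters: the program itself, or, for rundll32,
    the module it is asked to load (first argument, before ',EntryPoint')."""
    program, rest = split_command(cmd)
    if program.lower() in ("rundll32", "rundll32.exe"):
        module = split_command(rest)[0] if rest else ""
        return module.split(",", 1)[0]
    return program


def triage(report: str) -> List[Finding]:
    """Scan a Pseudo HJT Report and return the entries to verify by hand."""
    findings: List[Finding] = []
    for line in report.splitlines():
        m = RUN_RE.match(line)
        if m:
            tgt = target_of(m.group("cmd"))
            if not ABS_PATH_RE.match(tgt):
                findings.append(Finding(
                    "run", m.group("name"),
                    f"{m.group('scope')} launches '{tgt}' without an absolute path; "
                    f"locate the file and check its publisher and hash"))
            continue
        h = HOSTS_RE.match(line)
        if h and h.group("host").lower() != "localhost":
            findings.append(Finding(
                "hosts", h.group("host"),
                f"{h.group('host')} is mapped to {h.group('ip')}; confirm it was added "
                f"deliberately (hosts-file blocklist) rather than by malware"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.kind}] {f.name}: {f.detail}")
```

Run it against a saved DDS log by replacing SAMPLE_REPORT with the file's contents; anything it prints is a starting point for the usual checks (file location, digital signature, hash lookup), not a reason to delete the entry.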

tashi
2010-05-10, 18:15
Hello Tecolote,


This is not bumping, really. I don't intend to go to the end of the waiting line,

From the forum FAQ:

Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. In addition, helpers would think you are already being assisted because of the post count. :eek:


If you have waited four days or longer for assistance, please start a topic in this sub-forum and post with a link back to your topic in the Malware forum, so that we know who you are and your topic is not archived. Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days (http://forums.spybot.info/showthread.php?t=1137)

Best regards. :)

Jack&Jill
2010-05-14, 09:18
Hello and welcome to Safer Networking.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Under the Notification Type: title, make sure it is set to Instant notification by email, then click Add Subscription.

Please be patient with me during this time.

Jack&Jill
2010-05-14, 16:28
Hello Tecolote :),

Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.

Please observe and follow these Forum Rules (http://forums.spybot.info/showthread.php?t=288).
Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
Please read the instructions carefully and follow them closely, in the order they are presented to you.
If you have any doubts or problems during the fix, please stop and ask.
All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
If you do not reply within 3 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :) . We may begin.

--------------------


My PC is behaving awry and I believe it's a trojan banker. I may be wrong regarding the "species", but I'm sure it's infected. Can you help me?
What problems are you experiencing? I need more details. Any redirects, pop ups, or other symptoms?


I didn't install DDS to the desktop to keep it clean; instead, I installed it in the c:\Arquivos de Programas folder (the Program Files folder in this XP translation). Is that ok?
You can leave it there for the moment. I will be asking you to use another tool to check later. Please download and save it to the location that I am going to ask you to. We will be cleaning up after we are done, so no worries about messing up your desktop.


Second, when I made the backup of the registry, I checked the "Current User Registry" box... Sorry. Is that ok too?
It is alright.

Your Windows and Internet Explorer are quite outdated. Any reason for them being so? Outdated programs or software are magnets for malware and can be easily exploited.

--------------------

I do not see any Antivirus (AV) installed on your machine. AV is a very critical part of your system to keep it safe and clean. Without it, a computer can easily get infected. Please download and install an AV from one of the links below:

Avast (http://www.avast.com/eng/download-avast-home.html)
Avira (http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914)
Microsoft Security Essentials (http://www.microsoft.com/security_essentials/)

Please note that only one AV should be installed at a time.

--------------------

Please download OTL by OldTimer and save it to your desktop. Click here. (http://oldtimer.geekstogo.com/OTL.exe)

Double click on OTL.exe to run it.
Make sure all the Use SafeList options are checked (ticked). There are six of them.
Check Scan All Users.
At the lower right corner, check LOP Check and Purity Check.
Click on Run Scan at the top left hand corner. This might take a while.
When done, two Notepad files will open. Please post the contents of these 2 Notepad files in your next reply. One log per reply please.
Note: These files are saved as OTL.txt and Extras.txt on the desktop.

--------------------

Please post back:
1. More details of your problem
2. Reasons for Windows and IE being outdated
3. the OTL logs (OTL.txt and Extras.txt)

Jack&Jill
2010-05-16, 16:53
Hello Tecolote :),

It has been 2 days since my last post. Do you still need help? Any problems following my instructions? Need more time?

If I do not get any response within the next 24 hours, this topic will be closed.

Tecolote
2010-05-18, 00:47
Dear Jack&Jill

I'll be posting the logs from OTL soon. For the moment I just wanted to keep this thread alive; I'm not even sure if it's not closed already.

The reason why I use IE 6 is because the new version performs worse on my PC, and its interface really annoys me. But I can update it, if it's completely mandatory...

Same as why I don't use AVs. This is not a very fast machine, and they always slow it down. I believe more in careful web-surfing than in the power of AVs to prevent anything...

The symptoms of infection I detected include a temporary impossibility to open my Hotmail, and JPG images being saved as BMP. I can enter the webmail now, but the second problem still happens.

Soon to post the logs.

Thank you very much for your time.

Tecolote

Jack&Jill
2010-05-18, 03:09
Hello Tecolote :),

As tashi mentioned, the thread is still open. I saw that you logged on yesterday, so I thought to leave the topic open for one more day.

Running your computer without an AV and using outdated programs is a big risk with malware rampant these days. Even with the most careful surfing, you will still be exposed to a higher risk than if you have protection. You can never know when a good site will get hacked. By the time you realize your computer has been compromised, it is already too late. There will also be times when you will not even know that your computer has been compromised.

If you are concerned about performance, maybe it is about time to upgrade or get a new computer. However, the choice is yours. The point I am trying to make here is that if you always come to the forums for help due to inadequate protection, no one would take up your topics anymore because it will be a continuous cycle. Have you read through all the sticky topics in this forum? They will enlighten you on some of the things I have mentioned.

I will wait for your logs.

Jack&Jill
2010-05-21, 03:26
Hello Tecolote :),

Are you still with me?

Jack&Jill
2010-05-22, 03:27
Due to lack of response, this topic is now closed.

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. How to post a DDS log. (http://forums.spybot.info/showpost.php?p=1150&postcount=2)

If it has been less than three days since your last response and you need the thread re-opened, please send a private message (pm) to me or a MOD. A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

Everyone else please begin a New Topic.