Trojan Detected (Help Requested)

Well, the other day I was going to browse espn.com and I accidentally typed espn.c-m (without the dash; I don't want anyone copy/pasting that and having the same thing happen) and avast! gave me a Trojan detected alert (or Trojan Horse was Found). Anyway, the site apparently redirected me elsewhere to something like viralvideoss.notgoingtotypetherest. I did what avast! wanted and clicked abort connection for each instance of the detection. Now I haven't found/seen any adverse effects from this that would hint that the Trojan actually got through, but I was wondering if you guys could reassure me on this issue. UPDATE: Changed the http's to hxxp, so that no one can click on the links; big oversight on my part, sorry!

Here is the avast! log that was created upon the warning:

7/16/2009 7:27:44 PM 1247786864 SYSTEM 1592 Sign of "JS:Packed-T [Trj]" has been found in "hxxp://laverdad.0fees.net/index.php" file.
7/16/2009 7:27:45 PM 1247786865 SYSTEM 1592 Sign of "JS:Packed-T [Trj]" has been found in "hxxp://laverdad.0fees.net/pdf.php" file.

Also, in case it would make any difference, here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:36 AM, on 7/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\WINDOWS\system32\CTsvcCDA.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\WINDOWS\system32\SearchIndexer.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Microsoft IntelliType Pro\itype.exe
F:\Program Files\Microsoft IntelliPoint\ipoint.exe
F:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
F:\WINDOWS\system32\hphmon05.exe
F:\WINDOWS\system32\CTHELPER.EXE
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
F:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\SEC\Natural Color Pro\NCProTray.exe
F:\Program Files\Windows Desktop Search\WindowsSearch.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\Program Files\Windows Defender\MSASCui.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Apple Software Update\SoftwareUpdate.exe
F:\WINDOWS\system32\DllHost.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [itype] "F:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "F:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] F:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] F:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [SBDrvDet] F:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CTSysVol] F:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] F:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "F:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] "F:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: NCProTray.lnk = ?
O4 - Global Startup: Windows Search.lnk = F:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: f:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\nvlsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - hxxp://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe


End of file - 7881 bytes

Also, if it would help you to know what type of protection I use, it includes Windows Defender, avast! Home Edition, and Spybot. Thank you all in advance.
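As an added example (not part of the original thread or any poster's tooling), here is a small Python parser for HijackThis entry lines of the kind quoted above; it tallies the O10 Winsock LSP lines per DLL and lists O23 services whose owner HJT could not identify. The log excerpt inside the block is constructed from entries in the log above, and the section-code regex and field layout are assumptions based on that log's format.

```python
import re
from collections import Counter

# Constructed excerpt in HijackThis 2.0 log format, modelled on entries quoted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\nvlsp.dll
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# HJT entry lines start with a section code (R0, R1, O2, O4, O10, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


def parse_hjt(text):
    """Return one dict per entry line: section code, raw detail and the file path it names."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, blank or "Running processes" lines are not entries
        section, detail = m.groups()
        if section == "O10":
            path = detail.split("LSP:", 1)[1].strip()
        else:
            # For O2/O9/O23 the path is the last " - " separated field.
            path = detail.rsplit(" - ", 1)[-1].strip().strip('"')
        entries.append({"section": section, "detail": detail, "path": path})
    return entries


def triage(entries):
    """Summarise the two things a helper looks at first in a log like this one."""
    # One O10 line per Winsock catalog entry is normal for a layered service provider, so the
    # same DLL showing up several times is a count to compare with LSPFix's result, not by
    # itself a reason to remove anything.
    lsp_dlls = Counter(e["path"].lower() for e in entries if e["section"] == "O10")
    unknown_owner = [e["path"] for e in entries
                     if e["section"] == "O23" and "Unknown owner" in e["detail"]]
    return {"lsp_dlls": dict(lsp_dlls), "unknown_owner_services": unknown_owner}


if __name__ == "__main__":
    report = triage(parse_hjt(SAMPLE_LOG))
    for dll, n in report["lsp_dlls"].items():
        print(f"LSP dll {dll} listed {n} times")
    for exe in report["unknown_owner_services"]:
        print(f"service binary with unknown owner: {exe}")
```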

Well, if Avast! did detect the virus, I don't think it spread on your PC. If you want, you can do a quick scan with Avast! to see if all is OK. Then, if nothing is detected, all should be fine.

Hi:

Always best to get a "2nd opinion" from other security programs, and nowadays "Malwarebytes' Anti-Malware" (www.malwarebytes.org/mbam.php) and "SUPERAntiSpyware" (www.superantispyware.com) are the 2 best choices, and they come in FREE versions. Much better than the no longer top Spybot program.

Hi skibo8826,

With HijackThis we found the following; do not fix, rather repair using LSPfix, see below:

O10 - Unknown file in Winsock LSP: f:\windows\system32\nvlsp.dll

Check your hard disc drive with LSPFix from Cexx.org. This entry should not be fixed! Your best bet to repair it is to try the LSPFix from Cexx.org.

O10 - Unknown file in Winsock LSP: f:\windows\system32\nvlsp.dll

Check your hard disc drive with LSPFix from Cexx.org. This entry should not be fixed! Your best bet to repair it is to try the LSPFix from Cexx.org.

O10 - Unknown file in Winsock LSP: f:\windows\system32\nvlsp.dll

Check your hard disc drive with LSPFix from Cexx.org. This entry should not be fixed! Your best bet to repair it is to try the LSPFix from Cexx.org.

O10 - Unknown file in Winsock LSP: f:\windows\system32\nvlsp.dll

Check your hard disc drive with LSPFix from Cexx.org. This entry should not be fixed! Your best bet to repair it is to try the LSPFix from Cexx.org.

Download LSPfix as a zipfile from here: http://www.cexx.org/lspfix.zip
The file can be unzipped in a folder named lspfix on a USB stick or pendrive.
If your computer cannot handle zip files download the executable here: http://www.cexx.org/LSPFix.exe
together with this txt file from here: http://www.cexx.org/lspfix.txt
Another Winsock repair tool can be found here: http://www.iup.edu/house/resnet/WinsockXPFix.exe - a Winsock repair utility designed for Windows XP.

polonus


EDIT :

Polonus posted while I was writing. I posted anyway since mine included the tasks that were running when the HJT log was created.

An analysis of your HJT log shows the following problems :

O10 - Unknown file in Winsock LSP: f:\windows\system32\nvlsp.dll
Check your hard disc drive with Spybot S&D from Kolla.de or LSPFix from Cexx.org. This entry should not be fixed! Your best bet to repair it is to try the LSPFix from Cexx.org.

(there are a total of 4 entries in a row for the above)

Overview of running tasks:

smss.exe
System task
Session Manager Subsystem

winlogon.exe
System task
Microsoft Windows Logon Process

services.exe
System task
Windows Service Controller

lsass.exe
System task
Local Security Authority Service

Ati2evxx.exe
Driver
ATI Display Adapter Assistant

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

Ati2evxx.exe
Driver
ATI Display Adapter Assistant

aswUpdSv.exe
Virusscan
Avast Anti-Virus Component

ashServ.exe
Virusscan
Avast

spoolsv.exe
System task
Microsoft Printer Spooler Service

AppleMobileDeviceService.exe
Backgroundtask
Apple Mobile Device Service

mDNSResponder.exe
Backgroundtask
Bonjour for Windows Component

CTsvcCDA.exe
Backgroundtask
Creative CD-ROM Services

svchost.exe
System task
Microsoft Service Host Process

MsPMSPSv.exe
Backgroundtask
WMDM PMSP Service

SearchIndexer.exe
System task
Search Indexer

iTunesHelper.exe
Application
Apple Itunes

hpztsb09.exe
Backgroundtask
Hewlett Packard Taskbar Utility

hpcmpmgr.exe
Application
HP Component Manager

HPWuSchd2.exe
Backgroundtask
Hewlett Packard Software Update Scheduler

hphmon05.exe
Application
Hewlett Packard Card Reader

CTHELPER.EXE
System task
CTHELPER is a background task that is a plug-in manager for Creative drivers.

RTHDCPL.EXE
Driver
Realtek HD Audio Sound Effect Manager

CTSysVol.exe
Driver
Creative Volume Manager

CTDVDDet.EXE
Driver
CTDVDDet

ctfmon.exe
System task
Alternative User Input Services

TeaTimer.exe
Application
Spybot S&D Realtime Scanner

svchost.exe
System task
Microsoft Service Host Process

NCProTray.exe
Backgroundtask
NCPro

WindowsSearch.exe
Backgroundtask
Windows Desktop Search Tray

iPodService.exe
Backgroundtask
Apple iTunes

cli.exe
Application
ATI Catalyst

cli.exe
Application
ATI Catalyst

MsMpEng.exe
Anti Add/Spyware software
Microsoft Windows Defender Antispyware

MSASCui.exe
Anti Add/Spyware software
Microsoft Windows Defender Antispyware

firefox.exe
Application
Mozilla Firefox

SoftwareUpdate.exe
Unknown task
Unknown task

DllHost.exe
System task
Microsoft DCOM DLL Host Process

HijackThis.exe
Application
Merijn Hijackthis


Avast! 4.8 Home, Malwarebytes 1.39 Free, Windows Defender and a 2-way firewall would be a great choice and very secure. SAS does the same thing as MBAM, but tracking cookies are still not dangerous. So if you want, you can also choose 2 browsers of your choice to go with it, like IE8, Safari, Firefox, Chrome, Opera… For me it's IE8 and Safari, so you can choose 2 of them from your list so you have 2 browsers to surf with. Also make sure all your programs are up to date, and make sure Windows Automatic Updates are on, for Windows and Microsoft only.

Hi Mr.Agent,

All good and well, but first the victim has to repair with the given Winsock repair utility; then later he can check using both SAS and MBAM.

polonus

Unknown file in Winsock LSP: f:\windows\system32\nvlsp.dll appears to be a legit entry, why are you recommending removal? http://www.systemlookup.com/lists.php?list=9&type=filename&search=nvlsp.dll&s=

Well, there's no point in using both MBAM and SAS. For me, when Windows Defender is gone it will be another point that I will keep MBAM and Avast! for my scanners. But for now I've got Windows Defender, so later I won't. But I don't care about SuperAntiSpyware, because it does the same great job as MBAM, so I also find tracking cookies not needed. I've got the maximum comfort for my CPU with my current protection. I also play games and do a lot of work, so I can say none of my protection annoys me while I work, for now. So all is fine and nothing is slowing down my CPU.

Hmm, I dl'ed LSPfix and while it shows nvLsp.dll it says there are no problems found, and it does nothing to actually repair the file. After clicking finish, I receive a message that says there are no changes necessary, so unless I misread your instructions and I do need to remove the file, where do I go from here?

This entry should not be fixed! Your best bet to repair it is to try the LSPFix from Cexx.org. ← That is the part that is confusing me: it says that the entry should not be fixed, but to fix it with LSPFix. Just confuses me a bit, that's all.

Leave it alone, it's a legit Nvidia entry. Your HJT log is clean.

Hi skibo8826 and micky77,

HJT denoted the files for a fix with a Winsock repair tool; no one said something should be fixed or removed, right? So if LSPfix did not turn up anything, I would leave it at that. What you could do is check nvlsp.dll against the scanners at virustotal.com: upload nvlsp.dll there and report back here. Then we have to consider an FP, which could also be in the bargain. To remove or delete a file is always the worst option: first check; if good, leave it; if suspicious, put it in the chest or quarantine and then, after the FP has been solved, put it back.
Determining whether nvlsp.dll is a virus or a legitimate Windows DLL depends on the directory location it executes or runs from, therefore check at virustotal.com.
nvlsp.dll - this entry is classified as legitimate.
It is either part of a legitimate program or the operating system itself. Removal is not needed.

polonus

Ok, thank you very much Micky, Polonus, Agent, Charley, and Spirit. I appreciate your help/guidance with my issue. It's always better to be reassured by people who know their stuff than just assuming.

Update: Going to check the entry at VirusTotal to be sure, and then I will get back to you guys.

You're welcome.

It's not only us who helped you, but Avast! also.

I had the same kit you've got, but my old computer did get owned. I would recommend you do what I said for a nice protection kit.

2-way firewall (Vista Firewall (only Vista users can have it) - Online Armor - Outpost - PC Tools - Zone Alarm)

If you use the XP Firewall it's not enough, because it's only 1-way. So you should use a 2-way one like I said above.

Mr.Agent

Polonus, here are the results of the VirusTotal scan:

MD5: 811e21413f1fe69c6bb6af2c7870aae9
First received: 2009.06.15 07:42:07 UTC
Date: 2009.07.17 17:44:04 UTC [>2D]
Results: 0/40

and the link if you wish:

https://www.virustotal.com/analisis/58df81d7ad2060feae18377e4ee5e1589a7c8d07a179077ed395be5f05ab1d44-1247852644

Hi skibo8826,

Then you have established yourself that the dll is safe. According to me, and I think also the others, your computer is now as clean as a whistle. Come here often for consultations and also start to help others; welcome to these here forums. That you will stay safe and secure online and in the real world is the wish and command of,

polonus (malware fighter)


No removal nor fix was suggested. In fact, the suggestion was to not fix the entry.

O10 - Unknown file in Winsock LSP: f:\windows\system32\nvlsp.dll Check your hard disc drive with Spybot S&D from Kolla.de or LSPFix from Cexx.org. This entry should not be fixed! Your best bet to repair it is to try the LSPFix from Cexx.org.

Only a repair was suggested using LSPFix. As Polonus stated above, if nothing was repaired using LSPFix, then all should be OK. Skibo’s last post above confirms this with the VirusTotal results.

The thing is that nvlsp.dll should not show up in HJT in the manner it did in skibo’s HJT log. I have this same dll and when I run HJT, it does not show up in the same manner as it did in skibo’s log which made it seem suspicious to HJT and possibly in need of repair.

In the end, all is OK for skibo where nvlsp.dll is concerned. I would now suggest you follow Spiritsong’s suggestion to use either MBAM or SAS for the possible trojan problem just as an extra measure of safety.


Charley, I know you were not suggesting using HJT to fix the entry. Using LSP-fix would have removed it. I think he did not know how to use the program: http://www.bleepingcomputer.com/tutorials/tutorial59.html

The fact of the matter is, the probable reason this 'unknown' entry was there is that HJT is no longer updated. This is probably a new file from Nvidia. HijackThis is becoming a relic; this is why other forums no longer use it.

Yeah, to clarify, I was not 100% on how to use the program; however, I did find the instructions a bit confusing, just because I normally consider fix and repair to be synonymous. I understand now that they were simply terms of the programs being used.

Hi micky77,

Agree with you that the developer of HJT left the program in the hands of an AV that has not actually seemed to develop it further; it is still useful for a quick and dirty check. Also, the tool should be used properly and installed in the right place in C: Programs/etc… Not everyone has gone on to use Freefixer, a similar tool that is still developed. I also would run Silent Runners, while newer tools have become available like DDS and ComboFix.

polonus