
Trojan Horse BHO, Obfustat.ADMO & Smitfraud-C



confuseduser
2007-12-26, 17:50
Hello,
My first time asking for help.
I noticed that my IE was being rerouted to a site that was restricted by IE called daily-search.com when I did a google search. I installed AVG to search for problems and I started getting "Threat Found" warnings about Trojan Horse BHO.
I downloaded HijackThis and clicked "Analyse This" and found your forum to send info to for help.

I followed the instructions from Tashie called "Before you Post".
1) I had Spybot installed already.
2) I ran an online scan with Kaspersky Online Scanner, which I have copied/pasted into my request (I turned off the AVG program when I did the search).
3) I ran Spybot in safe mode and it got rid of something called "Smitfraud-C". (When I would run Spybot in normal mode it would just show up again and again, never getting rid of it. It is gone now though.)
4) I downloaded Trend Micro HijackThis 2.0.2 and saved a log, which I have copied/pasted into this request.

Now I am getting a "Threat Found" warning from AVG for another Threat called "Obfustat.Admo"

Since starting all this cleanup the PC has slowed down and I could not connect to the internet, so I am sending this request from a laptop I have. My wireless network still seems to be working though. The firewall on the PC has been turned off by something and will not turn back on because a certain service is not running.

Should I wipe the machine and begin again or is there help for me? I have reached the limit of what I know to do.

ConfusedUser



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:46 AM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4E644AA3-8B2D-48FF-99C5-C19F0FA92ED2} - C:\WINDOWS\system32\dxtransc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8ADAD768-4AFF-4655-9CF5-424C7AEC3C1B} - c:\windows\system32\browserg.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://avery1.mcsk12.net/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137263987614
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O20 - Winlogon Notify: ibajinoi - C:\WINDOWS\SYSTEM32\browserg.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 4446 bytes
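The entries worth attention in the log above are the two unnamed O2 BHOs loaded from system32 (dxtransc.dll, browserg.dll), the O20 Winlogon Notify package with a random-looking subkey name (ibajinoi) that points at the same browserg.dll, and the O16 ActiveX downloads. The Python below, an added triage example that is not part of HijackThis or of this post, parses those HJT line types and ranks them; it is fed the lines copied from the log above. The default Winlogon Notify DLL list and the trusted O16 host list are assumptions made for illustration, not HijackThis's own whitelist, and the script does not touch the machine, it only reads log text.

```python
"""Triage a HijackThis 2.0 log for the hijack indicators seen in this thread.

Added example for this thread, not part of HijackThis or of the original post.
The two lists below are assumptions made for illustration, not HJT's own whitelist.
"""
import re
from collections import defaultdict

# Windows XP default Winlogon Notify DLLs (assumed list; extend for your build).
DEFAULT_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                       "sclgntfy.dll", "wlnotify.dll"}
# Hosts an O16 ActiveX download is expected from on this machine (assumed list).
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "www.kaspersky.com",
                     "downloads.ewido.net", "cdn2.zone.msn.com"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>.+?)\) - (?P<url>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

# Lines copied from the first HijackThis log posted above.
SAMPLE_HJT_LINES = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4E644AA3-8B2D-48FF-99C5-C19F0FA92ED2} - C:\WINDOWS\system32\dxtransc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8ADAD768-4AFF-4655-9CF5-424C7AEC3C1B} - c:\windows\system32\browserg.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://avery1.mcsk12.net/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137263987614
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O20 - Winlogon Notify: ibajinoi - C:\WINDOWS\SYSTEM32\browserg.dll
"""


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_windows_dir(path):
    """True when the path sits under the Windows directory (system32 included)."""
    p = path.lower().replace("/", "\\")
    return "\\windows\\" in p or "\\winnt\\" in p


def host_of(url):
    m = re.match(r"^[a-z]+://([^/]+)", url, re.I)
    return m.group(1).lower() if m else ""


def triage(log_text):
    """Return (severity, reason, evidence) findings, most severe first."""
    findings = []
    dll_users = defaultdict(set)  # dll basename -> HJT sections that load it
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            dll_users[basename(m["path"])].add("O2")
            # Legitimate BHOs are named and live under Program Files.
            if m["name"] == "(no name)" and in_windows_dir(m["path"]):
                findings.append(("suspicious", "unnamed BHO loaded from the Windows directory", line))
        elif m := O16_RE.match(line):
            if host_of(m["url"]) not in TRUSTED_DPF_HOSTS:
                findings.append(("review", "ActiveX control from a host not on the trusted list", line))
        elif m := O20_RE.match(line):
            dll = basename(m["path"])
            dll_users[dll].add("O20")
            if dll not in DEFAULT_NOTIFY_DLLS:
                findings.append(("suspicious", "non-default Winlogon Notify package", line))
    # One DLL hooking both the browser (BHO) and the logon process (Winlogon
    # Notify) is one implant with two loading points, and the strongest signal here.
    for dll, sections in dll_users.items():
        if {"O2", "O20"} <= sections:
            findings.append(("high", f"{dll} is registered as both a BHO and a Winlogon Notify DLL", dll))
    order = {"high": 0, "suspicious": 1, "review": 2}
    findings.sort(key=lambda f: order[f[0]])
    return findings


if __name__ == "__main__":
    for sev, reason, evidence in triage(SAMPLE_HJT_LINES):
        print(f"[{sev:10}] {reason}: {evidence}")
```

Run on the lines above it reports browserg.dll as high (both O2 and O20), the two system32 BHOs and the ibajinoi Notify entry as suspicious, and the iNotes6 control as something to review rather than remove: an unlisted download host is a question for the machine's owner, not evidence of malware. The Spybot SDHelper BHO is unnamed too but lives under Program Files, which is why the check keys on location as well as the missing name.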

Blade81
2007-12-29, 19:14
Hi

1. Download this file -
combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

confuseduser
2007-12-30, 18:32
Thank you for helping.
I followed your instructions and have included the log you requested.


ComboFix 07-12-21.4 - Nathan 2007-12-30 9:33:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.246 [GMT -6:00]
Running from: F:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\browserg.dll
C:\WINDOWS\system32\drivers\efnepenm.dat
C:\WINDOWS\system32\dxtransc.dll
C:\WINDOWS\system32\rpcc.exe
C:\WINDOWS\Tasks.\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CHOSJTCL
-------\LEGACY_ZFTHQORM
-------\chosjtcl
-------\zfthqorm


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 )))))))))))))))))))))))))))))))
.

2007-12-24 10:44 . 2007-12-24 10:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-24 10:44 . 2007-12-24 10:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-24 10:41 . 2007-12-24 10:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-23 21:26 . 2007-12-23 21:27 <DIR> d-------- C:\Documents and Settings\Robert\Application Data\AVG7
2007-12-23 21:23 . 2007-12-23 21:23 <DIR> d-------- C:\Documents and Settings\Michelle\Application Data\AVG7
2007-12-23 21:18 . 2007-12-23 21:20 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\AVG7
2007-12-23 20:50 . 2007-12-30 09:27 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\AVG7
2007-12-23 20:50 . 2007-12-23 20:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-23 20:49 . 2007-12-23 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-23 20:49 . 2007-12-23 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-16 19:04 . 2007-12-16 19:04 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-12-16 19:04 . 2007-12-16 19:04 741,632 --a------ C:\WINDOWS\system32\tgrkwtbn.dat
2007-12-16 19:04 . 2007-12-16 19:04 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2007-12-16 19:04 . 2007-12-19 07:12 42,240 --a------ C:\WINDOWS\system32\jzyufsue.dat
2007-12-16 19:04 . 2007-12-16 19:04 36,096 --a------ C:\WINDOWS\system32\eexryvps.dat
2007-12-16 19:04 . 2007-12-16 19:04 35,072 --a------ C:\WINDOWS\system32\ioehbfuh.dat
2007-12-16 10:32 . 2007-12-16 10:32 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Apple Computer
2007-12-16 08:48 . 2007-12-23 21:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-16 08:48 . 2007-12-16 08:48 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-16 08:47 . 2007-12-16 08:47 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\Apple Computer
2007-12-12 18:53 . 2007-12-25 11:38 120,576 --a------ C:\WINDOWS\system32\duylarom.dat
2007-12-12 18:47 . 2007-12-23 19:38 84,992 --a------ C:\WINDOWS\system32\browserg.dll.bak
2007-12-12 18:46 . 2007-12-25 11:40 <DIR> d-------- C:\WINDOWS\system32\AppCert
2007-12-01 22:39 . 2007-12-01 22:41 <DIR> d-------- C:\Documents and Settings\Michelle\Application Data\CTdeveloping
2007-11-14 19:05 . 2007-07-09 07:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-13 19:29 . 2007-11-13 19:29 0 --a------ C:\Documents and Settings\Kevin\HC4Installer.exe
2007-11-13 19:17 . 2007-11-13 19:17 22,773,742 --a------ C:\BellSouthIW.re~
2007-11-13 19:17 . 2005-07-12 00:28 69,632 --a------ C:\WINDOWS\system32\MCCDevice.dll
2007-11-13 19:17 . 2005-07-12 00:28 6,048 --a------ C:\WINDOWS\system32\MCC16.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-25 19:54 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-12-24 04:39 --------- d-----w C:\Program Files\ewido anti-spyware 4.0
2007-12-24 03:45 --------- d-----w C:\Program Files\Google
2007-12-24 03:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-24 03:40 --------- d-----w C:\Program Files\Apple Software Update
2007-12-24 03:40 --------- d-----w C:\Documents and Settings\Michelle\Application Data\Lavasoft
2007-12-24 01:53 --------- d--h--w C:\Documents and Settings\Michelle\Application Data\Move Networks
2007-12-02 04:48 --------- d-----w C:\Program Files\Juno6
2007-11-14 01:17 --------- d-----w C:\Program Files\Common Files\Motive
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-03-29 17:57 6,980,738 ----a-w C:\Documents and Settings\Michelle\HC4Installer.exe
2006-01-13 01:06 184,680 ----a-w C:\Documents and Settings\Michelle\Application Data\shb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-23 20:53]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-23 20:49]

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 00:29]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 06:11]

*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-30 09:48:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-30 9:51:18 - machine was rebooted
.
2007-12-21 22:53:17 --- E O F ---

Blade81
2007-12-30, 18:39
Hi

Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\tgrkwtbn.dat
C:\WINDOWS\system32\libssl32.dll
C:\WINDOWS\system32\jzyufsue.dat
C:\WINDOWS\system32\eexryvps.dat
C:\WINDOWS\system32\ioehbfuh.dat
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\system32\duylarom.dat
C:\WINDOWS\system32\browserg.dll.bak

Folder::
C:\WINDOWS\system32\AppCert



Save this as CFScript


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log.


Combofix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happened we want to know, and also what process you had to end.

confuseduser
2007-12-30, 19:19
I followed your instructions. Here are the two logs you requested.

ComboFix 07-12-21.4 - Nathan 2007-12-30 12:02:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.284 [GMT -6:00]
Running from: C:\Documents and Settings\Nathan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nathan\Desktop\CFScript.txt

FILE
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\browserg.dll.bak
C:\WINDOWS\system32\duylarom.dat
C:\WINDOWS\system32\eexryvps.dat
C:\WINDOWS\system32\ioehbfuh.dat
C:\WINDOWS\system32\jzyufsue.dat
C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\libssl32.dll
C:\WINDOWS\system32\tgrkwtbn.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\AppCert
C:\WINDOWS\system32\AppCert\filter.drv
C:\WINDOWS\system32\AppCert\options.dat
C:\WINDOWS\system32\AppCert\prx93f.dll
C:\WINDOWS\system32\AppCert\wsil32.dll
C:\WINDOWS\system32\browserg.dll.bak
C:\WINDOWS\system32\duylarom.dat
C:\WINDOWS\system32\eexryvps.dat
C:\WINDOWS\system32\ioehbfuh.dat
C:\WINDOWS\system32\jzyufsue.dat
C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\libssl32.dll
C:\WINDOWS\system32\tgrkwtbn.dat

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 )))))))))))))))))))))))))))))))
.

2007-12-24 10:44 . 2007-12-24 10:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-24 10:44 . 2007-12-24 10:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-24 10:41 . 2007-12-24 10:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-23 21:26 . 2007-12-23 21:27 <DIR> d-------- C:\Documents and Settings\Robert\Application Data\AVG7
2007-12-23 21:23 . 2007-12-23 21:23 <DIR> d-------- C:\Documents and Settings\Michelle\Application Data\AVG7
2007-12-23 21:18 . 2007-12-23 21:20 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\AVG7
2007-12-23 20:50 . 2007-12-30 09:27 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\AVG7
2007-12-23 20:50 . 2007-12-23 20:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-23 20:49 . 2007-12-23 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-23 20:49 . 2007-12-23 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-16 10:32 . 2007-12-16 10:32 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Apple Computer
2007-12-16 08:47 . 2007-12-16 08:47 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\Apple Computer
2007-12-01 22:39 . 2007-12-01 22:41 <DIR> d-------- C:\Documents and Settings\Michelle\Application Data\CTdeveloping
2007-11-14 19:05 . 2007-07-09 07:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-13 19:29 . 2007-11-13 19:29 0 --a------ C:\Documents and Settings\Kevin\HC4Installer.exe
2007-11-13 19:17 . 2007-11-13 19:17 22,773,742 --a------ C:\BellSouthIW.re~
2007-11-13 19:17 . 2005-07-12 00:28 69,632 --a------ C:\WINDOWS\system32\MCCDevice.dll
2007-11-13 19:17 . 2005-07-12 00:28 6,048 --a------ C:\WINDOWS\system32\MCC16.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-25 19:54 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-12-24 04:39 --------- d-----w C:\Program Files\ewido anti-spyware 4.0
2007-12-24 03:45 --------- d-----w C:\Program Files\Google
2007-12-24 03:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-24 03:40 --------- d-----w C:\Program Files\Apple Software Update
2007-12-24 03:40 --------- d-----w C:\Documents and Settings\Michelle\Application Data\Lavasoft
2007-12-24 01:53 --------- d--h--w C:\Documents and Settings\Michelle\Application Data\Move Networks
2007-12-02 04:48 --------- d-----w C:\Program Files\Juno6
2007-11-14 01:17 --------- d-----w C:\Program Files\Common Files\Motive
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-03-29 17:57 6,980,738 ----a-w C:\Documents and Settings\Michelle\HC4Installer.exe
2006-01-13 01:06 184,680 ----a-w C:\Documents and Settings\Michelle\Application Data\shb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-23 20:53]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-23 20:49]

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 00:29]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 06:11]

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-30 12:09:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\AppCert\wsil32.dll
.
Completion time: 2007-12-30 12:09:54
C:\ComboFix2.txt ... 2007-12-30 09:51
.
2007-12-21 22:53:17 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:14 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://avery1.mcsk12.net/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137263987614
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 4224 bytes
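One detail in the second ComboFix log above deserves a second look before calling the machine clean: "DLLs Loaded Under Running Processes" shows winlogon.exe with C:\WINDOWS\system32\AppCert\wsil32.dll mapped, even though the whole AppCert folder appears under "Other Deletions" in the same run. That is consistent with the file having been removed from disk while the process still had it loaded, which is why the verification matters after the reboot rather than before it. The folder name matches the AppCertDlls loading point (a DLL list under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager), but the posted logs do not show that registry key, so that is an inference from the name, not something this thread establishes. The Python below is an added example, not part of ComboFix or of this post: it parses ComboFix's section headers and reports any deleted file, or any file inside a deleted folder, that the same log still lists as loaded in a running process. The embedded log is an abridged copy of the one posted above.

```python
"""Cross-check a ComboFix log: which deleted files were still mapped into a process?

Added example for this thread, not part of ComboFix or of the original post.
It reads the section headers ComboFix prints and needs nothing beyond the log text.
"""
import re

# "((((( Title )))))" and "----- Title -----" headers, as ComboFix prints them.
PAREN_HDR = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")
DASH_HDR = re.compile(r"^-{3,}\s*(?P<title>.+?)\s*-{3,}$")

# Abridged copy of the second ComboFix log posted above.
SAMPLE_COMBOFIX_LOG = r"""
ComboFix 07-12-21.4 - Nathan 2007-12-30 12:02:50.2 - NTFSx86
Command switches used :: C:\Documents and Settings\Nathan\Desktop\CFScript.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\QTFont.for
C:\WINDOWS\system32\AppCert
C:\WINDOWS\system32\AppCert\filter.drv
C:\WINDOWS\system32\AppCert\wsil32.dll
C:\WINDOWS\system32\browserg.dll.bak

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-23 20:53]

**************************************************************************
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\AppCert\wsil32.dll
.
Completion time: 2007-12-30 12:09:54
"""


def parse_sections(log_text):
    """Map each section title to its non-empty body lines (ComboFix's lone '.' is skipped)."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PAREN_HDR.match(line) or DASH_HDR.match(line)
        if m:
            current = m["title"]
            sections.setdefault(current, [])
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def deleted_but_still_loaded(log_text):
    """Return (process, dll) pairs where the DLL, or its parent folder, is listed
    under 'Other Deletions' yet still appears under 'DLLs Loaded Under Running Processes'."""
    s = parse_sections(log_text)
    deleted = {p.lower() for p in s.get("Other Deletions", []) if "\\" in p}
    hits, proc = [], None
    for line in s.get("DLLs Loaded Under Running Processes", []):
        if line.startswith("PROCESS:"):
            proc = line.split(":", 1)[1].strip()
        elif line.startswith("->") and proc:
            dll = line[2:].strip()
            d = dll.lower()
            # Exact match, or the DLL sat inside a folder that was deleted whole.
            if d in deleted or any(d.startswith(folder + "\\") for folder in deleted):
                hits.append((proc, dll))
    return hits


if __name__ == "__main__":
    for proc, dll in deleted_but_still_loaded(SAMPLE_COMBOFIX_LOG):
        print(f"{proc} still had {dll} loaded after it was deleted; re-check after reboot")
```

On the log above it returns exactly one pair, winlogon.exe and wsil32.dll. A clean follow-up log would show nothing under that heading for the deleted paths; if the same DLL reappears after the reboot, the file was re-dropped and the loading point that writes it is still live.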

Blade81
2007-12-30, 19:36
Good :) Now let's clean some temporary files and then do a final check with Kaspersky scanner.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please do an online scan with
Kaspersky
WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available, otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan: Select My Computer

This program will start and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete it will display whether your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information and a fresh hjt log in your next post.




Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problem doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.


PS. ewido anti-spyware 4.0 is nowadays AVG Antispyware. You can grab it here (http://free.grisoft.com/doc/20/us/frt/0). I recommend uninstalling old version first.

confuseduser
2007-12-30, 20:24
I have been able to do the ATFCleaner but cannot get a connection to the internet to do the Kaspersky Scan or the Webscanner.

I have a Linksys compact wireless-G USB Adapter on this PC to connect to my wireless network. It says that it is connected to the network but my IE 7 cannot connect to any websites.
At the bottom of the IE window it says
"waiting for res://ieframe.dll/dnerror/diagoff/htm" before it says done. "Internet Explorer cannot display the webpage"

Blade81
2007-12-31, 08:55
Hi

Is the connection to the internet working at all? Since when hasn't it worked?

confuseduser
2007-12-31, 19:25
It stopped working before my first post as I was following the directions Tashi posted on your forum.

I think it happened after I booted in safe mode and ran Spybot. During that scan Spybot got rid of Smitfraud-C. Since then I have not been able to connect to the internet on that machine. I have Downloaded everything you have asked me to do on a flash drive on my laptop and saved it on the desktop of the PC to run it.

My wireless network is still working because I am using it now. It seems to be something keeping the Internet Explorer application from opening the websites on the PC. The icon in the system tray on the PC showing the Wireless adapter status shows that it is connected to the access point just not seeing the internet.

Blade81
2008-01-01, 14:52
Hi

It's difficult to say what's causing the connection problem. You might want to ask at PC Pitstop (http://forums.pcpitstop.com). They have people who are better with WLAN related things than I am. :)

Blade81
2008-01-08, 16:56
Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.