my pc's problem (with Worm/Generic.DHT)
hello there,
I've been having some problems with my computer. These past 3 hours my router/modem (called Fritz box) has reset itself about 20 times.
My AVG resident shield has popped up 2 times to ask me about a threat detected: once about the Brute Force Uninstaller (which I haven't used in more than a year) and now about Hijack this. More specifically:
While opening file: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Virus identified Worm/Generic.DHT
The weird thing is that at both those times I wasn't (actively) scanning my pc.
Both times I opted for the 'Heal' option and received a successful heal answer from AVG Free 7.5.
So... I am starting this thread just to not forget it and will eventually post the HJT log after I've done all the things you require I do before that.
PS. Btw, from the Firewall programs you recommend, which is a simple one that is also completely freeware?
Comments
Step 1
ATF cleaner: done
firefox: cleaned
Step 2
Ad-Aware 2007
Critical Objects NONE
Privacy Objects: 1 -> removed
Spybot Search & Destroy 1.4: up to date - no REDS found - immunized
Javacools SpywareBlaster: okay, I just installed this, as you described
Step 3
Panda ActiveScan's results:
These complete scans take a long time and my router is resetting very often, so I'll eventually complete all the steps and in the end will post here my HJT log.
Kaspersky
its results
I installed Comodo Firewall Pro (thoroughly freeware!) with all the recommended options. Then I rebooted my pc, as prompted. On starting windows again the firewall asked me if I should allow 3-4 instances of the svchost.exe file to run. I noticed that I had no internet without them, so I did allow them to execute.
Step 5 - Antivirus
I already had AVG free 7.5 and AVG anti-spyware 7.5, both of which I updated daily. With them I also scan whatever I d/l before I run it. AVG Free 7.5 is fully active and so is its resident shield.
Step 6
I keep my (authentic) Win XP with SP2 updated on a weekly basis.
Step 7
I used to have HJT 1.99 (with which I have made my previous topics on the former version of this forum). Then, I installed the most recent version of HJT, 2.0.2, I think.
One problem with HJT is that yesterday, AVG's resident shield detected (without my running the antivirus program) a virus (Worm/Generic.DHT) in the Hijackthis.exe, even though I hadn't run it for weeks. It then prompted me for what to do and I chose the 'Heal' option and then it reported success on this. I tried uninstalling it, through my control panel, but the .exe was nowhere to be found.
Therefore I re-downloaded the most recent installer (from your site), but I am afraid the last uninstall and the re-install of Hijackthis may be kind of botched.
I will now be posting a log of HJT.
http://icrontic.com/forum/showthread.php?t=43902
My control panel could not uninstall it and then simply asked me if I wanted to have it not appear in the list of 'Add/Remove applications'
Now, when I try to install a 'fresh' version of the HJT installer (taken from the above link), AVG's resident shield pops up with this message:
Therefore, I can't run HJT yet. What do I do?
Note: while running the two online scans, AVG's resident shield popped up with files infected by a virus called Obfurstadt.MAX (spelling?) and other times other files infected with Worm/Generic.DHT.
All those times, I prompted it to heal them and it reported success.
To conclude, this last week my modem-router (called Fritz box... nvm) is resetting often. This morning it was at an all time high, rebooting roughly every 10 minutes. In a couple of trusted forums I visit, I've been having problems with the cookies that keep me logged in - I have to log in again and again and again...
And today AVG's resident shield starts reporting finds with those 2 viruses.
I'd post a HJT log if you could first tell me how to make a clean uninstall of it and then re-install (without AVG popping up and warning me)
Thanks for all your time.
I apologize for not posting in the 72-hour thread, but I can't because I am not allowed to. I can't even see the 'quick reply' form there and when I try to use the 'new reply' button I get this:
Anyway, to recap, things may be a bit serious: my modem/router resets itself unexpectedly often and I have problems with cookies with some forums I have signed up in - which I trust. I log in and can't stay logged in and have to manually log in every time I visit a new page or may refresh the page I am in. AVG Free 7.5's resident shield often detects files infected with several viruses (read in my thread above) and then claims to successfully heal them. I don't know. Especially since after running the 2 online a/v scans you ask in the '8 steps to take before posting a HJT log', the results are that my pc is infected with several viruses, malware and rootkits, not all of which are healed. Furthermore, I can't use HJT. The uninstallation of a previous version was botched and when I try to install the latest version (downloaded from the link you provide) AVG's resident shield pops up and tells me that the HJT .exe (the one already installed, not the one I try to install) is infected (see above in this thread). So, I can't even get HJT to run, or at least, I don't see how.
Thanks for all your help in the past, but, please, help me again.
AVG detecting HijackThis was a false positive. Update AVG, and this problem should be gone.
Delete the Trend Micro folder in C:\Program Files and download a new copy. See if that works.
Scan saved at 11:42:03 πμ, on 13/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maps.flash.gr/inc/activex/mgaxctrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
--
End of file - 7866 bytes
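A small triage script for HijackThis-format log lines, added here as an example and not code from the forum or from the HijackThis project. It parses the Running processes list and the O2 (BHO), O4 (autorun) and O23 (service) entries and flags the items a reviewer would check first: executables outside C:\WINDOWS and Program Files, Windows system-binary names found outside C:\WINDOWS, autoruns in Temp or Application Data folders, unnamed BHOs, and services with no recorded owner. The trusted-root list, the severities and the [example] Temp-folder autorun in the sample are assumptions constructed for the demonstration; the other sample lines are copied from the log above.

```python
"""HijackThis log triage (added example, not the forum's or HijackThis's own code).

Parses the 'Running processes' list and O2 (BHO), O4 (autorun) and O23
(service) lines and reports the entries a reviewer would check first.
The trusted roots, severities and system-binary list are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the log above plus one constructed
# Temp-folder autorun ([example]) so the high-severity rule has something to flag.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Comodo\Firewall\CPF.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKCU\..\Run: [example] C:\DOCUME~1\GusNukem\LOCALS~1\Temp\example.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
"""

# Assumed policy: program roots a reviewer usually trusts, folders any user can
# write to, and binary names that belong only under C:\WINDOWS.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
USER_WRITABLE = ("\\temp\\", "\\locals~1\\", "\\local settings\\",
                 "\\applic~1\\", "\\application data\\")
SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "explorer.exe", "ctfmon.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First drive-letter path ending in .exe/.dll/.sys, quoted or not.
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|sys))"?', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # "process", "O2", "O4" or "O23"
    item: str      # process path, CLSID, autorun name or service name
    severity: str  # "high", "medium" or "low"
    reason: str


def executable_path(command: str) -> Optional[str]:
    """Extract the binary from an autorun command, dropping quotes and arguments."""
    m = PATH_RE.match(command.strip())
    return m.group("path") if m else None


def check_path(section: str, item: str, path: str) -> List[Finding]:
    """Location heuristics shared by processes, BHOs, autoruns and services."""
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if base in SYSTEM_BINARIES and not low.startswith("c:\\windows\\"):
        return [Finding(section, item, "high",
                        "Windows system binary name outside C:\\WINDOWS: " + path)]
    if any(tag in low for tag in USER_WRITABLE):
        return [Finding(section, item, "high", "runs from a user-writable folder: " + path)]
    if not low.startswith(TRUSTED_ROOTS):
        return [Finding(section, item, "medium", "outside the usual program roots: " + path)]
    return []


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and collect findings in log order."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and PATH_RE.match(line):
            findings += check_path("process", line, line)
            continue
        in_processes = False  # first R/O line ends the process list
        m = O2_RE.match(line)
        if m:
            if m.group("name") == "(no name)":
                findings.append(Finding("O2", m.group("clsid"), "low",
                                        "BHO with no name; identify the DLL's publisher"))
            findings += check_path("O2", m.group("clsid"), m.group("path"))
            continue
        m = O4_RE.match(line)
        if m:
            path = executable_path(m.group("cmd"))
            if path is None:
                findings.append(Finding("O4", m.group("name"), "medium",
                                        "could not parse command: " + m.group("cmd")))
            else:
                findings += check_path("O4", m.group("name"), path)
            continue
        m = O23_RE.match(line)
        if m:
            if m.group("owner") == "Unknown owner":
                findings.append(Finding("O23", m.group("name"), "low",
                                        "service has no recorded publisher; verify the binary"))
            findings += check_path("O23", m.group("name"),
                                   executable_path(m.group("path")) or m.group("path"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:7} {f.item}: {f.reason}")
```

Run on the sample it reports three items: the unnamed Spybot BHO and the "Unknown owner" ATI service as low-priority checks (both are legitimate in the log above, which is why they are only "low"), and the constructed Temp-folder autorun as high. The point of the location rules is the one the helper makes later in the thread: a process called svchost.exe or explorer.exe is normal only when it runs from C:\WINDOWS; the same name from another folder is what deserves a closer look.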
Please download ComboFix to your Desktop.
- Double click on Combofix.exe & follow the prompts.
- When the scan has finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
ComboFix 07-09-14.2 - "GusNukem" 2007-09-14 17:12:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1253.30.1032.18.725 [GMT 3:00]
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-08-14 to 2007-09-14 )))))))))))))))))))))))))))))))
.
2007-09-14 17:11 51,200 --a C:\WINDOWS\NirCmd.exe
2007-09-13 11:41 <DIR> d C:\Program Files\Trend Micro
2007-09-08 20:04 <DIR> d C:\DOCUME~1\GusNukem\APPLIC~1\Comodo
2007-09-08 20:04 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-09-08 20:01 <DIR> d C:\Program Files\Comodo
2007-09-08 17:13 <DIR> d C:\WINDOWS\system32\Kaspersky Lab
2007-09-08 17:13 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-08 15:49 <DIR> d C:\WINDOWS\system32\ActiveScan
2007-09-08 15:39 <DIR> d C:\Program Files\SpywareBlaster
2007-09-08 14:32 <DIR> d C:\Program Files\Lavasoft
2007-09-08 14:32 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-08 13:37 <DIR> d C:\Program Files\iTunes
2007-09-08 13:37 <DIR> d C:\Program Files\iPod
2007-08-27 00:47 <DIR> d C:\DOCUME~1\GusNukem\APPLIC~1\Media Player Classic
2007-08-25 15:09 36,734 --a C:\WINDOWS\system32\OggDSuninst.exe
2007-08-25 15:06 <DIR> d C:\Program Files\DirectVobSub
2007-08-25 15:04 <DIR> d C:\Program Files\K-Lite Codec Pack
2007-08-22 22:54 <DIR> d C:\Program Files\Elaborate Bytes
2007-08-22 22:48 <DIR> d C:\DOCUME~1\GusNukem\APPLIC~1\CyberLink
2007-08-22 22:47 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-08-22 22:45 <DIR> d C:\Program Files\CyberLink
2007-08-22 17:03 520,192 C:\WINDOWS\system32\ati2sgag.exe
2007-08-22 17:02 <DIR> d C:\Program Files\ATI Technologies
2007-08-22 17:01 <DIR> d C:\ATI
2007-08-22 16:24 9,472 -ra C:\WINDOWS\system32\drivers\sisperf.sys
2007-08-22 16:24 49,024 -ra C:\WINDOWS\system32\drivers\sisidex.sys
2007-08-22 16:24 4,096 -ra C:\WINDOWS\system32\drivers\siside.sys
2007-08-22 16:24 36,992 -ra C:\WINDOWS\system32\drivers\SISAGPX.SYS
2007-08-22 16:12 <DIR> d C:\DOCUME~1\GusNukem\APPLIC~1\ATI
2007-08-22 16:02 737,280 --a C:\WINDOWS\iun6002.exe
2007-08-22 16:00 <DIR> d C:\Program Files\My Company Name
2007-08-22 15:54 11,264 -ra C:\WINDOWS\system32\drivers\EIO.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-11 17:43 d C:\DOCUME~1\GusNukem\APPLIC~1\uTorrent
2007-09-11 14:13 d C:\Program Files\DC++
2007-09-08 16:27 d C:\Program Files\QuickTime
2007-09-08 14:32 d C:\Program Files\Common Files\Wise Installation Wizard
2007-09-08 14:31 d C:\DOCUME~1\GusNukem\APPLIC~1\Lavasoft
2007-08-22 22:45 d--h C:\Program Files\InstallShield Installation Information
2007-08-07 13:58 8320 --a C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-02 14:19 d C:\DOCUME~1\GusNukem\APPLIC~1\Apple Computer
2007-08-02 14:09 d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-02 14:08 d C:\Program Files\Common Files\Apple
2007-08-02 14:08 d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-30 19:19 92504 --a C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a C:\WINDOWS\system32\wups.dll
2007-07-29 17:51 7680 --a C:\WINDOWS\system32\ff_vfw.dll
2007-07-25 15:24 1559040 --a C:\WINDOWS\system32\xvidcore.dll
2007-07-23 16:46 d C:\Program Files\uTorrent
2007-06-26 09:08 1104896 --a C:\WINDOWS\system32\msxml3.dll
2007-06-19 16:30 282112 --a C:\WINDOWS\system32\gdi32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-14 09:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09]
"RegKillElbyCheck"="C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 09:33]
"RegKillTray"="C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe" [2002-11-28 00:11]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-09-08 20:01]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-04 06:45]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 10:06]
R3 RegKill;RegKill;C:\WINDOWS\system32\Drivers\RegKill.sys
R3 usbuhci;Πρόγραμμα οδήγησης Miniport ενιαίου κεντρικού ελεγκτή Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
S1 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb32.sys
S3 atidgllk;atidgllk;\??\C:\Program Files\ASUS\SmartDoctor\atidgllk.sys
S3 USBSTOR;Πρόγραμμα οδήγησης μαζικής αποθήκευσης USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys
S3 Winacusb;Winacusb;C:\WINDOWS\system32\DRIVERS\winacusb.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fddc0e20-343f-11db-80ac-008048295771}]
AutoRun\command- F:\LaunchU3.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-06-06 17:21:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-14 17:14:25
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-14 17:15:25
.
--- E O F ---
The log is clean.
It looks like this may not be a malware problem. Is the router still behaving the same?
1. Yes, the router/modem still resets itself often. And I have trouble with staying logged in several of the forums I trust - I may manually have to retype username and password, even though firefox remembers them. This seems to be random, i.e. I may visit that homepage and see myself as a visitor, I log in, successfully, and when I refresh, or visit a new page there, I'm again an unregistered visitor. Or I may see myself as unregistered, and I visit there again to find myself logged in. This happens randomly and often and occurs at most of the sites and forums I've registered for and am logged in.
Another problem with my connection is that sometimes it seems to go idle: the leds on the modem/router will show that the DSL line is online and active, and so will my router's 'homepage' if I visit it, but Firefox will be idle for a couple of minutes (but no more). It (Firefox) will show the 'no internet connection found' page and I'll have to reset that page 2-3 times for it to load.
The things that worried me most though were the random 'virus infected file found and healed' from AVG's resident shield (which, strangely, have ended since I ran the 8 steps up to posting my HJT log in this thread) and the virus reports by those 2 online A/V programs. In one of them, I think it was Kaspersky, it reported several malware, viruses, spyware and rootkits, and concluded that it (couldn't?) didn't manage to heal all of them. (then prompting me to buy the full A/V package)
2. Connected to the router is a hub, from which my brother's pc gets his internet connection. I don't really have any control over that computer, but I know that my brother isn't as careful about what he browses and downloads/runs. He doesn't even have an antivirus program/resident shield, of any sort. I also know that he can access the router's 'homepage' from his computer (with both Firefox & IE) and he could tamper with it and even reset it if he wanted. Is it possible that some malware his computer is infected with is messing with the (our common) router? Should that computer do 'those 8 safety steps' and then post his HJT log here, too?
3. About the firewall. It's one of the four alternate solutions you guys suggested, Comodo Firewall Pro. Quite often it will ask me if it should allow a process (like one of the svchost.exe files) to run. It often will ask me in a row and repeatedly about same named files trying to access different ip's or ports. If I deny those files to do that, then I'll have no internet access (e.g. with Firefox)
The firewall itself will give little or no information on what that process is and if it's malware. Most often, if I deny its internet access (like with the svchost files, or firefox.exe, or explorer.exe), I'll have no internet.
How do I know which processes I should allow and which I shouldn't? By trial and error? Comodo offers little information and if I follow its instructions on blocking stuff, my pc's functions tend to get impaired.
4. Finally, a minor question. After running Combofix, the Internet Explorer icon reappeared on my desktop. It's not a shortcut to IE. How do I make it disappear from my desktop? -without deleting it of course.
This doesn't sound like malware. Have you tried clearing your cache or cookies?
Kaspersky online scan does not clean anything. It also did not find anything malicious, just some items infected in your restore points. You can clean that by doing the following...
- Click Start | Help and Support | Undo changes to your computer with System Restore.
- Click Create A Restore Point then click Next. Give it a name it and then click Create, then Close.
- Close the Help and Support Center box.
- Click Start | Run and type Cleanmgr
- Select (C: ) then click OK.
- Click the More Options tab.
- Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.
Yes, he/you should do the 8 steps on his computer. Without an anti-virus program, who knows what is on it.
Select the option to remember next time you get asked. If you do not know about a process, google it and find out what it is. Or come and ask here.
I'm not sure, sorry!
b. ok, done
2. yes, but is it possible his (possibly) malware-infested computer is commanding the router (we share) to reset itself etc?
3. most of these processes are really common stuff, like explorer.exe or firefox.exe -- what troubles me is that this firewall I installed perceives them as high threats (fully red threat bar) and advises me to deny them, which if I do, I then have no internet. To conclude, Comodo seems to me it detects many false positives and I can't trust it. In fact, by my experience with it, all of whatever it detects, should be false positives, and in that case, should I go ahead and allow every possible process that is brought up? That's no way to use a firewall.
I haven't known malware to mess with a router, so I would say no.
Next time you get a warning popup, can you take a screenshot and post it here please.
this is not my computer's IP by the way
I denied it and still had internet afterwards
and here are some screen caps of my task manager in case they could be of use:
first one with decreasing CPU usage:
and one with decreasing Memory usage:
Those screenshots look fine to me.
According to your first screenshot, the IP address is related to Level 3 Communications, Inc. Do you know anything about them?
The second screenshot is connecting to the IP of Google.com, so that is fine. I suggest checking the Remember my answer for this application box and click Allow.
1. a. No, I didn't intend to join such a site (Level 3 communications), or had any idea about them. This firewall prompt came just as I was starting my Firefox, whose normal homepage is for Google Greece, as you can see.
b. which site do you recommend to check some ip before joining or denying them? I usually googled for 'who is ip' and used one of the first five my search turned up, but not always the same.
2. here are some more 'fully red threat bar' from my Comodo firewall.
The first ip is that of my router and the two next belong to microsoft. At the moment, I didn't know that, so I denied them, but still had internet afterwards.
This puzzles me, I mean this many false positives, and false positives to the extent that Comodo is considering as 100% threats... I can't fully trust this program, can I?
3. Can you suggest a program I can buy that will thoroughly protect my pc from all types of malware - viruses, spyware, and rootkits? Does NOD32 fit the bill? Does it include a reliable firewall?
4. If not, can you suggest one that covers all types of malware and consists of a good firewall too?
5.
a. What happened to the viruses that prompted me to open this new thread?
The Worm/Generic.DHT and Obfurstat.MAX (spelling?)
AVG A/V free claimed it found and successfully healed them, but I have a bad history with this program, meaning that in the past, I've had it repeatedly find one file infected with some malware and then successfully healing it and then re-finding the same file infected with the same malware again and then same thing happening repeatedly. But ever since I started this thread this hasn't happened, so things may have worked out ok this time.
b. what was the decisive element that helped heal my pc of these two viruses? Was it perhaps AVG's resident shield that was competent enough (more than I would have given it credit for) to find them in advance and successfully heal them, or was the measure of resorting to the two online scans of Panda Active Scan and Kaspersky necessary?
Do you perhaps need a fresh HJT log to judge that, or it is unnecessary?
It's not about the site. Maybe you have a product or service related to them on your computer, hence why Comodo asked you if it is OK before giving you access.
I normally use this site: http://www.arin.net/whois/
What did you do before getting that message? Open a program, visit a website?
These are NOT false positives. Comodo is a Firewall, and it is doing its job. You don't lose your Internet every time you deny access to something. I believe Comodo pops up when you are about to do something? If so, I suggest ticking the box and pressing Allow like I suggested earlier.
I suggest Kaspersky Internet Security 7.0
That's good!
I can't say as I don't know what the exact files detected by AVG were. Kaspersky online scanner only detects, but does not heal anything so it wasn't that. Panda only detected SmitfraudFix, which you can delete.
Yes, your computer is free of malware. But you can post one more HijackThis log if you wish.
2. I got these exactly after I had booted my pc; I hadn't started any program yet manually. They just popped up by themselves. It happens very often just after I've booted my pc. Mostly with instances of either svchost.exe or explorer.exe
5.b. how do I delete Smitfraudfix ?
6.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:23 μμ, on 17/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maps.flash.gr/inc/activex/mgaxctrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
--
End of file - 7817 bytes
I don't have an answer for this, but I don't see any malicious activity happening.
Check the box and press apply.
Delete the following in RED:
C:\Documents and Settings\GusNukem\<a folder in your language>\utils misc\SmitfraudFix
C:\SmitfraudFix
C:\rapport.txt
6. Your HijackThis log is clean.
What about your brother's computer? Do you need help with that?
I'll tell my brother to make his own account here, follow the 8 steps and post his own HJT log some time soon. It's strange that my router keeps up its weird behaviour: it often resets itself, goes idle for a minute and then resets itself again, and it may even need a manual reboot since it doesn't successfully re-establish the internet connection.
Once again, thank you very much.
Networking is not my strongest point. If you want better answers to your router problem, start a new thread in the Networking forum - just below this one.
Good luck!