unknown trojan

I have avast Home 4.0 and I use Windows XP.
I have been getting a pop-up stating “your computer was infected by unknown trojan it’s dangerous for your system (critical files can be lost) click ok to download the antispyware program to clean your system (recommended)”

Now I have run avast and it has found no virus, and I have run Ad-Aware 2007 and it has not found any virus.
Can anyone help me?
P.S. I have also updated both programs.

Most probably you’re running a rogue product.
Can you run RogueRemover?
It is a utility that can remove various rogue antispyware, antivirus and hard drive cleaning utilities. Rogue applications are applications that rather than remove spyware, provide false positives, distribute malware or spyware, advertise, or provide useless uninstallers. The main point is that rogue applications are useless and eat up system resources.

Check http://www.malwarebytes.org/rogueremover.php

Yes, I have RogueRemover and have updated and run it,
but I still have not gotten rid of the pop-up.

As well as what Tech said, can I ask you to confirm your version of avast (right-click the avast icon in the taskbar and click About avast), as avast 4.0 is a few years old now; the latest version is 4.7.1098 ;D

Also if avast has found a malware file, are you able to tell us the name and directory location of the file?

Also, a HijackThis log posted in this thread could help.

–lee

I suggest:

  1. Disable System Restore and re-enable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot-time scan with avast with archive scanning turned on.
  4. Use SUPERAntiSpyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

:slight_smile: Hi Cindy:

Ad-Aware is no longer a top antispyware program (& I used to help out on the Lavasoft Ad-Aware Support Forums); you’d be better off using the FREE version of “SUPERAntiSpyware” from www.superantispyware.com.

I am using avast 4.7.
As I have stated, avast did not find the virus.

I just keep getting a pop-up stating

"your computer was infected by an unknown trojan it’s dangerous for your system (critical files can be lost)

Click ok to download the antispyware program to clean your system (recommended)"

This is the warning I get,
and also when I try to use Internet Explorer it tries to redirect me to a different website.

Do not do that… for sure you’re infected. It’s a pity that avast is not detecting it.
Please, follow the other suggestions or run on-line scanning with Kaspersky or BitDefender.

Give this a shot. The instructions are near the end of the page.

Go to this page, and follow the instructions exactly to use FixIEDef: http://www.malwareteks.com/FixIEDef.php

Post the results of FixIEDef and a HijackThis log for the guys to review.

Note: If you have Spybot and TeaTimer is enabled, you will have to turn it off first, as it may interfere with the cleaning.

Open Spybot and make sure TeaTimer is disabled; we will re-enable it afterwards. To do so, do the following:

Click Mode
Click Advanced mode
If you get a warning, answer “yes”
Click Tools
Click Resident
Uncheck Resident “TeaTimer”
Click Allow change

Download and Unzip to your Desktop: http://www.techsupportforum.com/sectools/ResetTeaTimer.zip
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

This is the log for the rootkit results:
+---------------------------------------------------
| Trend Micro RootkitBuster 1.6 Beta.
| Module version: 1.6.0.1052
+---------------------------------------------------

--== Dump Hidden File on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.

--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:29 PM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Lexmark 5300 Series\lxdkmon.exe
C:\Program Files\Lexmark 5300 Series\lxdkamon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\lxdkcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [StorageGuard] “C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe” /r
O4 - HKLM..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM..\Run: [PCMService] “C:\Program Files\Dell\Media Experience\PCMService.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM..\Run: [IPInSightLAN 02] “C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe” -l
O4 - HKLM..\Run: [IPInSightMonitor 02] “C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe”
O4 - HKLM..\Run: [RoxioDragToDisc] “C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe”
O4 - HKLM..\Run: [PRISMSVR.EXE] “C:\WINDOWS\System32\PRISMSVR.EXE” /APPLY
O4 - HKLM..\Run: [lxdkmon.exe] “C:\Program Files\Lexmark 5300 Series\lxdkmon.exe”
O4 - HKLM..\Run: [lxdkamon] “C:\Program Files\Lexmark 5300 Series\lxdkamon.exe”
O4 - HKLM..\Run: [Lexmark 5300 Series Fax Server] “C:\Program Files\Lexmark 5300 Series\fm3032.exe” /s
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [dcb5bdf7] rundll32.exe “C:\WINDOWS\system32\wbaqlcwi.dll”,b
O4 - HKLM..\Run: [BMdf868e6b] Rundll32.exe “C:\WINDOWS\system32\cbgtuucu.dll”,s
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\MSMSGS.EXE” /background
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [H/PC Connection Agent] “C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE”
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User ‘Default user’)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200783136343
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: qomnnkh - qomnnkh.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdk_device - - C:\WINDOWS\system32\lxdkcoms.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe


End of file - 9273 bytes


*                             FixIEDef Log                                 *
*                         Version 1.2.10.3145                              *

Created at 14:38:31 on Sunday, March 16, 2008

Time Zone : (GMT-06:00) Central Time (US & Canada)

Operating System : Microsoft Windows XP Professional
Service Pack Level: Service Pack 2
System Langauge : English
Processor : X86
Boot State : Normal boot


!!! Files that have been deleted !!!

No malicious files found


!!! Directories that have been removed !!!

No malicious directories to be removed


!!! Registry entries that have been removed !!!

No malicious Registry entries found

================================================================================

All Done :slight_smile:

ShadowPuterDude

Safe Surfing!!!

I have posted all 3 logs:
first is the rootkit log,
second is the HijackThis log,
third is the FixIEDef log that oldman recommended.

It looks like I got rid of it all.

Hi, it appears you also have a bit of Vundo happening. So the next step…

Open HJT, run a system scan only, and check-mark these lines if present:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM..\Run: [dcb5bdf7] rundll32.exe “C:\WINDOWS\system32\wbaqlcwi.dll”,b
O4 - HKLM..\Run: [BMdf868e6b] Rundll32.exe “C:\WINDOWS\system32\cbgtuucu.dll”,s
O20 - Winlogon Notify: qomnnkh - qomnnkh.dll (file missing)

Close all other browsers/windows, click fix, close HJT.

It is vitally important that ComboFix is renamed before it even starts to download.

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop

  • If you are using Firefox, make sure that your download settings are as follows:
    - Tools->Options->Main tab
    - Set to “Always ask me where to Save the files”.
  • During the download, rename Combofix to Combo-Fix as follows:

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

See you in a bit. ComboFix usually takes about 20 minutes. You can attach the logs by using the additional options button on the reply page; you may have to scroll down a bit to see the browse button.
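The helper above picks out the Vundo-style entries by eye: Run values that load a system32 DLL through rundll32 under a random-looking name, a Winlogon Notify hook whose DLL is missing, and a BHO with no file behind it. As an added illustration (my own code, not a tool from this thread), here is a small Python triage pass that applies those same heuristics to HijackThis lines. The sample lines are copied from the log posted above, with the backslashes restored to HJT's native `HKLM\..\Run` form; the benign entries are included for contrast.

```python
import re

# Constructed sample: O2/O4/O20 entries taken from the HijackThis log posted
# in this thread, plus benign entries from the same log for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dcb5bdf7] rundll32.exe "C:\WINDOWS\system32\wbaqlcwi.dll",b
O4 - HKLM\..\Run: [BMdf868e6b] Rundll32.exe "C:\WINDOWS\system32\cbgtuucu.dll",s
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: qomnnkh - qomnnkh.dll (file missing)
"""

# Line shapes of the three HJT sections we triage.
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<target>.*)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>.*?)\\Run: \[(?P<value>[^\]]+)\]\s+(?P<cmd>.*)$")
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<target>.*)$")
# A Run command that hands a DLL to rundll32 (the pattern the helper flagged).
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)


def triage(log_text):
    """Return (section, detail, reason) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_BHO.match(line):
            if m["target"] == "(no file)":
                findings.append(("O2", m["clsid"],
                                 "BHO registered but its file is gone (orphan)"))
        elif m := O4_RUN.match(line):
            r = RUNDLL.match(m["cmd"])
            if r:
                findings.append(("O4", r["dll"],
                                 f"Run value [{m['value']}] loads a DLL via rundll32; verify it"))
        elif m := O20_NOTIFY.match(line):
            if m["target"].endswith("(file missing)"):
                findings.append(("O20", m["key"],
                                 "Winlogon Notify hook whose DLL is missing (dangling autostart)"))
    return findings


if __name__ == "__main__":
    for section, detail, reason in triage(SAMPLE_LOG):
        print(f"{section:<4} {detail:<45} {reason}")
```

The benign avast, Google Toolbar and SUPERAntiSpyware entries pass through untouched; only the four lines the helper asked to fix come back.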

Here is the ComboFix log as an attachment, due to the size.

Ok, so far so good. We’ll run ComboFix a little differently this time. Let me know how it is at your end. Please note I will require a ComboFix log and a HJT log.

Please follow all previous instructions regarding security programs.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\SYSTEM32\roaenwgn.ini
C:\WINDOWS\SYSTEM32\iwclqabw.ini
C:\amp.bat

This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

Here is the Combo-Fix log.

Here is the HijackThis log.

I do believe it’s gone. If no problems, then clean up the tools you used.

  • Delete FixIEDef from your desktop

  • Click start button, run, then copy and paste the following line into the box and click ok.

Combo-Fix /u

Double click OTCleanIt, click the Clean Up button.

You may get prompted by your firewall that OTCleanit/OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

  • Create a new restore point

You must be logged on to an administrator account.
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

  • Remove old restore points
  • Go to Start - All Programs - Accessories - System Tools. Launch the Disk Cleanup tool and let it run. When it finishes, a box with tabs will appear; select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.
  • Clear the java cache

http://www.java.com/en/download/help/5000020300.xml

  • Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp by Steven Gould

http://www.stevengould.org/downloads/cleanup/

  • If you are using Windows Firewall, please note that it doesn’t provide outbound protection. A third-party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

or

http://forum.avast.com/index.php?topic=33530.0

Take care and keep safe.

Did the steps and all is well. Thank you very much.