| I have run Superantispyware and combofix. After I reboot, Superantispyware tells me I have an unclassified Trojan SMVERI32.BHO and references file DFRGSNAPN.DLL. The logs are below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:38 AM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1202756480\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.comR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: (no name) - {B46FE4DB-CEE5-4BE1-A1F6-01FEFB150A92} - c:\windows\system32\dfrgsnapn.dll O2 - BHO: (no name) - {C3CBD61F-B004-4738-8B6D-17EC1C854A2F} - C:\WINDOWS\system32\CNVFATa.dll O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1202756480\ee\AOLSoftware.exe O4 - HKLM\..\Run: [8jakxa73l49] C:\WINDOWS\system32\8jakxa73l49.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [8jakxa73l49] C:\WINDOWS\system32\8jakxa73l49.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: nbufamde - C:\WINDOWS\SYSTEM32\dfrgsnapn.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe --
End of file - 4014 bytes
Generated 04/28/2008 at 07:29 AM
Application Version : 4.0.1154
Core Rules Database Version : 3448
Trace Rules Database Version: 1440
Scan type : Complete Scan
Total Scan Time : 00:16:29
Memory items scanned : 433
Memory threats detected : 0
Registry items scanned : 4619
Registry threats detected : 0
File items scanned : 11397
File threats detected : 7
Adware.Tracking Cookie
C:\Documents and Settings\BAM\Cookies\bam@atdmt[2].txt
C:\Documents and Settings\BAM\Cookies\bam@adnetserver[1].txt
C:\Documents and Settings\BAM\Cookies\bam@doubleclick[1].txt
C:\Documents and Settings\BAM\Cookies\bam@intervarioclick[2].txt
C:\Documents and Settings\BAM\Cookies\bam@msnportal.112.2o7[1].txt
C:\Documents and Settings\BAM\Cookies\bam@specificclick[1].txt
C:\Documents and Settings\BAM\Cookies\bam@revsci[2].txt
ComboFix 08-04-27.2 - BAM 2008-04-28 7:49:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.249 [GMT -4:00]
Running from: C:\Documents and Settings\BAM\My Documents\My eBooks\ComboFix.exe
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\appcert
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\Tasks.\At1.job
C:\WINDOWS\system32\dfrgsnapn.dll . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_lawsrrue
-------\Service_lawsrrue
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.
2008-04-25 15:49 . 2008-04-25 15:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-25 15:49 . 2008-04-25 15:49 <DIR> d-------- C:\Documents and Settings\BAM\Application Data\SUPERAntiSpyware.com
2008-04-25 15:49 . 2008-04-25 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-25 15:48 . 2008-04-25 15:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-04-25 09:28 . 2008-04-25 09:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-25 09:15 . 2008-04-25 09:15 <DIR> d-------- C:\Program Files\CCleaner
2008-04-25 08:38 . 2008-04-25 08:38 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-24 14:48 . 2008-04-24 14:48 <DIR> d-a------ C:\WINDOWS\zts2.exe
2008-04-24 14:48 . 2008-04-24 14:48 <DIR> d-a------ C:\WINDOWS\SYSTEM32\vcmgcd32.dll
2008-04-24 14:48 . 2008-04-24 14:48 <DIR> d-a------ C:\WINDOWS\SYSTEM32\iifgfgf.dll
2008-04-24 14:48 . 2008-04-24 14:48 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2008-04-24 14:48 . 2008-04-24 14:48 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-04-24 14:48 . 2008-04-24 14:48 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-04-24 14:38 . 2008-04-24 14:39 50 --a------ C:\WINDOWS\Lic.xxx
2008-04-24 14:37 . 2004-08-04 06:00 146,432 --a------ C:\WINDOWS\R.COM
2008-04-24 14:37 . 2004-08-04 06:00 135,680 --a------ C:\WINDOWS\SYSTEM32\T.COM
2008-04-24 08:10 . 2008-04-24 08:10 <DIR> dr-h----- C:\Documents and Settings\BAM\Application Data\yahoo!
2008-04-23 13:50 . 2008-04-23 13:50 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-23 13:50 . 2008-04-25 15:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-23 13:50 . 2008-04-23 13:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-23 09:19 . 2008-04-23 09:19 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-04-23 09:19 . 2008-04-23 09:19 1,015,808 --a------ C:\WINDOWS\SYSTEM32\libeay32.dll
2008-04-23 09:19 . 2008-04-23 09:19 196,608 --a------ C:\WINDOWS\SYSTEM32\libssl32.dll
2008-04-23 09:19 . 20,608 C:\WINDOWS\SYSTEM32\DRIVERS\qhhuelnm.dat
2008-04-23 07:41 . 2008-04-23 07:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-23 07:41 . 2008-04-23 08:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-22 07:39 . 2004-08-04 06:00 88,064 --a------ C:\WINDOWS\SYSTEM32\CNVFATa.dll
2008-03-31 13:36 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SONYPVU1.SYS
2008-03-31 13:36 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\sonypvu1.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 19:46 --------- d-----w C:\Program Files\SRN Micro
2008-04-24 12:12 --------- d-----w C:\Program Files\Google
2008-04-24 12:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-04-24 12:09 --------- d-----w C:\Program Files\Yahoo!
2008-04-23 12:27 --------- d-----w C:\Program Files\3ivx
2008-04-23 12:27 --------- d-----w C:\Documents and Settings\BAM\Application Data\Lavasoft
2008-04-16 15:35 --------- d-----w C:\Documents and Settings\BAM\Application Data\U3
2008-03-04 19:31 10,920 ----a-w C:\aolconnfix.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B46FE4DB-CEE5-4BE1-A1F6-01FEFB150A92}]
2004-08-04 06:00 82432 --a------ c:\windows\system32\dfrgsnapn.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3CBD61F-B004-4738-8B6D-17EC1C854A2F}]
2004-08-04 06:00 88064 --a------ C:\WINDOWS\system32\CNVFATa.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22 4670968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"8jakxa73l49"="C:\WINDOWS\system32\8jakxa73l49.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 10:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 10:31 126976]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-05 10:41 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-15 14:45 282624]
"HostManager"="C:\Program Files\Common Files\AOL\1202756480\ee\AOLSoftware.exe" [2007-05-25 13:16 42032]
"8jakxa73l49"="C:\WINDOWS\system32\8jakxa73l49.exe" [ ]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nbufamde]
dfrgsnapn.dll 2004-08-04 06:00 82432 C:\WINDOWS\SYSTEM32\dfrgsnapn.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2004-02-19 09:23 61440 c:\dell\bldbubg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-01-27 02:02 86016 C:\Program Files\Dell\Media Experience\DMXLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-09-14 09:50 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSCD_Creator]
--a------ 2004-10-31 06:21 408576 c:\Dell\PreODM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a------ 2004-11-11 11:26 26112 C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-12-15 14:45 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2006-12-05 10:42 214560 C:\Program Files\Real\RealPlayer\RealPlay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 15:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-03-04 03:36 36975 C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"AOL ACS"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\SRN Micro\\SOLOCFG.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\SRN Micro\\SOLOSCAN.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\1202756480\\ee\\aolsoftware.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
R0 MrFilter;EasyWrite Driver;C:\WINDOWS\system32\drivers\MrFilter.sys [2003-01-13 14:18]
R0 odycsgpv;odycsgpv;C:\WINDOWS\system32\drivers\qhhuelnm.dat []
R3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 13:12]
R3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2003-03-13 20:04]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 13:12]
R3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 13:12]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
lawsrrue
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2ded2da-a375-11dc-9c3c-001109f26c0c}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-04-28 07:58:34 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\odycsgpv]
"ImagePath"="system32\drivers\qhhuelnm.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\acs\AOLacsd.exe
C:\WINDOWS\SYSTEM32\BrmfRsmg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
.
**************************************************************************
.
Completion time: 2008-04-28 8:01:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-28 12:01:31
Pre-Run: 22,172,090,368 bytes free
Post-Run: 22,130,896,896 bytes free
182 --- E O F --- 2008-04-15 07:04:03
| 
|