# Trojan Obfustat.Vg



## refresher

No idea what happened but my SupremeCommander.exe became infected somehow(yes it is a legit install). Any help is appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 4:42:39 PM, on 7/10/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\sttray.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Windows\Explorer.EXE
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Windows\system32\SearchFilterHost.exe
C:\Users\kevin\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Alcohol Toolbar - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix: 
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe


----------



## jedlicka

I just had the same thing happen to me.

This virus supposedly is attached to my SupremeCommander.old.exe file.

A couple days ago I also had the Generic5.BKW Trojan Horse attach to my Generals.exe file.

I am wondering if there is something with these games for online multiplayer that is causing a false virus reading, or if the viruses are starting to target our gaming files for some reason.  The funny thing is, I haven't played either of these two games for at three months or longer.

If anyone one knows whats going on with these viruses please let us know.

Thank you.


----------



## refresher

jedlicka said:


> I just had the same thing happen to me.
> 
> This virus supposedly is attached to my SupremeCommander.old.exe file.
> 
> A couple days ago I also had the Generic5.BKW Trojan Horse attach to my Generals.exe file.
> 
> I am wondering if there is something with these games for online multiplayer that is causing a false virus reading, or if the viruses are starting to target our gaming files for some reason.  The funny thing is, I haven't played either of these two games for at three months or longer.
> 
> If anyone one knows whats going on with these viruses please let us know.
> 
> Thank you.



Interesting, because on my old computer my Generals.exe also had the Generic5 trojan...but I haven't played either for weeks ......thats pretty weird.


----------



## macormick

Hi just wanted to say that the same thing happenned to me,my supreme comander.exe file has that virus too..in fact its the reason i found this site..i  was looking to learn more about it..eh


----------



## Buzz1927

Are you all running Vista? And is it AVG that finds it?


----------



## Lippy

Buzz1927 said:


> Are you all running Vista? And is it AVG that finds it?



Heh, same happened to me. I'm on XP, but it's AVG that is finding it.

It's somewhat strange that we all got hit at the same time, there hasn't been any noticeable effect, obviously, I haven't tried to play SupCom yet, because that would be stupid if it's infected.

I'm running a full virus scan now with intent to purge, if I have to reinstall then so be it.


----------



## jedlicka

yeah, I am running XP and both of mine were found with AVG.  Does anyone else have Generals and if so, did you find a virus attached to that file as well?

Its funny how we are all having the same issue.  This was the only site I was able to find anything about the virus when I did a google search.

I have a feeling there is just something in the code that is not a virus that is setting off the virus detector alarms and triggering it to think these files are infected.  But of course, until I know this for sure, I won't be playing these games.


----------



## jedlicka

this double posted and I can't delete.  Sorry.


----------



## refresher

Buzz1927 said:


> Are you all running Vista? And is it AVG that finds it?



The OS isn't the problem I think because Generals.exe was infected on my XP and SupremeCommander was infected on Vista Home Premium. but I do have avg on both computers. And also, after avg finds the file, the file suddenly gets that file missing icon instead of the original and it will not allow to be uploaded. Any ideas?


----------



## Lippy

I've checked on the GPG forums and they've confirmed that it's not a virus, it's just an error on the part of AVG. When the file is "cleaned", my SupCom executable still worked, so I didn't see it as a problem, just ignore the AVG complaints


----------



## macormick

hi..ok something else hapenned today.i got a virus on my world of warcraft file.
i went on the WOW board and lots of ppl had the same problems. the WOW team say this is only a AVG problem that there is no virus at all in the game, and that AVG is working on a patch right now..
i dont know if this is related or not to the supreme commander virus.since it was not the same virus name.but it might be an AVG problem.
p.s. sorry about my bad grammar,im trying hard to make sense but english is not my natural language 
and i didnt see that last post before posting ..so it is avg then ..good to know.


----------



## ghost

Cool, cheers for the feed back people, good job.


----------



## Buzz1927

I suspected it was a false-positive, glad to know no-ones infected


----------



## jedlicka

thanks for your input.  I had suspected as much.  Although, when I tried to clean them, it wouldn't let me.  Maybe there was just a glitch in my AVG at the time.


----------



## marcomax

*Obfustat Problem fixed.*

I cleared this issue with AVG support, it's a false detection and will corrected in today update: 17 July 2007 10:00 AM GTM+7.


----------



## Lamilia

whew...mine is .asf not .vg but im guessing its the same thing. Either way i'm glad to hear its an AVG thing and not an actual virus.


----------

