
Download of Bullguard

Posted 9/9/2008 12:21 PM #65793
islandprincess, Valued member (Date Joined Nov 2016, Total Posts: 24)
When I downloaded Bullguard 8 from the internet site, this came up after installation:
Main page not loaded, Monitoring page and Live update not loaded. I have tried and tried to download Bullguard and this was the furthest I have gotten with it, but I don't know if it is working fully for me. When I do a complete scan using Adaware it says that I have 3 critical infections. How do I clean these off my computer? Using Windows XP :shakehead:
Posted 9/9/2008 1:21 PM #65795
Touch, Advanced member (Date Joined Nov 2016, Total Posts: 12974)
Hello :smile:

Have you another antivirus program running?

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.

Posted 9/9/2008 1:27 PM #65798
islandprincess, Valued member (Date Joined Nov 2016, Total Posts: 24)
Posted 9/9/2008 1:31 PM #65800
Touch, Advanced member (Date Joined Nov 2016, Total Posts: 12974)
Ok. However, I'll suggest we see what's running on the computer.

Please download Combofix:

https://download.bleepingcomputer.com/sUBs/ComboFix.exe

And save it to the desktop.

Close all other browser windows.

Go to Start->Run and copy/paste: ComboFix /snapshot and hit OK. It should run Combofix.

Please note that once you start Combofix you should not click anywhere on the Combofix window, as it can cause the program to stall. In fact, when Combofix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply.

Posted 9/9/2008 2:24 PM #65802
islandprincess, Valued member (Date Joined Nov 2016, Total Posts: 24)
"Touch" wrote:
Hello :smile:

Have you another antivirus program running?

No, I don't have another antivirus program running. I am after getting e-mails from support for the past 4 weeks trying to resolve this problem, but nothing is working for me.
Please help! :confused:
Posted 9/9/2008 3:28 PM #65803
islandprincess, Valued member (Date Joined Nov 2016, Total Posts: 24)
When I tried to upload the log in Notepad form I was told that I can't upload in plain text. What do I do now, or how do I do it?
Posted 9/9/2008 4:46 PM #65805
islandprincess, Valued member (Date Joined Nov 2016, Total Posts: 24)
I have sent the file to support@bullguard as I haven't heard anything from you since earlier on. I am getting fed up with this.
Posted 9/9/2008 5:54 PM #65808
Touch, Advanced member (Date Joined Nov 2016, Total Posts: 12974)
It sounds like you were trying to attach the log ("upload in plain text").

Copy and paste the log.

Posted 9/9/2008 6:43 PM #65809
islandprincess, Valued member (Date Joined Nov 2016, Total Posts: 24)
I can't, because I don't know how to do that.
Posted 9/10/2008 1:24 AM #65814
Touch, Advanced member (Date Joined Nov 2016, Total Posts: 12974)

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.

Posted 9/10/2008 8:52 AM #65841
islandprincess, Valued member (Date Joined Nov 2016, Total Posts: 24)
"Touch" wrote:
Ok.

Look here:

https://members.aol.com/jaynecg/private/copy.html

Thanks for your help! Here's the Combofix log, hope it's what you need.
ComboFix 08-09-05.12 - mclovin 2008-09-09 15:57:21.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.3 [GMT 1:00]
Running from: C:\Documents and Settings\mclovin\Desktop\ComboFix.exe
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-09 to 2008-09-09 )))))))))))))))))))))))))))))))
.

2008-09-08 20:12 . 2008-09-08 20:12 <DIR> d-------- C:\Program Files\BullGuard Ltd
2008-09-05 19:40 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-05 19:40 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-04 18:10 . 2008-09-04 18:10 111,703 --a------ C:\WINDOWS\system32\msmshsr.exe
2008-09-03 14:28 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-09-03 14:26 . 2008-09-03 14:26 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-08-29 18:36 . 2008-08-29 18:36 <DIR> d-------- C:\Program Files\OxigenInstall
2008-08-28 21:15 . 2008-08-28 21:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-28 21:06 . 2008-08-28 21:17 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-28 15:16 . 2008-08-28 20:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-08-27 18:15 . 2008-09-01 13:22 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-27 18:15 . 2008-08-27 18:15 <DIR> d-------- C:\Documents and Settings\mclovin\Application Data\PC Tools
2008-08-27 18:15 . 2008-08-27 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-08-27 18:12 . 2008-08-27 18:12 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-08-22 15:03 . 2008-08-22 15:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-22 15:03 . 2008-09-01 13:22 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-21 21:13 . 2008-09-01 13:22 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-08-21 21:13 . 2008-07-28 11:29 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-08-21 20:55 . 2008-09-08 19:49 <DIR> d-------- C:\Program Files\NoAdware5.0
2008-08-20 21:36 . 2008-08-20 21:36 111,244 --a------ C:\WINDOWS\system32\savdldfdzss.exe
2008-08-20 21:02 . 2008-08-21 17:10 113,664 --a------ C:\WINDOWS\faceback1001186.exe
2008-08-11 18:54 . 2008-08-20 21:36 <DIR> d-------- C:\WINDOWS\system32\jdk-1_5_0_19-windows-i393-pp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-08 13:21 65,536 ----a-w C:\WINDOWS\DUMP42d5.tmp
2008-09-05 17:44 65,536 ----a-w C:\WINDOWS\DUMP3940.tmp
2008-09-01 12:54 65,536 ----a-w C:\WINDOWS\DUMP3875.tmp
2008-08-28 20:26 --------- d-----w C:\Program Files\FoneSync
2008-08-28 20:19 --------- d-----w C:\Program Files\Google
2008-08-27 17:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-27 16:57 --------- d-----w C:\Program Files\Logitech
2008-08-26 17:47 65,536 ----a-w C:\WINDOWS\DUMP4bed.tmp
2008-08-25 18:52 65,536 ----a-w C:\WINDOWS\DUMP4083.tmp
2008-08-22 10:00 65,536 ----a-w C:\WINDOWS\DUMP3c3e.tmp
2008-08-21 13:34 65,536 ----a-w C:\WINDOWS\DUMP3884.tmp
2008-08-20 19:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-20 19:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-20 19:54 --------- d-----w C:\Program Files\Create Your Own Greeting Cards
2008-08-18 18:51 65,536 ----a-w C:\WINDOWS\DUMP3410.tmp
2008-08-15 10:51 65,536 ----a-w C:\WINDOWS\DUMP37e8.tmp
2008-08-13 17:43 65,536 ----a-w C:\WINDOWS\DUMP3529.tmp
2008-08-12 17:33 65,536 ----a-w C:\WINDOWS\DUMP37b9.tmp
2008-08-12 14:06 65,536 ----a-w C:\WINDOWS\DUMP3e22.tmp
2008-08-11 18:10 65,536 ----a-w C:\WINDOWS\DUMP5d33.tmp
2008-08-09 14:25 65,536 ----a-w C:\WINDOWS\DUMP58ce.tmp
2008-08-07 18:53 65,536 ----a-w C:\WINDOWS\DUMP50b0.tmp
2008-08-05 10:08 19,784 ----a-w C:\WINDOWS\system32\BgOutlookHook.dll
2008-08-05 10:04 14,152 ----a-w C:\WINDOWS\system32\lccl.dll
2008-08-05 10:04 14,152 ----a-w C:\WINDOWS\system32\client_cc.dll
2008-07-27 11:50 --------- d-----w C:\Program Files\Zylom Games
2008-07-27 11:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2008-07-26 13:11 65,536 ----a-w C:\WINDOWS\DUMP2c7e.tmp
2008-07-25 16:36 65,536 ----a-w C:\WINDOWS\DUMP3eae.tmp
2008-07-24 14:15 65,536 ----a-w C:\WINDOWS\DUMP5ab2.tmp
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-12 16:37 65,536 ----a-w C:\WINDOWS\DUMP3d95.tmp
2008-07-12 15:59 65,536 ----a-w C:\WINDOWS\DUMP38a4.tmp
2008-07-12 15:09 65,536 ----a-w C:\WINDOWS\DUMP3b43.tmp
2008-07-07 18:04 65,536 ----a-w C:\WINDOWS\DUMP3ebe.tmp
2008-07-05 10:20 65,536 ----a-w C:\WINDOWS\DUMP3e60.tmp
2008-07-04 16:29 65,536 ----a-w C:\WINDOWS\DUMP4769.tmp
2008-07-04 16:27 65,536 ----a-w C:\WINDOWS\DUMP443c.tmp
2008-07-03 19:07 65,536 ----a-w C:\WINDOWS\DUMP417d.tmp
2008-07-02 17:27 65,536 ----a-w C:\WINDOWS\DUMP3c3d.tmp
2008-07-02 16:15 65,536 ----a-w C:\WINDOWS\DUMP3da5.tmp
2008-07-02 15:01 65,536 ----a-w C:\WINDOWS\DUMP3b15.tmp
2008-07-02 11:38 65,536 ----a-w C:\WINDOWS\DUMP38c3.tmp
2008-07-02 10:53 65,536 ----a-w C:\WINDOWS\DUMP376b.tmp
2008-07-02 10:34 65,536 ----a-w C:\WINDOWS\DUMP413f.tmp
2008-07-01 17:39 65,536 ----a-w C:\WINDOWS\DUMP416e.tmp
2008-06-30 20:26 65,536 ----a-w C:\WINDOWS\DUMP38b3.tmp
2008-06-30 19:23 65,536 ----a-w C:\WINDOWS\DUMP2e63.tmp
2008-06-30 17:47 65,536 ----a-w C:\WINDOWS\DUMP2b46.tmp
2008-06-28 21:15 198,144 --sh--r C:\WINDOWS\wmssvc.exe
2008-06-28 20:12 558,142 ----a-w C:\WINDOWS\java\Packages\GJVB73H7.ZIP
2008-06-28 20:12 155,995 ----a-w C:\WINDOWS\java\Packages\IEWHZXVJ.ZIP
.

------- Sigcheck -------

2002-08-29 13:00 1013760 66be0215c2896ac95e48860538828719 C:\WINDOWS\explorer.exe
2002-08-29 13:00 1013760 ac80adc21d0feec9fb7791588cbaf983 C:\WINDOWS\system32\dllcache\explorer.exe

2002-08-29 13:00 23040 ee17ba6788dff46c984990d8c08d7eef C:\WINDOWS\system32\ctfmon.exe
2002-08-29 13:00 23040 51fe568b2c23b91318bf615a9e3cb77e C:\WINDOWS\system32\dllcache\ctfmon.exe

2002-08-29 13:00 60928 1c6531faf2918ede69bbb727a9a1b3e8 C:\WINDOWS\system32\spoolsv.exe
2002-08-29 13:00 60928 66e616da006cf9995449de9e14187dba C:\WINDOWS\system32\dllcache\spoolsv.exe

2002-08-29 13:00 31744 d9538f49d2028e46048f26b7a5796801 C:\WINDOWS\system32\userinit.exe
2002-08-29 13:00 31744 44f4ec197882e4f7901cad61203965bf C:\WINDOWS\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( snapshot@2008-09-09_15.47.07.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-09 12:03:25 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-09 14:54:51 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-09 12:03:25 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-09 14:54:51 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-09 12:03:25 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-09 14:54:51 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-09 14:31:24 237,568 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-09-09 14:56:58 237,568 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
- 2008-06-28 20:22:20 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-09-09 14:56:00 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-28 20:22:20 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-09-09 14:56:00 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 1523741]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-28 39408]
"BullGuard"="C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" [2008-08-05 304456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2002-06-20 737334]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-06-30 41027]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2002-05-29 532480]
"Java (VM) v6.9.3"="C:\WINDOWS\System32\jdk-1_5_0_19-windows-i393-pp\jav.bat" [2008-03-05 87]
"BullGuard"="C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" [2008-08-05 304456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 23040]
"Java (VM) v6.9.3"="C:\WINDOWS\System32\jdk-1_5_0_19-windows-i393-pp\jav.bat" [2008-03-05 87]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"wmssvc.exe"= wmssvc.exe:SYSTEM

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-07-28 160792]
R2 NET Service;NET Service;C:\WINDOWS\wmssvc.exe [2008-06-28 198144]
S2 BsFileScan;BullGuard File Scan Service;C:\WINDOWS\System32\svchost.exe [2002-08-29 12800]
S2 BsFire;BullGuard Firewall Service;C:\WINDOWS\System32\svchost.exe [2002-08-29 12800]
S3 Reconn;BullGuard Email Monitor;C:\Program Files\BullGuard Ltd\BullGuard\Reconn.sys [ ]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\mclovin\Application Data\Mozilla\Firefox\Profiles\n3m5pc12.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-09-09 16:00:06
Windows 5.1.2600 Service Pack 1 NTFS

detected NTDLL code modification:
Z!!!enFile

scanning hidden processes ...

C:\WINDOWS\wmssvc.exe [1444] 0xFFBB5AB8

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Java (VM) v6.9.3 = C:\WINDOWS\System32\jdk-1_5_0_19-windows-i393-pp\jav.bat???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-09 16:09:29
ComboFix-quarantined-files.txt 2008-09-09 15:09:24
ComboFix2.txt 2008-09-09 14:48:07

Pre-Run: 65,790,873,600 bytes free
Post-Run: 65,553,145,856 bytes free

183
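A triage pass over a ComboFix log of the shape posted above, added here as an example (it is not code from the thread, from ComboFix or from BullGuard): it walks the REGEDIT4 keys, the service lines and catchme's hidden-process block and flags the entries Touch goes on to remove, such as the 87-byte jav.bat Run value, the Security Center overrides, the disabled firewall and a hidden wmssvc.exe that is also whitelisted through the firewall. The regexes, severity labels and the abridged SAMPLE_LOG are constructed for this example; the paths and values in the sample are the ones from the log above.

```python
"""Triage a ComboFix log: walk its REGEDIT4, service and catchme sections and flag
the kinds of entries that turned out to be malicious in the log above (added example)."""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "severity category detail")

# Constructed excerpt in ComboFix's log format: the paths and values are the ones
# in the log posted above, with most lines omitted for brevity.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Java (VM) v6.9.3"="C:\WINDOWS\System32\jdk-1_5_0_19-windows-i393-pp\jav.bat" [2008-03-05 87]
"BullGuard"="C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" [2008-08-05 304456]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"wmssvc.exe"= wmssvc.exe:SYSTEM

R2 NET Service;NET Service;C:\WINDOWS\wmssvc.exe [2008-06-28 198144]
S2 BsFire;BullGuard Firewall Service;C:\WINDOWS\System32\svchost.exe [2002-08-29 12800]

scanning hidden processes ...

C:\WINDOWS\wmssvc.exe [1444] 0xFFBB5AB8

scanning hidden autostart entries ...
"""

SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js")
RUN_RE = re.compile(r'^"[^"]+"="(?P<path>[^"]+)"\s*\[\S+\s+(?P<size>\d+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+?)\s*$')
SERVICE_RE = re.compile(r'^[RS]\d+\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s+\[')
HIDDEN_RE = re.compile(r'^(?P<path>[A-Za-z]:\\.+?\.exe)\s+\[(?P<pid>\d+)\]\s+0x[0-9A-Fa-f]+$', re.I)
WINDOWS_ROOT_RE = re.compile(r'^[A-Za-z]:\\windows\\[^\\]+$', re.I)  # file sitting directly in C:\WINDOWS

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def value_is_set(value):  # True for 'dword:00000001' and '1 (0x1)', False for '0 (0x0)'
    return int(value.split(":")[-1].split()[0], 16) != 0

def triage(log_text):
    """Return Finding tuples in log order; hidden/authorized correlations come last."""
    findings, authorized, hidden = [], set(), set()
    def add(sev, cat, detail):
        findings.append(Finding(sev, cat, detail))
    section, in_hidden = None, False  # current REGEDIT4 key; inside catchme's hidden-process block
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if line.startswith("scanning "):
            in_hidden = line.startswith("scanning hidden processes")
            continue
        if in_hidden:
            m = HIDDEN_RE.match(line)
            if m:
                hidden.add(basename(m.group("path")))
                add("HIGH", "hidden-process", f"{m.group('path')} (pid {m.group('pid')}) is hidden from the process list")
            continue
        m = SERVICE_RE.match(line)
        if m:
            if WINDOWS_ROOT_RE.match(m.group("path")):
                add("MEDIUM", "service", f"service '{m.group('name')}' runs {m.group('path')} directly under the Windows root")
            continue
        m = VALUE_RE.match(line)
        if section is None or not m:
            continue
        name, value = m.group("name"), m.group("value")
        if section.endswith("\\run"):
            r = RUN_RE.match(line)
            if r and (r.group("path").lower().endswith(SCRIPT_EXT) or int(r.group("size")) < 1024):
                add("MEDIUM", "autorun", f"Run value '{name}' launches {r.group('path')} ({r.group('size')} bytes)")
        elif section.endswith("security center"):
            if name.endswith(("Override", "DisableNotify")) and value_is_set(value):
                add("MEDIUM", "security-center", f"{name} is set: a Security Center warning is suppressed")
        elif section.endswith("authorizedapplications\\list"):
            authorized.add(basename(name))
        elif section.endswith("firewallpolicy\\standardprofile"):
            if name == "EnableFirewall" and not value_is_set(value):
                add("HIGH", "firewall", "Windows Firewall standard profile is disabled")
    for exe in sorted(hidden & authorized):
        add("HIGH", "correlation", f"{exe} is hidden from the process list and also allowed through the firewall")
    return findings

def severity_counts(findings):
    """Count findings per severity, e.g. {'HIGH': 3, 'MEDIUM': 7} for SAMPLE_LOG."""
    return dict(Counter(f.severity for f in findings))
```

Point `triage()` at the text of C:\combofix.txt to get the same kind of list for a full log; the benign BullGuard and svchost entries in the sample produce no finding.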
Posted 9/10/2008 10:46 AM #65845
Touch, Advanced member (Date Joined Nov 2016, Total Posts: 12974)
You have some infections there that can be the cause of your Bullguard problem. But you also have some Symantec folders. Do you have any other product from Symantec installed? Otherwise, they are probably leftovers from previous programs.

Posted 9/10/2008 11:13 AM #65847
islandprincess, Valued member (Date Joined Nov 2016, Total Posts: 24)
I think they might be leftovers from previous programs. Not sure! Don't remember installing anything like that unless Bullguard Support told me to when I was e-mailing them about this problem.

What do I do about the infections and this other program?

Posted 9/10/2008 11:50 AM #65849
Touch, Advanced member (Date Joined Nov 2016, Total Posts: 12974)
Ok. We'll remove them ;-)

Open Notepad and copy/paste the text in the quotebox below into it:

Quote:

Killall::

C:\WINDOWS\system32\msmshsr.exe
C:\WINDOWS\system32\savdldfdzss.exe
C:\WINDOWS\faceback1001186.exe
C:\WINDOWS\DUMP42d5.tmp
C:\WINDOWS\DUMP3940.tmp
C:\WINDOWS\DUMP3875.tmp
C:\WINDOWS\DUMP4bed.tmp
C:\WINDOWS\DUMP4083.tmp
C:\WINDOWS\DUMP3c3e.tmp
C:\WINDOWS\DUMP3884.tmp
C:\WINDOWS\DUMP3410.tmp
C:\WINDOWS\DUMP37e8.tmp
C:\WINDOWS\DUMP3529.tmp
C:\WINDOWS\DUMP37b9.tmp
C:\WINDOWS\DUMP3e22.tmp
C:\WINDOWS\DUMP5d33.tmp
C:\WINDOWS\DUMP58ce.tmp
C:\WINDOWS\DUMP50b0.tmp
C:\WINDOWS\DUMP2c7e.tmp
C:\WINDOWS\DUMP3eae.tmp
C:\WINDOWS\DUMP5ab2.tmp
C:\WINDOWS\DUMP3d95.tmp
C:\WINDOWS\DUMP38a4.tmp
C:\WINDOWS\DUMP3b43.tmp
C:\WINDOWS\DUMP3ebe.tmp
C:\WINDOWS\DUMP3e60.tmp
C:\WINDOWS\DUMP4769.tmp
C:\WINDOWS\DUMP443c.tmp
C:\WINDOWS\DUMP417d.tmp
C:\WINDOWS\DUMP3c3d.tmp
C:\WINDOWS\DUMP3da5.tmp
C:\WINDOWS\DUMP3b15.tmp
C:\WINDOWS\DUMP38c3.tmp
C:\WINDOWS\DUMP376b.tmp
C:\WINDOWS\DUMP413f.tmp
C:\WINDOWS\DUMP416e.tmp
C:\WINDOWS\DUMP38b3.tmp
C:\WINDOWS\DUMP2e63.tmp
C:\WINDOWS\DUMP2b46.tmp
C:\WINDOWS\wmssvc.exe
C:\WINDOWS\java\Packages\GJVB73H7.ZIP
C:\WINDOWS\java\Packages\IEWHZXVJ.ZIP
Folder::

C:\Program Files\Common Files\Symantec Shared
C:\Program Files\NoAdware5.0
C:\Documents and Settings\All Users\Application Data\Symantec

Driver::
NET Service

FireFox::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"wmssvc.exe"=-

Save this as:
CFScript

https://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

Then post a fresh Combofix log.

Posted 9/10/2008 1:28 PM #65852
islandprincess, Valued member (Date Joined Nov 2016, Total Posts: 24)
"Touch" wrote:

Ok. We'll remove them ;-)

Open Notepad and copy/paste the text in the quotebox below into it:

Quote:

Killall::

C:\WINDOWS\system32\msmshsr.exe
C:\WINDOWS\system32\savdldfdzss.exe
C:\WINDOWS\faceback1001186.exe
C:\WINDOWS\DUMP42d5.tmp
C:\WINDOWS\DUMP3940.tmp
C:\WINDOWS\DUMP3875.tmp
C:\WINDOWS\DUMP4bed.tmp
C:\WINDOWS\DUMP4083.tmp
C:\WINDOWS\DUMP3c3e.tmp
C:\WINDOWS\DUMP3884.tmp
C:\WINDOWS\DUMP3410.tmp
C:\WINDOWS\DUMP37e8.tmp
C:\WINDOWS\DUMP3529.tmp
C:\WINDOWS\DUMP37b9.tmp
C:\WINDOWS\DUMP3e22.tmp
C:\WINDOWS\DUMP5d33.tmp
C:\WINDOWS\DUMP58ce.tmp
C:\WINDOWS\DUMP50b0.tmp
C:\WINDOWS\DUMP2c7e.tmp
C:\WINDOWS\DUMP3eae.tmp
C:\WINDOWS\DUMP5ab2.tmp
C:\WINDOWS\DUMP3d95.tmp
C:\WINDOWS\DUMP38a4.tmp
C:\WINDOWS\DUMP3b43.tmp
C:\WINDOWS\DUMP3ebe.tmp
C:\WINDOWS\DUMP3e60.tmp
C:\WINDOWS\DUMP4769.tmp
C:\WINDOWS\DUMP443c.tmp
C:\WINDOWS\DUMP417d.tmp
C:\WINDOWS\DUMP3c3d.tmp
C:\WINDOWS\DUMP3da5.tmp
C:\WINDOWS\DUMP3b15.tmp
C:\WINDOWS\DUMP38c3.tmp
C:\WINDOWS\DUMP376b.tmp
C:\WINDOWS\DUMP413f.tmp
C:\WINDOWS\DUMP416e.tmp
C:\WINDOWS\DUMP38b3.tmp
C:\WINDOWS\DUMP2e63.tmp
C:\WINDOWS\DUMP2b46.tmp
C:\WINDOWS\wmssvc.exe
C:\WINDOWS\java\Packages\GJVB73H7.ZIP
C:\WINDOWS\java\Packages\IEWHZXVJ.ZIP
Folder::

C:\Program Files\Common Files\Symantec Shared
C:\Program Files\NoAdware5.0
C:\Documents and Settings\All Users\Application Data\Symantec

Driver::
NET Service

FireFox::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"wmssvc.exe"=-

Save this as:
CFScript

https://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

Then post a fresh Combofix log.

OK, do I open a new Notepad file or is it the one I have saved for Combofix? Can't go any further till I know this.
Posted 9/10/2008 1:34 PM #65854
Touch, Advanced member (Date Joined Nov 2016, Total Posts: 12974)
Open a new Notepad file.

Posted 9/10/2008 2:20 PM #65858
islandprincess, Valued member (Date Joined Nov 2016, Total Posts: 24)
Here's the new log:
C:\WINDOWS\DUMP376b.tmp
C:\WINDOWS\DUMP37b9.tmp
C:\WINDOWS\DUMP37e8.tmp
C:\WINDOWS\DUMP3875.tmp
C:\WINDOWS\DUMP3884.tmp
C:\WINDOWS\DUMP38a4.tmp
C:\WINDOWS\DUMP38b3.tmp
C:\WINDOWS\DUMP38c3.tmp
C:\WINDOWS\DUMP3940.tmp
C:\WINDOWS\DUMP3b15.tmp
C:\WINDOWS\DUMP3b43.tmp
C:\WINDOWS\DUMP3c3d.tmp
C:\WINDOWS\DUMP3c3e.tmp
C:\WINDOWS\DUMP3d95.tmp
C:\WINDOWS\DUMP3da5.tmp
C:\WINDOWS\DUMP3e22.tmp
C:\WINDOWS\DUMP3e60.tmp
C:\WINDOWS\DUMP3eae.tmp
C:\WINDOWS\DUMP3ebe.tmp
C:\WINDOWS\DUMP4083.tmp
C:\WINDOWS\DUMP413f.tmp
C:\WINDOWS\DUMP416e.tmp
C:\WINDOWS\DUMP417d.tmp
C:\WINDOWS\DUMP42d5.tmp
C:\WINDOWS\DUMP443c.tmp
C:\WINDOWS\DUMP4769.tmp
C:\WINDOWS\DUMP4bed.tmp
C:\WINDOWS\DUMP50b0.tmp
C:\WINDOWS\DUMP58ce.tmp
C:\WINDOWS\DUMP5ab2.tmp
C:\WINDOWS\DUMP5d33.tmp
C:\WINDOWS\faceback1001186.exe
C:\WINDOWS\java\Packages\GJVB73H7.ZIP
C:\WINDOWS\java\Packages\IEWHZXVJ.ZIP
C:\WINDOWS\system32\msmshsr.exe
C:\WINDOWS\system32\savdldfdzss.exe
C:\WINDOWS\wmssvc.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NET_SERVICE
-------\Service_NET Service


((((((((((((((((((((((((( Files Created from 2008-08-10 to 2008-09-10 )))))))))))))))))))))))))))))))
.

2008-09-10 10:25 . 2008-09-10 10:25 111,709 --a------ C:\WINDOWS\system32\mshsyuiers.exe
2008-09-08 20:12 . 2008-09-08 20:12 <DIR> d-------- C:\Program Files\BullGuard Ltd
2008-09-05 19:40 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-05 19:40 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-03 14:28 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-09-03 14:26 . 2008-09-03 14:26 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-08-29 18:36 . 2008-08-29 18:36 <DIR> d-------- C:\Program Files\OxigenInstall
2008-08-28 21:15 . 2008-08-28 21:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-28 21:06 . 2008-08-28 21:17 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-28 15:16 . 2008-08-28 20:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-08-27 18:15 . 2008-09-01 13:22 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-27 18:15 . 2008-08-27 18:15 <DIR> d-------- C:\Documents and Settings\mclovin\Application Data\PC Tools
2008-08-27 18:15 . 2008-08-27 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-08-27 18:12 . 2008-08-27 18:12 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-08-22 15:03 . 2008-08-22 15:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-22 15:03 . 2008-09-01 13:22 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-21 21:13 . 2008-09-01 13:22 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-08-21 21:13 . 2008-07-28 11:29 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-08-11 18:54 . 2008-08-20 21:36 <DIR> d-------- C:\WINDOWS\system32\jdk-1_5_0_19-windows-i393-pp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 20:26 --------- d-----w C:\Program Files\FoneSync
2008-08-28 20:19 --------- d-----w C:\Program Files\Google
2008-08-27 17:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-27 16:57 --------- d-----w C:\Program Files\Logitech
2008-08-20 19:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-20 19:54 --------- d-----w C:\Program Files\Create Your Own Greeting Cards
2008-08-05 10:08 19,784 ----a-w C:\WINDOWS\system32\BgOutlookHook.dll
2008-08-05 10:04 14,152 ----a-w C:\WINDOWS\system32\lccl.dll
2008-08-05 10:04 14,152 ----a-w C:\WINDOWS\system32\client_cc.dll
2008-07-27 11:50 --------- d-----w C:\Program Files\Zylom Games
2008-07-27 11:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
.

------- Sigcheck -------

2002-08-29 13:00 1013760 66be0215c2896ac95e48860538828719 C:\WINDOWS\explorer.exe
2002-08-29 13:00 1013760 ac80adc21d0feec9fb7791588cbaf983 C:\WINDOWS\system32\dllcache\explorer.exe

2002-08-29 13:00 23040 ee17ba6788dff46c984990d8c08d7eef C:\WINDOWS\system32\ctfmon.exe
2002-08-29 13:00 23040 51fe568b2c23b91318bf615a9e3cb77e C:\WINDOWS\system32\dllcache\ctfmon.exe

2002-08-29 13:00 60928 1c6531faf2918ede69bbb727a9a1b3e8 C:\WINDOWS\system32\spoolsv.exe
2002-08-29 13:00 60928 66e616da006cf9995449de9e14187dba C:\WINDOWS\system32\dllcache\spoolsv.exe

2002-08-29 13:00 31744 d9538f49d2028e46048f26b7a5796801 C:\WINDOWS\system32\userinit.exe
2002-08-29 13:00 31744 44f4ec197882e4f7901cad61203965bf C:\WINDOWS\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 1523741]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-28 39408]
"BullGuard"="C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" [2008-08-05 304456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2002-06-20 737334]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-06-30 41027]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2002-05-29 532480]
"Java (VM) v6.9.3"="C:\WINDOWS\System32\jdk-1_5_0_19-windows-i393-pp\jav.bat" [2008-03-05 87]
"BullGuard"="C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" [2008-08-05 304456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 23040]
"Java (VM) v6.9.3"="C:\WINDOWS\System32\jdk-1_5_0_19-windows-i393-pp\jav.bat" [2008-03-05 87]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"wmssvc.exe"= wmssvc.exe:SYSTEM

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-07-28 160792]
S2 BsFileScan;BullGuard File Scan Service;C:\WINDOWS\System32\svchost.exe [2002-08-29 12800]
S2 BsFire;BullGuard Firewall Service;C:\WINDOWS\System32\svchost.exe [2002-08-29 12800]
S3 Reconn;BullGuard Email Monitor;C:\Program Files\BullGuard Ltd\BullGuard\Reconn.sys [ ]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-09-10 14:57:26
Windows 5.1.2600 Service Pack 1 NTFS

detected NTDLL code modification:
Z!!!enFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-10 15:05:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-10 14:04:56
ComboFix2.txt 2008-09-09 14:48:07

Pre-Run: 65,974,632,448 bytes free
Post-Run: 65,708,564,480 bytes free

171
Posted 9/10/2008 3:40 PM
#65861
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Looks like we have improvement.

Please download Malwarebytes' Anti-Malware:

https://www.spywarefri.dk/downloads1/mbam-setup.exe

Or here:

https://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;pop&cdlPid=10878968

to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad. Please save it to a convenient location.

NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

-------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Killall::

Snapshot::

File::
C:\WINDOWS\system32\mshsyuiers.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"wmssvc.exe"=-

Save this as:
CFScript

https://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

Then post a fresh ComboFix log, along with the Malwarebytes' Anti-Malware log, and tell how things are running now?



Posted 9/10/2008 5:11 PM
#65867
User avatar

islandprincess Valued member

Date Joined Nov 2016
Total Posts: 24
This is the Combofix log:
ComboFix 08-09-05.14 - mclovin 2008-09-10 17:52:23.4 - NTFSx86
Running from: C:\Documents and Settings\mclovin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mclovin\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cnvfa.dll
C:\WINDOWS\system32\F.tmp
C:\WINDOWS\system32\mshsyuiers.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-10 to 2008-09-10 )))))))))))))))))))))))))))))))
.

2008-09-10 17:07 . 2008-09-10 17:08 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-10 17:07 . 2008-09-10 17:07 <DIR> d-------- C:\Documents and Settings\mclovin\Application Data\Malwarebytes
2008-09-10 17:07 . 2008-09-10 17:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-10 17:07 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-10 17:07 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-10 15:36 . 2008-09-10 15:36 29 --a------ C:\WINDOWS\system32\gpawtrqs.tmp
2008-09-10 15:35 . 2008-09-10 15:35 96,768 --a------ C:\WINDOWS\system32\paso.el
2008-09-10 15:35 . 2008-09-10 15:35 63,488 --a------ C:\WINDOWS\system32\io.e18
2008-09-10 15:35 . 2008-09-10 15:35 32,768 --a------ C:\WINDOWS\system32\onmac.frv
2008-09-10 15:35 . 2008-09-10 15:35 32,768 --a------ C:\WINDOWS\system32\ffcty.sp
2008-09-10 15:35 . 2008-09-10 15:35 28,672 --a------ C:\WINDOWS\system32\mnax.help
2008-09-10 15:35 . 2008-09-10 15:35 28,672 --a------ C:\WINDOWS\system32\can.sdr
2008-09-10 15:35 . 2008-09-10 15:35 224 --a------ C:\WINDOWS\system32\A.tmp
2008-09-10 15:35 . 2008-09-10 15:35 18 --a------ C:\WINDOWS\system32\10.tmp
2008-09-08 20:12 . 2008-09-08 20:12 <DIR> d-------- C:\Program Files\BullGuard Ltd
2008-09-05 19:40 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-05 19:40 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-03 14:28 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-09-03 14:26 . 2008-09-03 14:26 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-08-29 18:36 . 2008-08-29 18:36 <DIR> d-------- C:\Program Files\OxigenInstall
2008-08-28 21:15 . 2008-08-28 21:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-28 21:06 . 2008-08-28 21:17 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-28 15:16 . 2008-08-28 20:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-08-27 18:15 . 2008-09-01 13:22 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-27 18:15 . 2008-08-27 18:15 <DIR> d-------- C:\Documents and Settings\mclovin\Application Data\PC Tools
2008-08-27 18:15 . 2008-08-27 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-08-27 18:12 . 2008-08-27 18:12 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-08-22 15:03 . 2008-08-22 15:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-22 15:03 . 2008-09-01 13:22 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-21 21:13 . 2008-09-01 13:22 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-08-21 21:13 . 2008-07-28 11:29 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-08-11 18:54 . 2008-08-20 21:36 <DIR> d-------- C:\WINDOWS\system32\jdk-1_5_0_19-windows-i393-pp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-10 14:35 560,128 ----a-w C:\WINDOWS\system32\user32.DLL
2008-08-28 20:26 --------- d-----w C:\Program Files\FoneSync
2008-08-28 20:19 --------- d-----w C:\Program Files\Google
2008-08-27 17:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-27 16:57 --------- d-----w C:\Program Files\Logitech
2008-08-20 19:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-20 19:54 --------- d-----w C:\Program Files\Create Your Own Greeting Cards
2008-08-05 10:08 19,784 ----a-w C:\WINDOWS\system32\BgOutlookHook.dll
2008-08-05 10:04 14,152 ----a-w C:\WINDOWS\system32\lccl.dll
2008-08-05 10:04 14,152 ----a-w C:\WINDOWS\system32\client_cc.dll
2008-07-27 11:50 --------- d-----w C:\Program Files\Zylom Games
2008-07-27 11:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
560,128 2008-09-10 14:35:42 C:\WINDOWS\system32\user32.DLL
560,128 2008-09-10 14:35:42 C:\WINDOWS\system32\dllcache\user32.dll


------- Sigcheck -------

2008-09-10 15:35 560128 2434e5831fe33320dae19e27bac0f52e C:\WINDOWS\system32\user32.DLL
2008-09-10 15:35 560128 2434e5831fe33320dae19e27bac0f52e C:\WINDOWS\system32\dllcache\user32.dll

2002-08-29 13:00 1013760 66be0215c2896ac95e48860538828719 C:\WINDOWS\explorer.exe
2002-08-29 13:00 1013760 ac80adc21d0feec9fb7791588cbaf983 C:\WINDOWS\system32\dllcache\explorer.exe

2002-08-29 13:00 23040 ee17ba6788dff46c984990d8c08d7eef C:\WINDOWS\system32\ctfmon.exe
2002-08-29 13:00 23040 51fe568b2c23b91318bf615a9e3cb77e C:\WINDOWS\system32\dllcache\ctfmon.exe

2002-08-29 13:00 60928 1c6531faf2918ede69bbb727a9a1b3e8 C:\WINDOWS\system32\spoolsv.exe
2002-08-29 13:00 60928 66e616da006cf9995449de9e14187dba C:\WINDOWS\system32\dllcache\spoolsv.exe

2002-08-29 13:00 31744 d9538f49d2028e46048f26b7a5796801 C:\WINDOWS\system32\userinit.exe
2002-08-29 13:00 31744 44f4ec197882e4f7901cad61203965bf C:\WINDOWS\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44665C55-0AEA-4290-80D3-58D9DA499F1A}]
2002-08-29 13:00 91648 --a------ C:\WINDOWS\System32\cnvfa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45080112-43D4-4B43-A8BC-7F1DFBFDCEAF}]
2008-09-10 17:57 3584 --a------ C:\WINDOWS\System32\MYBHO.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82499BBB-5AC6-48B1-9F39-FD21881354EC}]
2002-08-29 13:00 91648 --a------ C:\WINDOWS\System32\cnvfa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4C7E96A-394E-47B1-91D1-2168F9BA7D48}]
2002-08-29 13:00 91648 --a------ C:\WINDOWS\System32\cnvfa.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 1523741]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-28 39408]
"BullGuard"="C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" [2008-08-05 304456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"advap32"=".\B.tmp/r" [X]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2002-06-20 737334]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-06-30 41027]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2002-05-29 532480]
"Java (VM) v6.9.3"="C:\WINDOWS\System32\jdk-1_5_0_19-windows-i393-pp\jav.bat" [2008-03-05 87]
"BullGuard"="C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" [2008-08-05 304456]
"services"="C:\WINDOWS\services.exe" [2008-09-10 49664]
"PromoReg"="C:\WINDOWS\system32\alt.exe.exe" [2008-09-10 318464]
"OGKKENFK"="C:\WINDOWS\OGKKENFK.exe" [2008-09-10 176128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 23040]
"Java (VM) v6.9.3"="C:\WINDOWS\System32\jdk-1_5_0_19-windows-i393-pp\jav.bat" [2008-03-05 87]
"neos"="C:\WINDOWS\neos.exe" [2008-09-10 93696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
2008-09-10 17:58 15872 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
2008-09-10 17:58 15872 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrv61.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"wmssvc.exe"= wmssvc.exe:SYSTEM

R0 Winrv61;Winrv61;C:\WINDOWS\System32\Drivers\Winrv61.sys [2002-08-29 30592]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-07-28 160792]
S2 BsFileScan;BullGuard File Scan Service;C:\WINDOWS\System32\svchost.exe [2002-08-29 12800]
S2 BsFire;BullGuard Firewall Service;C:\WINDOWS\System32\svchost.exe [2002-08-29 12800]
S3 Reconn;BullGuard Email Monitor;C:\Program Files\BullGuard Ltd\BullGuard\Reconn.sys [ ]

*Newly Created Service* - OSOTRQSU
*Newly Created Service* - WINRV61
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-arrrbcrb - C:\WINDOWS\arrrbcrb.exe



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-09-10 17:55:59
Windows 5.1.2600 Service Pack 1 NTFS

detected NTDLL code modification:
Z!!!enFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\svcp.csv 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Abiosdsk]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\osotrqsu]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\osotrqsu.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2]

.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\F.tmp
.
**************************************************************************
.
Completion time: 2008-09-10 18:02:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-10 17:02:21
ComboFix2.txt 2008-09-10 14:05:04
ComboFix3.txt 2008-09-09 14:48:07

Pre-Run: 65,740,435,456 bytes free
Post-Run: 65,724,141,568 bytes free

177



This is the Malware log:

Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 1

10/09/2008 17:31:43
mbam-log-2008-09-10 (17-31-43).txt

Scan type: Full Scan (A:\|C:\|E:\|)
Objects scanned: 65450
Time elapsed: 16 minute(s), 43 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 98
Registry Values Infected: 12
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 43

Memory Processes Infected:
C:\WINDOWS\system32\Cpl32ver.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\alt.exe.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\services.exe (Backdoor.ProRat) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45080112-43d4-4b43-a8bc-7f1dfbfdceaf} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{45080112-43d4-4b43-a8bc-7f1dfbfdceaf} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{07b18ea0-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3e720450-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wyeqvrvl (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wyeqvrvl (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\promoreg (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\pxpinit_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neos (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cpl32ver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\Windows Update (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\MYBHO.DLL (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\WINDOWS\services.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\alt.exe.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvrsol32.dll (Spyware.Agent.H) -> Delete on reboot.
C:\Documents and Settings\mclovin\Desktop\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\mclovin\Desktop\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\mclovin\Desktop\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\mclovin\Desktop\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\mclovin\Desktop\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\mclovin\Desktop\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\mclovin\Desktop\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\mclovin\Desktop\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\mclovin\Desktop\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D70CC1-CFAC-4B7B-9421-D45F5A1F5BD2}\RP17\A0042140.cpl (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D70CC1-CFAC-4B7B-9421-D45F5A1F5BD2}\RP20\A0059448.cpl (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D70CC1-CFAC-4B7B-9421-D45F5A1F5BD2}\RP41\A0076673.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D70CC1-CFAC-4B7B-9421-D45F5A1F5BD2}\RP41\A0076675.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D70CC1-CFAC-4B7B-9421-D45F5A1F5BD2}\RP41\A0076677.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D70CC1-CFAC-4B7B-9421-D45F5A1F5BD2}\RP41\A0076682.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D70CC1-CFAC-4B7B-9421-D45F5A1F5BD2}\RP41\A0076685.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D70CC1-CFAC-4B7B-9421-D45F5A1F5BD2}\RP41\A0076688.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D70CC1-CFAC-4B7B-9421-D45F5A1F5BD2}\RP41\A0076689.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D70CC1-CFAC-4B7B-9421-D45F5A1F5BD2}\RP41\A0076696.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D70CC1-CFAC-4B7B-9421-D45F5A1F5BD2}\RP41\A0076703.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\RTNTPVPR.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\WYEQVRVL.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\edown4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\neos.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Cpl32ver.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\back.exe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\crock+mock.config (Worm.Zhelatin) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winsub.xml (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svcp.csv (Malware.Trace) -> Quarantined and deleted successfully.



I hope this is ok. Do I need to delete anything from my desktop, i.e. Malware and all the logs that I have saved, before I can successfully download Bullguard again, if the computer is clean of course?
Posted 9/10/2008 6:08 PM
#65868
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
I'll suggest you install Bullguard now. Update it, run a complete system scan, and let me know how things go.


It is possible we'll need the tools you have downloaded later.

Do not PM me with logfiles. They will be deleted.


Posted 9/10/2008 6:14 PM
#65870
User avatar

islandprincess Valued member

Date Joined Nov 2016
Total Posts: 24
Ok, will do that. Just 1 more thing: every time I go onto MSN other pages keep popping up, whereas before when I logged on it used to go straight into MSN. Has this got anything to do with programs that I have downloaded?
Posted 9/10/2008 7:00 PM
#65874
User avatar

islandprincess Valued member

Date Joined Nov 2016
Total Posts: 24
Ok, tried to install Bullguard from the internet site and the 1st time got "Antivirus plugin error installing - corrupted installer" again. Installation aborted. The second time I got "File monitoring drive problem", RUNDLL says error loading, couldn't start firewall engine and could not start live update, but yet it said that Bullguard was finished installing. How can it be when not all elements of it were installed?

Do I have to uninstall Malware in order for it to install, or does that program make any difference to installing?

Like I said, I am getting fed up of this and thought that it was fixed.
Posted 9/11/2008 10:11 AM
#65886
User avatar

islandprincess Valued member

Date Joined Nov 2016
Total Posts: 24
I ran a malware scan later on and now I have at least 5 Trojans on the computer. Every time I go onto the internet I get a virus?

Can't install Bullguard, same problems as yesterday. Malware can't remove the viruses.

Please help again.
Posted 9/12/2008 5:24 AM
#65900
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Sorry for late reply :blush:




Please post a fresh ComboFix log.

Do not PM me with logfiles. They will be deleted.


Posted 9/12/2008 11:18 AM
#65913
User avatar

islandprincess Valued member

Date Joined Nov 2016
Total Posts: 24
Here is the ComboFix log as requested. Hopefully this time I can get Bullguard installed with no problems.




ComboFix 08-09-10.04 - mclovin 2008-09-12 12:00:32.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.4 [GMT 1:00]
Running from: C:\Documents and Settings\mclovin\Desktop\ComboFix.exe
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\B.tmp
C:\WINDOWS\system32\cnvfa.dll
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\system32\F.tmp

.
((((((((((((((((((((((((( Files Created from 2008-08-12 to 2008-09-12 )))))))))))))))))))))))))))))))
.

2008-09-11 17:50 . 2008-09-11 19:05 <DIR> d-------- C:\Documents and Settings\princess
2008-09-10 18:36 . 2008-09-10 18:36 0 -ra------ C:\WINDOWS\system32\TFTP204
2008-09-10 17:58 . 2008-09-10 15:35 560,128 --a------ C:\WINDOWS\system32\bogxyg
2008-09-10 17:58 . 2008-09-10 17:58 18 --a------ C:\WINDOWS\system32\11.tmp
2008-09-10 17:57 . 2008-09-10 17:57 224 --a------ C:\WINDOWS\system32\8.tmp
2008-09-10 17:07 . 2008-09-10 17:08 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-10 17:07 . 2008-09-10 17:07 <DIR> d-------- C:\Documents and Settings\mclovin\Application Data\Malwarebytes
2008-09-10 17:07 . 2008-09-10 17:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-10 17:07 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-10 17:07 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-10 15:36 . 2008-09-10 15:36 29 --a------ C:\WINDOWS\system32\gpawtrqs.tmp
2008-09-10 15:35 . 2008-09-10 17:58 96,768 --a------ C:\WINDOWS\system32\paso.el
2008-09-10 15:35 . 2008-09-10 15:35 63,488 --a------ C:\WINDOWS\system32\io.e18
2008-09-10 15:35 . 2008-09-10 15:35 32,768 --a------ C:\WINDOWS\system32\onmac.frv
2008-09-10 15:35 . 2008-09-10 15:35 32,768 --a------ C:\WINDOWS\system32\ffcty.sp
2008-09-10 15:35 . 2008-09-10 15:35 28,672 --a------ C:\WINDOWS\system32\mnax.help
2008-09-10 15:35 . 2008-09-10 15:35 28,672 --a------ C:\WINDOWS\system32\can.sdr
2008-09-10 15:35 . 2008-09-10 15:35 224 --a------ C:\WINDOWS\system32\A.tmp
2008-09-10 15:35 . 2008-09-10 15:35 18 --a------ C:\WINDOWS\system32\10.tmp
2008-09-05 19:40 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-05 19:40 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-03 14:28 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-09-03 14:26 . 2008-09-03 14:26 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-08-29 18:36 . 2008-08-29 18:36 <DIR> d-------- C:\Program Files\OxigenInstall
2008-08-28 21:15 . 2008-08-28 21:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-28 21:06 . 2008-08-28 21:17 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-28 15:16 . 2008-08-28 20:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-08-27 18:15 . 2008-09-01 13:22 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-27 18:15 . 2008-08-27 18:15 <DIR> d-------- C:\Documents and Settings\mclovin\Application Data\PC Tools
2008-08-27 18:15 . 2008-08-27 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-08-27 18:12 . 2008-08-27 18:12 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-08-22 15:03 . 2008-08-22 15:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-22 15:03 . 2008-09-01 13:22 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-21 21:13 . 2008-09-01 13:22 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-08-21 21:13 . 2008-07-28 11:29 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-10 19:49 65,536 ----a-w C:\WINDOWS\DUMP3921.tmp
2008-09-10 19:26 65,536 ----a-w C:\WINDOWS\DUMP2f8b.tmp
2008-09-10 14:35 560,128 ----a-w C:\WINDOWS\system32\user32.DLL
2008-08-28 20:26 --------- d-----w C:\Program Files\FoneSync
2008-08-28 20:19 --------- d-----w C:\Program Files\Google
2008-08-27 17:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-27 16:57 --------- d-----w C:\Program Files\Logitech
2008-08-20 19:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-20 19:54 --------- d-----w C:\Program Files\Create Your Own Greeting Cards
2008-07-27 11:50 --------- d-----w C:\Program Files\Zylom Games
2008-07-27 11:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
560,128 2008-09-10 14:35:42 C:\WINDOWS\system32\user32.DLL
560,128 2008-09-10 14:35:42 C:\WINDOWS\system32\dllcache\user32.dll


------- Sigcheck -------

2008-09-10 15:35 560128 2434e5831fe33320dae19e27bac0f52e C:\WINDOWS\system32\user32.DLL
2008-09-10 15:35 560128 2434e5831fe33320dae19e27bac0f52e C:\WINDOWS\system32\dllcache\user32.dll

2002-08-29 13:00 1013760 66be0215c2896ac95e48860538828719 C:\WINDOWS\explorer.exe
2002-08-29 13:00 1013760 ac80adc21d0feec9fb7791588cbaf983 C:\WINDOWS\system32\dllcache\explorer.exe

2002-08-29 13:00 23040 ee17ba6788dff46c984990d8c08d7eef C:\WINDOWS\system32\ctfmon.exe
2002-08-29 13:00 23040 51fe568b2c23b91318bf615a9e3cb77e C:\WINDOWS\system32\dllcache\ctfmon.exe

2002-08-29 13:00 60928 1c6531faf2918ede69bbb727a9a1b3e8 C:\WINDOWS\system32\spoolsv.exe
2002-08-29 13:00 60928 66e616da006cf9995449de9e14187dba C:\WINDOWS\system32\dllcache\spoolsv.exe

2002-08-29 13:00 31744 d9538f49d2028e46048f26b7a5796801 C:\WINDOWS\system32\userinit.exe
2002-08-29 13:00 31744 44f4ec197882e4f7901cad61203965bf C:\WINDOWS\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( snapshot@2008-09-10_18.01.52.47 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-30 15:08:16 11,264 ----a-r C:\WINDOWS\Installer\{02400202-5D65-445A-B3B4-3DCE72BA0C6C}\ENCICONS.EXE
+ 2008-06-30 15:08:16 20,992 ----a-r C:\WINDOWS\Installer\{02400202-5D65-445A-B3B4-3DCE72BA0C6C}\ENCICONS.EXE
- 2008-09-10 16:55:36 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-12 09:59:46 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-10 16:55:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-12 09:59:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-10 16:55:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-12 09:59:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-10 13:52:26 237,568 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-09-12 10:59:33 237,568 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
- 2008-08-27 17:23:48 769,020 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-09-11 18:08:20 2,161,324 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 1523741]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2002-06-20 737334]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-06-30 41027]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2002-05-29 532480]
"Java (VM) v6.9.3"="C:\WINDOWS\System32\jdk-1_5_0_19-windows-i393-pp\jav.bat" [2008-03-05 87]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 23040]
"Java (VM) v6.9.3"="C:\WINDOWS\System32\jdk-1_5_0_19-windows-i393-pp\jav.bat" [2008-03-05 87]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrv61.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"wmssvc.exe"= wmssvc.exe:SYSTEM

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-07-28 160792]
S2 osotrqsu;osotrqsu;C:\WINDOWS\system32\drivers\osotrqsu.sys [ ]
.
- - - - ORPHANS REMOVED - - - -

BHO-{44665C55-0AEA-4290-80D3-58D9DA499F1A} - C:\WINDOWS\System32\cnvfa.dll
BHO-{82499BBB-5AC6-48B1-9F39-FD21881354EC} - C:\WINDOWS\System32\cnvfa.dll
BHO-{A4C7E96A-394E-47B1-91D1-2168F9BA7D48} - C:\WINDOWS\System32\cnvfa.dll
BHO-{A7B07516-407E-4754-B336-49BB495DF186} - C:\WINDOWS\System32\cnvfa.dll
BHO-{F39EBA94-2B05-4AD7-9C7E-696420E523DF} - C:\WINDOWS\System32\cnvfa.dll
HKLM-Run-OGKKENFK - C:\WINDOWS\OGKKENFK.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\mclovin\Application Data\Mozilla\Firefox\Profiles\n3m5pc12.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-09-12 12:03:33
Windows 5.1.2600 Service Pack 1 NTFS

detected NTDLL code modification:
Z!!!enFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-12 12:07:25
ComboFix-quarantined-files.txt 2008-09-12 11:07:22
ComboFix2.txt 2008-09-10 17:02:32
ComboFix3.txt 2008-09-10 14:05:04
ComboFix4.txt 2008-09-09 14:48:07

Pre-Run: 64,065,236,992 bytes free
Post-Run: 63,968,235,520 bytes free
