
Bogus antivirus software alert redirecting internet and stopping all programmes from running

Posted 5/1/2010 8:24 AM
#85548

wakari Advanced member

Date Joined Nov 2016
Total Posts: 48
Hi Touch,

Wakari here. I have another virus downloaded on the back of something. It is giving me bogus anti virus warnings and asking me to download an anti virus programme Antispyware Soft. It is stopping all programs from running and creating havoc with even writing this information.

I have run Mbam and combofix. Mbam has identified trojans but I can't get into it to tell you what they are. It removed some initially but subsequent scans show nothing.

Here are the HJT and Mbam logs. No it won't let me open the log to copy it into the forum. Will need to reboot to get at the log and post it again.
Posted 5/1/2010 8:30 AM
#85549

wakari Advanced member

Date Joined Nov 2016
Total Posts: 48
Hi Touch, here are the mbam and HJT logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:04 p.m., on 1/05/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: Yahoo!Xtra Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo!Xtra Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mtxdkbno] C:\Documents and Settings\Jeff Withington\Local Settings\Application Data\ndnpjyasf\qvudmnstssd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mtxdkbno] C:\Documents and Settings\Jeff Withington\Local Settings\Application Data\ndnpjyasf\qvudmnstssd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - https://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jeff Withington\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - https://messenger.zone.msn.com/EN-NZ/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - https://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152323313593
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - https://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - https://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5822 bytes



Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

1/05/2010 1:10:39 p.m.
mbam-log-2010-05-01 (13-10-39).txt

Scan type: Quick Scan
Objects scanned: 118897
Time elapsed: 7 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
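A small triage script for the two logs in this post, written as an added example for this thread; it is not part of HijackThis, Malwarebytes' Anti-Malware, ComboFix or the BullGuard forum. It assumes the HJT and MBAM line layouts shown above; the sample lines are constructed from entries in the logs, with the profile name replaced by a placeholder. It flags the localhost ProxyServer entry (the redirect wakari describes), autoruns launched from a user-writable profile directory, the same autorun name registered under both HKLM and HKCU, and the DisableTaskMgr policy MBAM repaired.

```python
"""Triage helper for HijackThis (HJT) and Malwarebytes' Anti-Malware (MBAM) logs.

Added example for this thread; not part of HJT, MBAM, ComboFix or any tool
mentioned here.  It flags entries a responder looks at first in a rogue-AV case:
  * an Internet Explorer ProxyServer pointing at localhost (traffic redirection)
  * autoruns whose executable lives in a user-writable profile directory
  * the same autorun name registered under both HKLM and HKCU
and lists the registry policy values MBAM reported as tampered with.
"""
import re

# ---- HijackThis line shapes (as in the log above) -------------------------
PROXY_RE = re.compile(r"^R1 - (?P<hive>HK[A-Z]+)\\.*ProxyServer = (?P<value>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)
LOCAL_PROXY_RE = re.compile(r"(?:127\.0\.0\.1|localhost):(?P<port>\d+)")

# Directories an unprivileged user can write to.  An autorun launched from one
# of these is not proof of malware, but it is where rogue-AV droppers usually
# land, so it deserves a look.  Heuristic list, assumed for this example.
USER_WRITABLE_MARKERS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "\\documents and settings\\all users\\application data\\",
)

# ---- MBAM "Registry Data Items Infected" line shape ------------------------
MBAM_DATA_RE = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\.+?)\\(?P<value>[^\\]+) \((?P<category>[^)]+)\) -> "
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$"
)

# Constructed sample lines, modelled on the logs in this post (profile name replaced).
HJT_SAMPLE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mtxdkbno] C:\Documents and Settings\user\Local Settings\Application Data\ndnpjyasf\qvudmnstssd.exe
O4 - HKCU\..\Run: [mtxdkbno] C:\Documents and Settings\user\Local Settings\Application Data\ndnpjyasf\qvudmnstssd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

MBAM_SAMPLE = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""


def triage_hjt(log_text):
    """Return a list of finding dicts for suspicious R1/O4 entries in an HJT log."""
    findings = []
    autoruns = {}  # autorun name -> set of hives it is registered under
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            lp = LOCAL_PROXY_RE.search(m.group("value"))
            if lp:  # local proxies are also used by some AV web shields: report for review
                findings.append({"kind": "localhost-proxy", "hive": m.group("hive"),
                                 "port": int(lp.group("port")), "line": line})
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
        autoruns.setdefault(name, set()).add(hive)
        exe = EXE_RE.match(cmd)
        path = exe.group("path") if exe else cmd
        if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
            findings.append({"kind": "autorun-user-writable", "hive": hive,
                             "name": name, "path": path, "line": line})
    for name, hives in autoruns.items():
        if {"HKLM", "HKCU"} <= hives:  # persistence duplicated in machine and user hives
            findings.append({"kind": "autorun-both-hives", "name": name,
                             "hives": sorted(hives)})
    return findings


def tampered_policies(mbam_text):
    """Return one dict per 'Registry Data Items Infected' line MBAM repaired."""
    out = []
    for raw in mbam_text.splitlines():
        m = MBAM_DATA_RE.match(raw.strip())
        if m:
            out.append({"value": m.group("key") + "\\" + m.group("value"),
                        "category": m.group("category"), "bad": m.group("bad"),
                        "good": m.group("good"), "action": m.group("action")})
    return out


if __name__ == "__main__":
    for finding in triage_hjt(HJT_SAMPLE):
        print(finding)
    for policy in tampered_policies(MBAM_SAMPLE):
        print(policy)
```

Run it against a saved HJT or MBAM log by passing the file contents to `triage_hjt` or `tampered_policies`. The localhost proxy is reported rather than declared malicious because some security products and debugging proxies legitimately install one; what makes the entry in this thread suspicious is the combination with an autorun from a random-named folder under Local Settings\Application Data that is registered in both hives.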
Posted 5/1/2010 9:57 AM
#85551

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Hi wakari :smile:

Please download https://www.raktor.net/exeHelper/exeHelper.com to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up; press any key to close it once the fix is completed.

Post the contents of exehelperlog.txt (it will be created in the directory where you ran exeHelper.com, and should open at the end of the scan).
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).

Post the log, along with a ComboFix log ->

Even if you already have ComboFix, download the new version of ComboFix: Here
Before saving it to the Desktop, please rename it to alg.exe to stop malware from disabling it.

Now, please make sure no other programs are running; close all other windows.

Please double-click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started, please DO NOT click on the ComboFix window or attempt to use your computer, as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning. Do not worry, this is normal and they will be restored after scanning has completed.

ComboFix will create a logfile and display it after your computer has rebooted.

It is usually located in c:\combofix.txt; please post it in your next reply.

The logs will be reasonably large, so you may have to divide them into sections and make several posts to post them.

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 5/1/2010 10:19 PM
#85568

wakari Advanced member

Date Joined Nov 2016
Total Posts: 48
Hi Touch,

Once again most grateful for your input. Here is the exehelper log


exeHelper by Raktor
Build 20100414
Run at 10:18:04 on 05/02/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
Posted 5/1/2010 11:06 PM
#85570

wakari Advanced member

Date Joined Nov 2016
Total Posts: 48
Hi Touch, here is the ComboFix log.

I downloaded BullGuard 9 also and things are looking better already, although it doesn't seem to be working properly and is giving an error message. I can link in to the help site to sort that though. At the end of this I would be interested to have your advice as to the mix of anti-virus software I should carry. AVG obviously didn't work. BullGuard was good with the free trial and seems it would be a good purchase. Wot do ya think?

ComboFix 10-05-01.02 - Jeff Withington 02/05/2010 10:41:55.34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.186 [GMT 12:00]
Running from: c:\documents and settings\Jeff Withington\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\Jeff Withington\Local Settings\Application Data\ndnpjyasf\qvudmnstssd.exe
c:\program files\WindowsUpdate
c:\windows\izavawot._sy
c:\windows\PRAGMAdeqrapikpm
c:\windows\PRAGMAdeqrapikpm\PRAGMAc.dll
c:\windows\PRAGMAdeqrapikpm\PRAGMAcfg.ini
c:\windows\PRAGMAdeqrapikpm\PRAGMAd.sys
c:\windows\system32\pragmabbr.dll
c:\windows\system32\pragmaserf.dll
c:\windows\system32\PRAGMAsrcr.dat
c:\windows\system32\VB6KO.DLL
c:\windows\system32\winsusrm.dll

Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PRAGMADEQRAPIKPM
-------\Service_PRAGMAdeqrapikpm


((((((((((((((((((((((((( Files Created from 2010-04-01 to 2010-05-01 )))))))))))))))))))))))))))))))
.

2010-05-01 22:22 . 2010-05-01 22:25 -------- d-----w- C:\32788R22FWJFW
2010-05-01 22:07 . 2010-05-01 22:07 -------- d-----w- c:\documents and settings\Jeff Withington\Application Data\BullGuard
2010-05-01 22:01 . 2010-05-01 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\BullGuard
2010-05-01 21:54 . 2010-05-01 21:54 -------- d-----w- c:\program files\BullGuard Ltd
2010-05-01 00:47 . 2010-05-01 22:49 -------- d-----w- c:\documents and settings\Jeff Withington\Local Settings\Application Data\ndnpjyasf
2010-04-19 12:16 . 2010-04-19 12:16 150864 ----a-w- c:\windows\system32\BGLsp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 11:39 . 2006-11-26 18:41 -------- d-----w- c:\documents and settings\Jeff Withington\Application Data\Eriwa
2010-04-08 11:47 . 2004-12-21 02:12 -------- d-----w- c:\program files\Soulseek
2010-03-18 16:03 . 2010-03-18 16:03 98128 ----a-w- c:\windows\system32\BgGamingMonitor.dll
2010-03-16 21:15 . 2009-11-02 22:05 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-16 21:15 . 2010-03-16 21:15 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-16 21:15 . 2009-11-02 22:05 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-16 21:15 . 2009-11-02 22:05 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-12 09:34 . 2010-03-12 09:34 58448 ----a-w- c:\windows\system32\drivers\BdSpy.sys
2010-02-01 17:42 . 2010-02-01 17:42 123256 ----a-w- c:\windows\system32\BdInstHk.dll
2009-09-10 20:14 . 2009-09-10 20:14 424 ----a-w- c:\program files\vsrjfi.txt
2007-04-03 08:35 . 2007-04-03 08:35 10420936 ----a-w- c:\program files\xlviewer.exe
2005-06-21 23:32 . 2005-06-21 23:32 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DSLSTATEXE"="c:\program files\D-Link\DSL-200\dslstat.exe" [2004-04-30 356352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-04-30 77824]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\BullGuard.exe" [2010-04-06 2069840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-16 21:15 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsScanner]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SfCtlCom"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\amcap533.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/11/2009 10:05 a.m. 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/11/2009 10:05 a.m. 242696]
R1 BdSpy;BdSpy;c:\windows\system32\drivers\BdSpy.sys [12/03/2010 9:34 p.m. 58448]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [17/03/2010 9:15 a.m. 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/03/2010 9:15 a.m. 308064]
R2 BsBrowser;BullGuard antiphishing service;c:\windows\System32\SvcHost.exe -k BullGuard_LowPriv [1/04/2003 14336]
R2 BsMailProxy;BullGuard e-mail monitoring service;c:\windows\System32\SvcHost.exe -k BullGuard [1/04/2003 14336]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [4/12/2009 10:00 p.m. 31640]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [4/12/2009 10:00 p.m. 256792]
S2 BsFileScan;BullGuard on-access service;c:\windows\System32\SvcHost.exe -k BullGuard [1/04/2003 14336]
S2 BsFire;BullGuard firewall service;c:\windows\System32\SvcHost.exe -k BullGuard [1/04/2003 14336]
S2 BsMain;BullGuard main service;c:\windows\System32\SvcHost.exe -k BullGuard_Main [1/04/2003 14336]
S2 BsUpdate;BullGuard update service;c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe [9/04/2010 7:31 p.m. 341328]
S2 Ca533av;Icatch(IV) Video Camera Device;c:\windows\system32\Drivers\Ca533av.sys --> c:\windows\system32\Drivers\Ca533av.sys [?]
S3 BgRaSvc;BgRaSvc;c:\program files\BullGuard Ltd\BullGuard\Support\BgRaSvc.exe [4/03/2010 8:07 a.m. 120144]
S3 BsScanner;BullGuard scanning service;c:\program files\BullGuard Ltd\BullGuard\BullGuardScanner.exe [4/03/2010 8:07 a.m. 297808]
S3 LcdMini;LcdMini Device;c:\windows\system32\drivers\LcdMini.sys [18/11/2003 11:40 a.m. 50328]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/11/2008 2:03 p.m. 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BsFileScan BsMailProxy BsFire
BullGuard_LowPriv REG_MULTI_SZ BsBrowser
.
Contents of the 'Scheduled Tasks' folder

2010-05-01 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-18 22:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mWindow Title = ihug Internet
uInternet Connection Wizard,ShellNext = iexplore
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - https://favorites.live.com/quickadd.aspx
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Jeff Withington\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {{27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - c:\program files\BullGuard Ltd\BullGuard\Antiphishing\IE\BGAntiphishingIE.dll
LSP: c:\windows\system32\BGLsp.dll
Trusted Zone: healthotago.co.nz\dncag01
Trusted Zone: healthotago.co.nz\dnvcit05
Trusted Zone: healthotago.co.nz\webmail
FF - ProfilePath - c:\documents and settings\Jeff Withington\Application Data\Mozilla\Firefox\Profiles\qpiu1rri.default\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-mtxdkbno - c:\documents and settings\Jeff Withington\Local Settings\Application Data\ndnpjyasf\qvudmnstssd.exe
HKLM-Run-mtxdkbno - c:\documents and settings\Jeff Withington\Local Settings\Application Data\ndnpjyasf\qvudmnstssd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-05-02 10:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(656)
c:\windows\system32\BGLsp.dll

- - - - - - - > 'explorer.exe'(3824)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\BullGuard Ltd\BullGuard\BackupShellHook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2010-05-02 10:59:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-01 22:59
ComboFix2.txt 2010-05-01 01:40
ComboFix3.txt 2010-04-09 21:10
ComboFix4.txt 2010-02-26 19:07
ComboFix5.txt 2010-05-01 22:28

Pre-Run: 81,215,737,856 bytes free
Post-Run: 81,217,126,400 bytes free

- - End Of File - - 5253D6EB43C034CE8A43D543D9EC3A69
Posted 5/2/2010 3:26 AM
#85573

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
"...the free trial and seems it would be a good purchase. Wot do ya think?"

I think it's a wise decision ;-)

It looks like you have leftovers from AVG, which I'd suggest you remove ->

Uninstall your AVG Antivirus:
https://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe

Reboot.

Open Notepad and copy/paste the text, including the link, in the quotebox below into it:

Name the file CFScript and save it on the desktop.

https://forum.bullguard.com/forum/9/Bogus-antivirus-software-alert_85548.html

Killall::

Snapshot::

Collect:: c:\program files\vsrjfi.txt

Folder:: c:\documents and settings\Jeff Withington\Local Settings\Application Data\ndnpjyasf

Hosts::

User image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

When ComboFix has finished its scan/cleaning, it opens a ComboFix log along with a small message box. Now click OK in the message box to upload the compiled files for further analysis (you must have an Internet connection to upload files).

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please post it in your next reply.

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 5/2/2010 9:00 PM
#85590

wakari Advanced member

Date Joined Nov 2016
Total Posts: 48
Hi Touch, ComboFix log as requested.

Have deleted AVG, but I keep getting a warning that BullGuard is not active and my Windows Security Centre is showing as OFF.



ComboFix 10-05-01.02 - Jeff Withington 03/05/2010 1:06.35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.273 [GMT 12:00]
Running from: c:\documents and settings\Jeff Withington\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeff Withington\Desktop\cfscript.txt
AV: BullGuard Antivirus *On-access scanning disabled* (Outdated) {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
FW: BullGuard Firewall *disabled* {2AEF4CB6-61B5-4E60-AF22-D95E75B63FA1}
.

((((((((((((((((((((((((( Files Created from 2010-04-02 to 2010-05-02 )))))))))))))))))))))))))))))))
.

2010-05-02 00:32 . 2010-05-02 00:32 -------- d-----w- c:\documents and settings\Jeff Withington\Application Data\BullGuard
2010-05-02 00:28 . 2010-05-02 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\BullGuard
2010-05-02 00:26 . 2010-05-02 00:26 -------- d-----w- c:\program files\BullGuard Ltd
2010-05-01 00:47 . 2010-05-01 22:49 -------- d-----w- c:\documents and settings\Jeff Withington\Local Settings\Application Data\ndnpjyasf
2010-04-19 12:16 . 2010-04-19 12:16 150864 ----a-w- c:\windows\system32\BGLsp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-02 11:52 . 2009-11-02 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-28 11:39 . 2006-11-26 18:41 -------- d-----w- c:\documents and settings\Jeff Withington\Application Data\Eriwa
2010-04-08 11:47 . 2004-12-21 02:12 -------- d-----w- c:\program files\Soulseek
2010-03-18 16:03 . 2010-03-18 16:03 98128 ----a-w- c:\windows\system32\BgGamingMonitor.dll
2010-03-12 09:34 . 2010-03-12 09:34 58448 ----a-w- c:\windows\system32\drivers\BdSpy.sys
2010-02-01 17:42 . 2010-02-01 17:42 123256 ----a-w- c:\windows\system32\BdInstHk.dll
2009-09-10 20:14 . 2009-09-10 20:14 424 ----a-w- c:\program files\vsrjfi.txt
2007-04-03 08:35 . 2007-04-03 08:35 10420936 ----a-w- c:\program files\xlviewer.exe
2005-06-21 23:32 . 2005-06-21 23:32 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DSLSTATEXE"="c:\program files\D-Link\DSL-200\dslstat.exe" [2004-04-30 356352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-04-30 77824]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\BullGuard.exe" [2010-04-06 2069840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsMain]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsScanner]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SfCtlCom"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\amcap533.exe"=

R1 BdSpy;BdSpy;c:\windows\system32\drivers\BdSpy.sys [12/03/2010 9:34 p.m. 58448]
R2 BsBrowser;BullGuard antiphishing service;c:\windows\System32\SvcHost.exe -k BullGuard_LowPriv [1/04/2003 14336]
R2 BsFileScan;BullGuard on-access service;c:\windows\System32\SvcHost.exe -k BullGuard [1/04/2003 14336]
R2 BsFire;BullGuard firewall service;c:\windows\System32\SvcHost.exe -k BullGuard [1/04/2003 14336]
R2 BsMailProxy;BullGuard e-mail monitoring service;c:\windows\System32\SvcHost.exe -k BullGuard [1/04/2003 14336]
R2 BsMain;BullGuard main service;c:\windows\System32\SvcHost.exe -k BullGuard_Main [1/04/2003 14336]
R2 BsUpdate;BullGuard update service;c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe [9/04/2010 7:31 p.m. 341328]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [4/12/2009 10:00 p.m. 31640]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [4/12/2009 10:00 p.m. 256792]
S2 Ca533av;Icatch(IV) Video Camera Device;c:\windows\system32\Drivers\Ca533av.sys --> c:\windows\system32\Drivers\Ca533av.sys [?]
S3 BgRaSvc;BgRaSvc;c:\program files\BullGuard Ltd\BullGuard\Support\BgRaSvc.exe [4/03/2010 8:07 a.m. 120144]
S3 BsScanner;BullGuard scanning service;c:\program files\BullGuard Ltd\BullGuard\BullGuardScanner.exe [4/03/2010 8:07 a.m. 297808]
S3 LcdMini;LcdMini Device;c:\windows\system32\drivers\LcdMini.sys [18/11/2003 11:40 a.m. 50328]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/11/2008 2:03 p.m. 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard_Main REG_MULTI_SZ BsMain
BullGuard REG_MULTI_SZ BsFileScan BsMailProxy BsFire
BullGuard_LowPriv REG_MULTI_SZ BsBrowser
.
Contents of the 'Scheduled Tasks' folder

2010-05-02 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-18 22:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mWindow Title = ihug Internet
uInternet Connection Wizard,ShellNext = iexplore
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - https://favorites.live.com/quickadd.aspx
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Jeff Withington\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {{27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - c:\program files\BullGuard Ltd\BullGuard\Antiphishing\IE\BGAntiphishingIE.dll
LSP: c:\windows\system32\BGLsp.dll
Trusted Zone: healthotago.co.nz\dncag01
Trusted Zone: healthotago.co.nz\dnvcit05
Trusted Zone: healthotago.co.nz\webmail
FF - ProfilePath - c:\documents and settings\Jeff Withington\Application Data\Mozilla\Firefox\Profiles\qpiu1rri.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-05-03 01:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\cscdll.dll

- - - - - - - > 'lsass.exe'(648)
c:\windows\system32\BGLsp.dll

- - - - - - - > 'explorer.exe'(1376)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\BullGuard Ltd\BullGuard\BackupShellHook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-05-03 02:02:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-02 14:02
ComboFix2.txt 2010-05-01 22:59
ComboFix3.txt 2010-05-01 01:40
ComboFix4.txt 2010-04-09 21:10
ComboFix5.txt 2010-05-02 13:04

Pre-Run: 81,337,991,168 bytes free
Post-Run: 81,348,087,808 bytes free

- - End Of File - - 919BC093D14EF4FB1AFEB3AFE90EBCAC
Posted 5/4/2010 4:21 AM
#85646
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Please download https://swandog46.geekstogo.com/avenger2/download.php by Swandog46 to your Desktop.

Click on Avenger.zip to open the file

Extract avenger2.exe to your desktop

Start Avenger

[code]
Begin copying here:
Folders to delete:
c:\documents and settings\Jeff Withington\Local Settings\Application Data\ndnpjyasf
Files to delete:
c:\program files\vsrjfi.txt

[/code]
Copy/Paste all the text in the above codebox into the main window

Click Execute

The Avenger will automatically do the following:

It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)

On reboot, it will briefly open a black command window on your desktop; this is normal.

After the restart, it creates a log file that should open with the results of Avenger's actions.

This log file will be located at C:\avenger.txt

Post C:\avenger.txt in next reply, along with new combofix log.

Do not PM me with logfiles. They will be deleted.


Posted 5/4/2010 7:05 AM
#85657
wakari Advanced member

Date Joined Nov 2016
Total Posts: 48
Hi Touch,

Avenger log and ComboFix.

regards

Logfile of The Avenger Version 2.0, (c) by Swandog46
https://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "c:\documents and settings\Jeff Withington\Local Settings\Application Data\ndnpjyasf" deleted successfully.
File "c:\program files\vsrjfi.txt" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
ComboFix 10-05-01.02 - Jeff Withington 04/05/2010 18:39:33.36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.219 [GMT 12:00]
Running from: c:\documents and settings\Jeff Withington\Desktop\ComboFix.exe
AV: BullGuard Antivirus *On-access scanning enabled* (Outdated) {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
FW: BullGuard Firewall *enabled* {2AEF4CB6-61B5-4E60-AF22-D95E75B63FA1}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-05-02 00:32 . 2010-05-03 21:26 -------- d-----w- c:\documents and settings\Jeff Withington\Application Data\BullGuard
2010-05-02 00:28 . 2010-05-04 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\BullGuard
2010-05-02 00:26 . 2010-05-02 00:26 -------- d-----w- c:\program files\BullGuard Ltd
2010-04-19 12:16 . 2010-04-19 12:16 150864 ----a-w- c:\windows\system32\BGLsp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-02 11:52 . 2009-11-02 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-28 11:39 . 2006-11-26 18:41 -------- d-----w- c:\documents and settings\Jeff Withington\Application Data\Eriwa
2010-04-08 11:47 . 2004-12-21 02:12 -------- d-----w- c:\program files\Soulseek
2010-03-18 16:03 . 2010-03-18 16:03 98128 ----a-w- c:\windows\system32\BgGamingMonitor.dll
2010-03-12 09:34 . 2010-03-12 09:34 58448 ----a-w- c:\windows\system32\drivers\BdSpy.sys
2007-04-03 08:35 . 2007-04-03 08:35 10420936 ----a-w- c:\program files\xlviewer.exe
2005-06-21 23:32 . 2005-06-21 23:32 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DSLSTATEXE"="c:\program files\D-Link\DSL-200\dslstat.exe" [2004-04-30 356352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-04-30 77824]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\BullGuard.exe" [2010-04-06 2069840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\BgGamingMonitor.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsMain]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsScanner]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SfCtlCom"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\amcap533.exe"=

R1 BdSpy;BdSpy;c:\windows\system32\drivers\BdSpy.sys [12/03/2010 9:34 p.m. 58448]
R2 BsBrowser;BullGuard antiphishing service;c:\windows\System32\SvcHost.exe -k BullGuard_LowPriv [1/04/2003 14336]
R2 BsFileScan;BullGuard on-access service;c:\windows\System32\SvcHost.exe -k BullGuard [1/04/2003 14336]
R2 BsFire;BullGuard firewall service;c:\windows\System32\SvcHost.exe -k BullGuard [1/04/2003 14336]
R2 BsMailProxy;BullGuard e-mail monitoring service;c:\windows\System32\SvcHost.exe -k BullGuard [1/04/2003 14336]
R2 BsMain;BullGuard main service;c:\windows\System32\SvcHost.exe -k BullGuard_Main [1/04/2003 14336]
R2 BsUpdate;BullGuard update service;c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe [9/04/2010 7:31 p.m. 341328]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [4/12/2009 10:00 p.m. 31640]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [4/12/2009 10:00 p.m. 256792]
S2 Ca533av;Icatch(IV) Video Camera Device;c:\windows\system32\Drivers\Ca533av.sys --> c:\windows\system32\Drivers\Ca533av.sys [?]
S3 BgRaSvc;BgRaSvc;c:\program files\BullGuard Ltd\BullGuard\Support\BgRaSvc.exe [4/03/2010 8:07 a.m. 120144]
S3 BsScanner;BullGuard scanning service;c:\program files\BullGuard Ltd\BullGuard\BullGuardScanner.exe [4/03/2010 8:07 a.m. 297808]
S3 LcdMini;LcdMini Device;c:\windows\system32\drivers\LcdMini.sys [18/11/2003 11:40 a.m. 50328]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/11/2008 2:03 p.m. 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard_Main REG_MULTI_SZ BsMain
BullGuard REG_MULTI_SZ BsFileScan BsMailProxy BsFire
BullGuard_LowPriv REG_MULTI_SZ BsBrowser
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-18 22:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mWindow Title = ihug Internet
uInternet Connection Wizard,ShellNext = iexplore
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - https://favorites.live.com/quickadd.aspx
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Jeff Withington\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {{27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - c:\program files\BullGuard Ltd\BullGuard\Antiphishing\IE\BGAntiphishingIE.dll
LSP: c:\windows\system32\BGLsp.dll
Trusted Zone: healthotago.co.nz\dncag01
Trusted Zone: healthotago.co.nz\dnvcit05
Trusted Zone: healthotago.co.nz\webmail
FF - ProfilePath - c:\documents and settings\Jeff Withington\Application Data\Mozilla\Firefox\Profiles\qpiu1rri.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-05-04 18:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\BgGamingMonitor.dll

- - - - - - - > 'lsass.exe'(648)
c:\windows\system32\BgGamingMonitor.dll
c:\windows\system32\BGLsp.dll

- - - - - - - > 'explorer.exe'(3204)
c:\program files\BullGuard Ltd\BullGuard\Spamfilter\LittleHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-04 18:55:23
ComboFix-quarantined-files.txt 2010-05-04 06:55
ComboFix2.txt 2010-05-02 14:02
ComboFix3.txt 2010-05-01 22:59
ComboFix4.txt 2010-05-01 01:40
ComboFix5.txt 2010-05-04 06:38

Pre-Run: 81,286,053,888 bytes free
Post-Run: 81,249,165,312 bytes free

- - End Of File - - 4B629BE07A900D5437050915D15849D0
Posted 5/4/2010 7:21 AM
#85658
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Looks clean. How is BullGuard behaving now?



Posted 5/5/2010 2:26 AM
#85679
wakari Advanced member

Date Joined Nov 2016
Total Posts: 48
Hiya Touch,

Yes the computer is running well now. None of the problems remain.

Bullguard 9 is still not updating and the security centre is still showing a warning that Bullguard is out of date. Bullguard will not update as it cannot connect to the update server. It keeps asking for the internet connection to be checked to make sure it is working, and to try again.

regards

Wakari
Posted 5/5/2010 2:37 AM
#85682
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Ok.

In the Internet Explorer window, go to Tools > Internet Options > Connections tab > LAN Settings and check what boxes are ticked and if there is any proxy server address entered - untick it.

See if it helps?



Posted 5/5/2010 6:46 AM
#85697
wakari Advanced member

Date Joined Nov 2016
Total Posts: 48
Tried that Touch. Doesn't seem to have made a difference. I wonder if it is Malwarebytes that is controlling the situation. I have been having difficulty in downloading On Demand TV programmes as well; it seems there is a series of adverts that precede the TV show but my computer will not allow them to show. Not sure if I am explaining this properly, but something seems to be stopping Bullguard updates and AVG was never able to update either, so the constant has been Malwarebytes.

regards Wakari
Posted 5/6/2010 2:12 AM
#85703
wakari Advanced member

Date Joined Nov 2016
Total Posts: 48
Hi Touch,

Further update: this morning I was able to access the TV On Demand programmes, so please disregard the last statement. Surprisingly.
Posted 5/6/2010 2:17 AM
#85704
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
That's odd :rolleyes:

Click https://www.gmer.net/download.php and download the installer for Gmer to your desktop, then click that file to run Gmer.

If on its opening scan Gmer locates items shown in red or indicates "hidden" or "rootkit", stop there, and click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please. We don't want any crashes just from taking an initial look at things.

If not, then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please.

You can break logs into parts and use separate posts here when replying and posting the log files, if needed.




Posted 5/9/2010 7:11 AM
#85828
wakari Advanced member

Date Joined Nov 2016
Total Posts: 48
Hi Touch

Four days of absolute mayhem and despair. The same virus is back, presenting in the same way. Plus, since subscribing to Bullguard 9, which is not working, I have been exchanging with the support people, who advised me to download Superantispyware, which takes such a long time to boot or scan or whatever it does; consequently the virus has loaded and prevents me from running Mbam or Combo fix or anything. I cannot get to uninstall Superantispyware; I have tried but it is still there. This is the first time I have got to this website in four days.

I will try and post a Hijack log but I don't really know what to do; I cannot open any programs.
Posted 5/9/2010 7:59 AM
#85829
wakari Advanced member

Date Joined Nov 2016
Total Posts: 48
Here's the Mbam log.

It detected 2 Trojan.Fraudpack and supposedly removed them, but it has made no difference to the infected computer.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

9/05/2010 7:45:18 p.m.
mbam-log-2010-05-09 (19-45-18).txt

Scan type: Quick scan
Objects scanned: 115127
Time elapsed: 15 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

It won't let me open the HJT log. I will post it after I have rebooted.
Posted 5/9/2010 8:07 AM
#85830
wakari Advanced member

Date Joined Nov 2016
Total Posts: 48
HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:42 p.m., on 9/05/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\SvcHost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SvcHost.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
C:\Documents and Settings\Jeff Withington\Local Settings\Application Data\xeuuhdogx\ayclirctssd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Jeff Withington\Local Settings\Application Data\xeuuhdogx\ayclirctssd.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\JEFFWI~1\LOCALS~1\Temp\SSUPDATE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo!Xtra Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: BGAntiphishingBHO - {FC872B94-35E3-4B94-B028-184A2A1C7CCE} - C:\Program Files\BullGuard Ltd\BullGuard\Antiphishing\IE\BGAntiphishingIEBHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo!Xtra Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe" -boot
O4 - HKLM\..\Run: [lhvkiabj] C:\Documents and Settings\Jeff Withington\Local Settings\Application Data\xeuuhdogx\ayclirctssd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [lhvkiabj] C:\Documents and Settings\Jeff Withington\Local Settings\Application Data\xeuuhdogx\ayclirctssd.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - https://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: BullGuard - {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - C:\Program Files\BullGuard Ltd\BullGuard\Antiphishing\IE\BGAntiphishingIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - https://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: BgRaSvc - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\Support\BgRaSvc.exe
O23 - Service: BullGuard scanning service (BsScanner) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardScanner.exe
O23 - Service: BullGuard update service (BsUpdate) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6957 bytes
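The O4 entries in the HijackThis log above are what a helper reads first, and the rogue in this thread shows the classic pattern: an executable launched from the user's Local Settings\Application Data under a random-looking directory and file name, registered under both HKLM and HKCU. The following Python script is an added example (not from the thread, and not part of HijackThis or any tool named here) that parses those O4 lines and scores each autostart entry on those indicators; the scoring weights, the threshold of 3 and the "7+ lowercase letters with a run of three non-vowels" heuristic are my own assumptions.

```python
import re

# O4 (autostart) lines copied from the HijackThis log posted above; they serve as sample input.
HJT_O4_LINES = [
    r"O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe" -boot',
    r"O4 - HKLM\..\Run: [lhvkiabj] C:\Documents and Settings\Jeff Withington\Local Settings\Application Data\xeuuhdogx\ayclirctssd.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe",
    r"O4 - HKCU\..\Run: [lhvkiabj] C:\Documents and Settings\Jeff Withington\Local Settings\Application Data\xeuuhdogx\ayclirctssd.exe",
    r"O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')",
    r"O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe",
]

# "O4 - <hive>: [<value name>] <command line>" plus the Global Startup folder variant.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)
# Per-user local application data on XP, and on Vista and later.
USER_LOCAL_APPDATA = ("\\local settings\\application data\\", "\\appdata\\local\\")


def parse_o4(line):
    """Return (hive, value name, executable path) for an O4 line, or None for anything else."""
    m = O4_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    hive = m.groupdict().get("hive", "Global Startup")
    exe = EXE_RE.match(m.group("cmd"))
    return hive, m.group("name"), exe.group("path") if exe else m.group("cmd")


def looks_random(token):
    """Assumed heuristic: 7+ lowercase letters only, with a run of three non-vowels."""
    return re.fullmatch(r"[a-z]{7,}", token) is not None and re.search(r"[^aeiou]{3}", token) is not None


def score_entry(name, path, hives_for_path):
    """List the indicators one entry triggers; the first is weighted 2, the rest 1 each."""
    reasons = []
    if any(marker in path.lower() for marker in USER_LOCAL_APPDATA):
        reasons.append("runs from per-user Local Settings\\Application Data")
    parts = path.split("\\")
    stem = re.sub(r"\.exe$", "", parts[-1], flags=re.IGNORECASE)
    parent = parts[-2] if len(parts) > 1 else ""
    for label, token in (("value name", name), ("directory", parent), ("file name", stem)):
        if looks_random(token):
            reasons.append(f"random-looking {label} '{token}'")
    if len(hives_for_path) > 1:
        reasons.append("same file registered under " + " and ".join(sorted(hives_for_path)))
    return reasons


def triage(lines):
    """Return {executable path: reasons} for autostart entries scoring 3 or more (assumed threshold)."""
    parsed = [p for p in map(parse_o4, lines) if p]
    hives = {}
    for hive, _, path in parsed:
        hives.setdefault(path.lower(), set()).add(hive.split("\\")[0])
    flagged = {}
    for _, name, path in parsed:
        reasons = score_entry(name, path, hives[path.lower()])
        score = sum(2 if r.startswith("runs from") else 1 for r in reasons)
        if score >= 3:
            flagged[path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(HJT_O4_LINES).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

On the lines above only the ayclirctssd.exe entry is flagged; dslstat.exe has a consonant-heavy name too but scores 1 because it runs from Program Files under a single hive.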