Virus/Malware - Green Desktop Background & System Infected Error

Posted 7/24/2010 3:03 PM
#87872
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
Hi,

Virus/Malware got onto computer. All applications running slow. Desktop taken over and replaced with Green Background and a black error box in the centre. Error message (in large red font) stating that the system was infected. Also had symbol on bottom toolbar of large Red X, which generated a periodic pop-up to state system infected.

I have Bullguard 8.7 installed for my Anti-Virus.

As per forum advice I ran CCleaner, MBAM, DDS, uninstall/install Java and HijackThis.

The Green Background and Error Box, plus symbol on Toolbar are now gone. However I don't think all corrupt files are gone - for example MBAM reported that not all infected files could be removed.

Thank you for taking the time to look at this and help - much appreciated.

Liv76.

P.S. Going to post log files into separate threads as it seems when they are too long post won't work.
Liv
Posted 7/24/2010 3:05 PM
#87873
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
HijackThis Log - Part 1

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:13:45, on 24/07/10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Documents\Bullguard\Trend Micro\HijackThis\HijackThis.exe
Liv
Posted 7/24/2010 3:07 PM
#87874
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://192.168.1.254/
R3 - URLSearchHook: Radio Bar 1 Toolbar - {0fc85f5d-6207-4515-a490-45a549d285c0} - C:\Program Files\Radio_Bar_1\tbRad0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Radio Bar 1 Toolbar - {0fc85f5d-6207-4515-a490-45a549d285c0} - C:\Program Files\Radio_Bar_1\tbRad0.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Radio Bar 1 Toolbar - {0fc85f5d-6207-4515-a490-45a549d285c0} - C:\Program Files\Radio_Bar_1\tbRad0.dll
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [EPSON Stylus SX200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE /FU "C:\WINDOWS\TEMP\E_S73.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
Liv
Posted 7/24/2010 3:09 PM
#87875
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
HijackThis Log - Part 3

O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll

Liv
Posted 7/24/2010 3:12 PM
#87876
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
HijackThis Log - Part 4

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: BGRaSvc - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 7143 bytes
Liv
Posted 7/24/2010 3:13 PM
#87877
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
The O15 and O16 parts of the HijackThis file won't post - keeps causing an error?

Malwarebytes Log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4343

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

24/07/10 14:42:54
mbam-log-2010-07-24 (14-42-54).txt

Scan type: Full scan (C:\|)
Objects scanned: 268472
Time elapsed: 3 hour(s), 35 minute(s), 32 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 13
Folders Infected: 20
Files Infected: 111

Memory Processes Infected:
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-soft-package.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-software-package.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Avatar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Oliver\Start Menu\Programs\AntiVirusPro2009 (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.
C:\Documents and Settings\Oliver.OFFICE\Local Settings\Temp\4A.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\Documents and Settings\Oliver.OFFICE\Local Settings\Temp\7C.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\Documents and Settings\Oliver.OFFICE\Local Settings\Temp\7E.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Oliver.OFFICE\Local Settings\Temp\A6.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\Documents and Settings\Oliver.OFFICE\Local Settings\Temp\A8.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Oliver.OFFICE\Local Settings\Temp\D1.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\Documents and Settings\Oliver.OFFICE\Local Settings\Temp\D3.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Oliver.OFFICE\Local Settings\Temp\F9.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\Documents and Settings\Oliver.OFFICE\Local Settings\Temp\FA.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Oliver.OFFICE\Local Settings\Temporary Internet Files\Content.IE5\UVWV2HOB\exe[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3MEDINT.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0C428855-AC28-4124-AAD9-15DEA53323EB}\RP456\A0081023.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\aec.sys (Rootkit.Bubnix) -> Delete on reboot.
C:\Program Files\FunWebProducts\Shared\008529C8.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\00029020 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\0068FB5D (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\0080A5E6.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\0080A809.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\0080C833.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\0080DDDE.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\008D668C.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\008D6832.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\008D696A.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\008D6AA3.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\011FC5CC (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search3 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\CM.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\WB.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Oliver\Start Menu\Programs\AntiVirusPro2009\AntivirusPro2009.lnk (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\Oliver\Start Menu\Programs\AntiVirusPro2009\Uninstall.lnk (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\Oliver.OFFICE\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Oliver\Desktop\AntivirusPro2009.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Oliver\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro2009.lnk (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ES15.exe (Rogue.SecurityEsssentials) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\helpers32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warnings.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Oliver\Local Settings\Temp\wrdwn4 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Oliver\Local Settings\Temp\wrdwn5 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Oliver\Local Settings\Temp\wrdwn7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Oliver.OFFICE\Start Menu\Programs\Startup\srvklw32.exe (Trojan.Agent) -> Delete on reboot.
Liv
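A triage pass over the logs posted above, added here as an example that is not part of this thread and not code from BullGuard, Malwarebytes or HijackThis. It parses the HijackThis O4/O10 lines and the Malwarebytes result lines, and flags the things a responder would want pulled out of the noise: process and value names that imitate core Windows binaries (smss32.exe, winlogon32.exe), a Winlogon\Userinit value that no longer points at userinit.exe, the desktop/Task Manager lockdown policies, domains pushed into the IE Trusted sites zone, rootkit detections, and every item still marked "Delete on reboot" (which is what "not all infected files could be removed" refers to). The sample lines are copied from the logs in this thread; the core-binary list, the policy names, the severity labels and the regexes are my own assumptions.

```python
import re

# Constructed sample: lines copied from the HijackThis and Malwarebytes logs
# posted earlier in this thread, trimmed to the entries the rules below inspect.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Unloaded process successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\aec.sys (Rootkit.Bubnix) -> Delete on reboot.
C:\Documents and Settings\Oliver.OFFICE\Local Settings\Temp\4A.tmp (Rootkit.TDSS) -> Delete on reboot.
"""

# Assumption (mine, not from the thread): core Windows binaries that fake-alert
# droppers imitate by appending digits to the name (smss32, winlogon32).
CORE_BINARIES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost",
                 "explorer", "userinit", "spoolsv"}
# Policy values the MBAM log showed set to 1 to lock the user out of the desktop.
LOCKDOWN_POLICIES = {"DisableTaskMgr", "NoChangingWallpaper",
                     "NoSetActiveDesktop", "NoActiveDesktopChanges"}
DEFAULT_USERINIT = "userinit.exe"

HJT_RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HJT_LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
# MBAM result line: <target> (<Detection.Name>) -> [Bad: (x) Good: (y) -> ]<action>.
MBAM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<detection>[\w.]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?"
    r"(?P<action>.+?)\.?$"
)
EXE_IN_CMD_RE = re.compile(r'"?(?P<exe>.+?\.(?:exe|dll|scr))', re.I)


def lookalike_of(path):
    """Return the core binary a file name imitates ('smss32.exe' -> 'smss.exe'),
    or None when the name is genuine or not on the list."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    stem = name.rpartition(".")[0] or name
    bare = re.sub(r"\d+$", "", stem)          # strip the appended digits
    if bare in CORE_BINARIES and stem != bare:
        return bare + ".exe"
    return None


def triage(log_text):
    """Walk mixed HijackThis / Malwarebytes log lines and return
    (severity, item, reason) tuples for the entries worth a second look."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if m := HJT_RUN_RE.match(line):
            exe = EXE_IN_CMD_RE.match(m["cmd"])
            mimic = lookalike_of(exe["exe"]) if exe else None
            if mimic:
                findings.append(("high", line, f"Run entry imitates {mimic}"))
            continue
        if m := HJT_LSP_RE.match(line):
            findings.append(("info", m["path"],
                             "Winsock LSP: confirm the publisher before removing; "
                             "a broken LSP chain kills networking"))
            continue
        m = MBAM_RE.match(line)
        if not m:
            continue
        target, det, bad, good, action = (m["target"], m["detection"],
                                          m["bad"], m["good"], m["action"])
        leaf = target.rsplit("\\", 1)[-1]
        if action == "Delete on reboot":
            findings.append(("pending", target,
                             f"{det}: still on disk until reboot; rescan afterwards"))
        if det.startswith("Rootkit."):
            findings.append(("high", target,
                             f"{det}: kernel-level component; a user-mode scan alone "
                             "cannot be trusted to have cleaned it"))
        if leaf == "Userinit" and bad is not None \
                and bad.lower().rsplit("\\", 1)[-1] != DEFAULT_USERINIT:
            findings.append(("high", target, f"Userinit pointed at {bad} instead of {good}"))
        elif leaf in LOCKDOWN_POLICIES and bad == "1":
            findings.append(("medium", target,
                             "policy set to lock the user out of the desktop or Task Manager"))
        elif "\\ZoneMap\\Domains\\" in target and bad == "2":
            domain = target.split("\\ZoneMap\\Domains\\", 1)[1].split("\\", 1)[0]
            findings.append(("medium", target, f"{domain} added to the IE Trusted sites zone (2)"))
        if mimic := lookalike_of(leaf):
            findings.append(("high", target, f"name imitates {mimic}"))
    return findings


if __name__ == "__main__":
    for severity, item, reason in triage(SAMPLE_LOG):
        print(f"[{severity:>7}] {item}\n          {reason}")
```

Run it over the full saved logs rather than this excerpt. Anything rated high or pending means the box should not be trusted until a reboot and a fresh scan confirm the entries are gone, and a Rootkit.* detection is a reason to bring in a rootkit-aware scanner rather than repeat the same scan; the LSP entry is only informational because removing a legitimate LSP breaks networking outright.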
Posted 7/24/2010 3:15 PM
#87878
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
DDS Log - Part 1

DDS (Ver_10-03-17.01) - NTFSx86
Run by Oliver at 14:50:32.93 on 24/07/10
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.212 [GMT 1:00]

AV: BullGuard Antivirus *On-access scanning enabled* (Outdated) {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
FW: BullGuard Firewall *enabled* {2AEF4CB6-61B5-4E60-AF22-D95E75B63FA1}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Oliver\My Documents\Bullguard\dds.scr
Liv
Posted 7/24/2010 3:19 PM
#87879
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
DDS Log - Part 2

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ie/
uInternet Connection Wizard,ShellNext = hxxp://192.168.1.254/
uURLSearchHooks: Radio Bar 1 Toolbar: {0fc85f5d-6207-4515-a490-45a549d285c0} - c:\program files\radio_bar_1\tbRad0.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Radio Bar 1 Toolbar: {0fc85f5d-6207-4515-a490-45a549d285c0} - c:\program files\radio_bar_1\tbRad0.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Radio Bar 1 Toolbar: {0fc85f5d-6207-4515-a490-45a549d285c0} - c:\program files\radio_bar_1\tbRad0.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\bullguard.exe"
uRun: [Iomega Automatic Backup] c:\program files\iomega\iomega automatic backup\ibackup.exe
uRun: [EPSON Stylus SX200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiefe.exe /fu "c:\windows\temp\E_S73.tmp" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [Iomega Automatic Backup 1.0.1] c:\program files\iomega\iomega automatic backup\ibackup.exe
mRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\bullguard.exe" -boot
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
Liv
Posted 7/24/2010 3:20 PM
#87880
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
DDS Log - Part 3

StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\bglsp.dll
Trusted Zone: cyber-deployment.com
Trusted Zone: cyber-deployment.com
Liv
Posted 7/24/2010 3:22 PM
#87881
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
DDS Log - Part 4


============= SERVICES / DRIVERS ===============

R2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [2008-11-28 55504]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\Afw.sys [2008-9-18 31640]
R3 AfwCore;Agnitum Firewall Core Driver;c:\windows\system32\drivers\AfwCore.sys [2008-11-28 256792]
S2 BsFileScan;BullGuard File Scan Service;c:\windows\system32\svchost.exe -k BullGuard [2001-8-18 14336]
S2 BsFire;BullGuard Firewall Service;c:\windows\system32\svchost.exe -k BullGuard [2001-8-18 14336]
S2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\system32\svchost.exe -k BullGuard [2001-8-18 14336]
S3 BGRaSvc;BGRaSvc;c:\program files\bullguard ltd\bullguard\support\bgrasvc.exe [2008-7-29 83280]
S3 NTPASp50;NTPASp50 NDIS Protocol Driver;c:\windows\system32\drivers\NtpaSp50.sys [2009-2-12 17536]

=============== Created Last 30 ================

2010-07-24 09:22:15 0 d-----w- c:\docume~1\oliver~1.off\applic~1\Malwarebytes
2010-07-24 09:21:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 09:21:24 0 d-----w- c:\docume~1\alluse~2.win\applic~1\Malwarebytes
2010-07-24 09:21:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-24 09:02:53 0 ----a-w- c:\windows\system32\SET48.tmp
2010-07-24 08:55:08 0 d-----w- C:\My Documents
2010-07-16 13:58:16 0 d-----w- c:\docume~1\oliver~1.off\applic~1\PriceGong
2010-07-15 16:04:17 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-05-10 14:17:15 87376 ----a-w- c:\windows\system32\BGLsp.dll
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2008-12-02 14:23:48 2585872 ----a-w- c:\program files\WindowsInstaller-KB893803-v2-x86.exe
2008-11-23 19:40:38 14296 ----a-w- c:\program files\common files\qijopyvivy.vbs
2008-11-23 19:40:38 10696 ----a-w- c:\program files\common files\wazusec.com
2008-11-23 19:40:37 16742 ----a-w- c:\program files\common files\haqaves.exe
2008-11-23 19:40:36 15996 ----a-w- c:\program files\common files\ekuz.com
2006-05-27 19:36:28 45511639 ----a-w- c:\program files\NIS06910IN.exe
2005-04-26 14:23:52 142 ----a-w- c:\program files\INSTALL.LOG

============= FINISH: 14:53:38.39 ===============
Liv
Posted 7/24/2010 3:27 PM
#87882
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
DPF lines in the DDS log file wouldn't post - caused an error ????



DDS "Attach" file attached. Also attached the full HijackThis file and the DDS (first log generated) file, as sections couldn't be posted.







Thanks again.
Liv
Posted 7/24/2010 4:23 PM
#87885
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Hello Liv :smile:






Please download combofix: Here

Before Saving it to Desktop, please rename it to alg.exe to stop malware from disabling it.





Disable your AntiVirus and AntiSpyware applications; they may otherwise interfere with Combofix.

There are details for disabling many programmes: Here






Now, please make sure no other programs are running and close all other windows.


Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted.

It is usually located in c:\combofix.txt; please post it in your next reply.



The logs will be reasonably large so you may have to divide them into sections and make several posts to post them.


Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 7/24/2010 7:18 PM
#87888
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
Hi Touch,

Many thanks for getting in contact and posting your advice.

I downloaded and ran the Combofix application.



(In the middle of this it requested to install/update the Microsoft Recovery Console, so I followed along with that - hope that is ok.)



Logfile from ComboFix below.



Thanks,

Liv.





ComboFix Log - Part 1.



ComboFix 10-07-23.04 - Oliver 24/07/10 19:46:45.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.155 [GMT 1:00]
Running from: c:\documents and settings\Oliver\My Documents\Bullguard\ComboFix.exe
AV: BullGuard Antivirus *On-access scanning disabled* (Outdated) {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
FW: BullGuard Firewall *disabled* {2AEF4CB6-61B5-4E60-AF22-D95E75B63FA1}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG

.
((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-24 14:10 . 2010-07-24 14:10 -------- d-----w- c:\program files\Common Files\Java
2010-07-24 14:10 . 2010-07-24 14:10 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-24 14:10 . 2010-07-24 14:10 -------- d-----w- c:\program files\Java
2010-07-24 09:22 . 2010-07-24 09:22 -------- d-----w- c:\documents and settings\Oliver.OFFICE\Application Data\Malwarebytes
2010-07-24 09:21 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 09:21 . 2010-07-24 09:21 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-07-24 09:21 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-24 08:55 . 2010-07-24 08:55 -------- d-----w- C:\My Documents
2010-07-16 13:58 . 2010-07-24 14:11 -------- d-----w- c:\documents and settings\Oliver.OFFICE\Application Data\PriceGong
2010-07-15 16:04 . 2010-06-14 14:30 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-24 14:08 . 2008-11-28 11:37 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\BullGuard
2010-07-24 14:06 . 2005-04-22 09:53 -------- d-----w- c:\program files\hp deskjet 940c series
2010-07-24 09:02 . 2010-07-24 09:02 0 ----a-w- c:\windows\system32\SET48.tmp
2010-07-22 17:57 . 2010-07-22 17:57 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\hwzypv.dat
2010-07-22 13:49 . 2010-07-22 13:49 20 ----a-w- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\hwzypv.dat
2010-07-15 16:02 . 2010-02-27 14:15 -------- d-----w- c:\program files\Radio_Bar_1
2010-06-14 14:30 . 2008-11-27 15:33 743936 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-05-25 10:25 . 2010-05-25 10:25 348160 ----a-w- c:\documents and settings\Oliver.OFFICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-44eadd2b-n\msvcr71.dll
2010-05-25 10:25 . 2010-05-25 10:25 503808 ----a-w- c:\documents and settings\Oliver.OFFICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-44eadd2b-n\msvcp71.dll
2010-05-25 10:25 . 2010-05-25 10:25 499712 ----a-w- c:\documents and settings\Oliver.OFFICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-44eadd2b-n\jmc.dll
2010-05-25 10:25 . 2010-05-25 10:25 61440 ----a-w- c:\documents and settings\Oliver.OFFICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-64d4c1fd-n\decora-sse.dll
2010-05-25 10:25 . 2010-05-25 10:25 12800 ----a-w- c:\documents and settings\Oliver.OFFICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-64d4c1fd-n\decora-d3d.dll
2010-05-10 14:17 . 2009-04-06 08:45 87376 ----a-w- c:\windows\system32\BGLsp.dll
2010-05-06 10:41 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56 . 2001-08-18 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2008-12-02 14:23 . 2008-12-02 14:23 2585872 ----a-w- c:\program files\WindowsInstaller-KB893803-v2-x86.exe
2008-11-23 19:40 . 2008-11-23 19:40 14296 ----a-w- c:\program files\Common Files\qijopyvivy.vbs
2008-11-23 19:40 . 2008-11-23 19:40 10696 ----a-w- c:\program files\Common Files\wazusec.com
2008-11-23 19:40 . 2008-11-23 19:40 16742 ----a-w- c:\program files\Common Files\haqaves.exe
2008-11-23 19:40 . 2008-11-23 19:40 15996 ----a-w- c:\program files\Common Files\ekuz.com
2006-05-27 19:36 . 2006-05-27 19:36 45511639 ----a-w- c:\program files\NIS06910IN.exe
.
Liv
Posted 7/24/2010 7:19 PM
#87889
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
ComboFix Log - Part 2

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0fc85f5d-6207-4515-a490-45a549d285c0}"= "c:\program files\Radio_Bar_1\tbRad0.dll" [2010-07-15 2734688]

[HKEY_CLASSES_ROOT\clsid\{0fc85f5d-6207-4515-a490-45a549d285c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0fc85f5d-6207-4515-a490-45a549d285c0}]
2010-07-15 16:02 2734688 ----a-w- c:\program files\Radio_Bar_1\tbRad0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{0fc85f5d-6207-4515-a490-45a549d285c0}"= "c:\program files\Radio_Bar_1\tbRad0.dll" [2010-07-15 2734688]

[HKEY_CLASSES_ROOT\clsid\{0fc85f5d-6207-4515-a490-45a549d285c0}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{0FC85F5D-6207-4515-A490-45A549D285C0}"= "c:\program files\Radio_Bar_1\tbRad0.dll" [2010-07-15 2734688]

[HKEY_CLASSES_ROOT\clsid\{0fc85f5d-6207-4515-a490-45a549d285c0}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2010-05-10 304464]
"Iomega Automatic Backup"="c:\program files\Iomega\Iomega Automatic Backup\ibackup.exe" [2002-08-28 3014656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-08-14 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"Iomega Automatic Backup 1.0.1"="c:\program files\Iomega\Iomega Automatic Backup\ibackup.exe" [2002-08-28 3014656]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2010-05-10 304464]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2005-4-26 209016]
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2010-3-3 303104]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2008-11-28 589824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [28/11/08 12:36 55504]
R2 BsFileScan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [18/08/01 13:00 14336]
R2 BsFire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [18/08/01 13:00 14336]
R2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [18/08/01 13:00 14336]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\Afw.sys [18/09/08 10:17 31640]
R3 AfwCore;Agnitum Firewall Core Driver;c:\windows\system32\drivers\AfwCore.sys [28/11/08 12:37 256792]
S3 BGRaSvc;BGRaSvc;c:\program files\BullGuard Ltd\BullGuard\support\bgrasvc.exe [29/07/08 08:40 83280]
S3 NTPASp50;NTPASp50 NDIS Protocol Driver;c:\windows\system32\drivers\NtpaSp50.sys [12/02/09 14:03 17536]
Liv
Posted 7/24/2010 7:19 PM
#87890
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
ComboFix Log - Part 3 (Final Part)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy BsFire
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
uInternet Connection Wizard,ShellNext = hxxp://192.168.1.254/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\bglsp.dll
Trusted Zone: cyber-deployment.com
Trusted Zone: cyber-deployment.com
DPF: Microsoft XML Parser for Java - https://www.gmer.net
Rootkit scan 2010-07-24 20:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(832)
c:\windows\system32\WININET.dll
c:\windows\system32\bglsp.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
.
Completion time: 2010-07-24 20:09:41
ComboFix-quarantined-files.txt 2010-07-24 19:09

Pre-Run: 100,266,807,296 bytes free
Post-Run: 100,316,762,112 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 96224EFD1CCD8C62F27D38D759029174
Liv
Posted 7/25/2010 2:34 AM
#87895
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974


Open Notepad and copy/paste the bolded text, including the link, in the codebox below into it:

Name the file CFScript and save it on the desktop.





https://forum.bullguard.com/forum/9/VirusMalware---Green-Desktop-B_87872.html

Killall::

Snapshot::

Collect::
c:\windows\system32\SET48.tmp
c:\windows\system32\config\systemprofile\Application Data\hwzypv.dat
c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\hwzypv.dat


c:\program files\Common Files\qijopyvivy.vbs
c:\program files\Common Files\wazusec.com
c:\program files\Common Files\haqaves.exe
c:\program files\Common Files\ekuz.com
c:\program files\NIS06910IN.exe





User image



Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.





When ComboFix has finished its scan/cleaning, it opens a ComboFix log along with a small message box. Now click OK in the message box to upload the compiled files for further analysis (you must have an Internet connection to upload files).



Combofix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please post it in your next reply.



Posted 7/25/2010 4:07 PM
#87905
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
Hi.


Combofix Log as requested.



Thanks,

Liv.





ComboFix 10-07-24.03 - Oliver 25/07/10 16:39:06.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.201 [GMT 1:00]
Running from: c:\documents and settings\Oliver\My Documents\Bullguard\ComboFix.exe
Command switches used :: c:\documents and settings\Oliver\My Documents\Bullguard\CFScript.txt
AV: BullGuard Antivirus *On-access scanning enabled* (Outdated) {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
FW: BullGuard Firewall *enabled* {2AEF4CB6-61B5-4E60-AF22-D95E75B63FA1}

file zipped: c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\hwzypv.dat
file zipped: c:\program files\Common Files\ekuz.com
file zipped: c:\program files\Common Files\haqaves.exe
file zipped: c:\program files\Common Files\qijopyvivy.vbs
file zipped: c:\program files\Common Files\wazusec.com
file zipped: c:\program files\NIS06910IN.exe
file zipped: c:\windows\system32\config\systemprofile\Application Data\hwzypv.dat
file zipped: c:\windows\system32\SET48.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\hwzypv.dat
c:\program files\Common Files\ekuz.com
c:\program files\Common Files\haqaves.exe
c:\program files\Common Files\qijopyvivy.vbs
c:\program files\Common Files\wazusec.com
c:\program files\NIS06910IN.exe
c:\windows\system32\config\systemprofile\Application Data\hwzypv.dat
c:\windows\system32\SET48.tmp

.
((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-24 14:10 . 2010-07-24 14:10 -------- d-----w- c:\program files\Common Files\Java
2010-07-24 14:10 . 2010-07-24 14:10 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-24 14:10 . 2010-07-24 14:10 -------- d-----w- c:\program files\Java
2010-07-24 09:22 . 2010-07-24 09:22 -------- d-----w- c:\documents and settings\Oliver.OFFICE\Application Data\Malwarebytes
2010-07-24 09:21 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 09:21 . 2010-07-24 09:21 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-07-24 09:21 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-24 08:55 . 2010-07-24 08:55 -------- d-----w- C:\My Documents
2010-07-16 13:58 . 2010-07-25 15:29 -------- d-----w- c:\documents and settings\Oliver.OFFICE\Application Data\PriceGong
2010-07-15 16:04 . 2010-06-14 14:30 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 14:10 . 2008-11-28 11:37 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\BullGuard
2010-07-24 14:06 . 2005-04-22 09:53 -------- d-----w- c:\program files\hp deskjet 940c series
2010-07-15 16:02 . 2010-02-27 14:15 -------- d-----w- c:\program files\Radio_Bar_1
2010-06-14 14:30 . 2008-11-27 15:33 743936 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-05-25 10:25 . 2010-05-25 10:25 348160 ----a-w- c:\documents and settings\Oliver.OFFICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-44eadd2b-n\msvcr71.dll
2010-05-25 10:25 . 2010-05-25 10:25 503808 ----a-w- c:\documents and settings\Oliver.OFFICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-44eadd2b-n\msvcp71.dll
2010-05-25 10:25 . 2010-05-25 10:25 499712 ----a-w- c:\documents and settings\Oliver.OFFICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-44eadd2b-n\jmc.dll
2010-05-25 10:25 . 2010-05-25 10:25 61440 ----a-w- c:\documents and settings\Oliver.OFFICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-64d4c1fd-n\decora-sse.dll
2010-05-25 10:25 . 2010-05-25 10:25 12800 ----a-w- c:\documents and settings\Oliver.OFFICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-64d4c1fd-n\decora-d3d.dll
2010-05-10 14:17 . 2009-04-06 08:45 87376 ----a-w- c:\windows\system32\BGLsp.dll
2010-05-06 10:41 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56 . 2001-08-18 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2008-12-02 14:23 . 2008-12-02 14:23 2585872 ----a-w- c:\program files\WindowsInstaller-KB893803-v2-x86.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0fc85f5d-6207-4515-a490-45a549d285c0}"= "c:\program files\Radio_Bar_1\tbRad0.dll" [2010-07-15 2734688]

[HKEY_CLASSES_ROOT\clsid\{0fc85f5d-6207-4515-a490-45a549d285c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0fc85f5d-6207-4515-a490-45a549d285c0}]
2010-07-15 16:02 2734688 ----a-w- c:\program files\Radio_Bar_1\tbRad0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{0fc85f5d-6207-4515-a490-45a549d285c0}"= "c:\program files\Radio_Bar_1\tbRad0.dll" [2010-07-15 2734688]

[HKEY_CLASSES_ROOT\clsid\{0fc85f5d-6207-4515-a490-45a549d285c0}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{0FC85F5D-6207-4515-A490-45A549D285C0}"= "c:\program files\Radio_Bar_1\tbRad0.dll" [2010-07-15 2734688]

[HKEY_CLASSES_ROOT\clsid\{0fc85f5d-6207-4515-a490-45a549d285c0}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2010-05-10 304464]
"Iomega Automatic Backup"="c:\program files\Iomega\Iomega Automatic Backup\ibackup.exe" [2002-08-28 3014656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-08-14 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"Iomega Automatic Backup 1.0.1"="c:\program files\Iomega\Iomega Automatic Backup\ibackup.exe" [2002-08-28 3014656]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2010-05-10 304464]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2005-4-26 209016]
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2010-3-3 303104]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2008-11-28 589824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [28/11/08 12:36 55504]
R2 BsFileScan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [18/08/01 13:00 14336]
R2 BsFire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [18/08/01 13:00 14336]
R2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [18/08/01 13:00 14336]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\Afw.sys [18/09/08 10:17 31640]
R3 AfwCore;Agnitum Firewall Core Driver;c:\windows\system32\drivers\AfwCore.sys [28/11/08 12:37 256792]
S3 BGRaSvc;BGRaSvc;c:\program files\BullGuard Ltd\BullGuard\support\bgrasvc.exe [29/07/08 08:40 83280]
S3 NTPASp50;NTPASp50 NDIS Protocol Driver;c:\windows\system32\drivers\NtpaSp50.sys [12/02/09 14:03 17536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy BsFire
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
uInternet Connection Wizard,ShellNext = hxxp://192.168.1.254/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\bglsp.dll
Trusted Zone: cyber-deployment.com
Trusted Zone: cyber-deployment.com
DPF: Microsoft XML Parser for Java - https://www.gmer.net
Rootkit scan 2010-07-25 16:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(828)
c:\windows\system32\WININET.dll
c:\windows\system32\bglsp.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

- - - - - - - > 'explorer.exe'(3388)
c:\windows\system32\WININET.dll
c:\windows\system32\bglsp.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Iomega\DriveIcons\IMGHOOK.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Iomega\AutoDisk\ADService.exe
c:\windows\system32\devldr32.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2010-07-25 17:04:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-25 16:04
ComboFix2.txt 2010-07-24 19:09

Pre-Run: 100,315,959,296 bytes free
Post-Run: 100,219,936,768 bytes free

- - End Of File - - CBF158D42D37A6038F4311F20E246ACD
Liv
Posted 7/26/2010 2:38 AM
#87909
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Looks clean. Please post a new HijackThis log and tell me how things are running now?



Posted 7/26/2010 12:22 PM
#87923
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
Hi Touch.

Ran the HijackThis scan; it only took about 5-8 seconds to run, hope that is ok.


Please see below for this Hijackthis log.



Computer itself seems to be running fine and at normal speed.





Thanks,

Liv.



HijackThis Log - Part 1





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:04:23, on 26/07/10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\My Documents\Bullguard\Trend Micro\HijackThis\HijackThis.exe
Liv
Posted 7/26/2010 12:22 PM
#87924
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
HijackThis Log - Part 2


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.ie/
R1 - ... = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - ... = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - ... = https://192.168.1.254/

R3 - URLSearchHook: Radio Bar 1 Toolbar - {0fc85f5d-6207-4515-a490-45a549d285c0} - C:\Program Files\Radio_Bar_1\tbRad0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Radio Bar 1 Toolbar - {0fc85f5d-6207-4515-a490-45a549d285c0} - C:\Program Files\Radio_Bar_1\tbRad0.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Radio Bar 1 Toolbar - {0fc85f5d-6207-4515-a490-45a549d285c0} - C:\Program Files\Radio_Bar_1\tbRad0.dll
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus SX200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE /FU "C:\DOCUME~1\OLIVER~1.OFF\LOCALS~1\Temp\E_S6.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
Liv
Posted 7/26/2010 12:23 PM
#87925
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
HijackThis Log - Part 3 (Final Part)

O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O15 - Trusted Zone: https://*.cyber-deployment.com
O15 - Trusted Zone: https://*.cyber-deployment.com (HKLM)
O16 - DPF: Ulster Bank AnyTime - https://www.anytimebusiness.ie/asp/AnyTime.cab
O16 - DPF: https://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227873495217
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: BGRaSvc - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 6761 bytes
Liv
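The log posted above is HijackThis's fixed one-entry-per-line format, and a triager reads it by section code: R0/R1 browser start pages, O2/O3 BHOs and toolbars, O4 autoruns, O10 Winsock LSP DLLs (which HijackThis cannot attribute, hence "Unknown file"), O15 Trusted Zone additions, O23 services. The Python below is an added example, not HijackThis code and not the forum helper's method: it parses those sections and attaches a severity using heuristics that are this example's own assumptions (the allow-lists, the "toolbar" and temp-path rules, and treating bglsp.dll as the LSP of the BullGuard product installed in this thread). `SAMPLE_LOG` is constructed from the thread's entry types plus three synthetic suspicious lines (example.exe, example_lsp.dll, Example Updater) that are not in the original log.

```python
"""Triage a HijackThis log by section code. Added example, not HijackThis code;
the allow-lists and severity rules are this example's own assumptions."""
import ipaddress, re
from collections import namedtuple
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")  # "O15 - ..."
BHO_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^\S+?\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^Global Startup: (?P<lnk>.+?) = (?P<target>.+)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (?P<path>.+)$")
TZ_RE = re.compile(r"^Trusted Zone: (?P<pattern>\S+)(?: \((?P<hive>HKLM)\))?$")
SVC_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

# Assumption: bglsp.dll is the LSP of the BullGuard product installed in the
# thread; a real triage verifies the file's signature rather than its name.
KNOWN_LSP = {"bglsp.dll": "BullGuard"}
KNOWN_HOSTS = {"go.microsoft.com"}
PROFILE_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\")
SYSTEM_DIRS = ("c:\\program files", "c:\\progra~1", "c:\\windows")

Finding = namedtuple("Finding", "code severity reason line")  # severity: info|review|high

def _start_page(body):  # R0/R1; a private LAN address is usually the router
    host = (urlparse(body.rsplit(" = ", 1)[-1]).hostname or "").lower()
    try:
        ok = ipaddress.ip_address(host).is_private
    except ValueError:
        ok = host in KNOWN_HOSTS
    return ("info" if ok else "review"), f"start page host {host!r}"

def _bho(body):  # O2/O3; a bundled toolbar is the usual unwanted add-on
    m = BHO_RE.match(body)
    if not m:
        return "review", "unparsed BHO/toolbar entry"
    sev = "review" if "toolbar" in m.group("name").lower() else "info"
    return sev, f"{m.group('name')!r} at {m.group('path')}"

def _autorun(body):  # O4; "= ?" means HJT could not resolve the shortcut
    m = STARTUP_RE.match(body)
    if m:
        sev = "review" if m.group("target") == "?" else "info"
        return sev, f"startup shortcut {m.group('lnk')!r} -> {m.group('target')}"
    m = RUN_RE.match(body)
    if not m:
        return "review", "unparsed autorun entry"
    cmd = m.group("cmd")
    if cmd.startswith('"'):
        exe = cmd[1:cmd.find('"', 1)]
    else:  # unquoted paths may contain spaces, so cut at the first ".exe"
        e = re.match(r"(?i)(.+?\.exe)", cmd)
        exe = e.group(1) if e else cmd.split()[0]
    sev = "review" if any(mk in exe.lower() for mk in PROFILE_MARKERS) else "info"
    return sev, f"autorun {m.group('name')!r} -> {exe}"

def _lsp(body):  # O10; HJT cannot attribute LSP DLLs, so the triager must
    m = LSP_RE.match(body)
    name = m.group("path").rsplit("\\", 1)[-1].lower() if m else "?"
    if name in KNOWN_LSP:
        return "info", f"LSP {name} belongs to {KNOWN_LSP[name]}"
    return "review", f"LSP {name} not in known list; check its publisher"

def _trusted_zone(body):  # O15; lowers IE restrictions for the domain, HKLM = every user
    m = TZ_RE.match(body)
    scope = "all users (HKLM)" if m and m.group("hive") else "current user"
    return "high", f"{m.group('pattern') if m else body} trusted in IE for {scope}"

def _service(body):  # O23; no vendor string or a profile path is a red flag
    m = SVC_RE.match(body)
    if not m:
        return "review", "unparsed service entry"
    vendor, path = m.group("vendor"), m.group("path")
    bad = vendor.lower() == "unknown owner" or not path.lower().startswith(SYSTEM_DIRS)
    return ("review" if bad else "info"), f"service {m.group('name')!r} by {vendor!r} at {path}"

CHECKS = {"R0": _start_page, "R1": _start_page, "O2": _bho, "O3": _bho,
          "O4": _autorun, "O10": _lsp, "O15": _trusted_zone, "O23": _service}

def triage(log_text):
    """One Finding per recognised entry, in log order; other codes are skipped."""
    out = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = ENTRY_RE.match(line)
        if m and m.group("code") in CHECKS:
            sev, why = CHECKS[m.group("code")](m.group("body"))
            out.append(Finding(m.group("code"), sev, why, line))
    return out

# Constructed sample modelled on the thread's entries, plus three synthetic
# suspicious lines (example.exe autorun, example_lsp.dll, Example Updater).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://192.168.1.254/
O3 - Toolbar: Radio Bar 1 Toolbar - {0fc85f5d-6207-4515-a490-45a549d285c0} - C:\Program Files\Radio_Bar_1\tbRad0.dll
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKCU\..\Run: [example] C:\DOCUME~1\user\LOCALS~1\Temp\example.exe
O4 - Global Startup: Exif Launcher S.lnk = ?
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\example_lsp.dll
O15 - Trusted Zone: https://*.cyber-deployment.com (HKLM)
O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: Example Updater (exsvc) - Unknown owner - C:\Documents and Settings\user\Application Data\exsvc.exe
"""
```

Run `triage(SAMPLE_LOG)` and read the non-`info` findings first. The script is a triage aid, not a verdict: it surfaces the entries a human should look at (a wildcard Trusted Zone entry, an LSP DLL it cannot attribute, a service with no vendor string, an autorun launched from a Temp directory) and leaves the decision, and the file-signature and hash checks, to the person reading the log.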
Posted 7/26/2010 1:25 PM
#87927
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Clean log :smile:

Now your computer problems are solved, it is time for the clean-up procedure

You should Create a New Restore Point to prevent possible reinfection from an old one.
The easiest and safest way to do this is:

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and OK it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

Download OTL by OldTimer, saving it to your desktop: Here

Click on the CleanUp! button. You'll be asked if you want to Begin cleanup process? Select Yes.

This step removes the files, folders, and shortcuts created by the tools I had you download and run.

When done, you will be prompted to restart your computer. Please restart your computer.

To find out what programs need to be updated, please download and run the:

Secunia

Please read Tony Klein's guide about how to protect yourself while on the internet:

How did I get infected in the first place?

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 7/26/2010 5:37 PM
#87940
liv76 Valued member

Date Joined Nov 2016
Total Posts: 25
Hi Touch,

Thank you so much for all your help and advice.

Take care and best wishes.

Liv.
Liv
Posted 7/27/2010 1:07 AM
#87955
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
It was my pleasure to help :smile:

Since this issue appears to be resolved ... this Topic has been closed.

If you need this topic reopened, please contact me with the address of the thread.
Thank you!

