OK, I have done that; here is the requested log.
ComboFix 09-06-05.07 - Naomi Horn 06/06/2009 18:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.214 [GMT 10:00]
Running from: c:\documents and settings\Naomi Horn\Desktop\123com.exe
AV: BullGuard Antivirus *On-access scanning disabled* (Outdated) {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
FW: BullGuard Firewall *disabled* {2AEF4CB6-61B5-4E60-AF22-D95E75B63FA1}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Naomi Horn\Application Data\inst.exe
c:\windows\system32\iehostcx32.dll
c:\windows\system32\muzapp.exe
.
((((((((((((((((((((((((( Files Created from 2009-05-06 to 2009-06-06 )))))))))))))))))))))))))))))))
.
2009-06-06 05:40 . 2009-06-06 05:40 -------- d-----w- c:\program files\CCleaner
2009-06-02 01:53 . 2009-06-06 06:29 -------- d-----w- c:\documents and settings\Naomi Horn\XP Deluxe Protector
2009-05-22 02:49 . 2009-05-22 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-06 08:47 . 2008-12-04 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\BullGuard
2009-05-28 23:33 . 2007-05-13 12:36 -------- d-----w- c:\documents and settings\Naomi Horn\Application Data\CamfrogWEB
2009-05-22 03:14 . 2009-03-03 04:05 -------- d-----w- c:\documents and settings\Naomi Horn\Application Data\Canon
2009-05-22 02:50 . 2009-03-03 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2009-04-14 10:46 . 2009-04-14 10:46 -------- d-----w- c:\program files\Fast Browser SearchP
2009-04-06 06:56 . 2009-04-06 06:56 152576 ----a-w- c:\documents and settings\Naomi Horn\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-16 08:49 . 2009-03-16 08:49 152576 ----a-w- c:\documents and settings\Naomi Horn\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-03-08 19:19 . 2009-03-16 08:51 410984 ----a-w- c:\windows\system32\deploytk.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NBJ"="c:\program files\Ahead\Nero BackItUp\nbj.exe" [2005-10-11 1961984]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"PhotoJoy"="c:\program files\PhotoJoy\bin\PhotoJoy.exe" [2008-10-19 918840]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"BullGuard"="c:\program files\BullGuard Software\BullGuard\bullguard.exe" [2008-12-04 308552]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"LVComs"="c:\windows\system32\LVCOMS.EXE" [2000-03-29 77824]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-11 32768]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-19 132624]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2008-07-06 111928]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"BullGuard"="c:\program files\BullGuard Software\BullGuard\bullguard.exe" [2008-12-04 308552]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 03:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\PhotoJoy\\Bin\\PjApp.exe"=
"c:\\Program Files\\PhotoJoy\\Bin\\PjImp.exe"=
"c:\\Program Files\\PhotoJoy\\Bin\\PhotoJoy.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 1:53 PM 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [27/02/2007 12:39 PM 51440]
R1 VFILT;BullGuard Firewall Kernel Driver;c:\program files\BullGuard Software\BullGuard\fwengine\Filtnt.sys [27/02/2007 7:28 PM 125216]
R2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [4/12/2008 5:15 PM 50896]
R2 BsFileScan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [4/08/2004 10:00 PM 14336]
R2 BsFwall;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuardFw [4/08/2004 10:00 PM 14336]
R2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [4/08/2004 10:00 PM 14336]
R3 PROTECT.DLL;BullGuard Firewall Protection Plugin;c:\program files\BullGuard Software\BullGuard\fwengine\Protect.dll [27/02/2007 7:28 PM 16960]
R3 Reconn;BullGuard Email Monitor;c:\program files\BullGuard Software\BullGuard\Reconn.sys [27/02/2007 7:31 PM 16984]
S3 ADBLOCK.DLL;BullGuard Firewall Adware Plugin;\??\c:\program files\BullGuard Software\BullGuard\FwEngine\AdBlock.dll --> c:\program files\BullGuard Software\BullGuard\FwEngine\AdBlock.dll [?]
S3 BGRaSvc;BGRaSvc;c:\program files\BullGuard Software\BullGuard\support\bgrasvc.exe [4/12/2008 5:34 PM 79176]
S3 HTMLFILT.DLL;BullGuard Firewall HTML Plugin;\??\c:\program files\BullGuard Software\BullGuard\FwEngine\HtmlFilt.dll --> c:\program files\BullGuard Software\BullGuard\FwEngine\HtmlFilt.dll [?]
S3 HTTPFILT.DLL;BullGuard Firewall HTTP Plugin;\??\c:\program files\BullGuard Software\BullGuard\FwEngine\HttpFilt.dll --> c:\program files\BullGuard Software\BullGuard\FwEngine\HttpFilt.dll [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 5:51 PM 4096]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy
BullGuardFw REG_MULTI_SZ BsFwall
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Yahoo! Pager - ~c:\program files\Yahoo!\Messenger\YahooMessenger.exe
HKLM-Run-FBSearch - c:\program files\Fast Browser SearchP\FastBrowserSearchProtectionV.exe
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://home.sweetim.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*https://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*https://www.yahoo.com
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.15\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.15\MediaManager\grab.html
IE: Add to Windows &Live Favorites - https://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-06-06 18:46
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
FBSearch = c:\program files\Fast Browser SearchP\FastBrowserSearchProtectionV.exe?is EULA, the term ?Software P
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(588)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3500)
c:\program files\BullGuard Software\BullGuard\antispam\PluginHook.dll
c:\program files\BullGuard Software\BullGuard\res\en\PluginHookRes.dll
c:\program files\ScanSoft\OmniPageSE\ophook32.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\BullGuard Software\BullGuard\BullGuardUpdate.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PhotoJoy\Bin\PjApp.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-06-06 18:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-06 08:54
Pre-Run: 117,109,809,152 bytes free
Post-Run: 118,388,256,768 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
166 --- E O F --- 2009-05-13 17:02