graham9 New Member Date Joined Jun 2009 Total Posts : 3 Posted 7/6/2009 8:55 AM (GMT +3)
I have some kind of virus. I first knew when I tried to go to my online banking website and a fake page came up. I wasn't fooled, but I need to get rid of it because it's slowing my whole internet down and I cannot get onto my banking. I've run a scan and it comes up with something to do with svchost.exe and a Trojan.gen.heur virus. I've run the ComboFix and HijackThis tools, and here are the logs from them:
After running these programs I still get the fake logon page when I go to Lloyds TSB banking, so I think the virus is still there. Any help appreciated, thanks.
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 7/6/2009 9:35 AM (GMT +3)
Hello graham9
Please download Malwarebytes' Anti-Malware to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.
Run a complete scan with BullGuard and post the log it produces along with the Malwarebytes log.
Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.
graham9 New Member Date Joined Jun 2009 Total Posts : 3 Posted 7/6/2009 1:39 PM (GMT +3)
Here is the log from MBAM:
Malwarebytes' Anti-Malware 1.38
Database version: 2379
Windows 5.1.2600 Service Pack 3
06/07/2009 11:15:15
mbam-log-2009-07-06 (11-15-15).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 150525
Time elapsed: 17 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 42
c:\documents and settings\graham pigott\application data\Mozilla\Firefox\Profiles\main\winload.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\documents and settings\graham pigott\application data\Mozilla\Firefox\Profiles\main\browserui.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP387\A0183126.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP387\A0184125.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP394\A0185140.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0186123.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0186151.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187388.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187390.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187391.exe (Trojan.Dropper) -> Quarantined and deleted successfully. c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187392.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187393.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. 
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187394.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187395.DLL (Trojan.Dropper) -> Quarantined and deleted successfully. c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187397.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187398.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187400.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187401.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187402.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187487.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187489.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\Qoobox\quarantine\C\documents and settings\graham pigott\application data\microsoft\systembackup\browserui.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\Qoobox\quarantine\C\documents and settings\graham pigott\application data\microsoft\systembackup\winload.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\Qoobox\quarantine\C\WINDOWS\ld08.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully. c:\Qoobox\quarantine\C\WINDOWS\system32\browsearch.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully. 
c:\Qoobox\quarantine\C\WINDOWS\system32\browserui.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\Qoobox\quarantine\C\WINDOWS\system32\clfsw.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\Qoobox\quarantine\C\WINDOWS\system32\digiwet.dll.vir (Trojan.Dropper) -> Quarantined and deleted successfully. c:\Qoobox\quarantine\C\WINDOWS\system32\mscert.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\Qoobox\quarantine\C\WINDOWS\system32\mshtmllib.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\Qoobox\quarantine\C\WINDOWS\system32\protect.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\Qoobox\quarantine\C\WINDOWS\system32\pxcrt.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully. c:\Qoobox\quarantine\C\WINDOWS\system32\winload.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully. C:\WINDOWS\system32\mshtmllib.dll (Trojan.Agent) -> Quarantined and deleted successfully. c:\documents and settings\Graham Pigott\Application Data\Mozilla\Firefox\Profiles\main\mt_32.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\netd.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\pxcrt.dll (Trojan.Agent) -> Quarantined and deleted successfully. c:\documents and settings\Graham Pigott\Application Data\Microsoft\SystemBackup\mt_32.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully. My internet seems to have speeded up and i no longer get the fake page when going to LLoyds TSB website. I think thats probably solved it then. Thanks for your help Touch :) Back to Top
graham9 New Member Date Joined Jun 2009 Total Posts : 3 Posted 7/6/2009 1:54 PM (GMT +3)

By the way, here is the BullGuard scan log:

BullGuard Scan Report
Scan Profile: "My Computer"
___________________________________________________________
----[ System Info ]------------
OS Version: Windows XP Professional - Service Pack 3 (Build 2600) [1 * x86 CPUs]
Physical memory: 2048 MB
System up-time: 0 days, 00 hours, 33 minutes, 33 seconds
BullGuard up-time: 0 days, 00 hours, 32 minutes, 56 seconds
TopLayer Version: 8, 7, 0, 17
FileSpy5 Version: N/A
BdFileSpy Version: N/A
BsFileScan Version: 8, 5, 0, 71
Reconn Version: N/A
MailProxy Version: 8, 5, 0, 21
AntiVirus Version: 8, 5, 0, 49
----[ Scan Parameters ]------------
Folders to scan: C:\ D:\
Excluded folders: None
Files to scan: None
Scan type:
[o] Scan all files
[ ] Scan program files only
[ ] Scan custom extensions:
[X] Exclude user extensions: lnk
[X] Scan boot sectors
[X] Scan packed files
[X] Scan archives
[X] Scan emails
[X] Scan running processes
[X] Scan registry
[X] Scan IE cookies
[X] Enable heuristic detection
[ ] Scan default action
___________________________________________________________
Scan Statistics
___________________________________________________________
Scan started: Monday, July 06, 2009 11:51:58
Scan duration: 0 days, 00 hours, 30 minutes, 27 seconds
Completion status: Successful
Total files scanned: 153734
Total files skipped: 86
Identified viruses: 0
Scan speed: 84.15 files/sec
Files skipped:
C:\WINDOWS\system32\config\system.LOG [Open Failed]
C:\WINDOWS\system32\config\software.LOG [Open Failed]
C:\WINDOWS\system32\config\default.LOG [Open Failed]
C:\WINDOWS\system32\config\SAM.LOG [Open Failed]
C:\WINDOWS\system32\config\SECURITY.LOG [Open Failed]
C:\WINDOWS\system32\config\SECURITY [Open Failed]
C:\WINDOWS\system32\config\SOFTWARE [Open Failed]
C:\WINDOWS\system32\config\SYSTEM [Open Failed]
C:\WINDOWS\system32\config\DEFAULT [Open Failed]
C:\WINDOWS\system32\config\SAM [Open Failed]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat [Open Failed]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG [Open Failed]
C:\Documents and Settings\NetworkService\NTUSER.DAT [Open Failed]
C:\Documents and Settings\NetworkService\ntuser.dat.LOG [Open Failed]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat [Open Failed]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG [Open Failed]
C:\Documents and Settings\LocalService\NTUSER.DAT [Open Failed]
C:\Documents and Settings\LocalService\ntuser.dat.LOG [Open Failed]
C:\Documents and Settings\Administrator\NTUSER.DAT [Open Failed]
C:\Documents and Settings\Administrator\ntuser.dat.LOG [Open Failed]
C:\Documents and Settings\Graham Pigott\NTUSER.DAT [Open Failed]
C:\Documents and Settings\Graham Pigott\ntuser.dat.LOG [Open Failed]
C:\Documents and Settings\Graham Pigott\Local Settings\Temp\etilqs_TfGvJXzZjlqgcmd2qrmS [Open Failed]
C:\Documents and Settings\Graham Pigott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG [Open Failed]
C:\Documents and Settings\Graham Pigott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat [Open Failed]
C:\Documents and Settings\Graham Pigott\Application Data\Mozilla\Firefox\Profiles\nfo7sz88.default\parent.lock [Open Failed]
C:\Documents and Settings\Graham Pigott\Application Data\Mozilla\Firefox\Profiles\nfo7sz88.default\places.sqlite-journal [Open Failed]
C:\Documents and Settings\Brenda Pigott\NTUSER.DAT [Open Failed]
C:\Documents and Settings\Brenda Pigott\ntuser.dat.LOG [Open Failed]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>Ad-Aware SE Default.skn [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow1.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow2.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bck1.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt11.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt12.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt13.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt21.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt22.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt23.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt31.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt32.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt33.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt41.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt42.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt43.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt51.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt52.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt53.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt61.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt62.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox1.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox2.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox3.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox4.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn1.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn2.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn3.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph1.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph2.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph3.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph4.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph5.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph6.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph7.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>main.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>preview.bmp [Password protected]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>sprite1.bmp [Password protected]
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.idx [Open Failed]
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\D0000000.FCS [Open Failed]
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.dat [Open Failed]
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.idx [Open Failed]
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.dat [Open Failed]
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.idx [Open Failed]
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.dat [Open Failed]
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.idx [Open Failed]
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.dat [Open Failed]
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.idx [Open Failed]
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.dat [Open Failed]
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.idx [Open Failed]
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.dat [Open Failed]
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.idx [Open Failed]
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.dat [Open Failed]
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.idx [Open Failed]
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\L0000009.FCS [Open Failed]
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.dat [Open Failed]
C:\FOUND.011\FILE0001.CHK=>VIRSCAN5.985 [Corrupted archive]
___________________________________________________________
Results after ROUND 0
___________________________________________________________
Scan started: Monday, July 06, 2009 11:21:31
Scan duration: 0 days, 00 hours, 30 minutes, 27 seconds
Infections solved: 0
Infections left: 0
Viruses left: 0
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 7/6/2009 2:01 PM (GMT +3)

That's good news.

Yes, it looks like your problem is solved.

You should create a new Restore Point to prevent possible reinfection from an old one. The easiest and safest way to do this is:

1. Go to Start > All Programs > Accessories > System Tools > System Restore.
2. Select "Create a restore point" and OK it.
3. Next, go to Start > Run and type in cleanmgr.
4. Select the "More Options" tab.
5. Choose the option to clean up System Restore and OK it. This will remove all restore points except the new one you just created.

Then remove ComboFix:

1. Click START, then RUN.
2. Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.

The above procedure will:
- Delete ComboFix and its associated files and folders.
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.
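The restore-point step above is worth verifying rather than trusting, because the Malwarebytes log earlier in this thread shows how many of the detected DLLs were sitting in old restore points under System Volume Information. The script below is an added example and is not part of the moderator's post or of any tool named in the thread. It assumes Windows PowerShell (2.0 or later, which is available for XP SP3) run as an administrator, and it uses the SystemRestore WMI class in the root\default namespace, which is how XP, Vista and 7 expose restore points. It creates the new baseline programmatically (the equivalent of the System Restore wizard step), then, after you have run the cleanmgr "More Options" clean-up by hand as described, it confirms that only the new restore point remains.

```powershell
# Added example, not from the original thread: create a clean restore point,
# then verify that the cleanmgr clean-up removed every older one.
# Assumptions: Windows PowerShell 2.0+ running elevated; SystemRestore WMI class
# present in root\default (Windows XP / Vista / 7).

function Get-RestorePoint {
    # One object per restore point, oldest first. CreationTime comes back as a
    # DMTF datetime string, so convert it to a .NET DateTime for readability.
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        ForEach-Object {
            New-Object PSObject -Property @{
                SequenceNumber = $_.SequenceNumber
                Description    = $_.Description
                Created        = $_.ConvertToDateTime($_.CreationTime)
            }
        } |
        Sort-Object SequenceNumber
}

Write-Host 'Restore points before clean-up:'
Get-RestorePoint | Format-Table SequenceNumber, Created, Description -AutoSize

# Create the new baseline. CreateRestorePoint(Description, RestorePointType, EventType):
# 12 = MODIFY_SETTINGS, 100 = BEGIN_SYSTEM_CHANGE. A ReturnValue of 0 means success.
$sr     = [wmiclass]'\\.\root\default:SystemRestore'
$result = $sr.CreateRestorePoint('Clean baseline after malware removal', 12, 100)
if ($result.ReturnValue -ne 0) {
    throw "CreateRestorePoint failed with WMI return code $($result.ReturnValue)"
}

$newest = (Get-RestorePoint | Select-Object -Last 1).SequenceNumber
Write-Host "Created restore point #$newest."
Write-Host 'Now run cleanmgr, open the More Options tab and clean up System Restore,'
Write-Host 'then press Enter here to verify.'
Read-Host | Out-Null

# Verification: exactly one restore point should remain, and it must be ours.
$remaining = @(Get-RestorePoint)
if ($remaining.Count -eq 1 -and $remaining[0].SequenceNumber -eq $newest) {
    Write-Host "OK: only restore point #$newest remains."
} else {
    Write-Warning "Expected only #$newest to remain, but found $($remaining.Count) restore point(s):"
    $remaining | Format-Table SequenceNumber, Created, Description -AutoSize
}
```

If the final check reports more than one restore point, the clean-up did not complete (on XP the "More Options" clean-up only offers to remove all but the most recent point, so a leftover older point usually means the dialog was dismissed before confirming); rerun cleanmgr before relying on the new baseline. Nothing here deletes restore points directly, because the page's method is the cleanmgr dialog and this script only confirms its result.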