Virus help needed

Posted 7/6/2009 5:55 AM
#74925

graham9 Member

Date Joined Nov 2016
Total Posts: 3
I have some kind of virus. I first knew when I tried to go to my online banking website and a fake page came up. I wasn't fooled, but I need to get rid of it because it's slowing my whole internet down and I cannot get onto my banking. I've run a scan and it comes up with something to do with svchost.exe and Trojan.gen.heur virus.

I've run the ComboFix and HijackThis tools and here are the logs from them:

ComboFix 09-07-05.01 - Graham Pigott 06/07/2009 6:32.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1498 [GMT 1:00]
Running from: c:\documents and settings\Graham Pigott\Desktop\FIX\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\GRAHAM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Graham Pigott\Application Data\Microsoft\SystemBackup\browserui.dll
c:\documents and settings\Graham Pigott\Application Data\Microsoft\SystemBackup\mt_32.dll
c:\documents and settings\Graham Pigott\Application Data\Microsoft\SystemBackup\winload.dll
c:\documents and settings\Graham Pigott\Local Settings\Temp\IadHide5.dll
c:\windows\ld08.exe
c:\windows\system32\browsearch.dll
c:\windows\system32\browserui.dll
c:\windows\system32\clfsw.dll
c:\windows\system32\digiwet.dll
c:\windows\system32\IMEw.exe
c:\windows\system32\mscert.dll
c:\windows\system32\mshtmllib.dll
c:\windows\system32\mt_32.dll
c:\windows\system32\protect.dll
c:\windows\system32\pxcrt.dll
c:\windows\system32\winload.dll
D:\AUTORUN.INF

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HELPSVCDMADMIN
-------\Service_helpsvcdmadmin


((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-06 05:27 . 2009-07-06 05:27 -------- d-sh--w- c:\documents and settings\Graham Pigott\IECompatCache
2009-07-06 05:27 . 2009-07-06 05:27 -------- d-----w- c:\program files\CCleaner
2009-07-04 21:26 . 2009-07-04 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\BullGuard
2009-07-04 21:26 . 2009-07-04 21:26 -------- d-----w- c:\documents and settings\Graham Pigott\Application Data\BullGuard
2009-07-04 21:24 . 2009-01-23 13:48 55504 ----a-w- c:\windows\system32\drivers\BdFileSpy.sys
2009-07-04 20:48 . 2009-07-04 20:48 -------- d-----w- c:\program files\SpyZooka
2009-07-04 15:57 . 2009-07-04 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-03 15:44 . 2009-07-03 15:44 6656 ----a-w- c:\windows\system32\netd.dll
2009-07-03 15:44 . 2009-07-03 15:44 4266 ----a-w- c:\documents and settings\Graham Pigott\Application Data\Mozilla\Firefox\Profiles\main\mt_32.dll
2009-07-03 15:44 . 2009-07-03 15:43 10752 ----a-w- c:\documents and settings\Graham Pigott\Application Data\Mozilla\Firefox\Profiles\main\browserui.dll
2009-07-03 15:44 . 2009-07-03 15:43 13824 ----a-w- c:\documents and settings\Graham Pigott\Application Data\Mozilla\Firefox\Profiles\main\winload.dll
2009-07-02 12:18 . 2009-07-02 12:18 -------- d-sh--w- C:\FOUND.041
2009-06-22 10:46 . 2009-06-22 10:46 -------- d-sh--w- c:\documents and settings\Brenda Pigott\IETldCache
2009-06-12 16:00 . 2009-06-12 16:00 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-11 09:49 . 2009-06-11 09:49 -------- d-----w- c:\windows\ie8updates
2009-06-10 10:15 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 10:15 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 10:15 . 2009-04-30 21:22 1985024 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-06-10 10:14 . 2009-04-30 21:22 11064832 ------w- c:\windows\system32\dllcache\ieframe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 05:35 . 2005-05-13 05:57 12 ----a-w- c:\windows\bthservsdp.dat
2009-05-20 09:02 . 2009-05-20 09:02 -------- d-----w- c:\program files\PrivacyPartners, LLC
2009-05-16 22:47 . 2009-05-16 20:09 32 --s-a-w- c:\windows\system32\3134949988.dat
2009-05-13 05:15 . 2004-08-04 04:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 04:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-28 10:51 . 2009-04-28 10:51 87376 ----a-w- c:\windows\system32\BGLsp.dll
2009-04-17 12:26 . 2004-08-04 04:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 04:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
"RayV"="c:\program files\RayV\RayV\RayV.exe" [2009-01-13 2278696]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-05-12 304464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-08 102491]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-08 692315]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-03 344064]
"LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2005-10-11 286720]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 385024]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2005-12-29 543232]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-12 185896]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-05-12 304464]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-04-15 88202]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-04-22 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-14 180224]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Private Proxy Cleanup.lnk - c:\program files\PrivacyPartners, LLC\Private Proxy\PrivateProxy.exe [2009-5-20 126040]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TacxFortius\\Fortius.exe"=
"c:\\Program Files\\TacxFortius\\catalyst\\Catalyst_Fortius.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\RayV\\RayV\\RayV.dll"=
"c:\\Program Files\\RayV\\RayV\\RayV.exe"=

R2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [04/08/2004 05:00 14336]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [23/03/2009 13:07 31128]
S2 BsFileScan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [04/08/2004 05:00 14336]
S2 BsFire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [04/08/2004 05:00 14336]
S3 BGRaSvc;BGRaSvc;c:\program files\BullGuard Ltd\BullGuard\support\BGRaSvc.exe [16/04/2009 13:24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy BsFire

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-eyeBeam SIP Client - (no file)
HKLM-Run-EPSON Stylus C48 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I091.EXE
HKU-Default-Run-Nokia.PCSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.betfair.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\windows\system32\BGLsp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Graham Pigott\Application Data\Mozilla\Firefox\Profiles\nfo7sz88.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wimbledon.org/en_GB/index.html
FF - component: c:\documents and settings\Graham Pigott\Application Data\Mozilla\Firefox\Profiles\nfo7sz88.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - component: c:\program files\Mozilla Firefox\extensions\info@google.com\components\FFLocal.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\RayV\RayV\plugins\nprayvplugin.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.socks -
FF - user.js: network.proxy.socks_port - 0
FF - user.js: network.proxy.type - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 06:36
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1288)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1344)
c:\windows\system32\BGLsp.dll

- - - - - - - > 'explorer.exe'(3104)
c:\windows\system32\WININET.dll
c:\program files\BullGuard Ltd\BullGuard\antispam\PluginHook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\program files\BullGuard Ltd\BullGuard\res\en\PluginHookRes.dll
c:\docume~1\GRAHAM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\BullGuard Ltd\BullGuard\BackupShellHook.dll
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.

c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\acer\EMANAGER\ANBMSERV.EXE
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
c:\windows\system32\wscntfy.exe
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
c:\program files\Common Files\Nokia\MPAPI\MPAPI3s.exe
.
**************************************************************************
.
Completion time: 2009-07-06 6:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-06 05:38

Pre-Run: 37,370,462,208 bytes free
Post-Run: 37,366,136,832 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

225 --- E O F --- 2009-06-11 09:49


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:41:39, on 06/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe
C:\Program Files\RayV\RayV\RayV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Graham Pigott\Desktop\FIX\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.betfair.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSN Search - {24A1E1CC-4393-941E-B765-2264A695D4E3} - C:\WINDOWS\system32\browsearch.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [RayV] C:\Program Files\RayV\RayV\RayV.exe /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"
O4 - HKUS\S-1-5-21-2601734612-1318749754-2030855190-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Brenda Pigott')
O4 - HKUS\S-1-5-21-2601734612-1318749754-2030855190-1005\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe" (User 'Brenda Pigott')
O4 - HKUS\S-1-5-21-2601734612-1318749754-2030855190-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Brenda Pigott')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Private Proxy Cleanup.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - Unknown owner - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe (file missing)
O23 - Service: BGRaSvc - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10826 bytes

After running these programs I still get the fake logon page when I go to Lloyds TSB banking, so I think the virus is still there.

Any help appreciated, thanks.
Posted 7/6/2009 6:35 AM
#74926

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
Hello graham9 :smile:

Please download Malwarebytes' Anti-Malware to your desktop:

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad. Please save it to a convenient location.

NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately.

Run a complete scan with BullGuard and post the log it produces along with the Malwarebytes log.

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 7/6/2009 10:39 AM
#74927

graham9 Member

Date Joined Nov 2016
Total Posts: 3
Here is the log from MBAM:

Malwarebytes' Anti-Malware 1.38
Database version: 2379
Windows 5.1.2600 Service Pack 3

06/07/2009 11:15:15
mbam-log-2009-07-06 (11-15-15).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 150525
Time elapsed: 17 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 42

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{24a1e1cc-4393-941e-b765-2264a695d4e3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24a1e1cc-4393-941e-b765-2264a695d4e3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{24a1e1cc-4393-941e-b765-2264a695d4e3} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\browsearch.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\documents and settings\graham pigott\application data\microsoft\systembackup\winload.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\documents and settings\graham pigott\application data\microsoft\systembackup\browserui.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\documents and settings\graham pigott\application data\Mozilla\Firefox\Profiles\main\winload.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\documents and settings\graham pigott\application data\Mozilla\Firefox\Profiles\main\browserui.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP387\A0183126.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP387\A0184125.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP394\A0185140.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0186123.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0186151.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187388.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187390.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187391.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187392.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187393.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187394.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187395.DLL (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187397.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187398.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187400.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187401.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187402.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187487.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187489.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\graham pigott\application data\microsoft\systembackup\browserui.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\graham pigott\application data\microsoft\systembackup\winload.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\ld08.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\browsearch.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\browserui.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\clfsw.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\digiwet.dll.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\mscert.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\mshtmllib.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\protect.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\pxcrt.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\winload.dll.vir (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mshtmllib.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Graham Pigott\Application Data\Mozilla\Firefox\Profiles\main\mt_32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pxcrt.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Graham Pigott\Application Data\Microsoft\SystemBackup\mt_32.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.

My internet seems to have speeded up and I no longer get the fake page when going to the Lloyds TSB website.

I think that's probably solved it then.

Thanks for your help Touch :)
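Read as a responder rather than as a victim, the MBAM log above tells a fairly complete story: one CLSID is registered under HKEY_CLASSES_ROOT, under Explorer's Browser Helper Objects list and under the per-user Ext\Stats key (that BHO is what sat inside the browser and served the fake banking page); the Security Center UpdatesDisableNotify data item shows update notifications had been switched off; many hits live in System Volume Information (old restore points, which is why purging them is recommended later in the thread); and the Qoobox hits are ComboFix's own quarantine folder being re-detected, not live infections. The following Python 3.8+ script, added here as an example and not part of this thread or of Malwarebytes' tooling, parses this log format into sections and detection records and reports exactly those things. Its SAMPLE_LOG is a constructed, abridged copy of the posted log with the header counts set to match the abridged lists; point parse_mbam_log at a full mbam-log-*.txt to run it on real output.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x scan log (added example, not
Malwarebytes' code)."""
import re
from collections import Counter

# Constructed, abridged copy of the log format posted in this thread; the
# header counts match the abridged lists so the consistency check passes.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.38
Database version: 2379
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 150525

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{24a1e1cc-4393-941e-b765-2264a695d4e3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24a1e1cc-4393-941e-b765-2264a695d4e3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{24a1e1cc-4393-941e-b765-2264a695d4e3} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\browsearch.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\documents and settings\graham pigott\application data\microsoft\systembackup\winload.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187391.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{511c714d-d653-47dc-b24b-14ca99b02fca}\RP398\A0187392.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\ld08.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Header block: "Registry Keys Infected: 3"; body block: "Registry Keys Infected:"
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<threat name>) -> <action>"; the action part may itself contain
# parentheses, e.g. "Bad: (1) Good: (0) -> Quarantined and deleted successfully."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
GUID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)


def parse_mbam_log(text):
    """Return (summary, detections): the header counts keyed by section, and
    one dict per detection line with its section, item, threat and action."""
    summary, detections, section = {}, [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section = m["section"]
        elif section and (m := DETECTION_RE.match(line)):
            detections.append({"section": section, "item": m["item"],
                               "threat": m["threat"], "action": m["action"]})
    return summary, detections


def summarise(summary, detections):
    """Cross-check header counts against parsed lines and pull out what a
    responder wants: threat families, BHO CLSIDs and how many registry
    locations each was registered in, Security Center tampering, hits inside
    old restore points, re-detections of another tool's quarantine, and
    anything MBAM did not manage to remove."""
    per_section = Counter(d["section"] for d in detections)
    return {
        "mismatches": {s: (n, per_section[s]) for s, n in summary.items()
                       if n != per_section[s]},
        "families": Counter(d["threat"] for d in detections),
        "bho_clsids": Counter(g.lower() for d in detections
                              if d["section"].startswith("Registry")
                              for g in GUID_RE.findall(d["item"])),
        "security_center": [d["item"] for d in detections
                            if d["threat"].startswith("Disabled.")],
        "restore_point_hits": [d["item"] for d in detections
                               if "\\system volume information\\" in d["item"].lower()],
        "quarantine_hits": [d["item"] for d in detections
                            if "\\qoobox\\quarantine\\" in d["item"].lower()],
        "not_removed": [d["item"] for d in detections
                        if "successfully" not in d["action"]],
    }


if __name__ == "__main__":
    header, found = parse_mbam_log(SAMPLE_LOG)
    for key, value in summarise(header, found).items():
        print(f"{key}: {value}")
```

An empty mismatches dict means every detection line was parsed, which matters when a log has been pasted through a forum that mangles line breaks, as happened in this thread. The same CLSID counted three times under bho_clsids is the normal footprint of an installed Browser Helper Object, so a count of one or two after cleanup would suggest leftover registration worth checking by hand.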
Posted 7/6/2009 10:54 AM
#74928

graham9 Member

Date Joined Nov 2016
Total Posts: 3
By the way, here is the BullGuard scan log:

BullGuard Scan Report
Scan Profile: "My Computer"
___________________________________________________________

----[ System Info ]------------

OS Version: Windows XP Professional - Service Pack 3 (Build 2600) [1 * x86 CPUs]
Physical memory: 2048 MB
System up-time: 0 days, 00 hours, 33 minutes, 33 seconds
BullGuard up-time: 0 days, 00 hours, 32 minutes, 56 seconds
TopLayer Version: 8, 7, 0, 17
FileSpy5 Version: N/A
BdFileSpy Version: N/A
BsFileScan Version: 8, 5, 0, 71
Reconn Version: N/A
MailProxy Version: 8, 5, 0, 21
AntiVirus Version: 8, 5, 0, 49

----[ Scan Parameters ]------------

Folders to scan:
 C:\
 D:\

Excluded folders:
 None

Files to scan:
 None

Scan type:
 [o] Scan all files
 [ ] Scan program files only
 [ ] Scan custom extensions:

 [X] Exclude user extensions: lnk

 [X] Scan boot sectors
 [X] Scan packed files
 [X] Scan archives
 [X] Scan emails
 [X] Scan running processes
 [X] Scan registry
 [X] Scan IE cookies
 [X] Enable heuristic detection

 [ ] Scan default action
___________________________________________________________

Scan Statistics
___________________________________________________________

Scan started: Monday, July 06, 2009 11:51:58
Scan duration: 0 days, 00 hours, 30 minutes, 27 seconds
Completion status: Successful

Total files scanned: 153734
Total files skipped: 86
Identified viruses: 0
Scan speed: 84.15 files/sec

Files skipped:
 C:\WINDOWS\system32\config\system.LOG [Open Failed]
 C:\WINDOWS\system32\config\software.LOG [Open Failed]
 C:\WINDOWS\system32\config\default.LOG [Open Failed]
 C:\WINDOWS\system32\config\SAM.LOG [Open Failed]
 C:\WINDOWS\system32\config\SECURITY.LOG [Open Failed]
 C:\WINDOWS\system32\config\SECURITY [Open Failed]
 C:\WINDOWS\system32\config\SOFTWARE [Open Failed]
 C:\WINDOWS\system32\config\SYSTEM [Open Failed]
 C:\WINDOWS\system32\config\DEFAULT [Open Failed]
 C:\WINDOWS\system32\config\SAM [Open Failed]
 C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat [Open Failed]
 C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG [Open Failed]
 C:\Documents and Settings\NetworkService\NTUSER.DAT [Open Failed]
 C:\Documents and Settings\NetworkService\ntuser.dat.LOG [Open Failed]
 C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat [Open Failed]
 C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG [Open Failed]
 C:\Documents and Settings\LocalService\NTUSER.DAT [Open Failed]
 C:\Documents and Settings\LocalService\ntuser.dat.LOG [Open Failed]
 C:\Documents and Settings\Administrator\NTUSER.DAT [Open Failed]
 C:\Documents and Settings\Administrator\ntuser.dat.LOG [Open Failed]
 C:\Documents and Settings\Graham Pigott\NTUSER.DAT [Open Failed]
 C:\Documents and Settings\Graham Pigott\ntuser.dat.LOG [Open Failed]
 C:\Documents and Settings\Graham Pigott\Local Settings\Temp\etilqs_TfGvJXzZjlqgcmd2qrmS [Open Failed]
 C:\Documents and Settings\Graham Pigott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG [Open Failed]
 C:\Documents and Settings\Graham Pigott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat [Open Failed]
 C:\Documents and Settings\Graham Pigott\Application Data\Mozilla\Firefox\Profiles\nfo7sz88.default\parent.lock [Open Failed]
 C:\Documents and Settings\Graham Pigott\Application Data\Mozilla\Firefox\Profiles\nfo7sz88.default\places.sqlite-journal [Open Failed]
 C:\Documents and Settings\Brenda Pigott\NTUSER.DAT [Open Failed]
 C:\Documents and Settings\Brenda Pigott\ntuser.dat.LOG [Open Failed]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>Ad-Aware SE Default.skn [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow1.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow2.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bck1.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt11.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt12.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt13.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt21.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt22.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt23.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt31.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt32.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt33.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt41.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt42.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt43.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt51.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt52.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt53.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt61.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt62.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox1.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox2.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox3.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox4.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn1.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn2.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn3.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph1.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph2.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph3.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph4.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph5.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph6.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph7.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>main.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>preview.bmp [Password protected]
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>sprite1.bmp [Password protected]
 C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.idx [Open Failed]
 C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\D0000000.FCS [Open Failed]
 C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.dat [Open Failed]
 C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.idx [Open Failed]
 C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.dat [Open Failed]
 C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.idx [Open Failed]
 C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.dat [Open Failed]
 C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.idx [Open Failed]
 C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.dat [Open Failed]
 C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.idx [Open Failed]
 C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.dat [Open Failed]
 C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.idx [Open Failed]
 C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.dat [Open Failed]
 C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.idx [Open Failed]
 C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.dat [Open Failed]
 C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.idx [Open Failed]
 C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\L0000009.FCS [Open Failed]
 C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.dat [Open Failed]
 C:\FOUND.011\FILE0001.CHK=>VIRSCAN5.985 [Corrupted archive]

___________________________________________________________

Results after ROUND 0
___________________________________________________________

Scan started: Monday, July 06, 2009 11:21:31
Scan duration: 0 days, 00 hours, 30 minutes, 27 seconds
Infections solved: 0
Infections left: 0
Viruses left: 0
Posted 7/6/2009 11:01 AM
#74929

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
That's good news :smile:

Yes, it looks like your problems are solved.

You should Create a New Restore Point to prevent possible reinfection from an old one.
The easiest and safest way to do this is:

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and OK it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

Click START then RUN
Now type Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.


