Have I Got A Virus
   

mysterious_
New Member




Date Joined Sep 2008
Total Posts : 4
 
   Posted 9-11-2008 7:33 (GMT +1)
Please can someone have a look at my HijackThis log and tell me if I have a virus or not. I'd be very grateful for the help.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:21:06, on 11/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: BT - {A518C1F4-8850-44E8-8540-B437EB5C1827} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {ED231CD1-E6B8-4F8D-AED2-FA119BA07238} - http://bt.yahoo.com (file missing) (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220008440733
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol028.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: BGRaSvc - BullGuard - C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 6355 bytes

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13812
 
   Posted 9-12-2008 6:13 (GMT +1)
Hello
 
It looks clean. Run a complete system scan with BullGuard, post the log it produces, and tell me why you think you have a virus?


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.


mysterious_
New Member




Date Joined Sep 2008
Total Posts : 4
 
   Posted 9-22-2008 1:14 (GMT +1)
Hi! Sorry it's been so long getting back to you, but there was a death in the family.
The reason I'm asking is, a few weeks ago I had a virus and had to take it to the shop to get repaired, and I don't know if it's come back. My PC is slow and sometimes I can't view web pages, and when I go to my mail the URL doesn't look right.
Here is the scan log.
----[  System Info  ]------------
OS Version: Microsoft Windows XP Home Edition - Service Pack 3 (Build 2600) [1 * x86 CPUs]
Physical memory: 224 MB
System up-time: 0 days, 03 hours, 22 minutes, 15 seconds
BullGuard up-time: 0 days, 03 hours, 21 minutes, 14 seconds
TopLayer Version: 8, 0, 0, 7
FileSpy5 Version: N/A
BdFileSpy Version: 3.12.0.62 built by: WinDDK
BsFileScan Version: 8, 0, 0, 57
Reconn Version: 1.1.0.5 built by: WinDDK
MailProxy Version: 8, 0, 0, 17
AntiVirus Version: 8, 0, 0, 46
----[  Scan Parameters  ]------------
Folders to scan:
    A:\
    C:\
Excluded folders:
    None
Files to scan:
    None
Scan type:
    [o] Scan all files
    [ ] Scan program files only
    [ ] Scan custom extensions:
    [X] Exclude user extensions: lnk
    [X] Scan boot sectors
    [X] Scan packed files
    [X] Scan archives
    [X] Scan emails
    [X] Scan running processes
    [X] Scan registry
    [X] Scan IE cookies
    [X] Enable heuristic detection
    [ ] Scan default action
___________________________________________________________
Scan Statistics
___________________________________________________________
Scan started: Monday, September 22, 2008 11:59:43
Scan duration: 0 days, 00 hours, 40 minutes, 04 seconds
Completion status: Successful
Total files scanned: 155039
Total files skipped: 52
Identified viruses: 0
Scan speed: 64.49 files/sec
Files skipped:
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat [Open Failed]
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG [Open Failed]
    C:\Documents and Settings\LocalService\NTUSER.DAT [Open Failed]
    C:\Documents and Settings\LocalService\ntuser.dat.LOG [Open Failed]
    C:\Documents and Settings\Michelle9412\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat [Open Failed]
    C:\Documents and Settings\Michelle9412\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG [Open Failed]
    C:\Documents and Settings\Michelle9412\NTUSER.DAT [Open Failed]
    C:\Documents and Settings\Michelle9412\NTUSER.DAT.LOG [Open Failed]
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat [Open Failed]
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG [Open Failed]
    C:\Documents and Settings\NetworkService\NTUSER.DAT [Open Failed]
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG [Open Failed]
    C:\Documents and Settings\user\My Documents\Backup\My Documents\My Music\mp3 downloads\winzip90.exe=>(ZIP Sfx s)=>SETUP.WZ=>WINZIP32.EX_ [Password protected]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\Messages\RdrMsgSplash.pdf [Password protected]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\WebSearch\WebSearchENU.pdf [Password protected]
    C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig\ENU\Data1.cab=>WebSearchENU.pdf [Password protected]
    C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig\ENU\Data1.cab=>RdrMsgSplash.pdf [Password protected]
    C:\Program Files\BullGuard Ltd\BullGuard\force-reboot [Open Failed]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-18-2008 - 08-47-30.SBU=>{060FB5B7-BD16-4539-A4D7-793AACDA0317} [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-18-2008 - 08-47-30.SBU=>{573556A9-08F0-4FD9-AC4B-60E0EDF5F6B8} [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-18-2008 - 08-47-30.SBU=>{595102E2-34EC-4071-AB8C-5A27104D2A98} [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-18-2008 - 08-47-30.SBU=>{74BAF636-6E3A-4477-B2E5-84967F132823} [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-18-2008 - 08-47-30.SBU=>{7CBE6527-5D37-4B46-9469-E5739AAC5591} [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-18-2008 - 08-47-30.SBU=>{A05CA7D6-2C48-4A6D-ADD0-7A058F3E368E} [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-18-2008 - 08-47-30.SBU=>backup.db [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-20-2008 - 13-04-18.SBU=>{1158CDF5-1A56-499A-94E0-873D7F909876} [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-20-2008 - 13-04-18.SBU=>{6B52C7B5-D812-416D-B5D8-8D9A8F24D8B5} [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-20-2008 - 13-04-18.SBU=>{6BDB4A7D-F8E9-4A1B-ADF1-6C312024879B} [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-20-2008 - 13-04-18.SBU=>{87E2C514-6941-4897-ADD8-F2E3F15628AC} [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-20-2008 - 13-04-18.SBU=>{B63086F6-DD86-4A9D-B4D1-BC66752DE012} [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-20-2008 - 13-04-18.SBU=>{F159684B-D2DD-40C5-A3BF-A099004193F9} [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-20-2008 - 13-04-18.SBU=>{F41CD4B3-F089-434A-A62C-4029118000BD} [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-20-2008 - 13-04-18.SBU=>backup.db [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-24-2008 - 11-59-41.SBU=>{04904554-9FC8-4A4B-8F6B-F9E5EFF4B2D1} [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-24-2008 - 11-59-41.SBU=>{29A16B69-E85D-420F-91A5-7EBAE0DC185D} [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-24-2008 - 11-59-41.SBU=>backup.db [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-26-2008 - 10-18-37.SBU=>backup.db [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-30-2008 - 14-09-46.SBU=>backup.db [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 09-01-2008 - 11-44-04.SBU=>{0E1A6823-C5D0-477A-A231-7B84B51392CC} [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 09-01-2008 - 11-44-04.SBU=>{CCEB0AB3-FF22-4F41-8791-16F781A1EA49} [Password protected]
    C:\RECYCLER\S-1-5-21-1229272821-1202660629-725345543-1005\Dc6.com\SUPERAntiSpyware\Quarantine\Quarantine - 09-01-2008 - 11-44-04.SBU=>backup.db [Password protected]
    C:\System Volume Information\MountPointManagerRemoteDatabase [Open Failed]
    C:\WINDOWS\system32\config\default [Open Failed]
    C:\WINDOWS\system32\config\default.LOG [Open Failed]
    C:\WINDOWS\system32\config\SAM [Open Failed]
    C:\WINDOWS\system32\config\SAM.LOG [Open Failed]
    C:\WINDOWS\system32\config\SECURITY [Open Failed]
    C:\WINDOWS\system32\config\SECURITY.LOG [Open Failed]
    C:\WINDOWS\system32\config\software [Open Failed]
    C:\WINDOWS\system32\config\software.LOG [Open Failed]
    C:\WINDOWS\system32\config\system [Open Failed]
    C:\WINDOWS\system32\config\system.LOG [Open Failed]

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13812
 
   Posted 9-22-2008 2:45 (GMT +1)
Sorry to hear about the loss.


BullGuard looks clean, however I'll suggest we dig deeper ->
 
Click here - >> Before posting a log 
 
 
After you have run the scan tools -
 
Reboot normally
 
Post the HijackThis log along with the SUPERAntiSpyware log and C:\ComboFix.txt in this topic
 
Please copy and paste your log. DO NOT add it as an attachment
Kindly do not annotate or format the log with color or font changes.
NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer. We do not clean logs that have P2P applications installed, as this can cause reinfection during your cleaning.




mysterious_
New Member




Date Joined Sep 2008
Total Posts : 4
 
   Posted 9-25-2008 4:45 (GMT +1)
Here are the HijackThis log along with the SUPERAntiSpyware log and ComboFix TXT.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:28:40, on 25/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.360.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Homepage - {0DABAE24-7224-488B-98EC-19FD6DB0E1BC} - http://bt.yahoo.com (file missing) (HKCU)
O9 - Extra button: BT - {10F6A445-E65B-4D4A-9209-000F15B4E05C} - http://www.bt.com (file missing) (HKCU)
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220008440733
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: BGRaSvc - BullGuard - C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 3904 bytes
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 09/25/2008 at 03:48 PM
Application Version : 4.21.1004
Core Rules Database Version : 3579
Trace Rules Database Version: 1567
Scan type       : Complete Scan
Total Scan Time : 00:27:36
Memory items scanned      : 369
Memory threats detected   : 0
Registry items scanned    : 3968
Registry threats detected : 0
File items scanned        : 10714
File threats detected     : 0
ComboFix 08-09-24.12 - Michelle9412 2008-09-25 16:05:09.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.55 [GMT 1:00]
Running from: C:\Documents and Settings\Michelle9412\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\CMMGR32.EXE
.
(((((((((((((((((((((((((   Files Created from 2008-08-25 to 2008-09-25  )))))))))))))))))))))))))))))))
.
2008-09-25 15:17 . 2008-09-25 15:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-25 15:17 . 2008-09-25 15:17 <DIR> d-------- C:\Documents and Settings\Michelle9412\Application Data\SUPERAntiSpyware.com
2008-09-25 15:17 . 2008-09-25 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-25 15:15 . 2008-09-25 15:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-25 15:09 . 2008-09-25 15:09 <DIR> d-------- C:\Program Files\CCleaner
2008-09-22 09:35 . 2008-09-22 09:35 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-09-21 10:34 . 2008-09-21 10:34 <DIR> d-------- C:\Documents and Settings\Michelle9412\Application Data\ArcSoft
2008-09-21 10:23 . 2008-09-21 10:23 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-09-21 10:23 . 2008-09-21 10:23 <DIR> d-------- C:\Program Files\ArcSoft
2008-09-21 10:23 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-09-21 10:22 . 2008-09-21 10:22 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-09-21 10:17 . 2008-04-13 19:45 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-09-20 08:31 . 2008-09-20 09:40 <DIR> d-------- C:\Documents and Settings\Michelle9412\Application Data\BullGuard
2008-09-20 08:31 . 2008-09-25 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BullGuard
2008-09-20 08:30 . 2008-09-20 08:30 <DIR> d-------- C:\Program Files\BullGuard Ltd
2008-09-20 08:30 . 2008-06-12 11:17 52,560 --a------ C:\WINDOWS\system32\drivers\BdFileSpy.sys
2008-09-18 10:28 . 2008-09-18 10:28 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-09-14 17:33 . 2008-09-14 17:33 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-10 19:17 . 2008-09-22 10:34 <DIR> d-------- C:\Program Files\PCPitstop
2008-09-10 14:21 . 2008-09-10 14:21 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-09-06 20:42 . 2008-09-06 20:46 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-09-05 13:47 . 2008-09-05 13:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-03 17:53 . 2008-09-03 17:55 <DIR> d-------- C:\Documents and Settings\user\Application Data\BullGuard
2008-09-03 14:03 . 2008-09-03 14:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BullGuard
2008-09-02 19:38 . 2008-09-03 10:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-09-02 12:00 . 2008-09-16 16:24 <DIR> d-------- C:\Documents and Settings\Michelle9412\Application Data\AdobeUM
2008-09-02 11:40 . 2008-09-02 11:41 <DIR> d-------- C:\Program Files\VerbatimDenotoSoftware
2008-09-02 11:40 . 2000-12-20 21:53 369,664 --a------ C:\WINDOWS\system32\Dav3_32.dll
2008-09-02 11:40 . 2000-12-20 21:53 143,360 --a------ C:\WINDOWS\system32\Leon3_32.dll
2008-09-02 11:36 . 2008-09-02 11:36 268 --ah----- C:\sqmdata02.sqm
2008-09-02 11:36 . 2008-09-02 11:36 244 --ah----- C:\sqmnoopt02.sqm
2008-09-01 16:51 . 2008-09-01 16:51 268 --ah----- C:\sqmdata01.sqm
2008-09-01 16:51 . 2008-09-01 16:51 244 --ah----- C:\sqmnoopt01.sqm
2008-09-01 13:31 . 2008-09-02 17:53 <DIR> d-------- C:\Documents and Settings\Michelle9412\Contacts
2008-08-31 12:26 . 2008-09-07 16:43 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-08-30 18:07 . 2008-08-30 18:07 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-30 14:20 . 2008-08-30 14:21 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-28 18:15 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DL1
2008-08-28 18:15 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DL1
2008-08-28 17:38 . 2008-09-02 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 12:58 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-09-20 15:52 --------- d-----w C:\Program Files\CyberLink
2008-09-18 18:08 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-09-14 14:11 --------- d-----w C:\Program Files\Yahoo!
2008-09-10 18:35 --------- d-----w C:\Program Files\Common Files\Scanner
2008-09-09 16:13 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2008-08-29 09:21 --------- d-----w C:\Program Files\Java
2008-08-26 11:31 --------- d-----w C:\Documents and Settings\Michelle9412\Application Data\Yahoo!
2008-08-23 09:41 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2008-08-19 16:23 --------- d-----w C:\Documents and Settings\user\Application Data\Yahoo!
2008-08-19 08:35 --------- d-----w C:\Program Files\Windows Live
2008-08-19 08:31 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-19 08:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-18 15:36 --------- d-----w C:\Program Files\BT Broadband 2091
2008-08-18 11:16 --------- d-----w C:\Program Files\Motive
2008-08-18 11:16 --------- d-----w C:\Program Files\Ahead
2008-08-17 19:30 --------- d-----w C:\Program Files\BT Yahoo
2008-08-17 19:21 155,995 ----a-w C:\WINDOWS\java\Packages\3LZZV1ZD.ZIP
2008-08-16 11:14 --------- d-----w C:\Program Files\OpenOffice.org 2.2
2008-08-16 11:11 --------- d-----w C:\Program Files\Common Files\Nero
2008-08-16 11:10 --------- d-----w C:\Program Files\Common Files\Ahead
2008-08-16 11:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-08-16 11:09 --------- d-----w C:\Program Files\Common Files\Java
2008-08-16 11:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-16 10:42 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-05 10:08 19,784 ----a-w C:\WINDOWS\system32\BgOutlookHook.dll
2008-08-05 10:04 14,152 ----a-w C:\WINDOWS\system32\lccl.dll
2008-08-05 10:04 14,152 ----a-w C:\WINDOWS\system32\client_cc.dll
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"BullGuard"="C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" [2008-08-05 304456]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BTFirstRun]
--a------ 2004-06-09 12:53 397312 C:\WINDOWS\Firstrun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-08-19 15:43 57344 C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2006-04-01 15:33 77824 C:\WINDOWS\SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
R2 BdFileSpy;BullGuard File Monitor Driver;C:\WINDOWS\system32\drivers\BdFileSpy.sys [2008-06-12 52560]
R2 BsFileScan;BullGuard File Scan Service;C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 BsFire;BullGuard Firewall Service;C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R3 afw;Agnitum firewall driver;C:\WINDOWS\system32\DRIVERS\afw.sys [2007-11-28 199440]
R3 Reconn;BullGuard Email Monitor;C:\Program Files\BullGuard Ltd\BullGuard\Reconn.sys [2007-10-29 16984]
S3 BGRaSvc;BGRaSvc;C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe [2008-08-05 79176]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ    BgMainSvc BsFileScan BsMailProxy BsFire
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SASDIFSV
*Newly Created Service* - SASENUM
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-RemoteControl - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
R0 -: HKCU-Main,Start Page = hxxp://uk.360.yahoo.com/
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-25 16:09:49
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-09-25 16:13:10
ComboFix-quarantined-files.txt  2008-09-25 15:13:06
Pre-Run: 42,978,000,896 bytes free
Post-Run: 43,076,968,448 bytes free
169 --- E O F --- 2008-09-10 12:07:01

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13812
 
   Posted 9-26-2008 11:41 (GMT +1)
It looks clean
 
 
How are things running?



mysterious_
New Member




Date Joined Sep 2008
Total Posts : 4
 
   Posted 9-27-2008 8:48 (GMT +1)
It's running better and thanks for helping me and putting my mind at rest.
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13812
 
   Posted 9-27-2008 8:56 (GMT +1)
My pleasure
 
 
Uninstall ComboFix

Go to Start->Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u
Click Enter

This will ->
Uninstall ComboFix. Delete its related folders and files.
Reset your clock settings. Hide file extensions.
Hide the system/hidden files. And reset System Restore again.
 
Download, install, and keep updated Spyware Blaster (freeware):
http://www.javacoolsoftware.com/spywareblaster.html
 
 Also, please read this article by Tony Klein: How I got Infected in the First Place
 
Since this issue appears resolved ... this Topic is closed.
If you would like it to be reopened, please contact me.
 
Thank you!


