2 Weeks Old Problem--please Help!


16 replies to this topic

#1 keithaw1

keithaw1

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:52 AM

Posted 10 September 2008 - 09:22 AM

Have done all asked.....here is the HJT Logfile
PLEASE HELP..........................


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:18 AM, on 9/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\Hijack.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [inrhcrnpj0egdg] C:\WINDOWS\Temp\.tt4D.tmp.exe /CR=E08AC8ADEEC613C39E30C48EA611036BDAD15B0511075108F37C69A7F3AFC2F133C8D0FA85D21B802E2B9D38A95B60C1FB8EB48C8B80A68FC6080FD31FF57D052C330F681183B558E84709A6DF035E8C2B55F443FC55B3
O4 - HKLM\..\Run: [lphcvnpj0egdg] C:\WINDOWS\system32\lphcvnpj0egdg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKCU\..\Run: [SpeedItUpEX] "C:\Program Files\SpeedItUpExtreme\SpeedItUpEx.exe" -MINI
O4 - HKCU\..\Run: [PC Digital Safe] "C:\Program Files\PC Digital Safe\PcDigitalSafe.exe" -mini
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdase3.exe" /minimize
O4 - HKUS\S-1-5-18\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (User 'Default user')
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.mcafee.com
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4B55FE21-325E-48D5-9B39-9B430D639EE8} (ScanFile.FileScan) - http://www.contentpurity.com/ScanFile.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/277952c273a66d...ip/RdxIE601.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file:///C:/Program%20Files/AutoCAD%20LT%202002/AcDcToday.ocx
O16 - DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} - http://www.contentpurity.com/ScanFile.CAB
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://207.144.44.254/activex/AxisCamControl.cab
O16 - DPF: {91876926-89DC-11D7-B590-00500467786D} (DnldCtrl Control) - http://store.cnsx.com/download/DnldCtrl.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///C:/Program%20Files/AutoCAD%20LT%202002/InstBanr.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file:///C:/Program%20Files/AutoCAD%20LT%202002/InstFred.ocx
O16 - DPF: {D5382F3F-32AA-41E1-9FFF-5D1EFAC80D40} (FileClean.Clean) - http://contentpurity.com/members/FileClean.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tigerpawsoftware.webex.com/client/v...bex/ieatgpc.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...975/mcfscan.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file:///C:/Program%20Files/AutoCAD%20LT%202002/AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7334F8A-AB8C-4775-A822-30E51DC43CFA}: NameServer = 10.1.1.1
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: bnguql - C:\WINDOWS\SYSTEM32\bnguql.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8450 bytes



PLEASE SAVE ME!!!!!!!!!

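A small triage script over lines copied from the HijackThis log above, as an added example for this thread; it is not part of the original post and not HijackThis's own logic. It encodes what a helper checks first in a log like this one: a process that Windows XP runs exactly once (lsass.exe) appearing six times, O4 Run entries that start from a Temp directory or carry random-looking names, and the O20 Winlogon Notify DLL. The scoring rules, the threshold, the singleton-process list and the "random name" test are assumptions made for illustration, and they miss on purpose-built names: the sysrest32.exe entry scores under the threshold even though later scans in this thread remove it.

```python
"""HijackThis (HJT) log triage heuristics.

Added example for this thread, not from the original post or from HijackThis.
The scoring rules, threshold and singleton list are illustrative assumptions;
expect misses (sysrest32.exe below stays under the threshold)."""
import re
from collections import Counter

# Constructed subset of the HJT log posted above (lines copied verbatim).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsass.exe

O4 - HKLM\..\Run: [inrhcrnpj0egdg] C:\WINDOWS\Temp\.tt4D.tmp.exe /CR=E08AC8ADEEC613C39E30C48EA611036BDAD15B0511075108F37C69A7F3AFC2F133C8D0FA85D21B802E2B9D38A95B60C1FB8EB48C8B80A68FC6080FD31FF57D052C330F681183B558E84709A6DF035E8C2B55F443FC55B3
O4 - HKLM\..\Run: [lphcvnpj0egdg] C:\WINDOWS\system32\lphcvnpj0egdg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: bnguql - C:\WINDOWS\SYSTEM32\bnguql.dll
"""

# Processes XP runs exactly once; a second copy is a classic masquerade sign (assumed list).
SINGLETON_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
VOWELS = set("aeiouy")
RUN_RE = re.compile(r"^O4 - \S+: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.*)$")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def looks_random(name):
    """Crude test: a letters-only stem with under 20% vowels, or a digit wedged between letters."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", name).lower()
    letters = [c for c in stem if c.isalpha()]
    if len(letters) >= 6 and sum(c in VOWELS for c in letters) / len(letters) < 0.2:
        return True
    return re.search(r"[a-z]\d[a-z]", stem) is not None


def split_command(cmd):
    """Split a Run value into (path, arguments) for quoted and unquoted paths."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(.*?\.(?:exe|scr|com|bat|pif|dll))(\s.*)?$", cmd, re.IGNORECASE)
    return (m.group(1), (m.group(2) or "").strip()) if m else (cmd, "")


def location_score(path):
    p = path.lower().replace("/", "\\")
    if "\\temp\\" in p:
        return 2, "starts from a Temp directory"
    if "\\windows\\" in p:  # covers system32 as well
        return 1, "sits in the Windows directory tree"
    return 0, ""


def triage(log_text, threshold=2):
    """Return findings (dicts: kind, item, score, reasons), highest score first."""
    findings, procs, in_procs = [], Counter(), False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs and line:  # the process list runs until the first blank line
            procs[basename(line).lower()] += 1
            continue
        in_procs = False
        m = RUN_RE.match(line)
        if m:
            path, args = split_command(m.group("cmd"))
            score, why = location_score(path)
            reasons = [why] if why else []
            if looks_random(m.group("value")) or looks_random(basename(path)):
                score, reasons = score + 1, reasons + ["random-looking name"]
            if len(args) > 40:
                score, reasons = score + 1, reasons + ["%d-char argument string" % len(args)]
            if score >= threshold:
                findings.append({"kind": "O4", "item": m.group("value"), "score": score, "reasons": reasons})
        m = NOTIFY_RE.match(line)
        if m:  # every Winlogon Notify package is worth a look; random names more so
            score, reasons = 1, ["DLL loads into winlogon.exe at every logon"]
            if looks_random(m.group("key")) or looks_random(basename(m.group("dll"))):
                score, reasons = 2, reasons + ["random-looking name"]
            findings.append({"kind": "O20", "item": m.group("key"), "score": score, "reasons": reasons})
    for name, count in procs.items():
        if name in SINGLETON_PROCESSES and count > 1:
            findings.append({"kind": "process", "item": name, "score": 3,
                             "reasons": ["%d copies of a process that runs once" % count]})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%d] %s %s: %s" % (f["score"], f["kind"], f["item"], "; ".join(f["reasons"])))
```

Run as-is it prints the flagged entries for the excerpt; pass the full log text to triage() for a whole file. The threshold is deliberately loose and the name test is crude (msmsgs.exe has no vowels at all), so the output is a reading order, not a verdict: a helper still goes through every O4, O20 and O23 line by hand.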

#2 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:07:52 AM

Posted 10 September 2008 - 02:35 PM

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.

#3 keithaw1

keithaw1
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:52 AM

Posted 11 September 2008 - 09:49 AM

Sorry it took so long but the PC ran super slow especially on Kaspersky...Had to let it run overnight. Here are the 3 log file results:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, September 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, September 10, 2008 14:56:32
Records in database: 1207325
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
G:\
L:\

Scan statistics:
Files scanned: 76081
Threat name: 29
Infected objects: 82
Suspicious objects: 0
Duration of the scan: 04:53:16


File name / Threat name / Threats count
C:\WINDOWS\system32\bnguql32.dll/C:\WINDOWS\system32\bnguql32.dll Infected: Backdoor.Win32.Hijack.d 1
svchost.exe\svchost.exe/svchost.exe\svchost.exe Infected: Trojan.Win32.Agent.goa 1
svchost.exe\svchost.exe/svchost.exe\svchost.exe Infected: Trojan.Win32.Agent.ady 1
C:\WINDOWS\system32\bnguql.dll/C:\WINDOWS\system32\bnguql.dll Infected: Backdoor.Win32.Hijack.d 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\.tt14.tmp.bac_a00236 Infected: Trojan.Win32.KillAV.agz 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\.tt1C1.tmp.bac_a00236 Infected: Trojan.Win32.KillAV.agz 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\.tt2F2.tmp.bac_a00236 Infected: Backdoor.Win32.Agent.pnt 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\aeaudio.sys.bac_a00236 Infected: Trojan-Mailfinder.Win32.Agent.mm 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\amx1A.tmp.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\assest.dll.bac_a00236 Infected: Trojan.Win32.Dialer.bi 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\beep.sys.bac_a00236 Infected: Backdoor.Win32.UltimateDefender.a 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\Binaries1.zip.bac_a00236 Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.t 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\Binaries1[1].zip.bac_a00236 Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.t 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\Binaries2.zip.bac_a00236 Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.af 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\Binaries2[1].zip.bac_a00236 Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.af 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\buritos.exe.bac_a00236 Infected: Trojan.Win32.Crypt.os 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\bym1B.tmp.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\cmd11.tmp.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\Dc11.exe.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\Dc13.bac_a00236 Infected: Trojan.Win32.Crypt.os 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\Dc18.bac_a00236 Infected: Trojan.Win32.Crypt.os 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\Dc19.bac_a00236 Infected: Trojan.Win32.Crypt.os 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\enm13.tmp.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\gjj2D.tmp.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\gve17.tmp.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\Install[1].exe.bac_a00236 Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.p 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\jgn2B.tmp.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\karina.dat.bac_a00236 Infected: Backdoor.Win32.Small.eug 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\kashir[1].exe.bac_a00236 Infected: Hoax.Win32.Renos.vaws 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\png27.tmp.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\pphcvnpj0egdg.exe.bac_a00236 Infected: not-a-virus:FraudTool.Win32.XPAntivirus.qj 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\qwa19.tmp.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\rje10.tmp.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\rld5D.tmp.bac_a00236 Infected: Hoax.Win32.Renos.vaws 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\rld5E.tmp.bac_a00236 Infected: Hoax.Win32.Renos.vaws 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\rld60.tmp.bac_a00236 Infected: Backdoor.Win32.Frauder.bf 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\rld61.tmp.bac_a00236 Infected: Backdoor.Win32.Frauder.bf 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\rld9.tmp.bac_a00236 Infected: Trojan-Spy.Win32.Zbot.epz 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\rldAB.tmp.bac_a00236 Infected: Backdoor.Win32.Frauder.bf 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\rldAD.tmp.bac_a00236 Infected: Hoax.Win32.Renos.vaws 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\rldB3.tmp.bac_a00236 Infected: Hoax.Win32.Renos.vaws 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\rxi23.tmp.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\scan[1].exe.bac_a00236 Infected: Backdoor.Win32.Frauder.bf 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\tag1F.tmp.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ufu11.tmp.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\us[1].exe.bac_a00236 Infected: Trojan-Spy.Win32.Zbot.epz 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\winivstr.exe.bac_a00236 Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.p 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\wuauclt.exe.bac_a00236 Infected: Worm.Win32.AutoRun.luy 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\xfp12.tmp.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ych17.tmp.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\rburle\Local Settings\Temp\.ttD.tmp Infected: Trojan.Win32.KillAV.agz 1
C:\Documents and Settings\rburle\My Documents\classicalhummingbird.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Documents and Settings\rburle\My Documents\classicalhummingbird.exe Infected: Trojan-Downloader.Win32.Wren.d 1
C:\Documents and Settings\rburle\My Documents\screensaversinstaller.exe Infected: not-a-virus:AdWare.Win32.Comet.bc 1
C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.d 1
C:\Program Files\Microsoft AntiSpyware\Quarantine\7E4C2A06-07E5-42CB-B8AD-F83309\99E48E44-70CD-4ACC-B7AA-991C0A Infected: not-a-virus:AdWare.Win32.180Solutions.ao 1
C:\WINDOWS\sasent.dll Infected: Trojan.Win32.Dialer.bi 1
C:\WINDOWS\system32\bnguql.dll Infected: Backdoor.Win32.Hijack.d 1
C:\WINDOWS\system32\bnguql32.dll Infected: Backdoor.Win32.Hijack.d 1
C:\WINDOWS\system32\lphcvnpj0egdg.exe Infected: Backdoor.Win32.Frauder.ee 1
C:\WINDOWS\Temp\apeC.tmp Infected: Backdoor.Win32.Frauder.ee 1
C:\WINDOWS\Temp\BN2.tmp Infected: Trojan-Downloader.Win32.Agent.vfa 1
C:\WINDOWS\Temp\BN3.tmp Infected: Trojan-Downloader.Win32.Agent.vfa 1
C:\WINDOWS\Temp\eoqD.tmp Infected: Backdoor.Win32.Frauder.ee 1
C:\WINDOWS\Temp\gay9.tmp Infected: Backdoor.Win32.Frauder.ee 1
C:\WINDOWS\Temp\hio10.tmp Infected: Backdoor.Win32.Frauder.ee 1
C:\WINDOWS\Temp\lom18.tmp Infected: Backdoor.Win32.Frauder.ee 1
C:\WINDOWS\Temp\ses12.tmp Infected: Backdoor.Win32.Frauder.ee 1
G:\Program Files\Navnt\Quarantine\03125677.doc Infected: Virus.MSWord.Class.q 1
G:\Program Files\Navnt\Quarantine\051D566D.doc Infected: Virus.MSWord.Class.q 1
G:\Program Files\Navnt\Quarantine\0FA10220.doc Infected: Virus.MSWord.Class.q 1
G:\Program Files\Navnt\Quarantine\252712A6.doc Infected: Virus.MSWord.Class.q 1
G:\Program Files\Navnt\Quarantine\2B045684.doc Infected: Virus.MSWord.Class.q 1
G:\Program Files\Navnt\Quarantine\2D0F567B.doc Infected: Virus.MSWord.Class.q 1
G:\Program Files\Navnt\Quarantine\2F195671.doc Infected: Virus.MSWord.Class.q 1
G:\Program Files\Navnt\Quarantine\31A13C58.doc Infected: Virus.MSWord.Class.q 1
G:\Program Files\Navnt\Quarantine\43D5633B.doc Infected: Virus.MSWord.Class.q 1
G:\Program Files\Navnt\Quarantine\59165674.doc Infected: Virus.MSWord.Class.q 1
G:\Program Files\Navnt\Quarantine\5E39089E.EXE Infected: Email-Worm.Win32.Magistr.a 1
G:\Program Files\Navnt\Quarantine\6DA047E8.doc Infected: Virus.MSWord.Class.q 1

The selected area was scanned.


Malwarebytes' Anti-Malware 1.28
Database version: 1138
Windows 5.1.2600 Service Pack 2

9/11/2008 8:29:22 AM
mbam-log-2008-09-11 (08-29-22).txt

Scan type: Quick Scan
Objects scanned: 56799
Time elapsed: 15 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 13
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e30ac01-99d7-4e9c-b13e-94e1701b0ac9} (Adware.EGDAccess) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8f0a06f6-df4d-4d54-b8ca-e8eedbae6ddb} (Adware.EGDAccess) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcvnpj0egdg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhcrnpj0egdg (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\rhcrnpj0egdg (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\rburle\Application Data\rhcrnpj0egdg (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\rburle\Application Data\rhcrnpj0egdg\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\rburle\Application Data\rhcrnpj0egdg\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\rburle\Application Data\rhcrnpj0egdg\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\rburle\Application Data\rhcrnpj0egdg\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\rburle\Application Data\rhcrnpj0egdg\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\rburle\Application Data\rhcrnpj0egdg\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\rburle\Application Data\rhcrnpj0egdg\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\rburle\Application Data\rhcrnpj0egdg\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\rburle\Application Data\rhcrnpj0egdg\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\rburle\Application Data\rhcrnpj0egdg\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\blphcvnpj0egdg.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\rhcrnpj0egdg\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrnpj0egdg\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrnpj0egdg\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrnpj0egdg\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrnpj0egdg\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrnpj0egdg\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrnpj0egdg\rhcrnpj0egdg.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrnpj0egdg\rhcrnpj0egdg.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrnpj0egdg\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\model.dat (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LDPackage.dll (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rlph.dll (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcvnpj0egdg.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcvnpj0egdg.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\rburle\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\rburle\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


ComboFix 08-09-10.04 - rburle 2008-09-11 9:01:33.1 - NTFSx86
Running from: C:\Documents and Settings\rburle\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\rburle\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\rburle\err.log
C:\Documents and Settings\rburle\My Documents\Online Security Guide.url
C:\WA6P
C:\WINDOWS\mcroso~1.net
C:\WINDOWS\sasent.dll
C:\WINDOWS\system32\_004321_.tmp.dll
C:\WINDOWS\system32\_004322_.tmp.dll
C:\WINDOWS\system32\_004323_.tmp.dll
C:\WINDOWS\system32\_004324_.tmp.dll
C:\WINDOWS\system32\_004331_.tmp.dll
C:\WINDOWS\system32\_004332_.tmp.dll
C:\WINDOWS\system32\_004333_.tmp.dll
C:\WINDOWS\system32\_004334_.tmp.dll
C:\WINDOWS\system32\_004336_.tmp.dll
C:\WINDOWS\system32\_004337_.tmp.dll
C:\WINDOWS\system32\_004846_.tmp.dll
C:\WINDOWS\system32\_004852_.tmp.dll
C:\WINDOWS\system32\_005008_.tmp.dll
C:\WINDOWS\system32\_005009_.tmp.dll
C:\WINDOWS\system32\_005010_.tmp.dll
C:\WINDOWS\system32\_005011_.tmp.dll
C:\WINDOWS\system32\_005018_.tmp.dll
C:\WINDOWS\system32\_005019_.tmp.dll
C:\WINDOWS\system32\_005020_.tmp.dll
C:\WINDOWS\system32\_005022_.tmp.dll
C:\WINDOWS\system32\_005023_.tmp.dll
C:\WINDOWS\system32\_005026_.tmp.dll
C:\WINDOWS\system32\_005027_.tmp.dll
C:\WINDOWS\system32\_005029_.tmp.dll
C:\WINDOWS\system32\_005030_.tmp.dll
C:\WINDOWS\system32\_005031_.tmp.dll
C:\WINDOWS\system32\_005033_.tmp.dll
C:\WINDOWS\system32\_005034_.tmp.dll
C:\WINDOWS\system32\_005036_.tmp.dll
C:\WINDOWS\system32\_005040_.tmp.dll
C:\WINDOWS\system32\_005041_.tmp.dll
C:\WINDOWS\system32\_005043_.tmp.dll
C:\WINDOWS\system32\_005044_.tmp.dll
C:\WINDOWS\system32\_005046_.tmp.dll
C:\WINDOWS\system32\_005048_.tmp.dll
C:\WINDOWS\system32\_005049_.tmp.dll
C:\WINDOWS\system32\_005050_.tmp.dll
C:\WINDOWS\system32\_005051_.tmp.dll
C:\WINDOWS\system32\_005054_.tmp.dll
C:\WINDOWS\system32\_005056_.tmp.dll
C:\WINDOWS\system32\_005057_.tmp.dll
C:\WINDOWS\system32\_005058_.tmp.dll
C:\WINDOWS\system32\_005062_.tmp.dll
C:\WINDOWS\system32\_005064_.tmp.dll
C:\WINDOWS\system32\blphcvnpj0egdg.scr
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\curity~1
C:\WINDOWS\system32\dao350.dll
C:\WINDOWS\system32\drivers\Glq84.sys
C:\WINDOWS\system32\lphcvnpj0egdg.exe
C:\WINDOWS\system32\phcvnpj0egdg.bmp
C:\WINDOWS\temp\perflib_perfdata_1cc.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN
-------\Legacy_GLQ84
-------\Legacy_SYSREST.SYS
-------\Legacy_TCPSR
-------\Legacy_VSPF
-------\Legacy_VSPF_HK
-------\Service_Glq84


((((((((((((((((((((((((( Files Created from 2008-08-11 to 2008-09-11 )))))))))))))))))))))))))))))))
.

2008-09-11 07:43 . 2008-09-11 07:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-11 07:43 . 2008-09-11 07:43 <DIR> d-------- C:\Documents and Settings\rburle\Application Data\Malwarebytes
2008-09-11 07:43 . 2008-09-11 07:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-11 07:43 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-11 07:43 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-09 15:12 . 2008-09-09 08:51 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-09 14:39 . 2008-09-09 14:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-09 11:41 . 2008-09-09 11:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-09 11:41 . 2008-09-09 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-09 10:58 . 2008-09-09 11:33 1,984 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-09 10:31 . 2008-09-09 10:32 <DIR> d-------- C:\Program Files\CCleaner
2008-09-09 10:26 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-09-09 10:26 . 2004-08-04 07:00 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2008-09-09 08:51 . 2008-09-09 15:12 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-09-09 08:50 . 2005-04-13 03:48 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-09-09 08:41 . 2008-09-09 08:50 <DIR> d-------- C:\Program Files\Java
2008-09-09 08:38 . 2008-09-09 08:38 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-09 08:37 . 2008-09-09 08:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-09-09 08:35 . 2008-09-11 08:34 21,504 --a------ C:\WINDOWS\system32\bnguql32.dll
2008-09-09 08:08 . 2008-09-09 08:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-08 14:32 . 2008-09-08 14:32 164 --a------ C:\install.dat
2008-09-05 08:57 . 2008-09-08 16:15 5,680 --a------ C:\WINDOWS\system32\drivers\psntkd20.sys
2008-09-05 07:39 . 2008-09-10 08:13 21,504 --a------ C:\WINDOWS\system32\bnguql.dll
2008-09-04 01:00 . 2008-09-04 01:00 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-09-04 01:00 . 2008-09-04 01:00 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-08-12 16:32 . 2008-05-01 09:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-11 13:36 --------- d-----w C:\Program Files\BHODemon 2
2008-09-10 13:12 --------- d-----w C:\Program Files\Google
2008-09-09 19:39 --------- d-----w C:\Program Files\Lavasoft
2008-09-09 19:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-09 15:31 --------- d-----w C:\Program Files\Yahoo!
2008-09-09 12:52 67,645 ----a-w C:\WINDOWS\system32\drivers\pshook11.sys
2008-09-08 18:26 --------- d-----w C:\Program Files\INAC
2008-09-05 15:36 --------- d-----w C:\Program Files\No Trace
2008-08-07 20:52 --------- d-----w C:\Program Files\Common Files\L&H
2008-08-07 20:51 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-31 08:26 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-24 19:21 --------- d-----w C:\Program Files\TrojanHunter 5.0
2008-07-24 19:19 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-07-23 20:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-23 14:08 --------- d-----w C:\Program Files\Enigma Software Group
2007-12-21 15:01 36,864 ----a-w C:\Documents and Settings\rburle\atwbxdet.dll
2007-12-14 21:01 112,592 ----a-w C:\Documents and Settings\rburle\Application Data\GDIPFONTCACHEV1.DAT
2006-08-02 19:51 202,920 ----a-w C:\Program Files\Western Hideaway.jpg
2005-11-28 16:13 20,921,040 ----a-w C:\Program Files\AdbeRdr705_enu_full.exe
2005-11-28 16:09 7,050,552 ----a-w C:\Program Files\psa30se_en_us.exe
2005-11-28 16:08 762,512 ----a-w C:\Program Files\ytb612_efgsip.exe
2004-06-09 13:55 0 ----a-w C:\Documents and Settings\rburle\Application Data\wklnhst.dat
2003-12-02 18:08 125 ----a-w C:\Program Files\Readme.txt
2003-09-11 20:52 302,249 ----a-w C:\Program Files\Animusic-PipeDream-800.jpg
2003-09-11 20:52 260,800 ----a-w C:\Program Files\Animusic-StickFigures-800.jpg
2003-09-11 20:51 274,558 ----a-w C:\Program Files\Animusic-DrumMachine-800.jpg
2003-09-11 20:51 250,215 ----a-w C:\Program Files\Animusic-HarmonicVoltage-800.jpg
2003-09-11 20:51 227,725 ----a-w C:\Program Files\Animusic-FutureRetro-800.jpg
2003-09-11 20:50 224,358 ----a-w C:\Program Files\Animusic-AquaHarp-800.jpg
2003-09-11 20:49 378,127 ----a-w C:\Program Files\Animusic-AcousticCurves-800.jpg
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-29 67128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"lphcvnpj0egdg"="C:\WINDOWS\system32\lphcvnpj0egdg.exe" [2008-09-11 203776]
"inrhcrnpj0egdg"="C:\WINDOWS\Temp\.tt7.tmp.exe" [2008-09-11 1612496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-29 67128]

C:\Documents and Settings\rburle\Start Menu\Programs\Startup\
BHODemon 2.0.lnk - C:\Program Files\BHODemon 2\BHODemon.exe [2005-02-12 778240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bnguql]
2008-09-11 08:34 21504 C:\WINDOWS\system32\bnguql32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-04-10 16:44 679936 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-10-19 08:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-10-19 08:59 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-10-13 17:04 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcvnpj0egdg]
--a------ 2008-09-11 09:25 203776 C:\WINDOWS\system32\lphcvnpj0egdg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-10-21 08:43 53248 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2003-10-21 08:43 118784 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoTrace]
--------- 2006-06-30 07:29 1223168 C:\Program Files\No Trace\NoTrace2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-11-01 09:19 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-25 09:24 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinfernoUpdate]
--a------ 2007-01-09 14:04 1482752 C:\Program Files\Common Files\Winferno\WSCUpdtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2003-12-01 12:38 892928 C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-11-07 04:50 19968 C:\WINDOWS\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"W32Time"=2 (0x2)
"iPodService"=3 (0x3)
"SimpTcp"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0x00000000"
"AntiVirusDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\BHODemon 2\\BHODemon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2003-10-12 143360]
R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 53248]
S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2003-04-07 151552]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 SBRE;SBRE;C:\WINDOWS\system32\drivers\SBREdrv.sys [ ]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;C:\Documents and Settings\rburle\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [2007-12-12 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
HKCU-Run-SpeedItUpEX - C:\Program Files\SpeedItUpExtreme\SpeedItUpEx.exe
HKCU-Run-PC Digital Safe - C:\Program Files\PC Digital Safe\PcDigitalSafe.exe
HKCU-Run-CyberDefender Early Detection Center - C:\Program Files\CyberDefender\AntiSpyware\cdase3.exe
MSConfigStartUp-MCAgentExe - c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-McRegWiz - C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe
MSConfigStartUp-MCUpdateExe - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-Microsoft Works Update Detection - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
MSConfigStartUp-Spyware remover - C:\WINDOWS\Remove_spyware.exe
MSConfigStartUp-SWN2 - C:\Program Files\Spyware Nuker\swnxt.exe
MSConfigStartUp-sysrest32 - C:\WINDOWS\system32\sysrest32.exe
MSConfigStartUp-YBrowser - C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
MSConfigStartUp-buritos - buritos.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\rburle\Application Data\Mozilla\Firefox\Profiles\su9yvmfk.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.
.
------- File Associations (Beta) -------
.
inffile=blank
inifile=blank
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-11 09:22:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\phcvnpj0egdg.bmp 625208 bytes
C:\WINDOWS\system32\lphcvnpj0egdg.exe 203776 bytes executable
C:\WINDOWS\system32\blphcvnpj0egdg.scr 118784 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\bnguql32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Temp\hgk3.tmp
C:\WINDOWS\Temp\.tt7.tmp
.
**************************************************************************
.
Completion time: 2008-09-11 9:33:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-11 14:33:09

Pre-Run: 14,308,896,768 bytes free
Post-Run: 14,311,903,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

302 --- E O F --- 2008-08-13 08:19:35


Also.....BHODemon is downloaded and running on this machine and I can not figure out how to delete it. It does not show up in ADD/Remove Programs. Can you help on that too?

Keith
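The "Reg Loading Points" section of a log like the one above is where a helper looks first: Run values that launch from a Temp directory or carry a random-looking name, a DLL registered under Winlogon\Notify (the log's "DLLs Loaded Under Running Processes" section shows it inside winlogon.exe), and a standard-profile firewall set to 0. The script below automates that first pass. It is an added example for this thread, not code from ComboFix, HijackThis, BleepingComputer or the posters; the sample input is a constructed subset of the log lines posted above, and the "random name" heuristic is an assumption of this example, not a rule any of the tools apply.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix-style log.

Added example for this thread; it is not ComboFix, HijackThis or BleepingComputer
code. It reads autostart lines in the format shown in the log above and flags the
entries a malware-removal helper checks first: Run values that launch something
from a Temp directory or carry a machine-generated looking name, DLLs registered
under Winlogon\\Notify (loaded into winlogon.exe at logon), and a disabled
Windows Firewall standard profile.
"""
import ntpath          # Windows path handling, so the script also runs on Linux/macOS
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a subset of the lines from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"lphcvnpj0egdg"="C:\WINDOWS\system32\lphcvnpj0egdg.exe" [2008-09-11 203776]
"inrhcrnpj0egdg"="C:\WINDOWS\Temp\.tt7.tmp.exe" [2008-09-11 1612496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bnguql]
2008-09-11 08:34 21504 C:\WINDOWS\system32\bnguql32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# "Name"="path" [yyyy-mm-dd size]  -- the Run value format ComboFix prints
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[\d{4}-\d\d-\d\d \d+\]')
# yyyy-mm-dd hh:mm size path.dll   -- the Winlogon Notify entry format
NOTIFY_DLL = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d \d+ (\S.*\.dll)$', re.IGNORECASE)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
# Heuristic (assumption of this example): 10+ lowercase letters/digits including
# at least one digit, e.g. lphcvnpj0egdg, is rarely a human-chosen name.
RANDOM_NAME = re.compile(r'^(?=.*\d)[a-z0-9]{10,}$')


@dataclass
class Finding:
    key: str                 # registry key the entry was listed under
    name: str                # value name, DLL file name or setting name
    path: str                # launched file, DLL path or setting value
    reasons: List[str] = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Apply the random-name heuristic to a value name or file stem."""
    return bool(RANDOM_NAME.match(name.lower()))


def triage(log_text: str) -> List[Finding]:
    """Walk the log, tracking the current [key], and collect suspicious entries."""
    findings: List[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]              # new registry key section
            continue
        key_lc = key.lower()
        if key_lc.endswith("\\currentversion\\run"):
            m = RUN_VALUE.match(line)
            if not m:
                continue
            name, path = m.group(1), m.group(2)
            reasons = []
            if "\\temp\\" in path.lower():
                reasons.append("executable launched from a Temp directory")
            stem = ntpath.splitext(ntpath.basename(path))[0]
            if looks_random(name) or looks_random(stem):
                reasons.append("machine-generated looking name")
            if reasons:
                findings.append(Finding(key, name, path, reasons))
        elif "\\winlogon\\notify\\" in key_lc:
            m = NOTIFY_DLL.match(line)
            if m:
                dll = m.group(1)
                findings.append(Finding(key, ntpath.basename(dll), dll,
                                        ["Winlogon\\Notify DLL loads into winlogon.exe at logon"]))
        elif key_lc.endswith("\\firewallpolicy\\standardprofile"):
            if FIREWALL_OFF.match(line):
                findings.append(Finding(key, "EnableFirewall", "0",
                                        ["Windows Firewall disabled for the standard profile"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample it reports the two Run values (lphcvnpj0egdg and the Temp-launched inrhcrnpj0egdg), the bnguql32.dll Notify entry and the disabled firewall, while the legitimate SunJavaUpdateSched value passes; the heuristics only prioritise what to look at, the decision still rests with the person reading the log.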

#4 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:07:52 AM

Posted 11 September 2008 - 04:48 PM

HI Keith

Installing and Uninstalling bhodemon :-

http://www.definitivesolutions.com/files/bhodemon20help.html

To uninstall BHODemon, use the Windows Control Panel 'Add/Remove Programs' applet, as usual.

If it isn't in Add/Remove Programs as it's supposed to be, please have a look in this folder and post a list of the files in the folder :-

C:\Program Files\BHODemon 2 ( don't delete anything...)

To stop the program running at startup, run hijackthis & place a checkmark next to this entry :-

O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe

Click "fix checked" ... the next time you reboot BHODemon will not be running ...

-
Please empty/delete the contents of these Quarantine\ folders

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\

C:\Program Files\Microsoft AntiSpyware\Quarantine

G:\Program Files\Navnt\Quarantine

THEN because the programs you ran have found & deleted so much malware, please run all 3 again & post new logs, so that I can see exactly what still remains to be removed ...

Also after running the programs again, please run hijackthis & post a new log ...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#5 keithaw1

keithaw1
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:52 AM

Posted 11 September 2008 - 06:28 PM

Thank you for all your help.....I may try to get to this by tomorrow. We shut down our office this afternoon as Hurricane Ike approaches (we are in Houston). I have shut down, powered off and totally unplugged all computers, Servers and Telephone system equipment and covered them in plastic sheeting. We are taking no chances as we are a Telecom/VoIP company and our Customer Support comes second only to our Employees' safety. Depending on the weather tomorrow (Friday), I may go in and work on this problem PC only. More than likely it will be Monday before I post these for you unless Kaspersky goes faster and I can bring our Gateway/Firewall back up long enough to post. I will follow all procedures like before as my Boss is going crazy without full use of his PC and is driving me nutz. Until then..................

Cheers,
Keith

#6 keithaw1

keithaw1
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:52 AM

Posted 12 September 2008 - 09:56 AM

I have come in this morning and fired up his PC and the darn XP Antivirus 2008 Install window came up. You have to go to Task Manager and kill the process to get rid of this Installer as the only option is to Install. Anyway, I will re-run Kaspersky, MBAM and Combofix and post the results of each.

#7 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:07:52 AM

Posted 12 September 2008 - 11:33 AM

HI Keith

A couple of other things to do ...

You are running an out-of-date version of java

Go to add/remove programs and uninstall any earlier versions ... in your case :-

jre1.5.0_03

Then you can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 7' and press the 'Download' button.


Running an out-of-date version of java is an infection risk, as they can be exploited by malware.


ALSO... clean out temp/temporary internet files ...

Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

doubleclick the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs
(leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRU's
(leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm

...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#8 keithaw1

keithaw1
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:52 AM

Posted 12 September 2008 - 02:26 PM

Here are the 3 results after re-running Kaspersky, MBAM and Combofix.....................Please let me know ASAP so I can get out of this office and get home before the Hurricane comes in......I hope I can wait until your reply.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, September 12, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, September 12, 2008 15:10:00
Records in database: 1217834
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 51144
Threat name: 26
Infected objects: 66
Suspicious objects: 0
Duration of the scan: 01:22:44


File name / Threat name / Threats count
C:\WINDOWS\system32\bnguql32.dll/C:\WINDOWS\system32\bnguql32.dll Infected: Backdoor.Win32.Hijack.d 1
C:\WINDOWS\system32\lphcvnpj0egdg.exe/C:\WINDOWS\system32\lphcvnpj0egdg.exe Infected: Backdoor.Win32.Frauder.ee 1
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\rburle\Local Settings\temp\.tt7.tmp Infected: not-a-virus:FraudTool.Win32.XPAntivirus.rs 1
C:\Documents and Settings\rburle\Local Settings\temp\.tt7.tmp.exe Infected: not-a-virus:FraudTool.Win32.XPAntivirus.rs 1
C:\Documents and Settings\rburle\My Documents\classicalhummingbird.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Documents and Settings\rburle\My Documents\classicalhummingbird.exe Infected: Trojan-Downloader.Win32.Wren.d 1
C:\Documents and Settings\rburle\My Documents\screensaversinstaller.exe Infected: not-a-virus:AdWare.Win32.Comet.bc 1
C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.d 1
C:\QooBox\Quarantine\C\WINDOWS\sasent.dll.vir Infected: Trojan.Win32.Dialer.bi 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lphcvnpj0egdg.exe.vir Infected: Backdoor.Win32.Frauder.ee 1
C:\QooBox\Quarantine\catchme2008-09-11_ 90717.89.zip Infected: Rootkit.Win32.Agent.cmo 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc29\99E48E44-70CD-4ACC-B7AA-991C0A Infected: not-a-virus:AdWare.Win32.180Solutions.ao 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc34.bac_a00236 Infected: Trojan.Win32.KillAV.agz 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc38.bac_a00236 Infected: Backdoor.Win32.Agent.pnt 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc42.bac_a00236 Infected: Trojan.Win32.KillAV.agz 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc53.bac_a00236 Infected: Trojan-Mailfinder.Win32.Agent.mm 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc54.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc55.bac_a00236 Infected: Trojan.Win32.Dialer.bi 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc56.bac_a00236 Infected: Backdoor.Win32.UltimateDefender.a 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc57.bac_a00236 Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.t 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc58.bac_a00236 Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.t 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc59.bac_a00236 Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.af 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc60.bac_a00236 Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.af 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc62.bac_a00236 Infected: Trojan.Win32.Crypt.os 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc63.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc64.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc66.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc67.bac_a00236 Infected: Trojan.Win32.Crypt.os 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc68.bac_a00236 Infected: Trojan.Win32.Crypt.os 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc69.bac_a00236 Infected: Trojan.Win32.Crypt.os 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc70.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc71.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc72.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc73.bac_a00236 Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.p 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc74.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc75.bac_a00236 Infected: Backdoor.Win32.Small.eug 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc76.bac_a00236 Infected: Hoax.Win32.Renos.vaws 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc77.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc78.bac_a00236 Infected: not-a-virus:FraudTool.Win32.XPAntivirus.qj 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc79.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc80.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc81.bac_a00236 Infected: Hoax.Win32.Renos.vaws 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc82.bac_a00236 Infected: Hoax.Win32.Renos.vaws 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc83.bac_a00236 Infected: Trojan-Spy.Win32.Zbot.epz 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc84.bac_a00236 Infected: Backdoor.Win32.Frauder.bf 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc85.bac_a00236 Infected: Backdoor.Win32.Frauder.bf 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc86.bac_a00236 Infected: Backdoor.Win32.Frauder.bf 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc87.bac_a00236 Infected: Hoax.Win32.Renos.vaws 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc88.bac_a00236 Infected: Hoax.Win32.Renos.vaws 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc89.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc90.bac_a00236 Infected: Backdoor.Win32.Frauder.bf 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc91.bac_a00236 Infected: Trojan.Win32.KillAV.agz 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc92.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc93.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc94.bac_a00236 Infected: Trojan-Spy.Win32.Zbot.epz 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc95.bac_a00236 Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.p 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc96.bac_a00236 Infected: Worm.Win32.AutoRun.luy 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc97.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\RECYCLER\S-1-5-21-90728321-1170230348-2076119496-1001\Dc98.bac_a00236 Infected: Backdoor.Win32.Frauder.dk 1
C:\WINDOWS\system32\bnguql.dll Infected: Backdoor.Win32.Hijack.d 1
C:\WINDOWS\system32\bnguql32.dll Infected: Backdoor.Win32.Hijack.d 1
C:\WINDOWS\system32\lphcvnpj0egdg.exe Infected: Backdoor.Win32.Frauder.ee 1
C:\WINDOWS\Temp\.tt7.tmp Infected: not-a-virus:FraudTool.Win32.XPAntivirus.rs 1
C:\WINDOWS\Temp\ipaC.tmp Infected: Backdoor.Win32.Frauder.ee 1

The selected area was scanned.



Malwarebytes' Anti-Malware 1.28
Database version: 1138
Windows 5.1.2600 Service Pack 2

2008-09-12 14:01:07
mbam-log-2008-09-12 (14-01-07).txt

Scan type: Quick Scan
Objects scanned: 54802
Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
C:\WINDOWS\system32\lphcvnpj0egdg.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\blphcvnpj0egdg.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhcrnpj0egdg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\blphcvnpj0egdg.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcvnpj0egdg.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcvnpj0egdg.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\rburle\Local Settings\temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\rburle\Local Settings\temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\rburle\Local Settings\temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


ComboFix 08-09-11.02 - rburle 2008-09-12 14:07:05.2 - NTFSx86
Running from: C:\Documents and Settings\rburle\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\blphcvnpj0egdg.scr
C:\WINDOWS\system32\lphcvnpj0egdg.exe
C:\WINDOWS\system32\phcvnpj0egdg.bmp

.
((((((((((((((((((((((((( Files Created from 2008-08-12 to 2008-09-12 )))))))))))))))))))))))))))))))
.

2008-09-11 07:43 . 2008-09-11 07:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-11 07:43 . 2008-09-11 07:43 <DIR> d-------- C:\Documents and Settings\rburle\Application Data\Malwarebytes
2008-09-11 07:43 . 2008-09-11 07:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-11 07:43 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-11 07:43 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-09 15:12 . 2008-09-09 08:51 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-09 14:39 . 2008-09-09 14:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-09 11:41 . 2008-09-09 11:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-09 11:41 . 2008-09-09 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-09 10:58 . 2008-09-09 11:33 1,984 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-09 10:31 . 2008-09-09 10:32 <DIR> d-------- C:\Program Files\CCleaner
2008-09-09 10:26 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-09-09 10:26 . 2004-08-04 07:00 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2008-09-09 08:51 . 2008-09-09 15:12 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-09-09 08:50 . 2005-04-13 03:48 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-09-09 08:41 . 2008-09-09 08:50 <DIR> d-------- C:\Program Files\Java
2008-09-09 08:38 . 2008-09-09 08:38 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-09 08:37 . 2008-09-09 08:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-09-09 08:35 . 2008-09-11 08:34 21,504 --a------ C:\WINDOWS\system32\bnguql32.dll
2008-09-09 08:08 . 2008-09-09 08:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-08 14:32 . 2008-09-08 14:32 164 --a------ C:\install.dat
2008-09-05 08:57 . 2008-09-08 16:15 5,680 --a------ C:\WINDOWS\system32\drivers\psntkd20.sys
2008-09-05 07:39 . 2008-09-10 08:13 21,504 --a------ C:\WINDOWS\system32\bnguql.dll
2008-09-04 01:00 . 2008-09-04 01:00 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-09-04 01:00 . 2008-09-04 01:00 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-08-12 16:32 . 2008-05-01 09:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-10 13:12 --------- d-----w C:\Program Files\Google
2008-09-09 19:39 --------- d-----w C:\Program Files\Lavasoft
2008-09-09 19:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-09 15:31 --------- d-----w C:\Program Files\Yahoo!
2008-09-09 12:52 67,645 ----a-w C:\WINDOWS\system32\drivers\pshook11.sys
2008-09-08 18:26 --------- d-----w C:\Program Files\INAC
2008-09-05 15:36 --------- d-----w C:\Program Files\No Trace
2008-08-07 20:52 --------- d-----w C:\Program Files\Common Files\L&H
2008-08-07 20:51 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-31 08:26 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-24 19:21 --------- d-----w C:\Program Files\TrojanHunter 5.0
2008-07-24 19:19 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-07-23 20:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-23 14:08 --------- d-----w C:\Program Files\Enigma Software Group
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2007-12-21 15:01 36,864 ----a-w C:\Documents and Settings\rburle\atwbxdet.dll
2007-12-14 21:01 112,592 ----a-w C:\Documents and Settings\rburle\Application Data\GDIPFONTCACHEV1.DAT
2006-08-02 19:51 202,920 ----a-w C:\Program Files\Western Hideaway.jpg
2005-11-28 16:13 20,921,040 ----a-w C:\Program Files\AdbeRdr705_enu_full.exe
2005-11-28 16:09 7,050,552 ----a-w C:\Program Files\psa30se_en_us.exe
2005-11-28 16:08 762,512 ----a-w C:\Program Files\ytb612_efgsip.exe
2004-06-09 13:55 0 ----a-w C:\Documents and Settings\rburle\Application Data\wklnhst.dat
2003-12-02 18:08 125 ----a-w C:\Program Files\Readme.txt
2003-09-11 20:52 302,249 ----a-w C:\Program Files\Animusic-PipeDream-800.jpg
2003-09-11 20:52 260,800 ----a-w C:\Program Files\Animusic-StickFigures-800.jpg
2003-09-11 20:51 274,558 ----a-w C:\Program Files\Animusic-DrumMachine-800.jpg
2003-09-11 20:51 250,215 ----a-w C:\Program Files\Animusic-HarmonicVoltage-800.jpg
2003-09-11 20:51 227,725 ----a-w C:\Program Files\Animusic-FutureRetro-800.jpg
2003-09-11 20:50 224,358 ----a-w C:\Program Files\Animusic-AquaHarp-800.jpg
2003-09-11 20:49 378,127 ----a-w C:\Program Files\Animusic-AcousticCurves-800.jpg
.

((((((((((((((((((((((((((((( snapshot@2008-09-11_ 9.32.42.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-11 14:13:57 224,264 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-09-12 19:06:22 224,265 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-09-12 19:03:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_784.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-29 67128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-29 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bnguql]
2008-09-11 08:34 21504 C:\WINDOWS\system32\bnguql32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-04-10 16:44 679936 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-10-19 08:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-10-19 08:59 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-10-13 17:04 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-10-21 08:43 53248 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2003-10-21 08:43 118784 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoTrace]
--------- 2006-06-30 07:29 1223168 C:\Program Files\No Trace\NoTrace2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-11-01 09:19 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-25 09:24 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinfernoUpdate]
--a------ 2007-01-09 14:04 1482752 C:\Program Files\Common Files\Winferno\WSCUpdtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2003-12-01 12:38 892928 C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-11-07 04:50 19968 C:\WINDOWS\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"W32Time"=2 (0x2)
"iPodService"=3 (0x3)
"SimpTcp"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0x00000000"
"AntiVirusDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2003-10-12 143360]
R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 53248]
S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2003-04-07 151552]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 SBRE;SBRE;C:\WINDOWS\system32\drivers\SBREdrv.sys [ ]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;C:\Documents and Settings\rburle\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [2007-12-12 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-lphcvnpj0egdg - C:\WINDOWS\system32\lphcvnpj0egdg.exe
MSConfigStartUp-lphcvnpj0egdg - C:\WINDOWS\system32\lphcvnpj0egdg.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\rburle\Application Data\Mozilla\Firefox\Profiles\su9yvmfk.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.
.
------- File Associations (Beta) -------
.
inffile=blank
inifile=blank
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-12 14:11:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\bnguql32.dll
.
Completion time: 2008-09-12 14:18:35
ComboFix-quarantined-files.txt 2008-09-12 19:18:30
ComboFix2.txt 2008-09-11 14:33:15

Pre-Run: 14,251,364,352 bytes free
Post-Run: 14,289,776,640 bytes free

217 --- E O F --- 2008-08-13 08:19:35
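The ComboFix log above shows the persistence worth noticing on this machine: a Winlogon Notify package (bnguql) whose DLL is loaded inside winlogon.exe, the two display-policy values MBAM reported as Hijack.DisplayProperties, and the firewall profile switched off. As an added example, not part of the thread or of ComboFix itself, this Python script parses those sections of a ComboFix log and lists them as findings; the sample log is a constructed excerpt of the output posted above.

```python
"""Triage the "Reg Loading Points" and "DLLs Loaded" sections of a ComboFix log.

Added example for this thread, not ComboFix's own code. ComboFix hides the
legitimate default Notify packages, so any Winlogon Notify key it lists
merits review; the other rules match the display-policy hijack, the disabled
firewall profile and the DLL loaded inside winlogon.exe shown above.
"""
import re
from collections import namedtuple

# Constructed excerpt of the ComboFix output posted above (same values, trimmed).
SAMPLE_LOG = r"""REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bnguql]
2008-09-11 08:34 21504 C:\WINDOWS\system32\bnguql32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\bnguql32.dll
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
DLL_MARKER = "DLLs Loaded Under Running Processes"
# Policy values that hide Display Properties tabs (MBAM above reports the
# first two as Hijack.DisplayProperties).
DISPLAY_POLICIES = {"NoDispBackgroundPage", "NoDispScrSavPage", "NoDispCPL",
                    "NoDispAppearancePage", "NoDispSettingsPage"}

Finding = namedtuple("Finding", "rule where detail")


def parse_reg_sections(text):
    """Map each [key] header of the REGEDIT4 block to its non-empty lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if DLL_MARKER in line:
            break
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def parse_loaded_dlls(text):
    """Map each 'PROCESS:' path to the '->' DLL lines listed under it."""
    loaded, proc, active = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if DLL_MARKER in line:
            active = True
        elif active and line.startswith("PROCESS:"):
            proc = line.split(":", 1)[1].strip()
            loaded[proc] = []
        elif active and proc and line.startswith("->"):
            loaded[proc].append(line[2:].strip())
    return loaded


def _value_is(lines, name, first_token):
    """True if a '"name"= value' line exists whose value starts with first_token."""
    for line in lines:
        m = VALUE_RE.match(line)
        if m and m.group("name") == name and m.group("value").split()[:1] == [first_token]:
            return True
    return False


def triage(text):
    """Return the list of Findings for one ComboFix log."""
    findings = []
    for key, lines in parse_reg_sections(text).items():
        low = key.lower()
        if "winlogon\\notify\\" in low:
            pkg = key.rsplit("\\", 1)[1]
            findings.append(Finding("winlogon-notify", key, pkg + ": " + " | ".join(lines)))
        elif low.endswith("policies\\system"):
            for name in sorted(DISPLAY_POLICIES):
                if _value_is(lines, name, "1"):
                    findings.append(Finding("display-policy-hijack", key, name + " = 1"))
        elif low.endswith("firewallpolicy\\standardprofile"):
            if _value_is(lines, "EnableFirewall", "0"):
                findings.append(Finding("firewall-disabled", key, "EnableFirewall = 0"))
    for proc, dlls in parse_loaded_dlls(text).items():
        if proc.lower().endswith("\\winlogon.exe"):
            findings.extend(Finding("dll-in-winlogon", proc, dll) for dll in dlls)
    return findings
```

Run `triage(open("ComboFix.txt").read())` on a full log; each Finding carries the rule name, the key or process it came from, and the offending line.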

#9 steamwiz

  • Members
  • 1,039 posts

Posted 12 September 2008 - 02:53 PM

Hi

It is better, but it is going to take several more posts by both of us to remove all this ... you still have a severely compromised computer, I suggest you make your way home safely now ...

I will post some more instructions shortly, you can reply when you get back after the hurricane has passed :thumbsup:

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#10 keithaw1

  • Topic Starter
  • Members
  • 22 posts

Posted 12 September 2008 - 03:01 PM

Thanks.......I will monitor this thread as much as possible from home.....I will log him out and finish all my power downs and get out. We should be back in operation Monday morning and I need to get back on this to get him back to work. Thanks for ALL you guys' help!!!!!

Keith

#11 steamwiz

  • Members
  • 1,039 posts

Posted 12 September 2008 - 04:34 PM

Hi

Please do the following :- in this order ...

1. Please update your Java
2. Run CCleaner as per my last post ...
3. Empty your recycle bin if it's not empty ...
4. ComboFix instructions below

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\bnguql.dll
C:\WINDOWS\system32\bnguql32.dll
C:\WINDOWS\system32\lphcvnpj0egdg.exe
C:\WINDOWS\Temp\.tt7.tmp
C:\WINDOWS\Temp\ipaC.tmp
C:\Documents and Settings\rburle\Local Settings\temp\.tt7.tmp
C:\Documents and Settings\rburle\Local Settings\temp\.tt7.tmp.exe
C:\Documents and Settings\rburle\My Documents\classicalhummingbird.exe
C:\Documents and Settings\rburle\My Documents\screensaversinstaller.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bnguql]


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
[screenshot]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

5. post the ComboFix log
6. post a new HijackThis log
7. run Malwarebytes' Anti-Malware & post the new log
8. Finally post a new KASPERSKY ONLINE SCANNER 7 REPORT

I know this looks like a lot to do, but it is necessary due to the extent of the malware to be removed...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E


#12 keithaw1

  • Topic Starter
  • Members
  • 22 posts

Posted 12 September 2008 - 07:09 PM

No worries.....this does not seem too bad....especially compared to what he has done for the past 2 weeks and what I have done in the past 2~3 days. If I am reading the above correctly, can I safely say this is more than likely due to him downloading unsafe screen savers and generally downloading unsafe items from the Web or via spam emails? I need to be more proactive here.

Cheers
Keith

#13 steamwiz

  • Members
  • 1,039 posts

Posted 13 September 2008 - 03:38 PM

Hi Keith

The classicalhummingbird.exe & screensaversinstaller.exe, which I think is what you refer to, do contain adware, but are not part of the real infection. There is usually no way to know 100% where an infection came from; however, in this case I would bet on a website with a JavaScript exploit, bearing in mind that a lot of these kinds of infections exploit security vulnerabilities in old versions of Java & the Java version on this machine is/was VERY old ... jre1.5.0_03

Java Runtime Environment (JRE) 5.0 Update 16 is the latest version of (JRE) 5.0 ... your update 3 is 13 updates behind ...

However (JRE) 6.0 was brought out nearly 2 years ago & is now up to update 7 itself ...

(JRE) 6.0 is much faster than (JRE) 5.0, so unless you have programs which will not run with (JRE) 6.0 (& I don't actually know of any) you should update to the newer, faster, more secure version, (JRE) 6.0 update 7

I have been seeing the devastation caused by the hurricane on our TV here in the UK, I hope you managed to weather the storm OK yourself :thumbsup:

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E


#14 keithaw1

  • Topic Starter
  • Members
  • 22 posts

Posted 19 September 2008 - 01:23 PM

Sorry for the delay....I am kinda working, but off generators. Will not have full power until middle of next week (I hope). I have gone thru the last instructions this morning and here are the results requested.


CLEANING COMPLETE - (6.395 secs)
------------------------------------------------------------------------------------------
0.97MB removed.
------------------------------------------------------------------------------------------

Details of files deleted
------------------------------------------------------------------------------------------
IE Temporary Internet Files (205 files) 0.93MB
C:\Documents and Settings\rburle\Cookies\rburle@c.msn[1].txt 68 bytes
C:\Documents and Settings\rburle\Cookies\rburle@www.java[1].txt 73 bytes
C:\Documents and Settings\rburle\Cookies\rburle@www.msn[2].txt 532 bytes
C:\Documents and Settings\rburle\Cookies\rburle@live[1].txt 100 bytes
C:\Documents and Settings\rburle\Cookies\rburle@rad.msn[2].txt 680 bytes
C:\Documents and Settings\rburle\Cookies\rburle@sun[1].txt 111 bytes
C:\Documents and Settings\rburle\Cookies\rburle@specificclick[2].txt 562 bytes
C:\Documents and Settings\rburle\Cookies\rburle@msnportal.112.2o7[1].txt 125 bytes
C:\Documents and Settings\rburle\Cookies\rburle@msn[2].txt 328 bytes
Marked for deletion: C:\Documents and Settings\rburle\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Marked for deletion: C:\Documents and Settings\rburle\Cookies\index.dat
Marked for deletion: C:\Documents and Settings\rburle\Local Settings\History\History.IE5\desktop.ini
Marked for deletion: C:\Documents and Settings\rburle\Local Settings\History\History.IE5\index.dat
Marked for deletion: C:\Documents and Settings\rburle\Local Settings\History\History.IE5\MSHist012008091920080920\index.dat
C:\WINDOWS\system32\wbem\Logs\FrameWork.log 259 bytes
C:\WINDOWS\system32\wbem\Logs\wbemess.log 1.30KB
C:\WINDOWS\system32\wbem\Logs\wmiprov.log 67 bytes
C:\WINDOWS\0.log 0 bytes
C:\WINDOWS\Debug\UserMode\userenv.log 16.84KB
C:\Documents and Settings\rburle\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 405 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.080909-1145.log 1.95KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.080909-1247.txt 5.89KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.080909-1250.log 194 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.080909-1301.txt 1.77KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.080909-1304.log 572 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.080909-1403.txt 2.64KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.080912-1512.log 244 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.080912-1517.txt 1.93KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.080909-1247.txt 5.70KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.080909-1406.txt 2.61KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Resident.log 155 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Update downloads.log 1.19KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Statistics.ini 1.89KB
------------------------------------------------------------------------------------------


ComboFix 08-09-16.05 - rburle 2008-09-19 10:39:03.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.55 [GMT -5:00]
Running from: C:\Documents and Settings\rburle\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\rburle\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\blphcvnpj0egdg.scr
C:\WINDOWS\system32\bnguql.dll
C:\WINDOWS\system32\bnguql32.dll
C:\WINDOWS\system32\lphcvnpj0egdg.exe
C:\WINDOWS\system32\phcvnpj0egdg.bmp

.
((((((((((((((((((((((((( Files Created from 2008-08-19 to 2008-09-19 )))))))))))))))))))))))))))))))
.

2008-09-19 10:21 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-19 10:20 . 2008-09-19 10:21 <DIR> d-------- C:\Program Files\Java
2008-09-19 10:17 . 2008-09-19 10:17 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-11 07:43 . 2008-09-11 07:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-11 07:43 . 2008-09-11 07:43 <DIR> d-------- C:\Documents and Settings\rburle\Application Data\Malwarebytes
2008-09-11 07:43 . 2008-09-11 07:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-11 07:43 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-11 07:43 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-09 15:12 . 2008-09-09 08:51 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-09 14:39 . 2008-09-09 14:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-09 11:41 . 2008-09-09 11:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-09 11:41 . 2008-09-19 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-09 10:58 . 2008-09-09 11:33 1,984 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-09 10:31 . 2008-09-09 10:32 <DIR> d-------- C:\Program Files\CCleaner
2008-09-09 10:26 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-09-09 10:26 . 2004-08-04 07:00 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2008-09-09 08:51 . 2008-09-09 15:12 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-09-09 08:37 . 2008-09-09 08:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-09-09 08:08 . 2008-09-09 08:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-08 14:32 . 2008-09-08 14:32 164 --a------ C:\install.dat
2008-09-05 08:57 . 2008-09-08 16:15 5,680 --a------ C:\WINDOWS\system32\drivers\psntkd20.sys
2008-09-04 01:00 . 2008-09-04 01:00 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-09-04 01:00 . 2008-09-04 01:00 0 --a------ C:\WINDOWS\system32\SBFC.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-12 19:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-10 13:12 --------- d-----w C:\Program Files\Google
2008-09-09 15:31 --------- d-----w C:\Program Files\Yahoo!
2008-09-09 12:52 67,645 ----a-w C:\WINDOWS\system32\drivers\pshook11.sys
2008-09-08 18:26 --------- d-----w C:\Program Files\INAC
2008-09-05 15:36 --------- d-----w C:\Program Files\No Trace
2008-08-07 20:52 --------- d-----w C:\Program Files\Common Files\L&H
2008-08-07 20:51 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-31 08:26 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-24 19:21 --------- d-----w C:\Program Files\TrojanHunter 5.0
2008-07-24 19:19 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-07-23 20:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-23 14:08 --------- d-----w C:\Program Files\Enigma Software Group
2007-12-21 15:01 36,864 ----a-w C:\Documents and Settings\rburle\atwbxdet.dll
2007-12-14 21:01 112,592 ----a-w C:\Documents and Settings\rburle\Application Data\GDIPFONTCACHEV1.DAT
2006-08-02 19:51 202,920 ----a-w C:\Program Files\Western Hideaway.jpg
2005-11-28 16:13 20,921,040 ----a-w C:\Program Files\AdbeRdr705_enu_full.exe
2005-11-28 16:09 7,050,552 ----a-w C:\Program Files\psa30se_en_us.exe
2005-11-28 16:08 762,512 ----a-w C:\Program Files\ytb612_efgsip.exe
2004-06-09 13:55 0 ----a-w C:\Documents and Settings\rburle\Application Data\wklnhst.dat
2003-12-02 18:08 125 ----a-w C:\Program Files\Readme.txt
2003-09-11 20:52 302,249 ----a-w C:\Program Files\Animusic-PipeDream-800.jpg
2003-09-11 20:52 260,800 ----a-w C:\Program Files\Animusic-StickFigures-800.jpg
2003-09-11 20:51 274,558 ----a-w C:\Program Files\Animusic-DrumMachine-800.jpg
2003-09-11 20:51 250,215 ----a-w C:\Program Files\Animusic-HarmonicVoltage-800.jpg
2003-09-11 20:51 227,725 ----a-w C:\Program Files\Animusic-FutureRetro-800.jpg
2003-09-11 20:50 224,358 ----a-w C:\Program Files\Animusic-AquaHarp-800.jpg
2003-09-11 20:49 378,127 ----a-w C:\Program Files\Animusic-AcousticCurves-800.jpg
.

((((((((((((((((((((((((((((( snapshot@2008-09-11_ 9.32.42.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-11 13:53:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-19 13:36:53 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-11 13:53:58 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2008-09-19 13:36:53 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2008-09-11 13:53:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-19 15:13:10 360,448 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-19 13:36:53 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091920080920\index.dat
- 2008-09-11 14:13:57 224,264 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-09-19 15:49:19 224,264 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2005-04-13 07:19:56 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 06:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-04-13 07:20:04 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 06:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-04-13 08:48:54 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 07:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-09-19 15:45:24 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_780.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-29 67128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphcvnpj0egdg"="C:\WINDOWS\system32\lphcvnpj0egdg.exe" [BU]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-29 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-04-10 16:44 679936 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-10-19 08:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-10-19 08:59 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-10-13 17:04 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-10-21 08:43 53248 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2003-10-21 08:43 118784 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoTrace]
--------- 2006-06-30 07:29 1223168 C:\Program Files\No Trace\NoTrace2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-11-01 09:19 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-25 09:24 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinfernoUpdate]
--a------ 2007-01-09 14:04 1482752 C:\Program Files\Common Files\Winferno\WSCUpdtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2003-12-01 12:38 892928 C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-11-07 04:50 19968 C:\WINDOWS\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"W32Time"=2 (0x2)
"iPodService"=3 (0x3)
"SimpTcp"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0x00000000"
"AntiVirusDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2003-10-12 143360]
R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 53248]
S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2003-04-07 151552]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 SBRE;SBRE;C:\WINDOWS\system32\drivers\SBREdrv.sys [ ]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;C:\Documents and Settings\rburle\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [2007-12-12 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-19 10:57:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-09-19 11:04:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-19 16:04:49
ComboFix2.txt 2008-09-12 19:18:37
ComboFix3.txt 2008-09-11 14:33:15

Pre-Run: 14,574,174,208 bytes free
Post-Run: 14,568,964,096 bytes free

203 --- E O F --- 2008-08-13 08:19:35



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09, on 2008-09-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Hijack.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [lphcvnpj0egdg] C:\WINDOWS\system32\lphcvnpj0egdg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKUS\S-1-5-18\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (User 'Default user')
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.mcafee.com
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4B55FE21-325E-48D5-9B39-9B430D639EE8} (ScanFile.FileScan) - http://www.contentpurity.com/ScanFile.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file:///C:/Program%20Files/AutoCAD%20LT%202002/AcDcToday.ocx
O16 - DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} - http://www.contentpurity.com/ScanFile.CAB
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://207.144.44.254/activex/AxisCamControl.cab
O16 - DPF: {91876926-89DC-11D7-B590-00500467786D} (DnldCtrl Control) - http://store.cnsx.com/download/DnldCtrl.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///C:/Program%20Files/AutoCAD%20LT%202002/InstBanr.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file:///C:/Program%20Files/AutoCAD%20LT%202002/InstFred.ocx
O16 - DPF: {D5382F3F-32AA-41E1-9FFF-5D1EFAC80D40} (FileClean.Clean) - http://contentpurity.com/members/FileClean.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tigerpawsoftware.webex.com/client/v...bex/ieatgpc.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...975/mcfscan.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file:///C:/Program%20Files/AutoCAD%20LT%202002/AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7334F8A-AB8C-4775-A822-30E51DC43CFA}: NameServer = 10.1.1.1
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7043 bytes



Malwarebytes' Anti-Malware 1.28
Database version: 1138
Windows 5.1.2600 Service Pack 2

2008-09-19 11:23:22
mbam-log-2008-09-19 (11-23-22).txt

Scan type: Quick Scan
Objects scanned: 53837
Time elapsed: 6 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcvnpj0egdg (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, September 19, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, September 19, 2008 17:30:31
Records in database: 1249222
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 48674
Threat name: 10
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 01:34:17


File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\rburle\My Documents\classicalhummingbird.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Documents and Settings\rburle\My Documents\classicalhummingbird.exe Infected: Trojan-Downloader.Win32.Wren.d 1
C:\Documents and Settings\rburle\My Documents\screensaversinstaller.exe Infected: not-a-virus:AdWare.Win32.Comet.bc 1
C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.d 1
C:\QooBox\Quarantine\C\WINDOWS\sasent.dll.vir Infected: Trojan.Win32.Dialer.bi 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bnguql.dll.vir Infected: Backdoor.Win32.Hijack.w 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bnguql32.dll.vir Infected: Backdoor.Win32.Hijack.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lphcvnpj0egdg.exe.vir Infected: Backdoor.Win32.Frauder.gy 1
C:\QooBox\Quarantine\catchme2008-09-11_ 90717.89.zip Infected: Rootkit.Win32.Agent.cmo 1

The selected area was scanned.

#15 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:07:52 AM

Posted 19 September 2008 - 02:29 PM

Hi Keith

Glad you made it back OK, I guess it's pretty rough in your area at the moment...

Your logs look pretty good now; one file I noticed is probably part of a rogue anti-spyware program, SpywareNuker...

That's this :- C:\WINDOWS\SYSTEM32\DRIVERS\PSHOOK11.SYS

I want you to run SUPERAntiSpyware, which will remove that file & any other files associated with it...

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed, update the definitions and then run a full system scan; quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

That just leaves what is shown in the KASPERSKY ONLINE SCANNER 7 REPORT

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

These first 2 are legit files used by SmitfraudFix, but as you don't need SmitfraudFix anymore, you can delete the SmitfraudFix folder from the Administrator\Desktop ...

-
C:\Documents and Settings\rburle\My Documents\classicalhummingbird.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Documents and Settings\rburle\My Documents\classicalhummingbird.exe Infected: Trojan-Downloader.Win32.Wren.d 1
C:\Documents and Settings\rburle\My Documents\screensaversinstaller.exe Infected: not-a-virus:AdWare.Win32.Comet.bc 1

These next 3 (2 files actually) I included in the Combofix script to be deleted, but they weren't, so please find them & delete them manually ...

-
C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.d 1

Of course this is a downloader, it downloads mail ... it's not malware, it's just tagged because it includes a downloader.

-
C:\QooBox\Quarantine\C\WINDOWS\sasent.dll.vir Infected: Trojan.Win32.Dialer.bi 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bnguql.dll.vir Infected: Backdoor.Win32.Hijack.w 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bnguql32.dll.vir Infected: Backdoor.Win32.Hijack.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lphcvnpj0egdg.exe.vir Infected: Backdoor.Win32.Frauder.gy 1
C:\QooBox\Quarantine\catchme2008-09-11_ 90717.89.zip Infected: Rootkit.Win32.Agent.cmo 1

These are safely in Quarantine & will be deleted when we uninstall Combofix ...

How's the computer running now ?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
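The reply above sorts the Kaspersky hits by hand into four groups: files already in ComboFix's quarantine, the SmitfraudFix tool itself, live files with only "not-a-virus" names, and live files with a real trojan/backdoor name. As an added example (not code from the thread, from BleepingComputer, or from any of the scanners mentioned), here is a small Python script that does the same triage over the report lines pasted earlier in the thread. It assumes ComboFix's quarantine folder `C:\QooBox\Quarantine` and the `SmitfraudFix` name as location markers (both appear in the thread); the category names and the per-category actions are my own labels, and the report text embedded below is copied from the post as constructed sample input.

```python
"""Triage a Kaspersky Online Scanner report into quarantined / tool / riskware / malware."""
import re
from collections import defaultdict

# Constructed sample input: the "File name / Threat name / Threats count" lines
# from the Kaspersky Online Scanner 7 report posted earlier in this thread.
KASPERSKY_REPORT = r"""
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\rburle\My Documents\classicalhummingbird.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Documents and Settings\rburle\My Documents\classicalhummingbird.exe Infected: Trojan-Downloader.Win32.Wren.d 1
C:\Documents and Settings\rburle\My Documents\screensaversinstaller.exe Infected: not-a-virus:AdWare.Win32.Comet.bc 1
C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.d 1
C:\QooBox\Quarantine\C\WINDOWS\sasent.dll.vir Infected: Trojan.Win32.Dialer.bi 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bnguql.dll.vir Infected: Backdoor.Win32.Hijack.w 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bnguql32.dll.vir Infected: Backdoor.Win32.Hijack.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lphcvnpj0egdg.exe.vir Infected: Backdoor.Win32.Frauder.gy 1
C:\QooBox\Quarantine\catchme2008-09-11_ 90717.89.zip Infected: Rootkit.Win32.Agent.cmo 1
"""

# One report line: <path, may contain spaces> Infected: <threat name> <count>
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Assumed markers (taken from the thread, not from the scanner): ComboFix's
# quarantine folder, and the cleanup tool the helper had the user run.
QUARANTINE_PREFIX = r"C:\QooBox\Quarantine"
CLEANUP_TOOL_MARKERS = ("SmitfraudFix",)

# Category labels and actions are this example's own wording.
ACTIONS = {
    "quarantined": "leave alone: already in ComboFix quarantine, gone when ComboFix is uninstalled",
    "cleanup-tool": "delete when no longer needed: legitimate cleanup tool flagged as RiskTool",
    "riskware": "review: only not-a-virus (adware/riskware/downloader) names, decide per file",
    "malware": "delete manually: live file with a trojan/backdoor/rootkit detection",
}


def parse_report(text):
    """Yield (path, threat, count) for each detection line; ignore everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("threat"), int(m.group("count"))


def is_riskware(threat):
    """Kaspersky prefixes flagged-but-not-malicious tools with 'not-a-virus:'."""
    return threat.startswith("not-a-virus:")


def classify(path, threats):
    """Pick one category for a file from its location and all of its detections."""
    lowered = path.lower()
    if lowered.startswith(QUARANTINE_PREFIX.lower()):
        return "quarantined"
    # A file listed under several names (adware + trojan-downloader here) takes
    # the most severe one: a single real malware name makes it "malware".
    if not all(is_riskware(t) for t in threats):
        return "malware"
    if any(marker.lower() in lowered for marker in CLEANUP_TOOL_MARKERS):
        return "cleanup-tool"
    return "riskware"


def triage(text):
    """Group detections per file; the scanner prints one line per threat name."""
    threats_by_path = defaultdict(list)
    for path, threat, _count in parse_report(text):
        threats_by_path[path].append(threat)
    result = {}
    for path, threats in threats_by_path.items():
        category = classify(path, threats)
        result[path] = {"threats": threats, "category": category, "action": ACTIONS[category]}
    return result


def summarize(triaged):
    """Count distinct files per category."""
    counts = defaultdict(int)
    for entry in triaged.values():
        counts[entry["category"]] += 1
    return dict(counts)


if __name__ == "__main__":
    triaged = triage(KASPERSKY_REPORT)
    for path, entry in triaged.items():
        print(f"[{entry['category']:12}] {path}")
        print(f"    names: {', '.join(entry['threats'])}")
        print(f"    -> {entry['action']}")
    print(summarize(triaged))
```

Grouping by path is the step that matters: the report lists eleven detections but only ten files, and `classicalhummingbird.exe` is counted once as malware because its trojan-downloader name outranks its adware name. Anything already under the quarantine folder is left for the ComboFix uninstall, exactly as the reply says.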



