Hello,
Two days ago my computer was infected with a trojan. I immediately carried out a virus scan and BullGuard detected two viruses named phcag1j0enae.bmp and bphcag1j0enae.scr. Since then I have been trying to remove these trojans with no success. When I turned on my computer the next day my desktop background had been changed to a white screen with an imitation Windows Vista box, and a pop-up called 'Antivirus XP 2008'. After reading about others with the same problems I downloaded MalwareBytes, SUPERAntiSpyware, ComboFix and HijackThis, but so far none have been able to remove the trojans.
Below are the logs from SUPERAntiSpyware, HijackThis and ComboFix respectively.
I hope that you can help me to remove these problems as quickly as possible.
Thank you very much.
Generated 08/26/2008 at 11:39 PM
Application Version : 4.20.1046
Core Rules Database Version : 3548
Trace Rules Database Version: 1536
Scan type : Complete Scan
Total Scan Time : 00:32:21
Memory items scanned : 593
Memory threats detected : 1
Registry items scanned : 7224
Registry threats detected : 6
File items scanned : 24600
File threats detected : 8
Trojan.Dropper/Gen
    C:\WINDOWS\SYSTEM32\PGRENQPC.EXE
    C:\WINDOWS\SYSTEM32\PGRENQPC.EXE [smartsyssrv]
    C:\WINDOWS\SYSTEM32\PGRENQPC.EXE [WebStr]
    C:\WINDOWS\SYSTEM32\WVKTQFGX.EXE
    C:\WINDOWS\SYSTEM32\WVKTQFGX.EXE [MonUtilStr]
    C:\WINDOWS\SYSTEM32\PEPUXITS.EXE
    C:\WINDOWS\SYSTEM32\PEPUXITS.EXE [ActCfg]
    C:\WINDOWS\SYSTEM32\AVSRENSB.EXE
    C:\WINDOWS\SYSTEM32\AVSRENSB.EXE [MntDbDsc]
    C:\WINDOWS\SYSTEM32\GNMDUNQT.EXE
    C:\WINDOWS\SYSTEM32\GNMDUNQT.EXE [UiActCmd]
    C:\WINDOWS\SYSTEM32\QNAVWFEB.EXE
    C:\WINDOWS\SYSTEM32\QNAVWFEB.EXE
Rogue.AntiVirus 2008
    C:\WINDOWS\SYSTEM32\PHCAG1J0ENAE.BMP
NotHarmful.Sysinternals Bluescreen Screen Saver
    C:\WINDOWS\SYSTEM32\BLPHCAG1J0ENAE.SCR
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:07:51, on 27/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
-- End of file - 10418 bytes
ComboFix 08-08-25.01 - Phil 2008-08-26 23:57:28.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.505 [GMT 1:00]
Running from: C:\Documents and Settings\Phil\My Documents\Programs\ComboFix.exe
* Resident AV is active
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] .
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) .
C:\WINDOWS\system32\blphcag1j0enae.scr
C:\WINDOWS\system32\lphcag1j0enae.exe
C:\WINDOWS\system32\phcag1j0enae.bmp
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 00:01:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\lphcag1j0enae.exe 203776 bytes executable
C:\WINDOWS\system32\phcag1j0enae.bmp 625208 bytes
C:\WINDOWS\system32\lmhezyzq.exe 86016 bytes executable
C:\WINDOWS\system32\blphcag1j0enae.scr 118784 bytes executable
scan completed successfully hidden files: 4
**************************************************************************
.
Completion time: 2008-08-27 0:06:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-26 23:06:15
ComboFix2.txt 2008-08-26 22:00:18
ComboFix3.txt 2008-08-26 18:12:27
ComboFix4.txt 2008-08-26 18:00:31
ComboFix5.txt 2008-08-26 22:57:15
Pre-Run: 119,871,971,328 bytes free
Post-Run: 119,880,962,048 bytes free
309 --- E O F --- 2008-08-22 10:13:12