Bullguard Antivirus Forum Download A Free Copy Of Bullguard Antivirus Software
Free Antivirus Forum - Learn about antivirus, firewalls and personal security Free Antivirus Forum - Learn about antivirus, firewalls and personal security
 HomeLog InRegisterCommunity CalendarSearch the ForumView The Member ListHelp
Possible Crimeware/Keystroke Logger and BGNEWSUI.EXE
   
BullGuard Antivirus Forum > Virus Removal > Removal Help > Possible Crimeware/Keystroke Logger and BGNEWSUI.EXE  
Forum Quick Jump
 
New Topic Post reply to : Possible Crimeware/Keystroke Logger and BGNEWSUI.EXE Printable version of : Possible Crimeware/Keystroke Logger and BGNEWSUI.EXE
[ << Previous Thread | Next Thread >> ]

backdraft999
New Member


Date Joined Feb 2006
Total Posts : 7
  		   Posted 6-2-2007 7:25 (GMT +1)    Quote: Possible Crimeware/Keystroke Logger and BGNEWSUI.EXEAlert an admin about: Possible Crimeware/Keystroke Logger and BGNEWSUI.EXE
My wife may have been phished using her yahoo email account. She made contact with a suspicious character from an ebay auction and ever since my computer has been acting up. Ebay forums say guy was a scammer and probably installed something on my computer (keystroke logger, etc) in order to gain personal info.
 
I was performing my AVG scan and when it was approx. 75% completed a message popped up from my Sana Security [anti-spyware/adware] program (sanasecurity.com) that said a threat called "BGNEWSUI.EXE" had been detected and quarantined. Then when my AVG scan had completed, I clicked on apply action and a warning message popped up that read: "The file C:\System Volume Information\_restore{C253B3E0-5474-45CB-9E63-8AF93CE499F6}\RP636A0085370.exe/WeUnistall.exe cannot be quarantined because it is embedded in the archive C:\System Volume Information\_restore{C253B3E0-5474-45CB-9E63-8AF93CE499F6}\RP636A0085370.exe. Do you want to quaratine the whole archive?" I clicked no because it looked to me like the entire C: drive would be quarantined. I hope that was the right choice.
 
After I clicked no on the warning message above the AVG scan said that all actions had been applied and that the BGNEWSUI.EXE had be quarantined.
 
My AVG Scan Report is:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
  + Created at:   12:48:13 AM 6/2/2007
  + Scan result:  
 C:\System Volume Information\_restore{C253B3E0-5474-46CB-9E63-8AF93CB499F6}\RP636\A0085370.exe/WeUninstall.exe -> Backdoor.Graybird : Cleaned with backup (quarantined).
 ::Report end
 
My HijackThis Scan Report is:
 
Logfile of HijackThis v1.99.1
Scan saved at 12:51:53 AM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaAgent.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaMonitor.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PROMon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\BullGuard Software\BullGuard\bullguard.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\The Internet Marketing Center\Desktop Marketer 3\Readers\259\367\Icanplaydrums Messenger.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\alternativhijackthis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onenewsnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://harrythompson.com/webjal.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.passport.net/reg.srf?xpwiz=true&lc=1033&langid=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [SanaSafeConnect] "C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [AuctionSentryDeluxe] "C:\Program Files\Auction Sentry Deluxe\AuctionSentryDeluxe.exe"
O4 - HKCU\..\Run: [Icanplaydrums Messenger] "C:\Program Files\The Internet Marketing Center\Desktop Marketer 3\Readers\259\367\Icanplaydrums Messenger.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124280654281
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {A7A6EF43-0FA0-4911-BC67-3F4C55D34DB9} (MediaBay.DownloadManager) - http://www.audiobookclub.com/software/DownloadManager.CAB
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4699/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: CacheBoost Performance Optimizer and Tuner Service (CacheBoost Service) - Unknown owner - C:\Program Files\CacheBoost\cbsrv.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SanaSafeConnectAgent - Unknown owner - C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaAgent.exe" SanaSafeConnectAgent (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Windows Defender Service (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)
 
Please help with this matter. Any and all help will be greatly appreciated. Thanks.
~Billy


Image Attachment :
Image Preview
avg warning.jpg   60KB (image/jpg)
This image has been viewed 30 time(s).
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14295
  		   Posted 6-2-2007 7:38 (GMT +1)    Quote: Possible Crimeware/Keystroke Logger and BGNEWSUI.EXEAlert an admin about: Possible Crimeware/Keystroke Logger and BGNEWSUI.EXE
Hello smile
 
 
Turn off and then turn on System Restore. To do so, follow these steps:
System Restore
 
 
It will get rid of infections in System Volume Information
 

Do NOT post your problem in someone elses thread.
Start a new topic so that it may receive proper attention. 
 

Back to Top
 

backdraft999
New Member


Date Joined Feb 2006
Total Posts : 7
  		   Posted 6-3-2007 5:18 (GMT +1)    Quote: Possible Crimeware/Keystroke Logger and BGNEWSUI.EXEAlert an admin about: Possible Crimeware/Keystroke Logger and BGNEWSUI.EXE
Is this all I have to do? Do I need to run the scans again or anything else? Thanks!
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14295
  		   Posted 6-3-2007 6:53 (GMT +1)    Quote: Possible Crimeware/Keystroke Logger and BGNEWSUI.EXEAlert an admin about: Possible Crimeware/Keystroke Logger and BGNEWSUI.EXE
Run a scan with AVG and make sure it´s gone  ;-)

Do NOT post your problem in someone elses thread.
Start a new topic so that it may receive proper attention. 
 

Back to Top
 
New Topic Post reply to : Possible Crimeware/Keystroke Logger and BGNEWSUI.EXE Printable version of : Possible Crimeware/Keystroke Logger and BGNEWSUI.EXE
 
Forum Information
Currently it is Tuesday, January 06, 2009 4:04 PM (GMT +1)
There are a total of 65.870 posts in 16.165 threads.
In the last 3 days there were 21 new threads and 93 reply posts. View Active Threads
Who's Online
This forum has 27758 registered members. Please welcome our newest member, Nards.
43 Guest(s), 0 Registered Member(s) are currently online.  Details
5 Latest Threads
Cannot remove malware (6)06-01-2009 14:30:24 (phill)
Error message (1)06-01-2009 14:23:27 (Touch)
Virus stopping AVG and spybot from running (7)06-01-2009 14:17:45 (Touch)
Have I a machine infection? (9)06-01-2009 14:14:36 (Touch)
How to restore missing control panel and properties (1)06-01-2009 14:07:24 (Touch)


Need Support? Write to: | Forum Help Manual

Download free trial version of Bullguard