Fraud.Sysguard, Virtumonde, WinSpyWareProtect, jenksysguard.exe, fvhrsysguard.exe



RafikiSupai!
2009-11-11, 22:51
Greetings

11/06/09 3:39 pm Drive-by download
WinPatrol asking if OK for new start up programs: NO

Steps I took:
WinPatrol to shut down IE
CCleaner
Searched files created on 11/06/09 at the time of the drive-by

Found:
C:\WINDOWS\Prefetch\JENKSYSGUARD.EXE-26B3D3DB.pf
C:\WINDOWS\Prefetch\REGSVR32.EXE-396DEA2C.pf
C:\WINDOWS\Prefetch\OP[1].EXE-135CA8B5.pf
C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf
C:\WINDOWS\Prefetch\WISPTIS.EXE-1AD43041.pf
C:\WINDOWS\Prefetch\ACROBAT.EXE-37DF90AA.pf
C:\Documents and Settings\DavDenRusSki\Local Settings\Application Data\kycssw\jenksysguard.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1832\A0242102.exe

Ran Spybot, found & fixed:
Fraud.Sysguard
WinSpyWareProtect

The files I found are still there.

:: ::

11/11/09 12:15 pm Drive-by download
WinPatrol asking if OK for new start up programs: NO
Pop-up message from system tray with Spybot Immunize logo saying I have a virus and to download a program: did not engage with message.

Steps I took:
WinPatrol to shut down IE
CCleaner
Searched files created on 11/11/09 at the time of the drive-by

Found:
C:\WINDOWS\SYSTEM32\~.exe
C:\WINDOWS\Prefetch\~.EXE-10AA984B.pf
C:\WINDOWS\Prefetch\FVHRSYSGUARD.EXE-255D32DE.pf
C:\Documents and Settings\DavDenRusSki\Local Settings\Application Data\ikvvyn\ fvhrsysguard.exe

Ran Spybot, found & fixed:
Fraud.Sysguard
Virtumonde
WinSpyWareProtect

The files I found are still there with the exception of, C:\WINDOWS\SYSTEM32\~.exe

I have not closed Spybot
I have not downloaded MS Updates that are ready as I fear spreading or activating whatever.
I have run "ERUNT" and backed up "System registry" only.

Thank you for your help.
:: ::

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:30 PM, on 11/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://apod.nasa.gov/apod/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE7
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5632] cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1110] command.com /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC446] cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7973] cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2943] command.com /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1158] cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKUS\S-1-5-21-2710597939-3187016515-2077082144-1053\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'The David's')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
--
End of file - 7668 bytes
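
The poster's triage leans on the Prefetch entries (OP[1].EXE, REGSVR32.EXE, CMD.EXE, then JENKSYSGUARD.EXE) as evidence of what executed during the drive-by. The following is an added example, not code from the original post or from any of the tools named in it: it parses the header of Windows XP (SCCA version 17) prefetch files to recover the executable name, last run time and run count, sorts them into an execution timeline, and flags names matching the pattern seen in this thread (four random letters plus "sysguard.exe", "~.exe", and an "OP[n].EXE" downloaded file). The prefetch blobs below are constructed in memory with a helper so the script runs offline; on a real machine you would read the .pf files from C:\WINDOWS\Prefetch instead. The suspicious-name regex is an assumption drawn from the names in this thread, not a general signature.

```python
"""Parse Windows XP (SCCA version 17) prefetch headers into an execution timeline."""
import re
import struct
from datetime import datetime, timedelta, timezone

PF_VERSION_XP = 0x11          # XP / Server 2003 prefetch format
PF_SIGNATURE = b"SCCA"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

# Assumption: names observed in this thread (random 4-letter prefix + sysguard.exe,
# the "~.exe" dropper and the OP[n].exe download). Not a general-purpose signature.
SUSPICIOUS_NAME = re.compile(r"^(?:[A-Z]{4}SYSGUARD\.EXE|~\.EXE|OP\[\d+\]\.EXE)$")


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_xp_prefetch(data):
    """Return (exe_name, last_run, run_count) from an XP-format prefetch blob.

    Version-17 header layout used here: 0x00 version, 0x04 'SCCA',
    0x10 executable name (UTF-16LE, 60 bytes), 0x78 last run FILETIME,
    0x90 run count. Anything shorter or with another version is rejected.
    """
    if len(data) < 0x98:
        raise ValueError("too short for an XP prefetch header")
    version, = struct.unpack_from("<I", data, 0x00)
    if version != PF_VERSION_XP or data[0x04:0x08] != PF_SIGNATURE:
        raise ValueError("not an XP (version 17) prefetch file")
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    last_run, = struct.unpack_from("<Q", data, 0x78)
    run_count, = struct.unpack_from("<I", data, 0x90)
    return name, filetime_to_datetime(last_run), run_count


def build_timeline(blobs):
    """Parse each blob and return entries sorted by last run time, oldest first."""
    entries = []
    for blob in blobs:
        name, last_run, run_count = parse_xp_prefetch(blob)
        entries.append({
            "name": name,
            "last_run": last_run,
            "run_count": run_count,
            "suspicious": bool(SUSPICIOUS_NAME.match(name.upper())),
        })
    return sorted(entries, key=lambda e: e["last_run"])


def make_xp_prefetch(name, last_run, run_count):
    """Build a minimal synthetic XP prefetch header for testing (not a real .pf file)."""
    ticks = ((last_run - EPOCH_1601) // timedelta(microseconds=1)) * 10
    buf = bytearray(0x98)
    struct.pack_into("<I", buf, 0x00, PF_VERSION_XP)
    buf[0x04:0x08] = PF_SIGNATURE
    struct.pack_into("<I", buf, 0x0C, len(buf))
    buf[0x10:0x10 + 60] = name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<Q", buf, 0x78, ticks)
    struct.pack_into("<I", buf, 0x90, run_count)
    return bytes(buf)


# Constructed sample: the 11/06 drive-by at 3:39 pm local (GMT-5), i.e. 20:39 UTC.
SAMPLE_PREFETCH = [
    make_xp_prefetch("OP[1].EXE", datetime(2009, 11, 6, 20, 39, 5, tzinfo=timezone.utc), 1),
    make_xp_prefetch("REGSVR32.EXE", datetime(2009, 11, 6, 20, 39, 12, tzinfo=timezone.utc), 42),
    make_xp_prefetch("JENKSYSGUARD.EXE", datetime(2009, 11, 6, 20, 39, 20, tzinfo=timezone.utc), 3),
    make_xp_prefetch("ACROBAT.EXE", datetime(2009, 11, 6, 20, 35, 0, tzinfo=timezone.utc), 210),
]


def suspicious_names(blobs=SAMPLE_PREFETCH):
    """Names flagged by the pattern, in execution order."""
    return [e["name"] for e in build_timeline(blobs) if e["suspicious"]]


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_PREFETCH):
        flag = "  <-- suspicious" if e["suspicious"] else ""
        print(f"{e['last_run']:%Y-%m-%d %H:%M:%S}  runs={e['run_count']:<4} {e['name']}{flag}")
```

Two caveats a practitioner would want: the last run time in the header is the last execution only, so a dropper that ran once and a legitimate tool that ran many times both show a single timestamp, which is why the run count is reported alongside it; and the hash in a prefetch file name (JENKSYSGUARD.EXE-26B3D3DB.pf) is derived from the executable's full device path, so the same binary launched from two folders leaves two entries. Later prefetch versions (Vista and up) use different offsets and, from Windows 10, compression, so this parser deliberately refuses anything other than version 17.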

Blade81
2009-11-15, 16:35
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

RafikiSupai!
2009-11-17, 19:41
DDS (Ver_09-10-26.01) - NTFSx86
Run by DavDenRusSki at 12:28:10.76 on Tue 11/17/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2912 [GMT -5:00]
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\DAVDEN~1\Desktop\dds.scr
============== Pseudo HJT Report ===============
uSearchMigratedDefaultURL =
uStart Page = hxxp://apod.nasa.gov/apod/
uWindow Title = IE7
mWindow Title = IE7
BHO: AutorunsDisabled - No File
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRunOnce: [RunNarrator] Narrator.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\davden~1\applic~1\mozilla\firefox\profiles\6shrei5i.default\
FF - prefs.js: browser.startup.homepage - hxxp://fodors.com/forums/threadselect.jsp?fid=4
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaExtensions.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - component: c:\program files\siteadvisor\6261\ff\components\FFHook.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-4-17 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-4-17 439664]
R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-4-17 35448]
S3 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getplus_helpersvc.exe --> c:\program files\nos\bin\getPlus_HelperSvc.exe [?]
S4 gupdate1c97c0d1e54e113;Google Update Service (gupdate1c97c0d1e54e113);c:\program files\google\update\GoogleUpdate.exe [2009-1-21 133104]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S4 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-6-26 204800]
=============== Created Last 30 ================
2009-11-07 15:29:44 68683 ----a-w- C:\WPorder.jpg
==================== Find3M ====================
2009-11-17 17:06:08 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-24 00:05:04 72584 ----a-w- c:\windows\zllsputility.exe
2009-09-24 00:04:56 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 05:18:44 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 05:18:41 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
============= FINISH: 12:29:07.06 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-10-26.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 9/9/2004 7:02:31 PM
System Uptime: 11/17/2009 12:20:49 PM (0 hours ago)
Motherboard: Dell Inc. | | 0J3492
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Microprocessor | 3192/800mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 145 GiB total, 52.872 GiB free.
D: is CDROM ()
E: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\1106ED8623C04
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\1106ED8623C04
Service: NIC1394
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\80035537D100
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\80035537D100
Service: NIC1394
==== System Restore Points ===================
RP1752: 8/20/2009 7:13:05 AM - System Checkpoint
RP1753: 8/21/2009 8:13:04 AM - System Checkpoint
RP1754: 8/22/2009 9:13:00 AM - System Checkpoint
RP1755: 8/23/2009 10:13:03 AM - System Checkpoint
RP1756: 8/24/2009 11:13:01 AM - System Checkpoint
RP1757: 8/25/2009 1:15:00 PM - System Checkpoint
RP1758: 8/26/2009 2:00:22 AM - Software Distribution Service 3.0
RP1759: 8/27/2009 2:13:07 AM - System Checkpoint
RP1760: 8/28/2009 3:13:04 AM - System Checkpoint
RP1761: 8/29/2009 4:13:04 AM - System Checkpoint
RP1762: 8/30/2009 5:13:04 AM - System Checkpoint
RP1763: 8/31/2009 6:13:07 AM - System Checkpoint
RP1764: 9/1/2009 7:13:08 AM - System Checkpoint
RP1765: 9/2/2009 8:13:04 AM - System Checkpoint
RP1766: 9/3/2009 9:13:03 AM - System Checkpoint
RP1767: 9/4/2009 10:13:04 AM - System Checkpoint
RP1768: 9/5/2009 11:32:04 AM - System Checkpoint
RP1769: 9/6/2009 12:12:47 PM - System Checkpoint
RP1770: 9/7/2009 1:12:47 PM - System Checkpoint
RP1771: 9/8/2009 2:12:46 PM - System Checkpoint
RP1772: 9/9/2009 2:17:45 PM - System Checkpoint
RP1773: 9/10/2009 2:00:20 AM - Software Distribution Service 3.0
RP1774: 9/11/2009 2:16:53 AM - System Checkpoint
RP1775: 9/12/2009 3:16:53 AM - System Checkpoint
RP1776: 9/13/2009 4:16:44 AM - System Checkpoint
RP1777: 9/14/2009 5:16:44 AM - System Checkpoint
RP1778: 9/15/2009 6:16:45 AM - System Checkpoint
RP1779: 9/16/2009 7:16:44 AM - System Checkpoint
RP1780: 9/17/2009 8:24:50 AM - System Checkpoint
RP1781: 9/18/2009 9:16:44 AM - System Checkpoint
RP1782: 9/19/2009 10:58:19 AM - System Checkpoint
RP1783: 9/20/2009 11:16:36 AM - System Checkpoint
RP1784: 9/21/2009 12:16:33 PM - System Checkpoint
RP1785: 9/22/2009 1:16:36 PM - System Checkpoint
RP1786: 9/23/2009 2:16:36 PM - System Checkpoint
RP1787: 9/24/2009 3:16:35 PM - System Checkpoint
RP1788: 9/25/2009 4:23:06 PM - System Checkpoint
RP1789: 9/26/2009 5:17:41 PM - System Checkpoint
RP1790: 9/27/2009 6:30:25 PM - System Checkpoint
RP1791: 9/28/2009 7:28:10 PM - System Checkpoint
RP1792: 9/29/2009 8:07:27 PM - System Checkpoint
RP1793: 9/30/2009 9:19:22 PM - System Checkpoint
RP1794: 10/1/2009 10:07:25 PM - System Checkpoint
RP1795: 10/2/2009 11:07:25 PM - System Checkpoint
RP1796: 10/4/2009 12:00:14 AM - System Checkpoint
RP1797: 10/5/2009 8:31:22 AM - System Checkpoint
RP1798: 10/6/2009 8:46:26 AM - System Checkpoint
RP1799: 10/7/2009 9:46:26 AM - System Checkpoint
RP1800: 10/8/2009 10:37:41 AM - System Checkpoint
RP1801: 10/9/2009 11:37:38 AM - System Checkpoint
RP1802: 10/10/2009 3:34:29 PM - System Checkpoint
RP1803: 10/11/2009 7:25:21 PM - System Checkpoint
RP1804: 10/12/2009 10:57:53 PM - System Checkpoint
RP1805: 10/14/2009 12:51:21 AM - System Checkpoint
RP1806: 10/15/2009 1:39:05 AM - System Checkpoint
RP1807: 10/16/2009 2:00:19 AM - Software Distribution Service 3.0
RP1808: 10/17/2009 2:28:30 AM - System Checkpoint
RP1809: 10/18/2009 2:42:30 AM - System Checkpoint
RP1810: 10/19/2009 3:26:12 AM - System Checkpoint
RP1811: 10/20/2009 4:23:59 AM - System Checkpoint
RP1812: 10/21/2009 5:00:00 AM - System Checkpoint
RP1813: 10/22/2009 5:37:47 AM - System Checkpoint
RP1814: 10/23/2009 2:00:19 AM - Software Distribution Service 3.0
RP1815: 10/24/2009 2:22:00 AM - System Checkpoint
RP1816: 10/25/2009 3:21:59 AM - System Checkpoint
RP1817: 10/26/2009 4:21:50 AM - System Checkpoint
RP1818: 10/27/2009 5:21:50 AM - System Checkpoint
RP1819: 10/28/2009 5:48:15 AM - System Checkpoint
RP1820: 10/29/2009 6:48:14 AM - System Checkpoint
RP1821: 10/30/2009 7:48:14 AM - System Checkpoint
RP1822: 10/31/2009 8:26:26 AM - System Checkpoint
RP1823: 11/1/2009 2:26:31 PM - Configured Seagate Manager Installer
RP1824: 11/2/2009 4:00:40 PM - System Checkpoint
RP1825: 11/4/2009 12:22:39 AM - System Checkpoint
RP1826: 11/4/2009 3:00:17 AM - Software Distribution Service 3.0
RP1827: 11/5/2009 3:26:44 AM - System Checkpoint
RP1828: 11/6/2009 4:26:43 AM - System Checkpoint
RP1829: 11/7/2009 5:26:43 AM - System Checkpoint
RP1830: 11/8/2009 5:26:43 AM - System Checkpoint
RP1831: 11/9/2009 7:47:00 AM - System Checkpoint
RP1832: 11/10/2009 8:27:38 AM - System Checkpoint
RP1833: 11/11/2009 8:45:58 PM - System Checkpoint
RP1834: 11/12/2009 2:00:19 AM - Software Distribution Service 3.0
RP1835: 11/13/2009 2:22:52 AM - System Checkpoint
RP1836: 11/14/2009 3:22:50 AM - System Checkpoint
RP1837: 11/15/2009 4:22:51 AM - System Checkpoint
RP1838: 11/16/2009 5:22:41 AM - System Checkpoint
RP1839: 11/17/2009 6:02:14 AM - System Checkpoint
RP1840: 11/17/2009 12:19:05 PM - Removed AVG 8.0
RP1841: 11/17/2009 12:20:19 PM - Installed AVG 8.0
==== Installed Programs ======================

Adobe Acrobat 6.0 Professional
Adobe Flash Player 10 ActiveX
Adobe Illustrator 10
Adobe Photoshop 7.0
Adobe Photoshop Elements 2.0
Adobe SVG Viewer 3.0
America Online (Choose which version to remove)
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
AOL Uninstaller (Choose which Products to Remove)
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
Autodesk DWF Viewer
Banctec Service Agreement
Broadcom Advanced Control Suite 2
BUM
Calculator Powertoy for Windows XP
Camera Access Library
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window DSLR 5 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 1.6.1
Canon ZoomBrowser EX (E)
CCleaner (remove only)
cg4ie (remove only)
Citrix Presentation Server Client
Creative MediaSource
Defraggler (remove only)
Dell Digital Jukebox Driver
Dell Media Experience
Dell Networking Guide
EasyCleaner
EPSON Printer Software
ERUNT 1.1j
Google Earth
Google Earth Plugin
Google Update
GoToMeeting 2.0.0.124
Help and Support Customization
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB954550-v5)
IE7Pro
Intel Application Accelerator
Internet Explorer Default Page
iPod for Windows 2005-09-23
ItsDeductible Express
iTunes
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
KODAK EASYSHARE Gallery Easy Upload, v2.0
KODAK EASYSHARE Gallery Upload ActiveX Control
Linksys EasyLink Advisor
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Fireworks MX 2004
Macromedia Flash MX 2004
Macromedia FreeHand MXa
Macromedia Shockwave Player
Magnifier Powertoy for Windows XP
McAfee SiteAdvisor
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual Studio 6.0 Enterprise Edition
Modem Event Monitor
Modem Helper
Modem On Hold
MovieEdit Task
Mozilla Firefox (2.0.0.14)
Mozilla Thunderbird (2.0.0.18)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MUSICMATCH® Jukebox
Picasa 2
PowerDVD 5.1
Pure Networks Platform
Qualxserve Service Agreement
QuickTime
RAW Image Task
Seagate Manager Installer
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows XP (KB969947)
Shockwave
Skype™ 3.6
Sonic DLA
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
Sound Blaster Audigy 2
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SpywareBlaster 4.2
TurboTax 2008
TurboTax 2008 wdeiper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wpaiper
TurboTax 2008 wrapper
TurboTax Deluxe 2004
TurboTax Deluxe 2005
TurboTax Deluxe 2007
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Tweak UI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
VC 9.0 Runtime
Viewpoint Media Player
Virtual Desktop Manager Powertoy for Windows XP
Virtual Earth 3D (Beta)
Weather Pulse 2.10 build 5
WebFldrs XP
WexTech AnswerWorks
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinPatrol 2009
WinZip 11.1
WordPerfect Office 12
ZoneAlarm Extreme Security
Zune Desktop Theme
==== Event Viewer Messages From Past Week ========
11/16/2009 8:58:14 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 00111145C785 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
11/12/2009 2:19:24 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgTdiX
11/11/2009 1:59:32 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
==== End Of File ===========================

Blade81
2009-11-17, 21:06
Hi again :)

There's a newer version of Spybot available. Upgrade your version to the latest one here (http://www.safer-networking.org/en/spybotsd/index.html).


Do you use Adobe Acrobat 6.0 Professional for other tasks than just converting documents to pdfs?


Uninstall your current Macromedia shockwave player and get the fresh one here (http://get.adobe.com/shockwave/) if needed.


Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). A fresh version can be obtained here (http://get.adobe.com/flashplayer/).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 17 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click Continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.

Any issues left?

RafikiSupai!
2009-11-17, 23:59
Malwarebytes' Anti-Malware 1.41
Database version: 3189
Windows 5.1.2600 Service Pack 3
11/17/2009 3:57:38 PM
mbam-log-2009-11-17 (15-57-38).txt
Scan type: Quick Scan
Objects scanned: 158348
Time elapsed: 33 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

:: ::

Comments:

During the Malwarebytes Scan the DDS.scr program ran, flashed a log, and then disappeared. Problem?

Do you recommend setting Java to run automatic updates?
Carbonite was not offered nor anything else extra during setup – yay!
Hopefully, I downloaded the correct Java as I could not reach it per your instructions and had to search the site for Windows Offline Installation to be able to download.

Do I keep the Malwarebytes and the DDS.scr programs?

:: ::

Before I originally posted I could not find any information on fvhrsysguard.exe, jenksysguard.exe and their buddies that suddenly downloaded with Virtumonde.

I have never had files download that way that I am aware of; is there a logical reason for this process and these particular files that are still there?

:: ::

“Do you use Adobe Acrobat 6.0 Professional for other tasks than just converting documents to pdfs?”
No


“Any issues left?”

I have no clue Blade81! I never had any systems and have no idea if anything was compromised. Once I could not find any info stated in my post I came here to the forum because I did not want any issues.

I actually do not use this computer very often, until recently that is, as I had one laptop die and my new one with Vista will not connect to the internet via wireless or broadband and cannot not even upgrade to Windows 7.

So, I came back to this computer for when my eyes tire of reading the internet on the Blackberry or iphone. MyMy, I was reminded in this process I still have AOL [disabled though] on this computer that I used for a public email address that was preferred by a non-profit I provided some service for years ago. tsk tsk

If you see any issues or have any recommendations I welcome your advice.

Thank you for your time and service Blade81.
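An added example, not from this thread and not Malwarebytes' own code: a small Python parser for the Malwarebytes' Anti-Malware 1.x log format posted above. It returns the header fields, the per-category "Infected" counts and the itemised detections, then runs two checks a responder usually wants: that the summary counts agree with the itemised entries (a truncated or hand-edited log fails this), and which detected items were not fully removed yet (for example a "Delete on reboot" action, which only completes after a restart). The first sample is the log from this thread; the second is a constructed log whose classification name and second path are made up for illustration.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs and flag follow-up work."""
import re
from typing import Dict, List, Tuple

# Sample 1: the log posted in this thread (trimmed to the lines the parser uses).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3189
Windows 5.1.2600 Service Pack 3
11/17/2009 3:57:38 PM
mbam-log-2009-11-17 (15-57-38).txt
Scan type: Quick Scan
Objects scanned: 158348
Time elapsed: 33 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
"""

# Sample 2: constructed log. The family name "Rogue.SampleGuard" and the
# second path are invented; the first path mirrors the one discussed above.
PENDING_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3189
Files Infected: 2
Files Infected:
C:\Documents and Settings\User\Local Settings\Application Data\ikvvyn\fvhrsysguard.exe (Rogue.SampleGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example.exe (Rogue.SampleGuard) -> Delete on reboot.
"""

COUNT_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
DONE_ACTION = "Quarantined and deleted successfully"


def parse_mbam_log(text: str) -> Dict[str, object]:
    """Split an MBAM 1.x log into header fields, summary counts and detections."""
    header: Dict[str, str] = {}
    counts: Dict[str, int] = {}
    detections: List[Dict[str, str]] = []
    current = None  # section we are inside once the itemised part starts
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:  # summary line such as "Registry Keys Infected: 1"
            counts[m.group("category")] = int(m.group("n"))
            current = None
            continue
        m = SECTION_RE.match(line)
        if m:  # section heading such as "Registry Keys Infected:"
            current = m.group("category")
            continue
        if current is not None:
            if line == "(No malicious items detected)":
                continue
            m = ITEM_RE.match(line)
            if m:
                detections.append({"category": current, "item": m.group("item"),
                                   "family": m.group("family"), "action": m.group("action")})
            continue
        if ": " in line:  # remaining "key: value" lines belong to the header
            key, value = line.split(": ", 1)
            header[key] = value
    return {"header": header, "counts": counts, "detections": detections}


def count_mismatches(parsed: Dict[str, object]) -> List[Tuple[str, int, int]]:
    """Return (category, declared, itemised) where the summary disagrees with the items."""
    found: Dict[str, int] = {}
    for d in parsed["detections"]:
        found[d["category"]] = found.get(d["category"], 0) + 1
    return [(cat, n, found.get(cat, 0))
            for cat, n in parsed["counts"].items() if n != found.get(cat, 0)]


def pending_actions(parsed: Dict[str, object]) -> List[str]:
    """Items whose removal is not complete, e.g. scheduled for deletion on reboot."""
    return [d["item"] for d in parsed["detections"] if d["action"] != DONE_ACTION]


if __name__ == "__main__":
    for name, log in (("thread log", SAMPLE_LOG), ("constructed log", PENDING_LOG)):
        p = parse_mbam_log(log)
        print(name, "detections:", len(p["detections"]),
              "mismatches:", count_mismatches(p), "pending:", pending_actions(p))
```

Run it as a script to print the summary, or import `parse_mbam_log` to aggregate logs collected from several machines; a non-empty `pending_actions` result is the cue to reboot and rescan before calling the machine clean.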

RafikiSupai!
2009-11-18, 01:10
Please forgive me.

Blade81
2009-11-18, 08:30
Hi,


During the Malwarebytes Scan the DDS.scr program ran, flashed a log, and then disappeared. Problem?
No, I don't think so :)



Do I keep the Malwarebytes and the DDS.scr programs?
I'd keep Malwarebytes' Anti-Malware. DDS can be deleted.


Before I originally posted I could not find any information on fvhrsysguard.exe, jenksysguard.exe and their buddies that suddenly downloaded with Virtumonde.

I have never had files download that way that I am aware of; is there a logical reason for this process and these particular files that are still there?
Those may have been downloaded by exploiting unpatched vulnerabilities of the system. Pretty common nowadays.


“Do you use Adobe Acrobat 6.0 Professional for other tasks than just converting documents to pdfs?”
No
Ok. Then I recommend uninstalling it and getting one of the alternatives here (http://pdfwriters.org/).

RafikiSupai!
2009-11-18, 21:22
Blade81 for your time and expertise.

Blade81
2009-11-18, 23:04
You're welcome :)

Blade81
2009-11-27, 08:45
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.