
Fraud.sysguard



waljit
2010-06-16, 17:33
Hi,

Unfortunately it looks like my PC is infected with fraud.sysguard

I have the latest Spybot S&D, and that detects and cleans it. But when I restart the machine, the malware comes back (it runs a fake AV program).

I looked for startup entries but could not see any relevant to this.

But it must still be lurking somewhere.

Help!

DDS log below....

regards
Waljit


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Administrator at 15:27:48.40 on 16/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3070.2688 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.live.com
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Turn on nView Desktop Manager] rundll32.exe "c:\program files\nvidia corporation\nview\nview.dll",nViewInitialize
mRun: [bkjwyjoxhii] c:\documents and settings\nick\local settings\application data\nvvulct\ynuree.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: buy-security-essentials.com
Trusted Zone: download-soft-package.com
Trusted Zone: download-software-package.com
Trusted Zone: get-key-se10.com
Trusted Zone: is-software-download.com
Trusted Zone: buy-security-essentials.com
Trusted Zone: get-key-se10.com
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1271355140750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {1FF2C6C8-A641-4523-92C8-4B83393E70AB} = 212.159.13.49,212.159.13.50
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\wuwkl6nt.default\
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {E69C2460-C871-4D26-B2A1-93DBF2FDA079} - c:\documents and settings\nick\local settings\application data\{E69C2460-C871-4D26-B2A1-93DBF2FDA079}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-8-5 24064]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-12 242896]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2009-8-5 176640]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 1.1.14.0;c:\windows\system32\drivers\libusb0.sys [2010-5-19 22400]
S0 mmmlwkr;mmmlwkr; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-12 216200]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-12 29584]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-21 308064]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-17 136176]
S2 ParPort2k;Zeecube ParPort 2000;c:\windows\system32\drivers\ParPort2k.sys [2009-10-10 6421]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2009-8-20 17149]
S3 FTCSER2K;FTDI USB Dual Serial Port Driver;c:\windows\system32\drivers\ftcser2k.sys [2009-9-21 56031]
S3 FTCUSB;FTCUSB.SYS FT2232C IO test driver;c:\windows\system32\drivers\ftcusb.sys [2009-9-21 43235]
S3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [2009-8-20 472644]

=============== Created Last 30 ================

2010-06-16 14:00:02 0 d-----w- c:\program files\Safer Networking
2010-06-16 13:37:27 0 d-----w- c:\windows\pss
2010-06-10 17:43:34 3251 ----a-w- c:\windows\system32\wbem\Outlook_01cb08c472f0549a.mof
2010-06-10 15:45:24 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-07 16:37:59 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-06-07 16:37:53 0 d-----w- c:\program files\NVIDIA Corporation
2010-06-07 16:37:23 9046 ----a-w- c:\windows\system32\nvinfo.pb
2010-06-07 16:37:23 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-06-07 16:37:22 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-06-07 16:37:22 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-06-07 16:37:22 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-06-07 16:37:17 0 d-----w- C:\NVIDIA
2010-06-07 16:30:38 0 d-----w- c:\program files\SystemRequirementsLab
2010-05-31 16:39:41 3251 ----a-w- c:\windows\system32\wbem\Outlook_01cb00dfde3ee744.mof
2010-05-30 10:25:43 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-05-30 09:47:44 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-30 09:47:44 215920 ----a-w- c:\windows\system32\muweb.dll
2010-05-30 09:47:44 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-05-25 15:49:49 0 d-----w- c:\program files\Pixim
2010-05-19 17:44:43 37376 ----a-w- c:\windows\system32\libusb0.dll
2010-05-19 17:44:43 22400 ----a-w- c:\windows\system32\drivers\libusb0.sys
2010-05-19 17:44:43 0 d-----w- c:\program files\LibUSB-Win32

==================== Find3M ====================

2010-06-03 07:01:23 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-11 15:43:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 06:34:15 1860352 ----a-w- c:\windows\system32\win32k.sys
2010-04-21 07:19:39 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-21 07:19:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-03 22:55:31 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-04-03 22:55:31 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-03 22:55:31 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-03 22:55:31 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-03 22:55:31 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-03 22:55:31 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-03 22:55:31 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-03 22:55:31 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-03 18:23:18 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 18:23:16 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 18:23:16 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 18:23:16 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 18:23:16 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 18:22:54 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-04-02 15:54:38 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-06-10 21:57:27 32768 ----a-w- c:\program files\common files\keydll3.dll
2003-06-19 10:05:04 431888 --s-a-w- c:\program files\common files\riched20.dll
2010-03-08 14:34:28 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 15:28:09.84 ===============
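
The DDS log above is the kind of report a forum helper reads by eye. The script below is an added example, not part of this thread and not DDS or Spybot code: it encodes a few of the triage heuristics a reader applies to the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections (autoruns launching from per-user data folders, labels that look machine-generated, Trusted Zone additions, hosts-file overrides, EnableLUA = 0, and services whose file DDS marks as missing with "[x]") and runs them over a constructed excerpt of the log. The rule names, the length threshold in the label rule and the SAMPLE_LOG excerpt are my assumptions; every flag is a prompt to look closer, not a verdict on the file or site named.

```python
"""Triage heuristics for DDS-style log lines (added example, not from the thread)."""
import re

# Constructed excerpt of the DDS log posted above (lines copied as they appear there).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [bkjwyjoxhii] c:\documents and settings\nick\local settings\application data\nvvulct\ynuree.exe
mPolicies-system: EnableLUA = 0 (0x0)
Trusted Zone: buy-security-essentials.com
Trusted Zone: get-key-se10.com
Hosts: 127.0.0.1 www.spywareinfo.com
S0 mmmlwkr;mmmlwkr; [x]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-12 242896]
""".strip()

# Line shapes used by the DDS report sections shown above.
RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
TRUSTED_RE = re.compile(r"^Trusted Zone: (?P<domain>\S+)")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
SERVICE_RE = re.compile(r"^[RS]\d (?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.*)$")
LUA_OFF_RE = re.compile(r"^mPolicies-system: EnableLUA = 0\b")

# Per-user writable folders from which legitimate autoruns rarely launch (assumed list).
PROFILE_DATA_DIRS = (
    "\\local settings\\application data\\",
    "\\application data\\",
    "\\local settings\\temp\\",
)


def run_entry_reasons(name, cmd):
    """Heuristics for one autorun entry; returns the reasons it deserves a look (empty = none)."""
    reasons = []
    if any(d in cmd.lower() for d in PROFILE_DATA_DIRS):
        reasons.append("autorun launches from a user profile data folder")
    # A label that is one unbroken run of lowercase letters, unlike vendor-style labels
    # such as 'AVG9_TRAY' or 'ctfmon.exe', is a weak hint of a generated name (threshold assumed).
    if re.fullmatch(r"[a-z]{8,}", name):
        reasons.append("autorun label looks machine-generated")
    return reasons


def service_reasons(svc, path):
    """DDS prints '[x]' instead of the file details when a service's file cannot be found."""
    if path.strip().startswith("[x]"):
        return [f"service '{svc}' is registered but its file is missing"]
    return []


def triage(log_text):
    """Return a list of {'line', 'reasons'} for every log line a reviewer should look at."""
    findings = []
    for line in log_text.splitlines():
        reasons = []
        if m := RUN_RE.match(line):
            reasons += run_entry_reasons(m["name"], m["cmd"])
        elif LUA_OFF_RE.match(line):
            reasons.append("UAC disabled (EnableLUA = 0); relevant on Vista and later")
        elif m := TRUSTED_RE.match(line):
            reasons.append(f"site '{m['domain']}' is in the IE Trusted Zone (relaxed settings); confirm the user added it")
        elif m := HOSTS_RE.match(line):
            if m["host"].lower() != "localhost":
                reasons.append(f"hosts file overrides resolution of '{m['host']}' to {m['ip']}")
        elif m := SERVICE_RE.match(line):
            reasons += service_reasons(m["svc"], m["path"])
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

Run it as-is to see the excerpt triaged, or pass the text of a full DDS log to triage(). The AVG and ctfmon entries produce no findings, while the profile-folder autorun, the EnableLUA line, both Trusted Zone lines, the hosts override and the service with a missing file each come back with a reason attached.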

shelf life
2010-06-20, 17:33
hi,

Your post is a few days old. If you still need help simply reply to my post.

waljit
2010-06-21, 11:35
hi

Thanks for replying.

I *think* I am clean now. I spotted a couple of suspicious-looking startup entries, so I deleted those, rebooted and then ran several iterations of S&D.

It seems OK now. The fake AV software is not popping up anymore.

Is there something I can do to verify that it really is clean? That might be worthwhile.

thanks
Waljit

shelf life
2010-06-21, 23:45
You can download and run Malwarebytes as another check for now.
Is your browser functioning OK? Not ending up at websites you didn't intend to go to?

Please download Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

waljit
2010-06-22, 13:23
yes, browser is working OK. Not redirecting to other sites or anything like that.

Log below:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4223

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

22/06/2010 10:29:07
mbam-log-2010-06-22 (10-29-07).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 580893
Time elapsed: 1 hour(s), 25 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Is this closed?

thanks
Waljit

shelf life
2010-06-23, 01:21
hi,

This scareware can often come with or fetch rootkits. It's possible your package didn't. Let's get one more utility as a check for rootkits, then we will call it quits. Link and direction:

Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.exe

Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply

waljit
2010-06-23, 10:36
thanks

rootrepeal log below

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/06/23 08:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB4CD2000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB8656000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB3D55000 Size: 49152 File Visible: No Signed: -
Status: -

==EOF==

shelf life
2010-06-24, 00:26
Looks good to me. You can keep Malwarebytes and note that the free version must be updated manually and a scan started manually. If it's not updated a scan will soon be worthless. You can delete the Root Repeal icon from your desktop.
You can make a new restore point. The how and the why:

One of the features of Windows XP, Vista and Windows 7 is the System Restore option. However, if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing and making a new restore point is a good idea after malware is removed and your computer appears to be functioning ok.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore points)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (creates a new restore point on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.

And last if all is good, some tips to help you remain malware free:

10 Tips for Reducing/Preventing Your Risk To Malware:

In no special order

1) It is essential to keep your OS (Windows) (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here (http://secunia.com/vulnerability_scanning/online/).

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html) that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then it's time to *review your computer habits*. *There is no reason why your computer can not stay malware free*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem.

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider using limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) A tool (http://nsslabs.com/general/ie8-hardening-tool.html) for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Or see a slideshow (http://threatpost.com/en_us/slideshow/How%20to%20configure%20Internet%20Explorer%20for%20secure%20surfing) on how to configure IE 8.0.

10) Warez, cracks, etc. are very popular for carrying all kinds of malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks, then you are also much more likely to encounter malicious code in a downloaded file. Do you really trust the source of the file? Do you really need another malware source?

A longer version in links below.

Happy Safe Surfing.