
View Full Version : Fraud.sysguard infection



webbyguy
2010-12-21, 07:50
First thanks for your help.

Today, I got a fake antivirus program on my computer that didn't go away on my first attempt, so I tried some more, and ended up here. Unfortunately, I had tried a few things before I got here, so I hope I didn't mess anything up. I got the virus by following a link to a friend's blog (that was posting family pictures). The website came up, but it also opened a blank PDF. I'm guessing it was an Acrobat vulnerability. From then on I had been getting pop-ups warning that my computer was under attack.

I tried to install Spybot, but could not at first. I then went to my other computer, and made an AVG boot disk and a Spybot boot disk. AVG found the virus files, and deleted them. Spybot didn't find anything. I restarted and the problem was still there.

I shut down the system and started in safe mode. It appears in safe mode the virus/trojan doesn't run. I ran Spybot, and it found "fraud.sysguard", and says it fixed it. Its log is below. I also downloaded Malwarebytes Anti-Malware to my other computer, and transferred it with a thumb drive to the problem computer. (I hadn't seen the warning not to use a thumb drive on this site before I did that). The Anti-Malware didn't find anything (again, it was run after Spybot had already cleaned).

I am afraid that when I start again out of safe mode the problem will still be there. What should I do next?

Thanks

Spybot Info:


Fraud.Sysguard: [SBI $1D5B98D0] User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-975534454-977753286-5522801-46786\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes

DoubleClick: Tracking cookie (Internet Explorer: FFMYGT) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2010-12-20 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-10-05 Includes\Adware.sbi (*)
2010-11-30 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2010-12-14 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2010-11-30 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2010-12-14 Includes\KeyloggersC.sbi (*)
2010-12-14 Includes\Malware.sbi (*)
2010-12-14 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-12-14 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-12-14 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-12-14 Includes\Spyware.sbi (*)
2010-12-14 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-11-02 Includes\Trojans.sbi (*)
2010-12-16 Includes\TrojansC-02.sbi (*)
2010-12-16 Includes\TrojansC-03.sbi (*)
2010-12-16 Includes\TrojansC-04.sbi (*)
2010-12-16 Includes\TrojansC-05.sbi (*)
2010-12-16 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
DDS log:




Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org (http://www.malwarebytes.org)

Database version: 5364

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

12/20/2010 9:59:15 PM
mbam-log-2010-12-20 (21-59-15).txt

Scan type: Full scan (C:\|U:\|)
Objects scanned: 461559
Time elapsed: 1 hour(s), 15 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Sorry for the double post, but I had a little more info.

McAfee VirusScan didn't find anything either.

Also, I found some people wondering about system restore points, and I have one for about every day. I don't know if fraud.sysguard would have gotten to those too.

Oh one other question: Should I leave my computer off while waiting for a response or leave it on in safe mode or ...?

ken545
2010-12-27, 11:57
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Sorry for the delay, looks like your post slipped through the cracks, happens sometimes.

Have you resolved this or do you still need help ?

webbyguy
2010-12-27, 18:13
Yep. I still need help. Thank you.

I went ahead and left my computer off for the last week. As I said above, it appears that I don't see the malware in safe mode, and I have system restore points from before when the malware appeared (if that helps).

Thanks again.

ken545
2010-12-27, 19:05
Hi,

Glad we didn't lose you :bigthumb:

Most of the infection is in your system restore also BUT, having an infected restore point is better than no restore point, so just leave them be and when we're done we will flush it all out and create a new one.

Just post the logs we ask for please, no need to quote them


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

webbyguy
2010-12-27, 19:40
Combofix is telling me that I have "anti virus: VirusScan Enterprise + AntiSpyware Enterprise" running, but there is nothing in my taskbar, so I don't know how to turn it off. (I'm in safe mode). Should I go ahead?

webbyguy
2010-12-27, 20:27
Oh, I looked through all of my running processes, and I don't see any virus program running.

ken545
2010-12-27, 20:52
Yes, Safe mode is fine.

webbyguy
2010-12-27, 21:22
Here is the log:

ken545
2010-12-27, 22:38
Hi,


You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see. If the site says this file has been checked before, have them check it again

C:\z03fzdo5.exe <--This file

If the site is busy you can try this one
http://virusscan.jotti.org/en





OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

webbyguy
2010-12-27, 22:48
That file is gmer. I had downloaded it earlier, but I had not run it. I have sent it for analysis anyway.

When the report is ready I will send it, and I'm doing the other instructions now.

webbyguy
2010-12-27, 22:51
Here is the virustotal result:

3 VT Community user(s) with a total of 53 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: z03fzdo5.exe
Submission date: 2010-12-27 20:48:21 (UTC)
Current status: finished


Result: 0/ 43 (0.0%)
VT Community

goodware
Safety score: 100.0%
Antivirus Version Last Update Result
AhnLab-V3 2010.12.28.00 2010.12.27 -
AntiVir 7.11.0.201 2010.12.27 -
Antiy-AVL 2.0.3.7 2010.12.27 -
Avast 4.8.1351.0 2010.12.27 -
Avast5 5.0.677.0 2010.12.27 -
AVG 9.0.0.851 2010.12.27 -
BitDefender 7.2 2010.12.27 -
CAT-QuickHeal 11.00 2010.12.27 -
ClamAV 0.96.4.0 2010.12.27 -
Command 5.2.11.5 2010.12.27 -
Comodo 7206 2010.12.27 -
DrWeb 5.0.2.03300 2010.12.27 -
Emsisoft 5.1.0.1 2010.12.27 -
eSafe 7.0.17.0 2010.12.26 -
eTrust-Vet 36.1.8064 2010.12.27 -
F-Prot 4.6.2.117 2010.12.27 -
F-Secure 9.0.16160.0 2010.12.27 -
Fortinet 4.2.254.0 2010.12.27 -
GData 21 2010.12.27 -
Ikarus T3.1.1.90.0 2010.12.27 -
Jiangmin 13.0.900 2010.12.27 -
K7AntiVirus 9.74.3361 2010.12.27 -
Kaspersky 7.0.0.125 2010.12.27 -
McAfee 5.400.0.1158 2010.12.27 -
McAfee-GW-Edition 2010.1C 2010.12.27 -
Microsoft 1.6402 2010.12.27 -
NOD32 5737 2010.12.27 -
Norman 6.06.12 2010.12.27 -
nProtect 2010-12-27.01 2010.12.27 -
Panda 10.0.2.7 2010.12.27 -
PCTools 7.0.3.5 2010.12.27 -
Prevx 3.0 2010.12.27 -
Rising 22.79.06.07 2010.12.27 -
Sophos 4.60.0 2010.12.27 -
SUPERAntiSpyware 4.40.0.1006 2010.12.27 -
Symantec 20101.3.0.103 2010.12.27 -
TheHacker 6.7.0.1.106 2010.12.27 -
TrendMicro 9.120.0.1004 2010.12.27 -
TrendMicro-HouseCall 9.120.0.1004 2010.12.27 -
VBA32 3.12.14.2 2010.12.27 -
VIPRE 7849 2010.12.27 -
ViRobot 2010.12.27.4222 2010.12.27 -
VirusBuster 13.6.115.0 2010.12.27 -
Additional information
MD5 : df7501a91a7c99cc3f0269080748ee61
SHA1 : 453b6bed84bcc63f52d00b76ab6572f039c69b1f
SHA256: f2ffef9c4aee46839f249583d7469885e1bd34e49da8ddd31c7548b0d55ae85c
ssdeep: 6144:ZX2vaMjt1CDW5I/YWxZ8aSCqbrU1dGRsIjA9TqYBYEKpviwgwd:J2vaMjPCCZuzSCrLGuIjmTq2dKpviwg
File size : 296448 bytes
First seen: 2010-11-08 10:48:02
Last seen : 2010-12-27 20:48:21
TrID:
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: 1, 0, 15, 15530
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers (F-Prot): UPX
packers (Kaspersky): UPX, PE_Patch
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0xB5B80
timedatestamp....: 0x4CD7C3B7 (Mon Nov 08 09:32:39 2010)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
UPX0, 0x1000, 0x6E000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
UPX1, 0x6F000, 0x47000, 0x46E00, 7.93, 11c69a19e7a357f370f4c16b661cccf6
.rsrc, 0xB6000, 0x2000, 0x1400, 3.38, e9d1f576d3270307152849db30312caa

[[ 1 import(s) ]]
KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess

ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 290816
EntryPoint: 0xb5b80
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 290 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 1, 0, 15, 15530
FileVersionNumber: 1.0.15.15530
ImageVersion: 0.0
InitializedDataSize: 8192
LanguageCode: Polish
LinkerVersion: 8.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Dynamic link library
PEType: PE32
ProductVersionNumber: 1.0.15.15530
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2010:11:08 10:32:39+01:00
UninitializedDataSize: 450560



VT Community

3
User:jeje

Reputation:51 credits

Comment date:2010-11-09 14:30:27 (UTC)
Tags: Goodware
User:Anonymous

Reputation:1 credits

Comment date:2010-11-28 23:45:26 (UTC)
Tags: Goodware,
User:Anonymous

Reputation:1 credits

Comment date:2010-12-06 19:48:19 (UTC)
rootkit scanner
Tags: Goodware,

webbyguy
2010-12-27, 23:10
1st half of OTL.Txt:

webbyguy
2010-12-27, 23:11
2nd Half of OTL.Txt:

webbyguy
2010-12-27, 23:13
Extras.Txt:

ken545
2010-12-28, 00:08
Let me ask you, is this a company computer?

webbyguy
2010-12-28, 00:14
Yes. This is my work computer. I managed to get a virus on it within the first month, and over Christmas.

Thanks again for helping me.

ken545
2010-12-28, 01:06
Sorry, but this is as far as we can go.

http://forums.spybot.info/showthread.php?t=27710

The intention of this forum is not to replace a company's IT department, nor can we anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

The majority of the tools used in this forum are only free for Home Users and only tested on Home machines, they may well change settings that are required for a Company network. Another consideration is that company information may show in the logs.

More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

To prevent any possible loss or corruption of company information, please inform your IT department or Supervisor when a workplace computer has been infected, immediately.

It's not that we don't want to help, but there are too many issues that could arise from a networked company machine that malware forum volunteers are not experienced in dealing with.
Thank you for your understanding.