-
Fraud.sysguard
Hi,
Unfortunately it looks like my PC is infected with fraud.sysguard
I have the latest Spybot S&D, and that detects and cleans it. But when I restart the machine, the malware comes back (it runs a fake AV program).
I looked for startup entries but could not see any relevant to this.
But it must still be lurking somewhere.
Help!
DDS log below....
regards
Waljit
DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Administrator at 15:27:48.40 on 16/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3070.2688 [GMT 1:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
uSearch Page = hxxp://www.live.com
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Turn on nView Desktop Manager] rundll32.exe "c:\program files\nvidia corporation\nview\nview.dll",nViewInitialize
mRun: [bkjwyjoxhii] c:\documents and settings\nick\local settings\application data\nvvulct\ynuree.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: buy-security-essentials.com
Trusted Zone: download-soft-package.com
Trusted Zone: download-software-package.com
Trusted Zone: get-key-se10.com
Trusted Zone: is-software-download.com
Trusted Zone: buy-security-essentials.com
Trusted Zone: get-key-se10.com
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1271355140750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {1FF2C6C8-A641-4523-92C8-4B83393E70AB} = 212.159.13.49,212.159.13.50
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\wuwkl6nt.default\
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {E69C2460-C871-4D26-B2A1-93DBF2FDA079} - c:\documents and settings\nick\local settings\application data\{E69C2460-C871-4D26-B2A1-93DBF2FDA079}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-8-5 24064]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-12 242896]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2009-8-5 176640]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 1.1.14.0;c:\windows\system32\drivers\libusb0.sys [2010-5-19 22400]
S0 mmmlwkr;mmmlwkr; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-12 216200]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-12 29584]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-21 308064]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-17 136176]
S2 ParPort2k;Zeecube ParPort 2000;c:\windows\system32\drivers\ParPort2k.sys [2009-10-10 6421]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2009-8-20 17149]
S3 FTCSER2K;FTDI USB Dual Serial Port Driver;c:\windows\system32\drivers\ftcser2k.sys [2009-9-21 56031]
S3 FTCUSB;FTCUSB.SYS FT2232C IO test driver;c:\windows\system32\drivers\ftcusb.sys [2009-9-21 43235]
S3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [2009-8-20 472644]
=============== Created Last 30 ================
2010-06-16 14:00:02 0 d-----w- c:\program files\Safer Networking
2010-06-16 13:37:27 0 d-----w- c:\windows\pss
2010-06-10 17:43:34 3251 ----a-w- c:\windows\system32\wbem\Outlook_01cb08c472f0549a.mof
2010-06-10 15:45:24 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-07 16:37:59 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-06-07 16:37:53 0 d-----w- c:\program files\NVIDIA Corporation
2010-06-07 16:37:23 9046 ----a-w- c:\windows\system32\nvinfo.pb
2010-06-07 16:37:23 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-06-07 16:37:22 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-06-07 16:37:22 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-06-07 16:37:22 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-06-07 16:37:17 0 d-----w- C:\NVIDIA
2010-06-07 16:30:38 0 d-----w- c:\program files\SystemRequirementsLab
2010-05-31 16:39:41 3251 ----a-w- c:\windows\system32\wbem\Outlook_01cb00dfde3ee744.mof
2010-05-30 10:25:43 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-05-30 09:47:44 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-30 09:47:44 215920 ----a-w- c:\windows\system32\muweb.dll
2010-05-30 09:47:44 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-05-25 15:49:49 0 d-----w- c:\program files\Pixim
2010-05-19 17:44:43 37376 ----a-w- c:\windows\system32\libusb0.dll
2010-05-19 17:44:43 22400 ----a-w- c:\windows\system32\drivers\libusb0.sys
2010-05-19 17:44:43 0 d-----w- c:\program files\LibUSB-Win32
==================== Find3M ====================
2010-06-03 07:01:23 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-11 15:43:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 06:34:15 1860352 ----a-w- c:\windows\system32\win32k.sys
2010-04-21 07:19:39 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-21 07:19:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-03 22:55:31 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-04-03 22:55:31 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-03 22:55:31 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-03 22:55:31 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-03 22:55:31 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-03 22:55:31 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-03 22:55:31 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-03 22:55:31 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-03 18:23:18 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 18:23:16 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 18:23:16 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 18:23:16 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 18:23:16 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 18:22:54 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-04-02 15:54:38 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-06-10 21:57:27 32768 ----a-w- c:\program files\common files\keydll3.dll
2003-06-19 10:05:04 431888 --s-a-w- c:\program files\common files\riched20.dll
2010-03-08 14:34:28 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
============= FINISH: 15:28:09.84 ===============
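As an added illustration (not part of the thread and not DDS's own logic), here is a small Python triage pass over the kinds of lines that appear in the DDS "Pseudo HJT" and "SERVICES / DRIVERS" sections above. It flags the entry types a helper looks at first: autostarts launched from per-user data directories, IE Trusted Zone additions, hosts-file overrides, and services whose image file is missing. The heuristics are my assumptions, not DDS rules, and the embedded sample is a subset of the posted log.

```python
import re

# A handful of "Pseudo HJT Report" and "SERVICES / DRIVERS" lines taken from
# the DDS log posted above (only the lines needed for this demonstration).
SAMPLE_LOG = r"""
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [bkjwyjoxhii] c:\documents and settings\nick\local settings\application data\nvvulct\ynuree.exe
Trusted Zone: buy-security-essentials.com
Hosts: 127.0.0.1 www.spywareinfo.com
S0 mmmlwkr;mmmlwkr; [x]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-12 242896]
"""

# Heuristic (assumption): autostarts run from writable per-user data folders
# deserve a manual look, since installed software rarely lives there on XP.
USER_DATA_DIRS = ("\\local settings\\application data\\", "\\application data\\", "\\temp\\")
RUN_RE = re.compile(r"^(uRun|mRun|dRun): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<desc>[^;]*);(?P<file>.*)$")


def triage_line(line):
    """Return a short reason string if the line is worth reviewing, else None."""
    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd").lower()
        if any(d in cmd for d in USER_DATA_DIRS):
            return "autostart from user data directory: " + m.group("name")
        return None
    if line.startswith("Trusted Zone: "):
        # Rogue AV adds its own payment/download domains to the IE Trusted Zone.
        return "unexpected IE Trusted Zone entry: " + line[len("Trusted Zone: "):]
    if line.startswith("Hosts: "):
        # A hosts override that points a security site at localhost blocks cleanup help.
        return "hosts file override: " + line[len("Hosts: "):]
    m = SVC_RE.match(line)
    if m and m.group("file").strip() == "[x]":
        # DDS prints [x] when the service's image file no longer exists on disk.
        return "service/driver with missing image file: " + m.group("name")
    return None


def triage(log_text):
    """Run triage_line over every line; return a list of (reason, line) pairs."""
    findings = []
    for line in log_text.splitlines():
        reason = triage_line(line.strip())
        if reason:
            findings.append((reason, line.strip()))
    return findings
```

A flagged line is a prompt to research the entry, not a verdict; the AVG lines in the sample pass untouched while the four entries a helper would question are returned.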
-
hi,
Your post is a few days old. If you still need help simply reply to my post.
-
hi
Thanks for replying.
I *think* I am clean now. I spotted a couple of suspicious-looking startup entries, so deleted those, rebooted and then ran several iterations of S&D.
It seems OK now. The fake AV software is not popping up anymore.
Is there something I can do to verify that it really is clean? That might be worthwhile.
thanks
Waljit
-
You can download and run Malwarebytes as another check for now.
Is your browser functioning ok? Not ending up at web sites you didn't intend to go to?
Please download Malwarebytes to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click *Remove Selected.*
*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
-
yes, browser is working OK. Not redirecting to other sites or anything like that.
Log below:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4223
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
22/06/2010 10:29:07
mbam-log-2010-06-22 (10-29-07).txt
Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 580893
Time elapsed: 1 hour(s), 25 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Is this closed?
thanks
Waljit
-
hi,
This scareware can often come with or fetch rootkits. It's possible your package didn't. Let's get one more utility as a check for rootkits, then we will call it quits. Link and direction:
Please download: RootRepeal
http://ad13.geekstogo.com/RootRepeal.exe
Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan
May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply