Hi,

Unfortunately it looks like my PC is infected with fraud.sysguard.

I have the latest Spybot S&D, and that detects and cleans it. But when I restart the machine, the malware comes back (it runs a fake AV program).

I looked for startup entries but could not see any relevant to this.

But it must still be lurking somewhere.

Help!

DDS log below...

regards
Waljit


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Administrator at 15:27:48.40 on 16/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3070.2688 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.live.com
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Turn on nView Desktop Manager] rundll32.exe "c:\program files\nvidia corporation\nview\nview.dll",nViewInitialize
mRun: [bkjwyjoxhii] c:\documents and settings\nick\local settings\application data\nvvulct\ynuree.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: buy-security-essentials.com
Trusted Zone: download-soft-package.com
Trusted Zone: download-software-package.com
Trusted Zone: get-key-se10.com
Trusted Zone: is-software-download.com
Trusted Zone: buy-security-essentials.com
Trusted Zone: get-key-se10.com
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1271355140750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {1FF2C6C8-A641-4523-92C8-4B83393E70AB} = 212.159.13.49,212.159.13.50
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\wuwkl6nt.default\
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {E69C2460-C871-4D26-B2A1-93DBF2FDA079} - c:\documents and settings\nick\local settings\application data\{E69C2460-C871-4D26-B2A1-93DBF2FDA079}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-8-5 24064]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-12 242896]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2009-8-5 176640]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 1.1.14.0;c:\windows\system32\drivers\libusb0.sys [2010-5-19 22400]
S0 mmmlwkr;mmmlwkr; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-12 216200]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-12 29584]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-21 308064]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-17 136176]
S2 ParPort2k;Zeecube ParPort 2000;c:\windows\system32\drivers\ParPort2k.sys [2009-10-10 6421]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2009-8-20 17149]
S3 FTCSER2K;FTDI USB Dual Serial Port Driver;c:\windows\system32\drivers\ftcser2k.sys [2009-9-21 56031]
S3 FTCUSB;FTCUSB.SYS FT2232C IO test driver;c:\windows\system32\drivers\ftcusb.sys [2009-9-21 43235]
S3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [2009-8-20 472644]

=============== Created Last 30 ================

2010-06-16 14:00:02 0 d-----w- c:\program files\Safer Networking
2010-06-16 13:37:27 0 d-----w- c:\windows\pss
2010-06-10 17:43:34 3251 ----a-w- c:\windows\system32\wbem\Outlook_01cb08c472f0549a.mof
2010-06-10 15:45:24 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-07 16:37:59 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-06-07 16:37:53 0 d-----w- c:\program files\NVIDIA Corporation
2010-06-07 16:37:23 9046 ----a-w- c:\windows\system32\nvinfo.pb
2010-06-07 16:37:23 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-06-07 16:37:22 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-06-07 16:37:22 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-06-07 16:37:22 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-06-07 16:37:17 0 d-----w- C:\NVIDIA
2010-06-07 16:30:38 0 d-----w- c:\program files\SystemRequirementsLab
2010-05-31 16:39:41 3251 ----a-w- c:\windows\system32\wbem\Outlook_01cb00dfde3ee744.mof
2010-05-30 10:25:43 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-05-30 09:47:44 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-30 09:47:44 215920 ----a-w- c:\windows\system32\muweb.dll
2010-05-30 09:47:44 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-05-25 15:49:49 0 d-----w- c:\program files\Pixim
2010-05-19 17:44:43 37376 ----a-w- c:\windows\system32\libusb0.dll
2010-05-19 17:44:43 22400 ----a-w- c:\windows\system32\drivers\libusb0.sys
2010-05-19 17:44:43 0 d-----w- c:\program files\LibUSB-Win32

==================== Find3M ====================

2010-06-03 07:01:23 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-11 15:43:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 06:34:15 1860352 ----a-w- c:\windows\system32\win32k.sys
2010-04-21 07:19:39 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-21 07:19:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-03 22:55:31 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-04-03 22:55:31 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-03 22:55:31 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-03 22:55:31 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-03 22:55:31 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-03 22:55:31 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-03 22:55:31 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-03 22:55:31 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-03 18:23:18 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 18:23:16 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 18:23:16 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 18:23:16 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 18:23:16 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 18:22:54 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-04-02 15:54:38 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-06-10 21:57:27 32768 ----a-w- c:\program files\common files\keydll3.dll
2003-06-19 10:05:04 431888 --s-a-w- c:\program files\common files\riched20.dll
2010-03-08 14:34:28 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 15:28:09.84 ===============