Results 1 to 8 of 8

Thread: Fraud.sysguard

  1. #1
    Junior Member
    Join Date
    Jun 2010

    Default Fraud.sysguard


    Unfortunately it looks like my PC is infected with fraud.sysguard

    I have the latest Spybot S&D, and that detects and cleans it. But when I re-start the machine, the malware comes back (it runs a fake AV program).

    I looked for startup entries but could not see any relevant to this.

    But it must still be lurking somewhere.


    DDS log below....


    DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
    Run by Administrator at 15:27:48.40 on 16/06/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3070.2688 [GMT 1:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [nwiz] nwiz.exe /installquiet
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [Turn on nView Desktop Manager] rundll32.exe "c:\program files\nvidia corporation\nview\nview.dll",nViewInitialize
    mRun: [bkjwyjoxhii] c:\documents and settings\nick\local settings\application data\nvvulct\ynuree.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe
    uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    Trusted Zone:
    Trusted Zone:
    Trusted Zone:
    Trusted Zone:
    Trusted Zone:
    Trusted Zone:
    Trusted Zone:
    DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://
    TCP: {1FF2C6C8-A641-4523-92C8-4B83393E70AB} =,
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: avgrsstarter - avgrsstx.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\wuwkl6nt.default\
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: XULRunner: {E69C2460-C871-4D26-B2A1-93DBF2FDA079} - c:\documents and settings\nick\local settings\application data\{E69C2460-C871-4D26-B2A1-93DBF2FDA079}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-8-5 24064]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-12 242896]
    R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2009-8-5 176640]
    R3 libusb0;LibUsb-Win32 - Kernel Driver, Version;c:\windows\system32\drivers\libusb0.sys [2010-5-19 22400]
    S0 mmmlwkr;mmmlwkr; [x]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-12 216200]
    S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-12 29584]
    S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-21 308064]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-17 136176]
    S2 ParPort2k;Zeecube ParPort 2000;c:\windows\system32\drivers\ParPort2k.sys [2009-10-10 6421]
    S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2009-8-20 17149]
    S3 FTCSER2K;FTDI USB Dual Serial Port Driver;c:\windows\system32\drivers\ftcser2k.sys [2009-9-21 56031]
    S3 FTCUSB;FTCUSB.SYS FT2232C IO test driver;c:\windows\system32\drivers\ftcusb.sys [2009-9-21 43235]
    S3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [2009-8-20 472644]

    =============== Created Last 30 ================

    2010-06-16 14:00:02 0 d-----w- c:\program files\Safer Networking
    2010-06-16 13:37:27 0 d-----w- c:\windows\pss
    2010-06-10 17:43:34 3251 ----a-w- c:\windows\system32\wbem\Outlook_01cb08c472f0549a.mof
    2010-06-10 15:45:24 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-06-07 16:37:59 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
    2010-06-07 16:37:53 0 d-----w- c:\program files\NVIDIA Corporation
    2010-06-07 16:37:23 9046 ----a-w- c:\windows\system32\nvinfo.pb
    2010-06-07 16:37:23 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-06-07 16:37:22 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-06-07 16:37:22 2183470 ----a-w- c:\windows\system32\nvdata.bin
    2010-06-07 16:37:22 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-06-07 16:37:17 0 d-----w- C:\NVIDIA
    2010-06-07 16:30:38 0 d-----w- c:\program files\SystemRequirementsLab
    2010-05-31 16:39:41 3251 ----a-w- c:\windows\system32\wbem\Outlook_01cb00dfde3ee744.mof
    2010-05-30 10:25:43 0 d-----w- c:\program files\Microsoft CAPICOM
    2010-05-30 09:47:44 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-05-30 09:47:44 215920 ----a-w- c:\windows\system32\muweb.dll
    2010-05-30 09:47:44 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
    2010-05-25 15:49:49 0 d-----w- c:\program files\Pixim
    2010-05-19 17:44:43 37376 ----a-w- c:\windows\system32\libusb0.dll
    2010-05-19 17:44:43 22400 ----a-w- c:\windows\system32\drivers\libusb0.sys
    2010-05-19 17:44:43 0 d-----w- c:\program files\LibUSB-Win32

    ==================== Find3M ====================

    2010-06-03 07:01:23 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-05-11 15:43:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 06:34:15 1860352 ----a-w- c:\windows\system32\win32k.sys
    2010-04-21 07:19:39 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-04-21 07:19:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-03 22:55:31 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
    2010-04-03 22:55:31 600680 ----a-w- c:\windows\system32\nvudisp.exe
    2010-04-03 22:55:31 4075520 ----a-w- c:\windows\system32\nvcuda.dll
    2010-04-03 22:55:31 227944 ----a-w- c:\windows\system32\nvcodins.dll
    2010-04-03 22:55:31 227944 ----a-w- c:\windows\system32\nvcod.dll
    2010-04-03 22:55:31 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-04-03 22:55:31 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
    2010-04-03 22:55:31 1097728 ----a-w- c:\windows\system32\nvapi.dll
    2010-04-03 18:23:18 278120 ----a-w- c:\windows\system32\nvmccs.dll
    2010-04-03 18:23:16 154216 ----a-w- c:\windows\system32\nvsvc32.exe
    2010-04-03 18:23:16 145000 ----a-w- c:\windows\system32\nvcolor.exe
    2010-04-03 18:23:16 13670504 ----a-w- c:\windows\system32\nvcpl.dll
    2010-04-03 18:23:16 110696 ----a-w- c:\windows\system32\nvmctray.dll
    2010-04-03 18:22:54 81920 ----a-w- c:\windows\system32\nvwddi.dll
    2010-04-02 15:54:38 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
    2009-06-10 21:57:27 32768 ----a-w- c:\program files\common files\keydll3.dll
    2003-06-19 10:05:04 431888 --s-a-w- c:\program files\common files\riched20.dll
    2010-03-08 14:34:28 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

    ============= FINISH: 15:28:09.84 ===============

  2. #2
    Join Date
    Nov 2005



    Your post is a few days old. If you still need help simply reply to my post.
    How Can I Reduce My Risk?

  3. #3
    Junior Member
    Join Date
    Jun 2010



    Thanks for replying.

    I *think* I am clean now. I spotted a couple suspicious looking startup entries, so deleted those, rebooted and then ran several iterations of S&D.

    It seems OK now. The fake AV software is not popping up anymore.

    Is there something I can do to verify that it really is clean? That might be worthwhile.


  4. #4
    Join Date
    Nov 2005


    You can download and run Malwarebytes as another check for now.
    Is your browser functioning ok? Not ending up at web sites you didnt intend to go to?

    Please download Malwarebytes to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.

    Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    If an update is found, it will download and install the latest version.

    Once the program has loaded, select Perform FULL SCAN, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.

    Be sure that everything is checked, and click *Remove Selected.*

    *A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

    When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    How Can I Reduce My Risk?

  5. #5
    Junior Member
    Join Date
    Jun 2010


    yes, browser is working OK. Not redirecting to other sites or anything like that.

    Log below:

    Malwarebytes' Anti-Malware 1.46

    Database version: 4223

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    22/06/2010 10:29:07
    mbam-log-2010-06-22 (10-29-07).txt

    Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)
    Objects scanned: 580893
    Time elapsed: 1 hour(s), 25 minute(s), 41 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Is this closed?


  6. #6
    Join Date
    Nov 2005



    This scareware can often come or fetch rootkits. Its possible your package didnt. Lets get one more utility as a check for rootkits, then we will call it quits. Link and direction:

    Please download: RootRepeal

    Click the icon on your desktop to start.
    Click on the Report tab at the bottom of the window
    Next, Click on the Scan button
    In the Select Scan Window check everything:

    Stealth Objects
    Hidden Services

    Click the OK button
    In the next dialog window select all the drives that are listed
    Click OK to start the scan

    May take some time to complete.
    When done click the Save Report button.
    Save the report to your desktop
    To Exit RootRepeal: click File>Exit
    Post the report in your reply
    How Can I Reduce My Risk?

  7. #7
    Junior Member
    Join Date
    Jun 2010



    rootrepeal log below

    ROOTREPEAL (c) AD, 2007-2009
    Scan Start Time: 2010/06/23 08:16
    Program Version: Version
    Windows Version: Windows XP SP3

    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xB4CD2000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xB8656000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xB3D55000 Size: 49152 File Visible: No Signed: -
    Status: -

    Last edited by tashi; 2010-07-13 at 20:33. Reason: Date of archive

  8. #8
    Join Date
    Nov 2005


    looks good to me. You can keep malwarebytes and note that the free version must be updated manually and a scan started manually. If its not updated a scan will soon be worthless. You can delete the Root Repeal icon from your desktop.
    You can make a new restore point. The how and the why:

    One of the features of Windows XP, Vista and Windows 7 is the System Restore option. However, if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing and making a new restore point is a good idea after malware is removed and your computer appears to be functioning ok.

    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.


    1. Turn off System Restore. (deletes old possibly infected restore points)
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore.(creates a new restore point on a clean system)
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK, then reboot

    And last if all is good, some tips to help you remain malware free:

    10 Tips for Reducing/Preventing Your Risk To Malware:

    In no special order

    1) It is essential to keep your OS,(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check there version status here.

    2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

    3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*. *There is no reason why your computer can not stay malware free*.

    4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem.

    5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

    6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

    7) Consider using limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

    8) Install and understand the *limitations* of a software firewall.

    9) A tool for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Or see a slideshow on how to configure IE 8.0.

    10) Warez, cracks etc are very popular for carrying all kinds of malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks, then you are also much more likely to encounter malicious code in a downloaded file. Do you really trust the source of the file? Do you really need another malware source?

    A longer version in links below.

    Happy Safe Surfing.
    How Can I Reduce My Risk?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts