spywareguard.exe & winscenter.exe


This topic is locked
10 replies to this topic

#1 ktb2008

Posted 12 December 2008 - 10:07 AM

Last night I began having pop-up windows claiming that they were the Windows Security Center and Spyware Guard 2008. Knowing this to be a malware infection, I took a look at the processes in my Task Manager, and have narrowed down the offending programs to spywareguard.exe and winscenter.exe, because when I end these processes the windows go away.

However, it seems this infection is preventing me from even getting to the Kaspersky Online Scanner, as well as the download for the RSIT tool. Moreover, it is preventing me from executing the HiJackThis tool, or installing SuperAntiSpyWare or MalwareBytes Spyware tool. It won't even let me get to www.bleepingcomputer.com, so I'm having to post this from another machine!

So, I basically do not know where to begin, and need some help. Thanks in advance!

#2 boopme (Global Moderator)

Posted 12 December 2008 - 04:27 PM

Hi, try downloading either MBAM or SUPER off another PC, then transfer and run it on the infected machine. Transfer it on a CD, USB/flash drive or other removable media.

I will post their instructions here so you can print them off the clean PC.
MBAM
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

SAS
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#3 ktb2008 (Topic Starter)

Posted 15 December 2008 - 09:54 AM

Last week I began having three pop-up windows claiming that they were the Windows Security Center and Spyware Guard 2008. I did not click anything on these windows. Knowing this to be a malware infection, I took a look at the processes in my Task Manager, and have narrowed down the offending programs to spywareguard.exe and winscenter.exe, because when I end these processes the windows go away. Obviously they keep reappearing, though.

However, it seems this infection is preventing me from even getting to the Kaspersky Online Scanner, as well as the download for the RSIT tool. Moreover, it is preventing me from executing the HiJackThis tool, or installing SuperAntiSpyWare or MalwareBytes Spyware tool. I've tried downloading their installs from another machine, writing them to a CD, and installing them that way, to no avail. It won't even let me get to www.bleepingcomputer.com, so I'm having to post this from another machine!

So, I basically do not know where to begin, and need some help. Thanks in advance!

#4 Orange Blossom (Moderator)

Posted 15 December 2008 - 07:59 PM

Hello ktb2008,

I've merged your most recent topic in the HiJack This forum to your currently existing topic here in the Am I Infected forum. Please keep all responses concerning this issue to this topic by using the Add Reply button at the bottom of the topic unless you have been asked to post a new topic in the HiJack This forum. Posting more than one topic on the same issue confuses things and delays the assistance you receive.

Back to you boopme,

Orange Blossom :thumbsup:

#5 ktb2008 (Topic Starter)

Posted 16 December 2008 - 11:01 AM

Sorry for the confusion. I think my original post was also moved from the HiJack This forum to the Am I Infected forum, and when I didn't see it there, I reposted the topic.

Nevertheless, I had tried the idea of downloading SuperAntiSpyware and MalwareBytes Anti-Malware from another machine, writing them to a CD, then installing them on the infected machine from there, but even that didn't work. However, I did find in another post that someone renamed the extensions from .exe to .bat to get them to install, and I tried that last night and it worked. Moreover, it also worked for HiJack This. So, I'm going to try and run some of these things tonight, and hopefully I'll have some results.

#6 boopme (Global Moderator)

Posted 16 December 2008 - 02:32 PM

OK good work. Post the MBam and SAAS logs here. Hold on with the Hijack log.

#7 ktb2008 (Topic Starter)

Posted 17 December 2008 - 06:07 AM

Hi there,

Well, I've done two scans with each tool, and at least the visible symptoms of the infection are gone. I also want to add that when I first noticed this infection, and noticed that I could not get to certain sites, like BleepingComputer.com, I disconnected the machine from the internet. I did not reconnect it until after running the first MBam and SAAS scans, and then I only reconnected it to update MBam and SAAS for the second scans. I just did it this way because I didn't feel comfortable having it connected to the internet when I could definitely see that it was infected. Anyway, here are the logs:

SAAS First Scan

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/15/2008 at 11:29 PM

Application Version : 4.23.1006

Core Rules Database Version : 3661
Trace Rules Database Version: 1641

Scan type : Complete Scan
Total Scan Time : 03:24:53

Memory items scanned : 458
Memory threats detected : 0
Registry items scanned : 6280
Registry threats detected : 138
File items scanned : 26334
File threats detected : 53

Unclassified.Unknown Origin
HKU\S-1-5-21-917946865-427553245-1542357927-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D1C4E81-A32A-416B-BCDB-33B3EF3617D3}

InstaFinderK BHO
HKU\S-1-5-21-917946865-427553245-1542357927-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-90F0-F66AB581A933}

Adware.Tracking Cookie
C:\Documents and Settings\Keith\Cookies\keith@collective-media[2].txt
C:\Documents and Settings\Keith\Cookies\keith@revsci[2].txt
C:\Documents and Settings\Keith\Cookies\keith@ads.cnn[2].txt
C:\Documents and Settings\Keith\Cookies\keith@insightexpressai[1].txt
C:\Documents and Settings\Keith\Cookies\keith@ads.lucidmedia[2].txt
C:\Documents and Settings\Keith\Cookies\keith@realmedia[1].txt
C:\Documents and Settings\Keith\Cookies\keith@at.atwola[1].txt
C:\Documents and Settings\Keith\Cookies\keith@statcounter[1].txt
C:\Documents and Settings\Keith\Cookies\keith@ads.pointroll[1].txt
C:\Documents and Settings\Keith\Cookies\keith@atwola[1].txt
C:\Documents and Settings\Keith\Cookies\keith@cache.trafficmp[1].txt
C:\Documents and Settings\Keith\Cookies\keith@questionmarket[2].txt
C:\Documents and Settings\Keith\Cookies\keith@advertising[2].txt
C:\Documents and Settings\Keith\Cookies\keith@sexyads[1].txt
C:\Documents and Settings\Keith\Cookies\keith@mediaplex[2].txt
C:\Documents and Settings\Keith\Cookies\keith@www.burstnet[1].txt
C:\Documents and Settings\Keith\Cookies\keith@richmedia.yahoo[2].txt
C:\Documents and Settings\Keith\Cookies\keith@timeinc.122.2o7[1].txt
C:\Documents and Settings\Keith\Cookies\keith@antivirus-rapid-scanner[1].txt
C:\Documents and Settings\Keith\Cookies\keith@interclick[2].txt
C:\Documents and Settings\Keith\Cookies\keith@waterfrontmedia.112.2o7[1].txt
C:\Documents and Settings\Keith\Cookies\keith@ad.yieldmanager[1].txt
C:\Documents and Settings\Keith\Cookies\keith@trafficmp[2].txt
C:\Documents and Settings\Keith\Cookies\keith@2o7[1].txt
C:\Documents and Settings\Keith\Cookies\keith@iacas.adbureau[1].txt
C:\Documents and Settings\Keith\Cookies\keith@247realmedia[2].txt
C:\Documents and Settings\Keith\Cookies\keith@media6degrees[2].txt
C:\Documents and Settings\Keith\Cookies\keith@ar.atwola[1].txt
C:\Documents and Settings\Keith\Cookies\keith@tacoda[1].txt
C:\Documents and Settings\Keith\Cookies\keith@cdn.at.atwola[1].txt
C:\Documents and Settings\Keith\Cookies\keith@clicksoverview[1].txt

Rogue.SpywareGuard2008
HKU\S-1-5-21-917946865-427553245-1542357927-1006\Software\Spyware Guard
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008#InstallDate
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008#DisplayName
C:\Program Files\Spyware Guard 2008\conf.cfg
C:\Program Files\Spyware Guard 2008\mbase.vdb
C:\Program Files\Spyware Guard 2008\quarantine
C:\Program Files\Spyware Guard 2008\quarantine.vdb
C:\Program Files\Spyware Guard 2008\queue.vdb
C:\Program Files\Spyware Guard 2008\spywareguard.exe
C:\Program Files\Spyware Guard 2008\uninstall.exe
C:\Program Files\Spyware Guard 2008\vbase.vdb
C:\Program Files\Spyware Guard 2008
C:\Documents and Settings\Keith\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk
C:\Documents and Settings\Keith\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk
C:\Documents and Settings\Keith\Start Menu\Programs\Spyware Guard 2008
C:\WINDOWS\reged.exe
C:\WINDOWS\spoolsystem.exe
C:\WINDOWS\sys.com
C:\WINDOWS\syscert.exe
C:\WINDOWS\sysexplorer.exe
C:\WINDOWS\vmreg.dll
C:\Documents and Settings\Keith\Desktop\Spyware Guard 2008.lnk
C:\WINDOWS\Prefetch\SPYWAREGUARD.EXE-1D259822.pf

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\outerinfo+uninstall
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\outerinfo+uninstall#LU
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\outerinfo+uninstall#CT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\outerinfo+uninstall#LT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CPS
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
HKLM\SOFTWARE\Microsoft\contim
HKLM\SOFTWARE\Microsoft\contim#SysShell
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid
HKLM\SOFTWARE\Microsoft\MS Track System#Shows
HKLM\SOFTWARE\Microsoft\MS Track System#Uqs
HKLM\SOFTWARE\Microsoft\MS Track System#Click1
HKLM\SOFTWARE\Microsoft\MS Track System#Click2
HKLM\SOFTWARE\Microsoft\rdfa
HKLM\SOFTWARE\Microsoft\rdfa#F
HKLM\SOFTWARE\Microsoft\rdfa#N

Rogue.Component/Trace
HKLM\Software\Microsoft\F0CB0BB9
HKLM\Software\Microsoft\F0CB0BB9#f0cb0bb9
HKLM\Software\Microsoft\F0CB0BB9#Version
HKLM\Software\Microsoft\F0CB0BB9#f0cba639
HKLM\Software\Microsoft\F0CB0BB9#f0cbcfdc

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-917946865-427553245-1542357927-1006\SOFTWARE\Microsoft\fias4013

Rootkit.TDSServ
HKLM\SOFTWARE\TDSS
HKLM\SOFTWARE\TDSS#build
HKLM\SOFTWARE\TDSS#type
HKLM\SOFTWARE\TDSS#affid
HKLM\SOFTWARE\TDSS#subid
HKLM\SOFTWARE\TDSS#cmddelay
HKLM\SOFTWARE\TDSS#serversdown
HKLM\SOFTWARE\TDSS\connections
HKLM\SOFTWARE\TDSS\connections#f6065612
HKLM\SOFTWARE\TDSS\connections#8f214514
HKLM\SOFTWARE\TDSS\disallowed
HKLM\SOFTWARE\TDSS\disallowed#trsetup.exe
HKLM\SOFTWARE\TDSS\disallowed#ViewpointService.exe
HKLM\SOFTWARE\TDSS\disallowed#ViewMgr.exe
HKLM\SOFTWARE\TDSS\disallowed#SpySweeper.exe
HKLM\SOFTWARE\TDSS\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\TDSS\disallowed#SpySub.exe
HKLM\SOFTWARE\TDSS\disallowed#SpywareTerminatorShield.exe
HKLM\SOFTWARE\TDSS\disallowed#SpyHunter3.exe
HKLM\SOFTWARE\TDSS\disallowed#XoftSpy.exe
HKLM\SOFTWARE\TDSS\disallowed#SpyEraser.exe
HKLM\SOFTWARE\TDSS\disallowed#combofix.exe
HKLM\SOFTWARE\TDSS\disallowed#otscanit.exe
HKLM\SOFTWARE\TDSS\disallowed#mbam.exe
HKLM\SOFTWARE\TDSS\disallowed#mbam-setup.exe
HKLM\SOFTWARE\TDSS\disallowed#flash_disinfector.exe
HKLM\SOFTWARE\TDSS\disallowed#otmoveit2.exe
HKLM\SOFTWARE\TDSS\disallowed#smitfraudfix.exe
HKLM\SOFTWARE\TDSS\disallowed#prevxcsifree.exe
HKLM\SOFTWARE\TDSS\disallowed#download_mbam-setup.exe
HKLM\SOFTWARE\TDSS\disallowed#cbo_setup.exe
HKLM\SOFTWARE\TDSS\disallowed#spywareblastersetup.exe
HKLM\SOFTWARE\TDSS\disallowed#rminstall.exe
HKLM\SOFTWARE\TDSS\disallowed#sdsetup.exe
HKLM\SOFTWARE\TDSS\disallowed#vundofixsvc.exe
HKLM\SOFTWARE\TDSS\disallowed#daft.exe
HKLM\SOFTWARE\TDSS\disallowed#gmer.exe
HKLM\SOFTWARE\TDSS\disallowed#catchme.exe
HKLM\SOFTWARE\TDSS\disallowed#mcpr.exe
HKLM\SOFTWARE\TDSS\disallowed#sdfix.exe
HKLM\SOFTWARE\TDSS\disallowed#hjtinstall.exe
HKLM\SOFTWARE\TDSS\disallowed#fixpolicies.exe
HKLM\SOFTWARE\TDSS\disallowed#emergencyutil.exe
HKLM\SOFTWARE\TDSS\disallowed#techweb.exe
HKLM\SOFTWARE\TDSS\disallowed#GoogleUpdate.exe
HKLM\SOFTWARE\TDSS\disallowed#windowsdefender.exe
HKLM\SOFTWARE\TDSS\disallowed#spybotsd.exe
HKLM\SOFTWARE\TDSS\injector
HKLM\SOFTWARE\TDSS\injector#*
HKLM\SOFTWARE\TDSS\versions
HKLM\SOFTWARE\TDSS\versions#/tdss/crcmds/init
HKLM\SOFTWARE\TDSS\versions#/tdss2/crcmds/init
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#affid
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#subid
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#control
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#prov
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#googleadserver
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#flagged
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#start
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#type
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#imagepath
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#group
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSserv
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSl
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssservers
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssmain
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsslog
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssadw
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssinit
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssurls
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsspanels
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsserrors
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSproc
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#NextInstance

Trojan.Net-SvHoster
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\PROTECT\SVHOST.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SVHOST.EXE

SAAS Second Scan

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/16/2008 at 07:51 PM

Application Version : 4.23.1006

Core Rules Database Version : 3676
Trace Rules Database Version: 1655

Scan type : Complete Scan
Total Scan Time : 02:22:25

Memory items scanned : 442
Memory threats detected : 3
Registry items scanned : 6282
Registry threats detected : 15
File items scanned : 26610
File threats detected : 25

Rogue.SpywareGuard2008
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\DLLS\MODULEIE.DLL
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\DLLS\MODULEIE.DLL
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\DLLS\IEMODULE.DLL
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\DLLS\IEMODULE.DLL
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\DLLS\SMJDCIXQBR.DLL
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\DLLS\SMJDCIXQBR.DLL
HKLM\Software\Classes\CLSID\{E18E6404-5E0A-4156-82F2-7F337E69C0C9}
HKCR\CLSID\{E18E6404-5E0A-4156-82F2-7F337E69C0C9}
HKCR\CLSID\{E18E6404-5E0A-4156-82F2-7F337E69C0C9}\InprocServer32
HKCR\CLSID\{E18E6404-5E0A-4156-82F2-7F337E69C0C9}\InprocServer32#ThreadingModel
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#ieModule
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008#InstallDate
C:\Program Files\Spyware Guard 2008\conf.cfg
C:\Program Files\Spyware Guard 2008\mbase.vdb
C:\Program Files\Spyware Guard 2008\quarantine
C:\Program Files\Spyware Guard 2008\quarantine.vdb
C:\Program Files\Spyware Guard 2008\queue.vdb
C:\Program Files\Spyware Guard 2008\spywareguard.exe
C:\Program Files\Spyware Guard 2008\uninstall.exe
C:\Program Files\Spyware Guard 2008\vbase.vdb
C:\Program Files\Spyware Guard 2008
C:\Documents and Settings\Keith\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk
C:\Documents and Settings\Keith\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk
C:\Documents and Settings\Keith\Start Menu\Programs\Spyware Guard 2008
C:\WINDOWS\reged.exe
C:\WINDOWS\spoolsystem.exe
C:\WINDOWS\sys.com
C:\WINDOWS\syscert.exe
C:\WINDOWS\sysexplorer.exe
C:\WINDOWS\vmreg.dll
C:\Documents and Settings\Keith\Desktop\Spyware Guard 2008.lnk
C:\WINDOWS\Prefetch\SPYWAREGUARD.EXE-1D259822.pf

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{94F93E23-6853-4A61-B5B2-FCA6485FEA4C}
HKCR\CLSID\{94F93E23-6853-4A61-B5B2-FCA6485FEA4C}
HKCR\CLSID\{94F93E23-6853-4A61-B5B2-FCA6485FEA4C}
HKCR\CLSID\{94F93E23-6853-4A61-B5B2-FCA6485FEA4C}\InprocServer32
HKCR\CLSID\{94F93E23-6853-4A61-B5B2-FCA6485FEA4C}\InprocServer32#ThreadingModel
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#InternetConnection

Rootkit.TDSServ/Fake
C:\DOCUMENTS AND SETTINGS\KEITH\LOCAL SETTINGS\TEMP\TDSS5288.TMP

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSLRVD.DAT

MBam First Scan

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/16/2008 5:25:17 AM
mbam-log-2008-12-16 (05-25-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 151933
Time elapsed: 4 hour(s), 17 minute(s), 48 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 21
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 7
Files Infected: 30

Memory Processes Infected:
C:\Program Files\Spyware Guard 2008\spywareguard.exe (Rogue.SpywareGuard) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6b221e01-f517-4959-8c41-81948e7f2f17} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d1c4e81-a32a-416b-bcdb-33b3ef3617d3} (Adware.Need2Find) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{453f51e8-fef5-4c54-b136-944bf434360c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\spyware guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rxtoolbar.tbinfo (Adware.RXToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rxtoolbar.tbinfo.1 (Adware.RXToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\spyware guard (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spywareguard (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2008\quarantine (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Keith\Start Menu\Programs\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\TDSShrxr.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\TDSSoiqt.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\TDSSrtqp.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\TDSSxfum.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\DRIVERS\TDSSpqlt.sys (Trojan.TDSS) -> Delete on reboot.
C:\Program Files\Spyware Guard 2008\conf.cfg (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2008\mbase.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2008\quarantine.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2008\queue.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2008\spywareguard.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2008\uninstall.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2008\vbase.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Keith\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Documents and Settings\Keith\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\BMf3f82aab.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\sysexplorer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\reged.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\spoolsystem.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\sys.com (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\syscert.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\vmreg.dll (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Documents and Settings\Keith\Desktop\Spyware Guard 2008.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSkkbi.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\TDSSlxwp.dll (Rootkit.Agent) -> Delete on reboot.

MBam Second Scan

Malwarebytes' Anti-Malware 1.31
Database version: 1508
Windows 5.1.2600 Service Pack 3

12/17/2008 5:18:31 AM
mbam-log-2008-12-17 (05-18-31).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 148049
Time elapsed: 1 hour(s), 45 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Keith\Local Settings\Temp\TDSS5334.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\winscenter.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
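As an added example (not code from this thread, and not Malwarebytes' own tooling), here is a small Python parser for the log format posted above, run over a constructed excerpt that reuses a few of the entries from that log. It counts detections per detection name, lists the items marked "Delete on reboot" (those files are still on disk until Windows restarts, which is why a scan that reports them is not a clean machine yet), and flags detection names that point at a kernel-mode rootkit component. The family list used for that last flag (Trojan.TDSS, Rootkit.Agent) is an assumption taken from the names that appear in the posted log, not a Malwarebytes classification.

```python
import re
from collections import Counter

# One detection line in a Malwarebytes' Anti-Malware 1.x log looks like:
#   <registry key or path> (<detection name>) -> <action>.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$"
)

# Section headings ("Files Infected:", "Registry Keys Infected:", ...) end
# with a colon; the summary counters near the top ("Files Infected: 2") do not.
SECTION_SUFFIX = " Infected:"

# Detection names that, in this log, point at a kernel-mode rootkit component
# (assumption for this example, taken from the names seen in the posted log).
ROOTKIT_FAMILIES = frozenset({"Trojan.TDSS", "Rootkit.Agent"})


def parse_mbam_log(text):
    """Return one dict {section, item, family, action} per detection line.

    Header lines, summary counters and "(No malicious items detected)"
    placeholders are skipped.
    """
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(SECTION_SUFFIX):
            section = line[:-1]  # drop the trailing colon
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            findings.append({"section": section, **m.groupdict()})
    return findings


def count_by_family(findings):
    """Number of detections per detection name, e.g. {"Trojan.TDSS": 1, ...}."""
    return Counter(f["family"] for f in findings)


def pending_reboot(findings):
    """Items MBAM could not remove while Windows was running.

    They stay on disk until the next reboot, so a log with these entries
    does not describe a clean machine until that reboot has happened.
    """
    return [f["item"] for f in findings
            if f["action"].lower().startswith("delete on reboot")]


def rootkit_families_seen(findings):
    """Sorted list of rootkit-class detection names present in the log."""
    return sorted({f["family"] for f in findings if f["family"] in ROOTKIT_FAMILIES})


def triage(text):
    """Everything a helper wants at a glance from one MBAM log."""
    findings = parse_mbam_log(text)
    return {
        "total": len(findings),
        "by_family": dict(count_by_family(findings)),
        "pending_reboot": pending_reboot(findings),
        "rootkit_families": rootkit_families_seen(findings),
    }


# Constructed excerpt in the format of the log posted above (a few of its
# entries reused); not a complete scan log.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1508
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 148049

Registry Keys Infected: 2
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\DRIVERS\TDSSpqlt.sys (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\TDSSlxwp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\winscenter.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ (Trojan.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it on a saved `mbam-log-*.txt` by reading the file into `triage()`; a non-empty `pending_reboot` list means the scan is not finished until the machine has been restarted and rescanned, and a non-empty `rootkit_families` list is the signal that drives the reformat discussion in the reply below.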

#8 boopme

boopme
To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:08:44 AM

Posted 17 December 2008 - 10:52 AM

Hi, good choice to disconnect. You are/were heavily infected with some dangerous and stubborn malware. Have you rebooted after these scans? You should.
I must tell you this warning here also after seeing TDSS serv

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#9 ktb2008

ktb2008
  • Topic Starter

  • Members
  • 20 posts
  • Local time:08:44 AM

Posted 17 December 2008 - 11:45 AM

Yes, I did reboot the machine after every scan, and as I said before, I disconnected the machine immediately after realizing it had been infected by malware, and only reconnected after the initial scans, in order to update the Malwarebytes and SuperAntiSpyWare definitions for the second scans, after which I disconnected it again while they ran. I reconnected it to post the logs on here this morning, then disconnected it again.

Well, the honest truth is that the infected machine is an over 5-year-old desktop machine which I've kept because it serves my email, word-processing, internet, and spreadsheet functions that I don't really need a newer machine for. However, I'd rather just upgrade to a laptop before having to reformat and reinstall all the stuff I have on it.

I don't keep any type of personal information on my computer files, but I do check my bank account balances and credit card balances online, yet I never choose to save any of the preferences, and whenever I'm done I usually delete the Browsing History from my browser, just because I guess I'm a little paranoid about passwords or usernames being saved in a cookie somewhere on my machine. I have changed my online passwords from my work machine, but do you really think that's information that still could have been stolen by this malware or could be stolen in the future after we disinfect the machine?

I guess it's just more than a little annoying that I pay yearly user fees to McAfee to keep getting their virus definition files and upgrades, and my "virus protection" was no protection at all! So, even if I were to get another machine, how could I ever be confident that I wouldn't be hit by this type of attack in the future?

#10 boopme

boopme
To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:08:44 AM

Posted 17 December 2008 - 11:59 AM

I would recommend then, to clean this, that you post a HJT log in the Malware removal forum.
Use the Preparation Guide For Use Before Posting A Hijackthis Log.
Then create a new topic here HijackThis Logs and Malware Removal.

Edited by boopme, 17 December 2008 - 12:01 PM.


#11 Orange Blossom

Orange Blossom
OBleepin Investigator

  • Moderator
  • 36,947 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:44 AM

Posted 18 December 2008 - 07:31 PM

Hello ktb2008,

Now that your log is posted here: http://www.bleepingcomputer.com/forums/topic187477.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



