
Unremovable Spyware Guard 2008



#1 dsean

dsean

  • Members
  • 1 posts
  • OFFLINE
  • Local time:04:52 AM

Posted 12 May 2009 - 09:59 PM

Greetings,

I've about reached the end of the rope with this machine, but since I like the challenge I'm reaching out for some help. A buddy of mine has brought me a Win2K box, which at first look appears to be simply (haha!) infected with Spyware Guard 2008, but complications abound once you sit down and start poking around the box. The box has AVG 8.5 installed, but it is non-functional now; Spybot S&D is also non-functional. Booting into safe mode allowed me to install Spybot, and it will perform a scan & fix, but on reboot everything is back as though it never left. Spybot found references to TDSS, Spyware Guard 2008, Smitfraud-C and Virtumonde, but there has to be more somewhere I'm not thinking about. I have tried to install any and everything I can, and Spybot is the only one that has made it in. On any sort of security install or executable, the process is terminated within seconds; DDS did run, though. I have created an Ultimate Boot CD for Windows and have booted from that, used the McAfee Stinger, Spybot, Malwarebytes, registry editors, and the list goes on. One other odd tidbit: while in safe mode, when a thumb drive is inserted, a file, m.exe, is copied to the thumb drive, which is promptly deleted by Symantec on the other computer I'm using to connect to the Internet. The odd part is, it doesn't happen in normal mode, safe mode only. I'm getting tired, so I'll post my log and come back to this in the morning. I've got 16 hours on it now; hopefully someone has some idea of a way to move forward. Much appreciation for any suggestions.




DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 21:28:48.32 on Tue 05/12/2009
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_07
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.511.172 [GMT -5:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\winscenter.exe
C:\Program Files\Spyware Guard 2008\spywareguard.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\dds.scr
C:\PROGRA~1\AVG\AVG8\avgemc.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = 127.0.0.1
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DDSMEkl: {2502bbd0-d73b-11dd-b4ec-cebf56d89593} - c:\winnt\system32\vumer.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: {32b093d6-7cf5-ada8-72a4-8c96ac96cf0a}: {a0fc69ca-69c8-4a27-8ada-5fc76d390b23} - c:\winnt\system32\nkbjij.dll
BHO: {d8a3cd28-496c-40e6-8bf7-bdd501be421c} - c:\winnt\system32\BASESR.dll
BHO: {fb39953a-a6ec-4e82-bb33-57cfc534fc46} - c:\winnt\system32\BASESR.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [AtiPTA] atiptaxx.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [spywareguard] c:\program files\spyware guard 2008\spywareguard.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {2D337EB0-3BFB-42A3-B314-A24BBA8C085B} - hxxp://download.yahoo.com/dl/mail/yautoiol1.cab
DPF: {31564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmvax.cab
DPF: {32564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8ax.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221064381820
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: dfecbadb - c:\winnt\system32\dfecbadb.dll
Notify: __c00A7A1 - c:\winnt\system32\__c00A7A1.dat
SSODL: ieModule - {C94AC3FC-9DCA-4D67-9E9E-190265D342C7} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\ieModule.dll
SSODL: InternetConnection - {BB21DF22-36B2-4E05-A858-5F74EF7B2299} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\mfbhibqiuq.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\welolazu.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\winnt\system32\welolazu.dll
LSA: Notification Packages = scecli c:\winnt\system32\sabobosu.dll c:\winnt\system32\tipajile.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\buf021nw.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll

============= SERVICES / DRIVERS ===============

R?2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-11 908568]
R0 AvgRkx86;avgrkx86.sys;c:\winnt\system32\drivers\avgrkx86.sys [2009-1-18 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [2009-1-18 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\winnt\system32\drivers\avgmfx86.sys [2009-1-18 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [2009-1-18 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-11 298776]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-5-11 1366904]
R3 Avgfwdx;Avgfwdx;c:\winnt\system32\drivers\avgfwdx.sys [2009-1-18 29208]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2005-3-26 61712]
S3 Avgfwfd;AVG network filter service;c:\winnt\system32\drivers\avgfwdx.sys [2009-1-18 29208]

=============== Created Last 30 ================

2009-05-12 21:28 16,384 a------t c:\winnt\system32\Perflib_Perfdata_300.dat
2009-05-12 21:05 377,002 ----h--- c:\winnt\ShellIconCache
2009-05-12 20:57 <DIR> --d----- c:\program files\Spyware Guard 2008
2009-05-12 19:30 99,928 a------- c:\winnt\system32\__c00A3F5D.exe
2009-05-12 19:30 134,149 a------- c:\winnt\reged.exe
2009-05-12 19:30 18,941 a------- c:\winnt\vmreg.dll
2009-05-12 19:30 1,003,957 a------- c:\winnt\sysexplorer.exe
2009-05-12 19:30 51,197 a------- c:\winnt\spoolsystem.exe
2009-05-12 19:30 47,872 a------- c:\winnt\syscert.exe
2009-05-12 19:30 392,704 a------- c:\winnt\system32\winscenter.exe
2009-05-12 16:28 <DIR> --d----- C:\ComboFix
2009-05-12 16:28 236,816 a------- c:\winnt\system32\CF580.exe
2009-05-12 16:00 <DIR> --d----- c:\winnt\ERUNT
2009-05-12 15:59 <DIR> --d----- C:\SDFix
2009-05-12 15:53 16,384 a------t c:\winnt\system32\Perflib_Perfdata_510.dat
2009-05-12 15:04 2,967,816 a------- C:\msetup.exe
2009-05-12 14:46 13,744 ac------ c:\winnt\system32\dllcache\kbdhid.sys
2009-05-12 14:46 13,744 a------- c:\winnt\system32\drivers\kbdhid.sys
2009-05-12 14:46 19,728 ac------ c:\winnt\system32\dllcache\hidserv.exe
2009-05-12 14:46 19,728 a------- c:\winnt\system32\hidserv.exe
2009-05-12 14:46 11,632 ac------ c:\winnt\system32\dllcache\mouhid.sys
2009-05-12 14:46 11,632 a------- c:\winnt\system32\drivers\mouhid.sys
2009-05-12 14:46 30,480 ac------ c:\winnt\system32\dllcache\pid.dll
2009-05-12 14:46 13,904 ac------ c:\winnt\system32\dllcache\hidusb.sys
2009-05-12 14:46 30,480 a------- c:\winnt\system32\pid.dll
2009-05-12 14:46 13,904 a------- c:\winnt\system32\drivers\hidusb.sys
2009-05-11 21:55 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-11 21:54 161,792 a------- c:\winnt\SWREG.exe
2009-05-11 21:54 98,816 a------- c:\winnt\sed.exe
2009-05-11 21:54 236,816 a------- c:\winnt\system32\CF11551.exe
2009-05-11 20:34 478 a------- c:\winnt\wininit.ini
2009-05-11 19:41 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-11 19:41 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-11 12:22 125,440 a------- c:\winnt\system32\__c0049D65.exe
2009-05-10 12:21 125,440 a------- c:\winnt\system32\__c008D7C6.exe
2009-05-09 12:19 125,440 a------- c:\winnt\system32\__c00D1227.exe
2009-05-08 12:17 125,440 a------- c:\winnt\system32\__c0014C89.exe

==================== Find3M ====================

2009-05-12 20:57 50,620 a------- c:\winnt\sys.com
2009-05-12 19:30 25,088 a------- c:\winnt\system32\__c00A7A1.dat
2009-05-11 19:47 11,952 a------- c:\winnt\system32\avgrsstx.dll
2009-05-11 19:47 325,896 a------- c:\winnt\system32\drivers\avgldx86.sys
2009-05-11 19:46 108,552 a------- c:\winnt\system32\drivers\avgtdix.sys
2009-05-11 19:46 50,968 a------- c:\winnt\system32\avgfwdx.dll
2009-05-11 19:46 29,208 a------- c:\winnt\system32\drivers\avgfwdx.sys
2009-05-11 19:46 12,552 a------- c:\winnt\system32\drivers\avgrkx86.sys
2009-05-08 12:30 323 a------- C:\xcrashdump.dat
2001-05-08 07:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 21:29:28.03 ===============

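The DDS "Pseudo HJT Report" above is where the persistence lives: an LSA Notification Packages value with two extra DLLs (every password change is handed to them inside lsass), Winlogon Notify entries that load a .dat file and a randomly named DLL, shell service objects (SSODL/STS) loaded from a data directory and from system32, and BHOs registered with no display name or with the same DLL under two CLSIDs. The script below is an added triage helper written for this thread; it is not part of the post, not a DDS feature and not a BleepingComputer tool. It parses those four line types, compares them against an assumed baseline for a clean Windows 2000 Professional install (the baseline sets are assumptions; extend them for your own image) and prints a review list. The sample input is excerpted verbatim from the log above, with the AVG, Adobe and Spybot entries kept so the rules have known-good lines to leave alone.

```python
"""Triage the BHO / Notify / SSODL / STS / LSA lines of a DDS Pseudo HJT Report.
Added example, not from the post or from DDS. Baselines are assumptions for a
stock Win2K box; output is a review list, not a verdict."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Lines excerpted verbatim from the DDS log posted above.
SAMPLE_REPORT = r"""
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DDSMEkl: {2502bbd0-d73b-11dd-b4ec-cebf56d89593} - c:\winnt\system32\vumer.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {32b093d6-7cf5-ada8-72a4-8c96ac96cf0a}: {a0fc69ca-69c8-4a27-8ada-5fc76d390b23} - c:\winnt\system32\nkbjij.dll
BHO: {d8a3cd28-496c-40e6-8bf7-bdd501be421c} - c:\winnt\system32\BASESR.dll
BHO: {fb39953a-a6ec-4e82-bb33-57cfc534fc46} - c:\winnt\system32\BASESR.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: dfecbadb - c:\winnt\system32\dfecbadb.dll
Notify: __c00A7A1 - c:\winnt\system32\__c00A7A1.dat
SSODL: ieModule - {C94AC3FC-9DCA-4D67-9E9E-190265D342C7} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\ieModule.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\welolazu.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\winnt\system32\welolazu.dll
LSA: Notification Packages = scecli c:\winnt\system32\sabobosu.dll c:\winnt\system32\tipajile.dll
"""

GUID = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

# Assumed baselines for a stock Windows 2000 Professional install.
LSA_BASELINE = {"scecli"}  # the only default password-change notification package
NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                   "sclgntfy", "senslogn", "termsrv", "wlballoon"}  # Winlogon\Notify
SSODL_BASELINE = {"webcheck.dll", "stobject.dll", "shell32.dll", "browseui.dll"}
SYSTEM_DIRS = ("\\system32\\", "\\system\\")


@dataclass
class Finding:
    severity: str  # "high" or "review"
    kind: str      # BHO / Notify / SSODL / STS / LSA
    target: str    # loaded file as printed in the log
    reason: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _split(rest: str):
    # DDS prints "name[: {clsid}] - path"; the path is everything after the last " - ".
    head, sep, path = rest.rpartition(" - ")
    return (head, path) if sep else (rest, "")


def triage_line(line: str) -> list:
    """Findings for one report line; empty list when nothing stands out."""
    out = []
    kind, colon, rest = line.partition(":")
    kind, rest = kind.strip(), rest.strip()
    if not colon:
        return out
    if kind == "LSA" and rest.startswith("Notification Packages"):
        # DDS prints these space-separated; assumes no spaces inside the paths.
        for pkg in rest.partition("=")[2].split():
            name = basename(pkg)
            name = name[:-4] if name.endswith(".dll") else name
            if name not in LSA_BASELINE:
                out.append(Finding("high", kind, pkg, "LSA notification package outside "
                           "baseline; receives every plaintext password change inside lsass"))
    elif kind == "Notify":
        name, path = _split(rest)
        if name.lower() not in NOTIFY_BASELINE:
            if not basename(path).endswith(".dll"):
                out.append(Finding("high", kind, path, "Winlogon Notify loads a non-.dll file"))
            else:
                out.append(Finding("review", kind, path, "Winlogon Notify entry outside baseline; confirm vendor"))
    elif kind in ("SSODL", "STS"):
        _, path = _split(rest)
        if basename(path) not in SSODL_BASELINE:
            if not any(d in path.lower() for d in SYSTEM_DIRS):
                out.append(Finding("high", kind, path, "shell extension loaded from outside the system directory"))
            else:
                out.append(Finding("review", kind, path, "shell extension outside baseline; explorer loads it every logon"))
    elif kind == "BHO":
        head, path = _split(rest)
        guids = list(GUID.finditer(head))
        name = head[:guids[-1].start()].rstrip(": ").strip() if guids else head
        if not name or GUID.fullmatch(name):
            out.append(Finding("high", kind, path, "BHO registered with no display name (or a bare GUID as name)"))
    return out


def triage_report(text: str) -> list:
    """All per-line findings plus one cross-line check: one DLL behind several BHO CLSIDs."""
    findings, bho_dlls = [], defaultdict(set)
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        findings.extend(triage_line(line))
        if line.startswith("BHO:"):
            head, path = _split(line.partition(":")[2].strip())
            guids = GUID.findall(head)
            if guids:
                bho_dlls[basename(path)].add(guids[-1].lower())
    for dll, clsids in bho_dlls.items():
        if len(clsids) > 1:
            findings.append(Finding("review", "BHO", dll,
                            f"same DLL registered under {len(clsids)} BHO CLSIDs: {', '.join(sorted(clsids))}"))
    return findings


if __name__ == "__main__":
    for f in triage_report(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.kind:6} {f.target}\n         {f.reason}")
```

Run it against the report section pasted from a log and read the "high" lines first: on the sample they are the two LSA packages, the `__c00A7A1.dat` Notify entry, the `ieModule.dll` SSODL entry loaded from Application Data, and the three nameless BHOs. Note what a baseline comparison does not catch: `vumer.dll` carries a display name and so passes these rules, even though Spybot flagged it as Virtumonde in the post, and the AVG Notify entry is listed for review purely because it is not in the stock set. Treat the output as a shortlist for hashing and vendor checks, not as a cleaning list.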

#2 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:04:52 AM

Posted 22 May 2009 - 06:46 AM

Hi dsean,

Your log is several days old. If you still need help, simply reply to my post and give me an update on your malware situation.

How Can I Reduce My Risk to Malware?
