Fake spyware detector, Sysgard.exe has appeared and i.explorer is being hijacked.


6 replies to this topic

#1 purrlofagirl


Posted 18 June 2009 - 05:13 PM

My Trouble: Sysgard.exe appeared (I did not install it). It does not appear in Add/Remove Programs. It reported that my system is infected. I recognized the type of program as a fake spyware detector.

Next, my Google search was hijacked to "BestWebSearch", and upon clicking back through what should have been history, other assorted suspicious sites appeared instead.

Comment: I would not be surprised if sysgard.exe actually infected me!

My attempts to diagnose and fix: I ran Malwarebytes - no infections found.
Hard to figure out why Malwarebytes, AVG, Spybot, and Ad-Aware are not detecting the current problem.
- I use all of them, and all are up to date.

PS. I've also run HijackThis and noted items I chose to delete.

Also, ComboFix and dd.. - but I did not initiate any additional fixes.

-Decided to ask for help before I waste any more time.

Please advise: what to do next? Thank you.

Edited by purrlofagirl, 18 June 2009 - 05:17 PM.




#2 Alex_Computer


Posted 18 June 2009 - 06:24 PM

Please do an online scan with Kaspersky WebScanner: http://www.kaspersky.com/virusscanner
Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

#3 purrlofagirl


Posted 18 June 2009 - 11:57 PM

Absolutely cannot run the Kaspersky online scan. I click "scan now". Nothing happens. Cleared browser cache, still nothing. Tried several times. It just does not work. So.. I uninstalled AVG, Spybot, and Ad-Aware. Downloaded a trial of Kaspersky antivirus software (full product) for FREE by downloading and installing a free trial. Not able to get updates - not able to run a scan. Please offer another option. Thanks.

#4 purrlofagirl


Posted 19 June 2009 - 01:24 PM

RAN SCAN IN SAFE MODE w/NETWORKING!

RESULTS:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, June 19, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, June 19, 2009 14:39:49
Records in database: 2365449
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 95267
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 04:32:00


File name / Threat name / Threats count
C:\WINDOWS\freddy46.exe Infected: Net-Worm.Win32.Koobface.acn 1
C:\WINDOWS\system32\wbem\proquota.exe Infected: Trojan.Win32.Inject.adqp 1

The selected area was scanned.
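An added example, not part of the thread and not Kaspersky's own tooling: a short Python script that parses the Kaspersky Online Scanner 7.0 report format shown above and triages the two hits. It splits each verdict name into Kaspersky's Type.Platform.Family.Variant fields (so "Net-Worm" is recognised as self-propagating) and flags a well-known Windows file name that turns up outside its usual directory, which is what makes the second hit interesting: proquota.exe is a Windows XP component that lives in system32, not in system32\wbem. The report text is embedded so the script runs offline; the EXPECTED_SYSTEM_DIR table is an assumption for illustration and would come from a known-good install in real use.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the report lines quoted in the post above, embedded so
# the script runs offline.
SAMPLE_REPORT = r"""
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, June 19, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, June 19, 2009 14:39:49
Records in database: 2365449

Scan statistics:
Files scanned: 95267
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 04:32:00

File name / Threat name / Threats count
C:\WINDOWS\freddy46.exe Infected: Net-Worm.Win32.Koobface.acn 1
C:\WINDOWS\system32\wbem\proquota.exe Infected: Trojan.Win32.Inject.adqp 1

The selected area was scanned.
"""

# Assumption for illustration: where a few Windows XP binaries normally live.
# A real triage would take this from a known-good install or a file catalogue.
EXPECTED_SYSTEM_DIR = {
    "proquota.exe": r"c:\windows\system32",
}

DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<verdict>Infected|Suspicious):\s+"
    r"(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)
STAT_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s+(?P<value>\d+)\s*$")


@dataclass
class Detection:
    path: str
    verdict: str
    threat: str
    count: int
    notes: list = field(default_factory=list)


def classify_threat(name):
    """Split a Kaspersky verdict name into Type.Platform.Family.Variant."""
    parts = name.split(".")
    parts += [""] * (4 - len(parts))
    return dict(zip(("type", "platform", "family", "variant"), parts))


def location_note(path):
    """Flag a well-known Windows file name sitting outside its usual directory."""
    directory, _, name = path.lower().rpartition("\\")
    expected = EXPECTED_SYSTEM_DIR.get(name)
    if expected and directory != expected:
        return f"{name} normally lives in {expected}, found in {directory}"
    return None


def parse_report(text):
    """Return (scan statistics, detections) from a Kaspersky Online Scanner report."""
    stats, detections = {}, []
    for line in text.splitlines():
        m = DETECTION_RE.match(line)
        if m:
            d = Detection(m["path"], m["verdict"], m["threat"], int(m["count"]))
            if classify_threat(d.threat)["type"].endswith("Worm"):
                d.notes.append("self-propagating: check other hosts and removable media")
            note = location_note(d.path)
            if note:
                d.notes.append(note)
            detections.append(d)
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m["key"]] = int(m["value"])
    return stats, detections


if __name__ == "__main__":
    stats, found = parse_report(SAMPLE_REPORT)
    print(f"{stats['Files scanned']} files scanned, {stats['Infected objects']} infected")
    for d in found:
        t = classify_threat(d.threat)
        print(f"{d.path}\n  {t['type']} / {t['family']} ({d.threat})")
        for n in d.notes:
            print(f"  ! {n}")
```

The online scanner only reports paths; the notes are what a responder would act on next: a worm verdict means other machines and USB sticks on the same network need checking, and a system-file name in the wrong folder means the legitimate copy in system32 should be compared against the impostor before anything is deleted.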

#5 purrlofagirl


Posted 19 June 2009 - 09:45 PM

Note: I have 2 .jpg screenshots - referenced below - but did not know how to attach them.
__________________________________________________________________________

So, new development - I can't make a connection to internet in regular mode - from desktop.

I am now working in safemode w/ networking.

Cannot run Windows update in either mode. But, I have a screen shot (screen shot #1) which shows windows updates registered in add-remove.

After running Kaspersky online (in safe mode w/ networking, earlier), I then rebooted to the desktop and reinstalled AVG.

Tried to update AVG. Could not (screenshot #2). It indicates "the update control file is missing."

Also ran AVG in safe mode w/ networking. #3 avg rpt.txt I am sending in the next post - in case you don't want to post it. (Unfortunately it appears useless - all files are "locked" - but thought it might mean something to you.)

*******************************************************************


AVG 8.5 Anti-Virus command line scanner
Copyright © 1992 - 2009 AVG Technologies
Program version 8.0.354, engine 8.0.372
Virus Database: Version 270.12.69/2176 2009-06-14

C:\a5946986e4f917bc7b6b4da241aa\$shtdwn$.req Locked file. Not tested.
C:\a5946986e4f917bc7b6b4da241aa\legitcheckcontrol.dll Locked file. Not tested.
C:\a5946986e4f917bc7b6b4da241aa\spmsg.dll Locked file. Not tested.
C:\a5946986e4f917bc7b6b4da241aa\spuninst.exe Locked file. Not tested.
C:\a5946986e4f917bc7b6b4da241aa\update\ Locked file. Not tested.
C:\a5946986e4f917bc7b6b4da241aa\wgalogon.dll Locked file. Not tested.
C:\a5946986e4f917bc7b6b4da241aa\wgatray.exe Locked file. Not tested.
C:\af60da20bfee89d97b31d822f451c8b6\amd64\ Locked file. Not tested.
C:\af60da20bfee89d97b31d822f451c8b6\i386\ Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\admparse.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\admparse.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\advpack.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\advpack.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\browseui.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\corpol.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\custsat.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\dxtmsft.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\dxtrans.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\extmgr.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\extmgr.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\feeddisc.wav Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\hmmapi.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\hmmapi.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\html.iec Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\html.iec.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\icardie.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\icardie.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\icrav03.rat Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ie4uinit.exe Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ie4uinit.exe.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieakeng.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieakeng.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieakmmc.chm Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieaksie.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieaksie.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieakui.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieakui.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieapfltr.dat Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieapfltr.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\iedkcs32.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\iedkcs32.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\iedw.exe Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\iedw.exe.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieencode.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieeula.chm Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieframe.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieframe.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\iepeers.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\iepeers.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieproxy.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\iernonce.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\iernonce.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\iertutil.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\iesetup.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\iesetup.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\iesupp.chm Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieudinit.exe Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieui.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieui.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieuinit.inf Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ieunatt.exe.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\iexplore.chm Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\iexplore.exe Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\iexplore.exe.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\imgutil.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\inetcorp.iem Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\inetcpl.cpl Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\inetcpl.cpl.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\inetres.adm Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\inetset.iem Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\infobar.wav Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\inseng.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\inseng.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\install.ins Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\jscript.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\jsproxy.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\licmgr10.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\licmgr10.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\msfeeds.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\msfeeds.mof Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\msfeedsbs.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\msfeedsbs.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\msfeedsbs.mof Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\msfeedssync.exe Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\mshta.exe Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\mshta.exe.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\mshtml.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\mshtml.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\mshtml.tlb Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\mshtmled.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\mshtmled.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\mshtmler.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\mshtmler.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\msls31.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\msrating.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\msrating.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\mstime.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\navstart.wav Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\occache.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\occache.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\occache.ini Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\pngfilt.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\popupblk.wav Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\shdocvw.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\shlwapi.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\spmsg.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\spuninst.exe Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\spupdsvc.exe Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\tdc.ocx Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\ticrf.rat Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\update\ Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\url.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\urlmon.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\urlmon.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\vbscript.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\vgx.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\webcheck.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\webcheck.dll.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\webcheck.ini Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\winfxdocobj.exe Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\winfxdocobj.exe.mui Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\wininet.dll Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\wininet.dll.mui Locked file. Not tested.
C:\Documents and Settings\Administrator.LAPTOP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\Administrator.LAPTOP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\Administrator.LAPTOP\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\Administrator.LAPTOP\NTUSER.DAT.LOG Locked file. Not tested.
C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll Locked file. Not tested.
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1291fc6ad8e880af8c71b211d92b3792_1f0ac9fb-6b2c-44ad-b9d8-bf41aea80f90 Locked file. Not tested.
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\76c6b2ea434d5b95bd8247dfe1132c16_1f0ac9fb-6b2c-44ad-b9d8-bf41aea80f90 Locked file. Not tested.
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e930fb314fcb8c7e356ecac260c05a4c_1f0ac9fb-6b2c-44ad-b9d8-bf41aea80f90 Locked file. Not tested.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\LocalService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\LocalService\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll.dmp Locked file. Not tested.
C:\Program Files\BrainsBreaker\BBrk.ini Locked file. Not tested.
C:\Program Files\InstallShield Installation Information\{425A2BC2-AA64-4107-9C29-484245BBEA05}\setup.ilg Locked file. Not tested.
C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.ilg Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\system32\config\default Locked file. Not tested.
C:\WINDOWS\system32\config\default.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\software Locked file. Not tested.
C:\WINDOWS\system32\config\software.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\system Locked file. Not tested.
C:\WINDOWS\system32\config\system.LOG Locked file. Not tested.

------------------------------------------------------------
Objects scanned : 322866
Found infections : 0
Found PUPs : 0
Healed infections : 0
Healed PUPs : 0
Warnings : 0
------------------------------------------------------------
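An added example, not part of the thread and not AVG's own tooling: a Python script that reads the AVG 8.5 command-line log format above and sorts the "Locked file. Not tested." entries into categories, so the list can be read at a glance. The footer of the log shows 322866 objects were scanned; the locked entries are only what the scanner could not open, and on a running Windows XP machine that is expected for registry hives, the pagefile, the CryptoAPI MachineKeys store, the System Volume Information folder, and the hex-named hotfix extraction folders in the root of C:. Anything executable that falls outside those categories is what deserves a second look. The excerpt of the log is embedded so the script runs offline, and the category rules are this example's own assumptions, not something AVG defines.

```python
import re
from collections import Counter

# Constructed input: an excerpt of the AVG log posted above (the full list has
# the same shape), embedded so the script runs offline.
SAMPLE_LOG = r"""
AVG 8.5 Anti-Virus command line scanner
Copyright (c) 1992 - 2009 AVG Technologies
Program version 8.0.354, engine 8.0.372
Virus Database: Version 270.12.69/2176 2009-06-14

C:\a5946986e4f917bc7b6b4da241aa\legitcheckcontrol.dll Locked file. Not tested.
C:\a5946986e4f917bc7b6b4da241aa\update\ Locked file. Not tested.
C:\a5946986e4f917bc7b6b4da241aa\wgatray.exe Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\iexplore.exe Locked file. Not tested.
C:\c2dedbe69a0a209baab0ef\mshtml.dll Locked file. Not tested.
C:\Documents and Settings\Administrator.LAPTOP\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\Administrator.LAPTOP\NTUSER.DAT.LOG Locked file. Not tested.
C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll Locked file. Not tested.
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1291fc6ad8e880af8c71b211d92b3792_1f0ac9fb-6b2c-44ad-b9d8-bf41aea80f90 Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\Program Files\InstallShield Installation Information\{425A2BC2-AA64-4107-9C29-484245BBEA05}\setup.ilg Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\system32\config\software Locked file. Not tested.
C:\WINDOWS\system32\config\system Locked file. Not tested.

------------------------------------------------------------
Objects scanned : 322866
Found infections : 0
Found PUPs : 0
Healed infections : 0
Healed PUPs : 0
Warnings : 0
------------------------------------------------------------
"""

LOCKED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)\s+Locked file\. Not tested\.\s*$")
STAT_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>\d+)\s*$")
# Hotfix and IE installers unpack into a random hex-named folder in the drive root.
HEX_STAGING_RE = re.compile(r"^[a-z]:\\[0-9a-f]{16,}\\")
HIVE_BASENAMES = {"sam", "security", "software", "system", "default", "ntuser", "usrclass"}
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv")


def classify_locked(path):
    """Map a locked path to a category (this example's own assumptions)."""
    p = path.lower()
    directory, _, name = p.rpartition("\\")
    base = name.split(".", 1)[0]
    if name == "pagefile.sys":
        return "pagefile (always in use)"
    if re.match(r"^[a-z]:\\system volume information", p):
        return "System Restore store"
    if base in HIVE_BASENAMES and (
        directory.endswith("\\system32\\config") or base in ("ntuser", "usrclass")
    ):
        return "registry hive or hive log (loaded while Windows runs)"
    if "\\microsoft\\crypto\\rsa\\machinekeys\\" in p:
        return "CryptoAPI machine key container"
    if HEX_STAGING_RE.match(p):
        return "Windows Update / hotfix extraction folder"
    if "\\avg" in p:
        return "scanner's own files"
    if name.endswith(EXECUTABLE_EXT):
        return "unexplained executable"
    return "other locked file"


def summarize(text):
    """Return (category counts, unexplained executable paths, footer statistics)."""
    counts, unexplained, stats = Counter(), [], {}
    for line in text.splitlines():
        m = LOCKED_RE.match(line)
        if m:
            cat = classify_locked(m["path"])
            counts[cat] += 1
            if cat.startswith("unexplained"):
                unexplained.append(m["path"])
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m["key"]] = int(m["value"])
    return counts, unexplained, stats


if __name__ == "__main__":
    counts, unexplained, stats = summarize(SAMPLE_LOG)
    print(f"{stats['Objects scanned']} objects scanned, "
          f"{sum(counts.values())} locked and skipped:")
    for cat, n in counts.most_common():
        print(f"  {n:3d}  {cat}")
    for path in unexplained:
        print(f"  !! look at: {path}")
```

Run against the full log above, every entry lands in one of the expected categories and the "unexplained" list stays empty, which is the useful answer: the locked list is noise, and the two files Kaspersky named in the earlier post were simply not among them.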

#6 Alex_Computer


Posted 22 June 2009 - 10:45 AM

Where are the screenshots?

#7 purrlofagirl


Posted 23 June 2009 - 01:14 AM

After submitting the message, I could not figure out how to attach or send screenshots.

At any rate, I've completely cleaned the computer. Kaspersky online scan detected and gave locations of the infections. I found and deleted the .exe's, then followed with Trend Micro HouseCall beta ver 7 online scan - very fast - which detected AND also disinfected the remaining junk. Then reinstalled AVG and ran a scan. And ran it again. Tonight I ran Trend Micro HouseCall beta ver 7 online scan, and the report showed 0 infections. Will now create a new restore point and enable System Restore.

Note: I'm quite certain the infection was from Facebook. Possibly even a flash (.exe) advertisement (which activates itself) or from a quiz.

Word to the wise: clean and scan often. Also, I use CCleaner often - but also want to recommend ATF Cleaner. Thanks for your attention.



