
infected sysguard and os-guardpro, I think

  • This topic is locked
2 replies to this topic

#1 Jaybird934


  • Members
  • 110 posts
  • Local time:01:55 AM

Posted 17 October 2009 - 01:01 AM

(Update: I found a similar post and ran ComboFix, which found a rootkit and took care of it. Almost all scans are coming back clean: SUPERAntiSpyware, Malwarebytes, BitDefender online virus scan, Spybot. But some of these scans missed it when I know I had it, so I'm still kinda worried. RootRepeal will still not run; it hard-reboots my computer. Is this a sign of a problem? What else should I do, or run? ComboFix still finds "Infected copy of c:\windows\system32\drivers\vaxscsi.sys was found and disinfected" every time I run it.)

I was infected with a rogue antispyware product that added the following lines to my HJT log:
O1 - Hosts: os-guardpro.com
O4 - HKCU\..\Run: [system tool] C:\Program Files\tdkfwd\hmcvsysguard.exe

I quickly rebooted to safe mode (maybe too quickly; I can't remember what it was called), removed these two lines, updated Malwarebytes, and scanned with it. It found only: C:\WINDOWS\syssvc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. I then updated and ran Spybot, which found "sysguard" and "virtumonde", which I deleted.

Ran a BitDefender scan, which found a random-sounding file in my temp folder, an old virus in my System Restore checkpoints, and nothing else. It seems like I should be clean, except that Firefox and IE are both slow when searching, and my attempts to search often give me a bunch of bogus results, especially if I use my default Google search box at the top of the toolbar, which usually takes forever to even connect.

RootRepeal will not run: it turns my screen black, then I'm suddenly rebooting after an improper shutdown. I tried several times.

From this log, notice that at the top of my "Created Last 30" group I have an lsp.dll entry from my system32 folder. This is exactly the time I got infected. I've also read that this file can be infected, but I'm scared to mess with it since Jotti came up clean from every source after I uploaded it.

-----------my dds.txt log follows--------------------------------------

DDS (Ver_09-10-13.01) - NTFSx86
Run by Jason at 1:24:34.73 on Sat 10/17/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.645 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jason\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = about:blank
mWindow Title = Windows Internet Explorer provided by Comcast
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Malwarebytes Anti-Malware (reboot)] "f:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logoca~1.lnk - c:\program files\gretagmacbeth\i1\eye-one match 3\calibrationloader\CalibrationLoader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\profil~1.lnk - c:\program files\gretagmacbeth\i1\eye-one match 3\ProfileReminder.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
LSP: c:\windows\system32\lsp.dll
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232943645078
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {887AF483-A29C-4290-92FB-8153525FFE0B} =,
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\fanesazi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jason\applic~1\mozilla\firefox\profiles\jpihshbv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\jason\application data\mozilla\firefox\profiles\jpihshbv.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: f:\program files\adobe\acrobat 7.0\reader\browser\nppdf32.dll
FF - plugin: f:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: f:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: f:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: f:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: f:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: f:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: f:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: f:\program files\quicktime\plugins\npqtplugin7.dll
FF - plugin: f:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: f:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: f:\program files\real\realplayer\netscape6\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-28 28544]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-9 108289]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-9-19 47640]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2009-9-18 14416]
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2009-9-18 44344]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-1-2 44928]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-10-16 16:01 178,432 a------- c:\windows\system32\lsp.dll
2009-09-19 19:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LogMeIn
2009-09-19 19:22 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2009-09-19 19:22 47,640 a------- c:\windows\system32\drivers\LMIRfsDriver.sys
2009-09-19 19:22 28,984 a------- c:\windows\system32\LMIport.dll
2009-09-19 19:22 87,352 a------- c:\windows\system32\LMIinit.dll
2009-09-19 19:22 <DIR> --d----- c:\program files\LogMeIn
2009-09-19 00:06 <DIR> --d----- c:\docume~1\jason\applic~1\GretagMacbeth
2009-09-18 22:57 126,976 a------- c:\windows\system32\drivers\direci2c.dll
2009-09-18 22:57 44,344 a------- c:\windows\system32\drivers\EyeOneDp.sys
2009-09-18 22:57 28,672 a------- c:\windows\system32\drivers\i1io2.sys
2009-09-18 22:57 26,045 a------- c:\windows\system32\drivers\i1.sys
2009-09-18 22:57 14,416 a------- c:\windows\system32\drivers\pdihwctl.sys
2009-09-18 22:57 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-09-18 22:56 <DIR> --d----- c:\program files\GretagMacbeth
2009-09-18 22:44 34 a------- c:\windows\AutoRun.ini
2009-09-18 19:09 <DIR> --d----- C:\drivers

==================== Find3M ====================

2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys

============= FINISH: 1:24:53.21 ===============

Edited by Jaybird934, 17 October 2009 - 03:13 PM.
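The entries the poster is looking at (the O1 hosts line, the O4 Run key, and the LSP and LSA "Notification Packages" lines in the DDS output) are all persistence or in-process loading points, and the practical question is which of them deviate from a stock Windows XP configuration. The script below is an added example written for this page, not the poster's or BleepingComputer's code, and not a tool the thread used. It runs a small triage over the log lines shown above (copied into a constructed sample, with the stock ctfmon.exe and Avira Run entries included for contrast). Assumptions: the known-good LSP list (mswsock.dll, winrnr.dll, rsvpsp.dll) and the stock LSA Notification Packages value (scecli) are taken from a clean XP install; the "vowel-free directory name" test is a crude heuristic for generated install folders such as tdkfwd, not a verdict. Note the practitioner caveat this illustrates: a clean multi-engine file scan of lsp.dll says nothing about whether a Winsock LSP catalog entry pointing at a freshly created DLL in system32 is supposed to be there; the catalog entry itself is the anomaly to investigate.

```python
import re

# Stock Winsock LSP providers on a clean Windows XP install (assumed known-good list).
KNOWN_LSP = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}
# Stock value of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages on XP.
KNOWN_LSA_NOTIFY = {"scecli"}

# Constructed sample: the relevant lines copied from the HJT/DDS output in the post,
# plus the stock ctfmon.exe and Avira Run entries for contrast.
SAMPLE_LOG = r"""
O1 - Hosts: os-guardpro.com
O4 - HKCU\..\Run: [system tool] C:\Program Files\tdkfwd\hmcvsysguard.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
LSP: c:\windows\system32\lsp.dll
Notify: LMIinit - LMIinit.dll
LSA: Notification Packages = scecli c:\windows\system32\fanesazi.dll
"""

_VOWELS = set("aeiou")


def looks_random(component: str) -> bool:
    """Crude heuristic (an assumption, not a verdict): a path component of five or
    more letters with no vowels, e.g. 'tdkfwd', is typical of generated rogue-AV
    install directories. Real vendor names almost always contain a vowel."""
    stem = re.sub(r"\.[a-z0-9]{1,4}$", "", component.lower())
    return len(stem) >= 5 and stem.isalpha() and not (_VOWELS & set(stem))


def _basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").split("\\")[-1].lower()


def _first_path(cmd: str) -> str:
    """Return the executable path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd


def triage_log(text: str) -> list:
    """Return findings as dicts {key, severity, reason} for persistence entries
    that deviate from a stock XP configuration."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # O1: HJT only lists hosts entries beyond the default localhost line.
        m = re.match(r"O1 - Hosts:\s*(.+)$", line)
        if m:
            findings.append({"key": m.group(1).strip().lower(), "severity": "medium",
                             "reason": "hosts entry overrides DNS for this name"})
            continue
        # O4 (HJT) and uRun/mRun (DDS): per-user and machine Run keys.
        m = re.match(r"(?:O4 - \S+Run:|[um]Run:)\s*\[[^\]]*\]\s*(.+)$", line)
        if m:
            path = _first_path(m.group(1))
            odd = [p for p in path.split("\\") if looks_random(p)]
            if odd:
                findings.append({"key": path.lower(), "severity": "medium",
                                 "reason": "Run entry under vowel-free dir/file name: " + ", ".join(odd)})
            continue
        # Winsock LSP: any provider DLL is mapped into every process that uses sockets.
        m = re.match(r"LSP:\s*(.+)$", line)
        if m:
            name = _basename(m.group(1))
            if name not in KNOWN_LSP:
                findings.append({"key": name, "severity": "high",
                                 "reason": "non-stock Winsock LSP loaded into every socket-using process"})
            continue
        # LSA Notification Packages: DLLs here are loaded by lsass.exe and are
        # notified of password changes. NOTE: tokens are whitespace-separated, so a
        # path containing spaces would be split; the sample has none.
        m = re.match(r"LSA: Notification Packages\s*=\s*(.+)$", line)
        if m:
            for tok in m.group(1).split():
                name = re.sub(r"\.dll$", "", _basename(tok))
                if name not in KNOWN_LSA_NOTIFY:
                    findings.append({"key": _basename(tok), "severity": "high",
                                     "reason": "non-stock LSA notification package loaded by lsass.exe"})
            continue
        # Winlogon Notify: DDS lists non-default packages only; verify the vendor.
        m = re.match(r"Notify:\s*(\S+)\s*-\s*(.+)$", line)
        if m:
            findings.append({"key": _basename(m.group(2)), "severity": "info",
                             "reason": "non-default Winlogon notify package; verify vendor"})
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['key']}: {f['reason']}")
```

On the sample, the two "high" findings are the LSP DLL and the second LSA notification package; the hosts entry and the Run entry under the vowel-free folder come out as "medium", the LogMeIn notify package as "info" only. The point of the severity split is that an LSP or LSA package survives deleting the Run key and the hosts line, so those two locations are where a cleanup should be verified last.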

#2 Jaybird934

  • Topic Starter

  • Members
  • 110 posts
  • Local time:01:55 AM

Posted 25 October 2009 - 06:25 PM

I'm now certain I have cleaned the pc myself. This topic can be closed.

#3 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:55 AM

Posted 25 October 2009 - 08:05 PM

Thanks for letting us know

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
