Malwarebytes removal of System Guard


Malwarebytes removal of System Guard

Post by mtsx1us on 23rd February 2009, 1:05 pm

Anyone have any luck getting Malwarebytes to run once System Guard starts locking up the PC? I did as much manual removal as I can, but the PC is now at the point where it pretty much slows to a stop on boot. Don't get the bogus System Center or System Guard scan windows anymore, but I can't seem to get the PC to run the removal tool.

Any help would be greatly appreciated!

Matt

mtsx1us
Novice

Posts: 12
Joined: 2009-02-20
OS: Win2k3,XP,Vista,openSUSE,Win2k
Points: 28490
Likes: 0


Re: Malwarebytes removal of System Guard

Post by Belahzur on 23rd February 2009, 1:34 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement; press Accept and HijackThis will run.
  • Select "Do a system scan and save a log file". This will open a Notepad file of everything HijackThis found; copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245101
Likes: 1


Re: Malwarebytes removal of System Guard

Post by mtsx1us on 23rd February 2009, 3:37 pm

Umm, I did mention I can't get anything to run/install, right?


Re: Malwarebytes removal of System Guard

Post by Belahzur on 23rd February 2009, 3:45 pm

Yes, but at least we tried. Let's do a rootkit scan.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.





Re: Malwarebytes removal of System Guard

Post by mtsx1us on 23rd February 2009, 4:19 pm

Flashes briefly, then the system hangs again. I notice that Symantec Corp. Edition 10 keeps finding more Trojans whenever I try to run anything else, mostly "m.exe". It quarantines them, but I'm guessing this crap virus is trying to reinstall them?

I also can't download directly, as the manual methods for removal detailed in this forum apparently hosed my IE, so I've had to transfer from a thumb drive to the infected machine. So far, it won't let me finish the copy from the thumb drive to the infected machine to run it there. I have scanned the thumb drive each time I do a "transfer" and so far it comes up clean, but if I can't run it from the thumb drive and can't copy it to the infected machine, what options do I have left?


Re: Malwarebytes removal of System Guard

Post by Belahzur on 23rd February 2009, 4:24 pm

Let's try this. These aren't .exe files, so hopefully the malware won't notice, but I suspect it will do; see if you can run them anyway.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.





Re: Malwarebytes removal of System Guard

Post by mtsx1us on 23rd February 2009, 4:33 pm

It (DDS) will let me save the attach.txt but will not allow me to cut and paste the DDS notepad display.


Re: Malwarebytes removal of System Guard

Post by mtsx1us on 23rd February 2009, 4:35 pm

In fact, once it runs, the DDS Notepad window almost immediately goes into "Not Responding" mode.


Re: Malwarebytes removal of System Guard

Post by Belahzur on 23rd February 2009, 4:37 pm

Can you try booting to Safe Mode and try DDS there? If DDS will run, then great. Remember to save the log file.

Also, see if the avenger will run in safe mode.

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.





Re: Malwarebytes removal of System Guard

Post by mtsx1us on 23rd February 2009, 4:44 pm

No to both, nor will it run Malwarebytes. Been there, tried that, same results


Re: Malwarebytes removal of System Guard

Post by Belahzur on 23rd February 2009, 4:45 pm

Let's give Dr.Web a try.

* Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found:
  • If so, click it, then click the next icon right below and select "Move incurable", as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.





Dr Web scan finished

Post by mtsx1us on 24th February 2009, 5:06 pm

administrator.exe;c:\documents and settings\administrator;Trojan.DownLoad.28430;Deleted.;
mousehook.dll;c:\documents and settings\administrator\local settings\temp;Trojan.Click.24603;Deleted.;
lwucese.dll;c:\windows;Probably Trojan.Packed.453;Incurable.Moved.;
userinit.exe;c:\windows\system32;Trojan.DownLoad.28002;Cured.;
00203187.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.1596;Deleted.;
00599937.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.1634;Deleted.;
00605265.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.1596;Deleted.;
12670921.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.29330;Deleted.;
mousehook.dll;C:\Documents and Settings\Administrator\Local Settings\Temp;Trojan.Click.24603;Deleted.;
rsyncini.exe;C:\Documents and Settings\Administrator\Local Settings\Temp;Trojan.DownLoad.138;Deleted.;
pifccddur[1].txt;C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\9VQKR0EO;Trojan.DownLoad.28017;Deleted.;
lsp[1].exe;C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DL4F1TVW;Trojan.DownLoad.28002;Incurable.Moved.;
04680004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Win32.Virut.56;Incurable.Moved.;
04680006.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Win32.Virut.56;Incurable.Moved.;
0468000B.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Win32.Virut.56;Incurable.Moved.;
0468000D.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Win32.Virut.56;Incurable.Moved.;
0B600000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Win32.Virut.56;Incurable.Moved.;
0B640001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Spambot.4117;Incurable.Moved.;
0B640002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Win32.HLLW.Siggen.56;Deleted.;
0B640004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Spambot.4117;Incurable.Moved.;
0C440000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.854;Deleted.;
0C440001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Juan.78;Deleted.;
0C440002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Juan.78;Deleted.;
4DFE9D1B.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04680000;Win32.Virut.56;Incurable.Moved.;
4DFE9D1C.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04680000;Win32.Virut.56;Incurable.Moved.;
4DFE9D1D.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04680000;Win32.Virut.56;Incurable.Moved.;
4DFE9D1D.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04680001;Trojan.Fakealert.3952;Deleted.;
4DFEA2C6.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04680009;Trojan.Fakealert.3952;Deleted.;
4BFE9128.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600001;Win32.Virut.56;Incurable.Moved.;
4BFE9144.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600001;Win32.Virut.56;Incurable.Moved.;
4BFE9146.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600001;Win32.Virut.56;Incurable.Moved.;
4BFE913F.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600002;Win32.Virut.56;Incurable.Moved.;
4BFE9146.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600003;Win32.Virut.56;Incurable.Moved.;
4BFE914C.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600004;Win32.Virut.56;Incurable.Moved.;
4BFE9152.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600005;Win32.Virut.56;Incurable.Moved.;
4BFE9158.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600006;Win32.Virut.56;Incurable.Moved.;
4BFE915D.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600007;Trojan.DownLoad.29917;Deleted.;
4BFE9163.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600008;Win32.Virut.56;Incurable.Moved.;
4BFE9169.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600009;Win32.Virut.56;Incurable.Moved.;
A0013012.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP139;Trojan.DownLoad.29330;Deleted.;
A0013370.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP146;Trojan.Virtumod.1596;Deleted.;
A0014020.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP148;Trojan.Virtumod.1634;Deleted.;
A0014021.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP148;Trojan.Virtumod.1596;Deleted.;
A0015226.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP150;Trojan.Virtumod.854;Deleted.;
A0015417.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.Virtumod.854;Deleted.;
A0015419.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.Juan.78;Deleted.;
A0015429.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.Juan.78;Deleted.;
A0016262.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Adware.Bho.433;Incurable.Moved.;
A0016273.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.Juan.78;Deleted.;
A0016275.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.Juan.78;Deleted.;
A0016333.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.Packed.365;Deleted.;
A0016375.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.Virtumod.855;Deleted.;
A0017369.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0017370.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0017371.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0017372.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0017376.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0017378.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0017378.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.DownLoad.28002;Incurable.Moved.;
A0017379.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0017380.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0017387.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0017388.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0019420.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0019421.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0019422.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0019423.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.Fakealert.3952;Deleted.;
A0019424.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0022438.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.Fakealert.3952;Deleted.;
A0035429.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.DownLoad.28430;Deleted.;
A0035430.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.DownLoad.28002;Incurable.Moved.;
CouponPrinter.ocx;C:\WINDOWS;Adware.Coupons.34;Incurable.Moved.;
belzv.dll;C:\WINDOWS\system32;Trojan.Proxy.3351;Deleted.;
ssqOEWpo.dll.vir;C:\WINDOWS\system32;Trojan.Virtumod.855;Deleted.;
vumer.dll;C:\WINDOWS\system32;Adware.Bho.421;Incurable.Moved.;
userinit.exe;C:\WINDOWS\system32\dllcache;Trojan.DownLoad.28002;Incurable.Moved.;
uninstall.exe;F:\Program Files\nickarcade;Adware.Xbarre;Incurable.Moved.;

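One way to read a DrWeb.csv report like the one above is to sort each hit by where it lives: a detection inside another product's quarantine folder, an AVG vault, or a System Restore point has already been taken off the live system, so only hits on live paths say anything about the machine's current state. The script below is an added example written for this thread, not Dr.Web's own tooling. The rows are copied from the report posted above; the location rules and the file-infector family list are my assumptions.

```python
"""Triage a Dr.Web CureIt report by location and family.

Added example for the thread above, not Dr.Web's own tooling. Sample rows
are copied from the DrWeb.csv posted in the thread; the location rules and
the file-infector family list are my assumptions.
"""
from collections import Counter

# Assumption: families whose hit on a live path means executables were patched
# in place (Virut is a file infector), keyed to Dr.Web's naming in the report.
FILE_INFECTOR_FAMILIES = {"Win32.Virut"}

# Rows copied from the report posted above (name;directory;threat;action;).
SAMPLE_REPORT = r"""
lwucese.dll;c:\windows;Probably Trojan.Packed.453;Incurable.Moved.;
userinit.exe;c:\windows\system32;Trojan.DownLoad.28002;Cured.;
04680004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Win32.Virut.56;Incurable.Moved.;
00203187.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.1596;Deleted.;
A0017369.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
userinit.exe;C:\WINDOWS\system32\dllcache;Trojan.DownLoad.28002;Incurable.Moved.;
"""


def parse_report(text):
    """Return one dict per well-formed row; blank or truncated lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split(";")
        if len(fields) < 4 or not fields[0].strip():
            continue
        name, directory, threat, action = (f.strip() for f in fields[:4])
        rows.append({"name": name, "dir": directory, "threat": threat, "action": action})
    return rows


def classify_location(directory):
    """Bucket a path: hits in a quarantine store or a restore point are inert."""
    d = directory.lower()
    if "\\quarantine" in d or "$vault$" in d or "\\doctorweb" in d:
        return "quarantine"
    if "system volume information" in d:
        return "restore-point"
    if "\\temp" in d:  # matches both \Temp and \Temporary Internet Files
        return "temp-or-cache"
    return "live"


def family_of(threat):
    """Drop Dr.Web's 'Probably ' prefix and the trailing numeric variant."""
    name = threat[len("Probably "):] if threat.startswith("Probably ") else threat
    head, sep, tail = name.rpartition(".")
    return head if sep and tail.isdigit() else name


def triage(text):
    """Summarise hits by location and family and give a verdict on file infectors."""
    rows = parse_report(text)
    for r in rows:
        r["location"] = classify_location(r["dir"])
        r["family"] = family_of(r["threat"])
    by_location = Counter(r["location"] for r in rows)
    by_family = Counter(r["family"] for r in rows)
    live_hits = [r for r in rows if r["location"] == "live"]
    infector_live = [r for r in live_hits if r["family"] in FILE_INFECTOR_FAMILIES]
    infector_any = [r for r in rows if r["family"] in FILE_INFECTOR_FAMILIES]
    if infector_live:
        verdict = "file infector hit on a live path"
    elif infector_any:
        verdict = "file infector seen only in quarantine/restore points: inconclusive"
    else:
        verdict = "no file infector reported"
    return {"rows": len(rows), "by_location": by_location, "by_family": by_family,
            "live_hits": live_hits, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(result["verdict"])
    print("by location:", dict(result["by_location"]))
    print("by family:  ", dict(result["by_family"]))
    for r in result["live_hits"]:
        print(f"  live: {r['dir']}\\{r['name']}  {r['threat']}  {r['action']}")
```

On the rows above every Win32.Virut hit sits in a Symantec quarantine folder or a restore point, so the report alone cannot say whether the infector is still active; that is the "may or may not have Virut" position in the next reply, and it is why a listing of recently modified system binaries (the DDS Find3M section later in the thread) is the more decisive evidence.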

Re: Malwarebytes removal of System Guard

Post by Belahzur on 24th February 2009, 5:27 pm

Hello.
I hate to say this, but your machine is in a bad state, you may or may not have Virut.
See here, info about Virut:
[You must be registered and logged in to see this link.]

See if you can get DDS to run now, but if you read the link above, Virut cannot be fixed, so as of this point right now, your machine has a 50/50 chance of getting through this.

If DDS will run, post the log.





Re: Malwarebytes removal of System Guard

Post by mtsx1us on 24th February 2009, 6:00 pm

BTW,

Still can't get Avenger to run, flashes a message I can't see/read, then goes away. Still can't get SP3 to reload either, though it gets further now (I get all the way to the "I Agree" button before the window closes)


Re: Malwarebytes removal of System Guard

Post by mtsx1us on 24th February 2009, 6:01 pm

Got DDS to finish this time. Here's the log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 12:59:31.62 on Tue 02/24/2009
Internet Explorer: 7.0.5730.13

============== Pseudo HJT Report ===============

uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: c:\windows\system32\vcar3sdu3yaj3.dll: {c5af42a3-94f3-42bd-f634-3604832c897d} - c:\windows\system32\vcar3sdu3yaj3.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AIM] f:\program files\aim95\aim.exe -cnetwait.odl
uRun: [jsg8jfgfdfhfhf] c:\docume~1\admini~1\locals~1\temp\winlognn.exe
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [systemguard] c:\program files\system guard 2009\systemguard.exe
mRun: [jsg8jfgfdfhfhf] c:\docume~1\admini~1\locals~1\temp\winlognn.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - f:\program files\aim95\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - [You must be registered and logged in to see this link.]
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - [You must be registered and logged in to see this link.]
Filter: text/html - {7f7ed156-d6e6-419d-b6ff-089e5de7a891} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: feadeabecabe - c:\windows\system32\feadeabecabe.dll
Notify: jkkLDVpP - jkkLDVpP.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: tuilop.dll
SSODL: InternetConnection - {F25B3DC9-206F-494C-A7B4-CD2456517FEB} - c:\documents and settings\all users\application data\microsoft\network\dlls\mblltjwuvp.dll
SSODL: ieModule - {06AE1439-C4BF-4556-8F42-ECFB2F8A186E} - c:\documents and settings\all users\application data\microsoft\network\dlls\ieModule.dll
STS: c:\windows\system32\vcar3sdu3yaj3.dll: {c5af42a3-94f3-42bd-f634-3604832c897d} - c:\windows\system32\vcar3sdu3yaj3.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\jkkLDVpP.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqOEWpo

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-02-23 14:05 --d----- c:\documents and settings\administrator\DoctorWeb
2009-02-23 12:28 --d----- C:\9ade2a2f59a28c98afb767
2009-02-23 12:06 --d----- C:\c6b2265a2f8bc7c547d1c866f10bab
2009-02-20 11:01 --d----- C:\ff5b1b855e7cb4d65a398f319b7a6405
2009-02-20 10:07 --d-h--- c:\windows\system32\GroupPolicy
2009-02-20 08:08 --d----- C:\56b876dd32dfc4c8a341d9706a182e
2009-02-20 06:32 179 a------- C:\handle.dat
2009-02-19 15:33 30,208 a------- c:\windows\system32\UACneqhswuy.dll
2009-02-19 15:33 15,000 a------- c:\windows\system32\vcar3sdu3yaj3.dll
2009-02-19 15:33 56,320 a------- c:\windows\system32\drivers\UACavsbmasb.sys
2009-02-19 15:33 1 a------- c:\windows\system32\uniq.tll
2009-02-19 15:33 10 a------- c:\windows\system32\kr_done1
2009-02-19 15:33 72,704 a------- c:\windows\system32\wgjnoxny.dll
2009-02-19 13:23 0 a------- c:\windows\vpc32.INI
2009-02-19 13:18 123,488 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-19 13:18 91,856 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-19 13:17 --d----- c:\program files\Symantec
2009-02-19 13:17 --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-02-19 13:17 --d----- c:\program files\Symantec AntiVirus
2009-02-16 10:22 1,589,401 ---sh--- c:\windows\system32\qbcuikfj.ini
2009-02-15 16:05 1,583,467 ---sh--- c:\windows\system32\qnmmxird.ini
2009-02-14 20:03 --d----- c:\program files\directx
2009-02-14 15:03 3,684 a--sh--- c:\windows\system32\opWEOqss.ini2
2009-02-14 15:03 3,684 a--sh--- c:\windows\system32\opWEOqss.ini
2009-02-13 17:01 --d----- c:\program files\LEGO Media
2009-02-04 09:49 --d-hr-- C:\$VAULT$.AVG
2009-01-31 18:42 --d----- c:\program files\Common

==================== Find3M ====================

2009-02-20 07:07 5,632 a------- c:\windows\system32\cisvc.exe
2009-02-20 07:07 224,768 a------- c:\windows\system32\dmadmin.exe
2009-02-20 07:07 6,144 a------- c:\windows\system32\msdtc.exe
2009-02-20 06:17 14,336 a------- c:\windows\system32\svchost.exe
2009-02-20 06:16 65,536 a------- c:\windows\system32\HPZinw12.exe
2009-02-20 06:16 24,576 -------- c:\windows\system32\userinit.exe
2009-02-20 06:14 13,312 a------- c:\windows\system32\lsass.exe
2009-02-20 06:14 108,032 a------- c:\windows\system32\services.exe
2009-02-20 06:14 502,272 a------- c:\windows\system32\winlogon.exe
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 04:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 04:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 00:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 00:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 06:57 333,184 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 12:59:48.39 ===============


Re: Malwarebytes removal of System Guard

Post by Belahzur on 24th February 2009, 6:13 pm

Bad news.

See these lines from DDS's Find3m part of the report.

2009-02-20 07:07 5,632 a------- c:\windows\system32\cisvc.exe
2009-02-20 07:07 224,768 a------- c:\windows\system32\dmadmin.exe
2009-02-20 07:07 6,144 a------- c:\windows\system32\msdtc.exe
2009-02-20 06:17 14,336 a------- c:\windows\system32\svchost.exe
2009-02-20 06:16 65,536 a------- c:\windows\system32\HPZinw12.exe
2009-02-20 06:16 24,576 -------- c:\windows\system32\userinit.exe
2009-02-20 06:14 13,312 a------- c:\windows\system32\lsass.exe
2009-02-20 06:14 108,032 a------- c:\windows\system32\services.exe
2009-02-20 06:14 502,272 a------- c:\windows\system32\winlogon.exe

All these files are legit, and all are patched.
You have Virut, we can't do anything now.
I'm sorry, but this is game over.

You have to know this about Virut:

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]




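Belahzur's reading of the Find3M block (eight legitimate Windows binaries in system32 all rewritten within the same hour, on a day with no service pack install) can be turned into a repeatable check. The script below is an added example, not DDS's own code: it parses Find3M lines in the format shown above and reports the largest group of protected system binaries whose modification times fall inside a window. The `CORE_BINARIES` set, the 60-minute window and the three-file threshold are my assumptions; the input lines are copied from the log above.

```python
"""Flag a burst of modifications to core Windows binaries in a DDS Find3M listing.

Added example, not DDS's own code. Input lines are copied from the Find3M
block above; CORE_BINARIES, the window and the threshold are my assumptions.
"""
import re
from datetime import datetime, timedelta

# "YYYY-MM-DD HH:MM  size  attributes  path", as DDS prints Find3M entries.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.+?)\s*$")

# Assumption: protected binaries that only an OS update should ever rewrite.
CORE_BINARIES = {"winlogon.exe", "lsass.exe", "services.exe", "svchost.exe",
                 "userinit.exe", "msdtc.exe", "dmadmin.exe", "cisvc.exe"}

# Lines copied from the Find3M section of the DDS log posted above.
SAMPLE_FIND3M = r"""
2009-02-20 07:07 5,632 a------- c:\windows\system32\cisvc.exe
2009-02-20 07:07 224,768 a------- c:\windows\system32\dmadmin.exe
2009-02-20 07:07 6,144 a------- c:\windows\system32\msdtc.exe
2009-02-20 06:17 14,336 a------- c:\windows\system32\svchost.exe
2009-02-20 06:16 65,536 a------- c:\windows\system32\HPZinw12.exe
2009-02-20 06:16 24,576 -------- c:\windows\system32\userinit.exe
2009-02-20 06:14 13,312 a------- c:\windows\system32\lsass.exe
2009-02-20 06:14 108,032 a------- c:\windows\system32\services.exe
2009-02-20 06:14 502,272 a------- c:\windows\system32\winlogon.exe
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 04:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
"""


def parse_find3m(text):
    """Parse Find3M lines; lines that do not fit the format are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        entries.append({
            "mtime": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
            "size": int(size.replace(",", "")),
            "attrs": attrs,
            "path": path,
            "name": path.rsplit("\\", 1)[-1].lower(),
        })
    return entries


def largest_cluster(entries, window):
    """Largest set of entries whose mtimes all lie within `window` (sliding window)."""
    entries = sorted(entries, key=lambda e: e["mtime"])
    best, j = [], 0
    for i in range(len(entries)):
        while j < len(entries) and entries[j]["mtime"] - entries[i]["mtime"] <= window:
            j += 1
        if j - i > len(best):
            best = entries[i:j]
    return best


def find_mass_modification(text, window_minutes=60, min_files=3):
    """Report the biggest burst of rewrites to protected binaries in a Find3M listing."""
    core = [e for e in parse_find3m(text) if e["name"] in CORE_BINARIES]
    cluster = largest_cluster(core, timedelta(minutes=window_minutes))
    span = 0
    if cluster:
        span = int((cluster[-1]["mtime"] - cluster[0]["mtime"]).total_seconds() // 60)
    return {
        "suspicious": len(cluster) >= min_files,
        "cluster": [e["name"] for e in cluster],
        "span_minutes": span,
        "first": cluster[0]["mtime"].isoformat(sep=" ") if cluster else None,
    }


if __name__ == "__main__":
    verdict = find_mass_modification(SAMPLE_FIND3M)
    print("suspicious:", verdict["suspicious"])
    print(f"{len(verdict['cluster'])} core binaries rewritten within "
          f"{verdict['span_minutes']} min starting {verdict['first']}:")
    for name in verdict["cluster"]:
        print("  ", name)
```

A legitimate service pack or cumulative update rewrites the same binaries in a similar burst, so a positive result is a prompt to check the files against known-good copies (hash or size from installation media, or the machine's own update history for that date), not a verdict by itself. Here the timestamps fall on 2009-02-20, the day the poster says SP3 would not even reinstall, which is what makes the pattern damning.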

Re: Malwarebytes removal of System Guard

Post by mtsx1us on 25th February 2009, 3:53 pm

Short of a reformat, what other tools are available? I can do a factory restore on it, plus software re-install, but would rather not.


Re: Malwarebytes removal of System Guard

Post by mtsx1us on 25th February 2009, 3:55 pm

PS - I'm SANS GIAC Silver and CompTIA Security+ certified.


Re: Malwarebytes removal of System Guard

Post by Belahzur on 25th February 2009, 4:02 pm

Very well done.
So I assume you know (or somewhat anyway) about malware and how dangerous it can be.

A factory restore or full reformat is the only way out, Virut cannot be fixed.
See here:
[You must be registered and logged in to see this link.]





Re: Malwarebytes removal of System Guard

Post by mtsx1us on 25th February 2009, 4:22 pm

Okay, re-install it is. Thanks!

