
Sister's Computer - "SpyGuardPro" trojan

Discussion in 'Virus & Other Malware Removal' started by Kyoto1000, Nov 12, 2007.

Thread Status:
Not open for further replies.
  1. Kyoto1000

    Kyoto1000 Thread Starter

    Joined:
    Nov 12, 2007
    Messages:
    24
    Sister is somehow infected. She was playing a game, alt-tabbed, and the computer automatically started to download SpyGuardPro. I assume that she has been infected by something like Virtumonde, and I'm posting a HijackThis log.

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\mshta.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\DOCUME~1\Carolyn\LOCALS~1\Temp\winshow.exe
    C:\WINDOWS\17PHolmes77.exe
    C:\Program Files\Web Buying\v1.8.5\webbuying.exe
    C:\WINDOWS\17PHolmes1000106.exe
    C:\DOCUME~1\Carolyn\LOCALS~1\Temp\install_en.exe
    C:\DOCUME~1\Carolyn\LOCALS~1\Temp\NI.UGA6P_0001_N122M2210\setup.exe
    C:\DOCUME~1\Carolyn\LOCALS~1\Temp\~uga6psetup.exe
    C:\DOCUME~1\Carolyn\LOCALS~1\Temp\is-L5SUQ.tmp\~uga6psetup.exe.tmp
    C:\WINDOWS\b122.exe
    C:\Documents and Settings\Carolyn\Desktop\HiJackThis.exe
    C:\WINDOWS\system32\rundll32.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
    O2 - BHO: (no name) - {1ddeacc0-2ffc-4d45-9f94-1bd9eb487e2b} - C:\WINDOWS\system32\lohorsx.dll
    O2 - BHO: (no name) - {3AD7AD19-4B03-47B7-A7D3-25FDE3B81E06} - C:\Program Files\MSN\menozC:\DOCUME~1\Carolyn\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {EA3F00C6-99BA-4CAB-AA2B-E7EE4C44B4D3} - C:\Program Files\MSN\menozC:\WINDOWS\system32\h2\jumper83122.exe.dll (file missing)
    O2 - BHO: IEFW Object - {FAAD2038-C371-473D-86F1-5B11D39C3775} - C:\Program Files\SpyGuardPro\Tools\IEFWBHO.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
    O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\DOCUME~1\Carolyn\LOCALS~1\Temp\install_en.exe"
    O4 - HKLM\..\Run: [SpyGuardPro] C:\Program Files\SpyGuardPro\pgs.exe
    O4 - HKLM\..\Run: [{5E-E1-14-42-ZN}] C:\DOCUME~1\Carolyn\LOCALS~1\Temp\T0CHD001.exe CHD001
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
    O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
    O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Carolyn\Local Settings\Temp\T0CHD001.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O20 - Winlogon Notify: fccayax - C:\WINDOWS\SYSTEM32\fccayax.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

    --
    End of file - 4709 bytes
     
  2. Kyoto1000

    Kyoto1000 Thread Starter

    Joined:
    Nov 12, 2007
    Messages:
    24
    Can anyone help me with this? I'm already scanning with superantispyware, and it has over 181 threats detected!
     
  3. Kyoto1000

    Kyoto1000 Thread Starter

    Joined:
    Nov 12, 2007
    Messages:
    24
    I've completed a scan with SUPERAntiSpyware, and it detected a total of 185 items. It quarantined and cleaned them, and I rebooted the computer. Upon login, I had 3 popups about SpyGuardPro, like the file not found or something. I'm fairly sure the computer is still infected. Need I post another Hijackthis log?

    Note: I'm currently re-scanning with SUPERAntiSpyware, and so far it has only picked up Adware.Vundo Variant, though I've only been scanning maybe a minute.

    Note2: Adware.Vundo Variant was the only thing found on the computer again. I'm going to disconnect the internet on her computer after downloading AVG Anti Virus, uninstall Avast Anti Virus, install AVG Anti Virus, and perform a scan. If it picks up anything, I will post another HiJackThis log.

    Note3: Scanning with AVG, Yazzle1549OinAdmin.exe and wininstall.exe found on the computer. More may be added. I will be posting another HIJACKTHIS log after AVG cleans and quarantines.

    Note4: 17PHolmes572.exe, mrofinu1000106.exe, mrofinu77.exe, Yazzle1549OinAdmin.exe, and wininstall.exe found so far on the system.
     
  4. Kyoto1000

    Kyoto1000 Thread Starter

    Joined:
    Nov 12, 2007
    Messages:
    24
    System is still heavily infected. I see the things I believe need to be deleted, but I won't delete anything in HijackThis without an official. AVG Anti Virus picked up one more virus which was not included in the post above. If needed, I will post its name.

    Here is the new HijackThis log. Please help! >_<!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:49:51 PM, on 11/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Documents and Settings\Carolyn\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    O2 - BHO: (no name) - {3AD7AD19-4B03-47B7-A7D3-25FDE3B81E06} - C:\Program Files\MSN\menozC:\DOCUME~1\Carolyn\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {EA3F00C6-99BA-4CAB-AA2B-E7EE4C44B4D3} - C:\Program Files\MSN\menozC:\WINDOWS\system32\h2\jumper83122.exe.dll (file missing)
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [{5E-E1-14-42-ZN}] C:\DOCUME~1\Carolyn\LOCALS~1\Temp\T0CHD001.exe CHD001
    O4 - HKLM\..\Run: [SpyGuardPro] C:\Program Files\SpyGuardPro\pgs.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Carolyn\Local Settings\Temp\T0CHD001.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

    --
    End of file - 4344 bytes
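The second log above shows the entries a malware-removal helper looks at first: anonymous BHOs, autostart entries pointing into a user's Temp directory, wildcard Trusted Zone domains, and a non-empty AppInit_DLLs value. As an added example that is not part of this thread or of HijackThis itself, the script below runs simple triage rules over a few lines constructed from that log; the rule names and thresholds are my own.

```python
import re

# Constructed sample: a handful of lines copied from the second HijackThis
# log posted above, mixed with benign entries so the rules have something to skip.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [{5E-E1-14-42-ZN}] C:\DOCUME~1\Carolyn\LOCALS~1\Temp\T0CHD001.exe CHD001
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Carolyn\Local Settings\Temp\T0CHD001.exe
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Autostart entries that resolve into a per-user Temp directory are a classic
# sign of a drive-by installer rather than a properly installed program.
TEMP_PATH = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)


def triage(log_text):
    """Return (reason, line) pairs for HijackThis lines a reviewer should look at first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("O2 - BHO: (no name)"):
            # A browser helper object is loaded into every IE process; legitimate
            # vendors almost always register a display name for theirs.
            findings.append(("anonymous BHO", line))
        elif line.startswith("O4 ") and TEMP_PATH.search(line):
            findings.append(("autostart from Temp directory", line))
        elif line.startswith("O15 - Trusted Zone:"):
            # Trusted Zone sites bypass most IE download/ActiveX prompts; rogue
            # security products add their own domains here.
            findings.append(("Trusted Zone entry", line))
        elif line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            # AppInit_DLLs is injected into every process that loads user32.dll.
            findings.append(("AppInit_DLLs injection", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

The rules are deliberately coarse: they rank lines for a human to review against a reference such as the HijackThis tutorial, not replace that review.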
     
  5. Kyoto1000

    Kyoto1000 Thread Starter

    Joined:
    Nov 12, 2007
    Messages:
    24
    Anyone going to help me? I think I'm only slowing the virus down. Even Spybot is picking up a few things still.
     
Short URL to this thread: https://techguy.org/651174