Spyguardpro?

#1 jdoane (New Member, 1 posts)

After downloading a handful of keygens for MS Office I started getting a shitstorm of infections in my Ad-Aware, Spybot and avast scans. Every couple of minutes I get an official-looking pop-up saying,
---------------------------
Windows Security Alert
---------------------------
Warning! Potential Spyware Operation!
Your computer is making unauthorized copies of your system and
Internet files. Run full scan now to prevent any unauthorized access
to your files! Click here to download spyware remover...
---------------------------
Yes No
---------------------------
I also got 2 new icons in my toolbar next to the clock saying I'm infected with spyware, and clicking on them brings me to
http://spyguardpro.c...nfo=4388_0_4442
Also, occasionally my start menu, toolbar, and all desktop icons will disappear...

HijackThis and ComboFix logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:39 AM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvgaz.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Abel - Unknown owner - C:\Program Files\Cain\Abel.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 5094 bytes

ComboFix 08-02.05.3 - Joey Doane 2008-02-07 7:38:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1617 [GMT -5:00]
Running from: C:\Documents and Settings\Joey Doane\My Documents\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\mljkjii.dll
C:\Program Files\lsass.exe
C:\WINDOWS\system32\awvvt.dll
C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\bcqyvljr.dll
C:\WINDOWS\system32\cnijtdnu.dll
C:\WINDOWS\system32\cuneevhn.dll
C:\WINDOWS\system32\ddayw.dll
C:\WINDOWS\system32\efcbxya.dll
C:\WINDOWS\system32\eioobbcu.dll
C:\WINDOWS\system32\erhwwync.dll
C:\WINDOWS\system32\gahllvhu.dll
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\jkklm.dll
C:\WINDOWS\system32\liodnbcs.dll
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\system32\mljkjii.dll
C:\WINDOWS\system32\oxvofxmg.dll
C:\WINDOWS\system32\pmnnn.dll
C:\WINDOWS\system32\ssqonli.dll
C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\trehiakk.dll
C:\WINDOWS\system32\uvvwa.ini
C:\WINDOWS\system32\uvvwa.ini2
C:\WINDOWS\system32\vinxyihf.dll
C:\WINDOWS\system32\vtutq.dll
C:\WINDOWS\system32\wmohmjgc.dll
C:\WINDOWS\system32\xjispkhg.dll
C:\WINDOWS\system32\xysxwxeg.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.

2008-02-07 07:16 . 2008-02-07 07:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-06 13:21 . 2008-02-06 13:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-06 13:21 . 2008-02-06 13:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-05 21:58 . 2008-02-05 21:58 305,029 --a------ C:\AnalysisLog.sr0
2008-02-05 21:24 . 2008-02-05 21:24 <DIR> d-------- C:\Program Files\Rockstar Games
2008-02-05 21:14 . 2008-02-05 21:14 90,688 --a------ C:\WINDOWS\system32\akgpkbkv.dll
2008-02-05 21:09 . 2008-02-05 21:09 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-02-04 18:20 . 2008-02-04 18:20 15,872 --a------ C:\WINDOWS\system32\drvgaz.dll
2008-02-02 23:50 . 2007-09-05 01:46 92,544 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-02-02 23:49 . 2008-02-02 23:50 <DIR> d-------- C:\Program Files\MagicDisc
2008-02-02 23:45 . 2008-02-02 23:46 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-02-02 23:45 . 2008-02-02 23:45 <DIR> d-------- C:\Documents and Settings\Joey Doane\Application Data\DAEMON Tools
2008-02-02 16:52 . 2008-02-02 16:58 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-29 00:12 . 2008-01-29 00:12 25,088 --a------ C:\WINDOWS\system32\winzoa32.dll
2008-01-29 00:11 . 2008-01-29 00:11 25,088 --a------ C:\WINDOWS\system32\winjjq32.dll
2008-01-29 00:10 . 2008-01-29 00:10 25,088 --a------ C:\WINDOWS\system32\winpdc32.dll
2008-01-28 20:29 . 2008-01-28 20:31 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-26 16:34 . 2008-01-26 16:34 <DIR> d-------- C:\Program Files\GW Team Builder
2008-01-26 16:34 . 2008-01-26 16:34 <DIR> d-------- C:\Documents and Settings\Joey Doane\.gwteambuilder
2008-01-26 00:21 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-26 00:21 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-26 00:21 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-26 00:05 . 2008-01-26 00:05 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-26 00:04 . 2008-01-26 00:05 <DIR> d-------- C:\Program Files\Microsoft Expression
2008-01-25 23:03 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-25 23:01 . 2008-01-25 23:01 <DIR> d-------- C:\Program Files\MSBuild
2008-01-25 23:01 . 2008-01-25 23:02 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-25 22:59 . 2008-01-25 22:59 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-25 22:55 . 2008-01-25 23:24 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-25 22:54 . 2008-02-02 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-25 22:53 . 2008-01-25 22:53 <DIR> dr-h----- C:\MSOCache
2008-01-25 22:39 . 2008-02-02 21:01 <DIR> d-------- C:\Program Files\MagicISO
2008-01-25 12:06 . 2008-01-25 12:06 <DIR> d-------- C:\Documents and Settings\Joey Doane\Application Data\acccore
2008-01-25 12:05 . 2008-01-25 12:05 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2008-01-25 12:05 . 2008-01-25 12:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-25 12:05 . 2008-01-28 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-01-23 14:23 . 2008-02-02 21:05 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-01-23 14:23 . 2008-01-28 19:52 <DIR> d-------- C:\Program Files\AIM6
2008-01-23 14:22 . 2008-01-28 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-01-23 14:22 . 2008-01-28 19:52 3,948 --ah----- C:\IPH.PH
2008-01-23 14:22 . 2008-01-23 14:22 29 --a------ C:\WINDOWS\atid.ini
2008-01-21 15:32 . 2008-01-21 15:32 <DIR> d-------- C:\Documents and Settings\Joey Doane\Application Data\InstallShield
2008-01-21 13:26 . 2008-01-21 13:26 <DIR> d-------- C:\Program Files\Perfect World
2008-01-11 11:48 . 2008-01-11 11:48 754 --a------ C:\WINDOWS\WORDPAD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 11:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-06 03:42 --------- d-----w C:\Documents and Settings\Joey Doane\Application Data\Azureus
2008-02-06 03:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-04 23:31 --------- d-----w C:\Program Files\Microsoft Games
2008-02-03 04:41 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-02-03 02:05 --------- d-----w C:\Program Files\AIM
2008-01-25 17:05 --------- d-----w C:\Program Files\Viewpoint
2008-01-24 03:06 --------- d-----w C:\Program Files\Guild Wars
2008-01-22 17:42 --------- d-----w C:\Documents and Settings\Joey Doane\Application Data\OpenOffice.org1.9.95
2008-01-18 05:43 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-04 04:50 --------- d-----w C:\Program Files\Azureus
2007-12-13 05:10 --------- d-----w C:\Program Files\iTunes
2007-12-13 05:10 --------- d-----w C:\Program Files\iPod
2007-12-13 02:55 --------- d-----w C:\Program Files\IGN
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 11:51 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2002-01-02 12:02 4603904]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"MSDisp32"="C:\WINDOWS\system32\drvgaz.dll" [2008-02-04 18:20 15872]

C:\Documents and Settings\Joey Doane\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-02-02 23:49:59 557568]

R0 m5289;m5289;C:\WINDOWS\system32\DRIVERS\m5289.sys [2004-11-30 21:49]
R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys [2005-05-03 04:31]
R3 FVNETusb;Linksys Wireless-B USB Network Adapter v2.8 Driver;C:\WINDOWS\system32\DRIVERS\vnet58lx.sys [2004-03-26 14:08]
S2 Abel;Abel;C:\Program Files\Cain\Abel.exe []
S3 jbridgep;jbridgep;C:\DOCUME~1\JOEYDO~1\LOCALS~1\Temp\jbridgep.sys []
S3 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\moufiltr.sys [2006-09-18 14:36]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 12:31]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15abd242-c0d5-11da-a4f9-806d6172696f}]
\Shell\AutoRun\command - D:\Autorun\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 06:28:21 C:\WINDOWS\Tasks\Ad-Aware SE Personal.job"
- C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
"2008-02-02 06:34:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 06:29:26 C:\WINDOWS\Tasks\avast! Antivirus.job"
- C:\PROGRA~1\ALWILS~1\Avast4\ashAvast.exe
"2008-02-02 06:30:33 C:\WINDOWS\Tasks\CCleaner.job"
- C:\PROGRA~1\CCleaner\ccleaner.exe
"2008-02-02 06:31:36 C:\WINDOWS\Tasks\Spybot - Search & Destroy.job"
- C:\PROGRA~1\SPYBOT~1\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 07:45:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\drvgaz.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-02-07 7:47:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-07 12:47:50
.
2008-01-27 08:01:23 --- E O F ---
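A triage script added here (it is not part of the post, nor of HijackThis or ComboFix) that correlates three fragments of the logs above: it flags any Run entry that launches a DLL through rundll32 when ComboFix shows that DLL was created within the last week or is already loaded into a running process, which is exactly what the MSDisp32 / drvgaz.dll lines show. The sample lines are copied from the logs in the post; the seven-day window and the scan time are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the HijackThis and ComboFix logs in the post.
HJT_O4 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvgaz.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
CF_CREATED = r"""
2008-02-05 21:14 . 2008-02-05 21:14 90,688 --a------ C:\WINDOWS\system32\akgpkbkv.dll
2008-02-04 18:20 . 2008-02-04 18:20 15,872 --a------ C:\WINDOWS\system32\drvgaz.dll
2008-01-29 00:12 . 2008-01-29 00:12 25,088 --a------ C:\WINDOWS\system32\winzoa32.dll
"""
CF_LOADED = r"""
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\drvgaz.dll
"""
SCAN_TIME = datetime(2008, 2, 7, 7, 38)  # assumed: ComboFix start time from the log header

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
CREATED_RE = re.compile(r"^(?P<created>\S+ \S+) \. \S+ \S+ \S+ \S+ (?P<path>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.I)

def parse_created(text):
    """Map lower-cased path -> creation time from ComboFix 'Files Created' lines."""
    out = {}
    for m in filter(None, map(CREATED_RE.match, text.splitlines())):
        out[m["path"].lower()] = datetime.strptime(m["created"], "%Y-%m-%d %H:%M")
    return out

def parse_loaded(text):
    """Set of lower-cased DLL paths listed under 'DLLs Loaded Under Running Processes'."""
    return {l[3:].strip().lower() for l in text.splitlines() if l.startswith("-> ")}

def triage_run_keys(hjt_text, created, loaded, now, max_age_days=7):
    """Flag Run entries that start a DLL through rundll32 when that DLL was created
    recently and/or is already loaded into a process (the MSDisp32/drvgaz.dll pattern)."""
    findings = []
    for m in filter(None, map(O4_RE.match, hjt_text.splitlines())):
        d = RUNDLL_RE.search(m["cmd"])
        if not d:
            continue  # plain EXE entries are left for manual review
        dll = d["dll"].lower()
        reasons = []
        if dll in created and (now - created[dll]).days <= max_age_days:
            reasons.append("created " + created[dll].strftime("%Y-%m-%d"))
        if dll in loaded:
            reasons.append("loaded in a running process")
        if reasons:
            findings.append((m["name"], dll, reasons))
    return findings
```

Run against the three fragments, the only hit is the MSDisp32 entry; the NvCplDaemon entry also uses rundll32 but its DLL is neither newly created nor reported as loaded, so it is not flagged.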