Malignant growths related to "Vista Guardian"? Help!

Archive
1

Yesterday I fell to some kind of computer virus which installed the "trial" of Vista Guardian, a rogue security application.  I never downloaded the "full version" and I believe I removed the Vista Guardian effects following the recommendations and manual removal from that site, but I am also worried and suspicious that it was just the fancy finish on a host of other problems.  How might I go about finding out what else the security breach might have changed or how to fix it?

 

I was a little disappointed that Norton Internet Security did not seem to give me any warnings.  Looking through its history after the fact, it did seem to block at least some things.  It also gives me a long history around the time of suspected infection (after I clicked the windows toolbar recommendation to update Windows).  It is too long to include everything, but I'm most worried about whether the above link's manual removal fixed all the registry settings as well as possible changes to the core files mentioned below.

 

"c:\windows\syswow64\cmd.exe"
"\REGISTRY\USER\S-1-5-21-561658425-4283027154-3312309362-1000\Software\Microsoft\Windows\CurrentVersion\Run\uishf9wuifwuh387fh3wufinhjfdwefe"

"c:\windows\syswow64\cmd.exe"

"c:\windows\syswow64\regsrv32.exe"

"c:\windows\syswow64\rundll32.exe"

"c:\windows\syswow64\explorer.exe"

"\REGISTRY\USER\S-1-5-21-56165825-4283027154-3312309362-1000\Software\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb"

"c:\program files (x86)\ati technologies\ati.ace\core-static\ccc.exe"

"\REGISTRY\USER\S-1-5-21-561658425-4283027154-3312309362-1000_CLASSES\Wow6432Node\.exe\DefaultIcon"
"\REGISTRY\USER\S-1-5-21-561658425-428302715403312309362-1000_CLASSES\.exe\DefaultIcon"
"\REGISTRY\USER\S-1-5-21-561658425-428302715403312309362-1000_CLASSES\Wow6432Node\secfile\DefaultIcon"
"\REGISTRY\USER\S-1-5-21-561658425-428302715403312309362-1000_CLASSES\secfile\DefaultIcon"

"c:\program files (x86)\java\jre6\bin\ssvagent.exe"
"c:\program files\ltonhis\verbatim\skdaemon.exe"
"c:\program files\windows defender\msascui.exe"
"c:\windows\raidtool\xinside.exe"
"c:\program files (x86)\hp\digital imaging\bin\hpqtra08.exe"
"c:\program files (x86)\via\viaudioi\vdeck\vdeck.exe"
"c:\program files (x86)\ati technologies\ati.ace\core-static\clistart.exe"
"c:\program files (x86)\adobe\reader 9.0\reader\reader_sl.exe"
"c:\program files\asus\turbov\turbov.exe"
"c:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe"
"c:\program files (x86)\java\jre6\bin\jusched.exe"
"c:\program files (x86)\hp\hp software update\hpwuschd2.exe"
"c:\program files\asus\turbo key\turbokey.exe"
"c:\program files (x86)\internet explorer\iexplore.exe"
"c:\program files (x86)\openoffice.org 3\program\quickstart.exe"
"c:\program files (x86)\hp\digital imaging\bin\hpqste08.exe"

"c:\program files (x86)\java\jre6\bin\jucheck.exe"
"c:\program files (x86)\nortoninstaller\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis\a5e82d02\16.8.0.41\inststub.exe"
"c:\program files (x86)\norton internet security\engine\16.8.0.41\uistub.exe"

 

I am also worried that Norton Internet Security stopped noticing these modifications because it was modified.

 

 

Here is a hijackthis run.  I am particularly concerned by all the missing files (though maybe this was because it is a self-built computer?) and the line.

O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\Users\Will\AppData\Local\Temp\services.exe

 [edit: I should mention that C:\Users\Will\AppData\Local\Temp\services.exe was one of the files modifying the av.exe file during the critical time]

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:29 AM, on 2/24/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files\ASUS\TurboV\TurboV.exe
C:\Program Files\ASUS\Turbo Key\TurboKey.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files (x86)\Internet Explorer\ieuser.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Users\Will\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [HDAudDeck] "C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" -r
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [TurboV] "C:\Program Files\ASUS\TurboV\TurboV.exe"
O4 - HKLM\..\Run: [Turbo Key] "C:\Program Files\ASUS\Turbo Key\TurboKey.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\Users\Will\AppData\Local\Temp\services.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ASUS System Control Service (AsSysCtrlService) - Unknown owner - C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

 

 

Thanks for any help, and taking the time to read through any of that mess,

Will