[Solved] Re: Remove Spyware Guard 2008 - GreenEngineer

I am having similar issues with Spyware Guard not being able to be deleted. I have tried SmitfraudFix.exe and I downloaded, but cannot install, Malwarebytes' Anti-Malware program. The malware will not let me access internet sites (Trend Micro or other virus software sites) which might be useful in fighting it.

I downloaded the Silent Runners script you suggested, but attempts to post the txt file make this post too big.

Here is the HiJackThis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:45 PM, on 12/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\IN2591~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\PcScnSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\winscenter.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\pccguide.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\IN2591~1\pccguide.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cc02faf7] rundll32.exe "C:\WINDOWS\system32\lpwymuce.dll",b
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106968273171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169310646090
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://media.rivals.com/msichat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://exacttarget.webex.com/client/T25L/nbr/ieatgpc.cab
O20 - AppInit_DLLs: xdvhle.dll
O21 - SSODL: ieModule - {D7173B7C-1166-4BB9-84CC-F6AF4594A6D4} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {D82C2A6D-35A0-48DF-9877-550C833DF2F5} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\mdpmzbxqcq.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\tmproxy.exe

--
End of file - 9124 bytes

Re: Remove Spyware Guard 2008 - GreenEngineer

Split from:

http://www.geekpolice.net/malware-removal-support-hijackthis-logs-f11/remove-spyware-guard-2008-odaboda-t4431.htm

Do not post your logs/problems in other people's topics in future.

Re: Remove Spyware Guard 2008 - GreenEngineer

Hello.


  • Download combofix from here, use the top links - combofix.exe
  • Double click on ComboFix.exe.
  • Follow the prompts.
    NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    It's strongly recommended to have the Recovery Console installed before doing any malware removal.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes.

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Remove Spyware Guard 2008 - GreenEngineer

Here is the Combofix txt file - the software was unable to connect to the internet and download whatever files it was looking for:
ComboFix 08-11-18.03 - Cindy Green 2008-12-12 15:53:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.432 [GMT -5:00]
Running from: c:\documents and settings\Cindy Green\Desktop\-Combo-Fix-.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common\helper.dll
c:\windows\Downloaded Program Files\setup.inf
c:\windows\IE4 Error Log.txt
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))
.

2008-12-12 15:52 . 2008-12-12 15:55 d----c--- C:\-Combo-Fix-
2008-12-12 13:14 . 2008-12-12 13:14 1,644,981 ---hs---- c:\windows\SYSTEM32\bquwivir.ini
2008-12-12 13:14 . 2008-12-12 13:14 72,704 --a------ c:\windows\SYSTEM32\riviwuqb.dll
2008-12-12 13:09 . 2008-12-12 13:09 129,024 --a------ c:\windows\SYSTEM32\uuxmqboq.dll
2008-12-12 13:09 . 2008-12-12 13:09 129,024 --a------ c:\windows\SYSTEM32\pcsazt.dll
2008-12-11 20:53 . 2008-12-11 20:53 d-------- c:\program files\Spyware Guard 2008
2008-12-11 20:53 . 2008-12-11 20:53 1,003,957 --a------ c:\windows\sysexplorer.exe
2008-12-11 20:53 . 2008-12-11 20:53 134,149 --a------ c:\windows\reged.exe
2008-12-11 20:53 . 2008-12-11 20:53 51,197 --a------ c:\windows\spoolsystem.exe
2008-12-11 20:53 . 2008-12-11 20:53 50,620 --a------ c:\windows\sys.com
2008-12-11 20:53 . 2008-12-11 20:53 47,872 --a------ c:\windows\syscert.exe
2008-12-11 20:53 . 2008-12-11 20:53 18,941 --a------ c:\windows\vmreg.dll
2008-12-11 20:24 . 2008-12-11 20:24 1,623,552 ---hs---- c:\windows\SYSTEM32\ecumywpl.ini
2008-12-11 20:24 . 2008-12-11 20:24 129,024 --a------ c:\windows\SYSTEM32\xdvhle.dll
2008-12-11 20:24 . 2008-12-11 20:24 129,024 --a------ c:\windows\SYSTEM32\qasmpsju.dll
2008-12-11 07:32 . 2008-12-11 07:32 11,264 --ahs---- c:\windows\SYSTEM32\Thumbs.db
2008-12-10 22:37 . 2008-12-11 20:42 5,212 --a------ c:\windows\SYSTEM32\tmp.reg
2008-12-10 21:36 . 2008-12-11 07:32 53,248 --ahs---- c:\windows\Thumbs.db
2008-12-10 20:52 . 2008-12-10 20:52 d-------- c:\program files\Enigma Software Group
2008-12-10 20:24 . 2008-12-10 20:24 7,922 --a------ c:\windows\SYSTEM32\tsdrcboc.dll
2008-12-10 20:22 . 2008-12-10 20:22 7,926 --a------ c:\windows\SYSTEM32\pgxnfjot.dll
2008-12-09 20:27 . 2008-12-09 20:27 7,922 --a------ c:\windows\SYSTEM32\sorgvhtv.dll
2008-12-09 20:25 . 2008-12-09 20:25 381,952 --a------ c:\windows\SYSTEM32\winscenter.exe
2008-12-09 20:25 . 2008-12-09 20:25 158,208 --a------ c:\windows\SYSTEM32\xddtdtdl.exe
2008-12-09 20:25 . 2008-12-09 20:25 13,829 --a------ c:\documents and settings\All Users\Application Data\svhost.exe
2008-12-09 20:21 . 2008-12-09 20:21 7,926 --a------ c:\windows\SYSTEM32\bgibsyie.dll
2008-12-08 22:30 . 2008-12-08 22:30 7,926 --a------ c:\windows\SYSTEM32\ijpnovka.dll
2008-12-08 22:30 . 2008-12-08 22:30 7,922 --a------ c:\windows\SYSTEM32\fjpohysm.dll
2008-12-07 22:30 . 2008-12-07 22:30 7,926 --a------ c:\windows\SYSTEM32\xenqvvqm.dll
2008-12-07 22:28 . 2008-12-07 22:28 7,922 --a------ c:\windows\SYSTEM32\bbjxkpkn.dll
2008-12-07 22:27 . 2008-12-12 15:54 884,628 --ahs---- c:\windows\SYSTEM32\TDNTAcfe.ini2
2008-12-07 22:27 . 2008-12-12 15:54 884,628 --ahs---- c:\windows\SYSTEM32\TDNTAcfe.ini
2008-12-07 22:27 . 2008-12-07 22:27 302,592 --a------ c:\windows\SYSTEM32\efcATNDT.dll
2008-12-07 22:22 . 2008-12-07 22:22 34,816 --a------ c:\windows\SYSTEM32\ljJYpnmj.dll
2008-12-07 22:22 . 2008-12-07 22:22 7,812 --a------ c:\windows\SYSTEM32\ssqNgHxw.dll
2008-12-07 20:01 . 2008-12-07 20:01 32,256 --a------ c:\windows\SYSTEM32\digeste.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 20:54 --------- d-----w c:\program files\Common
2008-12-11 03:29 --------- d-----w c:\program files\Trend Micro
2008-11-15 01:44 --------- d-----w c:\program files\Safari
2008-11-11 13:10 --------- d-----w c:\program files\iTunes
2008-11-11 13:10 --------- d-----w c:\program files\iPod
2008-11-11 13:10 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-31 02:54 7,704 ----a-w c:\windows\SYSTEM32\mst120.dll
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll
2008-10-15 16:57 332,800 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-15 11:57 1,846,016 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2006-10-03 06:43 2,402,550 -c--a-w c:\windows\INF\SET83.tmp
2006-07-01 19:06 284 ----a-w c:\documents and settings\Cindy Green\Application Data\ViewerApp.dat
2005-11-09 04:56 321,326 -csh--w c:\windows\SYSTEM\tacniw.bak1
2005-11-12 01:57 259,190 -csh--w c:\windows\SYSTEM\tacniw.bak2
2005-11-12 15:46 258,788 -csh--w c:\windows\SYSTEM\tacniw.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40A14A0C-CAD3-4DBE-B6B6-2EE2D55001A0}]
2008-12-07 22:27 302592 --a------ c:\windows\system32\efcATNDT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4694e1c9-436a-440e-9ee5-94d7eb453e50}]
2008-12-12 13:09 129024 --a------ c:\windows\system32\pcsazt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-04-29 524288]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-01-21 26112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-10-08 131072]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-10-08 53248]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 290816]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2002-05-07 20530]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2002-05-07 24626]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2002-05-07 20530]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2002-05-07 45056]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"pccguide.exe"="c:\progra~1\TRENDM~1\IN2591~1\pccguide.exe" [2006-12-27 3112960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"spywareguard"="c:\program files\Spyware Guard 2008\spywareguard.exe" [2008-12-11 1005568]
"cc02faf7"="c:\windows\system32\riviwuqb.dll" [2008-12-12 72704]
"Logitech Utility"="Logi_MwX.Exe" [2003-05-16 c:\windows\LOGI_MWX.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\ljJYpnmj.dll" [2008-12-07 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ieModule"= {D7173B7C-1166-4BB9-84CC-F6AF4594A6D4} - c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll [2008-12-09 2676736]
"InternetConnection"= {D82C2A6D-35A0-48DF-9877-550C833DF2F5} - c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\mdpmzbxqcq.dll [2008-12-09 762368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJYpnmj]
2008-12-07 22:22 34816 c:\windows\SYSTEM32\ljJYpnmj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pcsazt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\efcATNDT

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 sonypvl3;sonypvl3;c:\windows\system32\drivers\sonypvl3.sys [2006-02-22 18110]
R1 sonypvf3;sonypvf3;c:\windows\system32\drivers\sonypvf3.sys [2006-02-22 619390]
R1 sonypvt3;sonypvt3;c:\windows\system32\drivers\sonypvt3.sys [2006-02-22 423454]
S1 sonypvd3;Sony DVD Handycam;c:\windows\system32\DRIVERS\sonypvd3.sys [2006-02-22 64964]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\aoesetup.exe /autorun
\Shell\directx\command - d:\directx\dxsetup.exe
\Shell\dplay\command - d:\directx\dplay61a.exe
\Shell\dxdiag\command - d:\goodies\ar40eng.exe
\Shell\dxinfo\command - d:\goodies\DirectX\dxinfo.exe
\Shell\dxtest\command - d:\directx\dxdiag.exe
\Shell\dxtool\command - d:\goodies\DirectX\dxtool.exe
\Shell\log\command - d:\goodies\machine\machine.exe -l
\Shell\machine\command - d:\goodies\machine\machine.exe
\Shell\setup\command - D:\aoesetup.exe /autorun
\Shell\zone\command - d:\goodies\mszone\zoneA600.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ff3d6b4-d900-11d9-a8cf-001111b7c3f8}]
\Shell\AutoRun\command - f:\jdsecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42ad5c09-8294-11dc-b355-001111b7c3f8}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c566979-a9fb-11da-b2e1-001111b7c3f8}]
\Shell\AutoRun\command - f:\jdlightning\Windows\JDLightning.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Cindy Green\Application Data\Mozilla\Firefox\Profiles\xock6ehf.default\
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-12 15:55:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\ljJYpnmj.dll

PROCESS: c:\windows\system32\lsass.exe
-> c:\windows\system32\efcATNDT.dll
.
Completion time: 2008-12-12 15:57:54
ComboFix-quarantined-files.txt 2008-12-12 20:57:46

Pre-Run: 53,432,639,488 bytes free
Post-Run: 53,639,876,608 bytes free

218 --- E O F --- 2008-11-12 08:02:46
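The HijackThis and ComboFix logs posted above contain the kinds of persistence and defence-evasion entries a responder looks for when triaging a log like this: a hex-named rundll32 autorun, a populated AppInit_DLLs value, ShellServiceObjectDelayLoad handlers under Application Data, Security Center and firewall overrides, an extra LSA authentication package and security provider, and the TDSSserv.sys driver service. The Python triage script below is an added example, not code from this thread or from the HijackThis/ComboFix tools; the rule names and the "known default" sets are my own choices, and the sample log lines are copied from the logs above plus one benign control line.

```python
"""Triage of HijackThis / ComboFix style log lines for the indicator classes
seen in this thread. Added example, not code from the thread or the tools."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # short rule name
    evidence: str   # the log line that triggered it


# Windows XP defaults: msv1_0 is the only LSA authentication package and
# SecurityProviders carries just these four DLLs. Anything extra deserves review.
KNOWN_AUTH_PACKAGES = {"msv1_0"}
KNOWN_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Line shapes as printed by HijackThis (O4/O20/O21) and by ComboFix's registry dump.
RE_O4_RUNDLL = re.compile(r'^O4 - .*\[(?P<name>[^\]]+)\] rundll32(?:\.exe)? "(?P<dll>[^"]+)"', re.I)
RE_O20 = re.compile(r"^O20 - AppInit_DLLs:\s*\S", re.I)
RE_O21 = re.compile(r"^O21 - SSODL: .* - (?P<path>[A-Z]:\\.+\.dll)\s*$", re.I)
RE_SC_OVERRIDE = re.compile(r'^"(?:AntiVirusOverride|FirewallOverride|DisableMonitoring)"=dword:0*1$', re.I)
RE_FW_OFF = re.compile(r'^"EnableFirewall"=\s*0\b', re.I)
RE_AUTHPKG = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(?P<pkgs>.+)$", re.I)
RE_SECPROV = re.compile(r"^SecurityProviders\s+(?P<provs>.+)$", re.I)
RE_SVC_SYS = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\[^\]]+\.sys\]$", re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)


def triage_line(line: str) -> list[Finding]:
    """Return every finding for one log line (usually zero or one)."""
    line = line.strip()
    out: list[Finding] = []
    m = RE_O4_RUNDLL.match(line)
    if m and HEX_NAME.match(m["name"]):
        # A Run value named like a random hex id that loads a DLL through rundll32
        # is the rogue-AV loader pattern seen as [cc02faf7] in the thread.
        out.append(Finding("rundll32-autorun-hex-name", line))
    if RE_O20.match(line):
        # AppInit_DLLs is empty on a default XP install; any DLL listed here is
        # loaded into every process that maps user32.dll.
        out.append(Finding("appinit-dlls-set", line))
    m = RE_O21.match(line)
    if m and "\\system32\\" not in m["path"].lower():
        # Heuristic: legitimate ShellServiceObjectDelayLoad handlers live in
        # system32; one under Application Data is how the thread's DLLs hid.
        out.append(Finding("ssodl-outside-system32", line))
    if RE_SC_OVERRIDE.match(line):
        # Security Center told not to alert about AV/firewall state.
        out.append(Finding("security-center-override", line))
    if RE_FW_OFF.match(line):
        out.append(Finding("windows-firewall-disabled", line))
    m = RE_AUTHPKG.match(line)
    if m and any(p.lower() not in KNOWN_AUTH_PACKAGES for p in m["pkgs"].split()):
        # An extra authentication package is loaded into lsass.exe at boot.
        out.append(Finding("extra-lsa-auth-package", line))
    m = RE_SECPROV.match(line)
    if m and any(p.strip().lower() not in KNOWN_SECURITY_PROVIDERS
                 for p in m["provs"].split(",")):
        out.append(Finding("extra-security-provider", line))
    if RE_SVC_SYS.match(line):
        # Service key names normally carry no extension; "TDSSserv.sys" is the
        # rootkit driver service ComboFix listed in the thread.
        out.append(Finding("driver-service-named-like-file", line))
    return out


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over a whole log and collect the findings in order."""
    return [f for line in log_text.splitlines() for f in triage_line(line)]


# Constructed sample: lines copied from the logs posted in this thread, plus one
# benign iTunesHelper autorun as a control that must not be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cc02faf7] rundll32.exe "C:\WINDOWS\system32\lpwymuce.dll",b
O20 - AppInit_DLLs: xdvhle.dll
O21 - SSODL: InternetConnection - {D82C2A6D-35A0-48DF-9877-550C833DF2F5} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\mdpmzbxqcq.dll
"AntiVirusOverride"=dword:00000001
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\efcATNDT
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:32} {f.evidence[:70]}")
```

The rules are deliberately narrow (empty-by-default keys, documented default value sets, a structural oddity in the service name) so they generalise beyond this one infection without flagging ordinary Run entries.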

Re: Remove Spyware Guard 2008 - GreenEngineer

Hello.
We need to take down the rootkit before we can use combofix.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
TDSSserv.sys

Files to delete:
c:\windows\system32\drivers\TDSSmqlt.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Re: Remove Spyware Guard 2008 - GreenEngineer

I'm trying to download the Avenger script, but the infection will not allow me to access anti-malware websites. I "googled" Avenger and Swandog... trying to find a site with the script, but all attempts to access won't go through.

Re: Remove Spyware Guard 2008 - GreenEngineer

I have uploaded it here.

http://www.sendspace.com/file/ul6425

Re: Remove Spyware Guard 2008 - GreenEngineer

Belazhur - I downloaded Avenger and ran it per your directions. However, as soon as it restarted the computer, upon reboot the computer goes to the CHKDSK utility. It verifies the files, but gets stuck midway through the index verification and reboots the computer. It continues to reboot midway through the index verification in a continuous loop. Any suggestions? Or is the hard drive corrupt beyond repair?

Thanks for all your help.

Re: Remove Spyware Guard 2008 - GreenEngineer

This may be the work of the rootkit.

Do you have your XP CD?

Re: Remove Spyware Guard 2008 - GreenEngineer

I should have it... what are your suggestions/directions?

Re: Remove Spyware Guard 2008 - GreenEngineer

Hello.
We can try a repair install; this site will be better than me explaining it.

http://www.michaelstevenstech.com/XPrepairinstall.htm

Re: Remove Spyware Guard 2008 - GreenEngineer

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.
