Remove Spyware Guard 2008 - GreenEngineer


Solved Re: Remove Spyware Guard 2008 - GreenEngineer

Post by GreenEngineer on Fri Dec 12, 2008 2:20 am

I am having similar issues with Spyware Guard not being able to be deleted. I have tried SmitfraudFix.exe, and I downloaded but cannot install Malwarebytes' Anti-Malware. The malware will not let me access internet sites (Trend Micro or other virus software sites) which might be useful in fighting it.

I downloaded the Silent Runners script you suggested, but attempts to post the txt file make this post too big.

Here is the HijackThis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:45 PM, on 12/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\IN2591~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\PcScnSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\winscenter.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\pccguide.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\IN2591~1\pccguide.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cc02faf7] rundll32.exe "C:\WINDOWS\system32\lpwymuce.dll",b
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - [You must be registered and logged in to see this link.]
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - [You must be registered and logged in to see this link.]
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: xdvhle.dll
O21 - SSODL: ieModule - {D7173B7C-1166-4BB9-84CC-F6AF4594A6D4} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {D82C2A6D-35A0-48DF-9877-550C833DF2F5} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\mdpmzbxqcq.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\tmproxy.exe

--
End of file - 9124 bytes
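An added example, not code from this thread or from HijackThis: a Python triage script over HijackThis-format lines that flags the load points a helper would look at first (hex-named Run values, rundll32 Run entries, AppInit_DLLs, SSODL DLLs outside system32, services with no publisher string). The sample lines are constructed from the log above, and the rogue-name list is an assumption seeded from this thread.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str  # "high" or "info"
    section: str   # HijackThis section code (O4, O20, O21, O23)
    detail: str


HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SSODL_ENTRY = re.compile(r"^SSODL: .+? - \{[^}]+\} - (?P<path>.*)$")
SERVICE_ENTRY = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")
SYSTEM32_DIR = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)

# Rogue product name taken from this thread (assumption); extend from your own case notes.
ROGUE_NAMES = ("spyware guard 2008",)

# Constructed sample in HijackThis v2 format, copied from the log posted above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [cc02faf7] rundll32.exe "C:\WINDOWS\system32\lpwymuce.dll",b
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O20 - AppInit_DLLs: xdvhle.dll
O21 - SSODL: ieModule - {D7173B7C-1166-4BB9-84CC-F6AF4594A6D4} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


def triage_hijackthis(log_text: str) -> List[Finding]:
    """Return the entries a malware-removal helper would examine first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            run = RUN_ENTRY.match(body)
            if not run:  # e.g. "Global Startup:" entries use a different layout
                continue
            name, cmd = run.group("name"), run.group("cmd")
            if HEX_NAME.match(name):
                findings.append(Finding("high", sec, f"Run value named like a random hex id: [{name}] {cmd}"))
            if "rundll32" in cmd.lower() and ".dll" in cmd.lower():
                findings.append(Finding("high", sec, f"Run value loads a DLL through rundll32: [{name}] {cmd}"))
            if any(rogue in cmd.lower() for rogue in ROGUE_NAMES):
                findings.append(Finding("high", sec, f"Known rogue product autostart: [{name}] {cmd}"))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.partition(":")[2].strip()
            if value:  # loaded into every process that links user32.dll
                findings.append(Finding("high", sec, f"AppInit_DLLs is populated: {value}"))
        elif sec == "O21":
            ss = SSODL_ENTRY.match(body)
            if ss and not SYSTEM32_DIR.match(ss.group("path")):
                findings.append(Finding("high", sec, f"ShellServiceObjectDelayLoad DLL outside system32: {ss.group('path')}"))
        elif sec == "O23":
            svc = SERVICE_ENTRY.match(body)
            if svc and svc.group("owner") == "Unknown owner":
                findings.append(Finding("info", sec, f"Service without a publisher string: {svc.group('name')} -> {svc.group('path')}"))
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_HJT):
        print(f"{f.severity:5} {f.section:4} {f.detail}")
```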



Post by Doctor Inferno on Fri Dec 12, 2008 4:01 am

Split from:

[You must be registered and logged in to see this link.]

Do not post your logs/problems in other people's topic in future.




Post by Belahzur on Fri Dec 12, 2008 4:58 pm

Hello.

  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.




Post by GreenEngineer on Fri Dec 12, 2008 9:11 pm

Here is the Combofix txt file - the software was unable to connect to the internet and download whatever files it was looking for:

ComboFix 08-11-18.03 - Cindy Green 2008-12-12 15:53:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.432 [GMT -5:00]
Running from: c:\documents and settings\Cindy Green\Desktop\-Combo-Fix-.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common\helper.dll
c:\windows\Downloaded Program Files\setup.inf
c:\windows\IE4 Error Log.txt
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))
.

2008-12-12 15:52 . 2008-12-12 15:55 d----c--- C:\-Combo-Fix-
2008-12-12 13:14 . 2008-12-12 13:14 1,644,981 ---hs---- c:\windows\SYSTEM32\bquwivir.ini
2008-12-12 13:14 . 2008-12-12 13:14 72,704 --a------ c:\windows\SYSTEM32\riviwuqb.dll
2008-12-12 13:09 . 2008-12-12 13:09 129,024 --a------ c:\windows\SYSTEM32\uuxmqboq.dll
2008-12-12 13:09 . 2008-12-12 13:09 129,024 --a------ c:\windows\SYSTEM32\pcsazt.dll
2008-12-11 20:53 . 2008-12-11 20:53 d-------- c:\program files\Spyware Guard 2008
2008-12-11 20:53 . 2008-12-11 20:53 1,003,957 --a------ c:\windows\sysexplorer.exe
2008-12-11 20:53 . 2008-12-11 20:53 134,149 --a------ c:\windows\reged.exe
2008-12-11 20:53 . 2008-12-11 20:53 51,197 --a------ c:\windows\spoolsystem.exe
2008-12-11 20:53 . 2008-12-11 20:53 50,620 --a------ c:\windows\sys.com
2008-12-11 20:53 . 2008-12-11 20:53 47,872 --a------ c:\windows\syscert.exe
2008-12-11 20:53 . 2008-12-11 20:53 18,941 --a------ c:\windows\vmreg.dll
2008-12-11 20:24 . 2008-12-11 20:24 1,623,552 ---hs---- c:\windows\SYSTEM32\ecumywpl.ini
2008-12-11 20:24 . 2008-12-11 20:24 129,024 --a------ c:\windows\SYSTEM32\xdvhle.dll
2008-12-11 20:24 . 2008-12-11 20:24 129,024 --a------ c:\windows\SYSTEM32\qasmpsju.dll
2008-12-11 07:32 . 2008-12-11 07:32 11,264 --ahs---- c:\windows\SYSTEM32\Thumbs.db
2008-12-10 22:37 . 2008-12-11 20:42 5,212 --a------ c:\windows\SYSTEM32\tmp.reg
2008-12-10 21:36 . 2008-12-11 07:32 53,248 --ahs---- c:\windows\Thumbs.db
2008-12-10 20:52 . 2008-12-10 20:52 d-------- c:\program files\Enigma Software Group
2008-12-10 20:24 . 2008-12-10 20:24 7,922 --a------ c:\windows\SYSTEM32\tsdrcboc.dll
2008-12-10 20:22 . 2008-12-10 20:22 7,926 --a------ c:\windows\SYSTEM32\pgxnfjot.dll
2008-12-09 20:27 . 2008-12-09 20:27 7,922 --a------ c:\windows\SYSTEM32\sorgvhtv.dll
2008-12-09 20:25 . 2008-12-09 20:25 381,952 --a------ c:\windows\SYSTEM32\winscenter.exe
2008-12-09 20:25 . 2008-12-09 20:25 158,208 --a------ c:\windows\SYSTEM32\xddtdtdl.exe
2008-12-09 20:25 . 2008-12-09 20:25 13,829 --a------ c:\documents and settings\All Users\Application Data\svhost.exe
2008-12-09 20:21 . 2008-12-09 20:21 7,926 --a------ c:\windows\SYSTEM32\bgibsyie.dll
2008-12-08 22:30 . 2008-12-08 22:30 7,926 --a------ c:\windows\SYSTEM32\ijpnovka.dll
2008-12-08 22:30 . 2008-12-08 22:30 7,922 --a------ c:\windows\SYSTEM32\fjpohysm.dll
2008-12-07 22:30 . 2008-12-07 22:30 7,926 --a------ c:\windows\SYSTEM32\xenqvvqm.dll
2008-12-07 22:28 . 2008-12-07 22:28 7,922 --a------ c:\windows\SYSTEM32\bbjxkpkn.dll
2008-12-07 22:27 . 2008-12-12 15:54 884,628 --ahs---- c:\windows\SYSTEM32\TDNTAcfe.ini2
2008-12-07 22:27 . 2008-12-12 15:54 884,628 --ahs---- c:\windows\SYSTEM32\TDNTAcfe.ini
2008-12-07 22:27 . 2008-12-07 22:27 302,592 --a------ c:\windows\SYSTEM32\efcATNDT.dll
2008-12-07 22:22 . 2008-12-07 22:22 34,816 --a------ c:\windows\SYSTEM32\ljJYpnmj.dll
2008-12-07 22:22 . 2008-12-07 22:22 7,812 --a------ c:\windows\SYSTEM32\ssqNgHxw.dll
2008-12-07 20:01 . 2008-12-07 20:01 32,256 --a------ c:\windows\SYSTEM32\digeste.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 20:54 --------- d-----w c:\program files\Common
2008-12-11 03:29 --------- d-----w c:\program files\Trend Micro
2008-11-15 01:44 --------- d-----w c:\program files\Safari
2008-11-11 13:10 --------- d-----w c:\program files\iTunes
2008-11-11 13:10 --------- d-----w c:\program files\iPod
2008-11-11 13:10 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-31 02:54 7,704 ----a-w c:\windows\SYSTEM32\mst120.dll
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll
2008-10-15 16:57 332,800 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-15 11:57 1,846,016 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2006-10-03 06:43 2,402,550 -c--a-w c:\windows\INF\SET83.tmp
2006-07-01 19:06 284 ----a-w c:\documents and settings\Cindy Green\Application Data\ViewerApp.dat
2005-11-09 04:56 321,326 -csh--w c:\windows\SYSTEM\tacniw.bak1
2005-11-12 01:57 259,190 -csh--w c:\windows\SYSTEM\tacniw.bak2
2005-11-12 15:46 258,788 -csh--w c:\windows\SYSTEM\tacniw.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40A14A0C-CAD3-4DBE-B6B6-2EE2D55001A0}]
2008-12-07 22:27 302592 --a------ c:\windows\system32\efcATNDT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4694e1c9-436a-440e-9ee5-94d7eb453e50}]
2008-12-12 13:09 129024 --a------ c:\windows\system32\pcsazt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-04-29 524288]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-01-21 26112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-10-08 131072]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-10-08 53248]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 290816]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2002-05-07 20530]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2002-05-07 24626]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2002-05-07 20530]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2002-05-07 45056]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"pccguide.exe"="c:\progra~1\TRENDM~1\IN2591~1\pccguide.exe" [2006-12-27 3112960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"spywareguard"="c:\program files\Spyware Guard 2008\spywareguard.exe" [2008-12-11 1005568]
"cc02faf7"="c:\windows\system32\riviwuqb.dll" [2008-12-12 72704]
"Logitech Utility"="Logi_MwX.Exe" [2003-05-16 c:\windows\LOGI_MWX.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\ljJYpnmj.dll" [2008-12-07 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ieModule"= {D7173B7C-1166-4BB9-84CC-F6AF4594A6D4} - c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll [2008-12-09 2676736]
"InternetConnection"= {D82C2A6D-35A0-48DF-9877-550C833DF2F5} - c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\mdpmzbxqcq.dll [2008-12-09 762368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJYpnmj]
2008-12-07 22:22 34816 c:\windows\SYSTEM32\ljJYpnmj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pcsazt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\efcATNDT

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 sonypvl3;sonypvl3;c:\windows\system32\drivers\sonypvl3.sys [2006-02-22 18110]
R1 sonypvf3;sonypvf3;c:\windows\system32\drivers\sonypvf3.sys [2006-02-22 619390]
R1 sonypvt3;sonypvt3;c:\windows\system32\drivers\sonypvt3.sys [2006-02-22 423454]
S1 sonypvd3;Sony DVD Handycam;c:\windows\system32\DRIVERS\sonypvd3.sys [2006-02-22 64964]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\aoesetup.exe /autorun
\Shell\directx\command - d:\directx\dxsetup.exe
\Shell\dplay\command - d:\directx\dplay61a.exe
\Shell\dxdiag\command - d:\goodies\ar40eng.exe
\Shell\dxinfo\command - d:\goodies\DirectX\dxinfo.exe
\Shell\dxtest\command - d:\directx\dxdiag.exe
\Shell\dxtool\command - d:\goodies\DirectX\dxtool.exe
\Shell\log\command - d:\goodies\machine\machine.exe -l
\Shell\machine\command - d:\goodies\machine\machine.exe
\Shell\setup\command - D:\aoesetup.exe /autorun
\Shell\zone\command - d:\goodies\mszone\zoneA600.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ff3d6b4-d900-11d9-a8cf-001111b7c3f8}]
\Shell\AutoRun\command - f:\jdsecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42ad5c09-8294-11dc-b355-001111b7c3f8}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c566979-a9fb-11da-b2e1-001111b7c3f8}]
\Shell\AutoRun\command - f:\jdlightning\Windows\JDLightning.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Cindy Green\Application Data\Mozilla\Firefox\Profiles\xock6ehf.default\
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-12 15:55:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\ljJYpnmj.dll

PROCESS: c:\windows\system32\lsass.exe
-> c:\windows\system32\efcATNDT.dll
.
Completion time: 2008-12-12 15:57:54
ComboFix-quarantined-files.txt 2008-12-12 20:57:46

Pre-Run: 53,432,639,488 bytes free
Post-Run: 53,639,876,608 bytes free

218 --- E O F --- 2008-11-12 08:02:46
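An added example, not code from this thread or from ComboFix: a Python parser for the "Reg Loading Points" and "DLLs Loaded Under Running Processes" sections of a ComboFix log that flags the security-control tampering and injection points visible in the log above (Security Center overrides, firewall off, a Winlogon Notify package, an extra LSA authentication package and SecurityProviders DLL, and the TDSSserv.sys driver service). The sample is constructed from the log in this post; the Windows XP baseline sets are assumptions.

```python
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, detail)
# Baselines for a stock Windows XP install (assumption); anything beyond them is suspect.
BASELINE_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
BASELINE_AUTH_PACKAGES = {"msv1_0"}
SENSITIVE_PROCESSES = ("winlogon.exe", "lsass.exe")

# Constructed sample: the relevant sections of the ComboFix log posted above.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJYpnmj]
2008-12-07 22:22 34816 c:\windows\SYSTEM32\ljJYpnmj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pcsazt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\efcATNDT

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"
.
PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\ljJYpnmj.dll

PROCESS: c:\windows\system32\lsass.exe
-> c:\windows\system32\efcATNDT.dll
"""


def parse_combofix(text: str) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Group value lines under their [registry key] and '-> dll' lines under their PROCESS: header."""
    keys: Dict[str, List[str]] = {}
    procs: Dict[str, List[str]] = {}
    cur_key = cur_proc = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # a blank line or a lone "." ends the current block
            cur_key = cur_proc = None
        elif line.startswith("[") and line.endswith("]"):
            cur_key, cur_proc = line[1:-1], None
            keys.setdefault(cur_key, [])
        elif line.startswith("PROCESS: "):
            cur_proc, cur_key = line[9:].lower(), None
            procs.setdefault(cur_proc, [])
        elif line.startswith("-> ") and cur_proc:
            procs[cur_proc].append(line[3:])
        elif cur_key is not None:
            keys[cur_key].append(line)
    return keys, procs


def _leaf(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def analyze_combofix(text: str) -> List[Finding]:
    keys, procs = parse_combofix(text)
    out: List[Finding] = []
    for key, values in keys.items():
        k, low = key.lower(), [v.lower() for v in values]
        if k.endswith("\\security center") and '"antivirusoverride"=dword:00000001' in low:
            out.append(("high", "Security Center AntiVirusOverride=1: missing-antivirus alerts suppressed"))
        if "\\security center\\monitoring\\" in k and '"disablemonitoring"=dword:00000001' in low:
            out.append(("high", f"Security Center monitoring disabled for {_leaf(key)}"))
        if k.endswith("\\firewallpolicy\\standardprofile") and any(v.startswith('"enablefirewall"= 0') for v in low):
            out.append(("high", "Windows Firewall standard profile turned off"))
        if "\\winlogon\\notify\\" in k:  # Notify packages are loaded by winlogon itself
            out.append(("high", f"Winlogon Notify package {_leaf(key)}: {' '.join(values)}"))
        for v in values:
            name, _, data = v.partition("=")
            if name.lower() == '"appinit_dlls"' and data.strip():
                out.append(("high", f"AppInit_DLLs is populated: {data.strip()}"))
            elif name.lower() == '"imagepath"' and "\\services\\" in k:
                out.append(("medium", f"Service {_leaf(key)} image path: {data.strip().strip(chr(34))}"))
            elif v.startswith("Authentication Packages"):  # extra entries are loaded into lsass
                for pkg in v.split()[3:]:
                    if pkg.lower() not in BASELINE_AUTH_PACKAGES:
                        out.append(("high", f"Extra LSA authentication package: {pkg}"))
            elif v.startswith("SecurityProviders"):  # note the look-alike digeste.dll vs digest.dll
                for dll in v[len("SecurityProviders"):].split(","):
                    if dll.strip() and dll.strip().lower() not in BASELINE_SECURITY_PROVIDERS:
                        out.append(("high", f"Extra SecurityProviders DLL: {dll.strip()}"))
    for proc, dlls in procs.items():
        if proc.endswith(SENSITIVE_PROCESSES):
            for dll in dlls:
                out.append(("high", f"Non-standard DLL loaded in {_leaf(proc)}: {dll}"))
    return out
```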



Post by Belahzur on Fri Dec 12, 2008 9:17 pm

Hello.
We need to take down the rootkit before we can use combofix.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C).


Drivers to delete:
TDSSserv.sys

Files to delete:
c:\windows\system32\drivers\TDSSmqlt.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.




Post by GreenEngineer on Fri Dec 12, 2008 10:37 pm

I'm trying to download the Avenger script, but the infection will not allow me to access anti-malware websites. I "googled" Avenger and Swandog... trying to find a site with the script, but all attempts to access won't go through.



Post by Belahzur on Fri Dec 12, 2008 10:41 pm

I have uploaded it here.

[You must be registered and logged in to see this link.]




Post by GreenEngineer on Sat Dec 13, 2008 7:30 pm

Belahzur - I downloaded Avenger and ran it per your directions..... However, as soon as it restarted the computer.... upon reboot, the computer goes to the CHKDSK utility. It verifies the files, but gets stuck midway through the index verification and reboots the computer. It continues to reboot midway through the index verification in a continuous loop. Any suggestions? Or is the hard drive corrupt beyond repair?

Thanks for all your help.



Post by Belahzur on Sat Dec 13, 2008 7:35 pm

This may be the work of the rootkit.

Do you have your XP CD?




Post by GreenEngineer on Sun Dec 14, 2008 1:56 am

I should have it..... what are your suggestions/directions?



Post by Belahzur on Sun Dec 14, 2008 2:01 am

Hello.
We can try a repair install, this site will be better than me explaining it.

[You must be registered and logged in to see this link.]




Post by Doctor Inferno on Sat Jan 17, 2009 10:26 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

