os-guard pro virus

First topic message reminder :

This morning I became a victim of this virus. Same symptoms as I've read in many posts on this website. I noticed the guidance that "each computer is unique", so rather than trying to follow the existing threads I have started my own. Thanks in advance for your help!

Yeah, give Safe Mode with networking, so you have internet access.

My script just gets exports of the 2 run keys under each hive, then has a look inside the Program Files folder.

o-k, I'm now in safe mode on the infected computer...what's next?

do I run the look.bat file now?

are you still there???

I'm having the exact same problem today as well. It's malware, by a website called os-guardpro2010.com. They've attached the spyware to all the system start up files. I've tried everything possible, including a malware scan in safe mode. I'm stuck too.

Yeah, still here, just had to go offline, went to get something to eat. Run the bat file, and post the log when done.

I fixed it!!!!

I went into safe mode with networking, downloaded spybot seek & destroy. It detected the files and fixed the problem. I then rebooted and all is back to normal!

Belahzur, I ran the Malware program in safe mode. It detected 9 problem files, which I deleted, and when I rebooted everything's working fine. I saved a log file of the Malware findings...do you wish to have it for reference, or not?

Thanks for all of your help!

Yes please, post the log.

If the log shows traced of another infection, then we'll need to go deeper.

Here's the log. I didn't see how to simply attach a file, so I just went ahead and copied it into this response.


Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

12/18/2009 5:09:06 PM
mbam-log-2009-12-18 (17-09-01).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 379687
Time elapsed: 59 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\akobhmrq (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\akobhmrq (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Application Data\kjkdcm\abvhsysguard.exe (Trojan.FakeAlert) -> No action taken.
F:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> No action taken.

Did you remove what it found there? says no action taken. One more scan, then I think were done.

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  [You must be registered and logged in to see this link.]
  [You must be registered and logged in to see this link.]
  
• Double click DDS.scr to run.
  
• When complete, two logs will open. Save both of the report to your Desktop.
  
• Copy and paste BOTH LOGS back here, use more than one post if needed.