
How Do I Remove Spyguard Pro?


19 replies to this topic

#1 JSLhelpme


Posted 05 December 2007 - 03:21 AM

Okay, I was on yahoo.com and all of a sudden this program downloads itself on my computer. I looked it up and seems to be some type of virus/spyware. I actually stumbled upon this forum trying to figure out a way to get rid of this. Any help would be appreciated.


I'm using windows xp by the way


#2 Budapest


Posted 05 December 2007 - 03:43 AM

Welcome to Bleeping Computer.

Please see the following removal guide:

How to remove The Spy Guard

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 JSLhelpme


Posted 05 December 2007 - 12:32 PM

Okay, I got to step "11"

11. When this last routine is finished, you will be presented with a red screen stating Computer will reboot now. Close all applications. You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot.
12. Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer. Examine this log, and when you are done, close the Notepad screen.



I didn't get a red reboot screen; instead the program just went back to its regular menu. So I rebooted the computer myself... I still got the virus though...

#4 quietman7


Posted 05 December 2007 - 01:01 PM

After running SmitFraudFix, a text file named rapport.txt will have automatically been saved to the root of the system drive, usually at C:\rapport.txt. Please copy/paste the contents of that report into your next reply.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under "General and Startup", make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 JSLhelpme


Posted 05 December 2007 - 01:33 PM

Here it is:


ComboFix 07-12-02.7 - Jacque 2007-12-04 0:34:35.2 - NTFSx86
Running from: C:\Documents and Settings\Jacque.FAMILY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jacque.FAMILY\Desktop\CFScript.txt

FILE
C:\Temp\CORE10k.EXE
C:\Temp\keygen.exe
C:\WINDOWS\fkwggshm.exe
C:\WINDOWS\mrofinu77.exe
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\aivskurq.dll
C:\WINDOWS\system32\cbxxxut.dll
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\vvgeowbv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\UGA6P

.
((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-05 09:49 . 2007-12-05 09:49 <DIR> d--hs---- C:\UGA6P
2007-12-05 00:29 . 2007-12-05 00:29 209 --a------ C:\WINDOWS\cookies.ini
2007-12-05 00:23 . 2007-12-05 00:23 81,984 --a------ C:\WINDOWS\system32\gphxyisv.dll
2007-12-05 00:22 . 2007-12-05 00:23 668,932 ---hs---- C:\WINDOWS\system32\uatkkyqr.ini
2007-12-05 00:22 . 2007-12-05 00:22 85,568 --a------ C:\WINDOWS\system32\rqykktau.dll
2007-12-05 00:20 . 2007-12-05 00:29 668,941 ---hs---- C:\WINDOWS\system32\nokfiajf.ini
2007-12-05 00:19 . 2007-12-05 00:19 85,568 --a------ C:\WINDOWS\system32\fjaifkon.dll
2007-12-05 00:19 . 2007-12-05 00:19 4,672 --a------ C:\WINDOWS\system32\awvfcsbm.exe
2007-12-05 00:16 . 2007-12-05 00:16 81,984 --a------ C:\WINDOWS\system32\eusuntuv.dll
2007-12-05 00:16 . 2007-12-05 00:16 4,672 --a------ C:\WINDOWS\system32\lpvsegmx.exe
2007-12-05 00:14 . 2007-12-05 00:14 145,984 --a------ C:\WINDOWS\system32\catzsjpp.dll
2007-12-05 00:14 . 2007-12-05 01:18 20,810 ---hs---- C:\WINDOWS\system32\catzsjpp.dllbox
2007-12-05 00:13 . 2007-12-05 00:13 145,984 --a------ C:\WINDOWS\system32\yehcaqfe.dll
2007-12-04 21:09 . 2007-12-05 09:59 135,168 --a------ C:\WINDOWS\tk58.exe
2007-12-04 21:08 . 2007-12-05 09:55 169,147 --a------ C:\WINDOWS\TTC-4444.exe
2007-12-04 00:13 . 2007-12-05 11:20 449,168 --ahs---- C:\WINDOWS\system32\oonnn.ini2
2007-12-04 00:13 . 2007-12-05 11:21 449,168 --ahs---- C:\WINDOWS\system32\oonnn.ini
2007-12-03 23:15 . 2007-12-05 11:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-03 23:15 . 2007-12-03 23:15 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-03 16:37 . 2007-12-03 16:37 321,120 --a------ C:\WINDOWS\system32\nnnoo.dll
2007-12-03 16:31 . 2007-12-03 16:35 <DIR> d-------- C:\Documents and Settings\Jody\Application Data\SpyGuardPro
2007-12-03 02:05 . 2007-12-05 10:34 1,850 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-03 01:06 . 2007-12-03 01:06 10,240 --a------ C:\Program Files\spoolsv.exe
2007-12-03 00:14 . 2007-12-03 00:22 <DIR> d-------- C:\Documents and Settings\Jacque.FAMILY\Application Data\SpyGuardPro
2007-12-03 00:06 . 2007-12-05 01:39 <DIR> d-------- C:\Program Files\SpyGuardPro
2007-12-03 00:06 . 2007-12-03 00:07 <DIR> d-------- C:\Program Files\Common Files\SpyGuardPro
2007-12-02 23:51 . 2007-12-02 23:51 <DIR> d-------- C:\WINDOWS\system32\mm6
2007-12-02 23:51 . 2007-12-02 23:51 <DIR> d-------- C:\WINDOWS\system32\hv2
2007-12-02 23:51 . 2007-12-02 23:51 <DIR> d-------- C:\WINDOWS\system32\dr1
2007-12-02 23:51 . 2007-12-02 23:51 <DIR> d-------- C:\WINDOWS\system32\daSgo01
2007-12-02 23:51 . 2007-12-02 23:52 <DIR> d-------- C:\Temp\bkR11
2007-12-02 23:51 . 2007-12-02 23:51 35,840 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2007-11-10 18:49 . 2007-11-10 18:49 <DIR> d--h----- C:\Documents and Settings\Jody\InstallAnywhere

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-05 08:29 --------- d-----w C:\Documents and Settings\Jacque.FAMILY\Application Data\SiteAdvisor
2007-12-05 06:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2007-12-05 04:54 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-12-02 17:24 --------- d-----w C:\Program Files\Mozilla Sunbird
2007-11-13 05:33 --------- d-----w C:\Program Files\iTunes
2007-11-13 05:32 --------- d-----w C:\Program Files\iPod
2007-11-13 05:14 --------- d-----w C:\Program Files\QuickTime
2007-11-11 00:50 --------- d-----w C:\Program Files\THQ
2007-11-02 04:32 --------- d-----w C:\Program Files\Lavasoft
2007-11-02 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-02 04:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-15 20:55 --------- d-----w C:\Program Files\Winamp Remote
2007-10-15 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\OrbNetworks
2007-10-15 20:52 --------- d-----w C:\Program Files\Winamp
2007-10-15 20:49 --------- d-----w C:\Program Files\Winamp Toolbar
2007-10-15 20:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Winamp Toolbar
2007-09-15 08:24 28,624 -c--a-w C:\Documents and Settings\Jacque.FAMILY\Application Data\GDIPFONTCACHEV1.DAT
2007-09-07 00:11 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-28 09:06 135 ----a-w C:\Program Files\page.html
2007-05-03 05:25 27,152 -c--a-w C:\Documents and Settings\Jacque\Application Data\GDIPFONTCACHEV1.DAT
2003-08-27 20:19 36,963 -c----r C:\Program Files\Common Files\SM1updtr.dll
1998-08-24 17:09 10,000 -c----w C:\WINDOWS\inf\unregpn.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-04_ 0.14.12.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 07:56:41 450,048 -c--a-w C:\WINDOWS\system32\dllcache\aclayers.dll
+ 2004-08-04 07:56:41 116,224 -c--a-w C:\WINDOWS\system32\dllcache\acxtrnal.dll
+ 2004-08-04 07:56:42 181,760 -c--a-w C:\WINDOWS\system32\dllcache\dinput8.dll
+ 2004-08-04 07:56:42 181,248 -c--a-w C:\WINDOWS\system32\dllcache\dmime.dll
+ 2004-08-04 07:56:42 103,424 -c--a-w C:\WINDOWS\system32\dllcache\dmsynth.dll
+ 2004-08-04 07:56:42 104,448 -c--a-w C:\WINDOWS\system32\dllcache\dmusic.dll
+ 2004-08-04 07:56:42 181,760 -c--a-w C:\WINDOWS\system32\dllcache\dsdmo.dll
+ 2004-08-04 07:56:42 186,368 -c--a-w C:\WINDOWS\system32\dllcache\encdec.dll
+ 2004-08-04 07:56:42 310,272 -c--a-w C:\WINDOWS\system32\dllcache\mp43dmod.dll
+ 2004-08-04 07:56:42 384,512 -c--a-w C:\WINDOWS\system32\dllcache\mp4sdmod.dll
+ 2004-08-04 07:56:42 240,640 -c--a-w C:\WINDOWS\system32\dllcache\mpg4dmod.dll
+ 2004-08-04 07:56:43 1,507,356 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll
+ 2004-08-04 07:56:43 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll
+ 2004-08-04 07:56:43 53,279 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll
+ 2004-08-04 07:56:53 343,040 -c--a-w C:\WINDOWS\system32\dllcache\mspaint.exe
+ 2004-08-04 07:56:44 614,429 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
+ 2004-08-04 07:57:01 226,816 -c--a-w C:\WINDOWS\system32\dllcache\npdrmv2.dll
+ 2004-08-04 05:45:08 33,840 -c--a-w C:\WINDOWS\system32\dllcache\ntio.sys
+ 2004-08-04 07:56:44 279,040 -c--a-w C:\WINDOWS\system32\dllcache\qdv.dll
+ 2004-08-04 07:56:45 239,104 -c--a-w C:\WINDOWS\system32\dllcache\srrstr.dll
+ 2004-08-04 07:56:46 984,576 -c--a-w C:\WINDOWS\system32\dllcache\syssetup.dll
+ 2004-08-04 07:56:46 50,688 -c--a-w C:\WINDOWS\system32\dllcache\wstdecod.dll
- 2005-12-06 14:35:55 749,600 ------w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2007-12-05 07:05:16 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
- 2005-10-23 13:35:32 4,288 ------w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2007-12-05 07:05:18 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C5B3A30-47AA-4D48-92D3-D05FFCCE1F32}]
2007-08-02 07:43 282624 --a------ C:\Program Files\Windows NT\wodenax83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-04 14:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACB4BB76-4C40-4422-B8FA-D1A170EB5FEB}]
2007-08-02 07:43 282624 --a------ C:\Program Files\Windows NT\wodenax4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E38D8F3A-A376-4437-A62A-7A1C36C3C6D4}]
2007-12-03 16:37 321120 --a------ C:\WINDOWS\system32\nnnoo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 14:06 1135968]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 14:06 1135968]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2007-10-07 18:18]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Arrn"="C:\WINDOWS\DOBE~1\dexplore.exe" []
"Bqr"="C:\WINDOWS\W?nSxS\fast.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"SpyGuardPro"="C:\Program Files\SpyGuardPro\pgs.exe" [2007-10-02 15:54]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-03 20:04]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-03 20:06]

C:\Documents and Settings\Jody\My Documents\Startup\
PowerReg Scheduler.exe [2006-11-12 18:35:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\nnnoo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MSN Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MSN Desktop Search.lnk
backup=C:\WINDOWS\pss\MSN Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MTV Networks Video Optimizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MTV Networks Video Optimizer.lnk
backup=C:\WINDOWS\pss\MTV Networks Video Optimizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless-B Notebook Adapter Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless-B Notebook Adapter Utility.lnk
backup=C:\WINDOWS\pss\Wireless-B Notebook Adapter Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jacque.FAMILY^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Jacque.FAMILY\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jacque^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Jacque\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jody^My Documents^Startup^Shortcut to gfesdsd.lnk]
backup=C:\WINDOWS\pss\Shortcut to gfesdsd.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jody^My Documents^Startup^Startup.zip]
backup=C:\WINDOWS\pss\Startup.zipStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad Muncher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 10:09 63712 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 18:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2002-10-12 21:00 294912 --------- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BookedSpace]
RunDLL32.EXE C:\WINDOWS\bs2.dll,DllRun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bxsx5]
RunDLL32.EXE C:\WINDOWS\bsx5.dll,DllRun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 01:56 15360 --------- C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeltTray]
DeltTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
2005-05-18 13:49 282624 --------- C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
C:\Program Files\Executive Software\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrWebScheduler]
C:\Program Files\DrWeb\DRWEBSCD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-StopW]
C:\Program Files\FSI\F-Prot\F-StopW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
2005-11-15 12:12 473928 -----c--- C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-02 18:36 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KlipFolio]
C:\Program Files\KlipFolio\KlipFolio.exe /BOOT

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LoadMSvcmm]
2005-01-13 17:01 50272 --a--c--- C:\WINDOWS\system32\msvcmm32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mount.exe]
C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSNSysRestore]
C:\WINDOWS\System32\pc32.exe bg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
E:\Trend Micro\Internet Security 2006\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]
C:\Program Files\PCPitstop\Optimize\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2005-10-28 12:08 335872 --a------ C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qF5h3qh]
protpp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordPadRun]
C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe -logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rundll32_7]
rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
C:\Program Files\Common Files\SpyGuardPro\bm.exe dm=http://spyguardpro.com; ad=http://spyguardpro.com

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
2003-08-27 14:20 94208 -r------- C:\WINDOWS\SM1BG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpiralFrog]
2007-09-14 07:58 163128 --a------ E:\Downloads\SpiralFrog\Spiralfrog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysW8]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe /server

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebInstall2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll,cdaEngineMain

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
2004-03-18 09:33 892928 --a--c--- C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{2CF0B992-5EEB-4143-99C0-5297EF71F444}]
rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"SPTISRV"=3 (0x3)
"SharedAccess"=2 (0x2)
"PACSPTISVR"=3 (0x3)


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2007-12-03 16:24:19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-05 17:31:12 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 11:18:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-05 11:36:21 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-04 00:22
.
--- E O F ---
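The ComboFix log above is the most informative artifact in this thread, because its "Reg Loading Points" section shows where the infection persists rather than only which files were dropped: nnnoo.dll is registered both as a Browser Helper Object and as an LSA Authentication Package (a stock XP install lists only msv1_0 there, and lsass.exe loads every listed package at boot and keeps it locked, which is what makes the DLL so hard to delete while Windows is running), two Run entries point at targets ComboFix could not stat (the empty []), and one of them lives under a folder printed as W?nSxS, where the ? stands for a character the log could not render in a name that imitates WinSxS. The Python script below is an added example for this thread, not part of ComboFix or any other tool on the page: it parses a constructed excerpt of that section (lines copied from the posted log, trimmed, with winamptb.dll and ctfmon.exe kept as legitimate controls) and applies those observations as triage rules. The rules, severities and the "stock XP lists only msv1_0" baseline are this example's own assumptions; the output is a list of leads for a reviewer, not verdicts.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; not part of ComboFix or any other tool named on
the page. The rules are this example's own assumptions and give leads, not verdicts.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt: lines copied from the ComboFix log posted above, trimmed to
# the load points this example inspects (winamptb.dll, ctfmon.exe = legitimate controls).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-04 14:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E38D8F3A-A376-4437-A62A-7A1C36C3C6D4}]
2007-12-03 16:37 321120 --a------ C:\WINDOWS\system32\nnnoo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Arrn"="C:\WINDOWS\DOBE~1\dexplore.exe" []
"Bqr"="C:\WINDOWS\W?nSxS\fast.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\nnnoo.dll
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# BHO line: "2007-12-03 16:37 321120 --a------ C:\path with spaces.dll"
STAT_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (?P<path>.+)$")
# Run line: "Name"="C:\path.exe" [2007-10-07 18:18]; an empty [] means ComboFix found no file to stat
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
LSA_RE = re.compile(r"^Authentication Packages REG_MULTI_SZ (?P<pkgs>.+)$")
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<dlls>.+)$')

DEFAULT_AUTH_PACKAGES = {"msv1_0"}      # assumption: the only package a stock XP install lists
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    location: str   # registry key, or "cross-reference"
    path: str
    reason: str

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def _directly_in_system_dir(path):
    """True for a file sitting in WINDOWS or system32 itself, not in a subfolder."""
    p = path.lower()
    return any(p.startswith(d) and "\\" not in p[len(d):] for d in SYSTEM_DIRS)

def parse_load_points(log_text):
    """Yield (key, kind, path, stamp) for every load-point line under a [key] header."""
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            key = m.group("key")
        elif not key:
            continue
        elif (m := STAT_RE.match(line)) and "Browser Helper Objects" in key:
            yield key, "bho", m.group("path"), ""
        elif (m := RUN_RE.match(line)):
            yield key, "run", m.group("path"), m.group("stamp")
        elif (m := LSA_RE.match(line)):
            for pkg in m.group("pkgs").split():     # assumes no spaces inside package paths
                yield key, "lsa", pkg, ""
        elif (m := APPINIT_RE.match(line)):
            for dll in m.group("dlls").split(","):
                if dll.strip():
                    yield key, "appinit", dll.strip(), ""

def triage(log_text):
    """Apply the rules; every Finding deserves a manual look, not automatic deletion."""
    findings = []
    seen = defaultdict(set)     # module basename -> kinds of load point it appears in
    for key, kind, path, stamp in parse_load_points(log_text):
        name = _basename(path)
        seen[name].add(kind)
        if kind == "lsa" and name not in DEFAULT_AUTH_PACKAGES:
            findings.append(Finding("high", key, path,
                "non-default LSA authentication package: lsass.exe loads it at boot and keeps it locked"))
        if kind == "appinit":
            findings.append(Finding("medium", key, path,
                "AppInit_DLLs is loaded into every process that uses user32.dll; confirm the vendor"))
        if "?" in path:
            findings.append(Finding("high", key, path,
                "'?' in path: a character the log could not print, in a folder name that imitates WinSxS"))
        if kind == "run" and stamp == "":
            findings.append(Finding("medium", key, path,
                "ComboFix could not stat the autostart target (missing, hidden or locked)"))
        if kind == "bho" and _directly_in_system_dir(path):
            findings.append(Finding("high", key, path,
                "BHO DLL dropped straight into a Windows system directory instead of a vendor folder"))
    for name, kinds in seen.items():
        if len(kinds) > 1:
            findings.append(Finding("high", "cross-reference", name,
                "same module registered in unrelated load points: " + ", ".join(sorted(kinds))))
    return findings
```

Running `triage(SAMPLE_LOG)` yields seven findings: nnnoo.dll three times (as a BHO in system32, as an LSA package, and once more from the cross-reference pass, which is the strongest single signal because no legitimate product registers the same DLL in both places), the W?nSxS entry for the unprintable character and again for the missing stat, the DOBE~1 entry for the missing stat, and the Google AppInit DLL as a medium lead that a reviewer would clear on sight. Neither control (winamptb.dll, ctfmon.exe) is flagged. The rogue's own `"SpyGuardPro"="...\pgs.exe"` Run entry is deliberately not modelled: it looks like any other installer's autostart, which is why triage focuses on what a rogue brings with it rather than on the rogue itself.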

#6 quietman7


Posted 05 December 2007 - 01:41 PM

That is a combofix log. You should not be using Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Can you post the rapport.txt together with the SAS log reported after performing a scan?

#7 quietman7


Posted 05 December 2007 - 01:43 PM

When you're done with the above, please follow the instructions for using Vundofix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection". Post that log as well.

#8 JSLhelpme


Posted 05 December 2007 - 01:56 PM

Can you post the rapport.txt together with the SAS log reported after performing a scan?



SmitFraudFix v2.257

Scan done at 10:33:45.05, 2007-12-05
Run from C:\Documents and Settings\Jacque.FAMILY\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{043AB322-214F-4635-92F5-04316B4C2885}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{043AB322-214F-4635-92F5-04316B4C2885}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{043AB322-214F-4635-92F5-04316B4C2885}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End
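The SmitFraudFix report above is clean in the three sections that matter most for a SmitFraud-style infection: the hosts file holds only the localhost line, both DNS values are a private LAN address, and the Winlogon "System" value is empty. The Python below is an added example for this thread, not SmitFraudFix's own code; it turns those three checks into explicit rules and runs them over two constructed reports, one that mirrors the posted report and one invented hijacked report (documentation-range IPs, made-up host and file names) that exercises every rule. The section titles are copied from the posted report; the "local resolver" ranges and the severities are this example's assumptions.

```python
"""Rule checks for the hosts, DNS and Winlogon sections of a SmitFraudFix rapport.txt.

Added example for this thread; not SmitFraudFix code. CLEAN_REPORT mirrors the
posted report, HIJACKED_REPORT is invented (documentation IPs, made-up names).
"""
import ipaddress
import re

CLEAN_REPORT = r"""
hosts

127.0.0.1 localhost

DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{043AB322-214F-4635-92F5-04316B4C2885}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

Winlogon.System

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
"""

HIJACKED_REPORT = r"""
hosts

127.0.0.1 localhost
127.0.0.1 update.example-av.test
203.0.113.7 www.example-bank.test

DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{043AB322-214F-4635-92F5-04316B4C2885}: NameServer=203.0.113.53,203.0.113.54
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

Winlogon.System

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="C:\WINDOWS\system32\svchosts.exe"
"""

# Section titles exactly as the posted report prints them; a line equal to one switches section.
TITLES = {"SharedTaskScheduler Before SmitFraudFix", "Killing process", "hosts", "Winsock2 Fix",
          "Generic Renos Fix", "Deleting infected files", "DNS", "Deleting Temp Files",
          "Winlogon.System", "Registry Cleaning", "SharedTaskScheduler After SmitFraudFix", "End"}
# Assumption: resolvers a home LAN normally hands out are RFC 1918, loopback or link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
HOSTS_RE = re.compile(r"^(?P<ip>[0-9a-fA-F.:]+)\s+(?P<host>\S+)")   # first hostname on the line only
DNS_RE = re.compile(r"(?P<key>DhcpNameServer|NameServer)=(?P<servers>.*)$")
WINLOGON_SYSTEM_RE = re.compile(r'^"System"="(?P<value>.*)"$')

def sections(report):
    """Group report lines under the SmitFraudFix title that precedes them."""
    out, current = {}, None
    for line in report.splitlines():
        line = line.strip()
        if line in TITLES:
            current = line
            out.setdefault(current, [])
        elif current and line:
            out[current].append(line)
    return out

def _is_local(ip):
    return any(ip in net for net in LOCAL_NETS)

def check(report):
    """Return (severity, rule, detail) tuples; an empty list means the three sections look clean."""
    findings, s = [], sections(report)
    for line in s.get("hosts", []):
        m = HOSTS_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:          # a word made only of hex letters, e.g. a comment
            continue
        host = m["host"].lower()
        if ip.is_loopback and host != "localhost":
            findings.append(("medium", "hosts", f"{host} pinned to loopback (classic way to block AV/update sites)"))
        elif not ip.is_loopback:
            findings.append(("high", "hosts", f"{host} redirected to {ip}"))
    for line in s.get("DNS", []):
        m = DNS_RE.search(line)
        for srv in (re.split(r"[ ,]+", m["servers"].strip()) if m else []):
            if srv and not _is_local(ipaddress.ip_address(srv)):
                sev = "high" if m["key"] == "NameServer" else "medium"   # static override is the DNS-changer pattern
                findings.append((sev, "dns", f"{m['key']} points outside the LAN: {srv}"))
    for line in s.get("Winlogon.System", []):
        m = WINLOGON_SYSTEM_RE.match(line)
        if m and m["value"]:
            findings.append(("high", "winlogon", f'Winlogon "System" runs {m["value"]} at logon; stock value is empty'))
    return findings
```

`check(CLEAN_REPORT)` returns an empty list, which is the condition the posted report satisfies. `check(HIJACKED_REPORT)` returns five findings: the update host pinned to loopback, the bank host redirected to a foreign address, both static NameServer entries outside the LAN (a static NameServer override ranks above a DHCP-assigned one because a home machine normally has no static resolver at all), and the non-empty Winlogon "System" value. DhcpNameServer=192.168.0.1 is never flagged, so a report from an ordinary home router passes.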

#9 quietman7


Posted 05 December 2007 - 03:11 PM

Ok. Can I see the other two reports?

#10 JSLhelpme


Posted 05 December 2007 - 04:46 PM

Ok. Can I see the other two reports?


Well, I'm at school right now; I'll post them up when I get home. Around 10:00 pm central time...

thanks

#11 JSLhelpme


Posted 05 December 2007 - 11:55 PM

Here's the super antispyware log:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/05/2007 at 03:29 PM

Application Version : 3.9.1008

Core Rules Database Version : 3355
Trace Rules Database Version: 1354

Scan type : Complete Scan
Total Scan Time : 02:01:16

Memory items scanned : 169
Memory threats detected : 1
Registry items scanned : 6742
Registry threats detected : 36
File items scanned : 49258
File threats detected : 140

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\NNNOO.DLL
C:\WINDOWS\SYSTEM32\NNNOO.DLL

Malware.LocusSoftware Inc/BestSellerAntivirus
[SpyGuardPro] C:\PROGRAM FILES\SPYGUARDPRO\PGS.EXE
C:\PROGRAM FILES\SPYGUARDPRO\PGS.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\SPYGUARDPRO.LNK

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{1C5B3A30-47AA-4D48-92D3-D05FFCCE1F32}
HKCR\CLSID\{1C5B3A30-47AA-4D48-92D3-D05FFCCE1F32}
HKCR\CLSID\{1C5B3A30-47AA-4D48-92D3-D05FFCCE1F32}
HKCR\CLSID\{1C5B3A30-47AA-4D48-92D3-D05FFCCE1F32}\InProcServer32
HKCR\CLSID\{1C5B3A30-47AA-4D48-92D3-D05FFCCE1F32}\InProcServer32#ThreadingModel
C:\PROGRAM FILES\WINDOWS NT\WODENAX83122.DLL
HKLM\Software\Classes\CLSID\{ACB4BB76-4C40-4422-B8FA-D1A170EB5FEB}
HKCR\CLSID\{ACB4BB76-4C40-4422-B8FA-D1A170EB5FEB}
HKCR\CLSID\{ACB4BB76-4C40-4422-B8FA-D1A170EB5FEB}
HKCR\CLSID\{ACB4BB76-4C40-4422-B8FA-D1A170EB5FEB}\InProcServer32
HKCR\CLSID\{ACB4BB76-4C40-4422-B8FA-D1A170EB5FEB}\InProcServer32#ThreadingModel
C:\PROGRAM FILES\WINDOWS NT\WODENAX4444.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C5B3A30-47AA-4D48-92D3-D05FFCCE1F32}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ACB4BB76-4C40-4422-B8FA-D1A170EB5FEB}

Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3BB60B0F-EA71-481B-809D-D76D98CB2EE1}
HKCR\CLSID\{3BB60B0F-EA71-481B-809D-D76D98CB2EE1}
HKCR\CLSID\{3BB60B0F-EA71-481B-809D-D76D98CB2EE1}\InprocServer32
HKCR\CLSID\{3BB60B0F-EA71-481B-809D-D76D98CB2EE1}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\CATZSJPP.DLL
C:\WINDOWS\SYSTEM32\YEHCAQFE.DLL

Spyware.WebSearch (WinTools/Huntbar)
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#DeviceDesc

Adware.IEPlugin
HKCR\Remove

Malware.LocusSoftware Inc/SpyGuardPro
HKU\S-1-5-21-1214440339-1708537768-1060284298-1010\Software\SpyGuardPro
HKLM\Software\SpyGuardPro
HKLM\Software\SpyGuardPro#ProductCode
HKLM\Software\SpyGuardPro#Abbr
HKLM\Software\SpyGuardPro#InstallPath
HKLM\Software\SpyGuardPro#ActivationCode
HKLM\Software\SpyGuardPro#InstallDate
HKLM\Software\SpyGuardPro\Settings
HKLM\Software\SpyGuardPro\Settings#ActiveThreats
C:\Program Files\SpyGuardPro\Activate.exe
C:\Program Files\SpyGuardPro\Config\pgs.xml
C:\Program Files\SpyGuardPro\Config
C:\Program Files\SpyGuardPro\Dat\Activate.dat
C:\Program Files\SpyGuardPro\Dat\BkSites.dat
C:\Program Files\SpyGuardPro\Dat\bnlink.dat
C:\Program Files\SpyGuardPro\Dat\incmp.dat
C:\Program Files\SpyGuardPro\Dat\index.dat
C:\Program Files\SpyGuardPro\Dat\PGUpLst.dat
C:\Program Files\SpyGuardPro\Dat\pv.dat
C:\Program Files\SpyGuardPro\Dat
C:\Program Files\SpyGuardPro\Engines\AWBase\database\enemies.dat
C:\Program Files\SpyGuardPro\Engines\AWBase\database
C:\Program Files\SpyGuardPro\Engines\AWBase\vbpv.dat
C:\Program Files\SpyGuardPro\Engines\AWBase
C:\Program Files\SpyGuardPro\Engines\PGBase\vbpv.dat
C:\Program Files\SpyGuardPro\Engines\PGBase
C:\Program Files\SpyGuardPro\Engines\plugins\BORLNDMM.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANADWR.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANBCDR.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANDLDR.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANDOS1.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANEMUL.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANFUNC.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANKRNL.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANMCR1.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANOTHR.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANSCR.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANTOOL.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANTROJ.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANWIN1.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UNACPU.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UNADBX.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\unamscan.dll
C:\Program Files\SpyGuardPro\Engines\plugins\UNMIME.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UNPACK.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UNPACKS.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UNPACKS2.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UNPEPACK.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UpDate\UA27601.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UpDate\UA27602.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UpDate\UA27603.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UpDate\UA27604.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UpDate\UADAILY.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UpDate
C:\Program Files\SpyGuardPro\Engines\plugins\vbpv.dat
C:\Program Files\SpyGuardPro\Engines\plugins
C:\Program Files\SpyGuardPro\Engines
C:\Program Files\SpyGuardPro\FMTR.sys
C:\Program Files\SpyGuardPro\fopnl.dll
C:\Program Files\SpyGuardPro\FWSettings.bin
C:\Program Files\SpyGuardPro\Graphics\cross.gif
C:\Program Files\SpyGuardPro\Graphics\ga6p.gif
C:\Program Files\SpyGuardPro\Graphics\kb.url
C:\Program Files\SpyGuardPro\Graphics\main.ico
C:\Program Files\SpyGuardPro\Graphics\mini.ico
C:\Program Files\SpyGuardPro\Graphics\Online.url
C:\Program Files\SpyGuardPro\Graphics\rm.url
C:\Program Files\SpyGuardPro\Graphics\support.ico
C:\Program Files\SpyGuardPro\Graphics\Support.url
C:\Program Files\SpyGuardPro\Graphics\uninstall.ico
C:\Program Files\SpyGuardPro\Graphics
C:\Program Files\SpyGuardPro\history.db
C:\Program Files\SpyGuardPro\LA\lapv.dat
C:\Program Files\SpyGuardPro\LA\License.rtf
C:\Program Files\SpyGuardPro\LA
C:\Program Files\SpyGuardPro\ResErrors.log
C:\Program Files\SpyGuardPro\Restart.exe
C:\Program Files\SpyGuardPro\rpt.dll
C:\Program Files\SpyGuardPro\RTasks.exe
C:\Program Files\SpyGuardPro\scnkrnl.dll
C:\Program Files\SpyGuardPro\settings.ini
C:\Program Files\SpyGuardPro\sqlite3.dll
C:\Program Files\SpyGuardPro\sr.log
C:\Program Files\SpyGuardPro\Tools\IEFWBHO.dll
C:\Program Files\SpyGuardPro\Tools\pg.dll
C:\Program Files\SpyGuardPro\Tools
C:\Program Files\SpyGuardPro\unins000.dat
C:\Program Files\SpyGuardPro\unins000.exe
C:\Program Files\SpyGuardPro\Up\ASupdater.dat
C:\Program Files\SpyGuardPro\Up\Download
C:\Program Files\SpyGuardPro\Up\gup.exe
C:\Program Files\SpyGuardPro\Up\PGupdater.dat
C:\Program Files\SpyGuardPro\Up\UBupdater.dat
C:\Program Files\SpyGuardPro\Up\up.dat
C:\Program Files\SpyGuardPro\Up\updater.dat
C:\Program Files\SpyGuardPro\Up
C:\Program Files\SpyGuardPro
C:\Program Files\Common Files\SpyGuardPro\bm.exe
C:\Program Files\Common Files\SpyGuardPro\ugcw.exe
C:\Program Files\Common Files\SpyGuardPro
C:\Documents and Settings\Jacque.FAMILY\Application Data\SpyGuardPro\avtasks.dat
C:\Documents and Settings\Jacque.FAMILY\Application Data\SpyGuardPro\Logs\av.log
C:\Documents and Settings\Jacque.FAMILY\Application Data\SpyGuardPro\Logs\ga6Support.log
C:\Documents and Settings\Jacque.FAMILY\Application Data\SpyGuardPro\Logs\update.log
C:\Documents and Settings\Jacque.FAMILY\Application Data\SpyGuardPro\Logs
C:\Documents and Settings\Jacque.FAMILY\Application Data\SpyGuardPro\PGE.dat
C:\Documents and Settings\Jacque.FAMILY\Application Data\SpyGuardPro
C:\Documents and Settings\All Users\Start Menu\Programs\SpyGuardPro\Contact Customer Support.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\SpyGuardPro\SpyGuardPro.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\SpyGuardPro\Uninstall SpyGuardPro.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\SpyGuardPro

Trojan.ZQuest
C:\PROGRAM FILES\INTERNET EXPLORER\BAPUHOZYQ.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\BAPUHOZYQ312.DLL
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\INTERNET EXPLORER\BAPUHOZYQ.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\INTERNET EXPLORER\BAPUHOZYQ107.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\INTERNET EXPLORER\BAPUHOZYQ145.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\INTERNET EXPLORER\BAPUHOZYQ481.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\INTERNET EXPLORER\BAPUHOZYQ74.DLL.VIR

Trojan.Downloader-NoName
C:\PROGRAM FILES\SPOOLSV.EXE

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\3269.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WTSISVCC32.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\TTC-4444.EXE.VIR
C:\WINDOWS\SYSTEM32\HV2\SWDRV83122.EXE
C:\WINDOWS\TTC-4444.EXE

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1281OINADMIN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1281OINUNINSTALLER.EXE.VIR

Adware.ClickSpring
C:\QOOBOX\QUARANTINE\C\WINDOWS\DOBE~1\DEXPLORE.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IYCRTHU.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\WNSXS~1\FAST.EXE.VIR

Trojan.Unclassified/17PHolmes
C:\QOOBOX\QUARANTINE\C\WINDOWS\MROFINU1000106.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\MROFINU572.EXE.VIR
C:\WINDOWS\MROFINU572.EXE.TMP

Trojan.ZQuest-Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\TK58.EXE.VIR
C:\WINDOWS\TK58.EXE

Adware.Vundo/Traff-2
C:\WINDOWS\SYSTEM32\AWVFCSBM.EXE
C:\WINDOWS\SYSTEM32\LPVSEGMX.EXE

Adware.Adservs
C:\WINDOWS\SYSTEM32\DR1\LOGIDNDR1.EXE

Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\EUSUNTUV.DLL
C:\WINDOWS\SYSTEM32\FJAIFKON.DLL
C:\WINDOWS\SYSTEM32\GPHXYISV.DLL
C:\WINDOWS\SYSTEM32\RQYKKTAU.DLL

Trojan.Downloader-Gen/TaLDrv
C:\WINDOWS\SYSTEM32\MM6\NCSTDB33.EXE

#12 JSLhelpme

JSLhelpme
  • Topic Starter
  • Members
  • 28 posts
  • Local time:12:42 AM

Posted 06 December 2007 - 03:05 AM

Here's the Vundo log

#13 quietman7

quietman7

Bleepin' Janitor

  • Global Moderator
  • 51,597 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:42 AM

Posted 06 December 2007 - 07:52 AM

You did not post the vundo log.

Please download OTMoveIt by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt.exe to launch the program.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in red and press CTRL+C or right-click and choose Copy.
    • C:\WINDOWS\cookies.ini
      C:\WINDOWS\system32\gphxyisv.dll
      C:\WINDOWS\system32\uatkkyqr.ini
      C:\WINDOWS\system32\rqykktau.dll
      C:\WINDOWS\system32\nokfiajf.ini
      C:\WINDOWS\system32\fjaifkon.dll
      C:\WINDOWS\system32\awvfcsbm.exe
      C:\WINDOWS\system32\eusuntuv.dll
      C:\WINDOWS\system32\lpvsegmx.exe
      C:\WINDOWS\system32\catzsjpp.dll
      C:\WINDOWS\system32\catzsjpp.dllbox
      C:\WINDOWS\system32\yehcaqfe.dll
      C:\WINDOWS\tk58.exe
      C:\WINDOWS\TTC-4444.exe
      C:\WINDOWS\system32\oonnn.ini2
      C:\WINDOWS\system32\oonnn.ini
      C:\WINDOWS\QTFont.qfn
      C:\WINDOWS\QTFont.for
      C:\WINDOWS\system32\nnnoo.dll
      C:\Documents and Settings\Jody\Application Data\SpyGuardPro
      C:\WINDOWS\system32\tmp.reg
      C:\Program Files\spoolsv.exe
      C:\Documents and Settings\Jacque.FAMILY\Application Data\SpyGuardPro
      C:\Program Files\SpyGuardPro
      C:\Program Files\Common Files\SpyGuardPro
      C:\WINDOWS\system32\mm6
      C:\WINDOWS\system32\hv2
      C:\WINDOWS\system32\dr1
      C:\WINDOWS\system32\daSgo01
      C:\Temp\bkR11
      C:\WINDOWS\mrofinu572.exe.tmp

  • Then in OTMoveIt, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results for each line will be displayed in the right-hand pane.
  • Highlight everything in the Results window, press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
  • Please copy/paste the contents of that log in your next reply.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process.
If asked to reboot, choose Yes.


Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using it incorrectly could lead to disastrous problems with your operating system.



#14 JSLhelpme

JSLhelpme
  • Topic Starter
  • Members
  • 28 posts
  • Local time:12:42 AM

Posted 06 December 2007 - 08:18 PM

not sure why it didn't post... here's the vundo log again:



VundoFix V6.7.0

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 12:04:59 AM 12/6/2007

Listing files found while scanning....

C:\windows\system32\catzsjpp.dllbox

Beginning removal...

Attempting to delete C:\windows\system32\catzsjpp.dllbox
C:\windows\system32\catzsjpp.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

#15 JSLhelpme

JSLhelpme
  • Topic Starter
  • Members
  • 28 posts
  • Local time:12:42 AM

Posted 06 December 2007 - 08:32 PM

OTMOVEIT LOG:


C:\WINDOWS\cookies.ini moved successfully.
File/Folder C:\WINDOWS\system32\gphxyisv.dll not found.
C:\WINDOWS\system32\uatkkyqr.ini moved successfully.
File/Folder C:\WINDOWS\system32\rqykktau.dll not found.
C:\WINDOWS\system32\nokfiajf.ini moved successfully.
File/Folder C:\WINDOWS\system32\fjaifkon.dll not found.
File/Folder C:\WINDOWS\system32\awvfcsbm.exe not found.
File/Folder C:\WINDOWS\system32\eusuntuv.dll not found.
File/Folder C:\WINDOWS\system32\lpvsegmx.exe not found.
File/Folder C:\WINDOWS\system32\catzsjpp.dll not found.
File/Folder C:\WINDOWS\system32\catzsjpp.dllbox not found.
File/Folder C:\WINDOWS\system32\yehcaqfe.dll not found.
File/Folder C:\WINDOWS\tk58.exe not found.
File/Folder C:\WINDOWS\TTC-4444.exe not found.
C:\WINDOWS\system32\oonnn.ini2 moved successfully.
C:\WINDOWS\system32\oonnn.ini moved successfully.
C:\WINDOWS\QTFont.qfn moved successfully.
C:\WINDOWS\QTFont.for moved successfully.
File/Folder C:\WINDOWS\system32\nnnoo.dll not found.
C:\Documents and Settings\Jody\Application Data\SpyGuardPro\Logs moved successfully.
C:\Documents and Settings\Jody\Application Data\SpyGuardPro moved successfully.
C:\WINDOWS\system32\tmp.reg moved successfully.
File/Folder C:\Program Files\spoolsv.exe not found.
File/Folder C:\Documents and Settings\Jacque.FAMILY\Application Data\SpyGuardPro not found.
File/Folder C:\Program Files\SpyGuardPro not found.
File/Folder C:\Program Files\Common Files\SpyGuardPro not found.
C:\WINDOWS\system32\mm6 moved successfully.
C:\WINDOWS\system32\hv2 moved successfully.
C:\WINDOWS\system32\dr1 moved successfully.
C:\WINDOWS\system32\daSgo01 moved successfully.
C:\Temp\bkR11 moved successfully.
File/Folder C:\WINDOWS\mrofinu572.exe.tmp not found.

Created on 12/06/2007 19:30:49
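An added example, not part of the thread or of OTMoveIt itself: a small Python script that reads an OTMoveIt results log in the format posted above and reconciles it against the move list the helper supplied, so a reviewer can tell at a glance which items were moved, which were already gone (expected here, since VundoFix and SUPERAntiSpyware had removed several of them earlier), and which paths never produced a result line at all. The sample log and the path list are constructed subsets of the ones in the thread; the regexes and the "missing" status are this example's own assumptions about how to check the log.

```python
import re

# Constructed sample in the OTMoveIt results format shown in the thread
# (a short subset of the real log).
SAMPLE_LOG = """\
C:\\WINDOWS\\cookies.ini moved successfully.
File/Folder C:\\WINDOWS\\system32\\gphxyisv.dll not found.
C:\\WINDOWS\\system32\\uatkkyqr.ini moved successfully.
File/Folder C:\\WINDOWS\\system32\\catzsjpp.dllbox not found.
C:\\WINDOWS\\system32\\mm6 moved successfully.
Created on 12/06/2007 19:30:49
"""

# Paths from the helper's move list (constructed subset); the last one is
# deliberately absent from the log to show how a missing result is reported.
REQUESTED = [
    r"C:\WINDOWS\cookies.ini",
    r"C:\WINDOWS\system32\gphxyisv.dll",
    r"C:\WINDOWS\system32\uatkkyqr.ini",
    r"C:\WINDOWS\system32\catzsjpp.dllbox",
    r"C:\WINDOWS\system32\mm6",
    r"C:\WINDOWS\system32\tmp.reg",
]

# Assumed line shapes, taken from the log lines posted in the thread.
MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
NOTFOUND_RE = re.compile(r"^File/Folder (?P<path>.+?) not found\.$")


def parse_otmoveit_log(text):
    """Map each path in the log to 'moved' or 'not_found'.
    Keys are lower-cased because Windows paths are case-insensitive."""
    results = {}
    for line in text.splitlines():
        line = line.strip()
        m = MOVED_RE.match(line)
        if m:
            results[m.group("path").lower()] = "moved"
            continue
        m = NOTFOUND_RE.match(line)
        if m:
            results[m.group("path").lower()] = "not_found"
    return results


def reconcile(requested, log_text):
    """'not_found' is expected when an earlier tool (VundoFix, SUPERAntiSpyware)
    already removed the item; 'missing' means the path never reached OTMoveIt."""
    results = parse_otmoveit_log(log_text)
    return {p: results.get(p.lower(), "missing") for p in requested}


if __name__ == "__main__":
    for path, status in reconcile(REQUESTED, SAMPLE_LOG).items():
        print(f"{status:10s} {path}")
```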



