
Help With Spyguard Pro Removal Please!


6 replies to this topic

#1 felinne

felinne

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:00 AM

Posted 26 December 2007 - 12:02 AM

Hi!

First of all, happy holidays! Thank you in advance for your help. I caught Spyguard Pro today and found some great removal instructions on this site from this link: http://www.bleepingcomputer.com/forums/lof...hp/t119682.html. I have followed them as far as I can.

1. I've run SmitFraudFix (rapport.txt posted below)
2. I've run ATF-Cleaner.exe
3. I've run SUPERAntiSpyware (scan log posted below)
4. I saw Vundo/Winfixer while doing step 3 and ran Vundofix (scan log posted below)

The current status is that when my computer boots, Spyguard Pro no longer starts up its crazy installation sequence. However, a Spyguard Pro icon still remains on my desktop without its logo (it's now a generic Windows icon without the Spyguard Pro logo).

I also got an error when my computer booted saying that windows could not find C:\WINDOWS\system32\iige.exe file or load it into the registry. It was one of the files that Vundofix deleted. Please let me know what I should do about this error.

According to the original removal instructions, I'm supposed to download and use OTMoveIt and copy and paste a list of files. I'm holding off on this because I am afraid that the list was specific to the original user's computer. So, please advise on my next step.

Thank you!


#2 felinne

felinne
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:00 AM

Posted 26 December 2007 - 12:05 AM

SmitFraudFix v2.274

Scan done at 20:06:02.45, 25/12/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix.exe by S!Ri


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7C302160-728D-44F6-9D43-3E6A30A4D7FF}: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7C302160-728D-44F6-9D43-3E6A30A4D7FF}: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7C302160-728D-44F6-9D43-3E6A30A4D7FF}: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#3 felinne

felinne
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:00 AM

Posted 26 December 2007 - 12:08 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/25/2007 at 09:49 PM

Application Version : 3.9.1008

Core Rules Database Version : 3368
Trace Rules Database Version: 1365

Scan type : Complete Scan
Total Scan Time : 00:59:43

Memory items scanned : 177
Memory threats detected : 2
Registry items scanned : 4939
Registry threats detected : 30
File items scanned : 32132
File threats detected : 112

Adware.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\SSQROOO.DLL
C:\WINDOWS\SYSTEM32\SSQROOO.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\ssqrooo
C:\WINDOWS\SYSTEM32\KHFDEEE.DLL

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\IIIGE.DLL
C:\WINDOWS\SYSTEM32\IIIGE.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA5B7859-1902-4187-B5B1-0E61BC69EB26}
HKCR\CLSID\{CA5B7859-1902-4187-B5B1-0E61BC69EB26}
HKCR\CLSID\{CA5B7859-1902-4187-B5B1-0E61BC69EB26}\InprocServer32
HKCR\CLSID\{CA5B7859-1902-4187-B5B1-0E61BC69EB26}\InprocServer32#ThreadingModel

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}
HKCR\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}
HKCR\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}\InprocServer32
HKCR\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}
HKCR\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}

Adware.ClickSpring/Outer Info Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion

Malware.LocusSoftware Inc/SpyGuardPro
HKU\S-1-5-21-1202660629-920026266-1343024091-500\Software\SpyGuardPro
HKLM\Software\SpyGuardPro
HKLM\Software\SpyGuardPro#ProductCode
HKLM\Software\SpyGuardPro#Abbr
HKLM\Software\SpyGuardPro#InstallPath
HKLM\Software\SpyGuardPro#ActivationCode
HKLM\Software\SpyGuardPro#InstallDate
HKLM\Software\SpyGuardPro\Settings
HKLM\Software\SpyGuardPro\Settings#ActiveThreats
C:\Program Files\SpyGuardPro\Activate.exe
C:\Program Files\SpyGuardPro\al.dat
C:\Program Files\SpyGuardPro\Config\pgs.xml
C:\Program Files\SpyGuardPro\Config
C:\Program Files\SpyGuardPro\Dat\Activate.dat
C:\Program Files\SpyGuardPro\Dat\BkSites.dat
C:\Program Files\SpyGuardPro\Dat\bnlink.dat
C:\Program Files\SpyGuardPro\Dat\cd.dat
C:\Program Files\SpyGuardPro\Dat\incmp.dat
C:\Program Files\SpyGuardPro\Dat\index.dat
C:\Program Files\SpyGuardPro\Dat\PGUpLst.dat
C:\Program Files\SpyGuardPro\Dat\pv.dat
C:\Program Files\SpyGuardPro\Dat
C:\Program Files\SpyGuardPro\dhlp.dll
C:\Program Files\SpyGuardPro\Engines\AWBase\database\enemies.dat
C:\Program Files\SpyGuardPro\Engines\AWBase\database
C:\Program Files\SpyGuardPro\Engines\AWBase\vbpv.dat
C:\Program Files\SpyGuardPro\Engines\AWBase
C:\Program Files\SpyGuardPro\Engines\PGBase\vbpv.dat
C:\Program Files\SpyGuardPro\Engines\PGBase
C:\Program Files\SpyGuardPro\Engines\plugins\BORLNDMM.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANADWR.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANBCDR.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANDLDR.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANDOS1.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANEMUL.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANFUNC.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANMCR1.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANOTHR.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANSCR.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANTOOL.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANTROJ.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\SCANWIN1.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UNACPU.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UNADBX.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\unamscan.dll
C:\Program Files\SpyGuardPro\Engines\plugins\UNMIME.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UNPACK.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UNPACKS.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UNPACKS2.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UNPEPACK.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UpDate\UA27601.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UpDate\UA27602.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UpDate\UA27603.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UpDate\UA27604.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UpDate\UADAILY.DLL
C:\Program Files\SpyGuardPro\Engines\plugins\UpDate
C:\Program Files\SpyGuardPro\Engines\plugins\vbpv.dat
C:\Program Files\SpyGuardPro\Engines\plugins
C:\Program Files\SpyGuardPro\Engines
C:\Program Files\SpyGuardPro\FWSettings.bin
C:\Program Files\SpyGuardPro\Graphics\cross.gif
C:\Program Files\SpyGuardPro\Graphics\ga6p.gif
C:\Program Files\SpyGuardPro\Graphics\kb.url
C:\Program Files\SpyGuardPro\Graphics\main.ico
C:\Program Files\SpyGuardPro\Graphics\mini.ico
C:\Program Files\SpyGuardPro\Graphics\Online.url
C:\Program Files\SpyGuardPro\Graphics\rm.url
C:\Program Files\SpyGuardPro\Graphics\support.ico
C:\Program Files\SpyGuardPro\Graphics\Support.url
C:\Program Files\SpyGuardPro\Graphics\uninstall.ico
C:\Program Files\SpyGuardPro\Graphics
C:\Program Files\SpyGuardPro\history.db
C:\Program Files\SpyGuardPro\LA\lapv.dat
C:\Program Files\SpyGuardPro\LA\License.rtf
C:\Program Files\SpyGuardPro\LA
C:\Program Files\SpyGuardPro\main.log
C:\Program Files\SpyGuardPro\pgs .exe
C:\Program Files\SpyGuardPro\pgs.exe
C:\Program Files\SpyGuardPro\ptask .exe
C:\Program Files\SpyGuardPro\ptask.exe
C:\Program Files\SpyGuardPro\reload.exe
C:\Program Files\SpyGuardPro\ResErrors.log
C:\Program Files\SpyGuardPro\scnkrnl.dll
C:\Program Files\SpyGuardPro\settings.ini
C:\Program Files\SpyGuardPro\sqlite3.dll
C:\Program Files\SpyGuardPro\sr.log
C:\Program Files\SpyGuardPro\Tools\pblock.dll
C:\Program Files\SpyGuardPro\Tools\sbiebho.dll
C:\Program Files\SpyGuardPro\Tools
C:\Program Files\SpyGuardPro\unins000.dat
C:\Program Files\SpyGuardPro\unins000.exe
C:\Program Files\SpyGuardPro\Up\ASupdater.dat
C:\Program Files\SpyGuardPro\Up\Download
C:\Program Files\SpyGuardPro\Up\gup.exe
C:\Program Files\SpyGuardPro\Up\PGupdater.dat
C:\Program Files\SpyGuardPro\Up\UBupdater.dat
C:\Program Files\SpyGuardPro\Up\up.dat
C:\Program Files\SpyGuardPro\Up\updater.dat
C:\Program Files\SpyGuardPro\Up
C:\Program Files\SpyGuardPro
C:\Program Files\Common Files\SpyGuardPro\bm .exe
C:\Program Files\Common Files\SpyGuardPro\bm.exe
C:\Program Files\Common Files\SpyGuardPro\ugac .exe
C:\Program Files\Common Files\SpyGuardPro\ugac.exe
C:\Program Files\Common Files\SpyGuardPro
C:\Documents and Settings\Administrator\Application Data\SpyGuardPro\Logs\threats.log
C:\Documents and Settings\Administrator\Application Data\SpyGuardPro\Logs\update.log
C:\Documents and Settings\Administrator\Application Data\SpyGuardPro\Logs
C:\Documents and Settings\Administrator\Application Data\SpyGuardPro\PGE.dat
C:\Documents and Settings\Administrator\Application Data\SpyGuardPro
C:\Documents and Settings\All Users\Start Menu\Programs\SpyGuardPro\Contact Customer Support.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\SpyGuardPro\SpyGuardPro.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\SpyGuardPro\Uninstall SpyGuardPro.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\SpyGuardPro

Adware.ClickSpring/Yazzle
C:\PROGRAM FILES\COMMON FILES\YAZZLE1281OINADMIN.EXE
C:\PROGRAM FILES\COMMON FILES\YAZZLE1281OINUNINSTALLER.EXE

Trojan.Downloader-Gen/BundleBase
C:\WINDOWS\SYSTEM32\ARDCO01\ARDCO011065.EXE

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\POP3\PARREO83122.EXE

Edited by felinne, 26 December 2007 - 12:09 AM.


#4 felinne

felinne
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:00 AM

Posted 26 December 2007 - 12:09 AM

VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Scan started at 10:11:35 PM 25/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\egiii.ini
C:\WINDOWS\system32\egiii.ini2
C:\WINDOWS\system32\iiige.dll
C:\WINDOWS\system32\iiige.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\egiii.ini
C:\WINDOWS\system32\egiii.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\egiii.ini2
C:\WINDOWS\system32\egiii.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\iiige.dll
C:\WINDOWS\system32\iiige.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iiige.exe
C:\WINDOWS\system32\iiige.exe Has been deleted!

Performing Repairs to the registry.
Done!

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,582 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:00 AM

Posted 26 December 2007 - 10:37 AM

I also got an error when my computer booted saying that windows could not find C:\WINDOWS\system32\iige.exe file

From what you describe in regards to the error message, the file is an orphaned entry related to malware that was set to run at startup. Windows is trying to load this file but cannot locate it since the file was removed with vundofix. However, an associated registry entry remains and is telling Windows to load the file when you boot up. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the iige.exe file in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.
Then search for and delete the following file(s)/folder(s) in bold if they are present. You can use Windows Explorer to navigate to them:

C:\Documents and Settings\ALL USERS\DESKTOP\SPYGUARDPRO.LNK
C:\Documents and Settings\username\Application Data\SpyGuardPro
C:\Program Files\SpyGuardPro
C:\Program Files\Common Files\SpyGuardPro

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. That's probably how you came to be infected in the first place. Please follow these steps to remove older version Java components and update:
  • Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
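The orphaned-startup-entry problem quietman7 describes above (a Run or Winlogon\Notify value still pointing at a file the cleanup tool already deleted) can be spotted without a GUI. The following PowerShell script is an added example, not part of this thread and not from Autoruns or any other tool named here: it walks the common autostart locations, resolves the target file of each entry, and reports the ones whose target no longer exists. It is read-only by design (report first, then decide what to delete with Autoruns or Regedit). It assumes PowerShell 3 or later; the key paths are the standard Run, RunOnce and Winlogon\Notify locations.

```powershell
# Added example: find autostart entries whose target file is missing from disk.
# Read-only: nothing is deleted, the output is a report for a human to act on.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Winlogon\Notify subkeys each carry a DLLName value (the SAS log above listed
# a Vundo DLL registered here as "ssqrooo").
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-CommandPath {
    # Extract the program path from a Run-value command line.
    param([string]$Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {                       # "C:\Program Files\x.exe" /arg
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    # Unquoted: take everything up to the first recognised extension.
    $m = [regex]::Match($c, '^(.+?\.(exe|dll|cmd|bat|vbs|scr))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

function Resolve-AutorunTarget {
    # Handle rundll32 entries (the DLL is the first argument) and bare file
    # names that Windows would resolve from System32.
    param([string]$Command)
    $path = Get-CommandPath $Command
    if ([IO.Path]::GetFileName($path) -ieq 'rundll32.exe') {
        $rest = $Command.Substring($Command.IndexOf($path) + $path.Length).Trim(' ', '"')
        $path = (Get-CommandPath $rest) -replace ',.*$', ''
    }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if (-not [IO.Path]::IsPathRooted($path)) {
        $path = Join-Path "$env:SystemRoot\System32" $path
    }
    return $path
}

function Get-AutorunReport {
    $results = @()
    foreach ($keyPath in $runKeys) {
        if (-not (Test-Path $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            $target = Resolve-AutorunTarget $cmd
            $results += [pscustomobject]@{
                Location = $keyPath
                Name     = $name
                Command  = $cmd
                Target   = $target
                Status   = $(if (Test-Path -LiteralPath $target) { 'present' } else { 'MISSING' })
            }
        }
    }
    if (Test-Path $notifyKey) {
        foreach ($sub in Get-ChildItem -LiteralPath $notifyKey) {
            $dll = [string](Get-ItemProperty -LiteralPath $sub.PSPath).DLLName
            if ([string]::IsNullOrWhiteSpace($dll)) { continue }
            $target = Resolve-AutorunTarget $dll
            $results += [pscustomobject]@{
                Location = $notifyKey
                Name     = $sub.PSChildName
                Command  = $dll
                Target   = $target
                Status   = $(if (Test-Path -LiteralPath $target) { 'present' } else { 'MISSING' })
            }
        }
    }
    return $results
}

# Report: MISSING rows are the orphaned entries that produce "Windows cannot
# find ..." errors at logon; review each one before deleting it.
Get-AutorunReport | Sort-Object Status, Location | Format-Table -AutoSize
```

A MISSING row is not automatically malicious (uninstalled legitimate software leaves the same residue), but after a malware cleanup it is exactly the entry to inspect: compare the value name and target against the files the removal tools reported deleting, then remove the value with Autoruns as described in the post above.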

#6 felinne

felinne
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:00 AM

Posted 27 December 2007 - 07:06 PM

I followed your instructions and updated my Java. Thanks so much! A strange thing happened though: I've recently started to get reboot requests from Avast. I've been poking around the Internet and it seems like it might be a glitch in the newest version? I'm doing a clean reinstall. Have you heard anything about this?

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,582 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:00 AM

Posted 28 December 2007 - 08:48 AM

I have not heard about the Avast problem, but I have not had time to research it. If you come across anything, please let me know.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
