
CAN'T SHAKE SPYWARE GUARD 2008 INFECTION


This topic is locked
5 replies to this topic

#1 hybrids
  • Members
  • 6 posts

Posted 17 December 2008 - 02:02 PM

Running a Dell 4400I computer, 512 MB RAM, XP Pro SP2.

I have taken over a computer my daughter received from a friend and it is riddled with spyware.
The worst one is SPYWARE GUARD 2008 (possibly other names). Can't get rid of TREND antivirus either; I have physically removed the files after going into safe mode, but it still shows up under Remove Programs and requires a password I don't have in order to remove it.

It has taken over Internet Explorer. I can't get out to the web even though my network is up and pinging shows the network is sending and receiving; it blocks everything that tries to get out.

I have downloaded tons of suggested software from Googling; most claim to be free but they want money after you go through all of the crap. Most I have downloaded on my other computer and tried to run on the bad one, but it defeats every one I try.

At one point I had Spybot loaded but it didn't do anything I was aware of to get rid of the infection. I finally deleted it, thinking it was possibly causing problems; now I can't get it reloaded.

I have loaded and run CCleaner, a registry cleaner. It looks good, but who knows if it is really making changes or fixing anything. Still have the same problems; I don't believe it did anything, it sure didn't fix it.

I am beginning to think all of this web crap is worthless, just a bunch of bells and whistles to make you think you are getting your money's worth.

This SPYWARE GUARD 2008 is nothing but dummy virus software, from Russia? It takes over the system virus-warning popup in the right corner of the screen, but it is fake. I have read and tried every software download that is out there and available: regedits, taskmgr file fixes, etc.

I can't get to Regedit; I'm locked out even though I have admin rights. A dummy message comes up saying the admin has locked me out. Same with Ctrl-Alt-Del: Task Manager is locked out.

I have found the software dir and files and deleted them manually, but they immediately come right back, dir and all, even the desktop icon.

I have finally defeated this by making a dummy dir under \Programs and putting 0-byte files with the same names in it, but it still doesn't affect the virus alert window; it still comes up with a fake one?

I checked my firewall and it is on, but this window says it isn't; just bogus crap.

I have been into the Services menu and turned on or disabled about anything I thought could be causing this, in my admin user and also in safe mode under the ADMIN login. This ADMIN login is not available at normal boot-up, only in safe mode. Unfortunately you can't do much in safe mode to load programs or remove them?

I have deleted all existing users that were on the computer and keep adding new ones over and over trying to trick this piece of crap, but nothing works for long.

At one time I could get to the web; I went to Microsoft and tried to download some things. It looked like it was doing it but never would complete the downloads.

Fortunately I have never had such a big mess in my life; it must have taken years to get this computer so hosed up?
He was a young kid who used to do a lot of instant messaging and other sources, and probably downloaded the spyware thinking it was safe when it wasn't.

Well, I hope I have given someone enough info to see what a mess I am in, possibly someone else has been thru the same problems.

I read through your beginning advice but, not being able to download from the web or run the suggested software items, it didn't help; I can't print out that file you would like to see.

I need a file I can download and actually run on that computer. I can download on my other computer and thumbdrive it over, but it has to be a complete program, one that doesn't have to go into a run mode to load or go to the web to get definition files.

My DSL link: I tried using my Verizon.net disks to reload the software on this computer; it craps out early and even offsets the info screen so you can't enter the requested login info. What a piece of crap. It really was well written; too bad the guy didn't do it for good purposes instead of evil.

I don't have the original XP Pro certified disks to reload the software, so I would like to solve this problem and not have to go back to Dell for the software.

I have tried to find any settings that an ADMIN could use to lock out other users from running TaskMgr or Regedit but have found none, so I am pretty sure it is being caused by this software virus.

  • SpyHunter-Scanner-Install.exe
  • Welcome to Malwarebytes ANTI-MALWARE.pdf / mbam-setup.exe - it won't even run
  • SDFix.exe - won't let it run
  • windows-kb890830-v2.4.exe
  • ccsetup214.exe - doesn't do anything
  • ComboFix.exe - doesn't do anything
  • Cannot Access Regedit, How to Fix It.pdf - doesn't do anything
  • TaskManagerFix.exe / Task Manager Has Been Disabled, How to Fix It.pdf - doesn't do anything

FILES IT LIKES TO ADD TO c:\PROGRAMs\SPYWARE GUARD 2008 dir:

REGED.EXE
SPOOLSYSTEM.EXE
SYS.COM
SYSCERT.EXE
SYSEXPLORER.EXE
VMREG.DLL

I have placed 0-byte dummy files in the dir where it likes to put these files, which keeps them from loading; it still won't give me back control though?

Any and all suggestions would be greatly appreciated.

See Ya..........

Phil

#2 KoanYorel
    Bleepin' Conundrum
  • Staff Emeritus
  • 19,461 posts
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 26 December 2008 - 05:10 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 hybrids
  • Topic Starter
  • Members
  • 6 posts

Posted 29 December 2008 - 06:11 PM

KoanYorel

Thanks for getting back with me; however, as I stated earlier, unless I can regain control of my Internet Explorer and get online, nothing I have been offered can be downloaded or used if it needs web access.

Same goes for the utilities you listed.

I noticed an ad on this site for Trend Micro. I don't trust this utility; I have recently read where it has become one of the big malware offenders and wouldn't want to use it. In fact, it was on this computer that I am having problems with, even more evidence of my distrust for it.
I can't even delete the remains of this program???
Have tried uninstall, it has a password; manually deleted every possible trace of its files, yet it still shows up in Services, which I have disabled?

I have tried over and over to delete and reinstall IE but it won't let me. It comes up with cryptographic services not working or some bull bleep. I have verified the CS is working, even manually typed all of the certificates into the registry after deleting the Catroot2 dir under System32. Still get bogus error messages.

Have finally traced down all files and services that were displaying the Micro Sec Prot window down in the bottom right tray. Stopped all services and deleted or set up dummy files to replace them.

Finally got back my Taskmgr function and my Regedit commands without all of the phony error messages.

Can't get to the web thru IE is my biggest problem.

Any thoughts on getting this working manually?

I have DSL through Verizon and use AOL for most mail and contacts.

Thanks.........

Phil

PS... in the process of fixing this computer, my other one has crashed, bad boot.ini or MBR???
Nothing seems to recognize files on it; ran scans with WD utilities and all scans come back clean, no errors, short and long scan.
Any possibilities to get this drive back up? WD 1600 / Win XP
Crashed out of a Microsoft update that would end after properly shutting down Windows; it kept running, saying 1 of 1 update left, ran for 3 hours or more, finally turned it off.

Thanks.

#4 KoanYorel
    Bleepin' Conundrum
  • Staff Emeritus
  • 19,461 posts

Posted 29 December 2008 - 06:15 PM

I'm passing you on to our HJT Team. You have serious problems that I cannot help with. Hang on.

#5 Thunder
  • Members
  • 3,294 posts
  • Location:Belgium

Posted 31 December 2008 - 07:26 AM

Hello Hybrids and welcome to BleepingComputer,

Seems like you have quite a mess on your hands.

Without any kind of diagnostic log it's hard to determine the nature of your problems;
however, I would suggest you take the next steps, if possible, in safe mode:
Boot into Safe Mode:
Restart your computer and tap F8 before WinXP starts to load and choose Safe Mode with network support.
If done right, a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.

Download and run the next tools, if necessary after transferring them from another PC.
Renaming them before transfer may be advisable depending on the nature of the infection.

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


3. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double-click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :)

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference
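Two things in this thread point at checks that can be done from a command prompt in Safe Mode before any scanner is even copied over: the first post's symptoms (Task Manager and Regedit reporting that the administrator has disabled them, Internet Explorer unable to reach anything while ping works, tools that "don't do anything" when launched) and Thunder's advice above to rename the tools before transferring them. The batch file below is an added example written for this page; it is not code from the thread, from BleepingComputer, or from any of the tools named here. It assumes reg.exe and findstr.exe (standard on XP Pro SP2) and that the rogue's directory is "%ProgramFiles%\Spyware Guard 2008" (the post writes it as c:\PROGRAMs\SPYWARE GUARD 2008; change SGDIR if the path differs). The registry locations it inspects are standard Windows ones: the DisableTaskMgr / DisableRegistryTools policy values produce exactly the "disabled by your administrator" message, ProxyEnable / ProxyServer / AutoConfigURL control IE's proxy, and an Image File Execution Options "Debugger" entry silently redirects a named executable, which is the usual reason a renamed copy runs when the original does not. Which of these this particular rogue actually touched is not established by the thread, so the script deletes only the two policy lock-outs and otherwise just reports what it finds.

```batch
@echo off
rem sg2008-triage.cmd - added triage checklist, not posted in this thread.
rem Run from an admin account (Safe Mode is fine). Read-only except for
rem step 1, which deletes the two policy values that lock out Task Manager
rem and Regedit. Assumes reg.exe and findstr.exe (standard on XP Pro SP2).
setlocal
set "POL=Software\Microsoft\Windows\CurrentVersion\Policies\System"
set "INET=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
set "IFEO=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
rem Assumed location of the rogue; the post writes it as c:\PROGRAMs\SPYWARE GUARD 2008.
set "SGDIR=%ProgramFiles%\Spyware Guard 2008"

echo.
echo [1] Policy values behind "has been disabled by your administrator"
for %%H in (HKCU HKLM) do (
  for %%V in (DisableTaskMgr DisableRegistryTools) do (
    reg query "%%H\%POL%" /v %%V >nul 2>&1
    if not errorlevel 1 (
      echo     %%H\...\Policies\System\%%V is set - deleting it
      reg delete "%%H\%POL%" /v %%V /f >nul
    )
  )
)

echo.
echo [2] Internet Explorer proxy settings - a planted proxy blocks every site while ping still works
for %%V in (ProxyEnable ProxyServer AutoConfigURL) do (
  reg query "%INET%" /v %%V 2>nul | findstr /i "%%V"
)
echo     expected on a plain DSL line: ProxyEnable 0x0, no ProxyServer, no AutoConfigURL

echo.
echo [3] Image File Execution Options "Debugger" redirects - why a renamed tool runs but the original does nothing
rem A Debugger value under a subkey named after an .exe makes Windows start the
rem named debugger instead; a home XP box normally has none of these.
reg query "%IFEO%" /s /v Debugger 2>nul | findstr /i "HKEY_ Debugger"

echo.
echo [4] hosts file lines other than comments and localhost
findstr /v /b /c:"#" "%SystemRoot%\system32\drivers\etc\hosts" | findstr /v /i "localhost" | findstr /r /c:"[^ ]"

echo.
echo [5] The rogue's directory and the files the post says it keeps re-creating
if exist "%SGDIR%" (dir /a "%SGDIR%") else (echo     %SGDIR% not present)
for %%F in (REGED.EXE SPOOLSYSTEM.EXE SYS.COM SYSCERT.EXE SYSEXPLORER.EXE VMREG.DLL) do (
  if exist "%SGDIR%\%%F" for %%S in ("%SGDIR%\%%F") do echo     %%F is %%~zS bytes - 0 means your placeholder, anything else means the dropper rewrote it
)

echo.
echo [6] Run keys and services - where it comes back from after every manual delete
for %%H in (HKCU HKLM) do reg query "%%H\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /v ImagePath 2>nul | findstr /i /c:"Spyware Guard" /c:"SYSEXPLORER" /c:"SPOOLSYSTEM" /c:"VMREG" /c:"REGED"
endlocal
```

Save it with a .cmd extension on the clean machine, copy it over on the thumb drive, and run it as `sg2008-triage.cmd > C:\triage.txt` so the output can be carried back and posted alongside the scanner logs the helpers ask for. Seeing a Run-key or service entry in step 6 explains the "dir and all come right back" behaviour: deleting the files without removing the loader that re-drops them only buys time until the next reboot. Step 1 is the only destructive action and it only removes values that no home setup needs; everything else is reported so that it can be judged before anything is changed.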

#6 Thunder
  • Members
  • 3,294 posts
  • Location:Belgium

Posted 24 January 2009 - 07:52 PM

Since there is no feedback anymore, I assume this issue is resolved ... so this topic is closed.
If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.