
Infected with Guard Online Virus, cannot start Malwarebytes' Anti-Malware


2 replies to this topic

#1 pittjo01 (Members, 5 posts)

Posted 08 October 2011 - 12:33 PM

I started trying to remove this virus after getting the fake virus alert messages described in Bleepingcomputer's removal guide. I've been able to take just about all of the steps posted here:

http://www.bleepingcomputer.com/virus-removal/remove-guard-online

That includes being able to run TDSSKiller and RKill. However, once I run Malwarebytes' Anti-Malware as the last step of the process, it runs for about 10 seconds and then closes down. When I try to restart, I receive the message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." This all occurs when I am running Windows XP in Safe Mode. Thank you in advance for your help, and please let me know if you need any more information.

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 7.0.5730.13
Run by Jack Pittenger at 10:16:18 on 2011-10-08
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2599 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\3770994136:657603359.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Jack Pittenger\Desktop\tdsskiller.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/linksys
uSearch Page = hxxp://www.live.com
mDefault_Page_URL = hxxp://my.yahoo.com/linksys
mStart Page = hxxp://my.yahoo.com/linksys
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [OEM13Mon.exe] c:\windows\OEM13Mon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [bmmmH55sQJ7ELgR8234A] c:\windows\system32\oNyyxxA1uvD2bF.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\documents and settings\jack pittenger\start menu\programs\startup\crss.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bounce~1.lnk - c:\program files\cms peripherals\bounceback express\BBLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{0FB0385E-1A3E-4241-B4AC-E22A2A9C7367} : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jack pittenger\application data\mozilla\firefox\profiles\e2sc1tfk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2009-4-17 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2009-4-17 43608]
S1 dsqosavp;dsqosavp;\??\c:\windows\system32\drivers\dsqosavp.sys --> c:\windows\system32\drivers\dsqosavp.sys [?]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
S2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2009-8-4 14976]
S3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [2009-4-17 141376]
S3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [2009-4-17 7424]
S3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [2009-4-17 235840]
.
=============== Created Last 30 ================
.
2011-10-08 16:58:37 -------- d-----w- c:\documents and settings\jack pittenger\application data\WRL9hTXwjClBzNc
2011-10-08 16:58:37 -------- d-----w- c:\documents and settings\jack pittenger\application data\givD2onF4m5W7E
2011-10-08 07:39:44 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-08 07:36:34 -------- d-----w- c:\documents and settings\jack pittenger\application data\qtzzPP0ycS1iD3n
2011-10-08 07:36:34 -------- d-----w- c:\documents and settings\jack pittenger\application data\KjUUVVelOB
2011-10-08 07:36:24 3032064 ----a-w- c:\windows\system32\oNyyxxA1uvD2bF.exe
2011-10-08 07:36:24 -------- d-----w- c:\documents and settings\jack pittenger\application data\LgggTXXqjUCkIrz
2011-10-08 04:01:55 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c6f016e5-54e3-46e5-82e8-2bdb4bfb1756}\offreg.dll
2011-09-28 17:07:50 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c6f016e5-54e3-46e5-82e8-2bdb4bfb1756}\mpengine.dll
2011-09-08 23:34:18 -------- d-----w- c:\documents and settings\all users\application data\bE21101JiBgD21101
2011-09-08 23:34:10 0 ----a-w- c:\documents and settings\jack pittenger\local settings\application data\qdbf.exe
2011-09-08 23:34:10 0 ----a-w- c:\documents and settings\jack pittenger\local settings\application data\qalp.exe
2011-09-08 23:34:10 0 ----a-w- c:\documents and settings\jack pittenger\local settings\application data\fuqd.exe
2011-09-08 23:34:10 0 ----a-w- c:\documents and settings\jack pittenger\local settings\application data\endx.exe
2011-09-08 23:34:10 0 ----a-w- c:\documents and settings\all users\application data\ohfn.exe
2011-09-08 23:34:10 0 ----a-w- c:\documents and settings\all users\application data\nyvi.exe
2011-09-08 23:34:10 0 ----a-w- c:\documents and settings\all users\application data\nxbb.exe
2011-09-08 23:34:10 0 ----a-w- c:\documents and settings\all users\application data\imck.exe
.
==================== Find3M ====================
.
2011-10-08 07:59:46 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-01 00:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20:54 83816 ------w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20:54 73064 ------w- c:\windows\system32\dnssd.dll
2011-07-12 15:20:54 178536 ------w- c:\windows\system32\dnssdX.dll
.
============= FINISH: 10:17:29.68 ===============

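The DDS log above is what a helper reads before replying, and it already carries the indicators that matter: a process running from a path with a colon after the drive letter (an NTFS alternate data stream, which no stock Windows component runs from), an autorun key and executable with random-looking mixed-case names, a bare crss.exe dropped into the user's Startup folder one edit away from the core process csrss.exe, and several zero-byte .exe files under Application Data. The script below is an added example for this thread, not part of DDS, RKill, TDSSKiller or Malwarebytes; it runs those heuristics over lines copied from the posted log. Every rule, threshold and rule name is this example's own assumption, and the sample input is a constructed excerpt of the log, not fresh output.

```python
"""Triage heuristics for a DDS-style log (the format pasted in post #1).

Added example for this thread: not part of DDS, RKill, TDSSKiller or
Malwarebytes.  Every rule and threshold below is this example's own
assumption about what a malware-removal helper looks for in such a log.
"""
import re

# Constructed excerpt: lines copied verbatim from the DDS log posted above.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\3770994136:657603359.exe
C:\WINDOWS\explorer.exe
============== Pseudo HJT Report ===============
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [bmmmH55sQJ7ELgR8234A] c:\windows\system32\oNyyxxA1uvD2bF.exe
StartupFolder: c:\documents and settings\jack pittenger\start menu\programs\startup\crss.exe
=============== Created Last 30 ================
2011-10-08 07:39:44 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-08 07:36:24 3032064 ----a-w- c:\windows\system32\oNyyxxA1uvD2bF.exe
2011-09-08 23:34:10 0 ----a-w- c:\documents and settings\all users\application data\ohfn.exe
"""

# Drive-letter path up to a PE / shortcut extension; .lnk is included so that
# "foo.lnk - c:\target.exe" StartupFolder lines split into two paths.
PATH_RE = re.compile(r'[a-z]:\\[^"\r\n]+?\.(?:exe|dll|sys|lnk)\b', re.I)
RUNKEY_RE = re.compile(r"[a-z]Run(?:Once)?: \[([^\]]+)\]", re.I)
SECTION_RE = re.compile(r"=+\s*(.+?)\s*=+$")
# "Created Last 30" rows: date time size attributes path
CREATED_RE = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (\S+) \S+ (.+)$")

# Core Windows process names that malware likes to imitate (assumed list).
CORE = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
        "services.exe", "winlogon.exe", "explorer.exe"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(name):
    """Assumed heuristic: a stem of 12+ characters mixing digits, upper and
    lower case (oNyyxxA1uvD2bF) is a generated name; OEM13Mon is not."""
    stem = name.rsplit(".", 1)[0]
    return (len(stem) >= 12 and any(c.isdigit() for c in stem)
            and any(c.islower() for c in stem) and any(c.isupper() for c in stem))


def triage(log_text):
    """Return ordered, de-duplicated (rule, item) findings for a DDS log body."""
    findings = []
    section = ""
    for line in log_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        key = RUNKEY_RE.match(line)
        if key and looks_random(key.group(1)):
            findings.append(("random-run-key", key.group(1)))
        for path in PATH_RE.findall(line):
            name = path.rsplit("\\", 1)[-1]
            lname = name.lower()
            # A colon after the drive letter means the image lives in an NTFS
            # alternate data stream; no stock Windows component runs that way.
            if ":" in path[2:]:
                findings.append(("ads", path))
            if looks_random(name):
                findings.append(("random-name", path))
            # Legitimate Startup entries are .lnk shortcuts; a bare .exe
            # copied into the folder itself is worth a look.
            if (line.startswith("StartupFolder:") and "\\startup\\" in path.lower()
                    and lname.endswith(".exe")):
                findings.append(("exe-in-startup", path))
            if lname not in CORE and min(edit_distance(lname, c) for c in CORE) == 1:
                findings.append(("lookalike", path))
        if section.startswith("Created"):
            row = CREATED_RE.match(line)
            # Zero-byte executables are not something an installer leaves behind.
            if row and row.group(1) == "0" and row.group(2).lower().endswith(".exe"):
                findings.append(("zero-byte-exe", row.group(2)))
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for rule, item in triage(SAMPLE_LOG):
        print(f"{rule:15} {item}")
```

Run against the excerpt it reports six findings: the ADS process under C:\WINDOWS, the random mRun key and its executable, crss.exe both as a bare executable in the Startup folder and as a csrss.exe lookalike, and the empty ohfn.exe. Signed drivers such as mbamswissarmy.sys and well-known entries like msseces.exe pass through untouched; the thresholds are deliberately conservative so that OEM names with a few digits (OEM13Mon.exe) are not flagged.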
#2 pittjo01 (Topic Starter; Members, 5 posts)

Posted 08 October 2011 - 04:41 PM

Finally figured it out, but I am not sure how to close the original topic. Thanks!

#3 Budapest (Bleepin' Cynic; Moderator, 23,579 posts)

Posted 10 October 2011 - 12:02 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
