Malware: Spyware Guard 2008

I currently have my sister's computer in my possession as she isn't very good at this sort of thing.

A pop up came up on her computer saying she may be infected with spyware, so she has downloaded this malware called Spyware Guard 2008 from the pop-up which she now can't get rid of and is completely infecting the computer.

I'm getting to the end of my patience now at trying to remove this beastie and I have reached the point of either formatting the hard drive or throwing it out the window. I just wanted to check if anyone else had any advice and check I had exhausted all other options.

1. I've tried stopping the processes from running in task manager and removing the programme from add/remove function - within 10 minutes everything comes back

2. I've tried manually removing all the files associated with this malware - within minutes it all comes back

3. I've run three anti-spyware programmes now which quarantine and delete the files - within minutes it all comes back (programmes include Spyware Doctor and the Malware Bytes one)

4. Internet Explorer won't let me download any anti virus software

5. Malware blocks Kaspersky from working

6. Can't do a system restore because the only restore point is the day the malware infected the computer

If it helps at all, the computer is running Windows XP

Comments

  • Kingsd316
    Kingsd316 Posts: 1,394 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Try Spybot S&D then run Malwarebytes, both are available FREE and are very good in removing all the nasties off of your hard drive

    Spybot

    http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10401314.html

    Malwarebytes

    http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
    :beer:
  • Bunnie1982
    Bunnie1982 Posts: 1,671 Forumite
    I've tried Malwarebytes, but not Spybot. Will try that combination, thanks
  • Kingsd316
    Kingsd316 Posts: 1,394 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    :beer:
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Bunnie1982 wrote: »
    I've tried Malwarebytes, but not Spybot. Will try that combination, thanks

    Are you absolutely SURE you deleted anything it found? For some reason a lot of people fail to do this :confused:

    Download HIJACK THIS
    http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
    SCAN and post the log here so we can see what's happening
    :idea:
  • Bunnie1982
    Bunnie1982 Posts: 1,671 Forumite
    I'm 100% certain I deleted everything it found, however I only ran the quick scan, do you think I should run the full scan?
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Bunnie1982 wrote: »
    I'm 100% certain I deleted everything it found, however I only ran the quick scan, do you think I should run the full scan?

    Sure

    Run that then post the log here (After it deletes anything else it might find)
    :idea:
  • SaqibQ
    SaqibQ Posts: 81 Forumite
    Hi Bunnie1982,

    Please do the following...

    1. Start Malwarebytes...
    • Select the Update tab and click on Check for Updates.
    • If an update is found, it will download and install the latest version.
    • Now select the Scanner tab, and select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Download HJTInstall.exe to your Desktop.
    • Double-click HJTInstall.exe to install it.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis .
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch Hijackthis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Save the log to a convenient location as you'll need to post it soon.
    • Don't use the Analyse This button, its findings are dangerous if misinterpreted.
    • Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
  • Bunnie1982
    Bunnie1982 Posts: 1,671 Forumite
    Right, this is the log file from Malwarebytes


    Malwarebytes' Anti-Malware 1.31
    Database version: 1506
    Windows 5.1.2600 Service Pack 3
    16/12/2008 18:17:47
    mbam-log-2008-12-16 (18-17-47).txt
    Scan type: Full Scan (C:\|H:\|)
    Objects scanned: 117458
    Time elapsed: 40 minute(s), 47 second(s)
    Memory Processes Infected: 1
    Memory Modules Infected: 3
    Registry Keys Infected: 15
    Registry Values Infected: 5
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 26
    Memory Processes Infected:
    C:\WINDOWS\system32\winscenter.exe (Trojan.FakeAlert) -> Unloaded process successfully.
    Memory Modules Infected:
    C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll (Trojan.FakeAlert) -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll (Trojan.FakeAlert) -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\bzrolrohux.dll (Trojan.Agent) -> Delete on reboot.
    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{ef891a5e-475c-4184-b8be-215726501c7c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{be94e1fb-e60e-40a4-91b7-7e93527c0860} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\orb.ta (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{1b7f9329-aaf9-4e34-8ecf-c363fd3c60cf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{21eeb010-57f3-11dd-b116-dad055d89593} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ada8c222-95d2-47b5-950b-aebc0a508839} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ada8c222-95d2-47b5-950b-aebc0a508839} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ada8c222-95d2-47b5-950b-aebc0a508839} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\orb.ta.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\spyware guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\iemodule (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\internetconnection (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spywareguard (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spy Protector (Rogue.SpyProtector) -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    C:\Program Files\Spyware Guard 2008 (Rogue.SpywareGuard) -> Delete on reboot.
    C:\Program Files\Spyware Guard 2008\quarantine (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Joanne\Start Menu\Programs\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    Files Infected:
    C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll (Trojan.FakeAlert) -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll (Trojan.FakeAlert) -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\bzrolrohux.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\winscenter.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Program Files\Spyware Guard 2008\spywareguard.exe (Rogue.SpywareGuard) -> Delete on reboot.
    C:\WINDOWS\system32\spria.dll (Trojan.FakeAlert) -> Delete on reboot.
    C:\Documents and Settings\Joanne\Local Settings\Temporary Internet Files\Content.IE5\3BEAFJSG\SpywareGuard2008[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\Program Files\alot\bin\alot.dll (Adware.BHO) -> Delete on reboot.
    C:\System Volume Information\_restore{F8A61E4E-3935-4B06-8A66-BE2FCCAE59C6}\RP1\A0001010.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{F8A61E4E-3935-4B06-8A66-BE2FCCAE59C6}\RP1\A0001027.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{F8A61E4E-3935-4B06-8A66-BE2FCCAE59C6}\RP1\A0001033.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Program Files\Spyware Guard 2008\conf.cfg (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Program Files\Spyware Guard 2008\mbase.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Program Files\Spyware Guard 2008\quarantine.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Program Files\Spyware Guard 2008\queue.vdb (Rogue.SpywareGuard) -> Delete on reboot.
    C:\Program Files\Spyware Guard 2008\uninstall.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Program Files\Spyware Guard 2008\vbase.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Joanne\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Joanne\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\WINDOWS\sysexplorer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\reged.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\WINDOWS\spoolsystem.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\WINDOWS\sys.com (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\WINDOWS\syscert.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\WINDOWS\vmreg.dll (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Joanne\Desktop\Spyware Guard 2008.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

    Just going to try and do Hijackthis now
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Make sure you reboot first (Some of those needed a reboot to clear)

    So all these were found even though you cleared what you could on a quick scan?
    (I'm interested as some people believe there's no difference between a quick and a full)
    :idea:
  • Bunnie1982
    Bunnie1982 Posts: 1,671 Forumite
    The ones that I deleted on quick scan kept reappearing, almost as if the malware is consistently being reinstalled
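
Added example, not part of the original thread: a small Python parser for the Malwarebytes log format posted above. It separates items still marked "Delete on reboot" (not yet removed, so a reboot is needed) from registry entries in autostart locations, the places that reload a program at logon. The sample is an excerpt of lines from that log; the function names and the marker list are choices made for this example.

```python
import re

# Excerpt of lines from the Malwarebytes log posted in this thread.
SAMPLE_LOG = r"""Memory Modules Infected:
C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll (Trojan.FakeAlert) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\iemodule (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spywareguard (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\spria.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\sysexplorer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Autostart locations that appear in the posted log (list chosen for this example).
AUTOSTART_MARKERS = (
    "\\currentversion\\run\\",
    "\\shellserviceobjectdelayload\\",
    "\\browser helper objects\\",
)

SECTION = re.compile(r"^(?P<name>.+) Infected:$")  # e.g. "Files Infected:"
ENTRY = re.compile(r"^(?P<item>.+) \((?P<detection>[\w.]+)\) -> (?P<action>.+?)\.?$")

def parse_log(text):
    """Return one dict per detection line, tagged with its log section."""
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            section = m["name"]
        elif section and (m := ENTRY.match(line)):
            entries.append({"section": section, **m.groupdict()})
    return entries

def triage(entries):
    """Split entries into reboot-pending items and autostart registry entries."""
    pending = sorted({e["item"] for e in entries
                      if e["action"].lower() == "delete on reboot"})
    autostart = [e["item"] for e in entries
                 if e["section"].startswith("Registry")
                 and any(k in e["item"].lower() for k in AUTOSTART_MARKERS)]
    return {"pending_reboot": pending, "autostart": autostart}

if __name__ == "__main__":
    for group, items in triage(parse_log(SAMPLE_LOG)).items():
        print(group, *items, sep="\n  ")
```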