
Spyware Guard 2008 (HJT Log Included)


Calon1


I woke up this morning to a blue screen with a mouse cursor on my laptop. After a few minutes I noticed the new icon on the desktop for Spyware Guard 2008. I am not computer savvy so I came to the internet and this forum to try and find a fix.

I tried to do all the things requested of me in the HJT Post Instructions stickied at the top, but the only thing I could actually do on the infected computer was the HJT log (after renaming the .exe file).

I get this error when trying to install Spybot Search and Destroy:

http://*.bhicms

O15 - Trusted Zone: http://*.bravacel

O15 - Trusted Zone: http://*.bravahou

O15 - Trusted Zone: http://*.CelleWeb

O15 - Trusted Zone: http://*.DMSQUERY

O15 - Trusted Zone: http://*.dmsquerycel

O15 - Trusted Zone: http://*.dmsquerydev

O15 - Trusted Zone: http://*.dmsqueryhou

O15 - Trusted Zone: http://*.gt90

O15 - Trusted Zone: http://*.INSOURCECEL

O15 - Trusted Zone: http://*.Inview

O15 - Trusted Zone: http://*.materials

O15 - Trusted Zone: http://*.wrap

O15 - Trusted Zone: http://*.wrapAP

O15 - Trusted Zone: http://*.wrapAP2

O15 - Trusted Zone: http://*.wrapEARC

O15 - Trusted Zone: http://*.wrapEARC2

O15 - Trusted Zone: http://*.wrapLA

O15 - Trusted Zone: http://*.wrapME

O15 - Trusted Zone: http://*.wrapME2

O15 - Trusted Zone: http://*.wrapNA

O15 - Trusted Zone: http://*.wrapteam

O15 - Trusted Zone: http://*.wraptest

O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://localhost/webbits3/BitRecordLayout/ScriptX.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1202317297046

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202333110828

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.bhicorp.com

O17 - HKLM\Software\..\Telephony: DomainName = ent.bhicorp.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.bhicorp.com

O20 - AppInit_DLLs: lngwrv.dll

O21 - SSODL: ieModule - {C9C193CA-FC26-469C-98DD-6454290F7307} - D:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll

O21 - SSODL: InternetConnection - {D0C13CD7-FC58-43A0-A866-328E90082CD7} - D:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\jbyakuapbv.dll

O23 - Service: Extend360 Enforcement Agent (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe

O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe

O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - C:\Program Files\CA\DSM\bin\caf.exe

O23 - Service: Client32 - NetSupport Ltd - C:\Program Files\PCD32\client32.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\BakerHughes\GlobalConnect\cvpnd.exe

O23 - Service: sys host (enstart) - Unknown owner - C:\WINNT\System32\enstart.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Fiberlinkcomm Wireless Engine - Unknown owner - C:\Program Files\BHI Global Connect\BHI Global Connect\WENGINE2\BWEngine.exe

O23 - Service: Fiberlinkcomm WMonitor - Boingo Wireless, Inc. - C:\Program Files\BHI Global Connect\BHI Global Connect\WENGINE2\WMonitor.exe

O23 - Service: System Connect Util Service (FLUtilsSvc) - Fiberlink Communications Corp. - C:\Program Files\BHI Global Connect\BHI Global Connect\FLUtilsSvc.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINNT\system32\spool\drivers\w32x86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINNT\system32\spool\drivers\w32x86\3\HPBOID.EXE

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - c:\ePOAgent\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

O23 - Service: Radia Notify Daemon (RADEXECD) - Hewlett-Packard - C:\PROGRA~1\Novadigm\RADEXECD.exe

O23 - Service: Radia Scheduler (RADSCHED) - Hewlett-Packard - C:\PROGRA~1\Novadigm\RADSCHED.exe

O23 - Service: Radia MSI Redirector (RADSTGMS) - Hewlett-Packard - C:\PROGRA~1\Novadigm\RADSTGMS.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\BHI Global Connect\BHI Global Connect\ServiceMgr.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINNT\system32\StacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--

End of file - 12421 bytes

Not sure what to do next, any help would be appreciated.

Thanks


Hello Calon1 and welcome to MalwareBytes forums.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for member Calon1 only. If you are a lurker, do NOT try this on your system!

If you are not Calon1 and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

It seems that this has the Troj/Dloadr-BHN Trojan plus Vundo and the rogue SpywareGuard 2008.

Let's start with the following procedures to attempt to remove the most obvious malware related items.

It may be necessary for you to use a different PC to download some of these tools (if this system does not reach a site or if it has no internet connectivity).

Set Windows to show all files and all folders.

On your Desktop, double-click My Computer; from the menu options select Tools, then Folder Options, then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under Hidden files and folders, choose (select) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here:

http://cid-6aaab341ce47c5c2.skydrive.live....FixPolicies.exe

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present:

O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe

O4 - HKLM\..\Run: [98fbde20] rundll32.exe "C:\WINNT\system32\eygbryin.dll",b

O4 - HKCU\..\Run: [prunnet] "C:\WINNT\system32\prunnet.exe"

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O21 - SSODL: ieModule - {C9C193CA-FC26-469C-98DD-6454290F7307} - D:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll

O21 - SSODL: InternetConnection - {D0C13CD7-FC58-43A0-A866-328E90082CD7} - D:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\jbyakuapbv.dll

Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

Next, we're going to use OTMoveIt3 to remove files.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    C:\Program Files\Spyware Guard 2008\spywareguard.exe
    C:\Program Files\Spyware Guard 2008\spywareguard2008.exe
    C:\Program Files\Spyware Guard 2008
    c:\WINNT\reged.exe
    c:\WINNT\spoolsystem.exe
    c:\WINNT\sys.com
    c:\WINNT\syscert.exe
    c:\WINNT\sysexplorer.exe
    c:\WINNT\vmreg.dll
    C:\WINNT\system32\eygbryin.dll
    C:\WINNT\system32\olesys.dll
    C:\WINNT\system32\moduleie.dll
    C:\WINNT\system32\iemodule.dll
    C:\WINNT\system32\fkxmstkbrb.dll
    c:\WINNT\6864837.exe
    c:\WINNT\6979062.exe
    C:\WINNT\system32\fkxmstkbrb.dll
    C:\WINNT\system32\iemodule.dll
    C:\WINNT\system32\moduleie.dll
    C:\WINNT\spywareguard.exe
    C:\WINNT\system32\winscenter.exe
    D:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\jbyakuapbv.dll
    C:\WINNT\system32\drivers\TDSS*.*
    C:\WINNT\system32\TDSS*.*
    C:\resycled
    D:\resycled
    E:\resycled
    F:\resycled
    :reg
    [-HKEY_CURRENT_USER\Software\Spyware Guard]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet]
    :commands
    [EmptyTemp]


  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Note: Not all items that I listed may be present on this system, but a goodly number of the SpywareGuard items should be removed by the OTMoveIt procedure.

= =

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below, and SAVE it to your Desktop.

For information regarding this download,

please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.forospyware.com/sUBs/ComboFix.exe

http://subs.geekstogo.com/ComboFix.exe

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

-------------------------------------------------------

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Double click Combo-Fix.exe on your Desktop to start it.

  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt.

Please post the OTMoveit3 log from above,

C:\ComboFix.txt along with a new HijackThis log for further review.

Note:

Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

There will be more to do after this.

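As an added triage example (not part of this thread, and not HijackThis's own logic), the script below parses lines in the HJT log format quoted above and flags the entry classes the helper singled out: a populated O20 AppInit_DLLs, O21 SSODL DLLs living under Application Data, O23 services with no vendor, and O4 Run entries naming random eight-character files. The sample lines are constructed from this thread; the heuristics are assumptions for illustration, not HijackThis rules.

```python
import re

# Constructed sample: HijackThis-style lines in the shape of those quoted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [98fbde20] rundll32.exe "C:\\WINNT\\system32\\eygbryin.dll",b
O4 - HKCU\\..\\Run: [prunnet] "C:\\WINNT\\system32\\prunnet.exe"
O20 - AppInit_DLLs: lngwrv.dll
O21 - SSODL: ieModule - {C9C193CA-FC26-469C-98DD-6454290F7307} - D:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\Internet Explorer\\DLLs\\ieModule.dll
O23 - Service: sys host (enstart) - Unknown owner - C:\\WINNT\\System32\\enstart.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\\Program Files\\McAfee\\VirusScan Enterprise\\Mcshield.exe
"""

# Every HJT finding starts with an "O<n> - " section tag.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Return (section, body) tuples for every O-numbered line in an HJT log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entry(section, body):
    """Return a reason string if the entry matches a heuristic, else None (assumed rules)."""
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return "AppInit_DLLs is set: the DLL is loaded into every user-mode process"
    if section == "O21" and "Application Data" in body:
        return "shell-load (SSODL) DLL outside Program Files/System32"
    if section == "O23" and "Unknown owner" in body:
        return "service with no vendor string"
    if section == "O4" and re.search(r"\\[a-z0-9]{8}\.(dll|exe)", body, re.I):
        return "Run entry naming a random eight-character file"
    return None


def triage(text):
    """Return (section, reason, body) for each flagged entry, in log order."""
    hits = []
    for section, body in parse_hjt(text):
        reason = flag_entry(section, body)
        if reason:
            hits.append((section, reason, body))
    return hits


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```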
