MBAM disabled by Spyware Guard 2008 ? !



That (darned) "Spyware Guard 2008" is Really persistent.

I cannot get rid of it.

I was able to download & run MBAM as instructed.

It ran for over an hour, found about 120 problems, and couldn't remove 3 or 4 for some reason.

I don't recall what they were.

Now, I can't even start MBAM.

I double-click it, the hourglass appears for a few seconds, as if it's doing something, but nothing happens.

I'm sure that I have the latest version.

Looking at this forum,... I'll need to upload the Log?

Where can I find that Log, other than thru the MBAM program?

Thanks, people.

Mark246


Hello and welcome Mark. I'm sorry to hear you are infected, but I'll see if I can help you out. If you navigate to C:\Program Files\Malwarebytes' Anti-Malware and rename mbam.exe, are you able to run it then? If not, then please read the post here by AdvancedSetup and follow his instructions to see if it helps: http://www.malwarebytes.org/forums/index.p...amp;#entry35969

If either option is successful, then please follow the instructions here: http://www.malwarebytes.org/forums/index.php?showtopic=2936

And post your logs in a new topic here: http://www.malwarebytes.org/forums/index.php?showforum=7

Please be sure not to install any software or use any removal/scanning tools except those that you are instructed to by the expert who will be assisting you as doing so can make their job much more difficult. I hope I was helpful. Good luck and safe surfing.


Thanks very much for your reply, exile360.

OK,... I renamed it to wasmbam.exe, & then it Did start up.

Cool.

Database is from 12/3/08, version 1456, footprints 59475.

I cannot update that... it asks if I have a 'net connection (I do),

and if my firewall allows mbam...

I stopped the Spyware Doctor that I usually have running.

With win Firewall on, I can't add mbam as an exception.

I turned off win firewall.

Same thing... can't update,... from either mirror.

Now THIS is weird...

I cannot go to malwarebytes.org OR to pctools.com (where Spyware Doctor is)...

thru Either Firefox or IE.

I believe that Spyware Guard 2008 is disallowing that, 'cause I CAN go to any other websites.

I'm communicating with you on a different un-infected laptop.

This is really pissing me off.

You might wonder why I don't try the Spyware Doctor to remove Spyware Guard 2008...

On THIS laptop, the Doctor updates just fine.

On the infected laptop, the Doctor won't update.

It's using an older definitions database... probably doesn't know about Spyware Guard 2008.

OK,... I tried the fix mentioned first, in entry35969...

Disabled the TDSSserv.sys.

Restarted.

Already had the downloaded program; didn't download another copy.

Renamed the wasmbam.exe to was2mbam.exe.

Double-clicked it... it started...

Again,... Could not update... same reason.

You didn't give me any other instructions...

like if these instructions did NOT work.

They didn't work.

The MBAM Log file has this content...

Malwarebytes' Anti-Malware 1.31

Database version: 1456

Windows 5.1.2600 Service Pack 3

12/16/2008 4:50:39 PM

mbam-log-2008-12-16 (16-50-39).txt

Scan type: Quick Scan

Objects scanned: 63847

Time elapsed: 1 hour(s), 2 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 3

Registry Keys Infected: 34

Registry Values Infected: 11

Registry Data Items Infected: 5

Folders Infected: 10

Files Infected: 48

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\mlJabyVl.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\ssqPheDs.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\rsekd83jde.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqpheds (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ba8effdd-e866-4605-a23f-2d0110bd32c7} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{ba8effdd-e866-4605-a23f-2d0110bd32c7} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\spyware guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\GetModule (Adware.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\GetPack (Adware.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\spyware guard (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spywareguard (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getpack26 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getmodule32 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsgds4fgffght (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsgds4fgffght (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\mljabyvl -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\mljabyvl -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Program Files\Spyware Guard 2008\quarantine (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Program Files\GetPack (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Mjcore (Trojan.BHO) -> Quarantined and deleted successfully.

C:\Documents and Settings\Nicole if lucky\Start Menu\Programs\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Documents and Settings\Nicole if lucky\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Nicole if lucky\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\ssqPheDs.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\mlJabyVl.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\lVybaJlm.ini (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\lVybaJlm.ini2 (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\mnghblgn.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nglbhgnm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rsekd83jde.dll (Trojan.Zlob.H) -> Delete on reboot.

C:\Program Files\Mjcore\Mjcore.dll (Trojan.BHO) -> Quarantined and deleted successfully.

C:\Documents and Settings\Nicole if lucky\Local Settings\Temporary Internet Files\Content.IE5\BNJOZLGX\zc113432[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\Program Files\Spyware Guard 2008\conf.cfg (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Program Files\Spyware Guard 2008\mbase.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Program Files\Spyware Guard 2008\quarantine.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Program Files\Spyware Guard 2008\queue.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Program Files\Spyware Guard 2008\spywareguard.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Program Files\Spyware Guard 2008\uninstall.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Program Files\Spyware Guard 2008\vbase.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Program Files\GetPack\dictame.gz (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\GetPack\GetPack26.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\GetPack\trgtame.gz (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\GetModule\GetModule32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Nicole if lucky\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Documents and Settings\Nicole if lucky\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Documents and Settings\Nicole if lucky\Application Data\gadcom\gadcom.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Nicole if lucky\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Nicole if lucky\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Nicole if lucky\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Nicole if lucky\Local Settings\Temp\winloggn.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv321229210935.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Nicole if lucky\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\byXNdcDV.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wvUonnmm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vtUlJbbX.dll (Trojan.vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\sysexplorer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\reged.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\WINDOWS\spoolsystem.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\WINDOWS\sys.com (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\WINDOWS\syscert.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\WINDOWS\vmreg.dll (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Documents and Settings\Nicole if lucky\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Nicole if lucky\Desktop\Spyware Guard 2008.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

HELP, Please.

Thanks.

Mark246
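
Added example, not part of the original posts: a small Python parser for the log format shown in the post above, pulling out the entries still marked "Delete on reboot" (the items a scan could not remove while they were loaded) and counting detections by name. The function names are made up for this example, the sample text is an excerpt of the log above, and the line format is assumed to be the one this MBAM 1.31 log uses.

```python
import re
from collections import Counter

# Excerpt of the log posted above (a few lines per section, not the whole log).
SAMPLE_LOG = r"""
Memory Modules Infected: 3
Memory Modules Infected:
C:\WINDOWS\system32\mlJabyVl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rsekd83jde.dll (Trojan.BHO) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqpheds (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\mljabyvl -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJabyVl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Spyware Guard 2008\spywareguard.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
"""

HEADER = re.compile(r"^(?P<name>.+) Infected:$")
ENTRY = re.compile(r"^(?P<obj>.+?) \((?P<det>[A-Za-z]+\.[\w.]+)\) -> (?P<rest>.+)$")

def parse_mbam_log(text):
    """Return one dict per detection line, tagged with its log section."""
    entries, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:  # section header; the summary counts end in a number and are skipped
            section = header["name"]
            continue
        m = ENTRY.match(line)
        if m and section:
            # Optional "Data: ..." / "Bad: ... Good: ..." parts precede the final action.
            *detail, action = m["rest"].split(" -> ")
            entries.append({"section": section, "object": m["obj"],
                            "detection": m["det"], "detail": " -> ".join(detail),
                            "action": action.rstrip(".")})
    return entries

def pending_reboot(entries):
    """Entries that were not removed live and are scheduled for deletion at restart."""
    return [e for e in entries if e["action"] == "Delete on reboot"]

def pending_objects(entries):
    """Unique objects still pending, case-folded (the log mixes path case)."""
    return sorted({e["object"].lower() for e in pending_reboot(entries)})

def detections_by_family(entries):
    return Counter(e["detection"] for e in entries)

if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    for obj in pending_objects(parsed):
        print("still present until reboot:", obj)
    print(detections_by_family(parsed).most_common())
```

Anything this lists is still on disk or in the registry until the machine restarts, so a second scan after the reboot is what confirms the removal.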


Hello again Mark, I'm glad it worked. To get help from one of the experts (unfortunately I'm not one myself, just an advanced user) please post your logs in a new topic here: http://www.malwarebytes.org/forums/index.php?showforum=7 I also recommend that once you post there, that you only post once until someone replies as often, when the experts are browsing that forum looking for people in need of assistance, they will look for threads with 0 replies, and replying to your own makes it display 1 reply, making them think that another expert is already working on it.


Thanks for the reply, exile, but if you read my entry, you'd see that it didn't work.

Regardless,... all is well, now...

I read somewhere on this forum that I should be Certain that I have a genuine version of MBAM 'cause some fakes are out there.

I don't recall how I originally got MBAM, so...

I downloaded MBAM directly from the malwarebytes site, and it solved all my problems.

I apparently was running a fake version before.

I LOVE that MBAM program !

I was getting Really upset with that Spyware Guard 2008 crap.

I was seriously thinking that malwarebytes and Spyware Guard 2008 were working WITH each other.

All is well, now.

THANKS, people.

Mark246
