Removed Spy Guard 2008 -- I think

[cmloveland]

I think I used Malwarebytes to successfully remove Spy Guard 2008, but I had a lot of trouble (a) getting to the site, ( downloading the software, and © running the software all because of the malware itself. It is nasty! With help from a previous post and using the technique of disabling TDSSserv.sys I finally got it to work. Because some of the comments have said that it's best to have my logs checked by someone, I reran the program and am posting the log below. (This second time I ran it, there were no issues found, unlike the first time when there were several.) Could you take a look and let me know if you think it looks clean? Should I also run and post logs from Panda Active Scan and Hijack this too? My computer has been running normally since I got Malwarebytes to run successfully.

Malwarebytes' Anti-Malware 1.31

Database version: 1526

Windows 5.1.2600 Service Pack 3

12/20/2008 2:31:56 PM

mbam-log-2008-12-20 (14-31-56).txt

Scan type: Quick Scan

Objects scanned: 54284

Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[TeMerc]

Hi and welcome to Malwarebytes forums, my name is Tom and I'll be assisting you today with malware removal.

Did you run any tools beside MBAM? If so, please provide me the log files from those scans as well as any other information you've gathered via any methods you've performed, thanks.

Then Please download HijackThis! SetUp from here. Save the file to your desktop.

• Double-click the icon to begin the installation.
  
• Follow the prompts for the default install location of:'C:\Program Files\HijackThis'.
  
• Tick the button when the option appears.
  
• Then hit the button.
  
• At the 'Ready To Install' section hit the button and HJT will open
  
• Then press the button. Once you've pressed the button, it will turn into a button.
  
• Click the button and a 'Save log....' dialog box will appear. Save the log to your desktop. Then open up with the file and contents of the scan. Place the mouse cursor into the text field and right-click and select.
  
• Then proceed to your original thread, unless otherwise instructed and click the '[Reply]' button and paste the saved contents to be reviewed. Do not make any modifications to the log or perform any 'fixes' until told to do so.
  

[cmloveland]

I didn't run any other tools except Malwarebytes. The computer has been running fine now for a few days, but I ran Hijack This and pasted the log below:

____________________

Logfile of HijackThis v1.99.1

Scan saved at 9:39:43 AM, on 12/23/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICGA.EXE

C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe

C:\WINDOWS\system32\mrtMngr.EXE

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\spider.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Java\jre6\bin\java.exe

C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.comcast.net/login?s=portal&am...cast.net%2Fa%2F

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Network -p \\E70f\hp LaserJet 1300 PS -pn "" -n 0 -l 1033 -sl 120000

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [statusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [EPSON PictureMate PM 260] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICGA.EXE /FU "C:\WINDOWS\TEMP\E_SE1C.tmp" /EF "HKCU"

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182803124890

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182802986906

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

[TeMerc]

The log looks fine, tho there are a few minor items we can fix with HJT, but unrelated to malware.

Open HJT, run a scan and have all widows and browsers closed, place a tick next to the following lines, if present then hit 'the '[Fix checked] button:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.comcast.net/login?s=portal&am...cast.net%2Fa%2F

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

Reboot, run another scan with HJT and if the lines above are no longer displayed in the resultant scan, then no need to post another HJT log