
partially there??? Spyware Guard 2008



****The Topic was 'closed' so I didn't know how to reply to it (new at this). Below is the original posting and first reply. I was able to do some of the suggested - but see bottom for info.*****

It appears I have this virus (after coming back from vacation, on Christmas evening). In any case, I have mouse control but can't do anything in Windows XP unless I open in SafeMode.

After reading some info in this forum and using another computer, I downloaded Malwarebytes & Superantispyware to a CD (and also made a copy with .bat extension). Using SafeMode, I loaded onto my desktop. I've tried running from the desktop or the CD using SafeMode.

Again in Safemode:

Malwarebytes: Nothing appears to happen when I attempt to use this. Sometimes an icon appears at the bottom of the screen (and with the cursor over it, it says scan).

Superantispyware - I get a message in Safe Mode saying 'The system administrator has set policies to prevent installation'

I can't open my antivirus program.

I was able to get into RegCure and could see that Spyware Guard 2008 was in the startup menu (and I think I deleted it)

I tried a MS malware detector, but it came up with nothing (ran on full scan for 3 hours, showed >700,000 files, with 0 infected)

SUGGESTIONS?

How do I get Malwarebytes or Superantispyware to run?

Should I be running in SafeMode with internet connection disconnected?

Thanks.

********

Post #2

Elite Member

Group: Trusted Advisors

Posts: 682

Joined: 14-February 08

Member No.: 2,103

Greetings and welcome. Please follow AdvancedSetup's instructions here to see if it helps: http://www.malwarebytes.org/forums/index.p...amp;#entry35969

If it does, then please follow the instructions here:

http://www.malwarebytes.org/forums/index.php?showtopic=2936

and post your logs in a new topic here:

http://www.malwarebytes.org/forums/index.php?showforum=7

Please be sure not to install any software or use any removal/scanning tools except those that you are instructed to by the expert who will be assisting you, as doing so can make their job much more difficult.

I hope I was helpful. Good luck and safe surfing. *******

*************

THANKS - .

In SAFEMODE (Windows XP) I was able to Run devmgmt.msc and View & Disable TDSSERV.SYS and Restart the computer. In regular mode (not SafeMode) I was able to have functionality (for first time, thanks!) to do some things - I had previously downloaded MBAM onto a CD using another computer and loaded into the download directory on the affected desktop. I have renamed the MBAM file, but when I click on it it gets to the 'Select Setup language' screen but goes no further.

When I check Task Manager, there are ~57 processes listed

Under Tasks, it shows only my download directory and says 'running'

The hard disk seems very active at the moment (from the sounds generated)

Also, should I reconnect the desktop to the internet/modem/router?

Should I be doing the rest of this in 'Regular' mode or 'Safe mode'?

Hello again. If you can, try to run MBAM in normal mode, but if it won't, then go for safe mode (you may need to rename the setup file to get it to fully install). Once it's installed, go to C:\Program Files\Malwarebytes' Anti-Malware and rename the file "mbam.exe" to something random, like your name or your favorite color, anything as long as it's not mbam. Then double click the renamed file to run it and have it check for updates, then try to do a quick scan and remove what's found. After that, follow the rest of the instructions I gave you previously regarding posting in our HijackThis forum; that way an expert can guide you the rest of the way to getting your system cleaned up.

I am also experiencing the same problems, got install to complete using the rename complete, though it hung at the "finishing installation" screen for a bit. Will not run. Have tried installing to hard drive as well as flash to keep it off

I've gone through and "fixed" and deleted all the listed files and keys for the malware, but they keep coming back so there must be something more unlisted.

I get the Windows send error dialog box when I try to run the Superantispyware

StartupList report, 12/28/2008, 11:26:07 AM

StartupList version: 1.52.2

Started from : F:\HiJackThis.EXE

Detected: Windows XP SP3 (WinNT 5.01.2600)

Detected: Internet Explorer v7.00 (7.00.6000.16762)

* Using default options

==================================================

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\Drivers\bwcsrv.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE

C:\WINDOWS\system32\LMPDPUI.EXE

C:\WINDOWS\csrss.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Lexmark X125\LEX125SU.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE

F:\HiJackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Bluetooth.lnk = ?

HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe

Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIPTA = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

(Default) =

SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

hpWirelessAssistant = C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

HP Software Update = C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

QPService = "C:\Program Files\HP\QuickPlay\QPService.exe"

Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe

RecGuard = C:\Windows\SMINST\RecGuard.exe

SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

LMPDPSRV = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE

winlogon = C:\WINDOWS\csrss.exe

QuickTime Task = "C:\Program Files\QuickTime\QTTask.exe" -atboottime

iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"

EEventManager = C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr

drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job

qncdcuza.job

User_Feed_Synchronization-{04325060-88D3-49B4-9690-00DF0F69EA9D}.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft Office Template and Media Control]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL

CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

[stagingUI Object]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\StagingUI.ocx

CODEBASE = http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

[Windows Genuine Advantage Validation Tool]

InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL

CODEBASE = http://download.microsoft.com/download/9/b...heckControl.cab

[VerifyGMN Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\hpobjinstaller_gmn.dll

CODEBASE = http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab

[installation Support]

InProcServer32 = C:\Program Files\Yahoo!\Common\Yinsthelper.dll

CODEBASE = C:\Program Files\Yahoo!\Common\Yinsthelper.dll

[MSN Games

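A triage check over the StartupList report posted above, as an added example that is not part of any post in this thread: it flags executables that carry a core Windows process name but sit outside system32, which in this report applies to `C:\WINDOWS\csrss.exe` (the genuine csrss.exe lives in `C:\WINDOWS\system32`). The sample lines are copied from the report; the name list, the fixed `C:\WINDOWS` system root and the function name are assumptions of this example.

```python
import ntpath
import re

# Constructed sample: a few lines copied from the StartupList report above.
SAMPLE = r'''
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\csrss.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
winlogon = C:\WINDOWS\csrss.exe
QuickTime Task = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
'''

# Assumption: core Windows XP binaries that normally run only from system32
# (explorer.exe is left out because it legitimately lives in C:\WINDOWS).
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe", "userinit.exe"}
SYSTEM32 = r"c:\windows\system32"  # assumption: system root as in the report
EXE_PATH = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

def misplaced_system_binaries(report):
    """Return sorted (context, path) pairs for system-named EXEs outside system32."""
    findings = set()
    for line in report.splitlines():
        line = line.strip()
        m = EXE_PATH.search(line)
        if not m:
            continue
        path = m.group(1)
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        if name in SYSTEM32_ONLY and folder != SYSTEM32:
            # Text before " = " is the Run value name; bare paths are processes.
            context = line.split(" = ")[0] if " = " in line else "running process"
            findings.add((context, path))
    return sorted(findings)

if __name__ == "__main__":
    for context, path in misplaced_system_binaries(SAMPLE):
        print(f"review: {path} ({context})")
```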
