TechSpot

Spyware Guard 2008, can't run the 8-steps

By azrogue
Feb 23, 2009
  1. Spyware Guard 2008, can't run the 8-steps (EDIT: Now with Logs)

    Hello, I'm a minor IT Tech in the Health industry and was given a home PC by one of my doctors that is heavily infected and that he would like me to clean for him as a favor. I recommended he reformat and reinstall his Windows XP Professional but he has pictures and such on the machine that he doesn't want to lose and would like me to make the attempt.

    Also, I've cleaned numerous machines in the past and, since this is a favor, I am treating this as a learning experience and taking a bit of enjoyment from the challenge (it's easier when it's not MY pc that's infected, I suppose).



    Now, to business. :)

    I already have the current versions of mbam, ccleaner, superantispyware, hijackthis, spybot search and destroy, zonealarm, and avast burned onto a CD that I use, usually, to clean random PCs with minor malware issues. The CD also has the latest Stinger on it to run off the CD directly.

    The PC itself seems to be infected by Spyware Guard 2008, at least, as that's the program that pops up constantly. I'm sure there are other issues, but that's the one that advertises itself.

    For starters, the computer will not allow me to browse to any website that contains any instructions on removing ANY virus or malware infection. Once the browser begins loading the site it just shuts down completely--no error message, just closes. ALSO, I am unable to run any of my anti-malware programs from my CD, whether by trying to install directly from the disc or by copying them to my desktop. They won't work under the owner's administrator account, the new administrator account I created for myself to work from, or from the admin account under Safe Mode.

    Whenever I try to run any program, no matter how I'm logged on, the installation begins and then just closes by itself. I've renamed the programs, same result. I've even renamed the programs and given them the .bat extension instead of their normal .exe extension and still no luck. They simply will not run no matter their name and extension.

    I WAS able to install Spybot Search and Destroy and update it and it was able to locate Spywareguard2008 and Vundo but, though it says that it cleans them, there is no change. Spyware search and destroy is the only program I've been able to install and run and it's of limited (or of no) use.

    I've attempted to search my installed components, making sure that Hidden Components are visible, and then searched under the 'Non Plug and Play Devices' and there is no version that I can find of TDSS trojan, which is what I immediately assumed had infected the machine, so I can't Disable it and then run my anti-malware programs.

    I've had the computer to play with for about two days now, off and on, and have made no progress, other than installing Spybot which isn't helping. Does anyone have any ideas on what I can try next? I know it's very difficult without my posting a log of some sort, but the computer does not allow this forum to load (any other, but the instant I try a malware removal forum, here or anywhere else, it closes).

    Oh, and the first thing I did was disable System Restore, of course, but it seemed to make little difference. Windows update is also unreachable. I even tried downloading Firefox, which was allowed but gives me no more access than before. Google Chrome is not allowed and even a search for it shuts the browser down.

    I ran Stinger off the CD and this worked, but Stinger only found one trojan, a downloader, and deleted it and didn't change anything.

    Is there anything else I can try that would allow me to install or run the programs I need to run? I've tried renaming them, running them as .bat files, installing them from the CD, from the Desktop, straight download, nada. I haven't tried a thumb-drive as I am not eager in touching any writable media to the machine. It's currently standing alone and I only occasionally give it broadband access with a connection outside my network.

    It's a pretty annoying bug. I have to hand it to whomever wrote it ... right before I took a machete to them. :)

    Any advice would be appreciated. Thank you.

    PS: just in case I didn't mention it, I'm posting this from my normal PC, not the infected one.
     
  2. azrogue

    azrogue TS Rookie Topic Starter

    A bit more info, since I know this is extremely difficult without any good logs to go through and I know my descriptions are often a bit disjointed (sorry :) ).

    1. My Google searches (I haven't tried Yahoo) are NOT redirected. They do not, that I've been able to see, go through the go(dot)google(dot)com redirect I've read about. Searches work normally, with no extra ads and no redirects to other sites. The site loads normally, or it closes the browser.

    2. While Google searches are not redirected, and while I can even open up Techspot's home page, if I load any page that has instructions on virus or malware removal, or if I go to any page that has a link to download an antivirus or antimalware app, the browser instantly closes.

    3. I've tried searching for TDSS to disable with no luck, either in safe mode or during normal boot, even with hidden components visible (nothing under Non-Plug and Play Drivers even similar). I can find no evidence of the TDSServer.sys Trojan or even a reasonable variant of similar name. Is there ANOTHER baddie out there doing this?

    4. I cannot install ccleaner, malwarebytes', superantispyware, or hijackthis, even with the files renamed and even when the file extensions have been changed to .bat (I've a CD with versions of each, normal/renamed/normal.bat/renamed.bat) the programs won't install, whether in safe mode or not. They BEGIN to install but the moment the first window comes up it instantly closes again. mbam-setup.exe actually lets me choose the language first, but that's it.

    5. Spybot search and destroy seems to load normally (I installed it but don't trust it's findings, obviously) but, though it finds spywareguard2008 and vundo, and says that it cleans them, it doesn't. They return about ten seconds later. I have no idea why spybot isn't blocked, other than the fact that it doesn't work for these little nasties.

    6. The computer had AVG 7.5 installed but it doesn't run and doesn't respond even to uninstall commands. The processes are also running, though I can see no evidence that AVG is actually operating at any level (no tray icon, no access to control pane, etc.).

    7. Windows security center is also compromised, which I gather is a common facet of this infection (the Vundo aspect, maybe?). It pops up whenever spyware guard 2008 pops up, which is all too frequently.

    8. The machine is turned on (in my workshop) but not online. I connect it to the internet to attempt browsing and/or downloading of programs, but haven't had any luck so far and I don't allow the machine to sit online.


    Not sure if this is any help, but I thought I could list a few key points I can remember. Thanks. :)
     
  3. azrogue

    azrogue TS Rookie Topic Starter

    Just noticed some advice in this thread:

    techspot.com/vb/topic118177.html

    I'm going to give it a try in the morning and let you guys know how it goes. It looks like something right up my alley. Thanks mflynn. :)
     
  4. azrogue

    azrogue TS Rookie Topic Starter

    Sorry for posting so much to my own thread. It seems a bit rude and I apologize. :)

    Well, I finally found an option that unlocked things on the infected PC: ComboFix. I got the link from another thread in this forum and it worked where nothing else would. Once the PC was unlocked (I was free to install anti-malware programs) I ran through malwarebytes', superantispyware, and hijack this. I ran the first two several times each.

    I'm on the infected machine now, since it finally allows me to visit antivirus websites, and am posting the latest logs of each program. I am logging off after this and won't make any changes at all until I get some feedback from someone knowledgeable and willing to loan my case a bit of his time (which I appreciate a great deal).

    The logs are below. Thanks a bunch, by the way. Without some of the insights on this forum, I wouldn't have been able to get anywhere near as far as I have.
     
  5. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    you can not run hijackthis in safe mode it has to be in normal mode and make sure that there is nothing unchcked in the startup under system configuration utility "msconfig". Run hijackthis in normal mode again with all the startup items on then attache the new log.

    Also run a full system scan in normal mode with MBAM then attach the log.

    If no one has adviced you to use combofix and you do not know how to properly use it, it can be vary dangerous you can lose the OS. Attache the combofix log also
     
  6. azrogue

    azrogue TS Rookie Topic Starter

    Okay, when I get back to the machine I'll look for the combofix log (I didn't look for one when it finished).

    I'll start the machine in Normal mode, re-check the startup options under msconfig (I had forgotten I'd tried that, heh), and run new logs tomorrow. I'll run MBAM first, then Superantispyware, then Hijackthis, unless advised differently. Thank you. :)
     
  7. azrogue

    azrogue TS Rookie Topic Starter

    Here are the latest logs and I've included the original ComboFix log that got everything rolling.
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi azrogue

    Update and run MBAM and SAS again as they had findings and we need clean logs!

    After above run ComboFix again as it was loaded.

    Attach new logs.

    Mike
     
  9. azrogue

    azrogue TS Rookie Topic Starter

    Sorry to ask for clarification, but (just to make sure) you would like me to run ComboFix again? If so, should I run it after I get clean returns for mbam and sas, or before? And, do I run ComboFix in Safe Mode or Normal mode?

    Thank you very much for your help. :)
     
  10. mflynn

    mflynn TS Rookie Posts: 2,655

    I need to see logs!

    This order.
    MBAM
    SAS
    Combofix

    Mike
     
  11. azrogue

    azrogue TS Rookie Topic Starter

    Here are the logs. Thanks, amigo. :)
     
  12. azrogue

    azrogue TS Rookie Topic Starter

    Also, here's a hijackthis log that was ran after that. I ran it before realizing that it wasn't on the list.

    At the moment, I'm wondering when, in your opinion, would it be a good idea to uninstall AVG and install Avira. I'd like to change the anti-virus on the machine but won't make any changes as long as I'm here posting logs.
     
  13. mflynn

    mflynn TS Rookie Posts: 2,655

    Looks clean good job!

    If the below is ok then we may be finished.

    Get and run Norman Malware Remover from here: http://www.techspot.com/vb/post724044-3.html
    Then boot to Safe mode to run.

    Reboot back to normal and attach Nfix log on Desktop when finished!

    Mike

    EDIT: Run HJT Scan only select and Fix the below
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
     
  14. azrogue

    azrogue TS Rookie Topic Starter

    Okay, here we go. I've followed your instructions and am posting the Norman Malware Remover log--which found several items in System Restore, which I turned off at the beginning of all this and haven't turned on yet.

    I also took care of that one item in the hijackthis log and included a new hijackthis log.

    Thanks again, amigo, for all of your help. :)
     
  15. mflynn

    mflynn TS Rookie Posts: 2,655

    That's a cut!

    You are good to go, good job!

    Get new SR point below!

    Thread Closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    Start-Run
    type
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Save to desktop.

    This will remove all the tools we used to clean your computer.


    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall. Approve Widows Defender or other guards or security programs while OTCleanIt attempting access to the Internet to allow all.

    If prompted to Reboot click, Yes.
    OTCleanit will delete itself when finished, If not delete it by yourself.

    -------------------------------------------------------------------------------------
    Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
    -------------------------------------------------------------------------------------
    The issues can and are likely found is in System Restore so do the below

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    -------------------------------------------------------------------------------------

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner. ATF-Cleaner and KCleaner.
    ----------------------------------------------------------------------------------------
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    As it queries you about the prompt to help you determine to approve or not you can google it with one click.

    http://www.threatfire.com/Download/
    -------------------------------------------------------------------------------------
    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run SpyBot ocassionally and use the Immunize function.
    http://www.safer-networking.org/en/download/

    I highly reccomend Hostman: Hostman http://majorgeeks.com/HostsMan_d4592.html

    Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

    A Disk Scan (chkdsk) and Defrag are in order.

    Mike
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...