Thread: spywareguard 2009 removal

  1. #1
    Member
    Join Date
    Jan 2009
    Posts
    35

    spywareguard 2009 removal

    I have spywareguard 2009 that is obviously malware. I don't know how I got it and when I delete it, it reinstalls itself. I could not run Spybot until I found these forums. So I renamed the spyware.exe to bla.exe. Now I can run Spybot. However I still cannot uninstall spywareguard. What can I do?

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:24:23 PM, on 1/6/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\M-Audio Uno\UnoInst.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\winscenter.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Spybot - Search & Destroy\DLNIHAAVQM.scr
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Spyware Guard 2009\spywareguard.exe
    E:\spy\HiJackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    F2 - REG:system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\twext.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autoclose
    O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O21 - SSODL: InternetConnection - {43525CDE-9D6E-4D45-A208-90D2DDFD9519} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\zlssxkguhn.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Uno Installer (UnoInstallerService) - Unknown owner - C:\Program Files\M-Audio Uno\UnoInst.exe

    --
    End of file - 4231 bytes
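
An added example, not part of the original post or of HijackThis itself: a short Python triage of the log above that flags F2 Winlogon values differing from the Windows XP defaults and O21 SSODL DLLs loaded from outside system32. The defaults table, the `C:\WINDOWS` install path and the name `triage` are assumptions of this example; a flag means "inspect this entry", not a verdict.

```python
import re

# Constructed sample: four lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\twext.exe,
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O21 - SSODL: InternetConnection - {43525CDE-9D6E-4D45-A208-90D2DDFD9519} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\zlssxkguhn.dll
"""

# Windows XP defaults for the Winlogon values HijackThis reports as F2
# (assumes Windows is installed in C:\WINDOWS; Userinit keeps its trailing comma).
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}
SYSTEM32 = r"c:\windows\system32" + "\\"

F2_RE = re.compile(r"^F2 - REG:system\.ini: (\w+)=(.*)$", re.IGNORECASE)
O21_RE = re.compile(r"^O21 - SSODL: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")

def triage(log_text):
    """Return (log line, reason) pairs for entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            name, value = m.group(1).lower(), m.group(2).strip().lower()
            expected = WINLOGON_DEFAULTS.get(name)
            if expected is not None and value != expected:
                findings.append((line, f"Winlogon {name} differs from the XP default"))
            continue
        m = O21_RE.match(line)
        if m:
            # ShellServiceObjectDelayLoad DLLs are loaded by Explorer at logon.
            dll = m.group(3).strip().lower()
            if not dll.startswith(SYSTEM32):
                findings.append((line, "SSODL DLL loaded from outside system32"))
    return findings

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```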

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi jumpinjivinjoe

    One or more of the identified infections is a backdoor trojan.

    This allows hackers to remotely control your computer, steal critical system information and download and execute files.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

    How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

    When Should I Format, How Should I Reinstall

    We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

    Should you have any questions, please feel free to ask.

    Please let us know what you have decided to do in your next post.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Member
    Join Date
    Jan 2009
    Posts
    35

    !?!?!?

    WOW! I did not know it was that bad. I now have the computer disconnected from the internet. What is the process of operating system reinstall/format? If I cannot do it I will have the guy who built my computer do it. What should I do to retain my various saved information, from software to MS documents to music files to internet links etc.? And how do I make sure that the files I retain via thumb drive and CDs have no relation to this trojan? If I can do an OS reinstall how do I prevent them from hacking into my computer again?

    Thank you truly,
    Joe

  4. #4
    Member
    Join Date
    Jan 2009
    Posts
    35

    Now the only thing that appears on my computer is my desktop background in normal mode and a black screen with "safe mode" in each corner in safe mode. Other than the cursor there is nothing else (i.e. program icons, start menu). How could this be?
    However I can get Windows Task Manager up through ctrl+alt+del and there are processes running (.exe) and a variance in CPU usage.

  5. #5
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    "What is the process of operating system reinstall/format? If I cannot do it I will have the guy who built my computer do it. What should I do to retain my various saved information, from software to MS documents to music files to internet links etc.? And how do I make sure that the files I retain via thumb drive and CDs have no relation to this trojan? If I can do an OS reinstall how do I prevent them from hacking into my computer again?"

    I can give you links for that if you decide to do so.

    You can move most important files to DVD/external HD etc.

    Easiest way to ensure that thumb drive is clean is to format it.

    As for prevention tips, I will give them a bit later.

    "Now the only thing that appears on my computer is my desktop background in normal mode and a black screen with "safe mode" in each corner in safe mode. Other than the cursor there is nothing else (i.e. program icons, start menu). How could this be?"

    Infection can cause that you can boot to safe mode only. Are you able to choose normal mode from boot menu?

  6. #6
    Member
    Join Date
    Jan 2009
    Posts
    35

    I would like to reformat/reinstall. I can choose normal mode or safe mode and both just come up with the background only. Perhaps I should give it longer to load. . .Ok I gave it 30 minutes and still nothing other than the background came up.

  7. #7
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Here is a good guide for reformatting.

    If you want to save your data before that, let me know and I will give you more links.

  8. #8
    Member
    Join Date
    Jan 2009
    Posts
    35

    I would like to save some data. However I cannot access anything because there is no start menu or icons. Unless you have any ideas on how I can get past this, I'm going to take the computer to the guy who built it and see if he can figure it out. I just can't access anything past start up.

  9. #9
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    You likely can't back up data within Windows, but that might be possible using a live Linux CD.

    Let me know if you want me to give instructions for that.

  10. #10
    Member
    Join Date
    Jan 2009
    Posts
    35

    Yet another question. There are three other computers on my network, are they at risk? Two of these computers are used for making money so it is very important they do not have trouble! Does this trojan affect only my computer or the whole network? My mom's computer, which is on the same network, is acting slow and freezes up lately. A couple of days ago Spybot found Virtumonde on her computer, I clicked fix and Spybot has never found it again. This could be a coincidence. Thank you for your patience.
