How to remove spyguardpro

Dear friends, hello from Athens - Greece. I am using Avast v4.7 Home, and have a problem removing a downloaded malware named spyguardpro. I didn't download any software, but one day I found 2 icons on my task bar (near the clock) and on mouse over I get this message: “Windows had detected spyware infection. Klick here to protect your computer by spyware!”. Every 15 seconds I also get a “Windows msg” like this: “Warning! Potential Spyware Operation. Your computer is making unauthorized copies of your system and Internet files. Run full scan to prevent any unauthorized access to your files. Clik here to download the spyware remover”. From the icons near the task bar clock I also get a message like this: “Windows antivirus. Windows had detected spyware infection. It is racommended to use special tools to prevent data loss. Windows can now download and install the most up to date software for you. Click here to protect your computer from spyware”.
If I click on the message, it opens a web site.

Please, help me !

One of the later variants of smitfraud, possibly with the vundo addition

Download ComboFix from Here or Here to your Desktop.

  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Also check out this link, http://fix-computer-problem.com/rogue-antispyware/spyguardpro/spyguardpro.html.

Dear DavidR thanks for the answer, but nothing to do with XoftSpySE433_263.exe … The problem persists after the scan.

Dear essexboy this is the log from ComboFix.exe . The problem persists after the scan with the tool. Thanks for your answer.
I would like to ask why Avast didn’t include a solution for new malware like spyguard pro when someone like me adverts.

ComboFix 08-02.05.3 - Vlamis Giorgos 2008-02-09 22:39:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1253.1.1033.18.206 [GMT 2:00]
Running from: C:\ComboFix.exe

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-08 16:48 . 2008-02-08 16:48 21,710 --a------ C:\whois-Databases.JPG
2008-02-05 17:10 . 2008-02-05 17:08 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-05 17:08 . 2008-02-05 17:17 d-------- C:\Documents and Settings\Vlamis Giorgos.housecall6.6
2008-02-05 16:34 . 2008-02-05 16:34 416,628 --a------ C:\WINDOWS\system32\wininet.zip
2008-02-04 18:36 . 2008-02-04 18:36 2,570 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-04 18:35 . 2008-02-04 18:38 d-------- C:\SmitfraudFix
2008-02-04 03:40 . 2008-02-04 03:40 d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-04 03:40 . 2008-02-04 12:09 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-04 03:39 . 2008-02-04 03:39 9,722,720 --a------ C:\spybotsd152.exe
2008-02-03 21:32 . 2008-02-03 21:32 d-------- C:\Program Files\Lavasoft
2008-02-03 21:32 . 2008-02-03 21:32 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-03 21:32 . 2008-02-03 21:41 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-28 17:07 . 2008-01-28 17:07 67,890 --a------ C:\SVaso.JPG
2008-01-27 14:53 . 2008-01-27 17:46 3,143 --a------ C:\glocon.htm
2008-01-16 20:01 . 2008-01-16 20:01 25,088 --a------ C:\WINDOWS\system32\winbbbbbbbbbbbbbbbbnzy32.dll
2008-01-12 19:15 . 2008-01-12 19:15 4,912 --a------ C:\logo.gif
2008-01-12 19:13 . 2008-01-12 19:13 59,747 --a------ C:\WorldRoute01kb59.jpg
2008-01-12 19:13 . 2008-01-12 19:13 5,226 --a------ C:\WorldRoute01kb59_small.jpg
2008-01-12 15:10 . 2008-01-12 15:09 24,122 --a------ C:\index_11-2004.jpg
2008-01-10 18:39 . 2008-01-10 18:39 94,208 --a------ C:\kx.tda15-24.12.07.doc
2008-01-09 18:37 . 2008-01-09 18:37 448,512 --a------ C:\Print.doc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 20:38 1,593,889 ----a-w C:\ComboFix.exe
2008-02-03 19:39 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-02-03 19:39 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-02-03 19:39 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-03 16:01 --------- d-----w C:\Program Files\Google
2007-12-06 14:26 61,832 ----a-w C:\Documents and Settings\Vlamis Giorgos\Application Data\GDIPFONTCACHEV1.DAT
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-13 00:48 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-11-13 00:48 286,720 ------w C:\WINDOWS\Setup1.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 14:00 15360]
“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 18:24 1694208]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-06-29 11:58 68856]
“SpybotSD TeaTimer”=“C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ATIModeChange”=“Ati2mdxx.exe” [2002-08-28 12:17 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
“ATIPTA”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [2003-03-30 21:00 327680]
“SoundMan”=“SOUNDMAN.EXE” [2003-02-10 09:59 47104 C:\WINDOWS\SOUNDMAN.EXE]
“AGRSMMSG”=“AGRSMMSG.exe” [2003-09-23 16:06 88363 C:\WINDOWS\AGRSMMSG.exe]
“SynTPLpr”=“C:\Program Files\Synaptics\SynTP\SynTPLpr.exe” [2002-07-05 08:57 126976]
“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2002-07-05 08:55 557056]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 00:11 132496]
“AdaptecDirectCD”=“C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe” [2002-12-17 12:28 684032]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2006-10-25 18:58 282624]
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2006-10-30 09:36 256576]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 15:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 14:00 15360]

C:\Documents and Settings\Vlamis Giorgos\Start Menu\Programs\Startup
Shortcut to ATnotes.lnk - C:\Program Files\ATnotes\ATnotes.exe [2006-12-11 20:10:05 356352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winnzy32]
winnzy32.dll

R3 WBFIRDMA;Winbond Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\wbfirdma.sys [2003-02-26 12:38]
S3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;C:\WINDOWS\system32\DRIVERS\RTL8180.SYS [2003-04-16 08:04]

.
Contents of the ‘Scheduled Tasks’ folder
“2008-02-09 13:37:24 C:\WINDOWS\Tasks\User_Feed_Synchronization-{FBADECAA-61C4-4030-9691-ABB3C669FFDC}.job”

  • C:\WINDOWS\system32\msfeedssync.exe
    .

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 22:42:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-02-09 22:43:15
ComboFix-quarantined-files.txt 2008-02-09 20:42:59

Hi Yeap,

There is also a removal tool for ye:
http://fix-slow-computer.com/spyware/how-to-remove-spyguardpro-spyguardpro-removal-tool/

polonus

  1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


File::
C:\spybotsd152.exe
C:\WINDOWS\system32\winbbbbbbbbbbbbbbbbnzy32.dll
C:\SVaso.JPG
C:\glocon.htm
C:\logo.gif

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winnzy32]

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
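
An added example, not part of the thread and not ComboFix's own code: a small triage script that pulls the Winlogon Notify sections out of a ComboFix-style log (the log hides legit default entries, so any Notify key shown deserves review) and pairs each with recently created system32 DLLs. The pairing rule, dropping long runs of one repeated character from the file name, is a heuristic assumed here to fit this log; the function names are hypothetical.

```python
import re

# Lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2008-02-05 17:10 . 2008-02-05 17:08 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-16 20:01 . 2008-01-16 20:01 25,088 --a------ C:\WINDOWS\system32\winbbbbbbbbbbbbbbbbnzy32.dll
2008-01-12 19:15 . 2008-01-12 19:15 4,912 --a------ C:\logo.gif
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winnzy32]
winnzy32.dll
"""

NOTIFY_RE = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\.*\\winlogon\\notify\\[^\]\\]+)\]$", re.I)
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d"
                        r"\s+[\d,]+\s+\S+\s+(.+)$")
SYS32_DLL_RE = re.compile(r"^C:\\WINDOWS\\system32\\([^\\]+\.dll)$", re.I)

def notify_entries(log):
    """Return [(registry_key, dll_name)] for each Winlogon Notify section."""
    lines = [l.strip() for l in log.splitlines()]
    found = []
    for i, line in enumerate(lines):
        m = NOTIFY_RE.match(line)
        if m:
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            # The value line follows the key; another "[" means it is absent.
            found.append((m.group(1), "" if nxt.startswith("[") else nxt))
    return found

def created_system32_dlls(log):
    """Return {file_name: full_path} for DLLs in the 'Files Created' lines."""
    dlls = {}
    for line in log.splitlines():
        m = CREATED_RE.match(line.strip())
        hit = SYS32_DLL_RE.match(m.group(1)) if m else None
        if hit:
            dlls[hit.group(1)] = m.group(1)
    return dlls

def collapse_runs(name, min_run=4):
    """Heuristic (assumption): remove runs of >= min_run identical characters."""
    return re.sub(r"(.)\1{%d,}" % (min_run - 1), "", name)

def triage(log):
    """Pair every listed Notify key with matching recently created DLLs."""
    dlls = created_system32_dlls(log)
    return [{"key": key, "dll": dll,
             "files": [p for n, p in dlls.items()
                       if dll and collapse_runs(n).lower() == dll.lower()]}
            for key, dll in notify_entries(log)]

if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item)
```

On the excerpt it reports the winnzy32 Notify key together with the one recently created system32 DLL, the same pair the CFScript above lists for removal.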