Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

The Spy Guard

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

The Spy Guard

Unread postby a.sleeper » March 5th, 2006, 6:24 am

HI there! As almost everyone else on this board I got myself some malware and now I can't manage to get rid of it. I read a lot of guidlines and suggestions and although I found a lot on the related malware SpyAxe, I didn't find anything on The Spy Guard, which causes my problems (I assume).


------------------------------------
So here are the symptoms:

+ my desktop background changed and now I have this instead:

Image

+ The buttons lead to the site:

h**p://www.thespyguard.com/ <<link disabled by wng
+ Every now and then a fake bluescreen will popup and tell me to left-click, as soon as I do so it will vanish and, again, lead me to the link mentioned above

------------------------------------

What I have done so far:

+ Full system scan with the newest version of Ad Aware SE
+ Spybot check with newest version
+ Security fix with Spywarebuster
+ Ran Hijackthis and deleted some common malware files I read about on different boards

-------------------------------------

Here's my Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:58:42, on 05.03.2000
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\plugins\GetFlash.exe
C:\Dokumente und Einstellungen\family.a\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mov: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Programme\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpa: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SPTISRV.exe

-----------------------------------

I hope you people can find some way to kill this damn malware, because I have done everything in my power and have achieved nothing... :(

Thanks in advance!

PS: Please excuse my English, I'm no native-speaker.
a.sleeper
Active Member
 
Posts: 2
Joined: March 5th, 2006, 6:06 am
Advertisement
Register to Remove

Unread postby POADB » March 5th, 2006, 6:41 am

Hi,

Your HJT log looks very short. I know you have removed some entries, but your case is very simular to the SmitFraud Family.

i.e. - A desktop hijack with a link to a rogue program etc..

We can help you, but this seems like a new variant, one that we can learn from. In order for one of us to help you, I'd liek you to restore those HJT entires you fixed.

HiJackThis fixes can be undone by going to Config> Backups.
Select/tick every entry there & click on the 'Restore' button.
When you've done this, post a fresh HJT log here.
POADB
Active Member
 
Posts: 1
Joined: March 5th, 2006, 6:06 am

Unread postby a.sleeper » March 5th, 2006, 7:26 am

UPDATE:

Problem saulved!
It appears that at the time I posted on thios board I had already killed the malware. The only thing that had to be done was to change the desktop background and even the last symptom was gone. The fake bluescreen didn't apear any longer after deleting a few suspicous .dll files.

The warning on the desktop was saved in yod.htm on C:\WINDOWS
After changing my desktop background to the former picture and deleting the file everything went back to normal.

PS: While you are at it, don't forget to delete back.jpg and bg.gif in the same directory.
You won't need them anymore! :D

@ POADB: Thanks for the very fast reply! If you are right and the problem should reappear in any form I will report it here immediately. But at the momenmt it looks like i killed it for good! :twisted:
a.sleeper
Active Member
 
Posts: 2
Joined: March 5th, 2006, 6:06 am

Unread postby Nellie2 » March 6th, 2006, 5:24 pm

I'm glad you have managed to resolve your problem, however you do not appear to have any anti virus on your system, here are a couple of free ones to choose from

Avast

AVG

You do not appear to have a firewall running and there are a few available for free that have excellent reputations:

Zone Alarm

Kerio

I also suggest that you clear out your temproary files, this will get rid of any malware that may be hiding there, you can do this by using a nice little program by Attribune.

Please download ATF Cleaner by Atribune from here. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Here are some suggestions to reduce the potential for spyware infection in the future. I strongly recommend installing the following :

Spyware Blaster - It will prevent most spyware from ever being installed.
Spyware Guard - It offers realtime protection from spyware installation attempts.
IE-Spyad - IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
I also recommend reading this article written by Tony Klein How did I get infected in the first place

May I also ask that you consider posting about your experience at Malware Complaints
User avatar
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK

Unread postby Nick-YF19 » March 18th, 2006, 6:19 am

Whilst we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. See Nellie2's blog here or post in our dedicated forum here
The infection you had was ......
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 276 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware