os-guard pro virus

Post by illini80 on 18th December 2009, 5:22 pm

This morning I became a victim of this virus. Same symptoms as I've read in many posts on this website. I noticed the guidance that "each computer is unique", so rather than trying to follow the existing threads I have started my own. Thanks in advance for your help!

illini80
Novice
Novice

Posts Posts : 13
Joined Joined : 2009-12-18
OS OS : Windows XP
Points Points : 25673
# Likes # Likes : 0

Re: os-guard pro virus

Post by Belahzur on 18th December 2009, 5:42 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

Re: os-guard pro virus

Post by illini80 on 18th December 2009, 6:20 pm

I am using a second computer to access the Internet as I cannot do so with the infected one. So I cannot download the current version of HijackThis as you suggest above.

What next?

Re: os-guard pro virus

Post by Belahzur on 18th December 2009, 6:21 pm

Can you use a USB device to transfer the file across?


Re: os-guard pro virus

Post by illini80 on 18th December 2009, 6:47 pm

Belahzur, I tried the USB route. When I got it onto the infected computer and tried to run the program the virus blocked it.

How do I get around this?

Re: os-guard pro virus

Post by Belahzur on 18th December 2009, 6:49 pm

It blocked the installer? Or was it able to install fine, then blocked the program from running?

Either way, let's try this instead. This next program doesn't need to install, just download and run. (also possible to run it straight from USB)

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


Re: os-guard pro virus

Post by illini80 on 18th December 2009, 6:54 pm

It allowed me to install, it blocked the program from running.

I tried to get the OTL program you referenced via my second computer (which belongs to my employer), but my employer's software has blocked it from downloading...so that route doesn't work either.

Re: os-guard pro virus

Post by Belahzur on 18th December 2009, 6:58 pm

Can you ask your employer if you/he can turn that off/disable it for a few hours? 'Cause we're gonna need some way of getting tools onto your infected machine.


Re: os-guard pro virus

Post by illini80 on 18th December 2009, 7:02 pm

No, that's not going to happen. Is there any way to disable the os-guardpro virus long enough so the Hijack This software that I was able to download can run and work?

Re: os-guard pro virus

Post by Belahzur on 18th December 2009, 7:05 pm

You could try safe mode.

We can also try using msconfig to disable it from startup, but we'll leave that till after we try Safe Mode first.

Please do the following in Safe Mode with Networking: as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu. Once in the start up menu, select "Safe Mode with Networking", then try Hijack This.


Re: os-guard pro virus

Post by illini80 on 18th December 2009, 7:06 pm

I found a thread on Norton's website where people talk about defeating this with a process that starts with the following step. I'm willing to try this - but where do I start with the "%ProgramFiles%" string of commands?

Step 1: Kill the OSGuard Pro Processes

%ProgramFiles%\Antivirus System PRO\Antivirussystempro.exe
%ProgramFiles%\Antivirus System PRO\uninstall.exe
c:\WINDOWS\sysguard.exe

Re: os-guard pro virus

Post by Belahzur on 18th December 2009, 7:11 pm

%ProgramFiles% is a system variable, pointing towards C:\Program Files

The folder Antivirus System PRO might not be the correct one; Antivirus System PRO is a different product.

Can you use Notepad? We can try a batch script and pick out key locations where this might be hiding.


Re: os-guard pro virus

Post by illini80 on 18th December 2009, 7:13 pm

Yes, Notepad is working. Tell me how to proceed!

Re: os-guard pro virus

Post by Belahzur on 18th December 2009, 7:19 pm

You may need to transfer this across via USB too, because this is a difficult script to type out.

  • Now open a new notepad file.
  • Input this into the notepad file:

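    rem Export the machine-wide and per-user Run (autostart) keys
    regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    regedit /e peek2.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    rem Collect both exports into one report, then remove the temporary files
    type peek1.txt >> look.txt
    type peek2.txt >> look.txt
    del peek*.txt
    rem Append a listing of the Program Files folder and open the report
    dir "C:\Program Files" >> look.txt
    start notepad look.txt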

  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • Copy and paste the report back here.


Re: os-guard pro virus

Post by illini80 on 18th December 2009, 7:29 pm

Sorry to keep you waiting, I had to type it into Notepad rather than just copying it and pasting it over via USB because the virus defeated that also.

I typed it in, saved it as you explained, and double clicked to run it. The message from the Virus (I think it's an evil thing, messing with me!) is "The file cmd.exe is infected" - just like everything else!

Can we do what you're suggesting in your Notepad advice thru Safe Mode? The commands you're listing above look very much like what I'm seeing in the Norton website thread (the one that had the AntiVirus System PRO reference in the string above). Can we use Safe Mode to find the evil code?

Re: os-guard pro virus

Post by Belahzur on 18th December 2009, 7:31 pm

Yeah, give Safe Mode with networking, so you have internet access.

My script just gets exports of the 2 run keys under each hive, then has a look inside the Program Files folder.


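One way to triage the Run-key export that look.bat collects, as an added example that is not part of the original thread: it parses `regedit /e` output and flags autostart entries whose program sits in a user-writable profile folder. The sample export is constructed (its last value mirrors the entry named in the scan log later in this thread), and the folder list is an assumed heuristic, not a complete rule.

```python
import re

# Constructed sample of `regedit /e` output for the two Run keys. The last value
# mirrors the entry in this thread's scan log; the other two are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /background"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"akobhmrq"="C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\kjkdcm\\abvhsysguard.exe"
'''

# Assumed heuristic: user-writable folders where autostart programs rarely belong.
SUSPECT_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo the backslash escaping that .reg files apply to string data."""
    return re.sub(r'\\(.)', r'\1', s)

def parse_run_entries(text):
    """Return (key, value name, command) for every string value in the export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries

def executable_path(command):
    """Extract the program path from a Run command line (quoted or bare)."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)', command, re.I)
    return m.group(1) if m else command

def flag_suspicious(entries):
    """Flag autostart entries whose program sits in a user-writable folder."""
    return [(k, n, executable_path(c)) for k, n, c in entries
            if any(d in executable_path(c).lower() for d in SUSPECT_DIRS)]

if __name__ == "__main__":
    for key, name, path in flag_suspicious(parse_run_entries(SAMPLE_EXPORT)):
        print(f"REVIEW {key}\\{name} -> {path}")
```

A flagged entry is a lead for review rather than a verdict; some legitimate software also starts from the user profile.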

Re: os-guard pro virus

Post by illini80 on 18th December 2009, 7:33 pm

o-k, I'm now in safe mode on the infected computer...what's next?

Re: os-guard pro virus

Post by illini80 on 18th December 2009, 7:40 pm

Do I run the look.bat file now?

Re: os-guard pro virus

Post by illini80 on 18th December 2009, 7:52 pm

are you still there???

current issue

Post by tjlj on 18th December 2009, 9:20 pm

I'm having the exact same problem today as well. It's malware, by a website called os-guardpro2010.com. They've attached the spyware to all the system start up files. I've tried everything possible, including a malware scan in safe mode. I'm stuck too.

tjlj
Beginner
Beginner

Posts Posts : 2
Joined Joined : 2009-12-18
OS OS : windows xp
Points Points : 25520
# Likes # Likes : 0

Re: os-guard pro virus

Post by Belahzur on 18th December 2009, 10:41 pm

Yeah, still here, just had to go offline, went to get something to eat. Run the bat file, and post the log when done. :)


Re: os-guard pro virus

Post by tjlj on 18th December 2009, 10:47 pm

I fixed it!!!!

I went into safe mode with networking, downloaded spybot seek & destroy. It detected the files and fixed the problem. I then rebooted and all is back to normal!

Re: os-guard pro virus

Post by illini80 on 18th December 2009, 11:15 pm

Belahzur, I ran the Malware program in safe mode. It detected 9 problem files, which I deleted, and when I rebooted everything's working fine. I saved a log file of the Malware findings...do you wish to have it for reference, or not?

Thanks for all of your help!

Re: os-guard pro virus

Post by Belahzur on 18th December 2009, 11:18 pm

Yes please, post the log.

If the log shows traces of another infection, then we'll need to go deeper.


Re: os-guard pro virus

Post by illini80 on 18th December 2009, 11:25 pm

Here's the log. I didn't see how to simply attach a file, so I just went ahead and copied it into this response.


Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

12/18/2009 5:09:06 PM
mbam-log-2009-12-18 (17-09-01).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 379687
Time elapsed: 59 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\akobhmrq (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\akobhmrq (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Application Data\kjkdcm\abvhsysguard.exe (Trojan.FakeAlert) -> No action taken.
F:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> No action taken.

Re: os-guard pro virus

Post by Belahzur on 18th December 2009, 11:33 pm

Did you remove what it found there? It says no action taken. One more scan, then I think we're done.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.

