Antivirus System pro / Netguard 2010 virus, help!


#1 sketch17


Posted 30 November 2009 - 05:52 PM

Hi, I moved this post from Jamesr01's issue with the Antivirus System pro, Netguard 2010 virus.

So my problem is that I cannot get past the loading screen of Windows XP Home Edition. After I was attacked by the virus, I restarted the computer, and now when I try to load up in normal mode I get the BSOD Stop: 0x0000024 (0x00190203, 0x8665A828, etc.), and when I try to load in safe mode I get an odd blue screen with two characters, a sideways L and a "?".

I still have an XP reinstallation disk, but no product key and Keyfinder only works if I could get past the loading screen. I'm really stuck, so if anyone can help I'd be eternally grateful.

-Dylan M


#2 AustrAlien


Posted 01 December 2009 - 03:17 AM

0x00000024: NTFS_FILE_SYSTEM
A problem occurred within NTFS.SYS, the driver file that allows the system to read and write to NTFS file system drives. There may be a physical problem with the disk, or an Interrupt Request Packet (IRP) may be corrupted. Other common causes include heavy hard drive fragmentation, heavy file I/O, problems with some types of drive-mirroring software, or some antivirus software. I suggest running ChkDsk or ScanDisk as a first step; then disable all file system filters such as virus scanners, firewall software, or backup utilities. Check the file properties of NTFS.SYS to ensure it matches the current OS or SP version. Update all disk, tape backup, CD-ROM, or removable device drivers to the most current versions.

Source: http://aumha.org/a/stop.htm

Step 1
Disconnect or remove any other hard drive that may be connected to this system: This includes internal secondary/slave hard drives, external USB (or other hard drives), USB flashdrives etc.
Try booting the system now.

Step 2: if there is only the one hard drive connected and it still fails to boot with the STOP 0x24 error ...
The first thing that you should do is to check that your hard drive is not failing.
Download the diagnostic utility from the hard drive manufacturer's website to create a bootable floppy or CD. Boot with it, run the short/quick test and then the long/extended test, and check the S.M.A.R.T. status. If the hard drive tests show NO problems whatsoever with the hard drive, then it is safe to proceed with more work to rectify the problem with the Windows system.

Find the brand name of your hard drive. You will find this info on the label of the hard drive (most likely you will have to remove the hard drive from the box to read the label). You will also find sufficient info to identify the drive (the model number) by looking in the BIOS Setup Menu.
Hard Drive Diagnostics Tools and Utilities
http://www.tacktech.com/display.cfm?ttid=287

If you have trouble identifying your hard drive manufacturer, use the Hitachi diagnostic utility: It will work with most hard drives.

Step 3: if there is no problem whatsoever with the hard drive
Start the Recovery Console using a Windows XP CD (or an XP Recovery Console .ISO image that has been burned to CD: http://www.thecomputerparamedic.com/files/rc.iso). Do the following ...

1. Insert the CD in the computer's optical disk drive tray.

2. Start or re-start the computer so that it boots from the CD. You may be prompted to "Press any key". (If the system does not appear to be booting from the CD, you may need to enter the BIOS Setup Menu and change the boot order, so that the CD-ROM/optical disk drive is set to boot before the hard disk drive.)

3. When the Welcome to Setup screen appears, press the R key on your keyboard to start the Recovery Console.

4. The Recovery Console will ask which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press the ENTER key. If you have just one Windows installation, type 1 and press ENTER.

5. You will be prompted for the Administrator's password. If there is no password, (and this is most likely), simply press ENTER.

6. You will be presented with a C:\Windows> prompt.
At the C:\Windows> prompt, type chkdsk /p and press <ENTER>
If any errors are found/repairs made, run chkdsk /p again, and repeat if necessary, until no more errors are found.
Type "exit" at the prompt and press <ENTER> to close the Recovery Console and restart your system.
Does Windows start normally now?

Edit: I will include this information from your post in another thread ....
You wrote: "......... I'm having the .... issue with the odd blue screen and it started on the 28th, yesterday, I'm not sure where it came from but all I remember doing was DL'ing Google Chrome and I had one BitTorrent going. When I try to start normally I get a BSOD with the stop error 0x00000024. I was thinking about running through and restoring the registry but I'm not totally confident with myself to attempt changing flies and such. ....... I restarted while the fake spy protection thing was running .................... I have no access to the start screen even w/ normal mode."

You have titled this topic "Antivirus System pro / Netguard 2010". Was this the actual name or names of "the fake spy protection thing" that you saw in your own particular case (rather than the ones that jamesr01 named)? There are many similar looking names that might have been displayed: I would like you to confirm exactly what you saw. Can you remember or describe anything else about "the fake spy protection thing"? Did you take any action other than attempt to re-start your system, such as run any malware scans?

Edited by AustrAlien, 01 December 2009 - 03:59 AM.

AustrAlien
Google is my friend. Make Google your friend too.


#3 sketch17


Posted 01 December 2009 - 03:25 PM

This link shows a picture of what I saw when the program popped up: http://www.bleepingcomputer.com/virus-remo...irus-system-pro

When it opened up I tried to open the Task Manager but was denied access. There was another pop-up in the corner by the time clock that just said Antivirus System Pro found viruses, and asked me if I wanted to scan it. I never downloaded and ran any .exe that day except the Google Chrome installer.

I ran the chkdsk /p command and it found one error, so I ran it again and it said it found nothing that time, but when I boot in normal mode I still get the BSOD.

I'll try the Hard drive diagnostic tool next.

#4 AustrAlien


Posted 01 December 2009 - 06:50 PM

I'll try the Hard drive diagnostic tool next.

Assuming that your hard drive has no faults whatsoever, proceed with the following instructions. Please work slowly and carefully. If you have any questions or problems along the way, please ask for advice.

Off-line removal of the malware "Antivirus System Pro" with UBCD4Win

WARNING:
(The information provided requires editing the Windows registry.)
Improper changes to the registry could render your computer inoperable.
The following instructions include steps to save a back-up copy of the relevant part of the registry before making any changes.
Do not neglect to make those back-up copies.

Step 1
Make a UBCD4Win LiveCD
Go to http://www.ubcd4win.com/howto.htm and follow the instructions to make a bootable CD.
Test: Boot the infected machine from the CD, to make sure that all is working as it should. You should see the UBCD4Win Desktop, and be able to browse the hard drive (C: ) and view all files and folders.
-------------------------------------------

Information for the following steps:
Refer to the following information about items related to "Antivirus System Pro" when viewing the files and folders on your hard drive, and the entries in the Windows registry.

Remove Antivirus System Pro (Uninstall Guide)
Posted by Grinler on June 5, 2009
http://www.bleepingcomputer.com/virus-remo...irus-system-pro

Associated Antivirus System Pro Files:
c:\WINDOWS\sysguard.exe
c:\WINDOWS\system32\iehelper.dll
C:\Documents and Settings\<UserProfile>\<random characters>\<4 random chars>sysguard.exe

Associated Antivirus System Pro Windows Registry Information:
HKEY_CURRENT_USER\Software\AvScan
HKEY_CLASSES_ROOT\CLSID\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "system tool"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "<random characters>"

-----------------------------------------

Step 2
Navigate to
C:\Documents and Settings\<username>\<random characters>\<4 random chars>\sysguard.exe <<< file
Please record the details of the folder names "<random characters>" and "<4 random chars>" (you will need this information later).
Now, delete the folder "<random characters>" and all its contents.

Step 3
Check each of the usernames at
C:\Documents and Settings\<username>
You may need to repeat Step 2 for each of the usernames on the computer.

Step 4
Navigate to
C:\WINDOWS\ <<< folder
Locate the file "sysguard.exe" and delete it.

Step 5
Navigate to
C:\WINDOWS\system32 <<< folder
Locate and delete the file "iehelper.dll"

Step 6
Edit the registry using "Registry Editor"
At the UBCD4Win Desktop, go to Start > Programs > Registry Tools > RegEdit(Remote).
(Select C:\WINDOWS (should be the only thing showing) and click OK, if you see this dialog box at all.
At the "Runscanner" prompt box, choose "Yes".
Select Administrator, probably, in the "Select User Profile" window.)
Note: What options you actually see will depend on your system configuration.
You will now see the "Registry Editor" window.

Step 7
Navigate to
HKEY_CURRENT_USER\Software\AvScan <<< key (key = folder in left-hand-side window pane)
Right-click on the "AvScan" key and choose "Export" and give it a name and choose a location (say "My Documents" folder) and save it.
Right-click on the "AvScan" key and choose "Delete" and then confirm, to remove the whole key.

Step 8
Navigate to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <<< key
Right-click on the "Run" key and choose "Export" and give it a name and choose a location (say "My Documents" folder) and save it.
In the right-hand side pane, find the entry "system tool" and delete it. (the whole line)

Step 9
Navigate to
HKEY_CLASSES_ROOT\CLSID\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63} <<< key
Right-click on the "{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}" key and choose "Export" and give it a name and choose a location (say "My Documents" folder) and save it.
Right-click on the "{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}" key and choose "Delete" and then confirm, to remove the whole key.

Step 10
Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63} <<< key
Right-click on the "{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}" key and choose "Export" and give it a name and choose a location (say "My Documents" folder) and save it.
Right-click on the "{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}" key and choose "Delete" and confirm, to remove the whole key.

Step 11
Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run <<< key
Right-click on the "Run" key and choose "Export" and give it a name and choose a location (say "My Documents" folder) and save it.
In the right-hand side pane, find the entry "<random characters>" and delete it. (the whole line)
(Refer to Step 2 for the information that you recorded about "<random characters>")

Step 12
Close the Registry Editor window.
Restart your computer, taking out the LiveCD.
Does Windows load normally and present you with your Desktop now?
How do things look? Are you able to operate the system normally?

Edit: Oh, yes ... Good luck !!!

Edited by AustrAlien, 01 December 2009 - 06:51 PM.

AustrAlien
Google is my friend. Make Google your friend too.
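As an added example (not part of this thread or of the guide it links), the PowerShell function below checks a live Windows system for the file and registry indicators listed in the steps above, exports every affected registry key with reg.exe before anything is touched (the back-up the warning insists on), and only deletes items when -Remove is given. It assumes PowerShell 5 or later run as Administrator on the booted system rather than from UBCD4Win; the function name and the $BackupDir path are constructed for this example.

```powershell
# Added example: check for the Antivirus System Pro indicators listed in the
# thread, export affected registry keys, then (only with -Remove) delete them.
# Assumes PowerShell 5+ run as Administrator on a live system; $BackupDir is a
# constructed path. Honours -WhatIf for the removals.
function Test-AvSystemPro {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remove, [string]$BackupDir = "$env:SystemDrive\RegBackup-AvSystemPro")
    $clsid = '{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}'   # BHO CLSID from the guide
    # Fixed file paths, plus the per-profile "<random>\<4 chars>sysguard.exe" copy
    $files = @("$env:SystemRoot\sysguard.exe", "$env:SystemRoot\system32\iehelper.dll")
    $profileRoot = Split-Path $env:USERPROFILE -Parent   # Documents and Settings, or Users
    $files += Get-ChildItem -Path $profileRoot -Recurse -Depth 2 -Filter '*sysguard.exe' -File -ErrorAction SilentlyContinue | ForEach-Object FullName
    $keys = @("HKCU:\Software\AvScan",
              "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
              "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid")
    $found = @()
    foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $found += [pscustomobject]@{Type='File'; Path=$f; Name=''} } }
    foreach ($k in $keys)  { if (Test-Path -LiteralPath $k) { $found += [pscustomobject]@{Type='Key'; Path=$k; Name=''} } }
    # Run entries: "system tool" under HKCU, and any value whose command launches a *sysguard.exe
    foreach ($hive in 'HKCU', 'HKLM') {
        $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        $props = Get-ItemProperty -LiteralPath $run -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties | Where-Object Name -notlike 'PS*') {
            if ($p.Name -eq 'system tool' -or "$($p.Value)" -like '*sysguard.exe*') {
                $found += [pscustomobject]@{Type='RunValue'; Path=$run; Name=$p.Name}
            }
        }
    }
    if (-not $found) { Write-Host 'No Antivirus System Pro indicators found.'; return }
    $found | Format-Table -AutoSize | Out-Host
    if (-not $Remove) { return $found }
    # Back up every affected key with reg.exe (needs the native hive name, not a PSDrive)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($item in $found | Where-Object Type -ne 'File') {
        $native = $item.Path -replace '^Registry::', '' -replace '^HKCU:', 'HKEY_CURRENT_USER' -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
        $out = Join-Path $BackupDir (($native -replace '[\\:{}\s]', '_') + '.reg')
        reg.exe export $native $out /y | Out-Null
    }
    foreach ($item in $found) {
        switch ($item.Type) {
            'File'     { Remove-Item -LiteralPath $item.Path -Force }
            'Key'      { Remove-Item -LiteralPath $item.Path -Recurse -Force }
            'RunValue' { Remove-ItemProperty -LiteralPath $item.Path -Name $item.Name }
        }
    }
    return $found
}
```

Run `Test-AvSystemPro` alone to report only, and `Test-AvSystemPro -Remove -WhatIf` to preview the deletions. HKCU here is only the hive of the account running the script, so Step 3's point about checking every profile still applies.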
