zentom system guard


  • This topic is locked
19 replies to this topic

#1 discordia (Members, 29 posts)

Posted 05 September 2011 - 11:37 AM

Last night I ended up with zentom system guard installing itself on my laptop. It slowed everything down and kept popping up in the middle of the screen wanting me to buy it and update it, and kept popping up warnings on the toolbar. I know it was zentom because it wasn't exactly shy with its name; it was coming up as a program in my start-up menu, toolbar and obviously in its popups. It would just close anything I tried to open, including the Task Manager window.

It stopped my internet connection and was trying to connect through another connection that I've never seen before. I managed to get it back to my own internet connection and followed instructions to remove the problem http://www.bleepingcomputer.com/virus-removal/remove-zentom-system-guard

Malwarebytes eventually managed to find the problem and said that it had removed it, but although the popups are gone I am still getting the popup warnings from the toolbar, and anything I try to open is taking about 15 minutes to open and then opening multiple copies. If I try to open Malwarebytes it says I don't have permission to open it. Also, every so often it will randomly come up and say that the thing I was searching for was not found and that I should check my spelling and press search again, but I am not using the search function.

I don't know what else to try. I'm having to use my other computer to type this, although I think with some patience I could probably open a webpage to follow instructions for help.

Please, any advice on where to go from here would be appreciated.


#2 discordia (Topic Starter)

Posted 05 September 2011 - 11:59 AM

I think I just answered in my last post. I was logged into the account on 2 devices. I'd half-typed on one, gave up and decided to use my PC instead; when I posted I saw the half-typed one from my phone had posted, so I edited it as you saw, but when I went back to the forum list I saw it was there twice. I can only guess that because I pressed post on one, both devices that were logged into BleepingComputer posted.

#3 cryptodan (Bleepin Madman, Members, 21,868 posts, Catonsville, Md)

Posted 05 September 2011 - 12:15 PM

Can you post the Malwarebytes log?

#4 discordia (Topic Starter)

Posted 05 September 2011 - 12:20 PM

I don't think so. If I try to access Malwarebytes I get the error 'Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.'

Unless the log would be stored elsewhere on the laptop.

#5 cryptodan (Bleepin Madman)

Posted 05 September 2011 - 12:22 PM

What is your version of Windows?

#6 discordia (Topic Starter)

Posted 05 September 2011 - 12:25 PM

Windows XP

#7 cryptodan (Bleepin Madman)

Posted 05 September 2011 - 12:29 PM

C:\Documents and Settings\Yourusername\Application Data\Malwarebytes\Log

should be the location of the log.

#8 discordia (Topic Starter)

Posted 05 September 2011 - 12:30 PM

I should possibly add that Norton Antivirus has decided to come to life and says it has found a file called BingBar.exe, which it says is a high risk.

#9 cryptodan (Bleepin Madman)

Posted 05 September 2011 - 12:33 PM

Probably a false positive.

#10 discordia (Topic Starter)

Posted 05 September 2011 - 12:35 PM

Ok, it's opening everything slowly. It keeps crashing, but I'll try and retrieve the logs.

#11 discordia (Topic Starter)

Posted 05 September 2011 - 12:39 PM

Trying to get into the Application Data folder causes Windows Explorer to crash and all but the wallpaper to disappear.

#12 cryptodan (Bleepin Madman)

Posted 05 September 2011 - 12:43 PM

You may have to try via a DOS prompt.

#13 discordia (Topic Starter)

Posted 05 September 2011 - 12:46 PM

How can I do that?

It's completely unresponsive right now. All I have on screen is my wallpaper and a cursor. All I can bring up is Task Manager, but it closes itself after a few seconds, and I'm still getting Norton trying to block that BingBar.exe.

#14 cryptodan (Bleepin Madman)

Posted 05 September 2011 - 12:57 PM

Log in to Windows using Safe Mode with Networking by hitting F8 just after the BIOS POST screen.

#15 discordia (Topic Starter)

Posted 05 September 2011 - 01:05 PM

Ok, back on the infected laptop now in safe mode. Last night's Malwarebytes log is below.



Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7654

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

05/09/2011 14:41:04
mbam-log-2011-09-05 (14-41-04).txt

Scan type: Full scan (C:\|)
Objects scanned: 241807
Time elapsed: 2 hour(s), 20 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 22
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{DA99EBD5-4586-4A6E-BC0A-62EAE489295D} (IPH.GenericBHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DA99EBD5-4586-4A6E-BC0A-62EAE489295D} (IPH.GenericBHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DA99EBD5-4586-4A6E-BC0A-62EAE489295D} (IPH.GenericBHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{EBD5F519-1E51-44C7-BBB9-354719A7751E} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adfadcpdpr.adfadcpdpr.1.0 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adfadcpdpr.adfadcpdpr (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EBD5F519-1E51-44C7-BBB9-354719A7751E} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{EBD5F519-1E51-44C7-BBB9-354719A7751E} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{EBD5F519-1E51-44C7-BBB9-354719A7751E} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zentom System Guard (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{EF664F2B-438F-4107-B440-CCD774A286DE} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\brumadcpdgrm.brumadcpdgrm.1.0 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\brumadcpdgrm.brumadcpdgrm (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF664F2B-438F-4107-B440-CCD774A286DE} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF664F2B-438F-4107-B440-CCD774A286DE} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF664F2B-438F-4107-B440-CCD774A286DE} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Z-opti (Adware.EZula) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Context\Context-Ads (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Z-opti (Adware.EZula) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Context\Context-Ads (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$XNTUninstall643$ (Adware.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bipro (Adware.BHO) -> Value: bipro -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*actionbaseedit.exe (Trojan.FakeAlert) -> Value: *actionbaseedit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*advscanmgr.exe (Trojan.FakeAlert) -> Value: *advscanmgr.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kocinc700kk.exe (Trojan.FakeAlert) -> Value: kocinc700kk.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\WINDOWS\$xntuninstall643$ (Adware.AdRotator) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\dmoc.dll (IPH.GenericBHO) -> Quarantined and deleted successfully.
c:\WINDOWS\$xntuninstall643$\wzrel.dll (Adware.BHO) -> Quarantined and deleted successfully.
c:\documents and settings\georgie cartner\actionbaseedit.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\program files\advscanmgr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\georgie cartner\application data\ef9678fd98a09f9834235587cc5020a0\kocinc700kk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\$xntuninstall643$\qpeji.dll (Adware.BHO) -> Quarantined and deleted successfully.
c:\documents and settings\georgie cartner\application data\Adobe\plugs\kb14464796.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\georgie cartner\application data\Adobe\plugs\kb14464843.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\georgie cartner\application data\Adobe\plugs\kb14488156.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\georgie cartner\application data\ef9678fd98a09f9834235587cc5020a0\hookdll.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\georgie cartner\local settings\Temp\cnrsxmwoea.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
c:\documents and settings\georgie cartner\local settings\Temp\err.log14427046 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\georgie cartner\local settings\Temp\FY1D2.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\georgie cartner\local settings\Temp\FY1D3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\georgie cartner\local settings\Temp\FY1D9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\georgie cartner\local settings\Temp\FY1DF.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\georgie cartner\local settings\Temp\FY5A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\georgie cartner\local settings\Temp\FY5D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\georgie cartner\local settings\Temp\3F.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\georgie cartner\local settings\Temp\7zas.exe (Spyware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\georgie cartner\start menu\Programs\Startup\zentom system guard.lnk (Rogue.ZentomSystemGuard) -> Quarantined and deleted successfully.
c:\WINDOWS\$xntuninstall643$\apuninstall.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
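The log posted above is in the Malwarebytes' Anti-Malware 1.x text format. As an added example for this thread (not part of the original posts and not Malwarebytes' own tooling), the Python script below parses that format and pulls out what a responder looks at first when a machine is still misbehaving after a "successful" clean: which autostart locations the rogue used (the Run/RunOnce values, the Startup-folder .lnk, the IE Browser Helper Object CLSIDs), the Security Center setting it tampered with, any rootkit-class detection, and any entry the scan did not actually report as removed. The SAMPLE_LOG embedded in the script is a constructed excerpt of the posted log in the same line format with the user name replaced; the persistence labels are the example's own heuristic, not a Malwarebytes category.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log.

Added example for this thread; it is not Malwarebytes' own tooling.  The
embedded SAMPLE_LOG is a constructed excerpt of the posted log (same line
format, user name replaced with "user").
"""
import re
import sys
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "section item family action")

# Constructed sample in the MBAM 1.x format shown in the thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.1.1800
Database version: 7654

Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 1
Files Infected: 3

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DA99EBD5-4586-4A6E-BC0A-62EAE489295D} (IPH.GenericBHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zentom System Guard (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bipro (Adware.BHO) -> Value: bipro -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*advscanmgr.exe (Trojan.FakeAlert) -> Value: *advscanmgr.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\advscanmgr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\user\local settings\Temp\3F.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\user\start menu\Programs\Startup\zentom system guard.lnk (Rogue.ZentomSystemGuard) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<family>) -> <action ...>"
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# This example's own heuristic (not a Malwarebytes category): substrings of the
# lower-cased item path that identify a known autostart or tamper location.
PERSISTENCE_MARKERS = (
    ("\\currentversion\\run\\", "autostart registry (Run/RunOnce)"),
    ("\\currentversion\\runonce\\", "autostart registry (Run/RunOnce)"),
    ("\\browser helper objects\\", "IE Browser Helper Object"),
    ("\\start menu\\programs\\startup\\", "Startup folder"),
    ("\\security center\\", "Security Center setting tamper"),
)


def parse_mbam_log(text):
    """Return the detections listed under the per-section blocks of the log.

    The summary block near the top ("Registry Keys Infected: 22") is skipped:
    only headers that end in "Infected:" open a section.
    """
    section = None
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(" Infected:"):  # e.g. "Registry Keys Infected:"
            section = line[: -len(" Infected:")]
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            found.append(Detection(section, m["item"], m["family"], m["action"]))
    return found


def persistence_mechanism(det):
    """Label the autostart/tamper location an item lived in, or None."""
    low = det.item.lower()
    for marker, label in PERSISTENCE_MARKERS:
        if marker in low:
            return label
    return None


def triage(text):
    """Summarise a log: counts, autostart footholds, rootkit-class hits, leftovers."""
    dets = parse_mbam_log(text)
    persistence = [(persistence_mechanism(d), d.item, d.family)
                   for d in dets if persistence_mechanism(d)]
    return {
        "by_section": Counter(d.section for d in dets),
        "families": Counter(d.family for d in dets),
        "persistence": persistence,
        # Rootkit.* hits: quarantining a dropped file does not by itself show
        # the rootkit's driver/boot component is gone; flag for a dedicated tool.
        "rootkit": [d for d in dets if d.family.startswith("Rootkit.")],
        # Anything not reported as removed (e.g. "Delete on reboot.") is a leftover.
        "not_removed": [d for d in dets if "successfully" not in d.action],
    }


if __name__ == "__main__":
    # Usage: python mbam_triage.py [mbam-log.txt]; with no argument, the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_text = fh.read()
    else:
        log_text = SAMPLE_LOG
    report = triage(log_text)
    for section, n in sorted(report["by_section"].items()):
        print(f"{section}: {n}")
    print("\nPersistence locations cleaned:")
    for mech, item, family in report["persistence"]:
        print(f"  [{mech}] {item} ({family})")
    for key in ("rootkit", "not_removed"):
        for d in report[key]:
            print(f"  [{key}] {d.item} ({d.family}) -> {d.action}")
```

Run it against the real log file once it is copied off the infected machine (from safe mode or a command prompt, as cryptodan suggests); everything the script reports as a persistence location or a rootkit-class hit is a place to re-check on the next boot, since the symptoms discordia describes after the clean are exactly what a re-spawning autostart entry or an undetected driver component would produce.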



