
Security Guard 2012


3 replies to this topic

#1 davss2


Posted 04 October 2011 - 03:10 PM

Windows 7 machine infected with Security Guard 2012. It seems to be different from previous versions, as none of the fixes for the others (without the year) will clean the machine. It will not run long enough to get a log and constantly comes up with a fake BSOD. Rkill does not work, and neither will TDSSKiller or Malwarebytes.

Sorry I know this is not a lot to go on but I can't keep the pc running long enough to get any information.

Edited by Budapest, 04 October 2011 - 05:09 PM.
Moved from Win7 ~Budapest



#2 MetalBlessing


Posted 04 October 2011 - 04:55 PM

I tried to remove this virus from a user's machine today and didn't get very far. I tried renaming Malwarebytes to "Pancakes.exe" and Rkill to "Blueberry_Muffins.exe" to attempt to fool the virus, but Malwarebytes force closes about 10 seconds into a scan, and Rkill ends up killing the explorer process, which causes the entire desktop to disappear. You have to manually create a new explorer process to get the desktop back.

I wracked my brain trying to think of more inventive ways to remove the virus. I tried going to the security tab for Rkill and stripping away all user rights for every user, including SYSTEM, in the hope that it would prevent the virus's process from being able to terminate it, adding just my domain credentials with only read and execute rights, but it had the same result.

I cleared everything possible from the registry and C:\ but still no change. There is a process in Task Manager that cannot be killed no matter what I do, and I believe it is the cause of the force closing of apps. On the PC I was remoted into, the process was named "1330207000:3886462640.exe".

Tried many other strategies as well, such as running Rkill as admin, running through cmd, running in an elevated cmd, and running under alternate credentials. Spent a little over an hour on the phone with the user, connected to his machine. I did not run ComboFix though.

If anyone has success I would like to know your secrets.

#3 meichelman


Posted 06 October 2011 - 05:25 PM

Got the call regarding this new infection the other day. As has been found by others, none of the usual tools seem to work (Rkill, Malwarebytes, Hitman Pro, etc.) or they are shut down immediately upon launch. The infection also disabled and corrupted an ESET NOD32 installation. I say corrupted because upon cleanup, I couldn't even uninstall/reinstall NOD32 without their forced uninstaller via Safe Mode.

Here's how I got rid of it (disclaimer: this only works if the system is connected to a network; domain or workgroup makes no difference):

1. Browse to the file system of the infected computer from another computer on the network
2. Locate the files in the system32 directory, specifically the numbered .exe everyone is seeing
3. Rename the .exe to .bak
4. Reboot the infected machine

After the reboot, the infection was not running on the target system. I was able to run Hitman Pro and Malwarebytes, in that order, to clean up the remnants. Both now return with no infection.

I suppose you could also pull the HDD, plug in via USB (I use one of these http://www.newegg.com/Product/Product.aspx?Item=N82E16812156017 ), and scan the drive externally. I happened to be working remotely when I cleaned this one up.

HTH
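The four steps above done from a clean machine with PowerShell, as an added example that is not code from the thread or any of its posters. It assumes the infected host is reachable over the C$ administrative share under an account that is a local administrator there (the host name INFECTED-PC is a placeholder) and it only reports unless -Rename is passed.

```powershell
# Added example (not code from the thread): steps 1-4 of the procedure above, run from a
# clean machine on the same network. Dry run by default.
# Assumptions: the C$ admin share of the infected host is reachable with local-admin rights;
# 'INFECTED-PC' is a placeholder name.
param(
    [string]$ComputerName = 'INFECTED-PC',
    [switch]$Rename                      # report only unless -Rename is given
)

# Step 1: the infected file system, reached over the admin share.
$roots = @("\\$ComputerName\C$\Windows\System32", "\\$ComputerName\C$\Windows")

# Step 2: Windows ships no executables whose name is only digits, so a digit-only base name
# in Windows or System32 is the "numbered .exe" the post refers to.
$suspects = Get-ChildItem -Path $roots -File -ErrorAction Stop |
    Where-Object { $_.BaseName -match '^\d+$' }

foreach ($f in $suspects) {
    Write-Host ("{0}  size={1}  created={2}" -f $f.FullName, $f.Length, $f.CreationTime)

    # A colon inside a Windows file name, as in the process name quoted in post #2
    # (1330207000:3886462640.exe), separates a host file from an NTFS alternate data stream.
    # A plain listing shows only the host file, so enumerate its streams as well.
    Get-Item -Path $f.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { Write-Host ("    stream {0}  length={1}" -f $_.Stream, $_.Length) }

    # Step 3: rename so the file no longer resolves at the next boot; it is kept for
    # later analysis rather than deleted.
    if ($Rename -and $f.Extension -eq '.exe') {
        $new = $f.BaseName + '.bak'
        Rename-Item -Path $f.FullName -NewName $new -Confirm
        Write-Host "    renamed to $new"
    }
}

# Step 4: reboot the infected machine (prompts before doing so).
if ($Rename) {
    Restart-Computer -ComputerName $ComputerName -Confirm
} else {
    Write-Host 'Dry run: re-run with -Rename to rename the listed files and reboot.'
}
```

If a digit-named file turns out to carry a non-default stream, the executable is not a regular .exe and the rename step alone does not apply; the Run or services entry that references it has to be found as well, which post #4 below describes.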

#4 bruceDavid


Posted 08 October 2011 - 12:55 PM

Spent 3 days chasing this problem on a laptop with XP Pro. Located a random letters-numbers entry in the HKLM\software\microsoft\windows\run key that we deleted to stop the machine from shutting down. Copied the name of the file this key pointed to for future deletion.
Ran TDSSKiller to find the files, but even though it removed them they came back again; checking the TDSSKiller quarantine gave us the name and path of these two files. Searched the registry and found there was a services entry pointing to one of them, which we deleted. (2 copies)
Then ran the GMER program, which gave us a BSOD pointing to the IPSEC.SYS file as being the cause. Replaced both copies with a known good copy (DLLCACHE & DRIVERS folders) and the virus files no longer came back.
The random numbers.exe file is a rootkit and was located in the Windows folder. The other file was in the System32 folder.
We removed the virus files and the system is now running normally. We removed the HDD and added it as a 2nd drive to another machine so that we could replace the IPSEC.SYS files without problems. This could be done with the service console or by running the machine with Linux Puppy or a similar system. The good IPSEC.SYS can be found in the i386 folder of the installation DVD/CD or in the latest service pack files folder on the HDD.
Hope this helps you solve the problem.

Edited by bruceDavid, 08 October 2011 - 01:00 PM.
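The three checks in this post (the random-looking Run key entry, the services entry pointing at the numbered file, and the replaced IPSEC.SYS) as one added PowerShell example run from a clean machine against the infected disk attached as a second drive, the way the post describes. This is not code from the thread or its posters; the paths D:\Windows and E:\i386, the temporary hive names and the output folder are assumptions, and it needs an elevated PowerShell because it loads the offline registry hives.

```powershell
# Added example (not from the thread): audit an infected XP installation attached to a clean
# machine as a second drive. Assumptions: the infected Windows folder is D:\Windows, an i386
# folder from install media is at E:\i386, and the hive names below are free.
param(
    [string]$OfflineWindows = 'D:\Windows',
    [string]$I386 = 'E:\i386'
)

$softHive = 'HKLM\OffSOFTWARE'
$sysHive  = 'HKLM\OffSYSTEM'
& reg.exe load $softHive (Join-Path $OfflineWindows 'System32\config\SOFTWARE') | Out-Null
& reg.exe load $sysHive  (Join-Path $OfflineWindows 'System32\config\SYSTEM')   | Out-Null

try {
    # 1. Run key: report values whose name is a random-looking letters-and-digits token, or
    #    whose command starts a digit-only executable (the pattern the post describes).
    $runKey = "Registry::$softHive\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # PowerShell's own PSPath etc.
            $name   = [string]$p.Name
            $target = [string]$p.Value
            $randomName = $name -match '^[A-Za-z0-9]{8,}$' -and $name -match '\d' -and $name -match '[A-Za-z]'
            if ($randomName -or $target -match '\\\d+(:\d+)?\.exe\b') {
                Write-Host "Run : $name -> $target"
            }
        }
    }

    # 2. Services: an offline SYSTEM hive has no CurrentControlSet link, so read the control
    #    set named by Select\Current and flag ImagePath values that point at digit-only files.
    $cur    = (Get-ItemProperty -Path "Registry::$sysHive\Select").Current
    $svcKey = "Registry::$sysHive\ControlSet{0:D3}\Services" -f $cur
    Get-ChildItem -Path $svcKey | ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img -match '\\\d+(:\d+)?\.(exe|sys)\b') {
            Write-Host "Svc : $($_.PSChildName) -> $img"
        }
    }

    # 3. ipsec.sys: hash the drivers copy, the dllcache copy and the install-media copy.
    #    dllcache can be overwritten too, so agreement between the first two proves nothing;
    #    the media copy (ipsec.sy_, expanded with expand.exe) is the reference.
    $refDir = Join-Path $env:TEMP 'ipsec-ref'
    New-Item -ItemType Directory -Path $refDir -Force | Out-Null
    & expand.exe -r (Join-Path $I386 'ipsec.sy_') $refDir | Out-Null

    $drv   = Join-Path $OfflineWindows 'System32\drivers\ipsec.sys'
    $cache = Join-Path $OfflineWindows 'System32\dllcache\ipsec.sys'
    $ref   = Join-Path $refDir 'ipsec.sys'
    $hashes = @{}
    foreach ($f in @($drv, $cache, $ref)) {
        if (Test-Path -Path $f) {
            $hashes[$f] = (Get-FileHash -Path $f -Algorithm SHA256).Hash
            Write-Host ("{0}  version={1}  {2}" -f $hashes[$f], (Get-Item $f).VersionInfo.FileVersion, $f)
        }
    }
    if ($hashes[$drv]   -ne $hashes[$ref]) { Write-Warning 'drivers\ipsec.sys differs from the install-media copy' }
    if ($hashes[$cache] -ne $hashes[$ref]) { Write-Warning 'dllcache\ipsec.sys differs from the install-media copy' }
} finally {
    & reg.exe unload $softHive | Out-Null
    & reg.exe unload $sysHive  | Out-Null
}
```

The version column matters for the third check: as the post notes, the good copy may also live in the service pack files folder, and an i386 folder from the original CD holds an older build than a service-packed system, so a hash that differs from the media copy but carries the expected newer file version is not by itself evidence of tampering. A copy whose version string matches the media copy while its hash does not is the case worth replacing.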
