
Help... "Denied Access to Reg" due to sysguard (updated) infection


chish38
Hello all,

Just last week I dealt with one version of sysguard and was successful removing it manually, although it had changed its designation to ----sysguard.exe

It has now taken out a second computer but revamped itself again. Now named yhkosysguard.exe, listed as user: Userenv (which is not me). The big difference that I am looking for help with is that this week it has automatically taken admin access to regedit (msconfig, etc. will run) and I cannot access it to make any other changes. It took off the ability to see hidden files.

I have started in Safe Mode in all ways, including w/ command prompt. It proceeded to boot in regular Safe Mode... denied access by administrator pop-up again.

If anyone has any options out there on where/what to do, I would be grateful.

Merry Christmas! ;o) and Thanks.
    Jacky Howe

    let us know how you get on.

    Follow the steps below with the System started and restarted in Safe Mode with Networking. Running in Safe Mode loads a minimal set of drivers for the Operating System. You can use these options to start Windows so that you can modify the registry or load or remove drivers. If you can access the Internet use it to download and install the files.

    If you can't access the internet to update MBAM try the instructions below to clear a path to the internet to be able to run MBAM. You can also download the updates for MBAM and run them from the USB.

    From another System download and install Spybot, update it and copy the installed folders to a USB Stick. Copy MBAM and the Update as well.

    With the new strains of Virus that have been created you may find it necessary to rename the executable files so that they will work. Rename mbam-setup.exe and then navigate to the install folder and rename mbam.exe. Do not change the file's extension from .exe. Do the same with Spybot.

    Removing malware from System Restore points:

    When you're infected with any trojans, spyware, malware, they could have been saved in System Restore and can re-infect you. It's best to remove them.

    XP
    Press the WinKey + r type sysdm.cpl and press Enter.
    Select the System Restore tab and check "Turn off System Restore".


    Vista
    Press the WinKey + r type sysdm.cpl and press Enter
    Select the System Protection tab. Untick the box next to Local Disk C: and any other drives and click on Turn System Restore off.


    After scanning the system and removing the offending malware, re-enable System Restore by repeating the steps, this time removing the check from "Turn off System Restore".
    When all is clear you may need to tidy up the Registry. Link is at the bottom.


    Once you have restarted the Infected System in Safe Mode, navigate to the USB stick and run Spybot.

    Download Spybot - Search & Destroy and install it. Update it. http://www.safer-networking.org/en/download/index.html

    When you first start Spybot, click on the Mode menu and select Advanced mode. Under the Tools options (bottom left) select View Report. On the screen in the right hand pane, select View report to create a new report. Save the report as it may come in handy later. Spybot will also keep log files in this location in Vista:

    C:\ProgramData\Spybot - Search & Destroy\Logs

    Spybot will also keep saved log files in this location in XP:

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs


    Download Malwarebytes Anti-Malware, install it and update it.

    Malwarebytes: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.

    If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    mbam-rules: http://malwarebytes.gt500.org/

    I would keep scanning with it until it is clean by closing out and rebooting and running it again.

    Run this Rootkit Revealer, GMER:
    http://www.gmer.net/index.php

    FAQ:
    http://www.gmer.net/faq.php


    Those applications should be able to get you up and running. Here are some extra tasks if it is not working for you.


    Tip! If you want to write protect the USB drive/stick while you are working on an infected System.
    In the recent release of Windows XP Service Pack 2 (SP2), a new feature was added by Microsoft to allow the write protection of USB block storage devices. This entails a simple Registry modification that requires no hardware devices to write protect thumb drives.

    If the USB drive has no small switch for write protection you can turn it on through the Registry via Command Line.

    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 1 /f

    and one to turn it off but a System restart is required. Place a Batch file on the USB to turn it off.

    reg delete HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /f


    If TaskManager has been disabled this will enable TaskManager to allow access to the Registry.

    Command line removal or create Batch files.

    Click Start Run and type cmd and then press Enter.

    Execute the following commands in the command line in order to activate the registry editor and Task Manager:

    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f

    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f

    You could also check these registry entries and change the values from 1 to 0 if they are disabled.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"


    If you are still having problems try this.

    Download Combofix and rename the executable Combofix.exe to cfix.exe before running it.

    http://www.combofix.org/

    http://www.combofix.org/download.php


    By now you should know what the name of the infection is. If you think that it may have infected the MBR, try this.

    Fixmbr - Repair Master Boot Record and remove Viral activity:

    Site
    http://www.ambience.sk/fdisk-master-boot-record-windows-linux-lilo-fixmbr.php

    Download
    http://www.ambience.sk/experiments/MbrFix.exe


    Download MbrFix to c:\

    Press Winkey + r and type in cmd and press Enter.

    now type cd\ and press Enter.

    now type MbrFix /drive 0 savembr Backup_MBR_0.bin and press Enter.


    now type MbrFix /drive 0 fixmbr /yes and press Enter.

    now type exit and press Enter.

    Restart the System for it to take effect.


    Registry Cleanup:

    Download and install CCleaner to tidy up your Registry. Backup the Registry as you go along, rescan again and again saving as you go until there are no errors left.

    Cleaner: Windows

    When you first open CCleaner you will have an option to Analyze or Run Cleaner, after checking the left Pane and making your choices. Delete all Temp Files. If you scroll down you will see a greyed out box that has Advanced next to it. Left click on it and keep pressing OK to all of the responses. I normally Untick Windows Log Files and Memory Dumps as they may come in handy.

    You don't have to install all of the add ons or shortcuts just the one to the Desktop.

    http://www.ccleaner.com/download


    Or if you want to wipe the Hard drive and start fresh try this. This is a sure way to remove any infections.

    DBAN will overwrite the hard drive filling it with 0's and 1's, completely wiping the drive of information. You then create new Partitions, Format and install the OS without having to worry about a reinfection. Any traces of the Viral infection should be annihilated.

    Darik's Boot and Nuke.

    http://dban.sourceforge.net/

    Autonuke should do it by running it at least 3 times.


    Removal Tools

    http://www.symantec.com/business/security_response/removaltools.jsp
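
    The post above has you check four registry values one at a time with reg delete and regedit (the TaskManager/registry editor policies and the two Security Center overrides). The script below is an added example, not part of Jacky Howe's post: it reads the same values the post names, reports which ones are set to the value the post describes as "disabled" (1), and only with the -Fix switch reverts them the way the post does (deleting the two HKCU policy values, setting the two Security Center values back to 0). It assumes Windows PowerShell run from an elevated prompt; the -Fix switch and the output format are this example's own. Run it after the scanners have stopped the infection, since a process still running can simply rewrite the values.

```powershell
# Audit (and optionally revert) the registry policy values named in the post.
# Added example, not the poster's own code. Assumes Windows PowerShell,
# run elevated. Without -Fix the script only reports and changes nothing.
param(
    [switch]$Fix
)

# Each entry: key path, value name, the value the post says to look for (1),
# and how the post reverts it (delete the value, or set it back to 0).
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';       Bad = 1; Action = 'Delete' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Bad = 1; Action = 'Delete' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                         Name = 'FirewallOverride';     Bad = 1; Action = 'Zero'   },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                         Name = 'AntiVirusOverride';    Bad = 1; Action = 'Zero'   }
)

foreach ($c in $checks) {
    $current = $null
    if (Test-Path -Path $c.Path) {
        # Get-ItemProperty returns an object; pick out the one value we asked for.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.($c.Name) }
    }

    if ($null -eq $current) {
        Write-Output ("OK       {0}\{1} is not set" -f $c.Path, $c.Name)
        continue
    }
    if ($current -ne $c.Bad) {
        Write-Output ("OK       {0}\{1} = {2}" -f $c.Path, $c.Name, $current)
        continue
    }

    # Value matches what the post describes as the disabled state.
    Write-Output ("SUSPECT  {0}\{1} = {2}" -f $c.Path, $c.Name, $current)
    if (-not $Fix) { continue }

    if ($c.Action -eq 'Delete') {
        # Same effect as the post's: reg delete <key> /v <name> /f
        Remove-ItemProperty -Path $c.Path -Name $c.Name -Force
        Write-Output ("FIXED    removed {0}" -f $c.Name)
    } else {
        # Same effect as the post's "change the values from 1 to 0".
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value 0 -Type DWord
        Write-Output ("FIXED    {0} set to 0" -f $c.Name)
    }
}
```

    Run it once without -Fix to see the state of the four values, then with -Fix to revert them; a second run without -Fix should report all four as OK, and if any of them has gone back to 1 the infection is still active and the scanning steps above have not finished the job.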

    CG IT

    all these people coming onto the site and putting in the subject Help.. or Please Help....

    Jacky Howe

    I counted 7 this morning.
