System Guard 2009 issues...

+
0 Votes
Locked

mdfreeman
I'm working on two machine that have System Guard 2009/vundo infections on them, both systems have been cleaned off with MalwareBytes but they still cannot get updates for any AV software unless you boot into safe mode with networking. I've scanned repeatedly with MBAM, I've also removed the hard drives and attached them to another machine and scanned with AVG, both are coming up clean. The machines access the Internet fine, I can get to some security sites (symantec.com), but not others (malwarebytes.org). I cannot update MalwareBytes or Vipre in normal mode, neither can I access shares on the local network. I have reset all the zones to default level in Internet Connections, reset TCP/IP using netsh, and reset the local security policy using secedit. I have also performed a repair install on one of the machines...all to no avail. I'm really stumped on this one.
  • +
    0 Votes

    I had a similar issue with some updates and found out that my clock was out of sync.
    Look at your computer clock and make sure that the settings are correct. Make sure that the (clock) settings are set to the (correct) month, zone and the correct time.
    Hope this helps you.

    +
    0 Votes
    mdfreeman

    The clock settings are correct. I'm in the process of trying some of the other suggestions posted to this thread. Thanks for the tip, though. I had not checked the clock settings until you mentioned it.

    +
    0 Votes
    Snuffy09

    Give SuperAntiSpyware a run for its money (free).

    http://www.superantispyware.com/download.html

    If that's not it, try HijackThis if you haven't already.

    +
    0 Votes
    mdfreeman

    SAS found 46 tracking cookies. It prompted me to reboot and now everything is working fine. Our Senior Engineer recently installed a Kerio WinRoute firewall on our server; we have 40 licenses for it and we were dangerously close to our limit yesterday. I'm wondering if that may have been the problem. We've had difficulties with this system previously, but not like this. Either way, I greatly appreciate your help...thanks a LOT. I'm adding SAS to my toolkit.

    +
    0 Votes
    Snuffy09

    Glad it worked for you!

    +
    0 Votes
    Jacky Howe

    From another PC, download and install Spybot, update it, and copy the installed folders to a USB stick.

    Restart the PC in Safe Mode, navigate to the USB stick and run Spybot.

    Download Spybot - Search & Destroy and install it. Update it.
    <a href="http://www.safer-networking.org/en/download/index.html" target="_blank"><u>Spybot</u></a>

    Also run this rootkit revealer, GMER:

    Click this <a href="http://www.gmer.net/index.php" target="_blank"><u>gmer</u></a>

    FAQ

    Click this <a href="http://www.gmer.net/faq.php" target="_blank"><u>link</u></a>


    How to check the hosts file

    Step 1: Click the Start button and select Run. Now type the following text in that Run box and press Enter:

    notepad c:\WINDOWS\system32\drivers\etc\hosts

    Step 2: You will see a new Notepad window on your screen containing some information. You should have a single entry of 127.0.0.1 localhost. If there are any other entries in there, it means that those sites are being blocked and it is probably due to an infection.

    If it is the DNS changer, Fixwareout will remove this.

    <a href="http://download.bleepingcomputer.com/lonny/Fixwareout.exe" target="_blank"><u>Fixwareout</u></a>


    The DNSChanger trojan is usually a small file (about 1.5 kilobytes) that is designed to change the 'NameServer' Registry key value to a custom IP address. This IP address is usually encrypted in the body of a trojan. As a result of this change a victim's computer will contact the newly assigned DNS server to resolve names of different webservers. And some of the resolved names will not point to legitimate websites - they will point to fake websites that look like real ones, but are created to steal sensitive information (like credit card numbers, logins and passwords).


    If Task Manager has been disabled, this will enable Task Manager and allow access to the Registry.

    Command line removal
    Click Start, Run, type cmd and then press Enter.

    Execute the following commands in the command line in order to activate the Registry Editor and Task Manager; answer 'y' and press Enter.

    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr

    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools

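    As an added example (not code from this thread, nor from Spybot, GMER or Fixwareout), here is a small Python audit of the hosts file format described in Steps 1 and 2 above. It goes a little further than the manual check: it skips comments, treats the loopback-to-localhost mappings (IPv4 and IPv6) as the only expected entries, and separates entries that sinkhole a name to loopback (the site is "blocked", as the post puts it) from entries that send a name to a foreign address. The sample hosts content is constructed; malwarebytes.org appears in it only because the thread reports that site as unreachable. The path default and the name `update.example.test` are assumptions.

```python
"""Audit a hosts file for entries that block or redirect sites.

Added example for this thread; not code from the thread or from any tool it
links. It implements the check in Steps 1 and 2 above: the only expected
mapping is the loopback address to "localhost". Anything else either sinkholes
a name (loopback -> some other host, i.e. the site is blocked) or redirects it
to a foreign address. The sample hosts content below is constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumption: a clean hosts file maps only this name, and only to loopback.
EXPECTED_NAMES = {"localhost"}

# Constructed sample in the layout of the Windows hosts file.
SAMPLE_HOSTS = """\
# Constructed sample in the layout of the Windows hosts file.
# A commented-out mapping is not active and must not be flagged:
#    102.54.94.97     rhino.acme.com
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org malwarebytes.org   # vendor site sinkholed
203.0.113.5     update.example.test                     # sent to a foreign address
"""

Entry = Tuple[int, str, List[str]]  # (line number, address, [names])


def parse_hosts(text: str) -> List[Entry]:
    """Return every active mapping line as (line number, address, [names]).

    Everything after '#' is a comment and is dropped; blank lines are skipped;
    a line with an address but no names is ignored, as the resolver ignores it.
    """
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((lineno, parts[0], [p.lower() for p in parts[1:]]))
    return entries


def classify(address: str, names: List[str]) -> str:
    """Verdict for one mapping: 'expected', 'blocked', 'redirected' or 'malformed'."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if addr.is_loopback:
        # Loopback -> localhost is normal; loopback -> anything else sinkholes that name.
        return "expected" if all(n in EXPECTED_NAMES for n in names) else "blocked"
    return "redirected"


def audit_hosts(text: str) -> Dict[str, List[Entry]]:
    """Group every mapping by verdict; anything outside 'expected' deserves a look."""
    report: Dict[str, List[Entry]] = {
        "expected": [], "blocked": [], "redirected": [], "malformed": []
    }
    for lineno, address, names in parse_hosts(text):
        report[classify(address, names)].append((lineno, address, names))
    return report


def suspicious_names(text: str) -> List[str]:
    """Sorted list of every host name that is blocked or redirected."""
    report = audit_hosts(text)
    names = {n for _, _, ns in report["blocked"] + report["redirected"] for n in ns}
    return sorted(names)


if __name__ == "__main__":
    import sys
    # With a path argument the real file is read (the thread's path is
    # c:\WINDOWS\system32\drivers\etc\hosts); without one the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for verdict, rows in audit_hosts(text).items():
        for lineno, address, names in rows:
            print(f"line {lineno:>3}: {verdict:<10} {address:<16} {' '.join(names)}")
```

    Run it as `python hosts_audit.py c:\WINDOWS\system32\drivers\etc\hosts` on the affected machine (or against a copy of the file pulled from a drive attached to a clean PC, as the original poster did). The "blocked" group corresponds directly to the post's "those sites are being blocked" case; the "redirected" group is the one to treat as a possible phishing or update-hijack entry rather than a simple block.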
    +
    0 Votes
    mdfreeman

    The situation was resolved before I got the chance to try out any of your suggestions; however, you gave me some more resources to look over for my tool kit. Many thanks.

    +
    0 Votes
    Jacky Howe

    .
