8 Replies. Latest reply: Oct 1, 2011 2:58 PM by Cativo

    Zentom System Guard has bitten me

    Cativo

      Hi,

      I never thought I would get bit by this, but I did.  I was surfing a few sites this morning and looked at a video and BAM.  The Zentom System Malware/Virus is on my laptop.  I guess it turned off my McAfee live scanning??  Anyways, how can I get rid of it?

      I have tried various Free Malware removal software, but this dang thing blocks them or turns them off in mid-scan.  HELP!!!!!

      When I run the McAfee scan it gets about 4% into it and it pops up with an error.  If I run the scan in "Safe Mode", it runs through and comes up with a couple of viruses and seems to clean them, but when I restart, I am back to where I was before.  Any ideas???

      I have McAfee Internet Security 2011.

      Thanks,

      J

        • 1. Re: Zentom System Guard has bitten me
          sameer172006

          Hi Cativo,

          Have you tried disabling the said file/process from auto-starting itself?

          Please get into "msconfig" and then go to Startup, look for and find the file pertaining to the malware and disable it from auto-starting itself. Also, I would straightaway download the latest copy of Malwarebytes (you can get it here: http://www.filehippo.com/download_malwarebytes_anti_malware/).

          Update it and then run a quick scan. You might be asked to do a reboot. Please do it and then, just to be sure, you can also run a full scan.

          Hope this helps.

          Cheers

          Sameer
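The msconfig advice above (and the later observation in this thread that the Zentom entries were still listed under MSCONFIG / Start Up after the scanners had cleaned files) can be checked from a script rather than by clicking through the Startup tab. The following is an added example written for this page; it is not code from the thread, from McAfee or from Malwarebytes. It assumes Windows PowerShell 2.0 or later in an elevated session, and it relies on the fact that on Windows XP through Windows 7 msconfig parks the entries you untick under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg and ...\startupfolder. It is read-only: it lists the Run/RunOnce keys, the Startup folders and the msconfig-disabled store, and flags entries whose program file no longer exists (a leftover autostart after a cleanup) or lives in a user-writable location such as %TEMP% or %APPDATA%, which a rogue "system guard" commonly uses.

```powershell
# Added example (not from the thread): inventory what msconfig's Startup tab
# reads, plus what msconfig has already disabled, and flag suspicious entries.
# Assumes PS 2.0+ and an elevated session so HKLM keys are readable. Read-only.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Where msconfig (XP through Windows 7) stores entries unticked on its Startup tab
$disabledKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg',
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder'
)
# Bookkeeping properties Get-ItemProperty adds to every result; not registry values
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
# User-writable drop locations worth a second look (LOCALAPPDATA is empty on XP)
$userWritableRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)

# Pull the program path out of a command line: a quoted path, else the first token.
function Get-ExePath([string]$command) {
    $c = $command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    return [Environment]::ExpandEnvironmentVariables($c.Split(' ')[0])
}

function New-AutostartEntry($source, $name, $command, $state) {
    $exe = Get-ExePath $command
    $userWritable = $false
    foreach ($root in $userWritableRoots) {
        if ($root -and $exe.StartsWith($root, 'OrdinalIgnoreCase')) { $userWritable = $true }
    }
    New-Object PSObject -Property @{
        Source       = $source
        Name         = $name
        Command      = $command
        State        = $state
        ExeExists    = [bool](Test-Path -LiteralPath $exe)   # $false = orphaned autostart
        UserWritable = $userWritable
    }
}

function Get-AutostartInventory {
    $entries = @()
    # 1. Registry Run/RunOnce keys: each value name is one autostart entry
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psNoise -contains $p.Name) { continue }
            $entries += New-AutostartEntry $key $p.Name ([string]$p.Value) 'enabled'
        }
    }
    # 2. Startup folders (per-user and all-users): every file there runs at logon
    $folders = @([Environment]::GetFolderPath('Startup'))
    $shellFolders = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -ErrorAction SilentlyContinue
    if ($shellFolders -and $shellFolders.'Common Startup') { $folders += $shellFolders.'Common Startup' }
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($file in Get-ChildItem -Path $folder -Force) {
            if ($file.PSIsContainer -or $file.Name -eq 'desktop.ini') { continue }
            $entries += New-AutostartEntry $folder $file.Name $file.FullName 'enabled'
        }
    }
    # 3. Entries msconfig has disabled: one subkey per entry, command kept as a value
    foreach ($key in $disabledKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $v = Get-ItemProperty -Path $sub.PSPath
            $cmd = if ($v.command) { [string]$v.command } else { [string]$v.item }
            $entries += New-AutostartEntry $key $sub.PSChildName $cmd 'disabled by msconfig'
        }
    }
    return $entries
}

# Entries with ExeExists = False are leftovers whose program a scanner already removed;
# entries with UserWritable = True deserve a closer look before being trusted.
Get-AutostartInventory |
    Sort-Object State, Source, Name |
    Format-Table State, Name, ExeExists, UserWritable, Command -AutoSize -Wrap
```

An entry that msconfig disabled stays in the startupreg key until it is deleted there (or re-enabled), which is why a cleaned machine can still show the malware's name on the Startup tab; an entry whose ExeExists column is False and whose name matches the infection is such a leftover, and the remaining step is to remove that autostart record, not to hunt for a file that is already gone.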

          • 2. Re: Zentom System Guard has bitten me
            Cativo

            I am doing this in "Safe Mode", as it won't work in the normal Windows boot.  Also, I guess I have to change the MSConfig in my Admin setting, and not my normal login mode.  I can do that!

            I ran the Malwarebytes and it found 17 items.  So I removed them, but upon reboot, I still had the same issue.  This is before I am going to try your suggestion (MSConfig).  I do see a couple of extra things in there that were not in there prior.

            We'll see....

            Thanks for the help...  I hope it works.  This thing is a pain in the rear.....

            • 3. Re: Zentom System Guard has bitten me
              Hayton

              If you ran Malwarebytes in Safe Mode it wouldn't have been completely effective. It needs to run in normal Windows mode. Also, the default for Malwarebytes is Quick Scan, but for this infection the instructions are to run a Full Scan.

              There are removal instructions that involve the use of Malwarebytes at http://www.bleepingcomputer.com/virus-removal/remove-zentom-system-guard

              My advice would be to run a Full Scan from Windows, and let the program remove the files associated with this infection.

              Alternatively, you could run McAfee's FakeAlert Stinger first, since this Zentom infection is just another fake antivirus program and should by now be in the Stinger database.

              Then make sure you've got the latest updates for your OS, AV and browsers, also Flash and Java if you run those.

              • 4. Re: Zentom System Guard has bitten me
                Cativo

                Hi Hayton,

                Well, I should be more detailed.  (Running XP, all Microsoft updates are current, as well as my McAfee Internet Security system).  I am pretty good at staying up to date on all updates.

                Anyways, I downloaded Malwarebytes, and tried running it in "Normal" Windows, and once it gets started and gets to about 20 seconds of running, the screen disappears.  I think the Zentom shuts it down????  Same goes with the McAfee virus scan.  It pops up an error box after about 4% of scanning.  If I run this stuff in Safe Mode, I can get all the way through and it typically finds one to two items to clean out for me (both Malwarebytes & McAfee).  In addition, I am asking Malwarebytes to run the Full Scan, as I thought that would be the best approach to getting all the crap off my computer, but as stated, it won't work.

                I think the RKill is key for me to re-try.  I used it when I first noticed this issue yesterday, and then tried using StopZilla with it, but found that StopZilla just would not launch.  It would start and then shut down, so I Googled around and found Malwarebytes was supposedly the better way to go.  I guess what I will try tonight is running RKill, and then seeing if Malwarebytes will run in "Normal" Windows.

                Actually, how does this sound?  I will try McAfee Stinger first, then RKill, and then Malwarebytes.  If that doesn't work, I guess I am screwed and may have to reformat my drive and reload my backup from three weeks ago.

                Thoughts???

                • 5. Re: Zentom System Guard has bitten me
                  Vinod R

                  Ok-

                  Sorry for jumping on to the thread, but try these steps.

                  Download RKill in Safe Mode with Networking and run it.

                  Download the Stinger application and allow it to run on the machine.

                  Finally download, install and scan using that application (Malwarebytes).

                  Reboot.

                  Copy/paste the Malwarebytes log file and report if the issue persists.

                  We may need further steps to be performed based on the issue identified/symptoms.

                  Remove StopZilla and other things. You may allow McAfee to scan the machine, however not when removal is in progress.

                  • 6. Re: Zentom System Guard has bitten me
                    Cativo

                    Hi Vinod,

                    It's ok, happy to get more help.

                    I ran RKill, and it seemed to help, but I still could not run Malwarebytes in the Normal Windows mode.  I also tried Stinger, and it would just shut down (verifying this in Task Manager).

                    So, I entered Safe Mode and ran RKill and Malwarebytes and it quarantined something like 25 items.  Then, I ran McAfee and it removed 17 cookies, but I did not run Stinger, as things seemed to work in Safe Mode.  However, when I go back to "Normal" Windows mode I do not see the Zentom icon on my desktop, but I do see the little "Fake" shield on the task bar near my McAfee shield.  Also, in MSCONFIG / Start Up, I see the Zentom file structure there.  Though, I have it unchecked, so it doesn't start up, but I would figure these malware tools should remove every item off my PC.  Right?

                    Anyways, I haven't had time to mess with this today, but will again over the weekend.  I do notice my internet connection is now unstable, so I am wondering if this virus has messed with this as well.  Fortunately, three weeks ago I backed up (cloned my drive onto an external backup drive), so if I can't resolve this.... I will just reload my OS from then back onto my drive.

                    I will upload my log file later on tonight.

                    Thanks....

                    • 7. Re: Zentom System Guard has bitten me
                      Vinod R

                      Thanks for posting-

                      From what you just indicated I suspect possible rootkit activity on the machine and would need some additional logs to confirm the same--- could you please perform the below steps.

                      Running a Rootkit scan using -----

                      Rootkits are programs that try to hide themselves or other programs so that they are not easily removed. As rootkits have become such a common problem, it is important to run a utility that will show rootkits that may reside on your computer. Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and should skip to the next step.

                      1. To start this process, download GMER from the following location and save it to your desktop.
                      2. GMER Download Link 1
                      3. GMER Download Link 2 (Only use if the previous link does not work)
                      4. When you click on the above link you will see a download prompt.
                      5. Click on the Save button. You will now be presented with a screen asking where you would like to save the file.
                      6. Click once on the Desktop button, designated by the red arrow in the figure above, to save the file to your Desktop and then press the Save button. Your computer will now download the file to your computer and save it on your Desktop. When it is done downloading you will now find an icon on your desktop.
                      7. Right-click on the gmer.zip icon and select Extract all... from the menu.
                      8. You will be shown a screen asking how you would like to extract the file. Just keep pressing the Next button until you get to the last screen and then press the Finish button to finish the extraction process. The GMER folder should automatically open and you will see that it contains the file called gmer.exe. Please double-click on the gmer.exe program. Once you double-click the icon a Windows security warning may appear asking if you are sure you would like to run the program. If this warning appears, please click on the Run button to allow GMER to start. If no warning appeared then you should just continue with the guide.
                      9. You will now see the main GMER window. If it gives you a warning about rootkit activity and asks if you want to run a full scan, please click on the NO button. We now need to configure GMER to not use some settings. Please uncheck the following settings that we do not want in our scan.

                      Modules

                      Process

                      Threads

                      Show all (critical, do not miss)

                      Files

                      After ensuring the above 5 items are unchecked, right-click on the white screen of GMER and select Options.

                      You will see a few more options listed there.

                      Select the following two alone:

                      IRP Hooks

                      NTAPI Registry Scan

                      Once these are selected-

                      Click on the Scan button to scan your computer for rootkits. This may take a while, so please be patient. When it has finished you will be back at the main screen.

                      You now need to save the rootkit scan report to your Desktop by clicking on the Save ... button. A screen will open asking where you would like to save the report. Click once on the Desktop button to change to the Desktop folder and then in the File name: field enter ark.txt. Finally, press the Save button to save the report to your desktop. Please do not act on any of the information you find in this report as many legitimate programs could be listed in it.

                      Attach the log file thus created in your next post for verification by an expert here.

                      • 8. Re: Zentom System Guard has bitten me
                        Cativo

                        Hi all,

                        First off, thanks for your help.  I ended up removing my primary drive and installing a spare hard drive and restoring my image to the spare drive.  I am back up and running for the most part.  My only issue is now with McAfee.

                        I did the Windows update with no issues.  This backup was from September 3, last month, so not too long ago, so the stuff shouldn't be too out of date.  McAfee seems to be the one program that is taking a long time to download updates.  We'll see how that goes.

                        Anyways, hopefully that is it for me.  But again, thanks for all of your help!!

                        Great site!!