WiredWX Christian Hobby Weather Tools
os-guard pro virus

This morning I became a victim of this virus. Same symptoms as I've read in many posts on this website. I noticed the guidance that "each computer is unique", so rather than trying to follow the existing threads I have started my own. Thanks in advance for your help!

Re: os-guard pro virus

Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: os-guard pro virus

I am using a second computer to access the Internet as I cannot do so with the infected one. So I cannot download the current version of HijackThis as you suggest above.

What next?

Re: os-guard pro virus

Can you use a USB device to transfer the file across?

Re: os-guard pro virus

Belahzur, I tried the USB route. When I got it onto the infected computer and tried to run the program the virus blocked it.

How do I get around this?

Re: os-guard pro virus

Did it block the installer, or was it able to install fine and then blocked the program from running?

Either way, let's try this instead. This next program doesn't need to install; just download and run it. (It is also possible to run it straight from USB.)

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

Re: os-guard pro virus

It allowed me to install, it blocked the program from running.

I tried to get the OTL program you referenced via my second computer (which belongs to my employer), but my employer's software has blocked it from downloading...so that route doesn't work either.

Re: os-guard pro virus

Can you ask your employer if you or they can turn that off/disable it for a few hours? Because we're going to need some way of getting tools onto your infected machine.

Re: os-guard pro virus

No, that's not going to happen. Is there any way to disable the os-guardpro virus long enough so the HijackThis software that I was able to download can run and work?

Re: os-guard pro virus

You could try safe mode.

We can also try using msconfig to disable it from startup, but we'll leave that until after we try Safe Mode first.

Please do the following in Safe Mode with Networking: as the computer is booting, press and hold your "F8" key, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8" key, tap the "F8" key continuously until you get the startup menu. Once in the startup menu, select "Safe Mode with Networking", then try HijackThis.

Re: os-guard pro virus

I found a thread on Norton's website where people talk about defeating this with a process that starts with the following step. I'm willing to try this - but where do I start with the "%ProgramFiles%" string of commands?

Step 1: Kill the OSGuard Pro Processes

%ProgramFiles%\Antivirus System PRO\Antivirussystempro.exe
%ProgramFiles%\Antivirus System PRO\uninstall.exe
c:\WINDOWS\sysguard.exe

Re: os-guard pro virus

%ProgramFiles% is a system environment variable pointing to C:\Program Files.

The folder Antivirus System PRO might not be correct; Antivirus System PRO is a different product.

Can you use Notepad? We can try a batch script and pick out key locations where this might be hiding.

Re: os-guard pro virus

Yes, Notepad is working. Tell me how to proceed!

Re: os-guard pro virus

You may need to transfer this across via USB too, because this is a difficult script to type out.

  • Now open a new notepad file.
  • Input this into the notepad file:

    @echo off
    rem Run from the folder holding this .bat (the Desktop) so look.txt lands there.
    cd /d "%~dp0"
    if exist look.txt del look.txt
    rem Export the Run key from each hive; regedit /e writes a .reg text file.
    regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    regedit /e peek2.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    rem type converts the Unicode exports to plain text while appending them.
    type peek1.txt >> look.txt
    type peek2.txt >> look.txt
    del peek*.txt
    rem List Program Files, where a rogue often creates its own folder.
    dir "%ProgramFiles%" >> look.txt
    start notepad look.txt


  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • Copy and paste the report back here.

Re: os-guard pro virus

sorry to keep you waiting, I had to type it into Notepad rather than just copying it and pasting it over via USB because the virus defeated that also.

I typed it in, saved it as you explained, and double clicked to run it. The message from the Virus (I think it's an evil thing, messing with me!) is "The file cmd.exe is infected" - just like everything else!

Can we do what you're suggesting in your Notepad advice through Safe Mode? The commands you're listing above look very much like what I'm seeing in the Norton website thread (the one that had the Antivirus System PRO reference in the string above). Can we use Safe Mode to find the evil code?

Re: os-guard pro virus

Yeah, give Safe Mode with Networking a try, so you have internet access.

My script just exports the two Run keys (one under each hive), then has a look inside the Program Files folder.

Re: os-guard pro virus

OK, I'm now in Safe Mode on the infected computer... what's next?

Re: os-guard pro virus

Do I run the look.bat file now?

Re: os-guard pro virus

Are you still there???

current issue

I'm having the exact same problem today as well. It's malware, by a website called os-guardpro2010.com. They've attached the spyware to all the system start up files. I've tried everything possible, including a malware scan in safe mode. I'm stuck too.

Re: os-guard pro virus

Yeah, still here, I just had to go offline to get something to eat. Run the bat file, and post the log when done.

Re: os-guard pro virus

I fixed it!!!!

I went into Safe Mode with Networking and downloaded Spybot Search & Destroy. It detected the files and fixed the problem. I then rebooted and all is back to normal!

Re: os-guard pro virus

Belahzur, I ran the malware program in Safe Mode. It detected 9 problem files, which I deleted, and when I rebooted everything's working fine. I saved a log file of the malware findings... do you wish to have it for reference, or not?

Thanks for all of your help!

Re: os-guard pro virus

Yes please, post the log.

If the log shows traces of another infection, then we'll need to go deeper.

Re: os-guard pro virus

Here's the log. I didn't see how to simply attach a file, so I just went ahead and copied it into this response.


Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

12/18/2009 5:09:06 PM
mbam-log-2009-12-18 (17-09-01).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 379687
Time elapsed: 59 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\akobhmrq (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\akobhmrq (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Application Data\kjkdcm\abvhsysguard.exe (Trojan.FakeAlert) -> No action taken.
F:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> No action taken.

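The batch script posted earlier dumps the Run key of each hive into look.txt, and the Malwarebytes log above shows what was actually hiding there: a value named akobhmrq in both HKLM and HKCU pointing at abvhsysguard.exe under the user's Local Settings\Application Data, plus the Security Center notification switches set to 1. The following is an added example, not part of the original thread and not the admin's script: a small Python triage tool that parses regedit /e text (the format look.txt holds) and applies the checks a responder would otherwise do by eye. The sample export is constructed to mirror the findings in the log, not copied from the reporter's machine, and the directory, naming and mimicry heuristics are assumptions about how this class of rogue behaves, not signatures.

```python
"""Triage a regedit /e export of the Run keys (added example, not the thread's own code)."""
import re
from pathlib import PureWindowsPath

# Constructed sample in regedit /e format, mirroring the thread's findings (assumption).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /background"
"akobhmrq"="C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\kjkdcm\\abvhsysguard.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"akobhmrq"="C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\kjkdcm\\abvhsysguard.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
'''

RUN_KEYS = (
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    r'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
)
SECURITY_CENTER = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
# Heuristics (assumptions): XP per-user directories a freshly dropped rogue runs from,
# directories a real product would normally live in, and words rogues borrow to look legitimate.
USER_DATA_DIRS = ('local settings\\application data', 'local settings\\temp', 'application data')
SYSTEM_DIRS = ('c:\\program files', 'c:\\windows')
MIMIC_WORDS = ('guard', 'antivirus', 'security', 'defender', 'protect')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from regedit /e text.

    Handles REG_SZ ("..." with \\ and \" escapes) and dword:xxxxxxxx; other
    types (hex:, hex(2):) are kept as raw text so nothing is silently dropped.
    """
    text = text.lstrip('\ufeff')
    text = re.sub(r'\\\r?\n\s*', '', text)  # join regedit's backslash line continuations
    unescape = lambda s: re.sub(r'\\(.)', r'\1', s)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or current is None:
            continue
        name = '' if m.group(1) == '@' else unescape(m.group(2))
        raw = m.group(3)
        if raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = unescape(raw[1:-1])
        elif raw.startswith('dword:'):
            keys[current][name] = int(raw[6:], 16)
        else:
            keys[current][name] = raw
    return keys


def executable_of(command):
    """Pull the program path out of a Run value, quoted or not, with or without arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.+?\.exe)(\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else command.split(' ', 1)[0]


def assess_autoruns(keys):
    """Return the Run entries that trip at least one heuristic, with the reasons."""
    entries = [(key.split('\\', 1)[0], name, executable_of(cmd))
               for key in RUN_KEYS
               for name, cmd in keys.get(key, {}).items() if isinstance(cmd, str)]
    placements = {}  # the same (name, exe) planted under both hives is itself a signal
    for hive, name, exe in entries:
        placements.setdefault((name.lower(), exe.lower()), set()).add(hive)
    findings = []
    for hive, name, exe in entries:
        exe_l, base = exe.lower(), PureWindowsPath(exe).stem.lower()
        reasons = []
        if any(d in exe_l for d in USER_DATA_DIRS):
            reasons.append('runs from a per-user data directory')
        if name.isalpha() and name.islower() and name not in base and base not in name:
            reasons.append('throwaway value name unrelated to the executable')
        if any(w in base for w in MIMIC_WORDS) and not exe_l.startswith(SYSTEM_DIRS):
            reasons.append('security-sounding name outside Program Files/Windows')
        if len(placements[(name.lower(), exe_l)]) > 1:
            reasons.append('same entry planted in both HKLM and HKCU')
        if reasons:
            findings.append({'hive': hive, 'name': name, 'exe': exe, 'reasons': reasons})
    return findings


def disabled_notifications(keys):
    """Security Center *DisableNotify values set to 1 (what the log called Disabled.SecurityCenter)."""
    sc = keys.get(SECURITY_CENTER, {})
    return sorted(n for n, v in sc.items() if n.endswith('DisableNotify') and v == 1)


if __name__ == '__main__':
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for f in assess_autoruns(parsed):
        print(f"{f['hive']}\\...\\Run\\{f['name']} -> {f['exe']}: " + '; '.join(f['reasons']))
    print('Security Center notifications disabled:', disabled_notifications(parsed))
```

Feed it the real look.txt with `parse_reg_export(open('look.txt', encoding='utf-16').read())` if the file was exported directly by regedit (those are UTF-16), or the default encoding if it went through `type` as in the batch script. The legitimate entries in the sample (a vendor tray app in Program Files, ctfmon.exe in system32) pass every check; the akobhmrq entry trips all four, which is the pattern of a rogue that registers itself per user and per machine so that one cleanup misses the other.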
Re: os-guard pro virus

Did you remove what it found there? It says "No action taken". One more scan, then I think we're done.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.
