I have it on my computer, anyone know how to get rid of it?
I have tried avast, spybot, Norton, Malwarebytes, & AdAware, nothing seems to work. This darn virus just disables the programs. Suggestions?
-
And always boot to SAFE MODE. Easiest way (for me) to SAFE MODE is by using BootSafe attached to this post (I hope).
-
Besides safe mode, I would also disconnect your internet connection and turn off your Windows restore function while you are trying to kill the malware. Malware can reside in your restore files and some of it can also 'phone home' to reinstall itself till it is completely deleted.
-
I tried Malwarebytes again. After installing this or any other virus program, I get a denied access message when I try to open em.
-
you have to run a program named rkill before mbam to stop the virus/trojan processes. try following this guide.
http://www.bleepingcomputer.com/virus-removal/remove-zentom-system-guard
--
"a lot of people are better dead" - prisoner KSC2-303 -
I've run rkill & reloaded mbam, but no luck. Mbam shuts itself down about 3 seconds after the scan starts. What now?
-
Nothing seems to work, I re-read step 4 in the link aedipuss posted, and used all the different rkills.
-
You can't clean a dirty hand with another dirty hand. Detach that hard drive completely, find another known virus-free PC which is NOT connected to the internet, attach the offending HDD there, and do a local scan.
For the nth time, with the possible exception of certain Intel processors, I don't have/ever owned anything whose name starts with "i". -
I had that problem once. I renamed the Malwarebytes executable, for example, Test123.exe or something, and tried to run it again. That worked for me once. Another thing I do is to use Regseeker: http://www.hoverdesk.net/freeware.htm to search the registry for virus entries, nuke them, and sometimes that cripples the virus so that other things work. However, you must know the active file name that gets loaded on boot. Hijack This can be helpful for that, and check Task Manager/Processes for oddly-named files with random characters. Another thing you can do is, once having located one of the key virus files (Google for that, you can get good info), use a Linux virtual boot disk or UBCD to access your drive and nuke those files.
-
it's quite possible you have more than one infection. it looks like it's to the point you may find it easier to re-format the hard drive and re-install windows fresh.
there is a link in the forum here to download bootable ubuntu linux with avast av. that might be a good last try. freebird put it up a while ago
http://ubuntu-antivirus-livecd.awardspace.info
-
thanks for the link, aedipuss, looks like an interesting distro; I have always wanted a virtual tool that had serious AV, and this guy claims you can update the indexes while in virtual. That's a new one on me, great if it works!
-
i don't know about virtual - linux live boot cd/dvds work by changing the boot drive to the cd/dvd and loading instead of windows. they have their own drivers and can run fairly well.
-
Yep. That's my custom distro. I use it to clean stubborn windows infections that are resistant to everything else. Avast updates without problems. Can take some time to update as the latest updates can run up to 50mb. I also included malwarebytes on it but it can sometimes be flaky since it requires wine to work.
I hope you guys find it useful. If you come across any issues or problems let me know.
Donadagohvi (Cherokee for "Until we meet again") -
Cool, Freebird, thanks for sharing. I'm gonna give it a whirl this week-end.
-
Combofix is your friend.
This is the official site: http://www.bleepingcomputer.com/download/anti-virus/combofix
WARNING: Combofix.org is a piece of shit fake site.
http://www.mywot.com/en/scorecard/combofix.org
Want my help? Ask here! (not via PM!)
FAQs: Best Blank Discs • Best TBCs • Best VCRs for capture • Restore VHS -
Hi, I am new here
I was once infected with this virus before and I could manually get rid of it at that time by following a manual removal guide: http://blog.teesupport.com/remove-zentom-system-guard-virus-uninstall-fake-zentom-syst...uard-manually/. It is good to know there are also other methods.
Hello to all again -
Thank you aedipuss for posting the link.
And big thank you to freebird for creating the cd.
I ran freebird's cd, it was running for about 12 hrs when my computer seemed to freeze up. I hard re-booted. And was able to reload and run scans with avast and malwarebytes. This was with windows running, not the cd. I now believe the virus is gone.
The only thing when I started windows I get a message:
"RUNDLL, Error Loading C:\WINDOWS\mcde32.dl The specified module could not be found."
Should I be concerned? -
ICBM target coordinates:
26° 14' 10.16"N -- 80° 16' 0.91"W -
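The startup-entry hunt suggested earlier in the thread and the RUNDLL error in the post above both come down to reading the Run keys, so this added example (not from any poster in the thread) parses `reg query` output and flags values whose target file no longer exists, one common source of a RUNDLL "module could not be found" message at logon after a scanner has deleted the DLL, and values that launch from a Temp or Application Data directory. The sample text, value names, entry point and the `triage`/`target_of` helpers are constructed for illustration; only the `mcde32.dl` path is taken from the thread.

```python
import re

# CONSTRUCTED sample of `reg query ...\CurrentVersion\Run` output; only the
# mcde32.dl path comes from the thread, every name and other path is made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    exampleav    REG_SZ    "C:\Program Files\ExampleAV\exampleav.exe" /nogui
    mcde32    REG_SZ    rundll32.exe C:\WINDOWS\mcde32.dl,Startup
    kxq7ztp    REG_SZ    C:\Documents and Settings\user\Local Settings\Temp\kxq7ztp.exe
"""
# Files assumed to exist on the scanned disk (constructed, lower-cased).
PRESENT = {r"c:\program files\exampleav\exampleav.exe",
           r"c:\documents and settings\user\local settings\temp\kxq7ztp.exe"}

VALUE = re.compile(r"^\s+(.+?)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*)$")
RUNDLL = re.compile(r'"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+(.+)', re.I)
WRITABLE = ("\\temp\\", "\\application data\\", "\\appdata\\", "%temp%", "%appdata%")

def target_of(command):
    """Return the file a Run command loads (the DLL for rundll32 lines)."""
    cmd = command.strip()
    m = RUNDLL.match(cmd)
    if m:  # rundll32 <dll>,<entry> [args]: the DLL is what gets loaded
        return m.group(1).split(",")[0].strip().strip('"')
    if cmd.startswith('"'):  # quoted path followed by optional arguments
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", cmd, re.I)
    return m.group(1) if m else cmd

def triage(reg_text, exists):
    """Return [(value name, target, findings)] for each Run value in reg_text."""
    results = []
    for line in reg_text.splitlines():
        m = VALUE.match(line)
        if not m:
            continue  # key header or blank line
        name, target = m.group(1), target_of(m.group(3))
        findings = []
        if not exists(target):
            findings.append("target missing (orphaned entry)")
        if any(mark in target.lower() for mark in WRITABLE):
            findings.append("runs from user-writable directory")
        results.append((name, target, findings))
    return results

if __name__ == "__main__":
    for name, target, findings in triage(SAMPLE, lambda p: p.lower() in PRESENT):
        print(f"{name:10} {target}  {findings or 'ok'}")
```

On a live Windows system, pass `os.path.exists` as the `exists` argument instead of the constructed file set.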
I'm thinking I've been root kitted, as I can no longer access my dvd drives and utorrent struggles to start a new torrent. I've run gmer, which gave me no results. Suggestions?
-
TDSS Killer from Kaspersky.
Get it here: http://kaspersky-tdsskiller.en.softonic.com/download
-
TDSS Killer reported 3 "medium risk" threats: 2 files BASFND & Pxhelp20 and a file system \device\Harddisk0\DRO, I moved all three to quarantine but did not delete. I still can't access my dvd drives.
I didn't delete them cause the scanner was so fast I'm not sure what it did nor what these threats are.
Imgburn shows Pxhelp20 as the lower class filter.
Should I delete em?
My device manager shows the dvd drives: "Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)"
Last edited by pinetop; 26th Sep 2011 at 13:56.
-
BASFND is listed as a Broadcom NIC driver, the PXhelp20 is listed as part of a Sonic Solutions CD software package.
That's three false positives, and one reason I don't run such software unless I FIRST familiarize myself with it.
Now, have you cleaned your TEMP directories, ALL of them? Did you run MalwareBytes a SECOND time to verify that you are still clean?
Why do the current symptoms indicate to you that you have a rootkit?
Have you checked your startup entries in RegEdit and/or cleaned the registry with a reliable product, such as CCleaner?
Have you tried shutting down, unplugging DVD drives (BOTH cables), boot up, shut down again, plug in DVD drives, check?
When you say UTorrent "struggles", can you be a bit more specific? Can you hear the software grunting with effort, is the inside of the case re-arranged like there has been a fight, what? How is your Internet connection, measured with standard, reliable software visiting legit sites? Have you checked for a proxy server installed by the virus?
Did MBytes or any other software verify that there was, in fact, a virus present that has now been removed?
FREEBIRD, is that 12 hour run-time anywhere near Normal in your experience? That seems UnGodly long to me.
When you said MBytes shuts down 3 seconds after the scan starts, did you mean to say After the program opens? You mean you open it, update, click on the scan button, select the drive(s), and THEN it shuts down 3 seconds later? Can you do this twice in a row, or does Mbam completely fail to run the second time? This is just kinda unusual, and I am starting to suspect you may have, or had, more than one problem.
Have you run a chkdsk and defrag on the hard drive lately? -
nope. 12 hours is crazy. Usually only takes 45 min to an hour depending on the size of the hard drive you are scanning. Don't know what is going on with that.
-
Certainly seems that way.
-
I 16:23:12 ImgBurn Version 2.5.1.0 started!
I 16:23:12 Microsoft Windows XP Professional (5.1, Build 2600 : Service Pack 2)
I 16:23:12 Total Physical Memory: 1,038,408 KB - Available: 575,740 KB
I 16:23:12 Initialising SPTI...
I 16:23:12 Searching for SCSI / ATAPI devices...
W 16:23:12 No devices detected! -
looks more like a hardware problem. boot into the bios and see if they are listed there. if not then open the box and check for loose/bad connections or cables.