WiniGuard on Jessica's Laptop

Discussion in 'Malware Help (A Specialist Will Reply)' started by AncientOcean, May 27, 2009.

  1. AncientOcean

    AncientOcean Private E-2

    I'm trying to remove WiniGuard from my friend's daughter's Sony Vaio laptop. I have run the Read Me procedure and attached the four logs.

    Here are the specs on the laptop:

    OS: XP Home Edition Ver 2002 Service Pack 2
    Processor: Pentium M, 1.60 GHz
    RAM: 504 MB

    The laptop was running AVG Free V7.x but stopped updating the virus definitions because V8.x was not downloaded.

    Once Windows is loaded two windows appear at the bottom left and right corners of the screen

    ------

    Security Center Alert!

    Infiltration Alert

    Your computer is being attacedk by and Internet virus. It could be a password steailing a trojan-dropper or similar

    Attack From: [an IP address which changes each time the window is displayed]

    Attacked Port: 15418 (this changes from time to time)

    Threat: Virus (this also changes from time to time)

    Do you want WiniGuard to block this attack?


    ------------------------------------------------------

    The windows include Yes and No buttons. If neither button is clicked then the two windows disappear after about 10 seconds and the following pop up message appears from the security center shield icon at the bottom of the screen:

    ------------------------------------------

    Spyware Alert!

    Your computer is infected with spyware. It could damage your critical files or expose your private data on the Internet. Click here to register you copy of WiniGuard and remove spyware threats from your PC.

    -------------------------------------------

    A window which looks like the Windows Security Center is then displayed which indicates that the Firewall and Automatic Updates are on but Virus Protection is off. If the Security Center is loaded from the Control Panel the settings do not match those shown in the pop up Windows Security Center screen.


    When using Internet Explorer, the homepage (yahoo.com) is loaded properly but when a new URL is entered a screen stating "Insecure Internet activity. Threat of virus attack" is displayed. If "Contine to this website unprotected (not recommended)." is clicked then a pop-up stating "Do you want to get advanced real-time protection?" is displayed. If NO is clicked then the requested web page is loaded properly. This occurs each time that a new URL is accessed.


    I cannot find WiniGuard in the Add or Remove Programs list, under Program Files or anywhere else on the C: drive or in the Registry. Various malware scans have identified Winiguard (and many other items) but the problem has not been eliminated.

    As far as I can tell the OS and other software on the laptop are licensed but the owner did not retain the installation disks.

    Any help that you can provide towards eliminating this problem will be appreciated.

    Thanks in advance.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    The log from MGtools you attached is too incomplete to be useful. Did you have any problems while running it? Any error messages? Let's try the below.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall any of the below software that are installed:
    Viewpoint Manager (Remove Only) <-- should have been uninstalled in step 1 of the READ ME
    Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. AncientOcean

    AncientOcean Private E-2

    I don't think I ran MGTools correctly the first time. I must not have run it out of the root drive on C. I ran it again and have attached the MGTools.zip file. Hopefully I got it right this time and the ZIP file will be more helpful.

    The laptop is still acting the same as far as the WiniGuard and Windows security messages.

    Thanks for your help.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you purchase ScanSpyware? We do not recommend this product. It is not considered a rogue (at least not anymore) or a fake tool, but it is just not what we would recommend as being a good product. If you did not purchase it, I recommend that you uninstall it.

    Why are you running this PC with no antivirus or firewall protection?



    What is the below folder for?
    Code:
    2009-05-25 21:56 . 2009-05-25 21:57 -------- d-----w C:\sec31
    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    J2SE Runtime Environment 5.0

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [promo.exe] C:\WINDOWS\system32\promo.exe
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\spysub.xxx

    After clicking Fix, exit HJT.




    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Jessica\Local Settings\Temp

    Now run Ccleaner to clean out only temp files and nothing else!

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )




    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jun 5, 2009
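The two HijackThis O4 lines chaslang asks to fix above are the kind of autostart entries a helper scans for by eye. The following Python script is an added example, not part of the thread and not a MajorGeeks tool: it parses the two O4 shapes that appear in this thread (a `HKxx\..\Run` value and a `Global Startup` shortcut), then flags entries whose target was named in the thread as part of the rogue (promo.exe, WiniGuard.exe), has an extension that is not a normal executable or shortcut (the `.xxx` of spysub.xxx), or launches from a Temp directory such as the one chaslang asks to empty. The sample log is constructed for the example; only the first two lines are taken from the thread, the ctfmon.exe and `updater.exe` lines are made up to show a benign entry and a Temp-folder hit, and the heuristics are illustrative triage rules, not a HijackThis feature.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# HijackThis "O4" autostart entries come in two shapes in this thread:
#   O4 - HKLM\..\Run: [promo.exe] C:\WINDOWS\system32\promo.exe
#   O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\spysub.xxx
RUN_KEY_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<target>.+)$"
)
STARTUP_RE = re.compile(
    r"^O4 - (?P<folder>(?:Global )?Startup): (?P<name>.+?) = (?P<target>.+)$"
)

# Extensions one expects behind an autostart entry; anything else deserves a look.
EXPECTED_EXT = {".exe", ".lnk", ".bat", ".cmd", ".com", ".scr"}

# File names the thread's helper identified as "the main problems" (from the thread only).
THREAD_FLAGGED = {"promo.exe", "winiguard.exe"}


@dataclass
class O4Entry:
    source: str   # e.g. r"HKLM\..\Run" or "Global Startup"
    name: str     # registry value name or shortcut file name
    target: str   # path the entry launches


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one HijackThis log line; return None for non-O4 or unrecognised lines."""
    m = RUN_KEY_RE.match(line)
    if m:
        source = f"{m['hive']}\\..\\{m['key']}"
        return O4Entry(source, m["name"], m["target"].strip())
    m = STARTUP_RE.match(line)
    if m:
        return O4Entry(m["folder"], m["name"].strip(), m["target"].strip())
    return None


def suspicious_reasons(entry: O4Entry) -> List[str]:
    """Illustrative triage heuristics (assumed for this example, not from the thread)."""
    reasons = []
    base = ntpath.basename(entry.target).lower()
    ext = ntpath.splitext(base)[1]
    if base in THREAD_FLAGGED:
        reasons.append(f"{base} was identified in the thread as part of the rogue")
    if ext not in EXPECTED_EXT:
        reasons.append(f"autostart target has unexpected extension {ext!r}")
    if "\\temp\\" in entry.target.lower():
        reasons.append("autostart target lives in a Temp directory")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return {target path: [reasons]} for every O4 entry that deserves a closer look."""
    flagged: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        entry = parse_o4(raw.strip())
        if entry is None:
            continue  # other HJT sections (O2, O3, ...) or blank lines
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry.target] = reasons
    return flagged


# Constructed sample log: lines 1-2 are the entries from the thread, the rest are made up.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [promo.exe] C:\WINDOWS\system32\promo.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\spysub.xxx
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Jessica\Local Settings\Temp\updater.exe
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
"""

if __name__ == "__main__":
    for target, reasons in triage(SAMPLE_LOG).items():
        print(target)
        for r in reasons:
            print("   -", r)
```

Running it prints the promo.exe, spysub.xxx and Temp-folder entries with their reasons and stays silent on ctfmon.exe; a real scan would be run over a full HijackThis log instead of `SAMPLE_LOG`, and any hit is a candidate for review, not an automatic "Fix checked".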
  5. AncientOcean

    AncientOcean Private E-2

    She gave up on me and took the laptop to a repair shop.

    The laptop was using AVG Free anti-virus. I disabled the laptop's Internet connection while I was working on it and disabled AVG in case it might interfere with the malware removal tools.

    Thanks for your help. I'm sure we could have gotten rid of WiniGuard eventually.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The last fix would have removed it. The promo.exe and WiniGuard.exe files were the main problems.
     
  7. AncientOcean

    AncientOcean Private E-2

    Yes, I figured we were close. It would have been nice to beat it.

    Kids don't have any patience.

    Thanks again for your help. Major Geeks is a valuable resource.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
