HELP ! Zentom System Guard took over!!!

All of a sudden this message, which is still popping up every 30 seconds, came up, I closed it, suddenly the huge window opens and "Zentom System Guard Installer" begins to install malware!!!

No Task Mngr
No control alt delete
Nothing.
Turn off power immediately.
Too late.

I cannot open...
task manager
dos prompt
regedit
msconfig

Avast found nothing
Spybot found nothing

I deleted Zentom fro QUicklaunch, and application data, but it's probably renamed itself.

Ahhhh! :cry:cry:cry:cry:cry

Please help!!!
I've searched on here but found nothing. This malware has taken over my pc and I can't do anything at the moment to delete it.

 

I followed all of the links, all of the directions, ran all the programs except the Windows OS Cleaning Software link and some programs I needed to restart a few times before they would run.
At this moment the Zentom seems to be gone. I have included a hijackthis log and await your reply.
Thank you!

I am unable to run the Windows OS Cleaning Software link from your webpage, it closes each time.


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 07/30/2011 at 10:24:49.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 07/30/2011 at 10:25:20.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 07/30/2011 at 10:27:54.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 07/30/2011 at 10:28:14.

exeHelper by Raktor
Build 20100414
Run at 10:28:58 on 07/30/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Logfile of HijackThis v1.99.1

(EDIT: Please ATTACH items to your posts!!)

 

Well, of course you are right!:major Its still there, just quieter. I did an Avast boot scan and its finding stuff that it doesn't like.

Ok, so please tell me how to transfer the tools from another computer. Are you saying to just download them on a jump drive or similar and use that on my troubled computer?

Just making sure.
Ilene

 

I've spent forever doing these scans and using a jump drive to get them on the pc. There is a MGTools folder in C:, I never saw anything more than a moment of a black window open and close.

I was able to use RKill and have a log. Malwearbytes found a bunch of stuff, mbam log enclosed. Combofix worked fine. I never saw anything happen with MG Tools. Perhaps need further instructions on that.

Here are my logs.
thanks,
Ilene

 

more logs.
Hope I did this correctly.


thanks Ilene

 

Going down the list of things to do .. .Combofix and the script went fine. Couldn't seem to shut down Avast, so I uninstalled it, then ran Combofix and script again. Have log.

Then, when I got to the Super AntiSpyware program, it won't run anything more than a quick black window that flashes and goes away. I tried it from the desktop, three times.

:major After each time, a window I NEVER saw before opens up and says I'm infected and the title of this window & software is "XP ANTISPYWARE 2012".
What the heck is that?!?! Never seen it before, and it keeps showing up each time I run the SAS program. I figured it was not valid since its not 2012 yet and I never saw it before, nor read about it on your pages.

Running TDSKiller now.

 

Logs

SAS Still won't run for more than a second with a black window.

Here are my latest logs

Ilener

 

I got MGTools to run,
log attached.

Ilener

 

Yes, I sure do.

There is some kind of 'fraud security" files that Spybot tried to delete, but can't because they are in use. Safe mode no longer works for me, can't open start menu or any programs.

I feel like I'm watching a slow death :tired

What's your suggestion?

 

I tried to run the Fixmbr and it warned me that it may result in having NO access to my files, which I cannot do at this moment because there are many files from my business on here and pictures that I could never retrieve again.

So, I ran the MRBCheck once again and it found problems, fixed it. In addition I have tried for two days now to get the recovery console to run, but it refuses and just cycles back to the black window that says for me to choose whether I want to start Win XP normally or Recovery Console. No matter what I choose I am redirected there.

Then I reinstalled my windows from the cd, under the "repair your windows" choice or whatever the exact title is. It did. Not good. In doing so it deleted my SP1, SP2, SP3. I managed to reinstall SP1. I am unable to install SP2 as it hangs in the first 1/5 of the installation after it checks files and gets your system ready. Tried it about four times, even re-downloaded it, too.

Oh, I did run the Chkdsk /p and that went fine. I did that first before attempting Fixmbr.

Due to the confidential files on my pc (I'm a psychologist) and other things I am afraid to open any programs on here at this time. I'm thinking about getting a newer, bigger hard drive today at Best Buy, installing windows XP on it (because I love XP and its easy to work with) and transferring my photos and business files, iTunes, and other important software data that I've created over the years on here. If I only transfer data, pics, microsoft excel files, Microsoft Word files...by making this nasty drive the drive 2, then it will not boot from it, only booting from the new hard drive. then take out the original drive and be done with it,maybe?!:confused

Will this work?
What do you suggest now? Its been over a week now.

ps. I figured out where I got this p.o.s. Zentom software system murdered. I visited "baby daddy day" dot com after someone posted something funny about an experience with being told about some girl's baby daddy, so I was looking for a funny quote or line to post in reply... that is when Zentom took over my computer, hid the firefox download menu, denied access to TAsk Manager and infiltrated into every system file it could before I hit the power off button. Do Not go to this website, I sure never will again.
:-o

 

I would but I can't seem to find it, please tell me where it hides?
:confused

 

Sorry, sometimes the 'blonde' gets in the way.
Here is file.
Still haven't gotten sp3 back on here yet.

do you want another hijackthis log?

 

Everything seems to be running fine, will download SP3 now, hopefully my display improves.

I want this invasive stuff off my computer, so I will "back up those important files and follow my previous instructoins in post # 15, THEN re-run MBRCheck again. "

Most importantly, I want all of that garbage deleted. So, I'll get to work on this.
:major

 

Finally I was able to get SP3 installed, but it was not easy.
After trying numerous times, then failing to install using safe mode I started to end the processes running by using task manager. Some of them I knew could be turned off easily, the rest I had no clue. When I was down to about half or so, I started terminating the ones I didn't remember seeing on there before or often. Oh, the reason SP3 wouldn't install and most likely the reason I had such problems installing sp1 and sp2, was the same reason, perhaps.

So, with SP3 installation stuck about 1/5 of the way, I was down to the shortest list I've ever had in task manager, then I closed a process called csrss.exe and instantly SP3 starting installing super, super fast and it completed. Rebooted, no problem. I have no idea why, perhaps you can tell me.

Later when I get back home, I'll post the MBR log.
How can you tell what processes are running that I really don't need to run? What log can I send you that would give you that info?
:major

 

Not good. Something found.
I wasn't sure what to choose at this point so please advise me.

MWB log attached

1- something about a disk
2- repair
3. exit

 

ok
I did the FIXMBR from WinXP disk
MBR code detected

 

Had extra time, so ran combo Fix again

 

Well, I've been using the computer for a couple of days now and everything seems to work quite well. Its not slow, there seems to be nothing found in the SAS or Spybot, etc, so I'd like to free you up from my insane experience of being hijacked so you can help others.

At this time, I believe I'm good to go.
Thank you so much for showing me the way to fight these things and get them off of my pc!
:major
You're the best ever!:boxing

 

Damn!
termvw32.dll
Submission date:
2011-08-15 17:46:35 (UTC)
Current status:
finished
Result:
17/ 43 (39.5%)

VT Community

not reviewed
Safety score: -
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2011.08.15.00 2011.08.15 Trojan/Win32.Agent
AntiVir 7.11.13.48 2011.08.15 TR/Agent.ojiq
Antiy-AVL 2.0.3.7 2011.08.15 Trojan/Win32.Agent.gen
Avast 4.8.1351.0 2011.08.15 -
Avast5 5.0.677.0 2011.08.15 -
AVG 10.0.0.1190 2011.08.15 Agent3.ZGJ
BitDefender 7.2 2011.08.15 -
CAT-QuickHeal 11.00 2011.08.13 -
ClamAV 0.97.0.0 2011.08.15 -
Commtouch 5.3.2.6 2011.08.15 -
Comodo 9756 2011.08.15 Backdoor.Win32.DarkMoon.A
DrWeb 5.0.2.03300 2011.08.15 -
Emsisoft 5.1.0.8 2011.08.15 Trojan.Win32.Agent!IK
eSafe 7.0.17.0 2011.08.15 -
eTrust-Vet 36.1.8502 2011.08.15 -
F-Prot 4.6.2.117 2011.08.15 -
F-Secure 9.0.16440.0 2011.08.15 -
Fortinet 4.2.257.0 2011.08.15 W32/Agent.OJIQ!tr
GData 22 2011.08.15 -
Ikarus T3.1.1.107.0 2011.08.15 Trojan.Win32.Agent
Jiangmin 13.0.900 2011.08.15 -
K7AntiVirus 9.109.5017 2011.08.15 Trojan
Kaspersky 9.0.0.837 2011.08.15 Trojan.Win32.Agent.ojiq
McAfee 5.400.0.1158 2011.08.15 Artemis!50C7385B09D3
McAfee-GW-Edition 2010.1D 2011.08.15 Artemis!50C7385B09D3
Microsoft 1.7104 2011.08.15 -
NOD32 6380 2011.08.15 -
Norman 6.07.10 2011.08.15 -
nProtect 2011-08-15.01 2011.08.15 -
Panda 10.0.3.5 2011.08.15 Generic Trojan
PCTools 8.0.0.5 2011.08.15 -
Prevx 3.0 2011.08.15 -
Rising 23.71.00.03 2011.08.15 -
Sophos 4.68.0 2011.08.15 -
SUPERAntiSpyware 4.40.0.1006 2011.08.15 -
Symantec 20111.2.0.82 2011.08.15 WS.Reputation.1
TheHacker 6.7.0.1.277 2011.08.15 Trojan/Agent.ojiq
TrendMicro 9.500.0.1008 2011.08.15 -
TrendMicro-HouseCall 9.500.0.1008 2011.08.15 -
VBA32 3.12.16.4 2011.08.15 Trojan.Win32.Agent.ohvi
VIPRE 10172 2011.08.15 Trojan.Win32.Generic!BT
ViRobot 2011.8.13.4621 2011.08.15 -
VirusBuster 14.0.170.0 2011.08.15 -
Additional information
MD5 : 50c7385b09d3717e05fcc0b16a6591b4
SHA1 : 9075a75f71d01b657387a4291c764f590a979fc3
SHA256: 57f6ea998be432bf23586c4c0a82e970d1300ca40227936e54599e2c5db4f7a2

Will zip the file asap and complete the rest

 

I've searched everywhere and cannot find collect.zip, so I am posting it here.
File name:
termvw32.dll
Submission date:
2011-08-17 14:43:20 (UTC)
Current status:
finished
Result:
20/ 44 (45.5%)

VT Community

not reviewed
Safety score: -
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2011.08.17.00 2011.08.17 Trojan/Win32.Agent
AntiVir 7.11.13.113 2011.08.17 TR/Agent.ojiq
Antiy-AVL 2.0.3.7 2011.08.17 Trojan/Win32.Agent.gen
Avast 4.8.1351.0 2011.08.17 -
Avast5 5.0.677.0 2011.08.17 -
AVG 10.0.0.1190 2011.08.17 Agent3.ZGJ
BitDefender 7.2 2011.08.17 Trojan.Generic.KDV.320183
ByteHero 1.0.0.1 2011.08.17 -
CAT-QuickHeal 11.00 2011.08.17 -
ClamAV 0.97.0.0 2011.08.17 -
Commtouch 5.3.2.6 2011.08.17 -
Comodo 9776 2011.08.17 Backdoor.Win32.DarkMoon.A
DrWeb 5.0.2.03300 2011.08.17 -
Emsisoft 5.1.0.8 2011.08.17 Trojan.Win32.Agent!IK
eSafe 7.0.17.0 2011.08.16 -
eTrust-Vet 36.1.8506 2011.08.17 -
F-Prot 4.6.2.117 2011.08.16 -
F-Secure 9.0.16440.0 2011.08.17 Trojan.Generic.KDV.320183
Fortinet 4.2.257.0 2011.08.17 W32/Agent.OJIQ!tr
GData 22 2011.08.17 Trojan.Generic.KDV.320183
Ikarus T3.1.1.107.0 2011.08.17 Trojan.Win32.Agent
Jiangmin 13.0.900 2011.08.16 -
K7AntiVirus 9.109.5021 2011.08.16 Trojan
Kaspersky 9.0.0.837 2011.08.17 Trojan.Win32.Agent.ojiq
McAfee 5.400.0.1158 2011.08.17 Artemis!50C7385B09D3
McAfee-GW-Edition 2010.1D 2011.08.17 Artemis!50C7385B09D3
Microsoft 1.7604 2011.08.17 -
NOD32 6386 2011.08.17 -
Norman 6.07.10 2011.08.16 -
nProtect 2011-08-17.01 2011.08.17 -
Panda 10.0.3.5 2011.08.17 Generic Trojan
PCTools 8.0.0.5 2011.08.17 -
Prevx 3.0 2011.08.17 -
Rising 23.71.02.03 2011.08.17 -
Sophos 4.68.0 2011.08.17 -
SUPERAntiSpyware 4.40.0.1006 2011.08.17 -
Symantec 20111.2.0.82 2011.08.17 WS.Reputation.1
TheHacker 6.7.0.1.278 2011.08.16 Trojan/Agent.ojiq
TrendMicro 9.500.0.1008 2011.08.17 -
TrendMicro-HouseCall 9.500.0.1008 2011.08.17 -
VBA32 3.12.16.4 2011.08.17 Trojan.Win32.Agent.ohvi
VIPRE 10189 2011.08.17 Trojan.Win32.Generic!BT
ViRobot 2011.8.17.4625 2011.08.17 -
VirusBuster 14.0.173.0 2011.08.17 -
Additional information
MD5 : 50c7385b09d3717e05fcc0b16a6591b4
SHA1 : 9075a75f71d01b657387a4291c764f590a979fc3
SHA256: 57f6ea998be432bf23586c4c0a82e970d1300ca40227936e54599e2c5db4f7a2
ssdeep: 3072:IcMWUimHHFDJQpBxUGy3bvAgsvo2ARg9sD312fA6nwPm6L21BQhV8Kf/:IcMWUimFdQpBd
yUX3RsZ2vkmHihF
File size : 218624 bytes
First seen: 2011-08-01 00:54:59
Last seen : 2011-08-17 14:43:20
TrID:
Win32 Executable Generic (58.3%)
Win16/32 Executable Delphi generic (14.1%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Intel Corporation
copyright....: Copyright 1999-2009, Intel Corporation
product......: Intel(R) CPU Performance
description..: itlperf Module
original name: itlperf.dll
internal name: itlperf
file version.: 1, 0, 0, 0
comments.....: This installation was built with Inno Setup.
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x17958
timedatestamp....: 0x2A425E19 (Fri Jun 19 22:22:17 1992)
machinetype......: 0x14c (I386)

[[ 7 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
CODE, 0x1000, 0x1699C, 0x16A00, 6.59, 2cbbe99a5e0ba0d985067081b6134a51
DATA, 0x18000, 0x27E0, 0x2800, 3.26, 3260507c9d51efb3154e29bab43d10a4
BSS, 0x1B000, 0x9B1, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.idata, 0x1C000, 0x6B6, 0x800, 4.19, 0ba2dc7a3b2d6fed614fe9154944751a
.edata, 0x1D000, 0x4A, 0x200, 0.76, 1f12731aff1de074399e71554b8bf3bc
.reloc, 0x1E000, 0x1110, 0x1200, 6.61, dc3b5ec06c23d2d99337d1350df05aad
.rsrc, 0x20000, 0x1A22C, 0x1A400, 7.94, 8321d75891cd5431b418e24597991e57

[[ 8 import(s) ]]
kernel32.dll: GetCurrentThreadId, WideCharToMultiByte, ExitProcess, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetSystemTime, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap
oleaut32.dll: SysFreeString, SysReAllocStringLen
kernel32.dll: TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc
kernel32.dll: WriteFile, VirtualQuery, Sleep, SizeofResource, SetLastError, SetFilePointer, SetEndOfFile, ReadFile, LoadResource, GlobalUnlock, GlobalLock, GetTickCount, GetSystemTime, GetProcAddress, GetLocalTime, GetLastError, GetFileSize, GetCurrentProcess, FreeLibrary, FreeConsole, CreateProcessA, CloseHandle
advapi32.dll: RegCloseKey
user32.dll: wvsprintfA, MessageBoxA
kernel32.dll: LoadLibraryA, GetWindowsDirectoryA, GetVersionExA, GetTimeFormatA, GetTempPathA, GetSystemDirectoryA, GetModuleHandleA, GetModuleFileNameA, GetFileAttributesA, GetDateFormatA, GetComputerNameA, GetCommandLineA, FindResourceA, CreateFileA, CompareStringA
advapi32.dll: RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumValueA, RegCreateKeyExA, GetUserNameA, CreateProcessAsUserA

[[ 1 export(s) ]]
ServiceMain
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 92672
Comments: This installation was built with Inno Setup.
CompanyName: Intel Corporation
EntryPoint: 0x17958
FileDescription: itlperf Module
FileFlagsMask: 0x003f
FileOS: Win32
FileSize: 214 kB
FileSubtype: 0
FileType: Win32 DLL
FileVersion: 1, 0, 0, 0
FileVersionNumber: 1.0.0.0
ImageVersion: 0.0
InitializedDataSize: 124928
InternalName: itlperf
LanguageCode: Neutral
LegalCopyright: Copyright 1999-2009, Intel Corporation
LegalTrademarks:
LinkerVersion: 2.25
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Executable application
OriginalFilename: itlperf.dll
PEType: PE32
PrivateBuild:
ProductName: Intel(R) CPU Performance
ProductVersion: 1, 0, 0, 0
ProductVersionNumber: 1.0.0.0
SpecialBuild:
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 1992:06:20 00:22:17+02:00
UninitializedDataSize: 0

 

Thanks, I will get this done over the next few days, working alot starting tomorrow, but will do this.

Can you tell me what we are doing, what we are trying to get rid of, because it looks like there's a lot more here than just this Zentom junk. Does my harddrive have all those trojans, etc, that were listed in that text?

What's the mission here:major, because I feel lost. (we need to do ____ because ____) would be helpful.

Sure is amazing how messed up this is and I wish I understood what your plan is.:confused

 

we are seeing a number of files which should not be on your machine, such as the ones listed.

Exactly what I wanted to know.
Thanks so much

 

Need Correction

I just tried to run Combofix with the text you gave me and it says exactly this ... 'were you trying to run a cf script? the name of the script was incorrectly spelt" ...and then it shuts down.

Also, I need to run it on my second drive F: because I installed a new drive and moved the infected one over. So, I was thinking to run it on C: and then change the C: to F: to send you both logs. Is this correct?

What is misspelled in the script?:confused
KILLALL::

File::
c:\windows\002552_.tmp
c:\windows\000001_.tmp
c:\windows\SET13D.tmp
c:\windows\SET131.tmp
c:\windows\system32\termvw32.dll
C:\Documents and Settings\LocalService\Local Settings\Application Data\fdvt87420h448sffo45xpbwi647n672cbp055gxv
C:\Documents and Settings\Ilene\Application Data\fdvt87420h448sffo45xpbwi647n672cbp055gxv
C:\Documents and Settings\All Users\Application Data\fdvt87420h448sffo45xpbwi647n672cbp055gxv
C:\Documents and Settings\All Users\Application Data\2398310668
C:\Documents and Settings\Ilene\Templates\fdvt87420h448sffo45xpbwi647n672cbp055gxv

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termssvces]

 

I copied and pasted it from his reply. Also posted it below my message.

I think I figured it out. I named the txt file something else.
Just fixed it

 

It looks like mgtools only ran the getlogs.bat on drive c;
I attempted to go directly to drive F (the original infected drive) but the screen said it was looking on c.

Should I wait and see if it runs on F or is there something I can change ?

Thanks

 

more

 

Did I forget something?

 

I didn't know what a Conduit Engine was and didn't know Price Gong was even there, whatever that was. Its deleted now.

Things seem to be working just fine.

Your help in resolving this incident was remarkable and more thorough than I ever expected.

Please tell me what you suggest to keep running or to complete daily/weekly scans with what software? I don't want to get in this position again, ever, if I can help it.

Appreciate all you've guided me with here.

 

Do I also uninstall Conduit Engine? I see that in the add/remove programs list.