Problems with stopguard

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by erratic, Sep 17, 2004.

  1. erratic

    erratic Private E-2

    Hi there, Have been having problems with stopguard. I've run through the standard clean - ccleaner, cwsshredder, pestpatrol, spywareblaster, adaware, spysweeper, Nav installed.

    Still get stopguard popups, generating IE failures. If I close IE's error reporting window, another browser pops up. I haven't been able to kill one suspicious process - libip.exe.

    Googled on the topic, but I don't quite know how to proceed - I have my HJT log. Thanks in advance for the help - very cool/useful site you've got running...
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow ALL the steps in this Sticky thread < READ ME FIRST: Basic Spyware, Trojan And Virus Removal >

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs. And then follow the procedure in the Read Me anyway in the order written.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.
     
  3. erratic

    erratic Private E-2

    Hey there. I had followed the walk through (very helpful), various questionables removed while in safe mode. I haven't uninstalled Java yet. I went through your HJT tutorial as well, killed the problems. Even in safe mode, I was unable to kill off libip.exe, and HJT couldn't remove it. Spysweeper also recognizes libip, but can't remove it. The other problem symptom I have is that an MS security update package for IE fails to install - it downloads, requests reboot, but when I bounce the box, MS Update prompts me to dl the same package.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post a HijackThis log as a .txt file attachment and we will look to see what we can find.
     
  5. PhilliePhan

    PhilliePhan Guest

    Hi Chas,

    I've been working through a similar situation with Stopguard on this thread:

    http://forums.majorgeeks.com/showthread.php?t=42005

    and have come up with a procedure to shut down the troublesome file.

    I had earlier posted an @ chaslang thread because I thought I needed some help, but I think we may have found a cure. I'd still like you to look at the thread if you get a chance, and see if my solution is indeed viable. Plus, it'll give you an idea of what you are dealing with here.

    By the way, the problem you are working on with everidle (surprise - another spyware frustration) has this same issue. Note that the Stopguard files mutate on every reboot!

    PP
     
  6. erratic

    erratic Private E-2

    Thank you sir - unfortunately, I don't have access to the computer for the next few days, but with a point in the right direction, I can start rooting the thing out. How often does malware like this (sticky and stealthy and hard to kill) pop up? I hadn't ever run into an infection without a documented fix before...kind of cool. Praying for the Phillies, but I don't know if anyone's listening. grin.
     

    Last edited by a moderator: Sep 20, 2004
  7. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Looks like you saved the logfile incorrectly, you need to save it as "all file types" then a text document. It's formatted all weird.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not only that....you also have the wrong version of HijackThis. Please download the proper version from the link given in the READ ME FIRST tutorial.

    Also, you did not run the online scan by TrendMicro. Please do so.

    Then post a new HJT log attachment in the correct format.

    You should also refer to the link that Phillie has mentioned. Your files however are pibil.dat and libip.exe


    All of the below lines are in question:
    O4 - HKLM\..\Run: [DGJ] C:\WINNT\DGJ.exe
    O4 - HKLM\..\Run: [wavesvr] C:\WINNT\Registration\wavesvr.exe
    O4 - HKLM\..\Run: [antihard] C:\WINNT\Windows Update Setup Files\antihard.exe
    O4 - HKLM\..\Run: [acrun] C:\WINNT\Web\acrun.exe
    O4 - HKLM\..\Run: [keycom] C:\WINNT\Config\keycom.exe
    O4 - HKLM\..\Run: [*asc] C:\WINNT\asc.exe
    O4 - HKLM\..\Run: [abrdns] C:\WINNT\msagent\intl\abrdns.exe
    O4 - HKLM\..\Run: [*libip] C:\WINNT\Config\libip.exe

    NOTE: I fixed the format of the last log you posted but it is still the wrong version of HJT.
     
  9. erratic

    erratic Private E-2

    Thanks, appreciate the guidance - will update and go through the tutorial. The log file was saved to a Mac, which is probably what screwed up the format. Out of curiosity, is there any clarity on how this gets around, and whether it could infect other machines on the local network? Also, what criteria are you using to pull out the suspicious O4 entries?

    Thanks...
     
  10. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Hi, our criteria is the knowledge behind thousands of threads in here analyzing log files, with the majority of Chaslang's and my posts being mixed into the 13,000+ messages you see here. Do we make mistakes? Sure, spyware is tricky, often changing, but usually easily identifiable. So, your answer is experience. Worst case, do a Google search if there's a question. One problem is there are hundreds of thousands of executable names; we're familiar with thousands of ones we see repeatedly. The rest we search for at websites listing processes, BHOs and the like.

    I'm not too sure about the network, it depends on what. Viruses and Trojans, sure, spyware... probably, though most require you go to a certain website or install a certain file.
     
  11. PhilliePhan

    PhilliePhan Guest

    Hi erratic,

    I think this is a kind of "Drive By Infection" - Your browser is in the wrong place at the wrong time ;) People are still trying to figure out how it sticks itself on your computer. I think one way is for a victim to click their "Free Spyware Scan" link.

    If you look at Susan's thread http://forums.majorgeeks.com/showthread.php?t=42005 , you'll see that there is a pattern to the Stopguard files that makes them easy to detect when they mutate. And they DO mutate on reboot, so you need to follow the removal steps closely.

    The key lies in shutting down the troublesome process (in your case, libip.exe). I did this by utilizing a tool in HijackThis that allows you to DELETE A FILE ON REBOOT. There might, however, be an easier way - Perhaps you can try this:

    Are you able to shut the Stopguard running process down via START>RUN>MSCONFIG> STARTUP Tab & uncheck the process if it is there and then DELETE the file?? This would seem like an obvious course of action, but somehow I got the impression that it didn't work, so I didn't pursue it with Susan. Could you try this? It would simplify matters. Plus, I am cursed with curiosity!

    For Stopguard removal, Susan has posted the steps she followed and they ought to work for you as well. If not, you are in excellent hands with Chaslang!

    Best luck,

    PP
     
    Last edited by a moderator: Sep 20, 2004
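    As an added illustration (not code from this thread or from MajorGeeks), here is a small HijackThis O4 triage script built from two observations in the posts above: the eight entries chaslang questioned all launch from C:\WINNT itself or from WINNT subfolders that do not normally hold autostart programs, and chaslang noted the dropped files are pibil.dat and libip.exe, one name being the other spelled backwards. Both heuristics are constructed here for illustration; the real criterion, as Major Attitude says, is experience, and the two benign entries in the sample are made up. It assumes the Windows directory is C:\WINNT.

```python
import re
from pathlib import PureWindowsPath

# Assumption: Windows 2000 box with the Windows directory at C:\WINNT.
WINDIR = PureWindowsPath(r"C:\WINNT")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r"^(?P<exe>.+?\.exe)(?:\s|$)", re.IGNORECASE)

# Constructed sample: the eight O4 lines chaslang questioned in this thread,
# plus two made-up benign entries so the heuristics have something to pass.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [DGJ] C:\WINNT\DGJ.exe
O4 - HKLM\..\Run: [wavesvr] C:\WINNT\Registration\wavesvr.exe
O4 - HKLM\..\Run: [antihard] C:\WINNT\Windows Update Setup Files\antihard.exe
O4 - HKLM\..\Run: [acrun] C:\WINNT\Web\acrun.exe
O4 - HKLM\..\Run: [keycom] C:\WINNT\Config\keycom.exe
O4 - HKLM\..\Run: [*asc] C:\WINNT\asc.exe
O4 - HKLM\..\Run: [abrdns] C:\WINNT\msagent\intl\abrdns.exe
O4 - HKLM\..\Run: [*libip] C:\WINNT\Config\libip.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example Vendor\tray.exe /silent
O4 - HKLM\..\Run: [ExampleSvc] C:\WINNT\system32\examplesvc.exe
"""

def parse_o4(line):
    """Split one HijackThis O4 line into hive, run-key value name and exe path."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe = EXE_RE.match(m["cmd"])
    path = exe["exe"] if exe else m["cmd"].split()[0]
    return {"hive": m["hive"], "name": m["name"].lstrip("*"), "exe": PureWindowsPath(path)}

def outside_system32_under_windir(exe):
    """Constructed heuristic: autostart exe sitting in the Windows folder itself or
    in a non-system32 subfolder (Config, Web, Registration, msagent\\intl, ...)."""
    try:
        rel = exe.parent.relative_to(WINDIR)
    except ValueError:
        return False
    return not (rel.parts and rel.parts[0].lower() == "system32")

def reversed_name_twins(filenames):
    """Constructed heuristic from the pibil.dat / libip.exe pairing: return stems
    that are some other observed file's stem spelled backwards."""
    stems = {PureWindowsPath(f).stem.lower() for f in filenames}
    return {s for s in stems if s != s[::-1] and s[::-1] in stems}

def triage(log_text, extra_files=()):
    """Return [(name, exe, reasons)] for O4 entries that trip either heuristic."""
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e]
    twins = reversed_name_twins([e["exe"].name for e in entries] + list(extra_files))
    out = []
    for e in entries:
        reasons = []
        if outside_system32_under_windir(e["exe"]):
            reasons.append("exe under %WINDIR% but not system32")
        if e["exe"].stem.lower() in twins:
            reasons.append("reversed-name twin present")
        if reasons:
            out.append((e["name"], str(e["exe"]), reasons))
    return out

if __name__ == "__main__":
    # pibil.dat is not an O4 entry, so it is passed in as an extra observed file.
    for name, exe, reasons in triage(SAMPLE_LOG, extra_files=["pibil.dat"]):
        print(f"{name:10} {exe:55} {'; '.join(reasons)}")
```

    Running it lists exactly the eight entries chaslang questioned and marks libip additionally for its reversed-name twin; the two constructed benign entries are left alone.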
  12. susans

    susans Private E-2

    :) Hi erratic:

    Another member (along with myself) had the problem with Stopguard which we fixed, but he brought up a question. He said he noticed that while he had the infection the computer was not making/keeping restore points. I believe he said he got an error message saying he did not have enough memory or something but he knows he does have plenty of capacity. However, after he fixed the infection, his computer is once again correctly making restore points. So the question is was this a coincidence with just his computer or a wicked thing caused by the infection so you couldn't restore back to a point prior to infection. So, if you haven't done the fix for Stopguard yet could you check your restore points and let us know?

    Thanks,
    Susan
     
  13. erratic

    erratic Private E-2

    Hey there, back in action, looking to terminate stopguard.

    ran TrendMicro, which caught 2 troj.rahibitor.a's
    Symantec check failed three times, right near the end - part of the browser problem
    booted to safe with networking, ran
    McAfee Stinger
    ccleaner
    adaware se + vx2 cleaner
    cwshredder
    kill2me
    buster
    hsremove
    spybot s&d

    booted to normal, spywaresweeper picked up on an app called jpegsys.exe. Can't kill the process thru task manager. Looking for help in identifying removal steps based on current hjt log - very much appreciated...


    current incarnation of hjt...
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have not yet fixed the previous stuff we gave you and the CATLEvents stuff has not mutated. You need to go back and fix the stuff we already gave you. And do the stuff PP and Susans indicated too.
     