
GOT BIT BY "Personal Guard 2009" and NOTHING works


  • This topic is locked
14 replies to this topic

#1 I HATE THIS VIRUS

Posted 19 September 2009 - 12:25 AM

My machine is in limp mode, Firefox won't work, I can't open any programs. Safe Mode doesn't work. Revo Uninstaller took it off 6 times, it comes back; Spybot took it off, it comes back; I used Advanced SystemCare by IObit, it took it off and then it came back on the reboot. Now NOTHING WORKS. When I try to click on an app, I get a bootleg warning telling me to buy this crap. Whoever made Personal Guard 2009 should be drug out into the street and shot!



#2 garmanma

Posted 19 September 2009 - 08:56 PM

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Direct Download (Recommended)
  • Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)

  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Right-click on rootrepeal.exe and rename it to tatertot.scr
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 I HATE THIS VIRUS

Posted 20 September 2009 - 11:47 AM

I get

"application cannot be executed. The file tatertot.scr.exe is infected. please activate your antivirus software" and nothing happens.

#4 garmanma

Posted 20 September 2009 - 05:28 PM

1. Download Win32kDiag from any of the following locations and save it to your Desktop

http://ad13.geekstogo.com/Win32kDiag.exe

http://download.bleepingcomputer.com/rootr.../Win32kDiag.exe

2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
Mark

#5 I HATE THIS VIRUS

Posted 21 September 2009 - 09:00 AM

It won't work. It's not allowing me to run anything. Anything I click on, I get a popup telling me it's infected and can't be executed. NOTHING works; that's the problem: it's not allowing me to run any programs, so nothing I downloaded works. Do you know of anyone else that has this issue? I'd like to see how they fixed it. I've had other problems and malware before and I've always been able to fix them myself using standard measures. This thing, though, is a completely different animal; that's why I'm here to talk to the experts, because I'm stumped.

#6 I HATE THIS VIRUS

Posted 21 September 2009 - 03:20 PM

Does anyone know anything more about this? It just installed "Total Security" on my machine as well. I'm about to throw this friggin thing out of the window and into the pool :thumbsup:

#7 I HATE THIS VIRUS

Posted 21 September 2009 - 03:26 PM

OK, now it restarts my machine by itself, and I'm getting popups about every 45 seconds now.

#8 garmanma

Posted 21 September 2009 - 04:06 PM

Go to Posted Image > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:

DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt

A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark

#9 I HATE THIS VIRUS

Posted 21 September 2009 - 04:32 PM

Running from: C:\Documents and Settings\Lamont\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Lamont\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

#10 I HATE THIS VIRUS

Posted 21 September 2009 - 04:34 PM

Volume in drive C has no label.
Volume Serial Number is 884C-CEF7

Directory of C:\WINDOWS\$NtUninstallKB968389$

08/04/2004 06:00 AM 407,040 netlogon.dll
1 File(s) 407,040 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

08/04/2004 06:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\system32

02/06/2009 02:46 PM 408,064 netlogon.dll

Directory of C:\WINDOWS\system32

08/04/2004 06:00 AM 55,808 eventlog.dll
3 File(s) 644,096 bytes

Directory of C:\WINDOWS\system32\dllcache

02/06/2009 02:46 PM 408,064 netlogon.dll
1 File(s) 408,064 bytes

Total Files Listed:
8 File(s) 2,103,808 bytes
0 Dir(s) 52,238,012,416 bytes free
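
Added example, not part of the original thread: a short Python parser for the `DIR /a/s` listing requested in post #8 and posted in post #10, grouping each DLL's copies by name and reporting the names whose copies differ in date, time or size. The sample text is copied from that listing (trimmed); the function names are this example's own.

```python
import re
from collections import defaultdict

# Lines copied from the DIR listing in post #10 of this thread (trimmed).
SAMPLE = r"""
Directory of C:\WINDOWS\$NtUninstallKB968389$

08/04/2004 06:00 AM 407,040 netlogon.dll
1 File(s) 407,040 bytes

Directory of C:\WINDOWS\system32

08/04/2004 06:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\system32

02/06/2009 02:46 PM 408,064 netlogon.dll

Directory of C:\WINDOWS\system32\dllcache

02/06/2009 02:46 PM 408,064 netlogon.dll
1 File(s) 408,064 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# date, time, size with thousands separators, file name; "<DIR>" rows and
# the "N File(s)" summary rows do not match and are skipped.
FILE_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(.+?)\s*$")

def parse_dir_listing(text):
    """Return {lower-cased file name: [(directory, date, time, size), ...]}."""
    copies = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            date, time, size, name = m.groups()
            copies[name.lower()].append(
                (current, date, time, int(size.replace(",", ""))))
    return dict(copies)

def differing_copies(copies):
    """Names whose listed copies do not all share one (date, time, size)."""
    return sorted(n for n, rows in copies.items()
                  if len({row[1:] for row in rows}) > 1)

if __name__ == "__main__":
    found = parse_dir_listing(SAMPLE)
    for name in differing_copies(found):
        for directory, date, time, size in found[name]:
            print(f"{name}: {size:>9,} bytes  {date} {time}  {directory}")
```

A difference is a prompt to look closer, not a verdict: hotfix uninstall folders and update download folders normally hold other versions of the same file.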

#11 I HATE THIS VIRUS

Posted 21 September 2009 - 04:49 PM

Logfile of Advanced SystemCare 3 Security Analyzer
Scan saved at 5:44:27 PM, on 9/21/2009
Platform: Windows XP (WinNT 5.1)
MSIE: Internet Explorer v8.0 (8.0.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\VS Revo Group\Revo Uninstaller\revouninstaller.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lamont\Desktop\tatertot.scr.exe
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [16213594] C:\Documents and Settings\All Users\Application Data\16213594\16213594.exe
O4 - HKLM\..\Run: [vihuwojap] Rundll32.exe "c:\windows\system32\buyinuni.dll",a
O4 - HKLM\..\Run: [personalguard] C:\Program Files\Personal Guard 2009\personalguard.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} -
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#12 I HATE THIS VIRUS

Posted 21 September 2009 - 05:38 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/21 18:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Processes
-------------------
Path: System
PID: 4 Status: -

Path: C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
PID: 216 Status: -

Path: C:\WINDOWS\system32\ctfmon.exe
PID: 240 Status: -

Path: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 408 Status: -

Path: C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
PID: 452 Status: -

Path: C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PID: 592 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 624 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 648 Status: -

Path: C:\WINDOWS\system32\services.exe
PID: 696 Status: -

Path: C:\WINDOWS\system32\lsass.exe
PID: 708 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 892 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 976 Status: -

Path: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PID: 1040 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1072 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1124 Status: -

Path: C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
PID: 1156 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1220 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1308 Status: -

Path: C:\WINDOWS\system32\wdfmgr.exe
PID: 1320 Status: -

Path: C:\WINDOWS\system32\spoolsv.exe
PID: 1464 Status: -

Path: C:\Program Files\Internet Explorer\iexplore.exe
PID: 1588 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 1708 Status: -

Path: C:\Program Files\Viewpoint\Common\ViewpointService.exe
PID: 1816 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1960 Status: -

Path: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PID: 2572 Status: -

Path: C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
PID: 2876 Status: -

Path: C:\Documents and Settings\Lamont\Desktop\tatertot.scr.exe
PID: 2904 Status: -

Path: C:\WINDOWS\system32\alg.exe
PID: 2960 Status: -

Path: C:\Program Files\VS Revo Group\Revo Uninstaller\revouninstaller.exe
PID: 3296 Status: -

Path: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PID: 3920 Status: -

Path: C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
PID: 3936 Status: -

Path: C:\Program Files\Internet Explorer\iexplore.exe
PID: 4008 Status: -

#13 garmanma

Posted 21 September 2009 - 08:03 PM

Now that you were successful in creating some logs you need to post them in our HJT forum:
http://www.bleepingcomputer.com/forums/forum22.htere
Give a brief description and tell them that these logs were all you could get to run successfully
The HJT team is extremely busy, so be patient and good luck
Mark

#14 I HATE THIS VIRUS

Posted 22 September 2009 - 06:24 AM

Sounds good, thank you

#15 Orange Blossom

Posted 22 September 2009 - 10:23 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/259431/personal-guard-2009-total-security/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SuperAntiSpyware, SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




