BleepingComputer.com: GOT BIT BY "Personal Guard 2009" and NOTHING works

My machine is in limp mode , Firefox won't work , I can't open any programs. SAfemode doesn't work , revo uninstaller took it off 6 times it comes back , spybot took it off , it comes back , I used afvanced system care by ioBit , it took it off and then it came back on the reboot. Now NOTHING WORKS. when i try to click on an app , i get a bootleg warning telling me to buy this crap. Whoever made personal guard 2009 should be drug out into the street and shot!

We Need to check for Rootkits with RootRepeal

• Download RootRepeal from the following location and save it to your desktop.
  
• Direct Download (Recommended)
  • Primary Mirror
    
  • Secondary Mirror
    
  • Secondary Mirror
    
  • Secondary Mirror
  
  
• Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
  
  • Primary Mirror
    
    
  • Secondary Mirror
    
    
  • Secondary Mirror
  
  
  
  
• Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  
• Riight-click on rootrepeal.exe and rename it to tatertot.scr
  
• Open on your desktop.
  
• Click the tab.
  
• Click the button.
  
• Check all seven boxes:
  
• Push Ok
  
• Check the box for your main system drive (Usually C:), and press Ok.
  
• Allow RootRepeal to run a scan of your system. This may take some time.
  
• Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

I get

"application cannot be executed. The file tatertot.scr.exe is infected. please activate your antivirus software" and nothing happens.

1. Download Win32kDiag from any of the following locations and save it to your Desktop

http://ad13.geekstogo.com/Win32kDiag.exe

http://download.bleepingcomputer.com/rootr.../Win32kDiag.exe

2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

It wont work , It's not allowing me to run anything. anything i click on I get a popup telling me it's infected and can't be executed. NOTHING works , that's the problem it's not allowing me to run any programs so nothing i downloaded works. do you know of anyone else that has this issue , I'd like to see how they fixed it. I've had other problems and malware before and I've always been able to fix them myself using standard measures. This thing though is a completely different animal , that's why I'm here to talk to the experts because I'm stumped.

Does anyone know anything more about this? , It just installed "Total Security" on my machine as well. I'm about to throw this friggin thing out of the window and into the pool

OK , now it restarts my machine by itself. and I'm getting popups about every 45 seconds now.

Go to > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:

DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt

A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.

Running from: C:\Documents and Settings\Lamont\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Lamont\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Volume in drive C has no label.
Volume Serial Number is 884C-CEF7

Directory of C:\WINDOWS\$NtUninstallKB968389$

08/04/2004 06:00 AM 407,040 netlogon.dll
1 File(s) 407,040 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

08/04/2004 06:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\system32

02/06/2009 02:46 PM 408,064 netlogon.dll

Directory of C:\WINDOWS\system32

08/04/2004 06:00 AM 55,808 eventlog.dll
3 File(s) 644,096 bytes

Directory of C:\WINDOWS\system32\dllcache

02/06/2009 02:46 PM 408,064 netlogon.dll
1 File(s) 408,064 bytes

Total Files Listed:
8 File(s) 2,103,808 bytes
0 Dir(s) 52,238,012,416 bytes free

Logfile of Advanced SystemCare 3 Security Analyzer
Scan saved at 5:44:27 PM, on 9/21/2009
Platform: Windows XP (WinNT 5.1)
MSIE: Internet Explorer v8.0 (8.0.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\VS Revo Group\Revo Uninstaller\revouninstaller.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lamont\Desktop\tatertot.scr.exe
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [16213594] C:\Documents and Settings\All Users\Application Data\16213594\16213594.exe
O4 - HKLM\..\Run: [vihuwojap] Rundll32.exe "c:\windows\system32\buyinuni.dll",a
O4 - HKLM\..\Run: [personalguard] C:\Program Files\Personal Guard 2009\personalguard.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} -
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/21 18:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Processes
-------------------
Path: System
PID: 4 Status: -

Path: C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
PID: 216 Status: -

Path: C:\WINDOWS\system32\ctfmon.exe
PID: 240 Status: -

Path: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 408 Status: -

Path: C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
PID: 452 Status: -

Path: C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PID: 592 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 624 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 648 Status: -

Path: C:\WINDOWS\system32\services.exe
PID: 696 Status: -

Path: C:\WINDOWS\system32\lsass.exe
PID: 708 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 892 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 976 Status: -

Path: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PID: 1040 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1072 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1124 Status: -

Path: C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
PID: 1156 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1220 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1308 Status: -

Path: C:\WINDOWS\system32\wdfmgr.exe
PID: 1320 Status: -

Path: C:\WINDOWS\system32\spoolsv.exe
PID: 1464 Status: -

Path: C:\Program Files\Internet Explorer\iexplore.exe
PID: 1588 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 1708 Status: -

Path: C:\Program Files\Viewpoint\Common\ViewpointService.exe
PID: 1816 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1960 Status: -

Path: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PID: 2572 Status: -

Path: C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
PID: 2876 Status: -

Path: C:\Documents and Settings\Lamont\Desktop\tatertot.scr.exe
PID: 2904 Status: -

Path: C:\WINDOWS\system32\alg.exe
PID: 2960 Status: -

Path: C:\Program Files\VS Revo Group\Revo Uninstaller\revouninstaller.exe
PID: 3296 Status: -

Path: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PID: 3920 Status: -

Path: C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
PID: 3936 Status: -

Path: C:\Program Files\Internet Explorer\iexplore.exe
PID: 4008 Status: -

Now that you were successful in creating some logs you need to post them in our HJT forum:
http://www.bleepingcomputer.com/forums/forum22.htere
Give a brief description and tell them that these logs was all you could get to run successfully
The HJT team is extremely busy, so be patient and good luck

Sounds good , Thank You

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic259431.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom