Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Personal Guard 2009


  • This topic is locked This topic is locked
2 replies to this topic

#1 aaron3579

aaron3579

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:39 PM

Posted 08 September 2009 - 04:59 PM

My Windows XP laptop was attacked by a program called Personal Guard 2009 on the morning of September 8, 2009 at or around 11:00 AM. If you don’t know what it looks like, then I can tell you that it mimics Windows Security Center, and claims that your PC has no virus protection. It puts this little booger in the programs tray:

hxxp://picasaweb.google.com/aaron.leblanc1/PersonalGuard2009#5379181265958967890

It simultaneously runs this executable at C:\Program Files\Personal Guard 2009\personalguard.exe which pops up in its own window and looks like anti spyware software:

hxxp://picasaweb.google.com/aaron.leblanc1/PersonalGuard2009#5379218048032426338

It proceeds to run a phony scan of the HDD and spits out a long report of false threats to the PC. ALSO every now and then it will blast a popup that claims the PC is under attack from hackers and gives the option to either buy the full version of Personal Guard 2009 or “continue unprotected.” I fought with this program until about 5:00 AM on September 9. As of the time of this writing, I have met with very little success:

1)I closed out the Personal Guard window, the false attack window and the fake windows security center window, and opened the task manager (ctr alt del) went to the “processes” tab and right clicked on the process with the image name “Personal Guard 2009” and hit “end process tree” then hit ok.

2)I opened control panel and ran the “Add or Remove Programs” utility. Sure enough, “Personal Guard 2009” was listed. I uninstalled it. In less than four minutes, the program had reconstituted and reinstalled itself and was doing all of the things described above all over again.

3)I manually deleted the directory C:\Program Files\Personal Guard 2009. In less than four minutes, the program had reconstituted and reinstalled itself and was doing all of the things described above all over again.

4)I opened the directory C:\Program Files\Personal Guard 2009 and ran the uninstall utility contained therein (C:\Program Files\Personal Guard 2009\uninstall). In less than four minutes, the program had reconstituted and reinstalled itself and was doing all of the things described above all over again.

5)I downloaded a secure delete program known as “Free Eraser” that deletes information by rewriting gibberish over it several times instead of just altering the file allocation table. I tossed the C:\Program Files\Personal Guard 2009 directory into it and set it to the maximum destruction setting. In less than four minutes, the program had reconstituted and reinstalled itself and was doing all of the things described above all over again.

6)I ran a full scan with my McAfee antivirus software (which I have the full version of). It found some stuff (I don’t really remember what all) and I hit fix all issues. Then I ran the personal guard directory through free eraser again. In less than four minutes, the program had reconstituted and reinstalled itself and was doing all of the things described above all over again.

7)I tried to use the cmd prompt as per this YouTube video: hxxp://www.youtube.com/watch?v=pVlL...feature=related But it would not let me rename the questionable file because it was locked due to being “in use.”

8)I downloaded and ran “Trojan Remover” to no effect.

9)I downloaded and ran “Malware Bytes” to no effect.

10)I downloaded and ran “Multi-Virus Cleaner 2009” to no effect.

11)I downloaded and ran “CCleaner” to no effect.

12)I called Alienware Tech Support, and they (the guy’s name was Sebastian; hard to forget) advised me to either try Spybot Search and Destroy or wipe the HDD and start over.

13)I downloaded and ran “Spybot Search and Destroy” to no effect.

14)I downloaded “Hijack This” in order to make a process log. I tried to start the system in Safe Mode but for some reason the system failed to boot in safe mode and I instead had to boot in “registry editing safemode”

15)Once I finally got it into safemode I reran all of the antivirus software mentioned heretofore. While in safemode, the virus seemed to be dormant, and I was eventually was able to run every scan with a “no harmful software detected” clean bill of health. I re-deleted the personal guard 2009 directory and restarted windows normally but the virus was back as soon as windows booted up.

16)At around noon today (Sep 9) I downloaded a program called “Killbox” available here: http://www.bleepingcomputer.com/files/killbox.php I ran this program and aimed it at C:\Program Files\Personal Guard 2009\personalguard.exe and told it to: Replace on reboot; use dummy; end explorer shell while killing file; All files. I rebooted the system and when it came back up, the virus made a short-lived appearance but then ceased.

17)For a while, all I got is this error message every now and then:

hxxp://picasaweb.google.com/aaron.leblanc1/PersonalGuard2009#5379184375462505282

All I can figure is that since I sabotaged the virus with this kill box program, it was attempting to run itself but couldn't, and so I got this error message instead. But within about an hour, the virus had reconstituted and reinstalled itself and now I am at square one again.

Here is my last HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:35 AM, on 9/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Function Key Controller\FKC.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [FunctionKeyCtrl] C:\Program Files\Function Key Controller\FKC.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CTAPR2] "C:\Program Files\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe" /r
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [personalguard] C:\Program Files\Personal Guard 2009\personalguard.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-3663338881-2622629969-2804366026-500\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'Administrator')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: EndWLAN.cmd
O4 - Global Startup: OSCust.lnk.disabled
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/55.16/uploader2.cab
O21 - SSODL: OSDriver - {44433B5D-42EA-44F3-B04F-222A00EC1637} - C:\Documents and Settings\All Users\Microsoft Private Data\Microsoft\Media Index\Drivers\lan.dll
O21 - SSODL: SystemLoading - {82CCCA9A-BA12-4A3D-9D90-30920EB05F53} - C:\Documents and Settings\All Users\Microsoft Private Data\Microsoft\Media Index\Drivers\nhbferdtqo.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: Intel PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Intel PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9649 bytes


Anyone that can offer assistance is most welcome. Please keep in mind that my computer literacy is somewhat limited, and I would appreciate any instruction broken down Barney-style.

Thanks,
Aaron

Edited by Orange Blossom, 08 September 2009 - 09:53 PM.
Deactivate links. ~ OB


BC AdBot (Login to Remove)

 


#2 aaron3579

aaron3579
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:39 PM

Posted 11 September 2009 - 12:42 AM

n/m y'all; I reformatted. :(

#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:10:39 PM

Posted 23 September 2009 - 08:56 AM

Thanks for letting us know :(

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

unite.jpg





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users