Solved: HELP...personal guard 2009 has hijacked me

mom4jdc's Avatar
Member with 50 posts.
 
Join Date: Nov 2009
Location: GA
Experience: Beginner
10-Nov-2009, 01:46 AM #16
OTS Quick Scan log.

Spybot started popping up asking about allowing registry changes for Personal Guard and a couple of other things. I denied the changes.

Thanks again for taking the time to help me root this thing out of this system. You are a hero! :-)
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
10-Nov-2009, 02:18 AM #17
Spybot was detecting changes I was trying to make to your system, effectively protecting the malware. Please allow any changes or disable Spybot altogether until we're done.

Let's do the following:

STEP 1

Run OTS

  • Under the Paste Fix Here box on the right, paste in the contents of the following code box


Code:
[Unregister Dlls]
[Modules - Safe List]
YY -> nutuhunu.dll -> C:\WINDOWS\SYSTEM32\nutuhunu.dll
YY -> gokisoso.dll -> C:\WINDOWS\SYSTEM32\gokisoso.dll
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4EFB-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {af97ada2-b821-477e-9940-f17367775583} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{BA52B914-B692-46c4-B683-905236F6F655}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "personalguard" -> C:\Program Files\Personal Guard 2009\personalguard.exe [C:\Program Files\Personal Guard 2009\personalguard.exe]
YY -> "wawizehef" -> C:\WINDOWS\System32\gokisoso.DLL [Rundll32.exe "c:\windows\system32\gokisoso.dll",a]
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> "Malwarebytes' Anti-Malware" -> C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent]
YN -> "selfdel" -> C:\WINDOWS\TEMP\$$t.bat [C:\WINDOWS\TEMP\$$t.bat]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "rkrk" -> C:\PROGRA~1\COMMON~1\rkrk\rkrkm.exe [C:\PROGRA~1\COMMON~1\rkrk\rkrkm.exe]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} [HKLM] -> Reg Error: Value error. [Reg Error: Key error.]
YN -> {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} [HKLM] -> https://care.windstream.com/lwp/static/installers/WebflowActiveXInstaller_3-0-0.cab [SecurityManager Class]
YN -> {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} [HKLM] -> Reg Error: Value error. [Reg Error: Key error.]
YN -> Microsoft XML Parser for Java [HKLM] -> Reg Error: Value error. [Reg Error: Key error.]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> c:\windows\system32\gokisoso.dll -> C:\WINDOWS\SYSTEM32\gokisoso.dll
YY -> c:\windows\system32\yofivowi.dll -> C:\WINDOWS\System32\yofivowi.dll
YY -> nutuhunu.dll -> C:\WINDOWS\System32\nutuhunu.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> "{09380d10-7db1-4d2f-9006-f9b838c0924c}" [HKLM] -> C:\WINDOWS\System32\toronitu.dll [goyazimew]
YY -> "{7add5270-97d3-4830-b88b-c8221fcdc153}" [HKLM] -> C:\WINDOWS\SYSTEM32\gokisoso.dll [sezisunib]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YN -> "{09380d10-7db1-4d2f-9006-f9b838c0924c}" [HKLM] -> C:\WINDOWS\System32\toronitu.dll [jugezatag]
YY -> "{7add5270-97d3-4830-b88b-c8221fcdc153}" [HKLM] -> C:\WINDOWS\SYSTEM32\gokisoso.dll [mujuzedij]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\SYSTEM32\fxsclnt.exe" -> C:\WINDOWS\System32\fxsclnt.exe [C:\WINDOWS\SYSTEM32\fxsclnt.exe:*:Enabled:Microsoft  Fax Console]
[Files/Folders - Modified Within 14 Days]
NY -> nubimiga -> C:\WINDOWS\System32\nubimiga
[Files - No Company Name]
NY -> yuniyuzi.dll -> C:\WINDOWS\System32\yuniyuzi.dll
NY -> nutuhunu.dll -> C:\WINDOWS\System32\nutuhunu.dll
NY -> hekeyapi.dll -> C:\WINDOWS\System32\hekeyapi.dll
NY -> gokisoso.dll -> C:\WINDOWS\System32\gokisoso.dll
NY -> kasiyebo.dll -> C:\WINDOWS\System32\kasiyebo.dll
NY -> tegareto.dll -> C:\WINDOWS\System32\tegareto.dll
NY -> mirajehi.dll -> C:\WINDOWS\System32\mirajehi.dll
NY -> watusero.dll -> C:\WINDOWS\System32\watusero.dll
NY -> tupabezu.dll -> C:\WINDOWS\System32\tupabezu.dll
NY -> jojimofo.dll -> C:\WINDOWS\System32\jojimofo.dll
[Custom Items]
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=""
:end
[Empty Temp Folders]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • This will create a log in C:\_OTS\MovedFiles\<date>_<time>.txt where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.



STEP 2

Run OTS again and click on the Quick Scan button at the top. Attach the results of this scan in your next reply.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
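As an added example (not part of the original post and not code from OTS), the following Python parses fix-script lines of the shape shown in the code box above and reports which files are referenced from more than one autostart location in the registry. The sample lines are copied from the post; the function names are assumptions, and the two-letter prefix on each entry is treated as an opaque flag.

```python
import re
from collections import defaultdict

# Subset of the fix script from the post above, copied unchanged.
SAMPLE_FIX = r'''
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "personalguard" -> C:\Program Files\Personal Guard 2009\personalguard.exe [C:\Program Files\Personal Guard 2009\personalguard.exe]
YY -> "wawizehef" -> C:\WINDOWS\System32\gokisoso.DLL [Rundll32.exe "c:\windows\system32\gokisoso.dll",a]
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> c:\windows\system32\gokisoso.dll -> C:\WINDOWS\SYSTEM32\gokisoso.dll
YY -> nutuhunu.dll -> C:\WINDOWS\System32\nutuhunu.dll
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> "{09380d10-7db1-4d2f-9006-f9b838c0924c}" [HKLM] -> C:\WINDOWS\System32\toronitu.dll [goyazimew]
YY -> "{7add5270-97d3-4830-b88b-c8221fcdc153}" [HKLM] -> C:\WINDOWS\SYSTEM32\gokisoso.dll [sezisunib]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{7add5270-97d3-4830-b88b-c8221fcdc153}" [HKLM] -> C:\WINDOWS\SYSTEM32\gokisoso.dll [mujuzedij]
[Files - No Company Name]
NY -> gokisoso.dll -> C:\WINDOWS\System32\gokisoso.dll
'''

SECTION = re.compile(r'^\[(.+)\]$')                  # e.g. [Registry - Safe List]
LOCATION = re.compile(r'^(?:< (.+?) (?:\[.*\] )?> ->|\*(.+?)\* ->)')
ENTRY = re.compile(r'^([YN]{2}) -> (.*)$')           # flag kept opaque (assumption)
PATH = re.compile(r'[A-Za-z]:\\.*?\.(?:dll|exe|bat)\b', re.I)

def autostart_refs(text):
    """Map each file path to the registry locations that reference it."""
    refs = defaultdict(set)
    section = location = None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            section = location = m.group(1)
        elif m := LOCATION.match(line):
            location = m.group(1) or m.group(2)
        elif (m := ENTRY.match(line)) and section == "Registry - Safe List":
            target = m.group(2).split(" -> ")[-1]    # text after the last arrow
            if p := PATH.search(target):
                refs[p.group(0).lower()].add(location)
    return {path: sorted(locs) for path, locs in refs.items()}

def multi_homed(text, minimum=2):
    """Files loaded from at least `minimum` distinct autostart locations."""
    return {p: l for p, l in autostart_refs(text).items() if len(l) >= minimum}

if __name__ == "__main__":
    for path, locs in multi_homed(SAMPLE_FIX).items():
        print(path, "<-", ", ".join(locs))
```

On these lines the only file reported is gokisoso.dll, which is registered under Run, AppInit_DLLs, SSODL and SharedTaskScheduler at once; a file wired into several load points like this has to be removed from all of them in the same pass.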
mom4jdc's Avatar
Member with 50 posts.
 
Join Date: Nov 2009
Location: GA
Experience: Beginner
10-Nov-2009, 10:15 AM #18
Oops...sorry, I just panicked when I saw the name "Personal Guard" come up.

This computer is running so much better after the fix. I am still having an issue with IE opening other pages though. One major improvement is that it went from taking @45 minutes for IE (or any browser) to load down to less than 2. Big difference!! I don't feel like I'm on dialup anymore.

Thank you so very much for helping me with my computer!!!
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
10-Nov-2009, 01:48 PM #19
Cool. There's one still there that managed to get past us. So let's get him with the next steps.

STEP 1

Run OTS

  • Under the Paste Fix Here box on the right, paste in the contents of the following code box


Code:
[Kill All Processes]
[Unregister Dlls]
[Modules - Safe List]
YY -> zuragiwu.dll -> C:\WINDOWS\SYSTEM32\zuragiwu.dll
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "wawizehef" -> C:\WINDOWS\System32\zuragiwu.DLL [Rundll32.exe "c:\windows\system32\zuragiwu.dll",a]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YN -> nutuhunu.dll -> 
YY -> c:\windows\system32\zuragiwu.dll -> C:\WINDOWS\SYSTEM32\zuragiwu.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{bec00baf-1327-4f04-bc76-f0787fffed0f}" [HKLM] -> C:\WINDOWS\SYSTEM32\zuragiwu.dll [kokebosut]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{bec00baf-1327-4f04-bc76-f0787fffed0f}" [HKLM] -> C:\WINDOWS\SYSTEM32\zuragiwu.dll [jugezatag]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\explorer.exe" -> C:\WINDOWS\explorer.exe [C:\WINDOWS\explorer.exe:*:Enabled:Explorer]
YN -> "C:\WINDOWS\SYSTEM32\logonui.exe" -> C:\WINDOWS\System32\logonui.exe [C:\WINDOWS\SYSTEM32\logonui.exe:*:Enabled:logonui]
YN -> "C:\WINDOWS\SYSTEM32\lsass.exe" -> C:\WINDOWS\System32\lsass.exe [C:\WINDOWS\SYSTEM32\lsass.exe:*:Enabled:lsass]
[Files - No Company Name]
NY -> zuragiwu.dll -> C:\WINDOWS\System32\zuragiwu.dll
NY -> kasiyebo.dll -> C:\WINDOWS\System32\kasiyebo.dll
[Custom Items]
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=""
:end
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • This will create a log in C:\_OTS\MovedFiles\<date>_<time>.txt where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.


Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally.
If it seems to get stuck, give it some time. It's probably still working.


STEP 2

Run MalwareBytes AntiMalware.

  • Update it by clicking on the Update tab and then on the button.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Scan all of your hard drives.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


STEP 3

Run OTS again and click on the Quick Scan button at the top. Attach the results of this scan in your next reply.
mom4jdc's Avatar
Member with 50 posts.
 
Join Date: Nov 2009
Location: GA
Experience: Beginner
11-Nov-2009, 12:05 AM #20
Okay...ran OTS. Everything went fine. Then ran Malwarebytes...it asked to restart which I ok'ed, but when it came back up I got a blue screen which reads "A problem has been detected and Windows has been shut down to prevent damage to your computer. .......Technical information: ***Stop: 0x0000007B (0xF9679528,0xC0000034,0x00000000, 0x00000000)"


What do I do?
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
11-Nov-2009, 02:39 AM #21
It sounds like the infection is defending itself. Does the computer boot into Windows ok?

If so, please attach the MalwareBytes log and run Step 3 for me so I can take a look at it again.


If not, can you try to boot your system into Safe Mode for me?

To do so you will need to tap the F8 key continuously as you turn your computer on until a black and white menu comes up. Select "Safe Mode with Networking" from the list and then sign into your own account. Let me know if you can get into Windows that way.
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
11-Nov-2009, 02:42 AM #22
If you can get into Safe Mode with Networking as I described, please attach the MalwareBytes log. You will find it under the logs tab inside the program.

Then run step 3 for me.
mom4jdc's Avatar
Member with 50 posts.
 
Join Date: Nov 2009
Location: GA
Experience: Beginner
11-Nov-2009, 02:46 AM #23
Nope...no can do. When I restart, I get the black screen asking how I want to start. I selected Safe Mode with Networking, which caused a whole lot of stuff to scroll up the screen, then the blue screen again.

Not good, right?
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
11-Nov-2009, 02:50 AM #24
I wonder what MalwareBytes must have found. If it detected that some necessary files were infected and deleted them it would explain what happened.

Do you have your Windows XP cds handy?
mom4jdc's Avatar
Member with 50 posts.
 
Join Date: Nov 2009
Location: GA
Experience: Beginner
11-Nov-2009, 02:52 AM #25
As a matter of fact, I have the Re-installation CD right here.
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
11-Nov-2009, 02:55 AM #26
Ok before we do that, can you try "Last Known Configuration" from the black and white menu for me?
mom4jdc's Avatar
Member with 50 posts.
 
Join Date: Nov 2009
Location: GA
Experience: Beginner
11-Nov-2009, 02:58 AM #27
Back to the blue screen...
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
11-Nov-2009, 02:59 AM #28
Ok. Is the CD you have a Windows XP CD or is it a CD that has the Manufacturer's name on it and says something like "Restore CD"?
mom4jdc's Avatar
Member with 50 posts.
 
Join Date: Nov 2009
Location: GA
Experience: Beginner
11-Nov-2009, 03:03 AM #29
It is the Dell "Operating System Already Installed on your computer. Reinstallation CD Microsoft Windows XP Home Edition Including Service Pack 1a" CD.
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
11-Nov-2009, 03:06 AM #30
That's not very good news. If it was a Windows XP CD we could have used the recovery features it comes with. If we were to use the CD you have we would be deleting everything on your system.

Does this other computer have the capability of burning CDs?
All times are GMT -4.