Solved: HELP...personal guard 2009 has hijacked me

mom4jdc · 07-Nov-2009, 10:07 PM #1

Okay....my teen son and my husband mainly use this computer. Thursday night, my husband started yelling at the computer because Internet Explorer was opening and taking him to other sites and wouldn't close. After I moved him away and started looking at the problem, I realized that it was malware. First thing I did was uninstall Personal Guard 2009 from add/remove programs. (I am running Windows XP. We mainly use Firefox for our browser but my son favors Flock.) Less than a minute later, Personal Guard was back masquarading in the Windows Security Center. We have been experiencing pop-ups, internet explorer opening itself, browser hijacking, etc. Trying to navigate to a "malware fix forum" is a nightmare, Firefox will no longer stay open. The program shuts it down before it fully loads. I tried deleting the program from the task manager (processes) but it just doesn't show up there any more. I've tried installing malwarebytes....it won't install. I've used online virus scans, etc. Nothing that I know to do has worked. The computer is spiralling downward. It took an hour for it to come up this morning.

Please help!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:59 PM, on 11/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Rosetta Stone\SMS v3.0.2hs\Service\JavaSrvc.exe
C:\WINDOWS\system32\winsc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon06.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {af97ada2-b821-477e-9940-f17367775583} - bisagipi.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [personalguard] C:\Program Files\Personal Guard 2009\personalguard.exe
O4 - HKLM\..\Run: [wawizehef] Rundll32.exe "c:\windows\system32\welemige.dll",a
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [rkrk] C:\PROGRA~1\COMMON~1\rkrk\rkrkm.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [xaxgmtk] C:\WINDOWS\System32\xaxgmtk.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
O4 - Global Startup: WDSmartWare.lnk = C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
O4 - Global Startup: Windstream Broadband Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Copy to &Lightning Note - C:\Program Files\WordPerfect Lightning\Programs\WPLightningCopyToNote.hta
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O15 - Trusted Zone: http://care.alltel.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/Verizo...oadControl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - https://care.windstream.com/lwp/stat...ller_3-0-0.cab
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - https://care.windstream.com/lwp/stat...ELControls.cab
O20 - AppInit_DLLs: gabohoze.dll c:\windows\system32\welemige.dll
O21 - SSODL: SysNet - {229D115E-2CB1-405A-B5BF-C801C91B224C} - C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll
O21 - SSODL: perulagud - {78c0b2e6-f482-4fbc-884d-f4910acf8403} - c:\windows\system32\guyeroso.dll
O21 - SSODL: wuyojomov - {a9eb6e3d-2d50-4bdb-9538-19e682905514} - c:\windows\system32\guyeroso.dll
O21 - SSODL: zubipurun - {f220f955-e8f6-4b1b-b972-20344b353a2f} - c:\windows\system32\guyeroso.dll
O21 - SSODL: miboneray - {d9f7ad5c-2b12-4bc0-8133-5fbcd8a43ac8} - c:\windows\system32\welemige.dll
O22 - SharedTaskScheduler: mujuzedij - {78c0b2e6-f482-4fbc-884d-f4910acf8403} - c:\windows\system32\guyeroso.dll
O22 - SharedTaskScheduler: kupuhivus - {a9eb6e3d-2d50-4bdb-9538-19e682905514} - c:\windows\system32\guyeroso.dll
O22 - SharedTaskScheduler: kupuhivus - {f220f955-e8f6-4b1b-b972-20344b353a2f} - c:\windows\system32\guyeroso.dll
O22 - SharedTaskScheduler: gahurihor - {d9f7ad5c-2b12-4bc0-8133-5fbcd8a43ac8} - c:\windows\system32\welemige.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: SMSv3_0_2hs - Alexandria Software Consulting - C:\Program Files\Rosetta Stone\SMS v3.0.2hs\Service\JavaSrvc.exe
O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
--
End of file - 13314 bytes

mom4jdc · 08-Nov-2009, 09:22 PM #2

I see that y'all are really busy but I wanted to bump this up so it didn't get lost past page 4.

Thanks so much.

NeonFx · 08-Nov-2009, 09:54 PM #3

Hello there

Welcome to the Tech Support Guy forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:

The fixes are specific to your problem and should only be used on this machine.
Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

Step 1

Download OTS to your Desktop

Close ALL OTHER PROGRAMS.
Double-click on OTS.exe to start the program.
Check the box that says Scan All Users
Under Additional Scans check the following:
- Reg - Desktop Components
- Reg - Disabled MS Config Items
- Reg - NetSvcs
- Reg - Shell Spawning
- Reg - Uninstall List
- File - Lop Check
- File - Purity Scan
- Evnt - EvtViewer (last 10)
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button

To ensure that I get all the information this log will need to be attached. If it is too large to attach then upload it to Dropio and post the sharing link/url (The Drop's URL will be similar to : http:://drop.io/daerk)

Step 2

Download RootRepeal from one of the following locations and save it to your desktop:

Link 1
Link 2
Link 3

Double click to start the program
Click on the Report tab at the bottom of the program window
Click the button
In the Select Scan dialog, check:
- Shadow SSDT
Click the OK button
In the next dialog, select all drives showing
Click OK to start the scan
Note: The scan can take some time. DO NOT run any other programs while the scan is running
When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt
Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

mom4jdc · 09-Nov-2009, 12:48 AM #4

Thank you so very very much for helping me.

Just letting you know that the sick computer is not playing very nice right now. Approximately 20 minutes to load and open a browser, 3 tries to go to the link for the OTS, now when I asked it to load the root repeal it has frozen.

I guess that I'll try it again tomorrow afternoon.

Thanks again for helping me...this thing has ticked me off and I am going to get it off this computer one way or the other. :-)

NeonFx · 09-Nov-2009, 12:57 AM #5

Alright. If you still have trouble running those try doing it in Safe Mode with Networking

To boot into that mode you will need to repeatedly tap the F8 key on your keyboard as you turn your computer on. This should bring up a black and white menu where you can select "Safe Mode with Networking" using your arrow and Enter keys. Sign into your own account and click on "Yes" when asked if you wish to continue into Safe Mode.

mom4jdc · 09-Nov-2009, 02:25 AM #6

Okay...finally forsed it to let me back on. Safe mode wouldn't work...I got a blue screen telling me to search for viruses.

Here's the OTS log. Hoping to have the Root Repeal for you in the morning.

NeonFx · 09-Nov-2009, 02:32 AM #7

Alright. Let me know how it goes.

mom4jdc · 09-Nov-2009, 08:39 PM #8

Hey again,
I could not get Root Repeal to load last night....I never got past the "Initialization.....Please wait screen." So I came back to this thread this afternoon and went to Link 2 to get Root Repeal and downloaded/installed it to my desktop again. I got the same Initialization screen but it hasn't moved in 45 minutes. And control alt delete doesn't do anything. I'm stuck with no way out.

Any suggestions?

Thanks again for your time.

NeonFx · 09-Nov-2009, 08:52 PM #9

It happens. Close it and then do the following:

STEP 1

Run OTS

Under the Paste Fix Here box on the right, paste in the contents of the following code box

Code:

[Unregister Dlls]
[Processes - Safe List]
YY -> winsc.exe -> C:\WINDOWS\SYSTEM32\winsc.exe
YY -> personalguard.exe -> C:\Program Files\Personal Guard 2009\personalguard.exe
[Modules - Safe List]
YY -> toronitu.dll -> C:\WINDOWS\SYSTEM32\toronitu.dll
YY -> kiyejebe.dll -> C:\WINDOWS\SYSTEM32\kiyejebe.dll
YY -> gabohoze.dll -> C:\WINDOWS\SYSTEM32\gabohoze.dll
YY -> bisagipi.dll -> C:\WINDOWS\SYSTEM32\bisagipi.dll
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4EFB-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YY -> {af97ada2-b821-477e-9940-f17367775583} [HKLM] -> C:\WINDOWS\System32\bisagipi.dll [Reg Error: Value error.]
YN -> {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} [HKLM] -> C:\WINDOWS\System32\WinStat12.dll [WinStat]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{BA52B914-B692-46c4-B683-905236F6F655}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3174613677-3908529407-144104162-1007\] > -> HKEY_USERS\S-1-5-21-3174613677-3908529407-144104162-1007\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "personalguard" -> C:\Program Files\Personal Guard 2009\personalguard.exe [C:\Program Files\Personal Guard 2009\personalguard.exe]
YY -> "wawizehef" -> C:\WINDOWS\System32\kiyejebe.DLL [Rundll32.exe "c:\windows\system32\kiyejebe.dll",a]
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> "selfdel" -> C:\WINDOWS\TEMP\$$t.bat [C:\WINDOWS\TEMP\$$t.bat]
< Run [HKEY_USERS\S-1-5-21-3174613677-3908529407-144104162-1007\] > -> HKEY_USERS\S-1-5-21-3174613677-3908529407-144104162-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "rkrk" -> C:\PROGRA~1\COMMON~1\rkrk\rkrkm.exe [C:\PROGRA~1\COMMON~1\rkrk\rkrkm.exe]
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
YN -> \Run\\"xaxgmtk" -> C:\WINDOWS\System32\xaxgmtk.exe [C:\WINDOWS\System32\xaxgmtk.exe]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-3174613677-3908529407-144104162-1007\] > -> HKEY_USERS\S-1-5-21-3174613677-3908529407-144104162-1007\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-3174613677-3908529407-144104162-1009\] > -> HKEY_USERS\S-1-5-21-3174613677-3908529407-144104162-1009\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{c95fe080-8f5d-11d2-a20b-00aa003c157a}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-3174613677-3908529407-144104162-1010\] > -> HKEY_USERS\S-1-5-21-3174613677-3908529407-144104162-1010\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-3174613677-3908529407-144104162-1011\] > -> HKEY_USERS\S-1-5-21-3174613677-3908529407-144104162-1011\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-3174613677-3908529407-144104162-1013\] > -> HKEY_USERS\S-1-5-21-3174613677-3908529407-144104162-1013\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Key error.]
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-3174613677-3908529407-144104162-1011\] > -> HKEY_USERS\S-1-5-21-3174613677-3908529407-144104162-1011\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> HKEY_USERS\S-1-5-21-3174613677-3908529407-144104162-1011\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found.
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} [HKLM] -> http://www.vzwpix.com/activex/VerizonWirelessUploadControl.cab [Verizon Wireless Media Upload]
YN -> {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} [HKLM] -> https://care.windstream.com/lwp/static/installers/ALLTELControls.cab [ConnectivityTester Class]
YN -> Microsoft XML Parser for Java [HKLM] -> file://C:\WINDOWS\Java\classes\xmldso.cab [Reg Error: Key error.]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> gabohoze.dll -> C:\WINDOWS\System32\gabohoze.dll
YY -> c:\windows\system32\toronitu.dll -> C:\WINDOWS\SYSTEM32\toronitu.dll
YY -> c:\windows\system32\kiyejebe.dll -> C:\WINDOWS\SYSTEM32\kiyejebe.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YN -> logon.exe -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YY -> C:\WINDOWS\system32\sdra64.exe -> C:\WINDOWS\System32\sdra64.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{46456d74-251f-49fe-b16e-6005759b83bf}" [HKLM] -> C:\WINDOWS\SYSTEM32\kiyejebe.dll [kujanupuw]
YY -> "{78c0b2e6-f482-4fbc-884d-f4910acf8403}" [HKLM] -> C:\WINDOWS\SYSTEM32\guyeroso.dll [perulagud]
YY -> "{229D115E-2CB1-405A-B5BF-C801C91B224C}" [HKLM] -> C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll [SysNet]
YY -> "{a9eb6e3d-2d50-4bdb-9538-19e682905514}" [HKLM] -> C:\WINDOWS\SYSTEM32\guyeroso.dll [wuyojomov]
YY -> "{f220f955-e8f6-4b1b-b972-20344b353a2f}" [HKLM] -> C:\WINDOWS\SYSTEM32\guyeroso.dll [zubipurun]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{46456d74-251f-49fe-b16e-6005759b83bf}" [HKLM] -> C:\WINDOWS\SYSTEM32\kiyejebe.dll [kupuhivus]
YY -> "{78c0b2e6-f482-4fbc-884d-f4910acf8403}" [HKLM] -> C:\WINDOWS\SYSTEM32\guyeroso.dll [mujuzedij]
YY -> "{a9eb6e3d-2d50-4bdb-9538-19e682905514}" [HKLM] -> C:\WINDOWS\SYSTEM32\guyeroso.dll [kupuhivus]
YY -> "{f220f955-e8f6-4b1b-b972-20344b353a2f}" [HKLM] -> C:\WINDOWS\SYSTEM32\guyeroso.dll [kupuhivus]
[Registry - Additional Scans - Safe List]
< Uninstall List [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
YN -> Personal Guard 2009 -> Personal Guard 2009
[Files/Folders - Created Within 30 Days]
NY ->  C:\Program Files\Personal Guard 2009 -> C:\Program Files\Personal Guard 2009
NY -> lowsec -> C:\WINDOWS\System32\lowsec
NY -> Microsoft AData -> C:\Documents and Settings\All Users\Microsoft AData
[Files/Folders - Modified Within 30 Days]
NY -> nubimiga -> C:\WINDOWS\System32\nubimiga
NY -> yqjhagrm.job -> C:\WINDOWS\tasks\yqjhagrm.job
NY -> logfile -> C:\logfile
NY -> winsc.exe -> C:\WINDOWS\System32\winsc.exe
NY -> DCEBoot.exe -> C:\WINDOWS\DCEBoot.exe
NY -> regred.exe -> C:\WINDOWS\regred.exe
NY -> spoov.exe -> C:\WINDOWS\spoov.exe
NY -> certsystem.exe -> C:\WINDOWS\certsystem.exe
NY -> usexplorer.exe -> C:\WINDOWS\usexplorer.exe
NY -> securits.com -> C:\WINDOWS\securits.com
NY -> microsoftdef.dll -> C:\WINDOWS\microsoftdef.dll
NY ->  34 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY ->  32 C:\Documents and Settings\Mom and Dad\My Documents\*.tmp files -> C:\Documents and Settings\Mom and Dad\My Documents\*.tmp
NY ->  3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY ->  2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  153 C:\Documents and Settings\Mom and Dad\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Mom and Dad\Local Settings\Temp\*.tmp
NY ->  1 C:\Documents and Settings\Mom and Dad\Local Settings\Temp\HouseCall\*.tmp files -> C:\Documents and Settings\Mom and Dad\Local Settings\Temp\HouseCall\*.tmp
[Files - No Company Name]
NY -> toronitu.dll -> C:\WINDOWS\System32\toronitu.dll
NY -> hakolike.dll -> C:\WINDOWS\System32\hakolike.dll
NY -> kiyejebe.dll -> C:\WINDOWS\System32\kiyejebe.dll
NY -> zifirobo.dll -> C:\WINDOWS\System32\zifirobo.dll
NY -> welemige.dll -> C:\WINDOWS\System32\welemige.dll
NY -> vowayore.dll -> C:\WINDOWS\System32\vowayore.dll
NY -> fesisone.dll -> C:\WINDOWS\System32\fesisone.dll
NY -> helileve.dll -> C:\WINDOWS\System32\helileve.dll
NY -> guyeroso.dll -> C:\WINDOWS\System32\guyeroso.dll
NY -> hufudame.dll -> C:\WINDOWS\System32\hufudame.dll
NY -> nigokeyo.dll -> C:\WINDOWS\System32\nigokeyo.dll
NY -> gatinuro.dll -> C:\WINDOWS\System32\gatinuro.dll
NY -> feyujafi.dll -> C:\WINDOWS\System32\feyujafi.dll
NY -> bawawaza.dll -> C:\WINDOWS\System32\bawawaza.dll
NY -> navavaze.dll -> C:\WINDOWS\System32\navavaze.dll
NY -> domasuro.dll -> C:\WINDOWS\System32\domasuro.dll
NY -> bosofifa.dll -> C:\WINDOWS\System32\bosofifa.dll
NY -> gabohoze.dll -> C:\WINDOWS\System32\gabohoze.dll
NY -> dejuyane.dll -> C:\WINDOWS\System32\dejuyane.dll
NY -> bisagipi.dll -> C:\WINDOWS\System32\bisagipi.dll
NY -> dayesaro.dll -> C:\WINDOWS\System32\dayesaro.dll
NY -> gojiyosi.dll -> C:\WINDOWS\System32\gojiyosi.dll
NY -> jotukoma.dll -> C:\WINDOWS\System32\jotukoma.dll
NY -> yimaheri.dll -> C:\WINDOWS\System32\yimaheri.dll
NY -> poyudome.dll -> C:\WINDOWS\System32\poyudome.dll
[Custom Items]
:files
C:\WINDOWS\tasks\*.job
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=""
:end
[Empty Temp Folders]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
This will create a log in C:\_OTS\MovedFiles\<date>_<time>.txt where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.

STEP 2

Run OTS again and click on the Quick Scan button at the top. Attach the results of this scan in your next reply.

mom4jdc · 09-Nov-2009, 10:11 PM **#10**

Okay...I started OTS with the pasted fix and about 30 seconds into the scan I got an "Old Timer Scanner has encountered a problem and needs to close..." box followed by a "OTS:OTS.exe-Bad Image" box which says "The application or DLL C:\WINDOWS\microsoftdef.dll is not a valid image. Please check against your installation diskette." in the body and an Okay box.

Right now it's just sitting here. Do you want me to click okay and let it completely shut down or.....?

NeonFx · 09-Nov-2009, 10:23 PM **#11**

Those errors will appear sometimes. When you press OK the fix should continue normally.

mom4jdc · 09-Nov-2009, 10:25 PM **#12**

Thanks...I was scared to click. I seems to be running fine now.

mom4jdc · 09-Nov-2009, 10:54 PM **#13**

Quick question....OTS seems like it has been "stuck" for a while now. The bar at the bottom has been saying "Emptying RecycleBin" for about 20 minutes now. Is that normal or is it frozen?

Again, THANK YOU so very much for your help.

NeonFx · 09-Nov-2009, 11:00 PM **#14**

It does get stuck there sometimes, but it's probably still working. Especially if you haven't had your temporary files cleaned out lately. If it does get stuck, or seems to stay that way for much longer, you'll need to force it closed and restart your computer. Then run the same fix again and it should run much smoother the second time.

mom4jdc · 10-Nov-2009, 01:32 AM **#15**

Yeah..things are getting better. Still having trouble with load times but I see an improvement. And, so far, no Personal Guard popups.

Here are the logs from Step one. I'm going back to do the quick scan. I didn't want to take the chance of losing those scans.

Tag Cloud
access acer asus bios bsod computer crash desktop dns driver drivers error ethernet excel freeze gaming graphics hard drive hardware hdmi internet laptop malware memory monitor motherboard network printer problem ram registry repair router slow software sound trojan ubuntu 11.10 uninstall usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!