Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Security Center alerts, BSOD in safe mode start


  • This topic is locked This topic is locked
2 replies to this topic

#1 JonMill

JonMill

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:33 AM

Posted 22 October 2009 - 12:19 PM

I began getting Security Center alerts, along with ProVirus alerts (?) yesterday. My typical route of removing it via Malwarebytes was rendered helpless due to the virus seemingly blocking the program. I removed Malwarebytes, reinstalled it, renamed it and was never successful. I also tried Avira antivirus without success either. Virtue of a forum post I found the idea of searching for a file named with a random set of numbers which is saved in the "application data" folder. I found this file and deleted it, but problems still persist. I also found a new folder (and desktop shortcuts) for "Active Security" which I was able to delete except for one file (coreext.dll). which still remains in the folder within my "Progam Files" folder. Attempting to restart in safe mode results in the BSOD with a message that (paraphrasing) windows is not loading to protect my PC.


DDS (Ver_09-10-13.01) - NTFSx86
Run by Jonathan.Millican at 11:42:52.71 on Thu 10/22/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3038.2383 [GMT -5:00]

AV: Active Security *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\JONATH~1.BHM\LOCALS~1\Temp\wow64main.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Day-Timer Organizer 2000\XServ2k.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\DOCUME~1\JONATH~1.BHM\LOCALS~1\Temp\wscsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Jonathan.Millican.BHM\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.foxnews.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: c:\windows\system32\iuv82ym44d.dll: {a2234b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\iuv82ym44d.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yjafosi8kdf98winmdkmnkmfnwe] c:\docume~1\jonath~1.bhm\locals~1\temp\avp.exe
uRun: [wow64main.exe] c:\docume~1\jonath~1.bhm\locals~1\temp\wow64main.exe
uRun: [system tool] c:\program files\puqkgt\spxnsysguard.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Login Software 2009] c:\docume~1\jonath~1.bhm\locals~1\temp\j9w6nse5q.exe
uRun: [Active Security] "c:\program files\active security\asecurity.exe" -noscan
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [Vsikawubixaxay] rundll32.exe "c:\windows\ohutafuzacanuver.dll",Startup
mRun: [tesahuwob] Rundll32.exe "c:\windows\system32\laraguji.dll",a
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\rickymartin\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\jonath~1.bhm\startm~1\programs\startup\scandisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\expres~1.lnk - c:\program files\day-timer organizer 2000\XServ2k.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1239291756111
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\windows\system32\laraguji.dll,perosaro.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: govofiduy - {9c54a500-192f-4ced-9507-5b85b8eeaa35} - c:\windows\system32\pupezeri.dll
SSODL: vemimonij - {3eaa0603-ddfa-43ce-858a-a0ea18e3713e} - c:\windows\system32\laraguji.dll
STS: c:\windows\system32\iuv82ym44d.dll: {a2234b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\iuv82ym44d.dll
STS: jugezatag: {9c54a500-192f-4ced-9507-5b85b8eeaa35} - c:\windows\system32\pupezeri.dll
STS: mujuzedij: {3eaa0603-ddfa-43ce-858a-a0ea18e3713e} - c:\windows\system32\laraguji.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli ogrolit.dll yejenujo.dll

============= SERVICES / DRIVERS ===============

R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-5-11 47640]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2009-4-9 2521880]
S0 cerc6;cerc6; [x]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2008-7-31 81920]
S2 fastnetsrv;fastnetsrv Service;c:\windows\system32\fastnetsrv.exe --> c:\windows\system32\FastNetSrv.exe [?]
S3 EraserUtilDrv10920;EraserUtilDrv10920;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10920.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10920.sys [?]
S3 isapeep;isapeep;c:\windows\system32\isapeep.sys [2008-4-14 2304]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-10-22 11:25 <DIR> --d----- c:\program files\Active Security
2009-10-22 11:23 <DIR> --d----- c:\program files\Trend Micro
2009-10-22 11:18 <DIR> --d----- c:\program files\RICKYMARTIN
2009-10-21 17:42 148,496 a------- c:\windows\system32\drivers\99302243.sys
2009-10-21 17:41 148,496 a------- c:\windows\system32\drivers\86277165.sys
2009-10-21 17:40 148,496 a------- c:\windows\system32\drivers\17666044.sys
2009-10-21 17:30 <DIR> --d----- c:\windows\pss
2009-10-21 16:49 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-10-21 16:08 120 a------- c:\windows\Ttuyuy.dat
2009-10-21 16:08 0 a------- c:\windows\Frelul.bin
2009-10-21 16:06 121,344 a------- c:\windows\syssvc.exe
2009-10-21 16:04 0 a------- c:\windows\win32k.sys
2009-10-21 16:04 15,000 a------- c:\windows\system32\iuv82ym44d.dll
2009-10-21 16:04 <DIR> --dsh--- c:\windows\system32\lowsec
2009-10-21 16:04 52,736 a------- C:\ldvx.exe
2009-10-21 16:04 48,640 a------- C:\dtacmawh.exe
2009-10-21 16:04 314,368 a------- c:\windows\system32\~.exe
2009-09-24 17:15 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2009-10-22 10:54 1,682 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-10-02 08:07 87,352 a------- c:\windows\system32\LMIinit.dll
2009-10-02 08:07 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2009-10-02 08:07 28,984 a------- c:\windows\system32\LMIport.dll
2009-09-08 08:09 11,552 a------- c:\windows\system32\lmimirr2.dll
2009-09-08 08:09 25,248 a------- c:\windows\system32\lmimirr.dll
2009-08-31 17:08 19,990 a------- c:\windows\rotyt.reg
2009-08-31 17:08 19,493 a------- c:\program files\common files\ejuwesu.dl
2009-08-31 17:08 19,438 a------- c:\program files\common files\igyw.exe
2009-08-31 17:08 18,669 a------- c:\windows\ymydyhi.dll
2009-08-31 17:08 17,090 a------- c:\program files\common files\ozixezoca.vbs
2009-08-31 17:08 16,669 a------- c:\docume~1\alluse~1\applic~1\tafagiv.exe
2009-08-31 17:08 15,843 a------- c:\program files\common files\muserupe.vbs
2009-08-31 17:08 13,875 a------- c:\windows\kivuped.reg
2009-08-31 17:08 12,282 a------- c:\program files\common files\lupetyf.dll
2009-08-31 17:08 12,160 a------- c:\program files\common files\nyhepus.vbs
2009-08-31 17:08 12,053 a------- c:\program files\common files\inidelofu.scr
2009-08-31 16:50 19,555 a------- c:\windows\yferovy.reg
2009-08-31 16:50 19,462 a------- c:\docume~1\jonath~1.bhm\applic~1\ynyqajav.scr
2009-08-31 16:50 17,879 a------- c:\docume~1\alluse~1\applic~1\ygep.reg
2009-08-31 16:50 15,200 a------- c:\windows\system32\eqynigyv.bin
2009-08-31 16:50 13,481 a------- c:\windows\fovozo.pif
2009-08-31 16:50 12,547 a------- c:\docume~1\alluse~1\applic~1\ezywa.pif
2009-08-31 15:33 18,258 a------- c:\program files\common files\voqetut.lib
2009-08-31 15:33 16,329 a------- c:\windows\otogoqibi.vbs
2009-08-31 15:33 14,730 a------- c:\program files\common files\niwykut._dl
2009-08-31 15:33 13,475 a------- c:\docume~1\alluse~1\applic~1\lanoniso.vbs
2009-08-31 15:33 12,957 a------- c:\windows\tohabi.dat
2009-08-31 15:33 11,951 a------- c:\program files\common files\tigiqonub.dll
2009-08-31 15:33 11,883 a------- c:\windows\idima.reg
2009-08-31 15:33 11,627 a------- c:\docume~1\alluse~1\applic~1\jebu.sys
2009-04-09 11:52 88 ---shr-- c:\docume~1\alluse~1\applic~1\9BE18B2552.sys

============= FINISH: 11:43:56.14 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:33 AM

Posted 31 October 2009 - 10:56 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:33 AM

Posted 05 November 2009 - 05:25 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
_temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users