Security Tool Virus and ad pop ups


  • This topic is locked
27 replies to this topic

#1 Slack

Slack

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:06 AM

Posted 12 November 2009 - 01:27 PM

My computer has been infected by the Security Tool virus for several weeks now. I have tried to remove it with PC Tools Spyware Doctor and it seems to get rid of the Security Tool pop ups temporarily (I still get other pop up ads while on the internet). It will go for a couple of days like this and then the Security Tool will come back and I have to go through the process of deleting it again. Please Help! Below are the DDS, Attach, and Rootrepeal scans. Thank you.

DDS (Ver_09-10-26.01) - NTFSx86
Run by UserOne at 11:31:28.10 on Thu 11/12/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1085 [GMT -6:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxducoms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Program Files\Lexmark 5600-6600 Series\ezprint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\UserOne\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [lxdumon.exe] "c:\program files\lexmark 5600-6600 series\lxdumon.exe"
mRun: [EzPrint] "c:\program files\lexmark 5600-6600 series\ezprint.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [99518840] c:\documents and settings\all users\application data\99518840\99518840.exe
mRun: [71246727] c:\documents and settings\all users\application data\71246727\71246727.exe
mRun: [kozajazil] Rundll32.exe "c:\windows\system32\lojaloke.dll",a
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\microsoft office\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\fareruta.dll c:\windows\system32\kadisevo.dll c:\windows\system32\dinizuha.dll c:\windows\system32\mafutaje.dll kakojubo.dll c:\windows\system32\lojaloke.dll
SSODL: miherowos - {f8fbd46c-da5c-402d-a7be-353ee4d05569} - c:\windows\system32\fareruta.dll
SSODL: gakapedak - {103fa4dc-0fef-4d2b-94f4-dc7fd2e3b1b0} - c:\windows\system32\dinizuha.dll
SSODL: mujabanay - {ac5f15a2-c3fe-43f7-a92a-df9d3c9711a6} - c:\windows\system32\mafutaje.dll
SSODL: powogezum - {444af847-c1b5-4249-84ce-a4393f628e6e} - c:\windows\system32\lojaloke.dll
STS: gahurihor: {f8fbd46c-da5c-402d-a7be-353ee4d05569} - c:\windows\system32\fareruta.dll
STS: {796bf4ee-d947-43e7-bdd6-f19379a7a05e} - No File
STS: tokatiluy: {103fa4dc-0fef-4d2b-94f4-dc7fd2e3b1b0} - c:\windows\system32\dinizuha.dll
STS: kupuhivus: {ac5f15a2-c3fe-43f7-a92a-df9d3c9711a6} - c:\windows\system32\mafutaje.dll
STS: jugezatag: {444af847-c1b5-4249-84ce-a4393f628e6e} - c:\windows\system32\lojaloke.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli m ??$ zidajaji.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\userone\applic~1\mozilla\firefox\profiles\sbipzz3y.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-31 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-10-26 206256]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]
R2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-10-26 348824]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-3-1 87936]
S2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxduserv.exe [2009-5-8 98984]

=============== Created Last 30 ================

2009-11-12 16:34:53 0 d-----w- c:\program files\Carbonite
2009-11-12 16:34:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Carbonite
2009-11-12 15:42:39 0 d-----w- c:\program files\Cobian Backup 8
2009-11-12 01:13:57 0 d-----w- c:\docume~1\alluse~1\applic~1\71246727
2009-11-10 14:59:08 0 d-----w- c:\program files\Microsoft
2009-10-31 14:59:28 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-31 13:58:02 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-31 13:57:56 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-31 13:56:12 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-31 11:22:38 3 --sh--w- c:\windows\system32\towozoha.dll
2009-10-31 11:22:35 3 --sh--w- c:\windows\system32\vopuvemi.dll
2009-10-30 13:11:07 135680 ----a-w- c:\windows\system32\explorer.exe
2009-10-29 22:32:15 0 d-----w- c:\docume~1\alluse~1\applic~1\99518840
2009-10-27 13:43:06 0 d-----w- c:\docume~1\alluse~1\applic~1\28252827
2009-10-26 16:15:40 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-26 14:27:36 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-26 14:27:27 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-26 14:27:27 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-10-26 14:27:27 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-26 14:27:20 0 d-----w- c:\program files\common files\PC Tools
2009-10-26 14:27:19 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-26 14:27:11 0 d-----w- c:\program files\Spyware Doctor
2009-10-26 14:27:11 0 d-----w- c:\docume~1\userone\applic~1\PC Tools
2009-10-26 14:27:11 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-10-21 14:55:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-21 14:50:54 4045544 ----a-w- C:\mbam-setup.exe
2009-10-21 14:31:47 3550592 ----a-w- C:\explorer.exe
2009-10-20 20:58:25 0 d-sh--w- c:\documents and settings\userone\PrivacIE
2009-10-20 20:54:27 0 d-----w- c:\docume~1\alluse~1\applic~1\09836935
2009-10-20 16:42:39 0 d-sh--w- c:\documents and settings\userone\IETldCache
2009-10-20 16:35:26 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-20 16:35:24 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-20 16:35:15 0 d-----w- c:\windows\ie8updates
2009-10-20 16:34:52 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-20 16:32:21 0 dc-h--w- c:\windows\ie8
2009-10-20 15:38:49 0 d-----w- c:\windows\system32\scripting
2009-10-20 15:38:48 0 d-----w- c:\windows\system32\en
2009-10-20 15:38:48 0 d-----w- c:\windows\system32\bits
2009-10-20 15:38:48 0 d-----w- c:\windows\l2schemas

==================== Find3M ====================

2009-09-17 15:53:04 70984 ----a-w- c:\documents and settings\userone\g2mdlhlpx.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 13:52:40 33308 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-18 04:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-10 14:31:40 53760 --sha-w- c:\windows\system32\dekoyemu.dll
2009-07-28 13:41:11 37888 --sha-w- c:\windows\system32\dodedeva.dll
2007-03-02 20:14:30 5 --sha-w- c:\windows\system32\fadeafcfd5_d.dll
2009-07-30 12:44:54 38912 --sha-w- c:\windows\system32\forukabe.dll
2009-08-09 14:42:35 38912 --sha-w- c:\windows\system32\hiniripa.dll
2009-08-10 14:32:18 53760 --sha-w- c:\windows\system32\jopinowo.dll
2009-08-10 14:32:18 53760 --sha-w- c:\windows\system32\kakojubo.dll
2009-07-28 01:40:49 37888 --sha-w- c:\windows\system32\kapidapu.dll
2009-08-09 14:42:35 91648 --sha-w- c:\windows\system32\lejiwafe.dll
2009-08-10 14:31:40 92160 --sha-w- c:\windows\system32\lifikano.dll
2009-08-12 14:23:05 92672 --sha-w- c:\windows\system32\lojaloke.dll
2009-08-11 13:14:58 39424 --sha-w- c:\windows\system32\mikasova.dll
2009-07-21 14:03:02 51712 --sha-w- c:\windows\system32\nadojizu.dll
2009-08-10 14:31:41 39424 --sha-w- c:\windows\system32\nonowoda.dll
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/28/2007 1:46:35 PM
System Uptime: 11/12/2009 8:55:48 AM (3 hours ago)

Motherboard: Dell Inc. | |
Processor: Intel® Pentium® M processor 1.60GHz | Microprocessor | 1324/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 24.098 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
a-squared Free 2.1
Ad-Aware
Ad-Aware SE Personal
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
ALPS Touch Pad Driver
Apple Application Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Avira AntiVir Personal - Free Antivirus
Broadcom Gigabit Integrated Controller
C-Major Audio
Carbonite
Conexant D110 MDC V.92 Modem
Dell Wireless WLAN Card
Easy CD Creator 5 Basic
Free Easy Burner V 1.0.313
GoToMeeting 4.1.0.366
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB970653-v3)
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PROSet/Wireless Software
Java™ 6 Update 13
Java™ 6 Update 4
Java™ 6 Update 5
Java™ SE Runtime Environment 6
K-Lite Codec Pack 3.1.5 Full
Lexmark 5600-6600 Series
Lexmark Printable Web
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Project 2007 Service Pack 1 (SP1)
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
Mozilla Firefox (3.0.14)
mPfMgr
mPfWiz
mProSafe
mSSO
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
mWlsSafe
mWMI
mXML
mZConfig
Pdf995
PowerDVD 5.7
QuickTime
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Project 2007 (KB949046)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
Skype web features
Skype™ 4.1
Spell Checker For OE 2.1
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy 1.5.2.20
Spyware Doctor 6.1
Texas Instruments PCIxx21/x515 drivers.
TI_Inst
Tweakui Powertoy for Windows XP
TweetDeck
Update for 2007 Microsoft Office System (KB967642)
Update for Outlook 2007 Junk Email Filter (KB974810)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

11/9/2009 5:35:43 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer OFFICECOMPUTER that believes that it is the master browser for the domain on transport NetBT_Tcpip_{2A6A90A3-5BE1. The master browser is stopping or an election is being forced.
11/9/2009 3:10:15 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxduCATSCustConnectService service to connect.
11/9/2009 3:10:15 PM, error: Service Control Manager [7000] - The lxduCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/12/2009 9:13:22 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\taskmgr.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
11/12/2009 9:04:51 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file taskmgr.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
11/10/2009 8:51:00 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

==== End Of File ===========================

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/12 11:38
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xBAECB000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB20E7000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xba6e4d72

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xba6c59a6

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xba6c5b98

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xbaea14c4

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xba6e5568

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xba6e5820

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xba6e3a80

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xbaea14b0

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xbaea14b5

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xba6e5c8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xba6e5036

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xbaea14bf

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xbaea14ba

==EOF==
2009-08-09 02:43:52 38400 --sha-w- c:\windows\system32\nozuzito.dll
2009-08-12 01:13:41 39424 --sha-w- c:\windows\system32\pozogere.dll
2009-07-26 13:10:24 52224 --sha-w- c:\windows\system32\rajijofa.dll
2009-07-27 13:42:21 51200 --sha-w- c:\windows\system32\rarayuna.dll
2009-07-27 13:42:22 38400 --sha-w- c:\windows\system32\rijikoyi.dll
2009-08-12 01:13:40 112128 --sha-w- c:\windows\system32\saheloju.exe
2009-07-20 20:54:19 3 --sha-w- c:\windows\system32\siguzuwi.dll
2009-08-12 01:13:43 1212987 --sha-w- c:\windows\system32\suhokamo.exe
2009-08-11 13:14:58 92672 --sha-w- c:\windows\system32\telelepu.dll
2009-08-12 14:23:05 39424 --sha-w- c:\windows\system32\yuhisona.dll
2009-08-10 14:32:17 53760 --sha-w- c:\windows\system32\zidajaji.dll

============= FINISH: 11:33:19.03 ===============


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:06 PM

Posted 20 November 2009 - 06:42 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log
  • GMER log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks, and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#3 Slack

Slack
  • Topic Starter

  • Members
  • 13 posts
  • Local time:03:06 AM

Posted 20 November 2009 - 10:21 AM

Elise,

Thanks for getting back to me. I am grateful for your help. Yes, I am still having the same problems with the Security Tool virus popping up every couple of days. Also, I am getting annoying ad pop-ups when I am on the internet.

Below is the information you requested. I didn't include the attach.txt because the instructions didn't specifically ask for it. Let me know if you need it.

Thanks again.

Mat



DDS (Ver_09-10-26.01) - NTFSx86
Run by UserOne at 8:45:08.67 on Fri 11/20/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1168 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxducoms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Program Files\Lexmark 5600-6600 Series\ezprint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Documents and Settings\UserOne\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [lxdumon.exe] "c:\program files\lexmark 5600-6600 series\lxdumon.exe"
mRun: [EzPrint] "c:\program files\lexmark 5600-6600 series\ezprint.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [99518840] c:\documents and settings\all users\application data\99518840\99518840.exe
mRun: [71246727] c:\documents and settings\all users\application data\71246727\71246727.exe
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [66127729] c:\docume~1\alluse~1\applic~1\66127729\66127729.exe
mRun: [kozajazil] Rundll32.exe "c:\windows\system32\hayeluze.dll",a
IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\microsoft office\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\fareruta.dll c:\windows\system32\kadisevo.dll c:\windows\system32\dinizuha.dll c:\windows\system32\mafutaje.dll kakojubo.dll c:\windows\system32\lojaloke.dll c:\windows\system32\kihinuga.dll c:\windows\system32\sekapehu.dll c:\windows\system32\gifeleho.dll c:\windows\system32\hayeluze.dll
SSODL: miherowos - {f8fbd46c-da5c-402d-a7be-353ee4d05569} - c:\windows\system32\fareruta.dll
SSODL: gakapedak - {103fa4dc-0fef-4d2b-94f4-dc7fd2e3b1b0} - c:\windows\system32\dinizuha.dll
SSODL: mujabanay - {ac5f15a2-c3fe-43f7-a92a-df9d3c9711a6} - c:\windows\system32\mafutaje.dll
SSODL: werebizuf - {f9d6d570-3755-41bc-a0be-0ce962fdd926} - c:\windows\system32\kihinuga.dll
SSODL: fazevapim - {abde5ed8-85c3-432a-8739-659d174b2288} - c:\windows\system32\hayeluze.dll
STS: gahurihor: {f8fbd46c-da5c-402d-a7be-353ee4d05569} - c:\windows\system32\fareruta.dll
STS: {796bf4ee-d947-43e7-bdd6-f19379a7a05e} - No File
STS: tokatiluy: {103fa4dc-0fef-4d2b-94f4-dc7fd2e3b1b0} - c:\windows\system32\dinizuha.dll
STS: kupuhivus: {ac5f15a2-c3fe-43f7-a92a-df9d3c9711a6} - c:\windows\system32\mafutaje.dll
STS: mujuzedij: {f9d6d570-3755-41bc-a0be-0ce962fdd926} - c:\windows\system32\kihinuga.dll
STS: tokatiluy: {abde5ed8-85c3-432a-8739-659d174b2288} - c:\windows\system32\hayeluze.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli m ??$ zidajaji.dll ??* ?;?? $ ?????????????????? ll ??*

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\userone\applic~1\mozilla\firefox\profiles\sbipzz3y.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-31 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-10-26 206256]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-16 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]
R2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-10-26 348824]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-3-1 87936]
S2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxduserv.exe [2009-5-8 98984]

=============== Created Last 30 ================

2009-11-16 16:45:31 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-16 16:44:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-11-12 22:22:20 0 d-----w- c:\windows\system32\NtmsData
2009-11-12 16:34:53 0 d-----w- c:\program files\Carbonite
2009-11-12 16:34:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Carbonite
2009-11-12 15:42:39 0 d-----w- c:\program files\Cobian Backup 8
2009-11-10 14:59:08 0 d-----w- c:\program files\Microsoft
2009-10-31 14:59:28 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-31 13:58:02 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-31 13:57:56 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-31 13:56:12 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-31 11:22:38 3 --sh--w- c:\windows\system32\towozoha.dll
2009-10-31 11:22:35 3 --sh--w- c:\windows\system32\vopuvemi.dll
2009-10-30 13:11:07 135680 ----a-w- c:\windows\system32\explorer.exe
2009-10-26 16:15:40 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-26 14:27:36 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-26 14:27:27 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-26 14:27:27 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-10-26 14:27:27 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-26 14:27:20 0 d-----w- c:\program files\common files\PC Tools
2009-10-26 14:27:19 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-26 14:27:11 0 d-----w- c:\program files\Spyware Doctor
2009-10-26 14:27:11 0 d-----w- c:\docume~1\userone\applic~1\PC Tools
2009-10-26 14:27:11 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-10-21 14:55:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-21 14:50:54 4045544 ----a-w- C:\mbam-setup.exe

==================== Find3M ====================

2009-10-21 14:31:55 3550592 ----a-w- C:\explorer.exe
2009-09-17 15:53:04 70984 ----a-w- c:\documents and settings\userone\g2mdlhlpx.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 13:52:40 33308 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-16 14:51:38 1209915 --sha-w- c:\windows\system32\bimefili.exe
2009-08-20 02:19:15 39424 --sha-w- c:\windows\system32\bumujune.dll
2009-08-10 14:31:40 53760 --sha-w- c:\windows\system32\dekoyemu.dll
2009-07-28 13:41:11 37888 --sha-w- c:\windows\system32\dodedeva.dll
2009-08-19 14:19:10 39424 --sha-w- c:\windows\system32\dorebobo.dll
2007-03-02 20:14:30 5 --sha-w- c:\windows\system32\fadeafcfd5_d.dll
2009-07-30 12:44:54 38912 --sha-w- c:\windows\system32\forukabe.dll
2009-08-18 14:20:01 39424 --sha-w- c:\windows\system32\guhiziho.dll
2009-08-20 14:19:20 92672 --sha-w- c:\windows\system32\hayeluze.dll
2009-08-09 14:42:35 38912 --sha-w- c:\windows\system32\hiniripa.dll
2009-08-10 14:32:18 53760 --sha-w- c:\windows\system32\jopinowo.dll
2009-08-10 14:32:18 53760 --sha-w- c:\windows\system32\kakojubo.dll
2009-07-28 01:40:49 37888 --sha-w- c:\windows\system32\kapidapu.dll
2009-08-10 14:31:40 92160 --sha-w- c:\windows\system32\lifikano.dll
2009-08-16 14:51:39 39424 --sha-w- c:\windows\system32\meridewa.dll
2009-08-20 14:19:20 39424 --sha-w- c:\windows\system32\mojujebu.dll
2009-08-17 14:09:45 61440 --sha-w- c:\windows\system32\mubodigi.dll
2009-08-16 14:51:38 93184 --sha-w- c:\windows\system32\nabukeyu.dll
2009-07-21 14:03:02 51712 --sha-w- c:\windows\system32\nadojizu.dll
2009-08-10 14:31:41 39424 --sha-w- c:\windows\system32\nonowoda.dll
2009-08-20 02:19:15 93184 --sha-w- c:\windows\system32\nupuzidu.dll
2009-07-26 13:10:24 52224 --sha-w- c:\windows\system32\rajijofa.dll
2009-07-27 13:42:21 51200 --sha-w- c:\windows\system32\rarayuna.dll
2009-08-19 02:18:49 39424 --sha-w- c:\windows\system32\rayedutu.dll
2009-07-27 13:42:22 38400 --sha-w- c:\windows\system32\rijikoyi.dll
2009-07-20 20:54:19 3 --sha-w- c:\windows\system32\siguzuwi.dll
2009-08-13 14:36:48 61440 --sha-w- c:\windows\system32\teteripe.dll
2009-08-18 02:08:06 39424 --sha-w- c:\windows\system32\tiledovo.dll
2009-08-16 14:51:38 60928 --sha-w- c:\windows\system32\vutofudi.dll
2009-08-17 14:09:44 1144448 --sha-w- c:\windows\system32\wemipipo.exe
2009-08-17 14:09:44 39424 --sha-w- c:\windows\system32\wevetora.dll
2009-08-10 14:32:17 53760 --sha-w- c:\windows\system32\zidajaji.dll

============= FINISH: 8:46:15.12 ===============


GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-20 09:11:09
Windows 5.1.2600 Service Pack 3
Running: 2fvwi9c6.exe; Driver: C:\DOCUME~1\UserOne\LOCALS~1\Temp\uwlorkod.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xBA6E4D72]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xBA6C59A6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xBA6C5B98]
SSDT BAF8E7C4 ZwCreateThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xBA6E5568]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xBA6E5820]
SSDT BAF8E7E2 ZwLoadKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xBA6E3A80]
SSDT BAF8E7B0 ZwOpenProcess
SSDT BAF8E7B5 ZwOpenThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xBA6E5C8A]
SSDT BAF8E7EC ZwReplaceKey
SSDT BAF8E7E7 ZwRestoreKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xBA6E5036]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xBA6C5656]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Apoint\Apntex.exe[216] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EA0001
.text C:\Program Files\Apoint\Apntex.exe[216] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Apoint\HidFind.exe[236] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BA0001
.text C:\Program Files\Apoint\HidFind.exe[236] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\spoolsv.exe[356] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01120001
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[380] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01370001
.text C:\WINDOWS\system32\lxducoms.exe[612] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01350001
.text C:\WINDOWS\System32\dllhost.exe[672] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00870001
.text C:\WINDOWS\System32\dllhost.exe[672] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\csrss.exe[716] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01440001
.text C:\WINDOWS\system32\winlogon.exe[740] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 015A0001
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FF0001
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01030001
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FA0001
.text ...
.text C:\Program Files\Windows Live\Contacts\wlcomm.exe[1964] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Java\jre6\bin\jqs.exe[1996] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 015A0001
.text C:\WINDOWS\System32\vssvc.exe[2184] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00870001
.text C:\WINDOWS\System32\vssvc.exe[2184] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2232] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00970001
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2232] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[2536] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00970001
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[2536] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2608] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D70001
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2608] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2828] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00970001
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2828] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Skype\Phone\Skype.exe[3024] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02D30001
.text C:\Program Files\Skype\Phone\Skype.exe[3024] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Apoint\Apoint.exe[3200] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F00001
.text C:\Program Files\Apoint\Apoint.exe[3200] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe[3236] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D20001
.text C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe[3236] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Lexmark 5600-6600 Series\ezprint.exe[3324] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 011E0001
.text C:\Program Files\Lexmark 5600-6600 Series\ezprint.exe[3324] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3332] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F70001
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3332] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe[3432] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 012D0001
.text C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe[3432] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01060001
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F3C0F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F350F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [3A, 5F]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3480] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F3F0F5A
.text C:\Documents and Settings\UserOne\Desktop\2fvwi9c6.exe[3548] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\ctfmon.exe[3572] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D30001
.text C:\WINDOWS\system32\ctfmon.exe[3572] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3760] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 016E0001
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3760] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\System32\dllhost.exe[3924] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00870001
.text C:\WINDOWS\System32\dllhost.exe[3924] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\System32\msdtc.exe[4024] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00870001
.text C:\WINDOWS\System32\msdtc.exe[4024] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

---- EOF - GMER 1.0.15 ----
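As an added illustration (not code from this thread, from DDS or from GMER), the following Python script applies two triage heuristics to lines from the Pseudo HJT Report above: Run entries named by a number that launch <n>\<n>.exe, and eight-letter consonant/vowel DLL names (hayeluze.dll, fareruta.dll) scored by how many distinct load mechanisms reference them. The consonant/vowel test is an assumption used as a hint rather than a signature, and the sample lines are copied from the log above (the LSA line shortened to its readable part); a Notify entry and an ordinary Run entry are included to show what the script leaves alone.

```python
r"""Triage heuristics for the 'Pseudo HJT Report' section of a DDS log.

Added example, not code from this thread or from the DDS tool. It flags:
  * [um]Run entries whose value name, folder and file name are the same
    number, the shape of the Security Tool entries in the log above;
  * DLLs with eight-letter consonant/vowel names referenced from
    AppInit_DLLs, SSODL, STS, LSA or a Rundll32 Run key, scored by how
    many distinct mechanisms load the same DLL.
The name test is an assumption used as a hint, not a signature.
"""
import re
from collections import defaultdict

# Run entries shaped like [<n>] ...\<n>\<n>.exe (\1 refers back to the number).
NUMERIC_RUN = re.compile(r"^[um]Run: \[(\d+)\] .*\\\1\\\1\.exe$", re.I)

# Eight lowercase letters alternating consonant/vowel, followed by .dll.
CV_DLL = re.compile(r"(?<![\w.])((?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.dll)\b")

# DDS line prefixes that describe a mechanism which loads a DLL.
LOADERS = ("AppInit_DLLs:", "SSODL:", "STS:", "LSA:", "mRun:", "uRun:")


def find_numeric_run_entries(lines):
    """Return the numbers used by <n>\\<n>.exe Run entries, in log order."""
    hits = []
    for line in lines:
        m = NUMERIC_RUN.match(line.strip())
        if m:
            hits.append(m.group(1))
    return hits


def map_random_dlls(lines):
    """Map each consonant/vowel DLL name to the set of mechanisms loading it."""
    loaders = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        mech = next((p.rstrip(":") for p in LOADERS if line.startswith(p)), None)
        if mech is None:
            continue
        if mech in ("mRun", "uRun"):
            # A plain Run key starts an .exe; only Rundll32 entries load a DLL.
            if "rundll32" not in line.lower():
                continue
            mech = "Rundll32"
        for dll in CV_DLL.findall(line):
            loaders[dll].add(mech)
    return dict(loaders)


def triage(lines, min_loaders=2):
    """Return (dll, sorted mechanisms) for DLLs wired into at least
    min_loaders distinct mechanisms, most widely referenced first."""
    hits = [(dll, sorted(m)) for dll, m in map_random_dlls(lines).items()
            if len(m) >= min_loaders]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


# Sample lines taken from the DDS log above; the Notify line and the ISTray
# Run entry are there to show what the heuristics leave alone.
SAMPLE = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [99518840] c:\documents and settings\all users\application data\99518840\99518840.exe
mRun: [71246727] c:\documents and settings\all users\application data\71246727\71246727.exe
mRun: [66127729] c:\docume~1\alluse~1\applic~1\66127729\66127729.exe
mRun: [kozajazil] Rundll32.exe "c:\windows\system32\hayeluze.dll",a
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\fareruta.dll c:\windows\system32\dinizuha.dll kakojubo.dll c:\windows\system32\hayeluze.dll
SSODL: miherowos - {f8fbd46c-da5c-402d-a7be-353ee4d05569} - c:\windows\system32\fareruta.dll
SSODL: fazevapim - {abde5ed8-85c3-432a-8739-659d174b2288} - c:\windows\system32\hayeluze.dll
STS: gahurihor: {f8fbd46c-da5c-402d-a7be-353ee4d05569} - c:\windows\system32\fareruta.dll
STS: tokatiluy: {abde5ed8-85c3-432a-8739-659d174b2288} - c:\windows\system32\hayeluze.dll
LSA: Notification Packages = scecli zidajaji.dll
""".strip().splitlines()

if __name__ == "__main__":
    for n in find_numeric_run_entries(SAMPLE):
        print(f"numeric Run entry: [{n}] -> {n}\\{n}.exe")
    for dll, mechs in triage(SAMPLE):
        print(f"{dll}: loaded via {', '.join(mechs)}")
```

A DLL that shows up under AppInit_DLLs, SSODL, STS and a Rundll32 Run key at once is the kind of entry a helper would query first; a single-mechanism match such as zidajaji.dll only appears when min_loaders is lowered.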

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:06 PM

Posted 20 November 2009 - 12:55 PM

Hello Slack,

Well done! Let's start some serious malware kicking here!

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.


In your next reply, please include the following:
  • MBAM log
  • A new DDS log.

regards, Elise




#5 Slack

Slack
  • Topic Starter

  • Members
  • 13 posts
  • Local time:03:06 AM

Posted 20 November 2009 - 01:24 PM

Elise,

I received an error after hitting finish on the install of Malwarebytes that read:

Unable to execute file:
c:\Program files\Malwarebytes' Anti-Malware\mbam.exe
Create Process Failed; Code 2.
System Cannot Find the file specified.

How should I proceed?

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:06 PM

Posted 20 November 2009 - 01:45 PM

Do you have access to a clean (= free of malware) computer where you can install MBAM?

If so, install MBAM there, and after that copy the following file to your infected computer:

c:\Program Files\Malwarebytes Antimalware\mbam.exe

You should replace that same file on your infected computer with the mbam.exe from the clean computer.


If you need more help with this or if you have no access to a clean computer, please let me know :(

regards, Elise




#7 Slack

Slack
  • Topic Starter

  • Members
  • 13 posts
  • Local time:03:06 AM

Posted 20 November 2009 - 03:04 PM

I am having difficulty.

I downloaded it onto a clean computer, no problems. I copied the folder onto a removable disk to transfer it to my other computer. After loading it onto the infected computer and clicking on the mbam.exe file, I get two error boxes. 1st:

vb Accelerator SGrid ll Control
Run Time error '0'

2nd error box:

Malwarebytes Anti-Malware
Run Time error '440'
Automation Error


I may be doing something wrong on the Copy process. Can you explain the best way to move the download from the healthy computer to the infected one?

Thanks

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:06 PM

Posted 20 November 2009 - 03:13 PM

Hello Slack,

Don't worry, I think you successfully copied the file; it's just that the malware on your computer likes making life hard on you :( Let's try this a little differently.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


If Combofix ran successfully, please try re-running MBAM.

In your next reply, please include the following:
  • Combofix.txt
  • A new DDS log.

regards, Elise


#9 Slack

Slack
  • Topic Starter

  • Members
  • 13 posts
  • Local time:03:06 AM

Posted 20 November 2009 - 05:19 PM

Elise,

Everything seemed to be going great. I downloaded Combofix and went through the process with no problems. Then I was able to go back and successfully download the MBAM. It went through the scan and found viruses, then it went through the removal process and finished and produced the log. It then said that the computer needed to be rebooted. I rebooted; while rebooting a blue screen came up that said "A problem has been detected and windows has been shut down to prevent damage to your computer."

How should I proceed?

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:06 PM

Posted 21 November 2009 - 04:28 AM

Hello Slack,

Well, that obviously was not what we intended :( Let's find out what causes this and how we can get things back in working order!

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

We Need to Diagnose Your BlueScreen
  • When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  • Select "Disable Automatic Restart on System Failure", as shown here:
    Posted Image
  • When your system BSODs, write down the STOP error code, as well as any written out error message back here. The STOP error will always appear, but the message may not. You are looking for this:
    Posted Image
  • Restart your computer
  • Before Windows loads, you will be prompted to choose which Operating System to start
  • Use the up and down arrow key to select Microsoft Windows Recovery Console
  • You must enter which Windows installation to log onto. Type 1 and press enter.
  • At the C:\Windows prompt, type the following bolded text, and press Enter:

    exit
This should restart your computer.

Let me know if you were able to do those things. If so, we are going to try to copy the logs from mbam and Combofix to a flash drive. For that I need to know if you have a flashdrive at hand and if you know the drive letter of your flashdrive. Based on what I see that would be E:\

Please include the following in your next reply:
- Description of the BSOD code
- Let me know if you can access the Recovery Console as instructed (if not, let me know if you have an XP installation CD)
- Let me know if you have a flashdrive and if you can confirm the drive letter is E:\


regards, Elise


#11 Slack

Slack
  • Topic Starter

  • Members
  • 13 posts
  • Local time:03:06 AM

Posted 22 November 2009 - 09:12 AM

Elise,

I went through the steps and the computer did not restart.

After I entered "exit" at the C:\Windows prompt the screen went back to the Choose which Operating System To Start screen for a split second, then went to the screen with Start Windows Normally highlighted and the Safe Mode options. I let it time out and it went back to the blue screen. Should I choose the Start Windows Normally command that is highlighted?

The BSOD code is: 0x0000007B
I was able to access the Recovery Console
I do not have an XP install CD
I do have a Flash drive
I believe that you are correct that the drive is E:\ (wasn't able to check since the computer didn't restart)

Thanks

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:06 PM

Posted 22 November 2009 - 10:05 AM

Hello Slack,

Well done so far :( Let's see if we can retrieve the Combofix and MBAM logs, so I can see what has been deleted that might cause this problem. Make sure your flashdrive is plugged into your computer!
  • Restart your computer
  • Before Windows loads, you will be prompted to choose which Operating System to start
  • Use the up and down arrow key to select Microsoft Windows Recovery Console
  • You must enter which Windows installation to log onto. Type 1 and press enter.
  • At the C:\Windows prompt, type each of the following bolded lines, and press Enter after each line:

    set AllowAllPaths = TRUE

    set AllowRemovableMedia = TRUE

    copy c:\combofix.txt e:\

    copy "%appdata%"\Malwarebytes\Malwarebytes' Anti-Malware\Logs e:\

    exit
Your computer will now restart and your flash drive will contain two files: combofix.txt and a folder called Logs (which contains the MBAM log). Please copy both the combofix log and the MBAM log in your next reply.

regards, Elise


#13 Slack

Slack
  • Topic Starter

  • Members
  • 13 posts
  • Local time:03:06 AM

Posted 22 November 2009 - 10:42 AM

I typed in; copy c:combofix.txt e:\

And got a message; There is no floppy disk or CD in the drive

I tried f:\ also and got the same message

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:06 PM

Posted 22 November 2009 - 11:21 AM

Okay, there are two things we can try. :(

First of all, try to replace e: with all possible drive letters, beginning with d: (most likely d: will tell you it cannot write to the drive), up to z:
See if you get a working drive letter (do not try c:, this will overwrite the existing log).

If that does not work, type the following bold line and press enter (make sure you have already typed the first two lines I gave in my previous post, the two lines that start with "set"). Note, the word "type" is part of the command.

type c:\combofix.txt

This will display the combofix log (to see the second page, press space).
First you will see a header with some information about date, computer and so on. Then you will see a section Other deletions
It's not needed to list all Other Deletions files, just look for files in c:\windows\system32\drivers
Also, look if you see the following Infected copy of <filename> was found, restored copy from....

List these files in your next reply.

I am aware this can be quite some typing to do, my apologies for that.

regards, Elise


#15 Slack

Slack
  • Topic Starter

  • Members
  • 13 posts
  • Local time:03:06 AM

Posted 22 November 2009 - 11:55 AM

Here you go.

This is the only \drivers\ in the Other Deletions section:

c:\windows\system32\drivers\pciide.sys



Above that it says: Combofix encountered a terminal error!! Please upload this file - c:\combofix_error.dat
to: http://www.bleepingcomputer.com/submit-malware.php?channel=4

In the section, Files Created from 10-20 to 11-20, there are several \drivers\ listed, do you want to see those?
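One way to do the log triage Elise describes in #14 (and that turned up pciide.sys in #15) without retyping the whole log, as an added example that is not ComboFix's, Malwarebytes' or the forum's own code: a small Python script that splits a ComboFix-style log into its banner-delimited sections, lists the deletions under \windows\system32\drivers, pairs each "Infected copy of ..." line with the "Restored copy from" line that follows it, and flags deleted drivers that XP needs to reach the boot volume (a missing boot-start storage driver is the textbook cause of STOP 0x0000007B, INACCESSIBLE_BOOT_DEVICE). The banner format, the sample log and the list of boot-start driver names are assumptions made for this example.

```python
"""Triage a ComboFix-style log: driver deletions and disinfected files.

Added example for this thread, not ComboFix or BleepingComputer code.
Assumption: section titles sit on banner lines wrapped in parentheses,
e.g. "((((   Other Deletions   ))))", with one entry per line beneath.
"""
import re

# Constructed sample log for the example (not a real ComboFix log).
SAMPLE_LOG = r"""ComboFix 09-11-21.01 - UserOne 11/21/2009  18:02 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3 [GMT -6:00]
.
((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))
.
c:\documents and settings\UserOne\Local Settings\Application Data\12345678\12345678.exe
c:\windows\system32\drivers\pciide.sys
c:\windows\Temp\bad.tmp
.
Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((   Files Created from 2009-10-21 to 2009-11-21   ))))))))))))))))))))))))))))))
.
2009-11-20 21:15 . 2009-11-20 21:15   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-20 21:15 . 2009-11-20 21:15   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
.
((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))
"""

BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")
DRIVER_PATH = re.compile(r"c:\\windows\\system32\\drivers\\\S+", re.IGNORECASE)
INFECTED = re.compile(r"^Infected copy of (\S+) was found", re.IGNORECASE)
RESTORED = re.compile(r"^Restored copy from - (.+)$", re.IGNORECASE)

# Assumed list of XP boot-start storage drivers; losing any of these
# typically yields STOP 0x0000007B on the next boot. Extend as needed.
BOOT_START_STORAGE = {
    "atapi.sys", "pciide.sys", "pciidex.sys", "intelide.sys",
    "disk.sys", "classpnp.sys", "ntfs.sys",
}


def split_sections(log):
    """Map each banner title to the non-empty, non-'.' lines beneath it."""
    sections = {"header": []}
    current = "header"
    for line in log.splitlines():
        m = BANNER.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        stripped = line.rstrip()
        if stripped and stripped != ".":
            sections[current].append(stripped)
    return sections


def find_section(sections, title_prefix):
    """Return the lines of the first section whose title starts with title_prefix."""
    for title, lines in sections.items():
        if title.lower().startswith(title_prefix.lower()):
            return lines
    return []


def deleted_drivers(log):
    """Paths under system32\\drivers listed in 'Other Deletions' (not the disinfection notes)."""
    hits = []
    for line in find_section(split_sections(log), "Other Deletions"):
        if INFECTED.match(line) or RESTORED.match(line):
            continue
        m = DRIVER_PATH.search(line)
        if m:
            hits.append(m.group(0))
    return hits


def disinfected_files(log):
    """Pair each 'Infected copy of X' line with the 'Restored copy from' line after it."""
    pairs, pending = [], None
    for line in log.splitlines():
        m = INFECTED.match(line.strip())
        if m:
            pending = m.group(1)
            continue
        m = RESTORED.match(line.strip())
        if m and pending:
            pairs.append((pending, m.group(1).strip()))
            pending = None
    return pairs


def boot_critical_deletions(log):
    """File names of deleted drivers that are in the assumed boot-start set."""
    names = [p.rsplit("\\", 1)[-1].lower() for p in deleted_drivers(log)]
    return [n for n in names if n in BOOT_START_STORAGE]


if __name__ == "__main__":
    print("deleted drivers:", deleted_drivers(SAMPLE_LOG))
    print("disinfected:", disinfected_files(SAMPLE_LOG))
    print("boot-critical:", boot_critical_deletions(SAMPLE_LOG))
```

Run it against a real C:\ComboFix.txt by replacing SAMPLE_LOG with the file's contents; if boot_critical_deletions returns anything, the next step is putting a clean copy of that driver back (ServicePackFiles\i386 or the dllcache) rather than chasing the malware further.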