Old 4 Weeks Ago   #1
Bronze Member
 
Join Date: Jun 2008
Posts: 34
PC Experience: Very Experienced
Security Tool - LSAS.Blaster.keyloger

My friend has done it again; clicked on something he should not have on the internet and now he's infected with Security Tool, which keeps popping up to say harmful software has been detected and he should register to get rid of it. He tried to run Malwarebytes but it gets halfway through and then shuts the machine down. He can't run Spybot - it says it is infected; and nothing happens when he runs Ad-Aware. I had him try to run Revo Uninstaller, but nothing comes up.

Any suggestions?
miken707
Old 4 Weeks Ago   #2
Tech Support Team
 
 
Join Date: Sep 2008
Location: Caldwell, New Jersey
Posts: 10,112
PC Experience: Always Learning New Things
Re: Security Tool - LSAS.Blaster.keyloger

miken,

Please review the link for Prework located in my signature. This will guide you through the tried and tested method for Malware Removal here at PCHF. Once you have read the thread in its entirety and anything linked from it, please download and run the requested programs and post back here with the logfiles generated, and we'll go from there.
__________________
Crush aka Chris
[Prework][Afterwork][PCHF Rules][BSOD's][SFC][Screenshots][PC Specs][Donate]
I am in fact, quite cool. My graphing calculator confirms this

Crush
Old 4 Weeks Ago   #3
Bronze Member
 
Join Date: Jun 2008
Posts: 34
PC Experience: Very Experienced
Re: Security Tool - LSAS.Blaster.keyloger

Crush,

We are unable to execute any program. I downloaded all the programs from the pre-work onto a USB drive and tried to execute them from there on my friend's computer. However, every time I try to execute anything, there is a beep, and then nothing. I tried to get Task Manager up, but it flashed on the screen and then closed.

Not looking good.

MikeN
miken707
Old 4 Weeks Ago   #4
Tech Support Team
 
 
Join Date: Sep 2008
Location: Caldwell, New Jersey
Posts: 10,112
PC Experience: Always Learning New Things
Re: Security Tool - LSAS.Blaster.keyloger

Miken,

Try in Safe Mode. In order to get into Safe Mode, please reboot your PC. During bootup, rapidly hit the F8 key and choose Safe Mode in the menu you are presented with.

Crush
Old 4 Weeks Ago   #5
Bronze Member
 
Join Date: Jun 2008
Posts: 34
PC Experience: Very Experienced
Re: Security Tool - LSAS.Blaster.keyloger

Crush,

Safe Mode worked. My friend first did it without networking and ran Malwarebytes. That got rid of Rogue Multiple, both a file and a folder. After that, when he booted normally, Security Tool no longer appeared with a constant balloon. He ran Malwarebytes afterwards and it came up with nothing. He ran Spybot in between and it found fraud.sysguard.

Here are the logs from the prework:
----
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/24 08:10
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB1B74000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79AF000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB0795000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF7847000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\Recent
Status: Visible to the Windows API, but not on disk.

Path: C:\Quicken\Q01Files\Dc28.QDF
Status: Locked to the Windows API!

Path: C:\Quicken\Q01Files\Dc30.QEL
Status: Locked to the Windows API!

Path: C:\Quicken\Q01Files\Dc31.QPD
Status: Locked to the Windows API!

Path: C:\Quicken\Q01Files\Dc32.QPH
Status: Locked to the Windows API!

Path: C:\Quicken\Q01Files\Dc27.QSD
Status: Locked to the Windows API!

Path: C:\Quicken\Q01Files\Dc29.QTX
Status: Locked to the Windows API!

Path: C:\Quicken\BACKUP\Dc48.IDX
Status: Locked to the Windows API!

Path: C:\Quicken\BACKUP\Dc49.QEL
Status: Locked to the Windows API!

Path: C:\Quicken\BACKUP\Dc50.QPD
Status: Locked to the Windows API!

Path: C:\Quicken\BACKUP\Dc51.QPH
Status: Locked to the Windows API!

Path: C:\Quicken\BACKUP\Dc45.QSD
Status: Locked to the Windows API!

Path: C:\Quicken\BACKUP\Dc47.QTX
Status: Locked to the Windows API!

Path: C:\Quicken\Backup 1\Dc39.QDF
Status: Locked to the Windows API!

Path: C:\Quicken\Backup 1\Dc41.QEL
Status: Locked to the Windows API!

Path: C:\Quicken\Backup 1\Dc42.QPH
Status: Locked to the Windows API!

Path: C:\Quicken\Backup 1\Dc43.QSD
Status: Locked to the Windows API!

Path: C:\Quicken\Backup 1\Dc40.QTX
Status: Locked to the Windows API!

Path: C:\Quicken\Backup 1\Dc38.QPB
Status: Locked to the Windows API!

Path: C:\Quicken\Backup 2\Dc34.QDF
Status: Locked to the Windows API!

Path: C:\Quicken\Backup 2\Dc36.QEL
Status: Locked to the Windows API!

Path: C:\Quicken\Backup 2\Dc37.QPH
Status: Locked to the Windows API!

Path: C:\Quicken\Backup 2\Dc33.QSD
Status: Locked to the Windows API!

Path: C:\Quicken\Backup 2\Dc35.QTX
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-584131787-4119869848-4215667669-1007\SS9B7F~1.EXE
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-584131787-4119869848-4215667669-1007\SPYSWE~4.EXE
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-584131787-4119869848-4215667669-1007\SP2162~1.EXE
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-584131787-4119869848-4215667669-1007\ADBERD~1.EXE
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-584131787-4119869848-4215667669-1007\Dc40.QTX:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\RECYCLER\S-1-5-21-584131787-4119869848-4215667669-1007\Newdata5.QDF
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc22.xls
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc21.zip
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Cyberlink:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Cyberlink:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc25.bmp
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc12.exe
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc19.exe
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc18.exe
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc23.lnk
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc20.sav
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc17.zip
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc16.msi
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Work-Comp-Matt.doc:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc26.QPB
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc9.txt
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc10.txt
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc11.txt
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc24.mbf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc7.exe
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\CCWin:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc8.reg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc5.txt
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc3.exe
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Charles\My Documents\Dc6.txt
Status: Locked to the Windows API!

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a2811c8

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb1bbc6b8

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1d01fc0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1cfec80

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb1bbc574

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1d02580

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1d16900

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1d16b10

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1d1ab10

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8a281498

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1d02670

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1cff210

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1d199f0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb1bbca52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1d16280

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1d19f10

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1d19f90

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1cff070

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb1bbc64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1d18180

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1d17f40

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb1bbc76e

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x8a281240

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a24d020

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1d1a6f0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1d1a150

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1d01be0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb1bbc72e

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1d02190

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8a281330

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1cff440

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x8a2a97b0

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8a281588

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8a2813a8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb1bbc8ae

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8a281510

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8a2812b8

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1d17200

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1d17080

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8a281420

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a281150

Stealth Objects
-------------------
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a125818 Size: 2025

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x8a0deb08 Size: 1273

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x8a133300 Size: 963

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a29cc00 Size: 1024

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a1f5838 Size: 314

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a1eeb38 Size: 1225

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x8a294ba0 Size: 1121

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a1e9780 Size: 2177

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89fd4b30 Size: 1232

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89f33478 Size: 223

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89f66c20 Size: 834

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89fd2470 Size: 2961

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a0bfdb8 Size: 585

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a133410 Size: 691

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89f72fa8 Size: 89

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a26d6e8 Size: 2329

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a256838 Size: 1286

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x8a0a5af0 Size: 1296

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a0fd8b8 Size: 190

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a12e6a8 Size: 1466

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a12b888 Size: 1913

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a1118f8 Size: 1800

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x8a296b18 Size: 1162

==EOF==



DDS (Ver_09-10-24.01) - NTFSx86
Run by Charles at 8:58:52.92 on Sat 10/24/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn5\YTSingleInstance.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [dla] "c:\windows\system32\dla\tfswctrl.exe"
mRun: [BrMfcWnd] "c:\program files\brother\brmfcmon\BrMfcWnd.exe" /AUTORUN
mRun: [SetDefPrt] "c:\program files\brother\brmfl06a\BrStDvPt.exe"
mRun: [ControlCenter3] "c:\program files\brother\controlcenter3\brctrcen.exe" /autorun
mRun: [bacstray] "BacsTray.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [56196633] "c:\docume~1\alluse~1\applic~1\56196633\56196633.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {FC541648-A453-4711-9B41-41FA09271AF3} - hxxps://accounting.quickbooks.com/c26/v27.090/qboqbwimp7.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\charles\applic~1\mozilla\firefox\profiles\434p1rvr.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: XUL Cache: {5E7C3161-936C-4809-863A-1D4CEAF4376F} - c:\documents and settings\charles\local settings\application data\{5E7C3161-936C-4809-863A-1D4CEAF4376F}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-23 20:43:38 11128 ----a-w- c:\windows\system32\drivers\PROCEXP100.SYS
2009-10-03 12:23:22 195440 ------w- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2009-10-13 23:57:16 4330 ----a-w- c:\docume~1\charles\applic~1\wklnhst.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:35:52 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 09:01:48 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 04:44:46 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-05 04:44:46 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 15:13:08 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 14:20:09 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 14:20:08 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-04 14:20:08 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2005-07-17 23:36:05 774144 ----a-w- c:\program files\RngInterstitial.dll
2006-03-09 23:29:10 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-16 22:57:00 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090820080915\index.dat
2008-09-22 16:32:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091520080922\index.dat
2008-09-16 22:57:00 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091620080917\index.dat
2008-09-29 17:15:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092220080929\index.dat
2008-09-29 17:15:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092920080930\index.dat
2008-10-02 18:12:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100220081003\index.dat

============= FINISH: 8:59:26.26 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-24.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 9/28/2004 11:41:11 AM
System Uptime: 10/23/2009 5:02:14 PM (15 hours ago)

Motherboard: Dell Computer Corp. | | 0F5949
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2790/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 41.184 GiB free.
D: is CDROM ()
E: is CDROM (CDFS)
F: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.2
Adobe® Photoshop® Album Starter Edition 3.0
Adobe® Photoshop® Album Starter Edition 3.0.1
AnswerWorks 5.0 English Runtime
avast! Antivirus
Banctec Service Agreement
Belarc Advisor 7.2
Broadcom Management Programs
Brother MFL-Pro Suite
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
CCleaner (remove only)
Conexant D850 56K V.9x DFVc Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Media Experience
Dell Networking Guide
Dell Solution Center
Dell Support Center (Support Software)
DellSupport
Digital Line Detect
Get High Speed Internet!
Google Toolbar for Internet Explorer
Help and Support Customization
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 10
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java(TM) 6 Update 13
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Learn2 Player (Uninstall Only)
Macromedia Flash Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Modem Helper
Mozilla Firefox (3.5.3)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
NetWaiting
PaperPort
Picture Package
PowerDVD 5.1
Qualxserve Service Agreement
Quicken 2008
Quicken WillMaker Plus 2005
QuickPayroll
QuickTime
RealPlayer
Revo Uninstaller 1.83
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Shockwave
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Sony USB Driver
Spy Sweeper
Spy Sweeper Core
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
TweakNow RegCleaner Standard
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VC 9.0 Runtime
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WordPerfect Office 12
Yahoo! Software Update
Yahoo! Toolbar
ZoneAlarm
ZoneAlarm Spy Blocker Toolbar

==== Event Viewer Messages From Past Week ========

10/23/2009 2:19:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
10/23/2009 2:19:23 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/23/2009 2:19:21 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi BANTExt Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip vsdatant WS2IFSL
10/23/2009 2:19:21 PM, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
10/23/2009 2:19:21 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
10/23/2009 2:19:21 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/23/2009 2:19:21 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/23/2009 2:19:21 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
10/22/2009 12:13:54 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
10/22/2009 12:13:54 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/19/2009 3:25:16 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\D.
10/18/2009 4:57:44 PM, error: SSIDRV [26] - Failed to set monitor event rule.

==== End Of File ===========================


Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
avast! Antivirus
ZoneAlarm Spy Blocker Toolbar
ZoneAlarm
``````````````````````````````
Anti-malware/Other Utilities Check:

Out of date Spybot installed!
Ad-Aware
ZoneAlarm Spy Blocker Toolbar
Spybot - Search & Destroy 1.4
Spy Sweeper
Spy Sweeper Core
Spybot - Search & Destroy
Windows Defender
HijackThis 2.0.2
CCleaner (remove only)
TweakNow RegCleaner Standard
Java(TM) 6 Update 13
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.2
``````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


------------------------------------
miken707
Old 4 Weeks Ago   #6
Tech Support Team
Join Date: Sep 2008
Location: Caldwell, New Jersey
Posts: 10,112
PC Experience: Always Learning New Things
Default Re: Security Tool - LSAS.Blaster.keyloger

Miken,

Do you have the MBAM log? I will be unable to check in with you, so I'm going to have someone else from the Security Team take over from here.
__________________
Crush aka Chris
[Prework][Afterwork][PCHF Rules][BSOD's][SFC][Screenshots][PC Specs][Donate]
I am in fact, quite cool. My graphing calculator confirms this

Crush
Old 4 Weeks Ago   #7
Bronze Member
Join Date: Jun 2008
Posts: 34
PC Experience: Very Experienced
Default Re: Security Tool - LSAS.Blaster.keyloger

Crush,

Unfortunately, I cannot find the mbam.log file. He ran mbam again after cleaning out things.

Miken
miken707
