secure tools virus infection also known as spywareprotect2009

cyborama asked:
Hello there, I have been battling a serious virus infestation and have sizzled it almost completely out, except for this one file called Nsrbgxod.bak that seems to be constantly resurfacing in normal mode, gets deleted when the computer shuts down, and does not resurface in safe mode. Here is the issue.

A friend of mine ended up with Secure Tools on their computer, a rogue antispyware. Anyway, come to find out this particular infection seemed to be the worst of its kind, infecting the system with at least 20 viruses, trojans, downloaders, etc., some of which were trojan.zlob.h, trojan.vundo.h, trojan.agent, malware.trace, disabled.security, etc.

Anyway, initially this virus locked me down from doing anything and everything; it even gave me the blue screen of death when attempting to do a fix via safe mode. Finally, to make a long story short, I penetrated this virus by finding a shortcut to its true location that was generated on the desktop. I don't know how it happened, but it sure helped me to get onto first base.

After spending quite some time in safe mode putting the computer through various iterations of Malwarebytes, finally being able to progress to normal mode, loading Spy Doctor, and finally being able to uninstall and reinstall my Norton Internet Security 2009 and get the latest updates successfully, I was able to do extreme injury to this virus.

In fact, after scanning it multiple times with Malwarebytes, Spy Doctor, Norton Antivirus, and Lavasoft Ad-Aware in normal mode, I seemed to get it down to Malwarebytes telling me I had one infection, which happened to be the strain.

As of the latest scan I did, however, I finally saw Malwarebytes not showing that infection but showing a low-risk one of Trojan.agent, at which time I decided to do another session of scans with these antispyware, antimalware, etc. programs.

The one thing that does seem persistent and concerning to me is this error I get upon Windows load in normal mode, which says the following:


The application or DLL c:\docume~1\networ~1\ntuser.dll is not a valid windows image

error loading c:\docume~1\networ~1\ntuser.dll %1 is not a valid win 32 application.


Now my guess, from what I have been researching in regards to these viruses I was infested with, is that this particular message could indicate that a virus crumb or trojan crumb that steals information is still somehow lodged in my system after all that.

The other interesting tidbit is that when I am about ready to shut down the computer I get like 3 different critical stops alerting me to memory references that could not be written to particular addresses, which I didn't write down here.

I generated a log using HijackThis just after I rebooted from a hopefully cleaned trojan.agent which was found by Malwarebytes. I had previously scanned (within the same Windows session without reboot) with the latest Norton Internet Security 2009 as well as Spy Doctor with its latest definitions and found 0 threats, but when I scanned with Malwarebytes it found this one threat, after which I restarted the computer and generated this HijackThis log, which I will post below.

So I am presently doing one more scanning session with these 3 virus scanners I have installed, just to double check them.

What I need to know is if you guys know any way of finding and patching security breaches that this virus may have opened, or I should say did open, since it was such a nasty virus.

For now, here is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:08 PM, on 10/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\\ccSvcHst.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Norton Internet Security\Engine\\ccSvcHst.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1252598573\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\\IPSBHO.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\\coIEPlg.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1252598573\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) -
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\\coIEPlg.dll
O20 - AppInit_DLLs: c:\windows\system32\kohumoki.dll
O21 - SSODL: pibogegan - {d338034b-eb35-4041-a1f0-8ebc7d6b04e1} - c:\windows\system32\kohumoki.dll (file missing)
O22 - SharedTaskScheduler: gsajkfh873whdngo8wuidgs4rgfr4 - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
O22 - SharedTaskScheduler: gahurihor - {d338034b-eb35-4041-a1f0-8ebc7d6b04e1} - c:\windows\system32\kohumoki.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Unknown owner - C:\Program Files\Norton Internet Security\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: COM Host (comHost) - Unknown owner - C:\Program Files\Norton Internet Security\comHost.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\\ccSvcHst.exe
O23 - Service: Norton Protection Center Service (NSCService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: plasservice (ZeppelinService) - Unknown owner - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe (file missing)
End of file - 9991 bytes

On a side note, I am getting rid of ParetoLogic, as it did not settle well in my system in regards to executing or uninstalling, so I am getting rid of this manually via the registry and files on the computer. This was supposed to be a special tool to zap this trojan.vundo.h virus but apparently did not work well with my system.

Anyway, hopefully that gives you enough information to help me out, for the most part to know if my computer is now safe to re-enable the internet and go do normal routines of nonsensitive and sensitive computer tasks such as online banking, browsing, etc.

By the way, this is fully for my friend, though I see I changed into first person here a couple of times.

Anyway, whatever help you can offer would be great, more to know if I can let my friend know that it's safe to surf the internet, or know for me if it's safe to go to the Microsoft site and get the latest service pack without the fear of being redirected by the virus to some malicious site, as I have read the one I got seems to have the capability of doing.

From your HiJackThis log.
Please remove the following.
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
The above entry is a Trojan entry that is responsible for the ntuser.dll portion of the error message that you listed.

O20 - AppInit_DLLs: c:\windows\system32\kohumoki.dll

O21 - SSODL: pibogegan - {d338034b-eb35-4041-a1f0-8ebc7d6b04e1} - c:\windows\system32\kohumoki.dll (file missing)

O22 - SharedTaskScheduler: gsajkfh873whdngo8wuidgs4rgfr4 - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)

O22 - SharedTaskScheduler: gahurihor - {d338034b-eb35-4041-a1f0-8ebc7d6b04e1} - c:\windows\system32\kohumoki.dll (file missing)

I would also suggest that you do the following.
Download and run Combofix.
The free download and directions can be located here.
As noted in the directions, prior to running Combofix or any other anti-malware/anti-virus application please stop your anti-virus and anti-malware programs. Combofix should be saved to and run from your desktop.
You should rename Combofix as well as any other anti-malware suites to a different name prior to downloading as some threats can prevent them from running with their default names.
Note: ComboFix should not be run in Safe Mode, unless that is the only mode the affected system will boot to.
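As an added illustration (not part of the original thread or of HijackThis itself), the rules behind the entries singled out above can be written down as a small checker over HijackThis log lines: a rundll32 Run entry loading a DLL from a user profile directory, the same Run value name present in both HKLM and HKCU with different targets, any populated AppInit_DLLs entry, and SSODL/SharedTaskScheduler load points that reference a missing file or the same DLL as AppInit_DLLs. The sample log is constructed from entries of the kind that appear in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis entries of the kinds discussed in the thread,
# mixed with benign ones so the rules can be checked for false positives.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: c:\windows\system32\kohumoki.dll
O21 - SSODL: pibogegan - {d338034b-eb35-4041-a1f0-8ebc7d6b04e1} - c:\windows\system32\kohumoki.dll (file missing)
O22 - SharedTaskScheduler: gsajkfh873whdngo8wuidgs4rgfr4 - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^,"]+?)"?\s*(?:,|$)', re.IGNORECASE)
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O21_22_RE = re.compile(
    r"^O2[12] - (?:SSODL|SharedTaskScheduler): (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")

# Directory fragments that mark a user-profile location (8.3 short names included).
PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\", "\\users\\")


def basename(path):
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def analyze_hijackthis(log_text):
    """Return {log line: [reasons]} for entries that deserve a closer look."""
    findings = defaultdict(list)
    lines = [l.rstrip() for l in log_text.splitlines() if l.strip()]

    # Pass 1: DLLs named in AppInit_DLLs are loaded into every process that
    # pulls in user32.dll, so the same DLL showing up elsewhere is cross-checked.
    appinit_dlls = set()
    for line in lines:
        m = O20_RE.match(line)
        if m:
            findings[line].append("AppInit_DLLs is populated; legitimate use is rare")
            for dll in re.split(r"[,\s]+", m.group("dlls")):
                if dll:
                    appinit_dlls.add(basename(dll))

    # Pass 2: O4 Run entries.
    run_by_name = defaultdict(dict)  # value name -> {hive: (line, cmd)}
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
        run_by_name[name.lower()][hive] = (line, cmd)
        r = RUNDLL_RE.match(cmd)
        if r:
            dll = r.group("dll").strip().lower()
            if any(mark in dll for mark in PROFILE_MARKERS):
                findings[line].append("rundll32 loads a DLL from a user profile directory")
            if basename(dll) in appinit_dlls:
                findings[line].append("rundll32 loads a DLL also listed in AppInit_DLLs")

    # Same Run value name under both HKLM and HKCU pointing at different
    # commands: the pattern of the two [calc] entries in the thread's log.
    for name, hives in run_by_name.items():
        if len(hives) > 1 and len({cmd.lower() for _, cmd in hives.values()}) > 1:
            for line, _ in hives.values():
                findings[line].append(
                    "Run value '%s' exists in both HKLM and HKCU with different targets" % name)

    # Pass 3: shell load points (SSODL, SharedTaskScheduler).
    for line in lines:
        m = O21_22_RE.match(line)
        if not m:
            continue
        target = m.group("target").lower()
        if "(file missing)" in target or "(no file)" in target:
            findings[line].append("load point references a file that is gone (leftover registration)")
        dll_path = target.split(" (")[0].strip()
        if dll_path and basename(dll_path) in appinit_dlls:
            findings[line].append("same DLL as the AppInit_DLLs entry")

    return dict(findings)


if __name__ == "__main__":
    for line, reasons in analyze_hijackthis(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Feed a full HijackThis log to analyze_hijackthis to get the flagged lines with the reason for each; entries without a listed reason are left alone rather than judged clean.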


Scan with Dr Web live cd


Hello, I just did what you said up to the ComboFix point. I have Spyware Doctor on my system as well as Internet Security 2009 to knock out this virus, and I have shut down Spyware Doctor as well as Internet Security 2009 (disabled), and yet upon executing ComboFix I get a warning that tells me "ComboFix has detected the following real time scanners to be active:

antivirus: Spyware Doctor with AntiVirus.  

Again, I had shut down this and was told it was totally disabled, and it also left the system tray, yet ComboFix thinks it's still active.

I looked in the processes and in the open applications and didn't see anything that looked like Spy Doctor, but maybe there was a lingering process somehow.

Could Spy Doctor have a service that wasn't stopped? I would let this run anyway, but am afraid that if the ComboFix message is for real and Spy Doctor conflicts with its functioning, it could cause devastation.

Let me know as soon as you can


It won't cause devastation; it might hang the application though.
In order to disable the Spyware Doctor scan on startup, please do the following.
Open Spyware Doctor
Click on the 'Settings' button on the left hand panel
Then click on 'General'
Uncheck the box on the right that says 'Run Scan at Windows Startup'.
Reboot and test.


Hello David,

I just looked, and it looks as if this option was already unchecked. Hmm.

Well, I'll go ahead and disable or shut down Spyware Doctor, reboot, and run ComboFix, since it won't cause any catastrophic results to the system.

Hello David,

I don't seem to have those errors any more, but I just wanted to post the ComboFix log anyway, just in case there's something in it I need to be concerned about.

Also, if this did the trick against trojan.vundo.h, trojan.zlob.h and so forth, can I feel free to get the latest Windows updates and know my system is no longer compromised?

I know you could dig out a virus and still have a compromised system, so I just want to verify this.

Here is the log below:

ComboFix 09-10-20.03 - DENA 10/21/2009 16:02.1.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1014.688 [GMT -5:00]
Running from: c:\documents and settings\Deena\Desktop\babblebox.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

c:\documents and settings\Administrator\ntuser.dll
c:\documents and settings\Administrator\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Administrator\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\Deena\ntuser.dll
c:\documents and settings\Deena\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Deena\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\LocalService\ntuser.dll
c:\documents and settings\NetworkService\ntuser.dll

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


(((((((((((((((((((((((((   Files Created from 2009-09-21 to 2009-10-21  )))))))))))))))))))))))))))))))

2009-10-21 06:08 . 2009-10-21 06:08      --------      d-----w-      c:\program files\CCleaner
2009-10-20 18:14 . 2009-10-20 18:14      --------      d-----w-      c:\program files\Symantec
2009-10-20 18:14 . 2009-10-20 18:14      60808      ----a-w-      c:\windows\system32\S32EVNT1.DLL
2009-10-20 18:14 . 2009-10-20 18:14      124464      ----a-w-      c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-20 18:13 . 2009-10-20 18:13      --------      d-----w-      c:\windows\system32\drivers\NIS
2009-10-20 18:13 . 2009-10-20 18:13      --------      d-----w-      c:\program files\Norton Internet Security
2009-10-20 18:13 . 2009-10-20 18:13      --------      d-----w-      c:\program files\Windows Sidebar
2009-10-20 18:08 . 2009-09-03 09:17      15688      ----a-w-      c:\windows\system32\lsdelete.exe
2009-10-20 17:32 . 2009-09-23 12:55      64288      ----a-w-      c:\windows\system32\drivers\Lbd.sys
2009-10-20 17:22 . 2009-10-20 17:22      --------      dc-h--w-      c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-20 17:22 . 2009-10-20 17:32      --------      d-----w-      c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-20 17:22 . 2009-10-20 17:22      --------      d-----w-      c:\program files\Lavasoft
2009-10-20 06:02 . 2009-10-20 06:02      --------      d-----w-      c:\documents and settings\Administrator\Local Settings\Application Data\AOL
2009-10-20 05:58 . 2009-10-20 05:58      --------      d-----w-      c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-10-20 05:54 . 2009-10-20 12:20      7200      --sha-w-      c:\windows\system32\drivers\fidbox2.dat
2009-10-20 05:54 . 2009-10-20 12:20      10129440      --sha-w-      c:\windows\system32\drivers\fidbox.dat
2009-10-20 05:31 . 2009-10-08 18:14      59664      --s---w-      c:\windows\system32\drivers\TfSysMon.sys
2009-10-20 05:31 . 2009-10-08 18:14      33552      --s---w-      c:\windows\system32\drivers\TfNetMon.sys
2009-10-20 05:31 . 2009-10-08 18:14      51984      --s---w-      c:\windows\system32\drivers\TfFsMon.sys
2009-10-20 05:30 . 2009-10-20 05:30      --------      d-----w-      c:\documents and settings\Administrator\Local Settings\Application Data\Threat Expert
2009-10-20 05:25 . 2009-10-20 05:25      --------      d-----w-      c:\program files\ParetoLogic
2009-10-20 05:25 . 2009-10-20 05:25      --------      d-----w-      c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-10-20 04:10 . 2009-10-20 04:10      --------      d-----w-      c:\program files\Trend Micro
2009-10-20 03:55 . 2009-10-20 03:55      --------      d-----w-      c:\documents and settings\Administrator\Local Settings\Application Data\Downloaded Installations
2009-10-20 00:04 . 2009-10-20 00:04      --------      d-----w-      c:\documents and settings\Deena\Local Settings\Application Data\Downloaded Installations
2009-10-19 23:53 . 2009-09-24 13:55      229304      ----a-w-      c:\windows\system32\drivers\pctgntdi.sys
2009-10-19 23:53 . 2009-10-06 21:31      87784      ----a-w-      c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-19 23:53 . 2009-09-23 21:10      207280      ----a-w-      c:\windows\system32\drivers\PCTCore.sys
2009-10-19 23:53 . 2009-09-03 14:45      70408      ----a-w-      c:\windows\system32\drivers\pctplsg.sys
2009-10-19 23:53 . 2009-10-21 20:52      --------      d-----w-      c:\program files\Spyware Doctor
2009-10-19 23:53 . 2009-10-20 05:31      --------      d-----w-      c:\documents and settings\All Users\Application Data\PC Tools
2009-10-19 23:53 . 2009-10-20 05:15      --------      d-----w-      c:\program files\Common Files\PC Tools
2009-10-19 23:53 . 2009-10-19 23:53      --------      d-----w-      c:\documents and settings\Deena\Application Data\PC Tools
2009-10-19 23:29 . 2009-10-21 20:53      --------      d---a-w-      c:\documents and settings\All Users\Application Data\TEMP
2009-10-19 17:58 . 2009-09-10 19:54      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 17:58 . 2009-10-19 18:00      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2009-10-19 17:58 . 2009-09-10 19:53      19160      ----a-w-      c:\windows\system32\drivers\mbam.sys
2009-10-19 17:56 . 2009-09-10 19:53      1312080      ----a-w-      C:\mbam.exe
2009-10-19 15:36 . 2009-10-19 15:36      --------      d-----w-      c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-19 14:31 . 2009-10-19 14:31      --------      d-----w-      c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-10-19 03:59 . 2009-10-19 03:59      --------      d-----w-      c:\documents and settings\Deena\Local Settings\Application Data\Symantec
2009-10-19 03:53 . 2009-10-19 03:53      --------      d-----w-      c:\documents and settings\Deena\Application Data\Malwarebytes
2009-10-19 03:53 . 2009-10-19 03:53      --------      d-----w-      c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-19 01:58 . 2009-10-19 01:58      120      ----a-w-      c:\windows\Amabejabive.dat
2009-10-19 01:58 . 2009-10-19 01:58      0      ----a-w-      c:\windows\Tsizifasocuke.bin
2009-10-19 01:58 . 2009-10-19 01:58      --------      d-----w-      c:\documents and settings\Deena\Local Settings\Application Data\{9B9AEECE-EE79-4BD9-85BC-5EE8ED210D12}
2009-10-19 01:41 . 2009-10-19 01:41      --------      d-----w-      C:\NBRT
2009-10-18 23:11 . 2009-10-18 23:11      0      --sha-w-      C:\scandisk.dll
2009-10-18 16:23 . 2009-10-18 16:23      251904      ----a-w-      C:\tfdp.exe

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-10-21 17:41 . 2007-01-28 00:52      --------      d-----w-      c:\program files\Google
2009-10-21 13:38 . 2007-03-01 21:08      1754      ----a-w-      c:\documents and settings\Deena\Application Data\SAS7_000.DAT
2009-10-20 18:36 . 2007-01-28 00:48      --------      d-----w-      c:\program files\Common Files\Symantec Shared
2009-10-20 18:14 . 2009-10-20 18:14      806      ----a-w-      c:\windows\system32\drivers\SYMEVENT.INF
2009-10-20 18:14 . 2009-10-20 18:14      10635      ----a-w-      c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-20 18:13 . 2009-08-03 04:39      36272      ----a-r-      c:\windows\system32\drivers\SymIM.sys
2009-10-20 18:13 . 2009-08-03 04:38      --------      d-----w-      c:\documents and settings\All Users\Application Data\Norton
2009-10-20 18:12 . 2009-08-03 04:40      --------      d-----w-      c:\documents and settings\All Users\Application Data\Symantec
2009-10-20 12:20 . 2009-10-20 05:54      1748      --sha-w-      c:\windows\system32\drivers\fidbox2.idx
2009-10-20 12:20 . 2009-10-20 05:54      119780      --sha-w-      c:\windows\system32\drivers\fidbox.idx
2009-09-16 08:20 . 2009-10-19 23:53      7383      ----a-w-      c:\windows\system32\drivers\
2009-09-15 11:20 . 2009-10-19 23:53      7383      ----a-w-      c:\windows\system32\drivers\
2009-09-15 07:12 . 2009-10-19 23:53      7412      ----a-w-      c:\windows\system32\drivers\
2009-09-15 06:01 . 2009-10-19 23:53      7387      ----a-w-      c:\windows\system32\drivers\
2009-09-10 16:03 . 2007-01-28 00:46      --------      d-----w-      c:\program files\Common Files\AOL
2009-09-10 16:02 . 2007-01-28 00:46      --------      d-----w-      c:\documents and settings\All Users\Application Data\AOL
2009-09-10 16:02 . 2009-09-10 16:02      --------      d-----w-      c:\documents and settings\All Users\Application Data\AOL Downloads
2009-09-10 06:48 . 2008-03-13 06:29      --------      d-----w-      c:\program files\America Online 9.0
2009-08-06 01:37 . 2009-08-06 01:37      411368      ----a-w-      c:\windows\system32\deploytk.dll
2009-08-05 09:11 . 2004-08-11 23:00      204800      ----a-w-      c:\windows\system32\mswebdvd.dll
2009-07-18 16:30 . 2009-07-18 16:30      1083426      --sha-w-      c:\windows\system32\barumoju.exe
2009-07-18 16:30 . 2009-07-18 16:30      24576      --sha-w-      c:\windows\system32\nolomipu.exe

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-28 98304]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 221184]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"HostManager"="c:\program files\Common Files\AOL\1252598573\ee\AOLSoftware.exe" [2006-09-26 50736]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2008-3-13 36954]

"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

Authentication Packages      REG_MULTI_SZ         msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Deena^Start Menu^Programs^Startup^VersionTrackerPro.lnk]
path=c:\documents and settings\Deena\Start Menu\Programs\Startup\VersionTrackerPro.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"W3SVC"=2 (0x2)
"MSFtpsvc"=2 (0x2)
"IISADMIN"=2 (0x2)
"Browser Defender Update Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"EnableFirewall"= 0 (0x0)

"c:\\Program Files\\America Online 9.0\\aol.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/20/2009 12:32 PM 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/19/2009 6:53 PM 207280]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1002000.007\SymEFA.sys [10/20/2009 1:13 PM 309296]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [10/20/2009 12:31 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [10/20/2009 12:31 AM 59664]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1002000.007\BHDrvx86.sys [10/20/2009 1:13 PM 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1002000.007\cchpx86.sys [10/20/2009 1:13 PM 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090916.003\IDSXpx86.sys [10/20/2009 1:31 PM 329080]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [10/19/2009 6:53 PM 229304]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1170768]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\\ccSvcHst.exe [10/20/2009 1:13 PM 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/20/2009 3:00 AM 102448]
S2 ZeppelinService;plasservice;"c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe" --> c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe [?]
S3 EraserUtilDrvI9;EraserUtilDrvI9;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [?]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [10/19/2009 6:53 PM 70408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/19/2009 6:53 PM 358600]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [10/20/2009 12:31 AM 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc      REG_MULTI_SZ         p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Contents of the 'Scheduled Tasks' folder

2009-10-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 17:39]

2009-10-21 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS.job
- c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 19:43]

2009-10-20 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job
- c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 19:43]
------- Supplementary Scan -------
uStart Page = hxxp://
uInternet Connection Wizard,ShellNext = iexplore
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
SharedTaskScheduler-{d338034b-eb35-4041-a1f0-8ebc7d6b04e1} - c:\windows\system32\kohumoki.dll


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-10-21 16:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0


[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\\diMaster.dll\" /prefetch:1"
--------------------- LOCKED REGISTRY KEYS ---------------------

@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1328)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(3452)
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
------------------------ Other Running Processes ------------------------
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
Completion time: 2009-10-21 16:13 - machine was rebooted
ComboFix-quarantined-files.txt  2009-10-21 21:13

Pre-Run: 45,790,502,912 bytes free
Post-Run: 51,645,620,224 bytes free

[boot loader]
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 99EB790807E3DED1E304FF7E17541062
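The service, scheduled-task and orphan lines in a ComboFix log like the one above follow a fixed line format, so the triage that a helper does by eye (which entries point at a file ComboFix could not stat, which removed orphan had a random-looking name in system32) can be made repeatable. What follows is an added example written for this page, not ComboFix's own code and not anything posted in the thread: the regexes follow the line formats shown in the log above, the sample lines are copied from that log and abbreviated, and the flagging rules (the trusted path roots and the eight-letter random-name heuristic for Vundo-style droppers) are this example's own assumptions.

```python
"""Triage helper for the service/driver, scheduled-task and orphan lines of a
ComboFix log.  Added example: not ComboFix's code and not from the thread.
The line regexes follow the log format shown on this page; TRUSTED_ROOTS and
RANDOM_NAME_RE are this example's own heuristics."""
import re
from dataclasses import dataclass, field

# "R1 name;display;path [date time size]" or "... [?]" when ComboFix could not stat the file
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<rest>.*?)\s*\[(?P<stamp>[^\]]*)\]$"
)
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.*\.job)$")        # "2009-10-21 c:\windows\Tasks\x.job"
TASK_RE = re.compile(r"^- (?P<path>.*?) \[(?P<stamp>[^\]]*)\]$")    # "- c:\...\x.exe [2009-10-01 17:39]"
ORPHAN_RE = re.compile(r"^(?P<kind>[A-Za-z]+)-(?P<id>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\documents and settings\\")
# Heuristic assumption: Vundo-era droppers used random eight-letter names in
# system32 (kohumoki.dll in the log above is the pattern).
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")


@dataclass
class Entry:
    kind: str        # "service", "task" or "orphan"
    name: str
    path: str
    flags: list = field(default_factory=list)


def clean_path(raw):
    """Reduce ComboFix's image-path field to one lower-cased file path: take the
    resolved path after '-->' when present, strip quotes, the \\??\\ NT prefix
    and any trailing service arguments."""
    if "-->" in raw:
        raw = raw.split("-->", 1)[1]
    raw = raw.strip().strip('"').replace("\\??\\", "")
    m = re.match(r"(.*?\.(?:sys|exe|dll))", raw, re.I)
    return (m.group(1) if m else raw).lower()


def flag(entry, stamp=""):
    """Attach triage flags to an entry and return it."""
    if entry.path == "(no file)":
        entry.flags.append("no-file")
        return entry
    if stamp.strip() == "?":                      # ComboFix could not stat the image
        entry.flags.append("file-status-unknown")
    if not entry.path.startswith(TRUSTED_ROOTS):
        entry.flags.append("unusual-location")
    base = entry.path.rsplit("\\", 1)[-1]
    if "\\system32\\" in entry.path and RANDOM_NAME_RE.match(base):
        entry.flags.append("random-looking-name")
    return entry


def parse(log):
    """Return one Entry per service, scheduled task and removed orphan."""
    entries, job = [], None
    for line in log.splitlines():
        line = line.strip()
        if m := SERVICE_RE.match(line):
            entries.append(flag(Entry("service", m["name"], clean_path(m["rest"])), m["stamp"]))
        elif m := JOB_RE.match(line):
            job = m["job"].rsplit("\\", 1)[-1]      # remember the .job name for the next "- path" line
        elif m := TASK_RE.match(line):
            entries.append(flag(Entry("task", job or "?", clean_path(m["path"])), m["stamp"]))
        elif m := ORPHAN_RE.match(line):
            e = flag(Entry("orphan", m["kind"], clean_path(m["path"])))
            e.flags.append("removed-orphan")
            entries.append(e)
    return entries


def suspicious(entries):
    """Entries that earned at least one flag; these get looked at first."""
    return [e for e in entries if e.flags]


# Constructed sample: lines copied (and abbreviated) from the log posted above.
SAMPLE_LOG = r"""
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1002000.007\cchpx86.sys [10/20/2009 1:13 PM 362544]
S2 ZeppelinService;plasservice;"c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe" --> c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe [?]
S3 EraserUtilDrvI9;EraserUtilDrvI9;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [?]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
2009-10-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 17:39]
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
SharedTaskScheduler-{d338034b-eb35-4041-a1f0-8ebc7d6b04e1} - c:\windows\system32\kohumoki.dll
"""

if __name__ == "__main__":
    for e in suspicious(parse(SAMPLE_LOG)):
        print(f"{e.kind:8} {e.name:24} {', '.join(e.flags):36} {e.path}")
```

A "file-status-unknown" flag on a product you recognise (the Symantec and PC Tools entries here) usually just means the uninstaller left a service behind; the same flag on a name you cannot place, or a "random-looking-name" hit in system32, is what to chase first.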
Okay, big Combo log! I see where some entries normally associated with malware were removed (such as kohumoki.dll and YUJUKUMI.EXE).
You are correct in that it's difficult to be sure that any system is "clean". However, if Malwarebytes, your anti-virus program and ComboFix were run and you are no longer receiving errors, you have at a minimum removed the biggest known threats. That said, there is always the chance of rootkits, but that is an entirely different animal to detect and remove. Just for future reference: if I know for certain that any system I touch has a rootkit, the data gets removed and the system formatted. The question that I always ask with relation to rootkits is this: do you feel comfortable sitting at that system and conducting online banking?
That question usually answers itself.
Just to have a greater degree of peace of mind, you might download AVG or COMODO and give your system a scan with either of them. If those scans come up clean, you should be able to download your MS updates without issue.
Just make sure you select the FREE version.


Actually, I have Norton Internet Security 2009 with the latest updates, but interestingly enough, at the beginning of this cleaning it only found 6, whereas Malwarebytes found 53 infections.

Anyway, just out of curiosity and for future reference, what are some indications that I might have a rootkit virus, so I would know to leave it alone? Here is the list of the viruses detected by Malwarebytes originally:


Also, Spyware Doctor found one like something .sysguard and a couple of others, such as something about packaged.gen.

Anyway, that said, in the future when scanning for viruses should I research each one to see if it tells me it is a rootkit, or is there an easier tool to use to determine this before spending a long time attempting a cleanup?


Most antimalware and antivirus suites do not scan for rootkits. There are various reasons for this. Some rootkits are detectable from within the OS; others run at boot and are loaded into memory.
There is some very good background and tools available here for rootkits.
As for indications that you have a rootkit, it all depends on the type. Meaning, if you have a keylogger installed, you most likely won't "notice" anything, as they are designed for stealth. No pop-ups, etc.
The Vundo, Zlob, etc. that you posted are known files, and more times than not Malwarebytes will detect and remove them.


thanks for all your help and for doing so very quickly


Very helpful, very good. He deserves more points than I can give for this question, because the answers were absolutely accurate and prompt, and he was a pleasing person to deal with.

Thanks again David for your help in this area.
You're very welcome. Be careful out there.

As an addendum, before you jump head-first into cleaning up a system you may want to perform a cost-benefit analysis of the time and resources that you're going to invest. In some cases, it may be more efficient simply to adopt a scorched earth policy: reboot, flash the BIOS/firmware, reinstall, patch, and pull out your data backups. Here's what an expert (Jamie Butler) has to say:

"Once a rootkit is found, there is no good solution to get rid of it. Usually, a complete format and re-install of the computer is suggested because it is unknown how deeply the rootkit has compromised the machine."

Keep in mind that this is an arms race we're talking about. The security software people are usually a couple of steps behind the Black Hats. You simply can't depend on A.V. products to catch everything (companies that claim they can detect everything are selling you snake oil).

Hope this helps.

-Bill Blunden
Principal Investigator
Below Gotham Labs


Thanks chhsit for that addendum,

Also, I have heard that there are some trojans that, once they get in, you can't give a 100% guarantee against malicious activity without a reformat, such as is the case with  I certainly will take this to heart the next time I run into a serious viral infection. Once again, thank you.



Actually cchsit,

Just out of curiosity, why would one need to flash the BIOS in some cases? I understand the reboot, format, install Windows, patch and pull out backups, but is it possible for a virus to attack, say, the CMOS of your system?

I have heard of bootkit viruses, but not necessarily CMOS ones.



Firmware-embedded rootkits are an evolving threat (as are rogue hypervisors and SMM-based malware). Check out the most recent Black Hat media downloads from the 2009 USA conference. The Invisible Things Lab from Poland has done some impressive work in this area.  

I wouldn't at all be surprised if some of the heavy hitters in this playing field (the ones who prefer to stay out of the spotlight) already have a working prototype of a firmware rootkit.
