PDA

View Full Version : Help request for win32.luder.B



minortom
2011-05-24, 21:29
Hallo everyone.
I have been using SpyBot S&D for a couple of years (which I much apreciate) but this is my first post.
Recently, while attempting a usual disk-reconstruction I had a message by SpyBot S&D-Resident process termination about win32.Luder.B at mmc.exe in windows/system32.
I run SpyBot S&D (update-search/fix problems) but nothing is detected.
I run Avast but nothing is detected, as well
I downloaded and run AVG maleware removal tool (for Luder) -nothing detected
Meanwhile (before I got DDS and got this post) I run an old version of "Registry Mechanic" (which programme I use from time to time).
I kindly ask for any help, if possible.
Thanks in advance.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Makis at 20:48:34 on 2011-05-24
Microsoft Windows XP Professional 5.1.2600.2.1253.30.1032.18.767.270 [GMT 3:00]
.
AV: avast! antivirus 4.8.1368 [VPS 110524-0] *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Crypto\CRYPTO~1\TVTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe
C:\Program Files\Nokia\Nokia Home Media Server\Media Server\TwonkyMediaServer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\Documents and Settings\Makis\Επιφάνεια εργασίας\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.gr/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
BHO: DAPHelper Class: {0000cc75-acf3-4cac-a0a9-dd3868e06852} - c:\program files\dap\DAPBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
BHO: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - blank
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: DAP Bar: {62999427-33fc-4baf-9c9c-bce6bd127f08} - c:\program files\dap\DAPIEBar.dll
TB: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - blank
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [TVTray] c:\progra~1\crypto\crypto~1\TVTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
IE: &Download with &DAP - c:\progra~1\dap\dapextie.htm
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Download &all with DAP - c:\progra~1\dap\dapextie2.htm
IE: Ε&ξαγωγή στο Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {669695BC-A811-4A9D-8CDF-BA8C795F261C} - c:\progra~1\dap\DAP.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intrasoftnet.com\lawdb
Trusted Zone: microsoft.com\office
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {DD9A2FB8-8ABC-4BD6-8235-7630C59F711F} = 195.170.0.1 195.170.2.2
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: HTTPS\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-1 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-1 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-1-3 138680]
R2 SpPortEx;Samsung Port Exclusion;c:\windows\system32\drivers\SpPortEx.sys [2007-1-4 7168]
R2 TwonkyMedia;TwonkyMedia;c:\program files\nokia\nokia home media server\media server\twonkymedia.exe -serviceversion 0 --> c:\program files\nokia\nokia home media server\media server\TwonkyMedia.exe -serviceversion 0 [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-1-3 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-1-3 352920]
R3 e4usbaw;USB ADSL2 WAN Adapter;c:\windows\system32\drivers\e4usbaw.sys [2007-2-15 114616]
R3 PhTVTune;Crypto PC TV Radio III WDM TVTuner (FM1216ME);c:\windows\system32\drivers\PhTVTune.sys [2007-1-4 27808]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\shldrv51.sys --> c:\windows\system32\drivers\ShlDrv51.sys [?]
S2 gupdate1ca0c45fd3cc358;Υπηρεσία Google Update (gupdate1ca0c45fd3cc358);c:\program files\google\update\GoogleUpdate.exe [2009-7-24 133104]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);c:\windows\system32\drivers\e4ldr.sys [2007-2-15 63555]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\drivers\pavproc.sys --> c:\windows\system32\drivers\PavProc.sys [?]
S2 PavPrSrv;Panda Process Protection Service;"c:\program files\common files\panda software\pavshld\pavprsrv.exe" --> c:\program files\common files\panda software\pavshld\pavprsrv.exe [?]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 gupdatem;Υπηρεσία Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-7-24 133104]
.
=============== File Associations ===============
.
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-05-24 12:25:04 439296 ----a-w- c:\windows\system32\rmluder.nt
2011-05-23 06:25:39 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-23 06:25:39 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-21 07:56:11 -------- d-----w- c:\program files\AviSynth 2.5
2011-05-20 13:31:49 -------- d-----w- c:\program files\iCoolsoft Studio
2011-05-16 18:34:06 -------- d-----w- c:\program files\common files\xing shared
.
==================== Find3M ====================
.
2011-05-23 06:09:19 1409 ----a-w- c:\windows\QTFont.for
2011-05-16 18:32:59 348160 ----a-w- c:\windows\system32\msvcr71.dll
2007-05-18 06:33:31 15714552 ----a-w- c:\program files\Google_Earth_BZXD.exe
.
============= FINISH: 20:50:21,82 ===============

shelf life
2011-05-29, 00:47
hi minortom,

You can do a online a scan as another check:

ESET (http://www.eset.com/onlinescan/) online scanner:

Use Internet Explorer
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan archives" Leave the defaults checked under Advanced settings
click scan. When it completes click "List found threats"
click "Export to text file.." and save it to your desktop. Post the saved log.
Click "back" and "finish"

minortom
2011-05-30, 12:22
Thank you, shelf life, for your reply.
I run ESET on line scanning, according to the instruction,
still nothing was found - so, at the end of scanning, there was not option: "List found threats", "Export to text file.." nor saved log to be post. (however, I didn't uninstall the created files).
I am coming to think that there is no any virus but only Spybot-Resident false alert (still the alert remains on any attmept of disk-reconstruction, I 've got not any allert on other processes, yet).
From my first prost I had missed to refer that the Spybot-Resident alert messages are always the same, but only the "process ID" is changing. I.e. last time was: 3996 (always a 4 digits number).
If you think there are firther steps, please tell me...

shelf life
2011-05-30, 23:49
hi,

Since you have run several apps, I would say its a false positive.

minortom
2011-05-31, 13:54
Hi,
I save the posts of this topic
soon, I get disk-reconstructed.
If relevant problems appear, I'll let you know in a new topic
Thank you very much for your kind reply :thanks:

shelf life
2011-06-01, 00:21
Ok. your welcome. Happy safe surfing.