So I’ve some how got myself a virus with 3 anti-virus programs running on my machine.

this virus is a malware virus called LOD_109d.exe, and avast keeps blocking it in my C:\Windows\TEMP folder, and it’s getting executed by a file in my System32 folder under C:\Windows\System32\wbem\WmiPrvSE.exe

I’ve tried everything to get rid of this and nothing works. Avast can block it but it can’t detect it to remove it from my machine even after doing several full-system scans, specific folder scans, boot-time scans, as well as other scans using 360 Total Secure and Malwarebytes. What the virus does from what i’ve researched is it can bury itself in your registry, and open back-doors to hackers, while disguising itself as important system files. It also uses a lot of your memory without being traced. Every time I start up my machine and only have my 3 anti-virus’s running, I usually sit around 4.3-4.5GB worth of ram being used, and when I check my processes nothing is using that much memory. I’m not quite sure how I got it, but it’s very dangerous and I would love to get it off my system.

I’ve looked up this file online but every website that tells you how to get rid of it suggests a program called SpyHunter 4, which is a virus itself. I’ve looked around here and there are no posts on it on these forums.

I would really love to get some help on this if it is at all possible.

Hello jigjaguo and welcome to avast!. I will be working on your Malware issues.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the ‘all clear’ even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper

---

1. Please download Farbar Recovery Scan Tool (
   http://www.mcshield.net/personal/magna86/Images/FRST_canned.png
   ) by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

.

2. Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

[*]Type LOD_109d.exe into the Search: field in FRST then click the Search File(s) button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
[*]Please attach it to your reply.

.

3. Please download GMER, the RootKit Detector tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be random named

Double-clicking to run GMER.

[*]Wait for initial scan to finish - if there is any query, click No;
[*]Click [ Scan ] button and wait until the full scan is complete;
[*]Click [ Save … ]- save the report to the Desktop (named ARK );

[*]Then click the >>> button and select Autostart card;
[*]Click [ Scan ] button;
[*] After quick scan, click Copy button;
[*]Open notepad and Paste text. Save report to the Desktop (named autostart )

Attach here both Gmer logreports. (ARK.txt and autostart.txt)

Hey there, thank you very much for the reply, and sorry for the late reply on my end, I wrote that around 3 AM for me so I went to bed shortly after writing it.

The logs for FRST are attachments on this post.

Now as far aw GMER goes, I can't even get it to start. When I double click / right click run as admin it pops up, does an initial run through of some files from what I can see, then it stops responding. I've tried running it a couple times and it does the same thing. Not quite sure what I can do to get it to start properly. If I get it working before you send me a reply i will make another post.

I got it to work, reply is below with the logs.

try to run GMER from safe mode … if no success wait for new instructions from magna86

------Okay I’ve got this scanning now as i’m typing this, i’ll update this post when everything is all done.

-EDIT-

Alright the scan is finished with GMER, the logs will be attachments

Anyone got any ideas?

Patient…magna86 does not work for avast, he is a voulnteer but trained and certified in malware removal
volunteer dont spend all there free time in here, they also have a life, family, work, different time zone … so be patient

I understand that, sorry. This problem has just been bugging me for about a week now and I’ve got literally no idea’s on how to fix it.

and why have you started a new topic? https://forum.avast.com/index.php?topic=164377.0
you only make it more difficult for the one helping … where is he to reply :

i am deleting the other topic, stay in one topic until case is closed, dont make chaos

Hello jigjaguo,

LOD_109d.exe file doesn’t exist on disk any more.

From Start > Control Panel > Programs and Features pls uninstall/remove the mal. program named as WinRAR Packages.

Posted logs also show me multiple AV programs. This isn’t good thing. You should remove one of them and keep the other one.

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AV: 360 Total Security (Enabled - Up to date) {2B66EE1E-E5C8-C2F7-648F-4E55AC68D37D}

GMER’s ARK logs are clean as well. This is good news.

Our primary diagnostic tool, FRST shows no malware as well. Your PC is malware free. Still, FRST shows slightly compromised your web browsers (Firefox and Chrome) from previus adware entries. Therefor, I shall proceed with some additional check with Zoek tool.

Please download Zoek tool by Smeenk (
http://www.mcshield.net/personal/magna86/Images/Zoek_icon.png
) from here and save it to your Desktop.
Unpack the archive…

[*]Close any open browsers and temporarily disable your AntiVirus program. (if it is necessary)
If you are unsure how to do this please read this or this Instruction.

[*]Double click on zoek.exe to run the tool. Please wait while the tool does not start…
[*]Click on More Options button and check only box for AutoClean.

[*] Click on
http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png
button.
Please wait until a logreport will open (this can be after reboot)

[*]Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named “zoek-results.log”

Is this supposed to happen? I know you said turn off antivirus when downloading it but i’m very scared about everything right now and this popping up is worrying.

http://i.imgur.com/i0Op22o.png

I’ve used these tools before. They are reported because of potential dangers if misused.

Since Magna is helping you, chances are almost zilch it can be misused. disable your avast! shields, (Avast! Icon > Shield Controls > disable until restart)

Redownload then follow his directions.

Alright here is the zoek-result log… and then something that shows my system is not mal-ware free. Just over 5 mins after I reset my system and it pop up with the zoek log, this happens.

http://i.imgur.com/Kev94x2.png

I get a warning from avast saying the same thing that has happened for days now.

Also, my system memory will not go down, it keeps climbing and climbing. having close to nothing running i’m at 24% memory usage [3.91GB/16GB]. I know windows uses ram on start up, but this seems really wrong to me.

What ever mal-ware I have on my system is hiding from EVERYTHING or this is literally a false positive, but that makes no sense.

I average 4GB’s of RAM usage on Startup… (I also have 16GB’s.)

Not, if that isn’t normal for you (Keep in mind, I have a million different programs starting at once (Steam, Comodo FW, MCShield, Avast! Free, Malwarebytes, Unchecky, Origin, FRAPS and Chrome at basic starts :-)), find the process using the most (That is climbing).

Theoretically, it should be named: “LOD_109D.exe”. It also will most likely NOT be signed. End it, does it come back right after (Give it a min or so)…

Also, can you find that file, ZIP it with the password “Infected” and post me a D/L Link? I have an idea for this malware that might rough the task up. (Special Designed Program created by Me, which isn’t released anywhere except on my system…).

After I give you the All clear and received the file, if you could remove the D/L link, that’d be perfect (That way no one gets infected by accident).

@Magna, you obviously missed something. Best guess is something is re-writing that to the disk. I intend to find out what is doing that as well.

I can’t find it though, Like i’ve done searches for that specific file and it isn’t a thing. So Idk what to do about that. When it gets detected as you can see from the screenshot it starts up under the WmiPrvSE.exe which is what I had another topic open for but it got closed because it was essentially the same issue.

Here’s a pic from that other topic. Isn’t it normally under Microsoft Corporation for company? As you can see in the screenshot it has no info at all. I’m scared to shut it off just in case it brakes something.

http://i.imgur.com/TL8fmJb.png

And it’s actually still there as i’m typing this, from what I can see right now. no company name and no info or anything, can’t be traced.

And in case this helps at ALL, here’s a search i did with FRST

Farbar Recovery Scan Tool (x64) Version: 11-01-2015
Ran by Straz at 2015-01-12 19:17:15
Running from C:\Users\Straz\Desktop\Anti-virus programs\FRST
Boot Mode: Normal

================== Search Files: “WmiPrvSE.exe” =============

C:\Windows\winsxs\wow64_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_6.1.7601.17514_none_78dd6e4cd6655603\WmiPrvSE.exe
[2013-10-22 19:38][2010-11-20 05:17] 0257536 ____A (Microsoft Corporation) 4FB491AC8D46AAF22BA8BC5C73DABEF7 [File is signed]

C:\Windows\winsxs\wow64_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_6.1.7600.16385_none_76ac5a84d976d269\WmiPrvSE.exe
[2009-07-13 16:30][2009-07-13 18:14] 0254976 ____A (Microsoft Corporation) 203C3380A744CA5B9B1A9CAEB57F7D57 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_6.1.7601.17514_none_6e88c3faa2049408\WmiPrvSE.exe
[2013-10-22 19:38][2010-11-20 06:25] 0372736 ____A (Microsoft Corporation) 619A67C9F617B7E69315BB28ECD5E1DF [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_6.1.7600.16385_none_6c57b032a516106e\WmiPrvSE.exe
[2009-07-13 16:47][2009-07-13 18:39] 0368640 ____A (Microsoft Corporation) 64D757051B5B273E55C93E4503EA4F3E [File is signed]

C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
[2013-10-22 19:38][2010-11-20 05:17] 0257536 ____A (Microsoft Corporation) 4FB491AC8D46AAF22BA8BC5C73DABEF7 [File is signed]

C:\Windows\System32\wbem\WmiPrvSE.exe
[2013-10-22 19:38][2010-11-20 06:25] 0372736 ____A (Microsoft Corporation) 619A67C9F617B7E69315BB28ECD5E1DF [File is signed]

====== End Of Search ======

Farbar Recovery Scan Tool (x64) Version: 11-01-2015
Ran by Straz at 2015-01-12 19:37:03
Running from C:\Users\Straz\Desktop\Anti-virus programs\FRST
Boot Mode: Normal

================== Search Files: “LOD_109d.exe” =============

====== End Of Search ======

Is this supposed to happen?

Yes. Whenever Smeenk (Zoek developer) upload new version (inter code changed, different file size loaded in %temp%, new bat file added, different MD5 & hash ... etc) then all AntiVirus shall report the new for them unknown zoek.exe and all droper files as malware threat because the virus analysts do not check the file itself, they just add the file at detection rules. So answer is yes, whenever a file is added to the database without checking & testing the file itself, yes this supposed to happen.

Next time when I say disable your AV, please just do so.

Zoek logreprot came as clean as well. Well, let’s run one more ARK scan, shall we?

Also, can you repeat SearchFile for LOD_109d.exe file? Thus, this detection seems as FP since this file is used by some app and it just temporaly loaded in temp folder.

Please download Malwarebytes AntiRootkit (MBAR) and save it to your desktop.
[i]For full instructions how MBAR works, read this article

> Doubleclick on the MBAR file (
http://www.mcshield.net/personal/magna86/Images/mbar.png
) and allow it to run.
• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click Next if you agree.

• On the Update Database screen, click on the Update button. Once you see ‘Success: Database was successfully updated’ click on Next
• Under Scan Targets ensure all boxes are ticked. Then click the Scan button.

Notice: with some infections, you may see two messages boxes:

• ‘Could not load protection driver’. Click ‘OK’.
• ‘Could not load DDA driver’. Click ‘Yes’ to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

>> If malware is not detected, click the Exit button to close the program and post the mbar-log-year-month-day.txt and system-log.txt reports.

>> If an infection/s are found ensure Create Restore Point are ticked. Then select the "Cleanup! button to remove threats.
• The clean up procedure will be scheduled for process, pop-up will be shown.
Select the Yes button and the system should re-boot to complete the cleaning process.

>> Notice: only if an RootKit are detected, ensure to run fixdamage.exe tool located in mbar folder, \Plugins\fixdamage.exe

• Run fixdamage.exe, at the black window to continue type Y (alias for Yes). Wait few seconds for execution …
• When you see “press any key to exit” fix is completed, press any key to close the window. Reboot the system.

> The following reports will be created in mbar folder:

1. mbar-log-year-month-day (hour-minute-second).txt
2. system-log.txt

Please post both logs in your next reply.

Hi, I actually went ahead and did some research into the LOD_109D file issue. You don’t happen to have Diablo II installed do you?

A’ight. I went hunting in your logs for the Diablo II Program and I found it.
2015-01-10 17:21 - 2013-07-10 12:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Diablo II

So that answer THAT question. I suspect that the LOD_109D file is actually a Diablo II Patch.

read This: http://www.moddb.com/downloads/diablo2-lod-patch-109d-installer

However, the issue stands is that file is SERIOUSLY outdated (Dates back to July 11th, 2005). So unless Avast! made a modification to the scanners, it shouldn’t be picked up. Can you confirm now that you still Play Diablo II?

I do play DII still from time to time, but it isn’t on my machine currently, and that Diablo II folder is empty.

Anyways, here are the logs for MBAR, and even this came up with nothing detected. I really don’t know what to say right now.

I should’ve noticed that. My bad.

2015-01-10 17:21 - 2013-07-10 12:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Diablo II

The bold(ed) numbers represents the total size of the Directory. 000000000 means, obviously, it is Empty. With that being said though, it is possible remnants are still on your system which are sparking the “Threat Detected”.

Wait for Magna though.