Jump to content

LicenseValidator, UpgradeChecker.exe

Recommended Posts

So normally I don't have any problems with removing any kind of spyware, trjoan ect ect however this one in paticular will not go away no matter what I do.

This paticular trojan reappears before I even restart the computer and as well changes its name from LicenseValidator.exe to UpgradeChecker.exe or Upgrader.exe and lastly Validator.exe. The product name and description name of the .exe is in russian, if that means anything.

Mbam successfully removes it but it just comes RIGHT back restart or not.

DDS Log:


DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24

Run by Mahoraba at 13:47:50 on 2012-02-04

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1100 [GMT -4:00]


SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


============== Running Processes ===============




C:\Windows\system32\svchost.exe -k DcomLaunch


C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe




C:\Windows\system32\svchost.exe -k NetworkService


C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe




C:\Program Files\Logitech Gaming Software\LCore.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe

C:\Program Files\uTorrent\uTorrent.exe


C:\Program Files\Logitech Gaming Software\plugins\LCDAppletsMono-1.00.027\Applets\x86\LCDPop3.exe

C:\Program Files\Logitech Gaming Software\plugins\LCDAppletsMono-1.00.027\Applets\x86\LCDClock.exe

C:\Program Files\Logitech Gaming Software\plugins\LCDAppletsMono-1.00.027\Applets\x86\LCDRSS.exe

C:\Program Files\Logitech Gaming Software\plugins\LCDAppletsMono-1.00.027\Applets\x86\LCDCountdown.exe


C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Windows Media Player\WMPSideShowGadget.exe

C:\Program Files\Windows Media Player\wmplayer.exe


C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe



C:\Windows\System32\svchost.exe -k WerSvcGroup






============== Pseudo HJT Report ===============


BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"

uRun: [LicenseValidator] c:\users\mahoraba\appdata\roaming\identities\{b1b09ad0-79ca-4aa5-809b-53b066747cea}\LicenseValidator.exe

mRun: [Launch LCore] "c:\program files\logitech gaming software\LCore.exe" /minimized

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe

StartupFolder: c:\users\mahoraba\appdata\roaming\microsoft\windows\start menu\programs\startup\CurseClientStartup.ccip

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

TCP: DhcpNameServer =

TCP: Interfaces\{507B6B4E-3DAA-4B83-858F-8C34E6D250FC} : DhcpNameServer =

TCP: Interfaces\{FCE1EEF7-5C1A-4184-B7EE-779C17A19AE0} : DhcpNameServer =

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL


================= FIREFOX ===================


FF - ProfilePath - c:\users\mahoraba\appdata\roaming\mozilla\firefox\profiles\n0ee1zq3.default\

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll

FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll

FF - plugin: c:\program files\research in motion limited\blackberry app world browser plugin\npappworld.dll



FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false


============= SERVICES / DRIVERS ===============


R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-10-15 381248]

R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2011-3-4 19720]

R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2011-3-4 14856]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-2-4 40776]

R3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [2011-3-4 13225]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]


=============== Created Last 30 ================


2012-02-04 17:36:42 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-02-04 16:18:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2012-02-04 16:18:02 -------- d-----w- c:\program files\Spybot - Search & Destroy

2012-02-04 16:09:13 -------- d-----w- c:\users\mahoraba\appdata\roaming\Windows Desktop Search

2012-02-04 15:38:49 -------- d-----w- c:\users\mahoraba\appdata\roaming\Google Inc

2012-01-31 15:21:26 877376 ----a-w- c:\windows\system32\nvgenco32.dll

2012-01-31 15:21:26 61248 ----a-w- c:\windows\system32\OpenCL.dll

2012-01-31 15:21:26 10327360 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys

2012-01-31 15:21:25 919872 ----a-w- c:\windows\system32\nvdispco32.dll

2012-01-31 15:21:25 5578560 ----a-w- c:\windows\system32\nvcuda.dll

2012-01-31 15:21:25 2401088 ----a-w- c:\windows\system32\nvcuvid.dll

2012-01-31 15:21:25 2099520 ----a-w- c:\windows\system32\nvcuvenc.dll

2012-01-31 15:21:25 17248576 ----a-w- c:\windows\system32\nvcompiler.dll

2012-01-30 12:27:00 -------- d-----w- c:\programdata\PopCap Games

2012-01-29 21:35:55 -------- d-----w- c:\users\mahoraba\appdata\roaming\TeamViewer

2012-01-29 20:13:41 -------- d-----w- c:\users\mahoraba\appdata\roaming\BigHugeEngine

2012-01-25 19:52:08 -------- d-----w- c:\users\mahoraba\appdata\roaming\Tiyq

2012-01-25 19:52:08 -------- d-----w- c:\users\mahoraba\appdata\roaming\Doelto

2012-01-24 12:18:42 -------- d-----w- c:\programdata\Electronic Arts

2012-01-24 12:18:42 -------- d-----w- c:\programdata\EA Core

2012-01-24 12:16:22 -------- d-----w- c:\programdata\Solidshield

2012-01-19 15:13:32 -------- d-----w- c:\users\mahoraba\appdata\roaming\RenPy

2012-01-19 15:02:13 -------- d-----w- c:\programdata\RELOADED

2012-01-19 15:01:38 163328 ----a-w- c:\windows\ext_driver.exe

2012-01-13 17:53:57 -------- d-----w- c:\program files\WB Games

2012-01-12 16:52:51 -------- d-----w- c:\users\mahoraba\appdata\roaming\MoreTerra

2012-01-07 20:46:02 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll

2012-01-07 20:46:02 45016 ----a-w- c:\program files\mozilla firefox\mozutils.dll

2012-01-07 20:46:01 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll

2012-01-07 20:46:01 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll

2012-01-07 01:52:54 -------- d-----w- c:\program files\Microsoft XNA

2012-01-07 01:50:26 -------- d-----w- c:\program files\Terraria


==================== Find3M ====================


2011-12-10 19:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys


============= FINISH: 13:48:40.84 ===============

Attach Log:


DDS (Ver_2011-08-26.01)


Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume1

Install Date: 3/4/2011 9:30:23 AM

System Uptime: 2/4/2012 1:30:13 PM (0 hours ago)


Motherboard: Intel Corporation | | D915PBL

Processor: Intel® Pentium® 4 CPU 3.40GHz | J2E1 | 3445/200mhz


==== Disk Partitions =========================


A: is Removable

C: is FIXED (NTFS) - 466 GiB total, 335.985 GiB free.

D: is CDROM ()

E: is CDROM ()

F: is FIXED (NTFS) - 0 GiB total, 0.07 GiB free.


==== Disabled Device Manager Items =============


Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Intel® PRO/100 VE Network Connection

Device ID: PCI\VEN_8086&DEV_1064&SUBSYS_305E8086&REV_01\4&23C0B1C&0&40F0

Manufacturer: Intel

Name: Intel® PRO/100 VE Network Connection

PNP Device ID: PCI\VEN_8086&DEV_1064&SUBSYS_305E8086&REV_01\4&23C0B1C&0&40F0

Service: E100B


Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}

Description: Standard PS/2 Keyboard

Device ID: ACPI\PNP0303\4&22E16C7A&0

Manufacturer: (Standard keyboards)

Name: Standard PS/2 Keyboard

PNP Device ID: ACPI\PNP0303\4&22E16C7A&0

Service: i8042prt


==== System Restore Points ===================


RP77: 2/1/2012 12:46:32 PM - Scheduled Checkpoint


==== Installed Programs ======================



Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader X (10.0.1)


BlackBerry App World Browser Plugin

BlackBerry Desktop Software 6.1



Curse Client

Game Booster 3

Java Auto Updater

Java 6 Update 24

Kingdoms of Amalur: Reckoning Demo

League of Legends

Logitech Gaming Software 7.00

Logitech Vid

Logitech Webcam Software

Logitech Webcam Software Driver Package

MagicDisc 2.7.106

Malwarebytes Anti-Malware version

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Excel 2010

Microsoft Games for Windows - LIVE

Microsoft Games for Windows - LIVE Redistributable

Microsoft Office Excel 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Silverlight

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft XNA Framework Redistributable 3.1

Microsoft XNA Framework Redistributable 4.0

Mozilla Firefox 10.0 (x86 en-US)


Mumble 1.2.3

NVIDIA 3D Vision Controller Driver 285.62

NVIDIA 3D Vision Driver 285.62

NVIDIA Control Panel 285.62

NVIDIA Graphics Driver 285.62

NVIDIA Install Application


NVIDIA PhysX System Software 9.11.0621

NVIDIA Stereoscopic 3D Driver

Portal 2

Razer Diamondback 3G

Skype™ 5.5

SpeedFan (remove only)

Spybot - Search & Destroy


System Requirements Lab for Intel


Ventrilo Client

VLC media player 1.1.9

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Messenger

Windows Live Sign-in Assistant

Windows Live Upload Tool

WinRAR 4.00 (32-bit)

World of Logs Client (4.2)

World of Warcraft


==== Event Viewer Messages From Past Week ========


2/4/2012 1:30:29 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147014847

2/1/2012 12:42:40 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

1/29/2012 8:33:18 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000116 (0x87c300d8, 0x9192377e, 0x00000000, 0x0000000d). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 012912-17187-01.

1/29/2012 5:36:34 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.

1/29/2012 5:36:34 PM, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

1/29/2012 5:32:54 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000116 (0x85c7d008, 0x9192077e, 0x00000000, 0x0000000d). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 012912-17000-01.

1/29/2012 4:38:26 PM, Error: Microsoft-Windows-WMPNSS-Service [14346] - A new media server was not initialized because RegisterRunningDevice() encountered error '0x80004005'. Restart your computer, and then restart the WMPNetworkSvc service.


==== End Of File ===========================\

Mbam Log:

Malwarebytes Anti-Malware


Database version: v2012.02.04.03

Windows 7 x86 NTFS

Internet Explorer 8.0.7600.16385

Mahoraba :: MAHORABA-PC [administrator]

2/4/2012 1:36:49 PM

mbam-log-2012-02-04 (13-36-49).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 265960

Time elapsed: 30 minute(s), 38 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|LicenseValidator (Trojan.Ransom.BP) -> Data: C:\Users\Mahoraba\AppData\Roaming\Identities\{B1B09AD0-79CA-4AA5-809B-53B066747CEA}\LicenseValidator.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 5

C:\Users\Mahoraba\AppData\Roaming\Identities\{B1B09AD0-79CA-4AA5-809B-53B066747CEA}\LicenseValidator.exe (Trojan.Ransom.BP) -> Quarantined and deleted successfully.

C:\Program Files\WB Games\Bastion\TDU1k.exe (Packer.ModifiedUPX) -> Quarantined and deleted successfully.

C:\Program Files\Terraria\TDU.exe (Packer.ModifiedUPX) -> Quarantined and deleted successfully.

C:\Users\Mahoraba\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\5eb92d86-6f649fcf (Trojan.Ransom.BP) -> Quarantined and deleted successfully.

C:\Users\Public\Games\Bastion\TDU1k.exe (Packer.ModifiedUPX) -> Quarantined and deleted successfully.

Link to post
Share on other sites

It is worth mentioning I don't use Internet Explorer, the Trojan in question is opening two instances of Internet Explorer and making them hidden but still viewable and closeable in the Process tab of the Task Manager.

Also aware that I don't have an active prevention for Malware/Viruses other then having MalwareBytes after infection, all I'm looking for is how to remove what I currently have, not to install an active prevention program to prevent further infections.

Link to post
Share on other sites


We look for post with 0 replies, so when you replied to your own topic, we assumed you were being helped.

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan being sure to update before scanning.

Post the scan results

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.