PDA

View Full Version : S&D Teatimer going haywire...malware?



domino66
2009-04-12, 01:22
Hi, I originally piggy-backed / bumped someone else's post (http://forums.spybot.info/showthread.php?p=304338#post304338) b/c a google search led me here and I seemed to have a similar problem to him, but was told that the appropriate process here was to follow the "before you post" instructions and start my own thread. I'm new here, so plz feel free to tell me if I'm doing something else wrong.

The problem: 2 days ago, all of a sudden the S&D Resident started going haywire, alerting me of a registry change denied (b/c I selected "remember this action the first time I denied it) roughly every 1 second. Here's what the bottom-right portion of me screen looks like:

http://img11.imageshack.us/img11/8199/regerror.jpg

The only difference between the post I bumped and my problem is that when I right-click the Resident icon and select Show Log, the text I see does NOT reference a oembio.exe process, but rather in its place a bootwindows.exe process. But I'm aware that this could be the same problem with simply a different malware filename. So the Resident.log file (for me) looks like:

9/27/2008 2:23:55 AM Allowed (based on user decision) value "DellSupport" (new data: "") deleted in System Startup user entry!
9/29/2008 9:00:20 AM Allowed (based on user decision) value "wextract_cleanup0" (new data: "rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Dan\LOCALS~1\Temp\IXP000.TMP\"") added in System Startup global entry!
9/29/2008 9:00:25 AM Allowed (based on user decision) value "wextract_cleanup0" (new data: "") deleted in System Startup global entry!
10/21/2008 9:03:11 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "%systemroot%\system32\dumprep 0 -k") added in System Startup global entry!
10/21/2008 9:04:51 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!
10/24/2008 9:03:42 AM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
11/7/2008 4:57:57 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
11/7/2008 4:58:14 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "%systemroot%\system32\dumprep 0 -k") added in System Startup global entry!
11/10/2008 9:20:36 AM Allowed (based on user decision) value "KernelFaultCheck" (new data: "%systemroot%\system32\dumprep 0 -k") added in System Startup global entry!
11/11/2008 6:12:48 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!
11/23/2008 11:16:10 AM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
12/11/2008 9:41:19 AM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
12/11/2008 9:41:22 AM Allowed (based on user decision) value "WinampAgent" (new data: ""C:\Program Files\Winamp\winampa.exe"") changed in System Startup global entry!
1/24/2009 6:14:26 PM Allowed (based on user decision) value "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (new data: "") deleted in Global browser toolbar!
1/24/2009 6:15:12 PM Denied (based on user decision) value "{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}" (new data: "") added in Browser Helper Object!
1/24/2009 6:15:16 PM Denied (based on user decision) value "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (new data: "hex:00") added in Global browser toolbar!
3/24/2009 7:10:36 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
4/2/2009 7:33:56 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
4/4/2009 2:43:48 PM Allowed (based on user decision) value "Gnewuh" (new data: "rundll32.exe "C:\WINDOWS\iqoguvimupagidi.dll",e") added in System Startup global entry!
4/10/2009 9:24:55 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:24:58 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:04 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:08 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:10 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:58 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:59 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:26:00 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:26:01 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:26:02 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!

(there are literally thousands of clone entries of the above...like I said, this S&D error msg is popping up every 1 second).

Some pertinent info:
- I use XP and run my school's corporate edition of Symantec Antivirus, and a complete scan comes up clean (also use S&D and AdAware)
- One other thing I noticed: Firefox has been REAAAALLY slow for me...like slowed to an absolute crawl, but IE, and all my other internet-based app's run just fine

What I've tried so far
- On the suggestion of a dif forum, I downloaded SUPERAntiSpyware and ran it, and it found something it labeled a Trojan.backdoor or something (sounds bad, obv) so I used the program to remove that file, but even after a reboot, S&D is still going haywire.

- I also ran Malwareybtes' Anti-Malware, and the results looked like this:
http://img220.imageshack.us/img220/6240/malw.jpg

I had Anti-Malware clean/delete the nasty looking things, rebooted, but the S&D teatimer was still going haywire. It's not right now, but that's only because I followed the instructions in the "before you post" thread and disabled it.

Here is my HJT log. I highlighted one line in bold below b/c in eyeballing the log (i don't really know what any of it means), i saw that line, which seems similar to the error that S&D was flashing at me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:13 PM, on 4/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
C:\Program Files\PostgreSQL\8.0\bin\postmaster.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\PostgreSQL\8.0\bin\postgres.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\Program Files\PostgreSQL\8.0\bin\postgres.exe
C:\Program Files\PostgreSQL\8.0\bin\postgres.exe
C:\Program Files\PostgreSQL\8.0\bin\postgres.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\OpenVPN\bin\openvpn-gui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=0061215
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=0061215
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=0061215
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-3969601634-894110467-613912118-1008\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'postgres')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Dan\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Dan\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Dan\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Dan\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: handgrabberlsp.dll
O10 - Unknown file in Winsock LSP: handgrabberlsp.dll
O10 - Unknown file in Winsock LSP: handgrabberlsp.dll
O10 - Unknown file in Winsock LSP: handgrabberlsp.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: PostgreSQL Database Server 8.0 (pgsql-8.0) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
O23 - Service: PostgreSQL Database Server 8.2 (pgsql-8.2) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: setaffinity - Unknown owner - C:\Documents and Settings\Dan\Desktop\SetAffinity\\setaffinity_service.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 13251 bytes

pskelley
2009-04-13, 15:02
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You must have read and followed the "Before you Post" instructions, there are no excuses for not following the directions.

Please don't post a gif/jpeg picture to show the problem, they are not needed and also hard on anyone who uses dialup. The logs will suffice and are best read in default black font, thank you.

Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806
First time I have seen this one and I am showing this as a dangerous trojan:
C:\WINDOWS\system32\bootwindows.exe <<< not a log of information available, but enough:
http://www.threatexpert.com/files/bootwindows.exe.html
http://www.threatexpert.com/report.aspx?md5=a07fe470e502f188598111b474aed209

A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

I believe you should look at this information:
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Let us know what you have decided to do in your next post.

domino66
2009-04-13, 15:42
Thank you for your reply. A few things to start:

1) I read the "before you post" thread, as I mentioned; I must have missed the part about not posting images. Sorry, I thought they'd be helpful for a fixer.

2) About having tried other fixes first, you have to understand that these forums aren't necessarily the first place people will come for help, and that they will often have tried partial fixes on their own (as i did). Your reply implied that I was consciously flouting the instructions here. Please understand that I only tried what any reasonable person would have tried before discovering these forums, and was not consciously disregarding your instructions.

OK, on to the questions:

1) I know what a keylogger is...but is there any way to tell whether my keystrokes actually WERE logged and sent to a remote person/server? What I mean is that all we discovered to this point is that the bootwindows.exe file was on my computer, right? But it would be more helpful/scary if we were to determine whether any data actually WAS sent to a 3rd party without my consent. Is there a way to tell that?

2) How could I have picked up this virus...I always have my AVS and firewall running...?

3) I would NEVER have actually activated / run the bootwindows.exe file...but could it have been run anyway without my knowledge?

4) Should I go into the Windows/system32 directory and manually delete that file? i.e. you mention that the trojan can be "killed"...how? by just deleting it? Or by running some other type of program?

5)

pskelley
2009-04-13, 15:57
I have provided the information I have available about this keylogger, I have no way of knowing the answers to your questions.

Here is some information that may help provide answers.
http://forums.spybot.info/showthread.php?t=279

Yes, that file can be deleted, either manually or by a program/s that will look for any hidden malware not showing in the HJT log, but there is no way I can guarantee the computer is safe even when this is done.

http://www.google.com/search?hl=en&q=what+is+a+rootkit&btnG=Search
http://www.google.com/search?hl=en&q=what+is+a+keylogger&btnG=Search

Thanks