Spybot found keylogger



jamper
2010-08-27, 06:20
Hello, I ran a scan of my laptop, and after it was over I restarted the computer and Spybot said it found "perfect keylogger". It asked to delete it and did, and now the computer is very slow.
Thanks in advance.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Dell at 21:03:43.18 on Thu 08/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.268 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Clearwire\Connection Manager\ClearwireCM.exe
C:\Program Files\Clearwire\Connection Manager\RcAppSvc.exe
c:\program files\clearwire\connection manager\Location Finder\mylocal.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Dell\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=15494&l=dis
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {465E08E7-F005-4389-980F-1D8764B3486C} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [InstallIQUpdater] "c:\program files\w3i\installiqupdater\InstallIQUpdater.exe" /silent /autorun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\documents and settings\dell\start menu\programs\startup\Logitech . Product Registration.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: {9D47044B-7F0E-438E-839E-1A4A7FD02AD9} = 156.154.70.22,156.154.71.22
TCP: {D0EAC57D-D3B1-46BC-B087-E298162F42CD} = 156.154.70.22,156.154.71.22
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dell\applic~1\mozilla\firefox\profiles\xb9tdwg8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2496572&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\documents and settings\dell\application data\mozilla\firefox\profiles\xb9tdwg8.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\documents and settings\dell\application data\mozilla\firefox\profiles\xb9tdwg8.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\sonne video converter\codec\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\sonne video converter\codec\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-8-10 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-8-10 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-8-10 243024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-5-31 532224]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-8-10 308136]
R2 SMSI Device Launch Service;Clearwire Device Launch Service;c:\program files\clearwire\connection manager\DeviceLaunchSvc.exe [2009-11-9 107856]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [2009-10-1 282112]
R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [2009-10-1 51712]
R3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;c:\program files\clearwire\connection manager\RcAppSvc.exe [2009-11-9 120144]
S3 cpuz132;cpuz132;\??\c:\docume~1\dell\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\dell\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

=============== Created Last 30 ================

2010-08-11 19:15:29 0 d--h--w- C:\$AVG
2010-08-10 23:03:52 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-08-10 23:03:49 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-08-10 23:03:41 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-08-10 23:03:14 0 d-----w- c:\windows\system32\drivers\Avg
2010-08-10 22:59:41 0 d-----w- c:\program files\AVG
2010-08-10 22:59:18 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-08-10 22:48:54 0 d-----w- C:\AVGTemp
2010-08-10 12:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 12:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-17 12:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-25 00:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ------w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ------w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 12:21:55 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2010-06-01 04:22:20 4212 ---ha-w- c:\windows\system32\zllictbl.dat

============= FINISH: 21:06:53.17 ===============

Blottedisk
2010-09-01, 02:40
Hi jamper,

My name is Blottedisk and I will be helping you with your log. We apologize for the delay in responding to your request for help. Here at Safer-Networking we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.


Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools menu to the right of your topic title and selecting "Subscribe to this Thread".

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 5 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Reply to this topic until I say your computer is clean. Please bear with me, I will post back to you as soon as I can.


jamper
2010-09-01, 08:52
Hello, thanks for helping.

Jamper

Blottedisk
2010-09-02, 17:48
Hi again jamper :)


Are you still experiencing this slowness? Have you spotted any additional symptoms so far?
Please follow these steps in order:


Step 1 | Let's have a look at Spybot's logfiles. Navigate to the following location:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs

Copy the contents of your last fixes and checks logfiles and paste them in your next reply. You will recognize the last ones because they are dated, in this format:

Checks.yymmdd-hhmm and Fixes.yymmdd-hhmm


Step 2 | Please download GMER from one of the following locations and save it to your desktop:

Main Mirror (http://gmer.net/download.php) - This version will download a randomly named file (Recommended)
Zipped Mirror (http://gmer.net/gmer.zip) - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

--------------------------------------------------------------------


Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection (http://forums.whatthetech.com/index.php?showtopic=96260) so your security programs will not conflict with GMER's driver.
Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.



GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Make sure all options are checked except:

IAT/EAT
Drives/Partition other than Systemdrive, which is typically C:\
Show All (This is important, so do not miss it.)




Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode (http://www.computerhope.com/issues/chsafe.htm).


Please post back with:
-Spybot S&D logs
-GMER log

jamper
2010-09-02, 21:00
Hello, yes, I am still running slow, but no new problems. Here is the requested info. I also included the Spybot resident log because it has the "perfect keylogger" entry.
Thanks

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-02 11:44:16
Windows 5.1.2600 Service Pack 3
Running: bnki8ei6.exe; Driver: C:\DOCUME~1\Dell\LOCALS~1\Temp\fwdoapog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xAA55C534]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xAA556782]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0xAA5756DC]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xAA55CCC0]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xAA56FEB4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xAA5702A2]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xAA579916]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xAA55CDF6]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xAA557398]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xAA576FE4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xAA57693C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xAA56EDF0]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0xAA57793C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xAA577B44]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xAA556FAA]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xAA5721CE]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0xAA571DF8]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xAA5788D2]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xAA578208]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xAA55C0F4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xAA5792A4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xAA55C7DC]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xAA55775C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xAA578E12]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xAA5760C4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xAA570F0A]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xAA570C86]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 243C 80501C74 12 Bytes [C0, CC, 55, AA, B4, FE, 56, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1944] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2848] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3712] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1044721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----
__________________________________________________________________________________________________________________________________
CHECKS.
--- Report generated: 2010-08-26 13:34 ---

GameVance: [SBI $9D3D13BA] Application data folder (Directory, nothing done)
C:\Documents and Settings\Dell\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Windows: [SBI $1E4E2003] Drivers installation paths (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-166070640-231741892-2153587266-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (10 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-166070640-231741892-2153587266-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-166070640-231741892-2153587266-1006\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-166070640-231741892-2153587266-1006\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-166070640-231741892-2153587266-1006\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-07-29 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-06-29 Includes\Adware.sbi (*)
2010-08-24 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2010-07-27 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2010-07-27 Includes\HijackersC.sbi (*)
2010-06-29 Includes\iPhone.sbi (*)
2010-08-02 Includes\Keyloggers.sbi (*)
2010-08-02 Includes\KeyloggersC.sbi (*)
2010-06-01 Includes\Malware.sbi (*)
2010-08-24 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-07-20 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-07-27 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-06-29 Includes\Spyware.sbi (*)
2010-07-27 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti (*)
2010-08-04 Includes\Trojans.sbi (*)
2010-07-28 Includes\TrojansC-02.sbi (*)
2010-07-28 Includes\TrojansC-03.sbi (*)
2010-07-28 Includes\TrojansC-04.sbi (*)
2010-08-24 Includes\TrojansC-05.sbi (*)
2010-08-16 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

__________________________________________________________________________________________________________________________________ FIXES


--- Report generated: 2010-08-26 18:08 ---

GameVance: [SBI $9D3D13BA] Application data folder (Directory, fixed)
C:\Documents and Settings\Dell\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\

Log: Activity: SchedLgU.Txt (Backup file, fixed)
C:\WINDOWS\SchedLgU.Txt

Windows: [SBI $1E4E2003] Drivers installation paths (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (1 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-166070640-231741892-2153587266-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (10 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-166070640-231741892-2153587266-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, fixed)
HKEY_USERS\S-1-5-21-166070640-231741892-2153587266-1006\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, fixed)
HKEY_USERS\S-1-5-21-166070640-231741892-2153587266-1006\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, fixed)
HKEY_USERS\S-1-5-21-166070640-231741892-2153587266-1006\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-07-29 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-06-29 Includes\Adware.sbi (*)
2010-08-24 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2010-07-27 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2010-07-27 Includes\HijackersC.sbi (*)
2010-06-29 Includes\iPhone.sbi (*)
2010-08-02 Includes\Keyloggers.sbi (*)
2010-08-02 Includes\KeyloggersC.sbi (*)
2010-06-01 Includes\Malware.sbi (*)
2010-08-24 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-07-20 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-07-27 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-06-29 Includes\Spyware.sbi (*)
2010-07-27 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti (*)
2010-08-04 Includes\Trojans.sbi (*)
2010-07-28 Includes\TrojansC-02.sbi (*)
2010-07-28 Includes\TrojansC-03.sbi (*)
2010-07-28 Includes\TrojansC-04.sbi (*)
2010-08-24 Includes\TrojansC-05.sbi (*)
2010-08-16 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

__________________________________________________________________________________________________________________________________ RESIDENT

8/26/2010 6:08:51 PM Allowed (based on user decision) value "SpybotDeletingB6883" (new data: "command.com /c del "C:\WINDOWS\SchedLgU.Txt"") added in System Startup user entry!
8/26/2010 6:09:06 PM Allowed (based on user decision) value "SpybotDeletingD4656" (new data: "cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"") added in System Startup user entry!
8/26/2010 6:09:06 PM Allowed (based on user decision) value "SpybotDeletingA9970" (new data: "command.com /c del "C:\WINDOWS\SchedLgU.Txt"") added in System Startup global entry!
8/26/2010 6:09:23 PM Allowed (based on user decision) value "SpybotDeletingC4716" (new data: "cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"") added in System Startup global entry!
8/26/2010 8:41:44 PM (based on ) value "Malwarebytes Anti-Malware (reboot)" (new data: ""C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript") in System Startup global entry!
8/26/2010 8:46:02 PM Allowed (based on user decision) value "SpybotDeletingB6883" (new data: "") deleted in System Startup user entry!
8/26/2010 8:46:04 PM Allowed (based on user decision) value "SpybotDeletingD4656" (new data: "") deleted in System Startup user entry!
8/26/2010 8:46:11 PM Allowed (based on authenticode whitelist) value "Adobe ARM" (new data: ""C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"") added in System Startup global entry!
8/26/2010 8:46:21 PM Allowed (based on lassh blacklist) value "Apoint" (new data: "C:\Program Files\Apoint\Apoint.exe") added in System Startup global entry!
8/26/2010 8:46:31 PM Allowed (based on lassh blacklist) value "ISUSPM Startup" (new data: "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup") added in System Startup global entry!
8/26/2010 8:46:44 PM Allowed (based on lassh blacklist) value "ISUSScheduler" (new data: ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start") added in System Startup global entry!
8/26/2010 8:46:57 PM Allowed (based on lassh blacklist) value "Dell QuickSet" (new data: "C:\Program Files\Dell\QuickSet\quickset.exe") added in System Startup global entry!
8/26/2010 8:47:02 PM Encountered and terminated PerfectKeylogger in C:\WINDOWS\system32\lsass.exe!
8/26/2010 8:47:03 PM Allowed (based on user decision) value "ZoneAlarm Client" (new data: ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"") added in System Startup global entry!
8/26/2010 8:47:13 PM Allowed (based on lassh blacklist) value "igfxtray" (new data: "C:\WINDOWS\system32\igfxtray.exe") added in System Startup global entry!
8/26/2010 8:47:29 PM Allowed (based on user decision) value "igfxhkcmd" (new data: "C:\WINDOWS\system32\hkcmd.exe") added in System Startup global entry!
8/26/2010 8:47:45 PM Allowed (based on lassh blacklist) value "igfxpers" (new data: "C:\WINDOWS\system32\igfxpers.exe") added in System Startup global entry!
8/26/2010 8:47:55 PM Allowed (based on authenticode whitelist) value "Adobe Reader Speed Launcher" (new data: ""C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"") added in System Startup global entry!
8/26/2010 8:48:05 PM Allowed (based on user decision) value "AVG9_TRAY" (new data: "C:\PROGRA~1\AVG\AVG9\avgtray.exe") added in System Startup global entry!
8/26/2010 8:48:14 PM Allowed (based on authenticode whitelist) value "SunJavaUpdateSched" (new data: ""C:\Program Files\Common Files\Java\Java Update\jusched.exe"") added in System Startup global entry!
8/26/2010 8:48:24 PM Allowed (based on user decision) value "QuickTime Task" (new data: ""C:\Program Files\QuickTime\QTTask.exe" -atboottime") added in System Startup global entry!
8/26/2010 8:48:24 PM Allowed (based on user decision) value "SpybotDeletingA9970" (new data: "") deleted in System Startup global entry!
8/26/2010 8:48:24 PM Allowed (based on user decision) value "SpybotDeletingC4716" (new data: "") deleted in System Startup global entry!

Blottedisk
2010-09-03, 02:50
Hello jamper,


You did well including the resident log, thanks.
Please do the following:


Step 1 | Download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
Be sure to disable your security programs
Double click on the file to run it
A window will open on your desktop
If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
If nothing unusual is found, just press Enter.
A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.

Step 2 | Please go to the following site to scan a file: Virus Total (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fwww.virustotal.com)

Click on Browse, and upload the following file for analysis:

C:\WINDOWS\system32\lsass.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.

jamper
2010-09-03, 04:24
Hi, thanks again for your help.

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 133):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF79C7000 \WINDOWS\system32\KDCOM.DLL
0xF78D7000 \WINDOWS\system32\BOOTVID.dll
0xF7398000 ACPI.sys
0xF79C9000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7387000 pci.sys
0xF74C7000 isapnp.sys
0xF78DB000 compbatt.sys
0xF78DF000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A8F000 pciide.sys
0xF7747000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF79CB000 intelide.sys
0xF7369000 pcmcia.sys
0xF74D7000 MountMgr.sys
0xF734A000 ftdisk.sys
0xF774F000 PartMgr.sys
0xF74E7000 VolSnap.sys
0xF7332000 atapi.sys
0xF74F7000 disk.sys
0xF7507000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7312000 fltmgr.sys
0xF7300000 sr.sys
0xF72E9000 KSecDD.sys
0xF725C000 Ntfs.sys
0xF722F000 NDIS.sys
0xF7757000 risdptsk.sys
0xF7517000 ohci1394.sys
0xF7527000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7215000 Mup.sys
0xF7617000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7983000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF6BC5000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF6BB1000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF77AF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6B8D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77B7000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6B4A000 \SystemRoot\system32\drivers\STAC97.sys
0xF6B26000 \SystemRoot\system32\drivers\portcls.sys
0xF7627000 \SystemRoot\system32\drivers\drmk.sys
0xF6B03000 \SystemRoot\system32\drivers\ks.sys
0xF6AD2000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
0xF69D3000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF692B000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF77BF000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7637000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF6911000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0xF77C7000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF77CF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7647000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7657000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7667000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF68D4000 \SystemRoot\system32\DRIVERS\iwca.sys
0xF7B88000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7677000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF798F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF68BD000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7687000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7697000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF77D7000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF77DF000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77E7000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF76A7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79D7000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF685F000 \SystemRoot\system32\DRIVERS\update.sys
0xF7997000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF77EF000 \SystemRoot\system32\DRIVERS\omci.sys
0xF76B7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF76E7000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79DD000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF71DC000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF79DF000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B15000 \SystemRoot\System32\Drivers\Null.SYS
0xF79E1000 \SystemRoot\System32\Drivers\Beep.SYS
0xF77FF000 \SystemRoot\System32\drivers\vga.sys
0xF79E3000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79E5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7807000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF780F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF71D8000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA6C5000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF76F7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xAA66C000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAA632000 \SystemRoot\System32\Drivers\avgtdix.sys
0xAA60C000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7707000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAA5E4000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAA563000 \SystemRoot\System32\vsdatant.sys
0xAA541000 \SystemRoot\System32\drivers\afd.sys
0xF7717000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAA516000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAA47E000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7737000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7817000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xAA44A000 \SystemRoot\System32\Drivers\avgldx86.sys
0xF781F000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF7547000 \SystemRoot\system32\DRIVERS\BcmBusCtr.sys
0xF6D25000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF7557000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7827000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xAA405000 \SystemRoot\system32\DRIVERS\drxvi314.sys
0xF782F000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0xF7567000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xAA394000 \SystemRoot\System32\Drivers\wdf01000.sys
0xF6D21000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF7837000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0xF6D1D000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0xF7597000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAA354000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79EF000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xAA704000 \SystemRoot\System32\drivers\Dxapi.sys
0xF783F000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B0D000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF021000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF043000 \SystemRoot\System32\ialmdev5.DLL
0xBF07E000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xAA218000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xAA214000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xAA1EC000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9BF7000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7A67000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
0xA9BBA000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9DD4000 \SystemRoot\system32\drivers\sysaudio.sys
0xA9D04000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA9A4D000 \SystemRoot\system32\DRIVERS\srv.sys
0xA9385000 \SystemRoot\System32\Drivers\HTTP.sys
0xF788F000 \??\C:\WINDOWS\system32\PCTINDIS5.SYS
0xA8CF7000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 52):
0 System Idle Process
4 System
392 C:\WINDOWS\system32\smss.exe
444 csrss.exe
472 C:\WINDOWS\system32\winlogon.exe
516 C:\WINDOWS\system32\services.exe
528 C:\WINDOWS\system32\lsass.exe
676 C:\WINDOWS\system32\svchost.exe
732 svchost.exe
792 C:\WINDOWS\system32\svchost.exe
844 C:\Program Files\AVG\AVG9\avgchsvx.exe
852 C:\Program Files\AVG\AVG9\avgrsx.exe
888 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
956 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
976 C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
1052 svchost.exe
1120 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
1232 C:\Program Files\AVG\AVG9\avgcsrvx.exe
1244 svchost.exe
1252 C:\WINDOWS\explorer.exe
1460 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
172 C:\WINDOWS\system32\spoolsv.exe
344 svchost.exe
376 C:\Program Files\AVG\AVG9\avgwdsvc.exe
648 C:\Program Files\Java\jre6\bin\jqs.exe
1024 C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
1160 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
1588 C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe
1904 C:\Program Files\AVG\AVG9\avgnsx.exe
1940 C:\WINDOWS\system32\searchindexer.exe
2864 alg.exe
2872 wmiprvse.exe
3216 C:\Program Files\Apoint\Apoint.exe
3240 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
3248 C:\Program Files\Dell\QuickSet\quickset.exe
3256 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
3280 C:\WINDOWS\system32\hkcmd.exe
3288 C:\WINDOWS\system32\igfxpers.exe
3324 C:\PROGRA~1\AVG\AVG9\avgtray.exe
3380 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3524 C:\WINDOWS\system32\ctfmon.exe
3552 C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
3632 C:\Program Files\Apoint\ApntEx.exe
3732 C:\Program Files\Digital Line Detect\DLG.exe
3784 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
3640 C:\Program Files\Clearwire\Connection Manager\ClearwireCM.exe
3736 C:\Program Files\Clearwire\Connection Manager\RcAppSvc.exe
2464 C:\Program Files\Mozilla Firefox\firefox.exe
448 C:\Program Files\Clearwire\Connection Manager\Location Finder\mylocal.exe
1556 C:\Program Files\Mozilla Firefox\plugin-container.exe
2120 C:\WINDOWS\system32\wscntfy.exe
1132 C:\Documents and Settings\Dell\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`03ec1000 (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK8026GAX, Rev: PA002D

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 693F9ADCDAC5860A7960F13D1FACD10AE3DDB257


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
__________________________________________________________________________________________________________________________________

VirusTotal

1 VT Community user(s) with a total of 1 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
lsass.exe
Submission date:
2010-09-03 02:06:32 (UTC)
Current status:
finished
Result:
1/ 43 (2.3%)

VT Community

goodware
Safety score: 100.0%
Antivirus Version Last Update Result
AhnLab-V3 2010.09.03.00 2010.09.03 -
AntiVir 8.2.4.46 2010.09.02 -
Antiy-AVL 2.0.3.7 2010.09.02 -
Authentium 5.2.0.5 2010.09.03 -
Avast 4.8.1351.0 2010.09.02 -
Avast5 5.0.594.0 2010.09.02 -
AVG 9.0.0.851 2010.09.02 -
BitDefender 7.2 2010.09.03 -
CAT-QuickHeal 11.00 2010.09.02 -
ClamAV 0.96.2.0-git 2010.09.02 -
Comodo 5950 2010.09.03 -
DrWeb 5.0.2.03300 2010.09.03 -
Emsisoft 5.0.0.37 2010.09.03 -
eSafe 7.0.17.0 2010.09.01 Win32.Banker
eTrust-Vet 36.1.7833 2010.09.02 -
F-Prot 4.6.1.107 2010.09.01 -
F-Secure 9.0.15370.0 2010.09.03 -
Fortinet 4.1.143.0 2010.09.02 -
GData 21 2010.09.03 -
Ikarus T3.1.1.88.0 2010.09.03 -
Jiangmin 13.0.900 2010.09.03 -
K7AntiVirus 9.63.2424 2010.09.02 -
Kaspersky 7.0.0.125 2010.09.03 -
McAfee 5.400.0.1158 2010.09.03 -
McAfee-GW-Edition 2010.1B 2010.09.03 -
Microsoft 1.6103 2010.09.02 -
NOD32 5419 2010.09.02 -
Norman 6.05.11 2010.09.02 -
nProtect 2010-09-02.01 2010.09.02 -
Panda 10.0.2.7 2010.09.02 -
PCTools 7.0.3.5 2010.09.03 -
Prevx 3.0 2010.09.03 -
Rising 22.63.03.03 2010.09.02 -
Sophos 4.57.0 2010.09.02 -
Sunbelt 6826 2010.09.02 -
SUPERAntiSpyware 4.40.0.1006 2010.09.03 -
Symantec 20101.1.1.7 2010.09.03 -
TheHacker 6.5.2.1.362 2010.09.03 -
TrendMicro 9.120.0.1004 2010.09.02 -
TrendMicro-HouseCall 9.120.0.1004 2010.09.03 -
VBA32 3.12.14.0 2010.09.02 -
ViRobot 2010.8.31.4017 2010.09.02 -
VirusBuster 12.64.15.0 2010.09.02 -
Additional information
MD5 : bf2466b3e18e970d8a976fb95fc1ca85
SHA1 : de5a73cbb5f51f64c53fb4277ef2c23e70db123f
SHA256: f7794b5d12dc5d820a162850f4388e2aa80426ad07cb221799cf941c682ab501
ssdeep: 384:ggHUJZXmtGDWkzLWT4a8WfMptsN0BhgO49:338z4zRfMpy0BF4
File size : 13312 bytes
First seen: 2008-05-21 07:59:13
Last seen : 2010-09-03 02:06:32
TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: LSA Shell (Export Version)
original name: lsass.exe
internal name: lsass.exe
file version.: 5.1.2600.5512 (xpsp.080413-2113)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x14BD
timedatestamp....: 0x48025186 (Sun Apr 13 18:31:34 2008)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x10D0, 0x1200, 6.00, 7d33d24893e1db0fa0ecbd7a8fa637bd
.data, 0x3000, 0x6C, 0x200, 0.20, 86a789a893c60d5e207d053188cdc250
.rsrc, 0x4000, 0x1B30, 0x1C00, 7.15, 54488850c25258396b2c9492c36b0bd5

[[ 5 import(s) ]]
ADVAPI32.dll: FreeSid, CheckTokenMembership, AllocateAndInitializeSid, OpenThreadToken, ImpersonateSelf, RevertToSelf
KERNEL32.dll: CloseHandle, GetCurrentThread, ExitThread, SetUnhandledExceptionFilter, SetErrorMode, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, RtlUnwind, InterlockedExchange, VirtualQuery
ntdll.dll: NtSetInformationProcess, RtlInitUnicodeString, NtCreateEvent, NtOpenEvent, NtSetEvent, NtClose, NtRaiseHardError, RtlAdjustPrivilege, NtShutdownSystem, RtlUnhandledExceptionFilter
LSASRV.dll: LsaISetupWasRun, LsapDsDebugInitialize, LsapAuOpenSam, LsapCheckBootMode, ServiceInit, LsapInitLsa, LsapDsInitializePromoteInterface, LsapDsInitializeDsStateInfo
SAMSRV.dll: SamIInitialize, SampUsingDsData

VT Community

1

User:
Anonymous
Reputation:
1 credits
Comment date:
2010-09-02 12:47:36 (UTC)
Tags: Goodware, banker


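An offline check in the spirit of the GMER "copy of MBR" listing and the MBRCheck SHA1 line above, as an added example that is not from the thread or from either tool: it hashes the MBR boot code, lists which sectors of track 0 are byte-identical to sector 0, and parses the partition table so the first partition's byte offset can be compared with what MBRCheck printed. The disk image, its stub boot code, the sector layout and the known-hash whitelist are all constructed for the example; which bytes MBRCheck actually hashes is not stated on the page, so the 440-byte boot code area is an assumption.

```python
"""Added example (not MBRCheck's or GMER's code): offline MBR triage over a
constructed disk image. Nothing here touches a real disk."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440            # assumption: hash the x86 boot code bytes 0..439
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the disk id
MBR_SIGNATURE = b"\x55\xaa"   # boot signature in the last two bytes of sector 0
PART_ENTRY = "<B3sB3sII"      # status, CHS start, type, CHS end, start LBA, count


def build_test_image(n_sectors=64, copy_sectors=(21, 22, 57, 62, 63)):
    """Constructed sample: a fake MBR in sector 0, byte-identical copies in the
    given sectors, zeroes elsewhere. The boot code is a NOP-padded stub."""
    bootcode = bytes.fromhex("33c08ed0bc007c8ec08ed8").ljust(BOOTCODE_LEN, b"\x90")
    # One entry: active, type 0x07 (NTFS), starting at LBA 63, 1000 sectors long.
    entry = struct.pack(PART_ENTRY, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1000)
    table = entry + b"\x00" * 48
    mbr = bootcode + b"\xde\xad\xbe\xef" + b"\x00\x00" + table + MBR_SIGNATURE
    assert len(mbr) == SECTOR
    image = bytearray(n_sectors * SECTOR)
    image[:SECTOR] = mbr
    for s in copy_sectors:
        image[s * SECTOR:(s + 1) * SECTOR] = mbr
    return bytes(image)


def read_sector(image, n):
    return image[n * SECTOR:(n + 1) * SECTOR]


def parse_partitions(mbr):
    """Return the non-empty partition entries with their byte offsets
    (MBRCheck prints the same offset for C:)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY, mbr[off:off + 16])
        if ptype != 0:
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "start_lba": lba, "sectors": count,
                          "start_offset": lba * SECTOR})
    return parts


def analyze_mbr(image, known_bootcode_sha1=frozenset(), scan_sectors=63):
    """Hash the boot code, match it against a caller-supplied whitelist of
    known-good hashes (constructed here; MBRCheck ships its own list), and find
    track-0 sectors that are exact copies of sector 0."""
    mbr = read_sector(image, 0)
    sha1 = hashlib.sha1(mbr[:BOOTCODE_LEN]).hexdigest().upper()
    total = len(image) // SECTOR
    # Copies of the MBR are what GMER lists; OEM recovery layouts and bootkits
    # can both leave them, so they are a prompt to inspect the boot code, not a
    # verdict on their own.
    copies = [n for n in range(1, min(scan_sectors + 1, total))
              if read_sector(image, n) == mbr]
    return {
        "valid_signature": mbr[510:512] == MBR_SIGNATURE,
        "bootcode_sha1": sha1,
        "bootcode_known": sha1 in known_bootcode_sha1,
        "copies_of_mbr": copies,
        "partitions": parse_partitions(mbr),
    }


if __name__ == "__main__":
    report = analyze_mbr(build_test_image())
    status = "known" if report["bootcode_known"] else "Unknown"
    print(f"MBR signature ok: {report['valid_signature']}")
    print(f"{status} MBR code, SHA1: {report['bootcode_sha1']}")
    for n in report["copies_of_mbr"]:
        print(f"sector {n}: copy of MBR")
    for p in report["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02x} "
              f"at offset 0x{p['start_offset']:08x}")
```

On a real image the whitelist would hold the hashes of your OEM's and Windows' own boot code; an "Unknown" result with copies present, as in the logs above, is the point at which the helper moved on to mbr.exe.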
Blottedisk
2010-09-04, 02:18
Hi jamper,


The file that was flagged as PerfectKeylogger by Spybot is, apparently, just a false positive. I'll later give you some directions to the false positives subforum so you can report it. Now, please do the following:


Step 1 | Download mbr.exe (http://www2.gmer.net/mbr/mbr.exe) and save it to your desktop.

Go to Start ==>> Run and copy & paste the following bolded text (include the quotes) into the box and then press Enter:

"%userprofile\desktop\mbr" -f > "%userprofile\desktop\mbrfixlog.txt"
A logfile called mbrfixlog.txt will be created on your desktop. Please copy its contents and paste them in your next reply.

Step 2 | Please download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.

Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
Click the Start button in the bottom left of TFC
If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.


Step 3 | Please download Malwarebytes' Anti-Malware (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fwww.besttechie.net%2Ftools%2Fmbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

Step 4 | Please go to the Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan. Note: Internet Explorer should be used.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan and then put the kettle on!
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste the report into your next reply.


Please post back with:

mbrfixlog.txt
Malwarebytes Antimalware log
Kaspersky log

jamper
2010-09-04, 02:58
Hi,
I can not get mbr to work; every time I try to copy and paste in the start/run option, it says - windows can not find "%userprofile\desktop\mbr' make sure you typed the name correctly and try again.

I already have Malwarebytes'; should I uninstall and reinstall it or just run the one I have as is?

Blottedisk
2010-09-04, 05:57
My apologies jamper, both issues are my fault :yuck:


1) Please ignore my previous Malwarebytes Antimalware instructions and follow these ones:


Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update has been completed, select the Scanner tab.
Select Perform Quick scan, then click on Scan
When done, you will be prompted. Click OK. If Items are found, then click on Show Results
Check all items then click on Remove Selected
After it has removed the items, Notepad will open. Please post this log in your next reply.

2) Regarding mbr.exe, please follow those instructions again, but with this text:


"%userprofile%\desktop\mbr.exe" -f > "%userprofile%\desktop\mbrfixlog.txt"

jamper
2010-09-04, 11:49
Hello, here are the reports-

MBR

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
__________________________________________________________________________________________________________________________________
Malwarebytes-

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4540

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/3/2010 9:29:27 PM
mbam-log-2010-09-03 (21-29-27).txt

Scan type: Quick scan
Objects scanned: 131678
Time elapsed: 9 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
__________________________________________________________________________________________________________________________________
Kaspersky-

No infected objects found, no report generated.

Blottedisk
2010-09-04, 20:21
Hi jamper


Thanks for performing those scans. We're almost done; please follow these steps:


Step 1 | Let's remove older versions of Java.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and select (highlight) the following version of Java:
Java 2 Runtime Environment, SE v1.4.2_03
Click the Remove or Change/Remove button.

Step 2 | Go into the Control Panel (classic view) and double-click the Java Icon (looks like a coffee cup).

On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH Checked
Applications and Applets
Trace and Log Files
Click OK on Delete Temporary Files Window (Note: This deletes ALL the Downloaded Applications and Applets from the CACHE).
Click OK to leave the Temporary Files Window.
Click OK to leave the Java Control Panel.

Step 3 | Double click on MBRCheck.exe to run it,
type in Y and press Enter when asked if you wish to see more options
Type in 1 to "Dump the MBR of a physical disk to file" and press Enter
Type in 0 to select your disk and press Enter
Type in dump.txt as the file name and press Enter
Type in -1 to exit and press Enter.
Please attach dump.txt to your next reply for me.
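To show what the MBRCheck dump step actually captures, and why readable boot-code messages (such as the "Loading PBR 1... done" and "Bad flag" text in the dump posted later in this thread) can appear inside dump.txt, here is an added Python example; it is not part of the thread and not MBRCheck's code. It parses a 512-byte MBR dump, pulls printable strings out of the bootstrap code area, and sanity-checks the partition table's status bytes and active flag; the sample MBR bytes are constructed for the example.

```python
import string
import struct

BOOT_CODE_LEN = 446   # bytes 0..445 hold bootstrap code; the partition table follows
ENTRY_LEN = 16        # one of the four partition-table entries
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

def strings(blob: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len chars (like the 'strings' tool)."""
    out, run = [], ""
    for b in blob:
        if b < 0x80 and chr(b) in PRINTABLE:
            run += chr(b)
            continue
        if len(run) >= min_len:
            out.append(run)
        run = ""
    if len(run) >= min_len:
        out.append(run)
    return out

def parse_mbr(mbr: bytes) -> dict:
    """Parse a 512-byte MBR: boot signature, partition entries, status-byte sanity checks."""
    if len(mbr) < 512:
        raise ValueError("need 512 bytes, got %d" % len(mbr))
    findings, parts = [], []
    if mbr[510:512] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    for i in range(4):
        status, ptype, lba, size = struct.unpack_from("<B3xB3xII", mbr, BOOT_CODE_LEN + i * ENTRY_LEN)
        parts.append({"status": status, "type": ptype, "lba": lba, "sectors": size})
        if status not in (0x00, 0x80):          # anything else is a corrupt boot indicator
            findings.append("entry %d: bad flag 0x%02x" % (i, status))
    active = sum(1 for p in parts if p["status"] == 0x80)
    if active != 1:                              # e.g. "0 active": nothing marked bootable
        findings.append("%d active partitions (expected 1)" % active)
    return {"strings": strings(mbr[:BOOT_CODE_LEN]), "partitions": parts,
            "active": active, "findings": findings}

# Constructed sample (not a real disk image): bootstrap area carrying two message strings,
# one healthy active NTFS entry, and one entry whose status byte is corrupt (0x12).
code = (b"\x33\xc0\x8e\xd0" + b"Loading PBR 1... done\x00" + b"www.dell.com\x00").ljust(BOOT_CODE_LEN, b"\x00")
good = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 20000)
bad = struct.pack("<B3sB3sII", 0x12, b"\x00\x00\x00", 0x00, b"\x00\x00\x00", 0, 0)
SAMPLE_MBR = code + good + bad + b"\x00" * 32 + b"\x55\xaa"

if __name__ == "__main__":
    # For a real dump: parse_mbr(open("dump.txt", "rb").read()[:512])
    report = parse_mbr(SAMPLE_MBR)
    print(report["strings"], report["active"], report["findings"])
```

On a real dump.txt the strings list is where the boot-code messages come from, and the findings list is what to compare against MBRCheck's own verdict.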

jamper
2010-09-04, 23:43
:oops: Um, I hope this is right. I accidentally skipped the step where you said to type in dump.txt and instead typed -1 as the one to dump, and it said it was dumped successfully; then I realized what I did, closed it down and did it again, and this is what the dump text says:

[binary MBR dump omitted; readable boot-code strings only]
www.dell.com
Cannot restore
Loading PBR 1... done
failed
Bad flag
0 active
Bad PBR

Blottedisk
2010-09-05, 02:06
Hi there,


The log is OK. Your computer seems to be clean. We've found no infections on your machine, which is a consequence of the good security measures you are taking :bigthumb:


Please download OTC by OldTimer (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
Click Yes to begin the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Also delete the following files on your desktop (move the files to the bin or right-click the files and choose "Send to recycle bin"):
mbr.exe
MBRCheck.exe
mbrfixlog.txt
The logfiles generated by MBRCheck (MBRCheck_mm.dd.yy_hh.mm.ss.txt)
attach 1.txt
attach 1.zip

Regarding the false positive, I would suggest you open a new thread at the False Positive Subforum (http://forums.spybot.info/forumdisplay.php?f=16), where an expert will give you a hand with that. Be sure to include all the necessary information, as described in the following thread: How to report possible False Positives (http://forums.spybot.info/showthread.php?t=19117). You can also include a link to this thread, as the expert may find additional information there to help you.


Thank you for your patience, and for performing all of the procedures requested :)

Do you have any questions?

jamper
2010-09-05, 06:55
:thanks:
Thanks for all of your help, I really appreciate everything you did and how fast you returned all of my posts. :rockon:

jamper

Blottedisk
2010-09-05, 19:43
You are welcome jamper :)

We can close and shelve this thread then.

Good luck, stay safe :greeting: