
Thread: S&D Teatimer going haywire...malware?

#1 - Junior Member (Join Date: Apr 2009, Posts: 6)

Hi, I originally piggy-backed on / bumped someone else's post because a Google search led me here and I seemed to have a similar problem to him, but was told that the appropriate process here was to follow the "before you post" instructions and start my own thread. I'm new here, so please feel free to tell me if I'm doing something else wrong.

The problem: 2 days ago, all of a sudden the S&D Resident started going haywire, alerting me of a registry change denied (because I selected "remember this action" the first time I denied it) roughly every 1 second. Here's what the bottom-right portion of my screen looks like:



The only difference between the post I bumped and my problem is that when I right-click the Resident icon and select Show Log, the text I see does NOT reference an oembio.exe process, but rather in its place a bootwindows.exe process. But I'm aware that this could be the same problem with simply a different malware filename. So the Resident.log file (for me) looks like:

    9/27/2008 2:23:55 AM Allowed (based on user decision) value "DellSupport" (new data: "") deleted in System Startup user entry!
    9/29/2008 9:00:20 AM Allowed (based on user decision) value "wextract_cleanup0" (new data: "rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Dan\LOCALS~1\Temp\IXP000.TMP\"") added in System Startup global entry!
    9/29/2008 9:00:25 AM Allowed (based on user decision) value "wextract_cleanup0" (new data: "") deleted in System Startup global entry!
    10/21/2008 9:03:11 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "%systemroot%\system32\dumprep 0 -k") added in System Startup global entry!
    10/21/2008 9:04:51 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!
    10/24/2008 9:03:42 AM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
    11/7/2008 4:57:57 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
    11/7/2008 4:58:14 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "%systemroot%\system32\dumprep 0 -k") added in System Startup global entry!
    11/10/2008 9:20:36 AM Allowed (based on user decision) value "KernelFaultCheck" (new data: "%systemroot%\system32\dumprep 0 -k") added in System Startup global entry!
    11/11/2008 6:12:48 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!
    11/23/2008 11:16:10 AM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
    12/11/2008 9:41:19 AM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
    12/11/2008 9:41:22 AM Allowed (based on user decision) value "WinampAgent" (new data: ""C:\Program Files\Winamp\winampa.exe"") changed in System Startup global entry!
    1/24/2009 6:14:26 PM Allowed (based on user decision) value "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (new data: "") deleted in Global browser toolbar!
    1/24/2009 6:15:12 PM Denied (based on user decision) value "{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}" (new data: "") added in Browser Helper Object!
    1/24/2009 6:15:16 PM Denied (based on user decision) value "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (new data: "hex:00") added in Global browser toolbar!
    3/24/2009 7:10:36 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
    4/2/2009 7:33:56 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
    4/4/2009 2:43:48 PM Allowed (based on user decision) value "Gnewuh" (new data: "rundll32.exe "C:\WINDOWS\iqoguvimupagidi.dll",e") added in System Startup global entry!
    4/10/2009 9:24:55 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
    4/10/2009 9:24:58 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
    4/10/2009 9:25:04 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
    4/10/2009 9:25:08 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
    4/10/2009 9:25:10 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
    4/10/2009 9:25:58 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
    4/10/2009 9:25:59 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
    4/10/2009 9:26:00 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
    4/10/2009 9:26:01 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
    4/10/2009 9:26:02 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!

    (there are literally thousands of clone entries of the above...like I said, this S&D error msg is popping up every 1 second).

    Some pertinent info:
    - I use XP and run my school's corporate edition of Symantec Antivirus, and a complete scan comes up clean (also use S&D and AdAware)
- One other thing I noticed: Firefox has been REAAAALLY slow for me...like slowed to an absolute crawl, but IE and all my other internet-based apps run just fine

    What I've tried so far
- On the suggestion of a different forum, I downloaded SUPERAntiSpyware and ran it, and it found something it labeled a Trojan.backdoor or something (sounds bad, obviously) so I used the program to remove that file, but even after a reboot, S&D is still going haywire.

- I also ran Malwarebytes' Anti-Malware, and the results looked like this:


    I had Anti-Malware clean/delete the nasty looking things, rebooted, but the S&D teatimer was still going haywire. It's not right now, but that's only because I followed the instructions in the "before you post" thread and disabled it.

Here is my HJT log. I highlighted one line in bold below because in eyeballing the log (I don't really know what any of it means), I saw that line, which seems similar to the error that S&D was flashing at me.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:10:13 PM, on 4/11/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
    C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
    C:\Program Files\PostgreSQL\8.0\bin\postmaster.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\PostgreSQL\8.0\bin\postgres.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
    C:\Program Files\PostgreSQL\8.0\bin\postgres.exe
    C:\Program Files\PostgreSQL\8.0\bin\postgres.exe
    C:\Program Files\PostgreSQL\8.0\bin\postgres.exe
    C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
    C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
    C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\OpenVPN\bin\openvpn-gui.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ca/ig/dell?hl=en&c...ca&ibd=0061215
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ca.dell.com/content/defa...=ca&l=en&s=gen
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ca.dell.com/content/defa...=ca&l=en&s=gen
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.ca/ig/dell?hl=en&c...ca&ibd=0061215
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.ca/ig/dell?hl=en&c...ca&ibd=0061215
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-21-3969601634-894110467-613912118-1008\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'postgres')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Dan\Start Menu\Programs\UltimateBet\UltimateBet.lnk
    O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Dan\Start Menu\Programs\UltimateBet\UltimateBet.lnk
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Dan\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Dan\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
    O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: handgrabberlsp.dll
    O10 - Unknown file in Winsock LSP: handgrabberlsp.dll
    O10 - Unknown file in Winsock LSP: handgrabberlsp.dll
    O10 - Unknown file in Winsock LSP: handgrabberlsp.dll
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
    O23 - Service: PostgreSQL Database Server 8.0 (pgsql-8.0) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
    O23 - Service: PostgreSQL Database Server 8.2 (pgsql-8.2) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: setaffinity - Unknown owner - C:\Documents and Settings\Dan\Desktop\SetAffinity\\setaffinity_service.exe (file missing)
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 13251 bytes
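As an added example that is not part of the original thread: a small Python triage script for Resident.log lines in the format quoted above. It parses each line, flags Winlogon UserInit changes that would chain an extra program after the system userinit.exe (the assumption that userinit.exe is the only program normally listed there on XP is mine, not something the post states), counts repeated identical attempts (the popup storm the poster describes), and applies the same check to a HijackThis F2 line. The sample lines are constructed after the ones in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the Resident.log lines quoted in the post.
SAMPLE_LOG = r"""
12/11/2008 9:41:22 AM Allowed (based on user decision) value "WinampAgent" (new data: ""C:\Program Files\Winamp\winampa.exe"") changed in System Startup global entry!
4/4/2009 2:43:48 PM Allowed (based on user decision) value "Gnewuh" (new data: "rundll32.exe "C:\WINDOWS\iqoguvimupagidi.dll",e") added in System Startup global entry!
4/10/2009 9:24:55 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:24:58 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:59 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
"""

# Constructed HijackThis F2 line in the same shape as the one in the post.
SAMPLE_HJT_F2 = r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,"

# One Resident.log line: timestamp, verdict, basis, value name, new data, action, location.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<verdict>Allowed|Denied) \(based on (?P<basis>[^)]+)\) '
    r'value "(?P<name>[^"]+)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|deleted|changed) in (?P<where>.+)!$'
)

# Assumption: on Windows XP the Winlogon UserInit value normally names only this program.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}


def parse_line(line):
    """Parse one Resident.log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def extra_userinit_programs(value):
    """Programs in a comma-separated UserInit value other than the expected one (lower-cased)."""
    parts = [p.strip().strip('"').lower() for p in value.split(",")]
    return [p for p in parts if p and p not in EXPECTED_USERINIT]


def userinit_alerts(records):
    """Winlogon UserInit changes that would chain an extra program after userinit.exe."""
    return [
        (r["ts"], r["verdict"], tuple(extra_userinit_programs(r["data"])))
        for r in records
        if r["where"] == "Winlogon" and r["name"] == "UserInit"
        and extra_userinit_programs(r["data"])
    ]


def repeated_attempts(records):
    """Per (location, value name, new data): attempt count and seconds between first and last.
    A process that keeps re-writing a denied value shows up as many identical attempts
    seconds apart, which is the popup storm described in the post."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["where"], r["name"], r["data"])].append(r["ts"])
    return {k: (len(v), int((max(v) - min(v)).total_seconds())) for k, v in groups.items()}


def hjt_f2_extra_programs(line):
    """Apply the same UserInit check to a HijackThis 'F2 - REG:system.ini: UserInit=' line."""
    prefix = "F2 - REG:system.ini: UserInit="
    if not line.startswith(prefix):
        return []
    return extra_userinit_programs(line[len(prefix):])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ts, verdict, extra in userinit_alerts(recs):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {verdict}: UserInit would also launch {', '.join(extra)}")
    for (where, name, _), (count, span) in repeated_attempts(recs).items():
        if count > 1:
            print(f"{where}/{name}: {count} identical attempts within {span}s")
    print("HJT F2 extra programs:", hjt_f2_extra_programs(SAMPLE_HJT_F2))
```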

#2 - pskelley, In Memoriam - Always in our heart (Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,252)

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    You must have read and followed the "Before you Post" instructions, there are no excuses for not following the directions.
    Please don't post a gif/jpeg picture to show the problem, they are not needed and also hard on anyone who uses dialup. The logs will suffice and are best read in default black font, thank you.
    Do NOT run 'FIXES' before helpers have analyzed the HJT log
    http://forums.spybot.info/showthread.php?t=16806
    First time I have seen this one and I am showing this as a dangerous trojan:
C:\WINDOWS\system32\bootwindows.exe <<< not a lot of information available, but enough:
    http://www.threatexpert.com/files/bootwindows.exe.html
    http://www.threatexpert.com/report.a...8111b474aed209
A keylogger program that can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.)
    I believe you should look at this information:
    This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
    http://www.dslreports.com/faq/10451

    When Should I Format, How Should I Reinstall
    http://www.dslreports.com/faq/10063

    Let us know what you have decided to do in your next post.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

#3 - Junior Member (Join Date: Apr 2009, Posts: 6)

    Thank you for your reply. A few things to start:

    1) I read the "before you post" thread, as I mentioned; I must have missed the part about not posting images. Sorry, I thought they'd be helpful for a fixer.

2) About having tried other fixes first, you have to understand that these forums aren't necessarily the first place people will come for help, and that they will often have tried partial fixes on their own (as I did). Your reply implied that I was consciously flouting the instructions here. Please understand that I only tried what any reasonable person would have tried before discovering these forums, and was not consciously disregarding your instructions.

    OK, on to the questions:

    1) I know what a keylogger is...but is there any way to tell whether my keystrokes actually WERE logged and sent to a remote person/server? What I mean is that all we discovered to this point is that the bootwindows.exe file was on my computer, right? But it would be more helpful/scary if we were to determine whether any data actually WAS sent to a 3rd party without my consent. Is there a way to tell that?

    2) How could I have picked up this virus...I always have my AVS and firewall running...?

    3) I would NEVER have actually activated / run the bootwindows.exe file...but could it have been run anyway without my knowledge?

    4) Should I go into the Windows/system32 directory and manually delete that file? i.e. you mention that the trojan can be "killed"...how? by just deleting it? Or by running some other type of program?

    5)

#4 - pskelley, In Memoriam - Always in our heart (Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,252)

    I have provided the information I have available about this keylogger, I have no way of knowing the answers to your questions.

    Here is some information that may help provide answers.
    http://forums.spybot.info/showthread.php?t=279

    Yes, that file can be deleted, either manually or by a program/s that will look for any hidden malware not showing in the HJT log, but there is no way I can guarantee the computer is safe even when this is done.

    http://www.google.com/search?hl=en&q...it&btnG=Search
    http://www.google.com/search?hl=en&q...er&btnG=Search

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
