Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Lemir Password Capture


  • This topic is locked This topic is locked
13 replies to this topic

#1 MontanaDeb

MontanaDeb

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Montana
  • Local time:01:20 PM

Posted 13 June 2009 - 10:31 PM

Hello :flowers:
This is my CA Anti-Spyware Log. I quarantine the bugger and it keeps coming back, even after system restore off & on again. CA says this is critical.
I am posting entire log in case anything else is there is a part of it.
How do I get rid of it?
How do I know if it stole my passwords?
I do notice sometimes having to click twice, and extreme slow 256 :thumbsup:
...Thank you!
-Montana Deb

CA Anti-Spyware Log Report
This report was generated on: 6/13/2009-8:03:28 PM

1/6/2009-7:01:44 PM , Detected , IndexTools.com , Tracking Cookie , Cookie "owner@indextools[2].txt" File "C:\Documents and Settings\Owner\cookies\owner@indextools[2].txt" , 1536055702
1/23/2009-6:06:08 PM , Detected , Startpage 656 , Trojan , File "C:\Documents and Settings\Owner\Desktop\Games\dawgprotrialsetup.exe" , 1205768542
1/23/2009-7:55:24 PM , Detected , Startpage 656 , Trojan , File "C:\System Volume Information\_restore{656118C6-1F2F-4267-959B-ED159A5344C6}\RP15\A0003828.exe" , 1205768542
2/5/2009-7:01:57 PM , Detected , quantserve.com , Tracking Cookie , Cookie "owner@quantserve[2].txt" File "C:\Documents and Settings\Owner\cookies\owner@quantserve[2].txt" , -25785559
2/23/2009-5:51:27 PM , Detected , 2o7.net , Tracking Cookie , Cookie "owner@2o7[1].txt" File "C:\Documents and Settings\Owner\cookies\owner@2o7[1].txt" , 1186404678
3/9/2009-7:03:33 PM , Detected , Ad.YieldManager.com Cookie , Tracking Cookie , Cookie "owner@ad.yieldmanager[1].txt" File "C:\Documents and Settings\Owner\cookies\owner@ad.yieldmanager[1].txt" , -2123309738
3/9/2009-7:03:36 PM , Detected , quantserve.com , Tracking Cookie , Cookie "owner@quantserve[2].txt" File "C:\Documents and Settings\Owner\cookies\owner@quantserve[2].txt" , -1444338558
3/9/2009-7:03:36 PM , Detected , Tacoda cookie , Tracking Cookie , Cookie "owner@tacoda[2].txt" File "C:\Documents and Settings\Owner\cookies\owner@tacoda[2].txt" , -767423041
4/2/2009-7:00:52 PM , Detected , KaZaA , P2P , Key "hkey_users \S-1-5-21-1645522239-1844823847-725345543-1003\software\kazaa" , -1
4/2/2009-7:01:00 PM , Detected , WinSpywareProtect , Rogue Security Software , Key "hkey_users \S-1-5-21-1645522239-1844823847-725345543-1003\software\microsoft\windows\currentversion\drivers" , -1
5/2/2009-8:22:55 PM , Detected , Kiwee , Toolbar , Folder "c:\documents and settings\owner\local settings\application data\kiwee toolbar2" , -1
6/3/2009-12:38:17 AM , Detected , Lemir , Password Capture , Key "hkey_local_machine \system\currentcontrolset\services\cdaudio\enum" value "nextinstance" data "1" , -1
6/3/2009-12:38:28 AM , Detected , Lemir , Password Capture , Key "hkey_local_machine \system\currentcontrolset\services\cdaudio\enum" value "count" data "1" , -1
6/11/2009-1:52:06 PM , Detected , Droplet FF , Trojan , Key "hkey_local_machine \system\currentcontrolset\services\aec\enum" value "nextinstance" data "1" , -1
6/11/2009-1:52:07 PM , Detected , Lemir , Password Capture , Key "hkey_local_machine \system\currentcontrolset\services\cdaudio\enum" value "nextinstance" data "1" , -1
6/11/2009-1:52:08 PM , Detected , Droplet FF , Trojan , Key "hkey_local_machine \system\currentcontrolset\services\aec\enum" value "count" data "1" , -1
6/11/2009-1:52:08 PM , Detected , Lemir , Password Capture , Key "hkey_local_machine \system\currentcontrolset\services\cdaudio\enum" value "count" data "1" , -1
6/12/2009-10:54:49 PM , Detected , Lemir , Password Capture , Key "hkey_local_machine \system\currentcontrolset\services\cdaudio\enum" value "nextinstance" data "1" , -1
6/12/2009-10:55:01 PM , Detected , Searchin1Step , Toolbar , Key "hkey_classes_root \clsid\{3c471948-f874-49f5-b338-4f214a2ee0b1}\inprocserver32" value "threadingmodel" data "apartment" , -1
6/12/2009-10:55:02 PM , Detected , Lemir , Password Capture , Key "hkey_local_machine \system\currentcontrolset\services\cdaudio\enum" value "count" data "1" , -1
6/13/2009-12:47:20 PM , Detected , Lemir , Password Capture , Key "hkey_local_machine \system\currentcontrolset\services\cdaudio\enum" value "nextinstance" data "1" , -1
6/13/2009-12:47:23 PM , Detected , Lemir , Password Capture , Key "hkey_local_machine \system\currentcontrolset\services\cdaudio\enum" value "count" data "1" , -1
6/13/2009-2:02:42 PM , Detected , Lemir , Password Capture , Key "hkey_local_machine \system\currentcontrolset\services\cdaudio\enum" value "nextinstance" data "1" , -1
6/13/2009-2:02:47 PM , Detected , Lemir , Password Capture , Key "hkey_local_machine \system\currentcontrolset\services\cdaudio\enum" value "count" data "1" , -1
6/13/2009-7:44:55 PM , Detected , Lemir , Password Capture , Key "hkey_local_machine \system\currentcontrolset\services\cdaudio\enum" value "nextinstance" data "1" , -1
6/13/2009-7:45:02 PM , Detected , Lemir , Password Capture , Key "hkey_local_machine \system\currentcontrolset\services\cdaudio\enum" value "count" data "1" , -1
***End Report***
It used to be less complicated problems, my imagination of such, or my knowledge & experience has improved to handle the little problems. Can't remember what they were. Never forgot about that bleeping computer or the name of www.bleepingcomputer.com :D

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:20 PM

Posted 13 June 2009 - 11:02 PM

Hello, you don't know if it did. You are better served to believe it has.
It is A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.) . It was designed to steal Game passwords,but it doesn't have to stop there.
Trojan-PWS.Lemir
http://www.threatexpert.com/report.aspx?md...9d52aa076b1c86a

I would advise you to disconnect this PC from the Internet, and then go to
a known clean computer and change any passwords or security information held
on the infected computer. In particular, check whatever relates to online
banking financial transactions, shopping, credit cards, or sensitive
personal information. It is also wise to contact your financial institutions
to apprise them of your situation.


Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Now an Online scan.

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 MontanaDeb

MontanaDeb
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Montana
  • Local time:01:20 PM

Posted 13 June 2009 - 11:40 PM

Thank you, Boopme...

-My passwords are saved on computer. No new passwords except for the one created 'here' and typing one for logging on to my computer.

-I do not have any banking, shopping etc. information on my computer.

-What type of sensitive personal information?

-I have Malwarebytes' installed. it did not catch it. Also have Super AntiSpyware Free Edition installed. It also didn't catch it. Do I need to delete and re-install Malwarebytes'? If not, do I go to C drive to rename it?

-Most of all... I don't currently have access to another computer. :thumbsup:

-Should I proceed to BitDefender? Should I turn off my CA security or anything else?

-I don't play Legend of Mir, I do play on myspace & pogo.

-I am using Mozilla Firefox current 3.0.10. When it starts, all tabs from previous updates load along with my homepage.

-Deb

Edited by MontanaDeb, 14 June 2009 - 12:18 AM.

It used to be less complicated problems, my imagination of such, or my knowledge & experience has improved to handle the little problems. Can't remember what they were. Never forgot about that bleeping computer or the name of www.bleepingcomputer.com :D

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:20 PM

Posted 14 June 2009 - 04:05 PM

Hi Deb.. All is running normally except the keylogger,correct?

do a earch.. Start >>searac,all files ...for C:\Windows\System\win.exe. Tell me if it exists.

Yes run bitdefender.
Does Mbam run normally? Rename it if it will not run.

Rerun MBAM like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 MontanaDeb

MontanaDeb
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Montana
  • Local time:01:20 PM

Posted 15 June 2009 - 06:46 PM

Hello-

Search for C:\Windows\System\win.exe was not found.

Ran Bitdefender twice. Both times it froze after running 2hrs 06min, with time remaining 56min. Both times had to re-start computer to get it off of my screen. I did wait for two and three hours before restarting to see if it would start up again.

Malwarebytes' Anti-Malware 1.37
Database version: 2285
Windows 5.1.2600 Service Pack 3

6/15/2009 5:13:05 PM
mbam-log-2009-06-15 (17-13-04).txt

Scan type: Quick Scan
Objects scanned: 95511
Time elapsed: 10 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


CA Anti-Spyware report:

6/15/2009-5:35:36 PM , Detected , Lemir , Password Capture , Key "hkey_local_machine \system\currentcontrolset\services\cdaudio\enum" value "count" data "1" , -1
It used to be less complicated problems, my imagination of such, or my knowledge & experience has improved to handle the little problems. Can't remember what they were. Never forgot about that bleeping computer or the name of www.bleepingcomputer.com :D

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:20 PM

Posted 15 June 2009 - 08:47 PM

Hi, sorry this is being so difficult. I would like you to try one more online scan.

TrendMicro™ HouseCall Java Scan
  • Please go HERE to run the Trend Micro™ HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 MontanaDeb

MontanaDeb
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Montana
  • Local time:01:20 PM

Posted 17 June 2009 - 06:29 PM

Hello...

Tried to run TrendMicro™ HouseCall Java Scan many times. Each time received virtual memory too low.
Changed VM and finally got to 13 3/4 min left. Java console disappeared and scan froze again. It does this each time.
-Deb
It used to be less complicated problems, my imagination of such, or my knowledge & experience has improved to handle the little problems. Can't remember what they were. Never forgot about that bleeping computer or the name of www.bleepingcomputer.com :D

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:20 PM

Posted 17 June 2009 - 07:44 PM

Ok, sorry you have so much difficulty, malware can be really frustrating.
I would like to try one more thing.
Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 MontanaDeb

MontanaDeb
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Montana
  • Local time:01:20 PM

Posted 17 June 2009 - 11:44 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/17/2009 at 10:00 PM

Application Version : 4.26.1004

Core Rules Database Version : 3945
Trace Rules Database Version: 1887

Scan type : Complete Scan
Total Scan Time : 02:33:03

Memory items scanned : 217
Memory threats detected : 0
Registry items scanned : 6477
Registry threats detected : 13
File items scanned : 92446
File threats detected : 2

Adware.MyWebSearch/FunWebProducts
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#Type
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#Start
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Enum
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Enum#Count


HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Security


HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Security#Security

Adware.MyWebSearch-Installer
C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\CHECK IT

OUT\CARDS\MYFUNCARDSSETUP2.3.50.45.ZUFOX000.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\MY

DOCUMENTS\MYFUNCARDSSETUP2.3.50.45.ZUFOX000.EXE
It used to be less complicated problems, my imagination of such, or my knowledge & experience has improved to handle the little problems. Can't remember what they were. Never forgot about that bleeping computer or the name of www.bleepingcomputer.com :D

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:20 PM

Posted 18 June 2009 - 09:57 AM

Still popping under?

Next Please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images ,if needed >> L@@K.
Unzip that,(7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 MontanaDeb

MontanaDeb
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Montana
  • Local time:01:20 PM

Posted 18 June 2009 - 06:15 PM

Hello...

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/18 16:39
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF0808000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF97C6000 Size: 8192 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xF982B000 Size: 1664 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEF9D1000 Size: 49152 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF976A000 Size: 5248 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Owner\My Documents\Check It Out\Save These\DebStuffmore\The Today Show - Matt Lauer, Meredith Vieira, Ann Curry, Al Roker, Natalie Morales - News, Celebrities, Recipes, Video, Tips and Advice, Entertainment and Live Concerts -- MSNBC.com - TODAYshow.com.url
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\My Documents\Check It Out\Save These\DebStuffmore\The Today Show - Matt Lauer, Meredith Vieira, Ann Curry, Al Roker, Natalie Morales - News, Celebrities, Recipes, Video, Tips and Advice, Entertainment and Live Concerts -- MSNBC_com - TODAYshow_com.mht
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\My Documents\Check It Out\Save These\DebStuffmore\BANKIN~1.URL:favicon
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\My Documents\Check It Out\Save These\Insert smileys and other emoticons - Help and How-to - Microsoft Office Online_files\HA011196081033_files\01_files\IWKxxxxxxIMPRTxxxxmscomIWorker_files\activity;src=1379696;dcnet=1379696;boom=6803;sz=1x1;ord=1.gif
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\My Documents\Check It Out\Save These\Insert smileys and other emoticons - Help and How-to - Microsoft Office Online_files\HA011196081033_files\01_files\IWKxxxxxxIMPRTxxxxmscomIWorker_files\activity;src=1564648;dcnet=4856;boom=7491;sz=1x1;ord=1234567.gif
Status: Locked to the Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf08ebdf0

==EOF==

Error:
16:50:23: DeviceIoControl Error! Error Code = 0xc0000001
16:50:23: Could not read system registry! Please contact the author!
It used to be less complicated problems, my imagination of such, or my knowledge & experience has improved to handle the little problems. Can't remember what they were. Never forgot about that bleeping computer or the name of www.bleepingcomputer.com :D

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:20 PM

Posted 18 June 2009 - 09:28 PM

Hello you have one possible rootkit but I don't want to remove it here.

You need to run HJT/DDS.
Please follow this guide. ,, Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post that complete log.

Let me know if it went OK.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 MontanaDeb

MontanaDeb
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Montana
  • Local time:01:20 PM

Posted 18 June 2009 - 10:00 PM

Thank you very much! :thumbsup:

Does this mean Lemir is a possible rootkit, part of a rootkit or something different?
CA Anti-Spyware report:
6/18/2009-8:42:40 PM , Detected , Lemir , Password Capture , Key "hkey_local_machine \system\currentcontrolset\services\cdaudio\enum" value "count" data "1" , -1
***End Report***

Do I let you know under this post?

Hugs to you :trumpet:
-Deb
Edit: When I back up, can I use SanDisk Cruzer 8GB safely & are there instructions on how to do this?
Edit Two: I would need to type in my password for the SanDisk. It is a U3 (?) :flowers:
Edit Three: I posted without backup.

Edited by MontanaDeb, 19 June 2009 - 12:51 AM.

It used to be less complicated problems, my imagination of such, or my knowledge & experience has improved to handle the little problems. Can't remember what they were. Never forgot about that bleeping computer or the name of www.bleepingcomputer.com :D

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:20 PM

Posted 19 June 2009 - 12:40 PM

Sorry i couldn't get back sooner. Yopu did well and should be OK.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users