"Proxy server on this computer" - is this a rootkit?


  • This topic is locked
9 replies to this topic

#1 marfan


Posted 13 December 2010 - 02:16 PM

Hi,

I've been asked to help "speed up" a friend's laptop. I've done similar maintenance on family/friends computers before, but have never run into a problem this severe. This seems like a fantastic community and I'm hoping to find some assistance. I will try to describe the current situation below:

Computer:
IBM Thinkpad T60
XP Professional, Service Pack 3
avast! antivirus and internet security

Initial problems and my efforts thus far:
The computer was painfully slow when I offered to take a look. One major problem was a crippling shortage of RAM, which is now 2.5GB; this has sped things up but uncovered other issues, which I initially thought were primarily spyware. I installed and ran Spybot S&D as well as CCleaner, which didn't change much. I encountered substantial problems reaching the Windows Update website, which seemed to be somehow blocked. I definitely encountered a Google Redirect problem. Before finding BleepingComputer, I also installed and ran MBAM as well as SUPERantispyware and HitmanPro. A combination of these allowed me to get to the Windows website and install many long-neglected updates. At least one program, I can't recall which, warned about the presence of a rootkit, and several different "rounds" revealed and quarantined malware.

Current problem:
HitmanPro continues to identify a "Proxy server on this computer (User) 127.0.0.1:23012." This seems to occur whether or not avast is enabled, and is detected in Safe Mode as well. Internet connectivity seems otherwise fine, but avast reports an "Error: cannot connect to server" when I ask it to manually update virus definitions. I'm unsure if these are related.

Any and all assistance would be greatly appreciated. If any logs are needed, I have those available or can create new ones.

Thanks in advance.

#2 boopme

  • Global Moderator

Posted 13 December 2010 - 05:02 PM

Hello, this sounds like the tricks of a few malwares: fakealert.rootkit, trojan Obfuscator. Anyway, let's do this.

Open Control Panel > Internet Options > Connections tab > LAN settings and uncheck the box next to "Use proxy....".

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 marfan

  • Topic Starter


Posted 13 December 2010 - 07:04 PM

Ok, thanks for the help. Here are the results:

Step 1: In LAN settings, the "Use proxy..." box was not checked; however, the "Use automatic configuration script" box was checked and set to an address of "http://wwwproxy1.fluent.com/cgi-bin/proxy.pac". I went ahead and unchecked this. A Google search reveals that fluent.com is a computational fluid dynamics software company; the owner of the computer wouldn't have anything to do with that and I can't see any definitely related software on this machine.

TDSS: No infection found

MBAM Log:
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5309

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/13/2010 6:46:50 PM
mbam-log-2010-12-13 (18-46-50).txt

Scan type: Quick scan
Objects scanned: 173996
Time elapsed: 11 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\lisa pastel\application data\sdghzxfg.bat (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\sdghzxfg.bat (Malware.Trace) -> Quarantined and deleted successfully.

#4 boopme

  • Global Moderator

Posted 13 December 2010 - 08:05 PM

You're welcome, next a Safe Mode scan.

Next run ATF and SAS. If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from the icon, install it and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER:
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#5 marfan

  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:04:55 AM

Posted 13 December 2010 - 11:15 PM

Ok, was able to restart in Safe mode and run both programs.

SAS Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/13/2010 at 10:21 PM

Application Version : 4.46.1000

Core Rules Database Version : 5999
Trace Rules Database Version: 3811

Scan type : Complete Scan
Total Scan Time : 01:05:58

Memory items scanned : 219
Memory threats detected : 0
Registry items scanned : 6743
Registry threats detected : 0
File items scanned : 85371
File threats detected : 1

Adware.Tracking Cookie
secure-us.imrworldwide.com [ C:\Documents and Settings\Lisa Pastel\Application Data\Macromedia\Flash Player\#SharedObjects\VLGNL9GY ]


As far as performance, the computer seems to be working fine. There are no redirects, and I was able to determine that the avast connection problem is probably because the subscription has expired since I have had the computer in my possession.


Hitman Pro continues to report the following:

Proxy server on this computer (User)
127.0.0.1:23012

It reports this error twice with each scan, and this occurs whether or not the antivirus / network shields are running. Same findings in Safe Mode. The program offers to repair the problem, does so successfully, and does not re-identify the problem on a repeat scan, but it reappears at the next reboot.

The LAN settings panel has no boxes checked. Still unsure how the automatic configuration box with the associated proxy address came into use or if that is even relevant.

Should I be worried about the continued "proxy server" finding? Thanks again for the assistance.
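The settings behind the finding in this post live in the per-user Internet Settings registry key (what Internet Options > LAN settings writes to; HitmanPro's "(User)" is assumed to refer to that key), and the script below is an added check, not part of the original thread: it parses a `reg export` of that key and flags a proxy on loopback or an automatic configuration script from a host not on an allow-list. The sample export is constructed to resemble the state described here, not taken from the machine in the thread.

```python
"""Audit the per-user WinINET proxy settings from a 'reg export' of the
Internet Settings key and flag a loopback proxy or an unexpected PAC URL."""
import re
from typing import Dict, Iterable, List

# The key that Internet Options > Connections > LAN settings writes to for the
# current user (assumed to be what HitmanPro's "(User)" finding refers to).
INTERNET_SETTINGS_KEY = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
)

# Constructed sample export, not taken from the machine in the thread: a proxy
# enabled on a loopback port plus an automatic configuration script off-box.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:23012"
"ProxyOverride"="<local>"
"AutoConfigURL"="http://wwwproxy1.fluent.com/cgi-bin/proxy.pac"
"""

_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_values(text: str, key: str) -> Dict[str, object]:
    """Return the values under `key` from .reg text. DWORDs become ints,
    REG_SZ strings are unescaped, other types are kept as their raw text."""
    values: Dict[str, object] = {}
    in_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key:
            continue
        m = _VALUE_LINE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.lower().startswith("dword:"):
            values[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            values[name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            values[name] = raw
    return values


def is_loopback_proxy(server: str) -> bool:
    """True if any entry in ProxyServer targets the local host. The value is
    either "host:port" or a per-scheme list "http=host:port;https=host:port"."""
    for entry in server.split(";"):
        target = entry.split("=", 1)[-1].strip().lower()
        host = target.rsplit(":", 1)[0] if ":" in target else target
        if host in ("localhost", "::1") or host.startswith("127."):
            return True
    return False


def pac_host(url: str) -> str:
    """Host part of an AutoConfigURL (scheme, port and path stripped)."""
    no_scheme = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I)
    return no_scheme.split("/", 1)[0].split(":", 1)[0].lower()


def audit_proxy_settings(values: Dict[str, object],
                         trusted_pac_hosts: Iterable[str] = ()) -> List[str]:
    """Return human-readable findings for the settings that matter here."""
    findings: List[str] = []
    server = str(values.get("ProxyServer", ""))
    if values.get("ProxyEnable") == 1 and server:
        if is_loopback_proxy(server):
            # Something on this machine is relaying the browser's traffic.
            findings.append(f"proxy enabled on loopback: {server}")
        else:
            findings.append(f"proxy enabled: {server}")
    pac = values.get("AutoConfigURL")
    if pac:
        trusted = {h.lower() for h in trusted_pac_hosts}
        if pac_host(str(pac)) not in trusted:
            findings.append(f"automatic configuration script from unexpected host: {pac}")
    return findings


if __name__ == "__main__":
    found = parse_reg_values(SAMPLE_REG_EXPORT, INTERNET_SETTINGS_KEY)
    for finding in audit_proxy_settings(found):
        print(finding)
```

On a live machine, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" proxy.reg` produces the input; a loopback proxy that is back after every reboot means some process re-writes these values at start-up, and that process, not the checkbox, is what has to be found.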

#6 boopme

  • Global Moderator

Posted 14 December 2010 - 03:52 PM

If Gmer sees nothing then we won't worry about it.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

#7 marfan

  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:04:55 AM

Posted 14 December 2010 - 09:25 PM

Ok, sorry for the delay. GMER scan was positive for rootkit activity. What now?

GMER Log:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-14 21:17:15
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 HTS54104 rev.MB2I
Running: kkn73ydo.exe; Driver: C:\DOCUME~1\LISAPA~1\LOCALS~1\Temp\ugtdapoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xA2A90CAE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xA2AAD9A5]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xA2A92B34]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xA2A92B8C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xA2A92CA2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xA2AAD359]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xA2A92A8A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xA2A92BDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xA2A92ADE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xA2A92C50]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xA2A90CD2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xA2AAE06B]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xA2AAE321]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xA2A933D4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA2AADED6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA2AADD41]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xA2A90ADA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xA2A90CF6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xA2A93548]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xA2A917F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xA2A92B64]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xA2A92BB4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xA2A92CCC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xA2AAD6B5]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xA2A92AB6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xA2A9320C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xA2A92C1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xA2A92B0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xA2A932F0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xA2A92C7A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xA2AADBBC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xA2A916BE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xA2AADA0E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA2AE122E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwReplyWaitReceivePort [0xA2A9357E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwReplyWaitReceivePortEx [0xA2A93142]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xA2AAC9CC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xA2A90D1A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xA2A90D3E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xA2A90B34]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xA2AAE172]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xA2A90C44]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xA2A90C56]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA6BB3620]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA2AEDBAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C71 8050450D 7 Bytes [2B, A9, A2, 8C, 2B, A9, A2]
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC502 5 Bytes JMP A2AE95D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2F86 5 Bytes JMP A2AEAFFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP A2AEDBB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[924] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[1468] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[1468] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

Device aswSP.SYS (avast! self protection module/AVAST Software)
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device 9AA8AD20
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) 10000000-10000000 (0 bytes)

---- Files - GMER 1.0.15 ----

File C:\RRbackups\Documents and Settings 0 bytes
File C:\RRbackups\Documents and Settings\Administrator 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2771357851-1840157821-726002671-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2771357851-1840157821-726002671-500\11d5ca43-3bdd-4098-9c01-1a5eddc59727 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2771357851-1840157821-726002671-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3372985810-1319992997-3852686504-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3372985810-1319992997-3852686504-500\00b924dc-d817-4f6e-991c-c190e0cf74fb 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3372985810-1319992997-3852686504-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\All Users 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_505bae67-9b36-44e0-912a-328cc52f09c2 52 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\42e7e898003fbdeb9585806ee1664b51_505bae67-9b36-44e0-912a-328cc52f09c2 57 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_505bae67-9b36-44e0-912a-328cc52f09c2 1715 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_505bae67-9b36-44e0-912a-328cc52f09c2 893 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\encobject.dat 1608 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\hwkeys.dat 4248 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\symkeys.dat 656 bytes
File C:\RRbackups\Documents and Settings\Default User 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2771357851-1840157821-726002671-500 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2771357851-1840157821-726002671-500\11d5ca43-3bdd-4098-9c01-1a5eddc59727 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2771357851-1840157821-726002671-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3372985810-1319992997-3852686504-500 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3372985810-1319992997-3852686504-500\00b924dc-d817-4f6e-991c-c190e0cf74fb 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3372985810-1319992997-3852686504-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel 0 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1744252823-2700352947-3132431050-1005 0 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1744252823-2700352947-3132431050-1005\533145ef011ddf5ca3983e2545a902b4_505bae67-9b36-44e0-912a-328cc52f09c2 2075 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1744252823-2700352947-3132431050-1005\83aa4cc77f591dfc2374580bbd95f6ba_505bae67-9b36-44e0-912a-328cc52f09c2 45 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1744252823-2700352947-3132431050-1005\8f71098770f72c7a67cd8f1151619865_505bae67-9b36-44e0-912a-328cc52f09c2 54 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1744252823-2700352947-3132431050-1005\c9798e80543eba1dd95ff4dbefa1b526_505bae67-9b36-44e0-912a-328cc52f09c2 1700 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\CREDHIST 296 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005 0 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005\924a0bcf-5c8e-41d6-a7dc-c992efc26d84 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005\1b2809b0-e684-4e2f-95d3-04381c8982d2 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005\1c4df746-2c20-4ec8-86ce-c5f11687b576 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005\1feee0ea-7c28-4580-b7a0-065c5a3a47c8 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005\2d4bd593-7915-4784-a6bf-ca31f97bb6b2 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005\3f685bf3-8d66-4166-a00f-89e442789427 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005\621e51fb-2d38-4539-8efe-cb7aba0e9941 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005\8ef960b9-f5a2-433f-b891-abb0b4de9993 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005\939c9433-aa93-49c7-83c0-c6f4d71a13d0 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005\98b9a14d-0c85-4a4f-94ae-025b4d2aec87 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005\9c6d4085-44ba-48b5-9adb-381206f7a9c5 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005\b0ef934c-624b-4c24-934f-b8dd46be2226 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005\b27a4cef-2af9-48c2-8ec5-ceca98bbeb5a 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005\b54b84fe-82e8-44a9-a163-96aed2cf84cd 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005\d2b61cec-757a-4c10-a5b3-67c9cad0c267 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005\d57e7e13-e359-45a8-98f1-2a925f70814c 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005\fe440fdf-e962-4078-8d94-b8f5566626c2 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-1744252823-2700352947-3132431050-1005\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-2771357851-1840157821-726002671-500 0 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-2771357851-1840157821-726002671-500\11d5ca43-3bdd-4098-9c01-1a5eddc59727 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-2771357851-1840157821-726002671-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-3372985810-1319992997-3852686504-500 0 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-3372985810-1319992997-3852686504-500\00b924dc-d817-4f6e-991c-c190e0cf74fb 388 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\Protect\S-1-5-21-3372985810-1319992997-3852686504-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\ThinkVantage 0 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\ThinkVantage\Client Security 0 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\ThinkVantage\Client Security\encobject.dat 8040 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\ThinkVantage\Client Security\hibernation.dat 4 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\ThinkVantage\Client Security\hwkeys.dat 6372 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\ThinkVantage\Client Security\pwdrecovery.dat 1104 bytes
File C:\RRbackups\Documents and Settings\Lisa Pastel\Application Data\ThinkVantage\Client Security\symkeys.dat 2624 bytes
File C:\RRbackups\Documents and Settings\LocalService 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\hints.dat 8192 bytes
File C:\RRbackups\regcerts.dat 8192 bytes
File C:\RRbackups\rr.log 7448 bytes
File C:\RRbackups\SAM 262144 bytes
File C:\RRbackups\system 12058624 bytes
File C:\RRbackups\system.dat 12288 bytes
File C:\RRbackups\tvt.txt 9092 bytes
File C:\RRbackups\usersids.dat 15600 bytes
File C:\Documents and Settings\Lisa Pastel\Local Settings\Temp\~DF8FCD.tmp 16384 bytes
File C:\Documents and Settings\Lisa Pastel\Local Settings\Temp\~DF8FE2.tmp 512 bytes

---- EOF - GMER 1.0.15 ----
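
GMER's "Files" section lists objects that the scanner sees on disk but that are hidden from the normal Windows file API; on the log above, almost everything reported lives under C:\RRbackups. The following is an added example (not part of the thread and not GMER's own code) showing how to parse those lines and split them into entries under a known backup area versus entries that still need a helper's attention. It assumes, as a labelled assumption, that C:\RRbackups is the ThinkVantage Rescue and Recovery backup area present on IBM/Lenovo ThinkPads; the sample input is constructed from a few paths copied from the log.

```python
import re

# Constructed sample in the shape of GMER's "Files" section. The paths are copied
# from the log posted above; the block itself is an added example, not part of it.
SAMPLE_GMER = r"""
---- Files - GMER 1.0.15 ----

File C:\RRbackups\Documents and Settings\LocalService\Application Data 0 bytes
File C:\RRbackups\SAM 262144 bytes
File C:\RRbackups\system 12058624 bytes
File C:\Documents and Settings\Lisa Pastel\Local Settings\Temp\~DF8FCD.tmp 16384 bytes
File C:\Documents and Settings\Lisa Pastel\Local Settings\Temp\~DF8FE2.tmp 512 bytes

---- EOF - GMER 1.0.15 ----
"""

# "File <path> <size> bytes": the path may contain spaces, so match it lazily
# and anchor on the trailing size field.
FILE_LINE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes$")

# Assumption for this example: C:\RRbackups is the ThinkVantage Rescue and
# Recovery area on IBM/Lenovo ThinkPads, so entries under it are expected
# rather than suspect. Compared case-insensitively.
EXPECTED_PREFIXES = ("c:\\rrbackups\\",)


def parse_gmer_files(text):
    """Return a list of (path, size_in_bytes) tuples from GMER 'File ...' lines."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            entries.append((m.group("path"), int(m.group("size"))))
    return entries


def triage(entries):
    """Split entries into the known backup area and everything else.

    A 0-byte entry under the backup area is normally a directory, so it is
    reported separately to keep the lists short.
    """
    result = {"expected": [], "expected_dirs": [], "needs_review": []}
    for path, size in entries:
        if path.lower().startswith(EXPECTED_PREFIXES):
            bucket = "expected_dirs" if size == 0 else "expected"
        else:
            bucket = "needs_review"
        result[bucket].append((path, size))
    return result


def hidden_temp_files(entries):
    """Hidden files under a user's Temp folder: the entries worth asking a helper about."""
    return [p for p, _ in entries if "\\local settings\\temp\\" in p.lower()]


if __name__ == "__main__":
    parsed = parse_gmer_files(SAMPLE_GMER)
    report = triage(parsed)
    known = len(report["expected"]) + len(report["expected_dirs"])
    print(f"{known} hidden entries under the backup area")
    for path, size in report["needs_review"]:
        print(f"review: {path} ({size} bytes)")
```

Run it against a saved GMER log by reading the file into `parse_gmer_files` instead of `SAMPLE_GMER`; anything that lands in `needs_review` is what to point out when posting the log, while the backup-area entries can be summarised as a count.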

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:55 AM

Posted 14 December 2010 - 10:22 PM

OK, marfan. We need you to start a new topic, as we need specialized tools and the use of one of our rootkit removal experts.
Please go here:
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Just copy the GMER log from here to there.

Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 marfan

marfan
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:04:55 AM

Posted 15 December 2010 - 10:20 PM

boopme-

Thanks so much for your help. I followed your last instructions and posted in the other forum. It seems quite a bit busier over there, my post is already on page 13 with no replies yet. I'm happy to wait, but wondering if I need to "bump" it for attention or if the mods will get around to it based on the reply count of zero. Again, thanks for getting me this far!

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:55 AM

Posted 15 December 2010 - 10:50 PM

Hello, yes, we are very busy and we don't even have the new Christmas PC rush yet, LOL. Do not bump; see below.
It may be a couple days but ALL logs are answered.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
