RTHDBPL

Hi all, I was looking in msconfig at startup programs and came across RTHDBPL in there; it says manufacturer unknown and it’s in c:\users\suszannah\AppData\Roaming\SystemProc\lsass.exe

Is this a genuine file, or virus/malware?

Have googled, but not clear if I need it or not.

If I don’t need it, how would I remove it?

thanks all :slight_smile:

'Tis bad Suze

Please download Malwarebytes’ Anti-Malware from Here.

- Double-click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Well, the lsass.exe file name is a legit file name, but that means nothing, especially if it isn’t in the right location for the legit file name.

However the whole thing in combination is undesirable:
See http://www.bleepingcomputer.com/startups/RTHDBPL-25560.html and http://www.systemlookup.com/Startup/20964-lsass_exe.html.

Scan the c:\users\suszannah\AppData\Roaming\SystemProc\lsass.exe file with avast and if no detection, add it to the chest and submit to avast as undetected malware.

Hi essexboy, long time no see. Thank you for the reply; I have scanned as instructed and yes, it was in there :frowning:

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4168

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

03/06/2010 23:10:48
mbam-log-2010-06-03 (23-10-48).txt

Scan type: Quick scan
Objects scanned: 120206
Time elapsed: 5 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Users\suszannah\AppData\Roaming\SystemProc (Trojan.Agent) → Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)

Hi David, thanks for replying. As Malwarebytes has removed it, what do I do now for Avast?

Hi Babes how ya going ;D

It should be in MBAM’s quarantine - you can restore it, then scan with Avast. If it doesn’t detect it, submit it and then get MBAM to kill it again.

Would you like me to have a look to see if there is anything left? If so:

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop

- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users.
- Under Additional Scans check the following:
  - Reg - Shell Spawning
  - File - Lop Check
  - File - Purity Scan
  - Evnt - EvtViewer (last 10)
- Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /180

- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete, Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.

Please attach the log in your next post.

Cheers essex, as it’s a little late to get my head around that one (work tomorrow), I will do OTS on Saturday, my next day off, and post the log. Once again, thanks both for your help :)

Hi Susz,

How are you, little ol’ gal?
This is a Yahoo Browser Redirector, here is a malware cleansing routine for it and I think our mutual friend essexboy will also lead you through a GooredFix routine:
http://forums.malwarebytes.org/lofiversion/index.php/\"http:/web.kxnwricdcykqghhxsqkc.com/t15208.html

greets,

Damian

@ SUSZANNAH

Go to PROFILE, then Modify Profile, then Forum Profile Information, then Please select your country:, then Signature:, and put information about your system just like my signature so that the helpers can offer pertinent advice.

In Account Related Settings select Hide email address from public to prevent scammers and spammers harvesting your aol.com email address.

Hi Polonus, nice to hear from you, hope you are keeping well. Starting to get better slowly :slight_smile: Will take a look at that too, Polonus :slight_smile:

YoKenny, will set that up Saturday when I am on next. Using Win7 on a Toshiba Satellite, just for reference… I should have remembered, but it has been a long time since I have been in here… I forget things easily lol

See you saturday girl ;D

Just a quickie before bed… although it was running at startup, I just checked the Avast chest and it was transferred there on 28/5/2010…

So why was it still there? hmmmmmmmmm

There is a spawner there somewhere, possibly in the tasks folder.
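As an added example (my own code, not from the thread or from Malwarebytes, OTS or avast), the two checks the helpers apply above can be scripted over an exported list of autorun entries: DavidR’s point that a legitimate system file name such as lsass.exe means nothing when it runs from the wrong directory, and essexboy’s point that a quarantined file keeps reappearing at startup when a second launcher, a scheduled task for instance, re-runs it. Only the RTHDBPL path comes from the thread; the scheduled task named `SystemProc Update`, the benign `ExampleUpdater` entry, the System32 entry and the assumption that %SystemRoot% is C:\Windows are constructed for the example.

```python
"""Flag suspicious Windows autorun entries from an exported list.

Added example, not code from the thread or from Malwarebytes/OTS/avast.
Input is a list of (source, entry name, launched path) tuples such as
msconfig, the Run registry keys or the Task Scheduler would show.
"""
import ntpath
from collections import defaultdict

# Names of core Windows processes that only ever run from System32.
# lsass.exe is the one in the thread; the rest are well-known additions.
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "wininit.exe"}
# Assumption for the example: %SystemRoot% is C:\Windows.
EXPECTED_DIRS = {"c:\\windows\\system32"}
# Path fragments a user can write to without admin rights.
USER_WRITABLE_HINTS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\")


def normalize(path):
    """Lower-case and strip quotes so the same file compares equal."""
    return path.strip().strip('"').lower()


def check_entry(source, name, path, launchers_of_same_file):
    """Return the reasons this entry is suspicious (empty list if none)."""
    p = normalize(path)
    base, directory = ntpath.basename(p), ntpath.dirname(p)
    reasons = []
    if base in SYSTEM_BINARIES and directory not in EXPECTED_DIRS:
        reasons.append(f"system binary name {base} outside {sorted(EXPECTED_DIRS)[0]}")
    if any(hint in p for hint in USER_WRITABLE_HINTS):
        reasons.append("launched from a user-writable profile directory")
    # A second launcher of an already-suspicious file explains why it
    # comes back after quarantine: the other entry re-runs it.
    others = [l for l in launchers_of_same_file if l != f"{source}:{name}"]
    if reasons and others:
        reasons.append("same file is also launched by " + ", ".join(others))
    return reasons


def analyse(entries):
    """Map 'source:name' -> reasons for every suspicious entry."""
    launchers = defaultdict(list)
    for source, name, path in entries:
        launchers[normalize(path)].append(f"{source}:{name}")
    findings = {}
    for source, name, path in entries:
        reasons = check_entry(source, name, path, launchers[normalize(path)])
        if reasons:
            findings[f"{source}:{name}"] = reasons
    return findings


# Constructed sample: the RTHDBPL path is the one from the thread; the
# scheduled task, the System32 entry and ExampleUpdater are made up.
SAMPLE_ENTRIES = [
    ("HKCU Run", "RTHDBPL", r"c:\users\suszannah\AppData\Roaming\SystemProc\lsass.exe"),
    ("Scheduled task", "SystemProc Update",
     r'"C:\Users\suszannah\AppData\Roaming\SystemProc\lsass.exe"'),
    ("HKLM Run", "ExampleUpdater", r"C:\Program Files\Example\updater.exe"),
    ("Process list", "lsass.exe", r"C:\Windows\System32\lsass.exe"),
]

if __name__ == "__main__":
    for entry, reasons in analyse(SAMPLE_ENTRIES).items():
        print(entry)
        for reason in reasons:
            print("   -", reason)
```

Run as-is it reports the Run entry and the task, and each one names the other as a second launcher of the same file; the real lsass.exe in System32 and the third-party updater pass. On a real machine, feed it the (source, name, command) triples exported from the Run keys, the Startup folders and the Task Scheduler: a hit on the first rule is the file to quarantine and submit, and a "same file is also launched by" line is the spawner that has to be removed as well, otherwise the file is simply recreated at the next boot.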

grrrrrr, did OTS but can’t fathom out how to upload it ???

You can either add it as an attachment here - select additional options, bottom left on the post window, browse to the file and then post — or upload to Mediafire and post the sharing link.

ummmm, hope I did it right

Sure did Suse - OK, that looked clean, any problems?

Not that I have noticed, she seems to be running OK… only found that entry by accident and googled it. Once again, thanks for the help :slight_smile:

I may be back soon lol

To remove OTS just run it and hit the cleanup button and poof it’s gone ;D

Thanks hun, wish I could do that to people ;D