voight75

Rootkit.tdss

63 posts in this topic

Hi. :)

OK, please download a fresh copy of ComboFix from here or here and save it to the desktop please.

Then create a new Registry backup with ERUNT before proceeding to the below. <-- This step must be completed.

Please navigate to Start >> All Programs >> ERUNT >> ERUNT

  • Click on OK within the pop-up menu.
  • In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
  • System registry
  • Current user registry
  • Next click on OK
  • When the Question pop-up appears click on Yes
  • After a short duration the Registry backup is complete! popup will appear
  • Now click on OK. A backup has been created.

Note: If you have uninstalled ERUNT since we last used it, please inform me before proceeding any further.

Custom ComboFix-Script:

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    KILLALL::

    Rootkit::
    \\?\globalroot\Device\Ide\IdePort1\mqpikbfn\mqpikbfn\tdlwsp.dll

    FCOPY::
    c:\windows\system32\dllcache\iexplore.exe | C:\Program Files\internet explorer\iexplore.exe

    Snapshot::

    SysRst::


  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    [screenshot: CFScriptB-4.gif]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab, and end any findstr, find, sed or swreg processes; ComboFix should then continue.

If that happened we want to know, and also what process you had to end.


Dakeyras,

I have run into the same problem as before. Everything else was fine, except Combofix will not Autoscan. It loads as normal, creates registry back-up, states that the scan is about to begin, then....nothing. I left for about 30 minutes and still nothing. The one and only success we have had running combofix has been in safe mode, yesterday. Should I try again in safe mode?


Hi. :)

No, do not run ComboFix in Safe Mode again at this time. What stage did the scan reach please?

Check for updates with Malwarebytes Anti-Malware, close the application. Then boot into Safe Mode and run a full scan with it please.

Then boot back into Normal mode.

Post a new GMER log please along with the Malwarebytes Anti-Malware log, thank you.


Dakeyras,

The scan never actually began. It sticks at the point where it says "scan will take around 10 minutes. Time for badly infected machines could easily double", then nothing happens at all. The exact same thing has happened every time I have tried to run combofix, except the one successful attempt in Safe mode.

Here is the MBAM full scan log, run from Safe mode:

Malwarebytes' Anti-Malware 1.41
Database version: 2842
Windows 5.1.2600 Service Pack 3 (Safe Mode)

9/22/2009 12:40:40 PM
mbam-log-2009-09-22 (12-40-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 201959
Time elapsed: 1 hour(s), 37 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\Device\Ide\IdePort1\jucrnmxg\jucrnmxg\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\Device\Ide\IdePort1\jucrnmxg\jucrnmxg\tdlwsp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

Here is the new GMER log:

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-22 12:57:52
Windows 5.1.2600 Service Pack 3
Running: c6dkf72x.exe; Driver: C:\DOCUME~1\RICHAR~1\LOCALS~1\Temp\uxldrpob.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA922F4EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA922F581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA922F498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA922F4AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA922F595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA922F5C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA922F62F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA922F619]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA922F52A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA922F65B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA922F56D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA922F470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA922F484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA922F4FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA922F697]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA922F603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA922F5ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA922F5AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA922F683]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA922F66F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA922F4D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA922F4C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA922F5D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA922F559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA922F645]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA922F540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA922F514]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs FdRedir.sys (File Disk Redirector/UPEK Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\Ide\IdePort1\nlbjrnfy\nlbjrnfy\tdlwsp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [208] 0x10000000
Library \\?\globalroot\Device\Ide\IdePort1\nlbjrnfy\nlbjrnfy\tdlwsp.dll (*** hidden *** ) @ C:\Program Files\internet explorer\iexplore.exe [4876] 0x10000000
Library \\?\globalroot\Device\Ide\IdePort1\nlbjrnfy\nlbjrnfy\tdlwsp.dll (*** hidden *** ) @ C:\Program Files\internet explorer\iexplore.exe [5420] 0x10000000
Library \\?\globalroot\Device\Ide\IdePort1\nlbjrnfy\nlbjrnfy\tdlwsp.dll (*** hidden *** ) @ C:\Program Files\internet explorer\iexplore.exe [5664] 0x10000000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

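The GMER and MBAM logs above show the same tdlwsp.dll mapped from a raw \\?\globalroot\Device\ path, marked hidden, and sitting under a different random directory name in each scan (mqpikbfn in the ComboFix script, jucrnmxg in MBAM, nlbjrnfy in GMER). As an added example that is not part of this thread and not code from GMER, Malwarebytes or ComboFix, the Python below parses both log formats, flags modules that are hidden or device-path loaded, and groups them by file name so that path re-randomization between boots stands out; the sample lines, function names and the non-hidden contrast entry are constructed for this example.

```python
"""Flag hidden / device-path modules in GMER and MBAM log text and track how the
same DLL's path changes between scans.

Added example: the parsers, names and sample lines here are constructed for this
thread, not code from GMER, Malwarebytes or ComboFix.
"""
import re
from collections import defaultdict

# GMER "Processes" section line:
#   Library <path> (<flags>) @ <host image> [<pid>] <base address>
GMER_LIBRARY = re.compile(
    r"^Library\s+(?P<path>\S+)\s+\((?P<flags>[^)]*)\)\s+@\s+"
    r"(?P<image>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)\s*$"
)

# MBAM detection line:  <path> (<detection name>) -> <action>.
# The path must start with a drive letter or a \\?\ prefix so that section
# headers such as "Memory Modules Infected:" are not mistaken for items.
MBAM_ITEM = re.compile(
    r"^(?P<path>(?:\\\\\?\\|[A-Za-z]:\\)\S+)\s+\((?P<name>[^)]+)\)\s+->\s+(?P<action>[^.]+)\.?$"
)

# Constructed sample input modelled on the GMER and MBAM entries quoted in this
# thread. The three random directory names are the ones seen across successive
# scans there; the last GMER line is a made-up non-hidden entry for contrast.
GMER_SAMPLE = r"""
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\Ide\IdePort1\mqpikbfn\mqpikbfn\tdlwsp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1604] 0x10000000
Library \\?\globalroot\Device\Ide\IdePort1\nlbjrnfy\nlbjrnfy\tdlwsp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [208] 0x10000000
Library \\?\globalroot\Device\Ide\IdePort1\nlbjrnfy\nlbjrnfy\tdlwsp.dll (*** hidden *** ) @ C:\Program Files\internet explorer\iexplore.exe [4876] 0x10000000
Library C:\WINDOWS\system32\example_benign.dll (constructed) @ C:\WINDOWS\Explorer.EXE [208] 0x7c800000
"""

MBAM_SAMPLE = r"""
Memory Modules Infected:
\\?\globalroot\Device\Ide\IdePort1\jucrnmxg\jucrnmxg\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.

Files Infected:
\\?\globalroot\Device\Ide\IdePort1\jucrnmxg\jucrnmxg\tdlwsp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""


def is_device_path(path):
    """True for a module mapped from a raw device object rather than a drive letter.
    Legitimate DLLs load through a drive letter; TDSS keeps its payload in a hidden
    file system under the IDE port device and maps it from there."""
    return path.lower().startswith("\\\\?\\globalroot\\device\\")


def parse_gmer_libraries(text):
    """Return one dict per 'Library' line, with a boolean 'hidden' flag added."""
    hits = []
    for line in text.splitlines():
        m = GMER_LIBRARY.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["hidden"] = "hidden" in d["flags"]
            hits.append(d)
    return hits


def parse_mbam_items(text):
    """Return one dict per MBAM detection line (path, name, action)."""
    matches = (MBAM_ITEM.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def module_variants(paths):
    """Map each file name (lower-cased) to the set of parent directories it was seen in."""
    variants = defaultdict(set)
    for p in paths:
        parent, _, name = p.rpartition("\\")
        variants[name.lower()].add(parent)
    return variants


def assess(gmer_text, mbam_text):
    """Summarise suspicious modules across one GMER log and one MBAM log."""
    libs = parse_gmer_libraries(gmer_text)
    items = parse_mbam_items(mbam_text)
    suspicious = [l for l in libs if l["hidden"] or is_device_path(l["path"])]
    paths = [l["path"] for l in suspicious]
    paths += [i["path"] for i in items if is_device_path(i["path"])]
    return {
        "hidden_modules": len(suspicious),
        "injected_into": sorted({l["image"] for l in suspicious}),
        "mbam_items": len(items),
        "variants": {name: sorted(dirs) for name, dirs in module_variants(paths).items()},
    }


def path_rerandomized(summary):
    """True when the same DLL was seen under more than one directory: a fixed-path
    removal rule (such as a ComboFix Rootkit:: entry) will miss it after the next
    boot, so the component that re-creates it at start-up has to be found instead."""
    return any(len(dirs) > 1 for dirs in summary["variants"].values())


if __name__ == "__main__":
    result = assess(GMER_SAMPLE, MBAM_SAMPLE)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("path re-randomizes between scans:", path_rerandomized(result))
```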

Hi. :)

I will be sending your good self a PM shortly; follow the advice within and then post back the log created here in this topic.

This is so I can try and work out what is hiding this particular malware.


Hi. :)

Ok, that's great. Thank you for your continued patience and persistence.
You're welcome!

OK we will try another method for pinpointing the malware as follows:

Scan with GMER:

  • Launch GMER.
  • At the top of the GMER interface, click the [>>>] button to reveal the hidden tabs.
  • Select Registry
  • Then navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
  • Click/Highlight the Services button and click the Export button located on the upper right to save a log.
  • The log will be very large in size and cannot be posted.
  • So save it to your desktop then send to a zip file and attach it to your next reply.
  [screenshot: Gmer-Registry.png]

Dakeyras,

Ok, here we are.

Thanks, I'll be back as soon as I can; it will take me some time to research the log. :)


Hi. :)

Unfortunately so far I have been unable to identify what exactly is using this variation of TDSS as a launch point/used to respawn the malware after every system reboot. It does appear however to be a type of memory resident malware, which is deleting the launch vector after initiation to help evade detection.

So I will require your good self to download some applications and run two other specific scans please as follows.

As I mentioned in a prior post, if not done so as of yet, do begin to back up any personal files and folders.

Next:

  • Please download Process Explorer v11.33.
  • Save the Zip file to the Desktop. Then extract to the Desktop.
  • Do not use this yet please.

Scan with The Avenger:

  • Please download The Avenger by Swandog46 from here.
  • Save the Zip file to the Desktop. Then extract to the Desktop.
  • Double click on avenger.exe to run The Avenger.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Click the Execute button.
  • You will be asked No script has been entered. Do you want to execute a rootkit scan only?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.

Scan with Runscanner:

  • Please download Runscanner from here and save to your Desktop.
  • Double click on Runscanner.exe to start the application and select Beginner Mode
  • On the next page select Save a binary .Run file then click Scan Computer at the top.
  • Runscanner.exe may request access to the Internet through your firewall; please allow it to do so. It will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log.
  • Please zip the .run file by right clicking and selecting send to Zip file
  • Then upload that as an attachment in your next post.

When completed the above, please post back the following:

  • How is your computer performing now? Any problems encountered and/or any further symptoms?
  • Avenger.txt.
  • Runscanner attachment.
  • A new RSIT Log.


Dakeyras,

Ok. My computer is no better, no worse. Nothing new to report.

Here is the avenger report:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Completed script processing.

*******************

Finished! Terminate.

Runscanner is attached.

Here is the new RSIT log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Richard Lunan at 2009-09-23 09:13:00
Microsoft Windows XP Professional Service Pack 3
System drive C: has 83 GB (72%) free of 114 GB
Total RAM: 2039 MB (69% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:05 AM, on 9/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\lxdfcoms.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Lexmark 6500 Series\lxdfmon.exe
C:\Program Files\Lexmark 6500 Series\lxdfamon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\00THotkey.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Documents and Settings\Richard Lunan\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Richard Lunan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [lxdfmon.exe] "C:\Program Files\Lexmark 6500 Series\lxdfmon.exe"
O4 - HKLM\..\Run: [lxdfamon] "C:\Program Files\Lexmark 6500 Series\lxdfamon.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: 00THotkey.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: McAfee Application Installer Cleanup (0017481253713625) (0017481253713625mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\001748~1.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\system32\lxdfcoms.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 13579 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}]
McAfee Phishing Filter - c:\PROGRA~1\mcafee\msk\mskapbho.dll [2009-07-08 246800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll [2009-07-08 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-07-27 256112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll [2009-07-27 458736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-07-27 256112]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2005-05-20 925696]
"LtMoh"=C:\Program Files\ltmoh\Ltmoh.exe [2004-08-18 184320]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2005-12-13 88204]
"Apoint"=C:\Program Files\Apoint2K\Apoint.exe [2004-03-24 196608]
"PSQLLauncher"=C:\Program Files\Protector Suite QL\launcher.exe [2006-05-05 30208]
"ThpSrv"=thpsrv /logon []
"TPSMain"=C:\WINDOWS\system32\TPSMain.exe [2006-04-24 315392]
"TPSODDCtl"=C:\WINDOWS\system32\TPSODDCtl.exe [2006-04-24 110592]
"TOSDCR"=C:\WINDOWS\system32\TOSDCR.EXE [2005-12-13 57344]
"PadTouch"=C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe [2005-12-06 1077322]
"Tvs"=C:\Program Files\Toshiba\Tvs\TvsTray.exe [2006-02-02 73728]
"NDSTray.exe"=NDSTray.exe []
"TFncKy"=TFncKy.exe []
"TosHKCW.exe"=C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe [2005-05-17 49152]
"TouchED"=C:\Program Files\TOSHIBA\TouchED\TouchED.Exe [2005-06-28 126976]
"DDWMon"=C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe [2006-04-25 299008]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2006-06-30 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2006-06-30 118784]
"IntelZeroConfig"=C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [2005-12-05 667718]
"IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2005-11-28 602182]
"LogMeIn GUI"=C:\Program Files\LogMeIn\LogMeInSystray.exe [2006-10-06 303864]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-07-10 645328]
"lxdfmon.exe"=C:\Program Files\Lexmark 6500 Series\lxdfmon.exe [2007-06-11 455600]
"lxdfamon"=C:\Program Files\Lexmark 6500 Series\lxdfamon.exe [2007-06-01 20480]
"LogitechCommunicationsManager"=C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe [2007-02-08 488984]
"LogitechQuickCamRibbon"=C:\Program Files\Logitech\QuickCam10\QuickCam10.exe [2007-02-08 774168]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-03-12 342312]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"=C:\Program Files\Webroot\Washer\wwDisp.exe [2007-11-26 1206600]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-08-18 68856]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
00THotkey.exe
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2006-06-30 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
C:\WINDOWS\system32\LMIinit.dll [2006-10-06 11504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\psfus]
C:\WINDOWS\system32\psqlpwd.dll [2006-05-05 40448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"_NoDriveTypeAutoRun"=145

"NoDriveAutoRun"=67108863

"NoDriveTypeAutoRun"=323

"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"HonorAutoRunSetting"=

"NoDriveAutoRun"=

"NoDriveTypeAutoRun"=

"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-09-23 08:57:50 ----D---- C:\Avenger

2009-09-23 08:57:49 ----A---- C:\avenger.txt

2009-09-22 10:14:56 ----SD---- C:\Combo-Fix

2009-09-22 10:14:49 ----A---- C:\WINDOWS\system32\CF6370.exe

2009-09-21 19:08:34 ----SHD---- C:\RECYCLER

2009-09-21 18:06:47 ----A---- C:\WINDOWS\ntbtlog.txt

2009-09-21 13:04:33 ----D---- C:\rsit

2009-09-21 12:33:46 ----D---- C:\_OTM

2009-09-21 12:28:33 ----D---- C:\Program Files\ERUNT

2009-09-21 12:05:01 ----A---- C:\WINDOWS\msoffice.ini

2009-09-18 16:21:20 ----A---- C:\Boot.bak

2009-09-18 16:21:10 ----RASHD---- C:\cmdcons

2009-09-18 16:16:59 ----A---- C:\WINDOWS\zip.exe

2009-09-18 16:16:59 ----A---- C:\WINDOWS\SWXCACLS.exe

2009-09-18 16:16:59 ----A---- C:\WINDOWS\SWSC.exe

2009-09-18 16:16:59 ----A---- C:\WINDOWS\SWREG.exe

2009-09-18 16:16:59 ----A---- C:\WINDOWS\sed.exe

2009-09-18 16:16:59 ----A---- C:\WINDOWS\PEV.exe

2009-09-18 16:16:59 ----A---- C:\WINDOWS\NIRCMD.exe

2009-09-18 16:16:59 ----A---- C:\WINDOWS\grep.exe

2009-09-18 16:16:23 ----D---- C:\WINDOWS\ERDNT

2009-09-18 16:15:40 ----D---- C:\Qoobox

2009-09-18 15:37:46 ----A---- C:\WINDOWS\system32\MPFServiceFailureCount.txt

2009-09-17 11:27:59 ----D---- C:\Program Files\Trend Micro

2009-09-17 11:01:34 ----D---- C:\Program Files\Enigma Software Group

2009-09-16 22:23:58 ----D---- C:\Documents and Settings\Richard Lunan\Application Data\Malwarebytes

2009-09-16 22:23:48 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2009-09-16 22:23:47 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

2009-09-16 18:55:41 ----A---- C:\WINDOWS\wininit.ini

2009-09-16 18:31:51 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-16 18:16:58 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP

2009-09-09 15:02:04 ----HDC---- C:\WINDOWS\$NtUninstallKB968816_WM9$

2009-09-09 15:01:59 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$

2009-09-09 15:00:57 ----HDC---- C:\WINDOWS\$NtUninstallKB973768$

2009-08-27 10:29:34 ----HDC---- C:\WINDOWS\$NtUninstallKB970653-v3$

======List of files/folders modified in the last 1 months======

2009-09-23 09:13:04 ----D---- C:\WINDOWS\Temp

2009-09-23 09:06:59 ----D---- C:\WINDOWS

2009-09-23 09:06:50 ----D---- C:\WINDOWS\system32\drivers

2009-09-23 09:06:48 ----D---- C:\WINDOWS\system32\CatRoot2

2009-09-23 09:04:43 ----D---- C:\WINDOWS\Registration

2009-09-23 08:57:20 ----A---- C:\WINDOWS\SchedLgU.Txt

2009-09-23 08:57:02 ----D---- C:\WINDOWS\Prefetch

2009-09-23 08:57:00 ----HD---- C:\WINDOWS\inf

2009-09-23 08:51:01 ----D---- C:\WINDOWS\system32\CatRoot

2009-09-22 10:15:04 ----D---- C:\WINDOWS\system32

2009-09-22 07:46:13 ----SHD---- C:\WINDOWS\Installer

2009-09-22 07:45:41 ----D---- C:\Program Files

2009-09-22 07:45:40 ----D---- C:\Program Files\Common Files\Research In Motion

2009-09-22 07:41:06 ----A---- C:\WINDOWS\ModemLog_TOSHIBA Software Modem.txt

2009-09-22 07:40:11 ----A---- C:\WINDOWS\ModemLog_Standard Modem.txt

2009-09-21 18:52:35 ----A---- C:\WINDOWS\system.ini

2009-09-21 18:41:22 ----D---- C:\WINDOWS\system32\config

2009-09-21 18:30:50 ----D---- C:\WINDOWS\AppPatch

2009-09-21 18:30:47 ----D---- C:\Program Files\Common Files

2009-09-21 14:18:16 ----D---- C:\Documents and Settings\Richard Lunan\Application Data\Skype

2009-09-21 12:13:18 ----D---- C:\Program Files\Pure Networks

2009-09-21 12:13:18 ----D---- C:\Program Files\Common Files\AOL

2009-09-21 12:11:35 ----SD---- C:\WINDOWS\Tasks

2009-09-21 12:11:35 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft

2009-09-21 12:07:53 ----D---- C:\Documents and Settings\All Users\Application Data\AOL

2009-09-21 12:05:34 ----A---- C:\WINDOWS\win.ini

2009-09-21 12:05:17 ----D---- C:\Documents and Settings\Richard Lunan\Application Data\AOL

2009-09-21 11:58:28 ----D---- C:\Documents and Settings\Richard Lunan\Application Data\skypePM

2009-09-18 16:21:21 ----RASH---- C:\boot.ini

2009-09-16 22:38:55 ----D---- C:\Program Files\DIGStream

2009-09-16 20:02:34 ----SD---- C:\WINDOWS\Downloaded Program Files

2009-09-16 19:34:18 ----D---- C:\Program Files\Internet Explorer

2009-09-12 17:56:32 ----D---- C:\WINDOWS\network diagnostic

2009-09-09 15:02:07 ----RSHDC---- C:\WINDOWS\system32\dllcache

2009-09-09 15:02:03 ----A---- C:\WINDOWS\imsins.BAK

2009-09-09 15:01:58 ----HD---- C:\WINDOWS\$hf_mig$

2009-09-09 15:01:49 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help

2009-09-09 15:00:59 ----D---- C:\WINDOWS\ehome

2009-09-08 09:29:13 ----D---- C:\WINDOWS\Microsoft.NET

2009-08-28 16:38:20 ----A---- C:\WINDOWS\system32\MRT.exe

2009-08-24 10:42:14 ----D---- C:\Program Files\McAfee

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]

R1 meiudf;meiudf; C:\WINDOWS\System32\Drivers\meiudf.sys [2005-06-02 102384]

R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2009-07-08 214024]

R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2009-07-16 120136]

R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.9.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2006-12-22 21275]

R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2006-08-18 8552]

R2 FdRedir;FdRedir; \??\C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys []

R2 FileDisk2;FileDisk Protector Kernel Driver; \??\C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys []

R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\RaInfo.sys []

R2 Netdevio;TOSHIBA Network Device Usermode I/O Protocol; C:\WINDOWS\system32\DRIVERS\netdevio.sys [2003-01-29 12032]

R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2005-11-28 13568]

R2 smihlp;SMI helper driver; \??\C:\Program Files\Protector Suite QL\smihlp.sys []

R2 tdudf;TOSHIBA UDF File System Driver; C:\WINDOWS\system32\DRIVERS\tdudf.sys [2006-06-28 98816]

R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []

R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2006-02-28 176128]

R3 AEAudioService;AEAudio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2005-03-04 127872]

R3 AgereSoftModem;TOSHIBA V92 Software Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2005-12-13 1124097]

R3 ApfiltrService;Alps Pointing-device Filter Driver; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2004-05-08 101833]

R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]

R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-01-15 23848]

R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]

R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2006-06-30 1169980]

R3 Iviaspi;IVI ASPI Shell; C:\WINDOWS\system32\drivers\iviaspi.sys [2003-09-11 21060]

R3 LMImirr;LMImirr; C:\WINDOWS\system32\DRIVERS\LMImirr.sys [2006-10-06 8048]

R3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys [2007-02-06 25632]

R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2009-07-08 79816]

R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2009-07-08 35272]

R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2009-07-08 40552]

R3 Pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 10368]

R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]

R3 tbiosdrv;Toshiba Logical Tbios Device; C:\WINDOWS\system32\DRIVERS\tbiosdrv.sys [2005-08-24 9472]

R3 TcUsb;TC USB Kernel Driver; C:\WINDOWS\System32\Drivers\tcusb.sys [2006-05-05 28800]

R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver; C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys [2006-03-02 15360]

R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-11-30 162560]

R3 Tvs;TOSHIBA Virtual Sound with SRS technologies; C:\WINDOWS\system32\DRIVERS\Tvs.sys [2006-05-30 45696]

R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]

R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]

R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]

R3 w39n51;Intel® PRO/Wireless 3945ABG Adapter Driver; C:\WINDOWS\system32\DRIVERS\w39n51.sys [2005-12-05 1428096]

S3 AR5211;Atheros Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2006-04-01 471264]

S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]

S3 catchme;catchme; \??\C:\Combo-Fix\catchme.sys []

S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]

S3 E100B;Intel® PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2005-10-10 163328]

S3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2006-03-21 179200]

S3 FilterService;UVC Filter Service; C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys [2007-02-03 22560]

S3 LVcKap;Logitech AEC Driver; C:\WINDOWS\system32\DRIVERS\LVcKap.sys [2007-02-06 1691808]

S3 LVMVDrv;Logitech Machine Vision Engine Loader; C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys [2007-02-06 1964064]

S3 lvpopflt;Logitech POP Suppression Filter; C:\WINDOWS\system32\DRIVERS\lvpopflt.sys [2007-02-03 1507232]

S3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS\system32\drivers\LVUSBSta.sys [2007-02-03 41504]

S3 LVUVC;QuickCam for Notebooks Deluxe(UVC); C:\WINDOWS\system32\DRIVERS\lvuvc.sys [2007-02-03 1939360]

S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2009-07-08 34248]

S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]

S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]

S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]

S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]

S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]

S3 QV2KUX;Casio Digital Camera; C:\WINDOWS\system32\DRIVERS\qv2kux.sys [2001-08-17 3328]

S3 RimUsb;BlackBerry Device; C:\WINDOWS\System32\Drivers\RimUsb.sys []

S3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2006-06-30 26752]

S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-10 5888]

S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]

S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]

S3 tosrfec;Bluetooth ACPI from TOSHIBA; C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 9344]

S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]

S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]

S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]

S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]

S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]

S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]

S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]

S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-06 132424]

R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]

R2 CFSvcs;ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [2005-01-17 40960]

R2 DVD-RAM_Service;DVD-RAM_Service; C:\WINDOWS\system32\DVDRAMSV.exe [2004-08-28 110592]

R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-04-09 237568]

R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]

R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2005-11-28 114753]

R2 LVPrcSrv;Process Monitor; c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe [2007-02-06 109344]

R2 lxdf_device;lxdf_device; C:\WINDOWS\system32\lxdfcoms.exe [2007-05-29 598960]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]

R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-07-10 865832]

R2 McNASvc;McAfee Network Agent; c:\program files\common files\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]

R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]

R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-07-08 144704]

R2 MSK80Service;McAfee SpamKiller Service; C:\Program Files\McAfee\MSK\MskSrver.exe [2009-07-08 26640]

R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2005-11-28 217164]

R2 S24EventMonitor;Intel® PROSet/Wireless Service; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2005-11-28 540745]

R2 Swupdtmr;Swupdtmr; c:\TOSHIBA\IVP\swupdate\swupdtmr.exe [2005-07-12 40960]

R2 Thpsrv;TOSHIBA HDD Protection; C:\WINDOWS\system32\ThpSrv.exe [2005-12-20 176128]

R2 wwEngineSvc;Window Washer Engine; C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 598856]

R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-07-08 606736]

R3 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-07-10 894136]

S2 0017481253713625mcinstcleanup;McAfee Application Installer Cleanup (0017481253713625); C:\WINDOWS\TEMP\001748~1.EXE [2009-08-18 316312]

S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]

S2 LVSrvLauncher;LVSrvLauncher; C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe [2007-02-06 105248]

S2 lxdfCATSCustConnectService;lxdfCATSCustConnectService; C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe [2007-05-29 99248]

S2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]

S2 TODDSrv;TOSHIBA Optical Disc Drive Service; C:\WINDOWS\system32\TODDSrv.exe [2006-05-25 114688]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]

S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]

S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-29 182768]

S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]

S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]

S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-03-12 656168]

S3 MBackMonitor;MBackMonitor; C:\Program Files\McAfee\MBK\MBackMonitor.exe [2009-01-09 68112]

S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-07-08 365072]

S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]

S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]

S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]

S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

S4 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\RaMaint.exe [2006-10-06 62200]

S4 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\LogMeIn.exe [2006-10-06 1622768]

S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

runscanner.zip


Hi. :)

Unfortunately the scans have not revealed any pertinent information and it appears several of my colleagues are dealing with this infection also.

It is proving quite elusive what is actually launching tdlwsp.dll. I'm afraid it is yet again more scans, to see if I can pinpoint exactly what is being used to both launch/re-spawn the malware.

Create a Procexp RP Log:

  • Double click on procexp.exe to start the application.
  • Now go to File >> Save as... and save the Procexp text file to the desktop.
  • Post the contents of this file in your next reply.

USEC Radix RK Scan:

Please download radix_installer.zip to a convenient location and extract it to your Desktop.

  • Double click on radixgui.exe to start the application.
  • Then without making any changes click the Check button to start the scan.
  • Once it has completed click the Save Log... button and save that to your Desktop.
  • Close the application.
  • Now the Log saved will be a very large logfile, so zip a copy of it and attach it to your next reply please.
  • Note: Your installed security applications might warn about Radix requiring internet access, please allow.

!!!Caution: The Radix scanner has numerous settings and options, including many that can cause quick and permanent corruption to your operating system. Avoid the temptation to try any other options, scans or settings when using it.

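As an added example (not code from this thread, from RSIT, or from any tool named here), a defender-side triage pass over RSIT-style Run, driver and service lines of the kind posted above: it parses the two line shapes the listing uses and flags entries worth checking first. The regexes and flag names are my own assumptions about the log layout; the sample lines are copied from the listing above plus one constructed entry labelled as such.

```python
"""Triage pass over RSIT-style autostart, driver and service listings.

Added example; it is not part of the thread, of RSIT, or of any tool named
here. It recognises the two line shapes the listing above uses:

  "ValueName"=C:\\path\\file.exe [YYYY-MM-DD size]            (Run keys)
  R2 svc;Display Name; C:\\path\\file.sys [YYYY-MM-DD size]   (drivers/services)

and flags entries a responder would check first. A flag is a reason to look
at the file (dates, signer, on-disk presence), not a verdict of malware:
several flagged entries below are legitimate (a HDD-protection helper, a
ComboFix driver, a vendor driver loaded through an NT object path).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed layouts, derived from the listing above; both end in "[meta]".
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<path>.*?) ?\[(?P<meta>[^\]]*)\]$')
SVC_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*); ?'
    r'(?P<path>.*?) ?\[(?P<meta>[^\]]*)\]$'
)


@dataclass
class Entry:
    name: str
    path: str
    meta: str                      # "YYYY-MM-DD size", or "" if RSIT could not stat the file
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a Run-key or driver/service line, None for anything else."""
    m = RUN_RE.match(line) or SVC_RE.match(line)
    if m is None:
        return None
    return Entry(m.group("name"), m.group("path").strip(), m.group("meta").strip())


def flag_entry(e: Entry) -> List[str]:
    """Attach triage flags (names are this example's own) and return them."""
    p = e.path.lower()
    if not e.meta:
        # No date/size: the file was missing, hidden, or not resolvable to a real path.
        e.flags.append("no-file-info")
    if "\\temp\\" in p:
        # Persistence from a TEMP folder is unusual for legitimate software.
        e.flags.append("temp-path")
    if p.startswith("\\??\\") or p.startswith("\\\\?\\globalroot"):
        # NT object-manager paths bypass the usual drive-letter view of the disk.
        e.flags.append("nt-object-path")
    first = e.path.split(" ", 1)[0]
    if first and "\\" not in first and ":" not in first:
        # Bare image name: resolved through the PATH search order, so it can be shadowed.
        e.flags.append("bare-name")
    return e.flags


def triage(lines) -> List[Entry]:
    """Parse every recognised line and return only those carrying at least one flag."""
    flagged = []
    for raw in lines:
        e = parse_line(raw.rstrip("\r\n"))
        if e is not None and flag_entry(e):
            flagged.append(e)
    return flagged


# Sample input: lines copied from the RSIT listing above, plus one constructed
# Run entry (EXAMPLE placeholder path) that exercises the globalroot branch.
SAMPLE_LINES = [
    r'"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2005-05-20 925696]',
    r'"ThpSrv"=thpsrv /logon []',
    r'"NDSTray.exe"=NDSTray.exe []',
    r'"legalnoticecaption"=',
    r'R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]',
    r'R2 FdRedir;FdRedir; \??\C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys []',
    r'S3 catchme;catchme; \??\C:\Combo-Fix\catchme.sys []',
    r'S2 0017481253713625mcinstcleanup;McAfee Application Installer Cleanup (0017481253713625); C:\WINDOWS\TEMP\001748~1.EXE [2009-08-18 316312]',
    r'"constructed"=\\?\globalroot\Device\EXAMPLE\loader.dll []',
]

if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"{e.name:32} {', '.join(e.flags):30} {e.path}")
```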

Dakeyras,

Well, I appreciate your continued help. I also saw that a number of you guys were helping others who appear to have the same problem as me! I suppose the more people working on it, the sooner we will crack it, right?

One side question: my desktop is becoming rather cluttered, can I remove some of the stuff I have downloaded? (At this point, everything you have asked me to download is still on my desktop. I was planning on keeping MBAM, RSIT, GMER, HijackThis and ERUNT for now, but can I get rid of the other stuff for now?)

Here is the ProceXP log:

Process PID CPU Description Company Name

System Idle Process 0 93.48

Interrupts n/a Hardware Interrupts

DPCs n/a Deferred Procedure Calls

System 4

smss.exe 600 Windows NT Session Manager Microsoft Corporation

csrss.exe 652 Client Server Runtime Process Microsoft Corporation

winlogon.exe 684 Windows NT Logon Application Microsoft Corporation

services.exe 732 2.17 Services and Controller app Microsoft Corporation

svchost.exe 924 Generic Host Process for Win32 Services Microsoft Corporation

LVComSX.exe 2452 LVCom Server Logitech Inc.

Dot1XCfg.exe 2444 Intel 802.1x Server Intel Corporation

COCIManager.exe 4156 Camera Control Interface Logitech Inc.

mcupdmgr.exe 2732 McAfee Update Manager Service McAfee, Inc.

wmiprvse.exe 4352 WMI Microsoft Corporation

mcupdui.exe 2648 McAfee McUpdUI EXE McAfee, Inc.

svchost.exe 1012 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 1128 Generic Host Process for Win32 Services Microsoft Corporation

EvtEng.exe 1188 Intel® PROSet/Wireless Event Log Intel Corporation

S24EvMon.exe 1380 Wireless Management Service Intel Corporation

svchost.exe 1528 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 1604 Generic Host Process for Win32 Services Microsoft Corporation

spoolsv.exe 1796 Spooler SubSystem App Microsoft Corporation

LVPrcSrv.exe 1896 Logitech LVPrcSrv Module. Logitech Inc.

svchost.exe 1960 Generic Host Process for Win32 Services Microsoft Corporation

AppleMobileDeviceService.exe 136 Apple Mobile Device Service Apple Inc.

mDNSResponder.exe 272 Bonjour Service Apple Inc.

CFSvcs.exe 424 Service of ConfigFree. TOSHIBA CORPORATION

DVDRAMSV.exe 1036 DVD-RAM Utility Helper Service Matsushita Electric Industrial Co., Ltd.

ehrecvr.exe 1544 Media Center Receiver Service Microsoft Corporation

ehSched.exe 1712 Media Center Scheduler Service Microsoft Corporation

lxdfcoms.exe 628 Printer Communication System

McSACore.exe 1312 SiteAdvisor McAfee, Inc.

mcmscsvc.exe 1500 McAfee Services McAfee, Inc.

McNASvc.exe 2096 McAfee Network Agent McAfee, Inc.

RegSrvc.exe 2980 Intel® PROSet/Wireless Registry Service Intel Corporation

svchost.exe 3480 Generic Host Process for Win32 Services Microsoft Corporation

swupdtmr.exe 3832

ThpSrv.exe 4064 TOSHIBA HDD Protection Service TOSHIBA Corporation

WasherSvc.exe 592 Window Washer Engine Webroot Software, Inc.

dllhost.exe 3204 COM Surrogate Microsoft Corporation

svchost.exe 3596 Generic Host Process for Win32 Services Microsoft Corporation

alg.exe 1868 Application Layer Gateway Service Microsoft Corporation

MpfSrv.exe 3376 McAfee Personal Firewall Service McAfee, Inc.

Mcshield.exe 5276 On-Access Scanner service McAfee, Inc.

mcsysmon.exe 1152 McAfee SystemGuards Service McAfee, Inc.

McProxy.exe 4324 McAfee Proxy Service Module McAfee, Inc.

msksrver.exe 4628 McAfee Anti-Spam Server McAfee, Inc.

RapportMgmtService.exe 2552 RapportMgmtService Trusteer Ltd.

lsass.exe 744 LSA Shell (Export Version) Microsoft Corporation

explorer.exe 404 0.72 Windows Explorer Microsoft Corporation

smax4pnp.exe 2500 SMax4PNP Analog Devices, Inc.

ltmoh.exe 2508 LtMoh MFC Application Agere Systems

agrsmmsg.exe 2540 SoftModem Messaging Applet Agere Systems

Apoint.exe 2560 Alps Pointing-device Driver Alps Electric Co., Ltd.

ThpSrv.exe 2620 TOSHIBA HDD Protection Service TOSHIBA Corporation

TPSODDCtl.exe 2728 TOSHIBA Corporation

PadExe.exe 2760 PadTouch Main TOSHIBA

TvsTray.exe 2964 TOSHIBA Virtual Sound Taskbar Module TOSHIBA Corporation

NDSTray.exe 3032 ConfigFree Tray TOSHIBA CORPORATION

TFncKy.exe 3064 TFncKy TOSHIBA Corporation

TosHKCW.exe 3088 Wireless Hotkey TOSHIBA CORPORATION

TouchED.exe 3128 TouchPad On/Off Utility TOSHIBA Corporation

DDWMon.exe 3156 TOSHIBA Direct Disc Writer - Event Monitor TOSHIBA Corporation

hkcmd.exe 3224 hkcmd Module Intel Corporation

igfxpers.exe 3296 persistence Module Intel Corporation

ZCfgSvc.exe 3328 ZeroCfgSvc MFC Application Intel Corporation

iFrmewrk.exe 3340 Intel Framework MFC Application Intel Corporation

LogMeInSystray.exe 3360 LogMeIn Desktop Application LogMeIn, Inc.

mcagent.exe 3368 McAfee Integrated Security Platform McAfee, Inc.

lxdfmon.exe 3388 Printer Device Monitor

lxdfamon.exe 3456 Printer Card Transfer Monitor

Communications_Helper.exe 3508 Communications Manager Logitech Inc.

QuickCam10.exe 3532 Camera Software Logitech Inc.

GrooveMonitor.exe 3576 GrooveMonitor Utility Microsoft Corporation

QTTask.exe 3740 QuickTime Task Apple Inc.

GoogleToolbarNotifier.exe 3820 GoogleToolbarNotifier Google Inc.

ctfmon.exe 3976 CTF Loader Microsoft Corporation

00THotkey.exe 144 THotkey TOSHIBA Corporation

LogitechDesktopMessenger.exe 956 Logitech Desktop Messenger Logitech Inc.

RAMASST.exe 1672 CD Burning of Windows XP disabling tool for DVD MULTI Drive Matsushita Electric Industrial Co., Ltd.

iexplore.exe 5604 Internet Explorer Microsoft Corporation

iexplore.exe 4320 Internet Explorer Microsoft Corporation

iexplore.exe 5164 1.47 Internet Explorer Microsoft Corporation

procexp.exe 5660 Sysinternals Process Explorer Sysinternals - www.sysinternals.com

psqltray.exe 3108 Protector Suite QL Tray Application Launcher UPEK Inc.

TPSBattM.exe 3352 TOSHIBA Corporation

ApntEx.exe 3696 Alps Pointing-device Driver for Windows NT/2000/XP Alps Electric Co., Ltd.

RapportService.exe 5824 RapportService Trusteer Ltd.


The Radix log is too large to post, even as a zip file; it will not allow me to attach it. What should I do?


Hi. :blink:

Well, I appreciate your continued help. I also saw that a number of you guys were helping others who appear to have the same problem as me! I suppose the more people working on it, the sooner we will crack it, right?
You're welcome!

That is the theory one hopes, plus I will be sharing my research with my colleagues as soon as I have something definite, and vice versa, as this is how we collaborate in the fight against malware.

One side question: my desktop is becoming rather cluttered, can I remove some of the stuff I have downloaded? (At this point, everything you have asked me to download is still on my desktop. I was planning on keeping MBAM, RSIT, GMER, HijackThis and ERUNT for now, but can I get rid of the other stuff for now?)
I would prefer you leave everything in-place, as some applications will require a specific removal process. By all means delete any logs on the desktop you have already posted.

One work around I can suggest is create a new folder on the desktop called say My Log Tools. Move all into this folder and as/if I request them, move them temp' back to the desktop then back again when finished scanning etc. When finished with all move all to the desktop prior to my complete removal instructions for all, thank you.

The Radix log is too large to post, even as a zip file; it will not allow me to attach it. What should I do?
OK, I ran a scan with this on my test box and it is indeed rather large (my own is around the 160 KB mark in size). Try splitting it into two logs (or three) if need be and post/attach each individually. Not ideal, I admit, and in the meantime I will see if there is another viable method for myself to be able to research the Radix log created.


Dakeyras,

I have tried to split it up, even into 5 different pieces, and it is still too large to post. There appears to be some sort of attachment size limit for each thread, and it looks like we have used 321.18k of 500k, or am I misunderstanding that? Either way, I cannot think of a way to post these logs. Do you have an ftp site or something similar? Or could I e-mail you maybe?


Try and upload it to my submission channel here please, if no success we will try something else. :blink:


Ok, it worked, I hope. I submitted it to your channel in 4 parts, all sent successfully.


Nicely done, got all the uploads thanks! :blink:

Rather a lot for me to research and, at a quick glance at it all, something does grab my attention. So please be patient until I have thoroughly researched all of it.

In the meantime I would like for your good self to carry out the following please:

New Java Installation:

  • Click here to visit Java's website.
  • Scroll down to Java SE Runtime Environment (JRE) 6 Update 16. Click on Download.
  • Select Windows from the drop-down list for Platform.
  • Select Multi-language from the drop-down list for Language.
  • Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  • Click on jre-6u16-windows-i586-p.exe link to download it and save this to a convenient location.
  • Double click on jre-6u16-windows-i586-p.exe to install Java.

Run Kaspersky Online AV Scanner:

Go to this Kaspersky website and perform an online antivirus scan.

Note: Use Internet Explorer for this scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

This online tutorial will help explain how to use the aforementioned online scan.

When you have completed the above, please post back the following:

  • How is your computer performing now? Any problems encountered and/or any further symptoms?
  • Kaspersky report.


Dakeyras,

Ok, I downloaded the Java updates and did the Kaspersky scan (all 3 hours of it!) :)

No other new problems etc to report.

Here is the Kaspersky log:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Wednesday, September 23, 2009

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Thursday, September 24, 2009 00:17:03

Records in database: 2876926

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Objects scanned: 96455

Threats found: 2

Infected objects found: 8

Suspicious objects found: 0

Scan duration: 03:17:43

File name / Threat / Threats count

winlogon.exe\LMIinit.dll/winlogon.exe\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1

C:\WINDOWS\system32\LMIinit.dll/C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1

globalroot\Device\Ide\IdePort1\rxvnntsi\rxvnntsi\tdlwsp.dll/globalroot\Device\Ide\IdePort1\rxvnntsi\rxvnntsi\tdlwsp.dll Infected: Packed.Win32.TDSS.z 4

C:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1

C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1

Selected area has been scanned.

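The Kaspersky report above is only useful once its findings are separated by what they mean for cleanup: the not-a-virus:RemoteAdmin entries are LogMeIn's own components (riskware, reviewed rather than deleted), while the Packed.Win32.TDSS.z hit sits under a globalroot\Device path rather than a drive letter, which is why the earlier ComboFix script addressed it by that path. The following is an added Python example by the editor, not code from the thread or from Kaspersky: it parses the report's "File name / Threat / Threats count" lines, buckets each finding with the editor's own classification rules, and cross-checks the scanner's summary counters against the detail lines. The sample text is a constructed copy of the posted report, trimmed to the lines the parser reads.

```python
import re
from collections import Counter

# Constructed sample: the findings table from the report posted above, reduced to the
# lines the parser needs (the full report also carries scanner and database versions).
SAMPLE_REPORT = r"""
KASPERSKY ONLINE SCANNER 7.0: scan report

Scan statistics:

Objects scanned: 96455

Threats found: 2

Infected objects found: 8

Suspicious objects found: 0

File name / Threat / Threats count

winlogon.exe\LMIinit.dll/winlogon.exe\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1

C:\WINDOWS\system32\LMIinit.dll/C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1

globalroot\Device\Ide\IdePort1\rxvnntsi\rxvnntsi\tdlwsp.dll/globalroot\Device\Ide\IdePort1\rxvnntsi\rxvnntsi\tdlwsp.dll Infected: Packed.Win32.TDSS.z 4

C:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1

C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1

Selected area has been scanned.
"""

# One finding line: "<object> Infected: <threat name> <count>"
FINDING_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# Summary counters printed under "Scan statistics:"
STAT_RE = re.compile(
    r"^(?P<key>Objects scanned|Threats found|Infected objects found|Suspicious objects found): (?P<val>\d+)$"
)


def classify(path, threat):
    """Triage bucket for one finding (editor's own rule set, not Kaspersky's)."""
    if threat.startswith("not-a-virus:"):
        # Riskware: legitimate but abusable software (remote admin here); review, don't auto-delete.
        return "riskware"
    if path.lower().startswith("globalroot\\device\\"):
        # Reported under a device path instead of a drive letter: not something a normal
        # directory listing shows, the kind of location the thread's rootkit entries point at.
        return "hidden-device-path"
    return "malware"


def parse_report(text):
    """Return (summary counters, list of finding dicts) from the report text."""
    stats, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = STAT_RE.match(line)
        if m:
            stats[m.group("key")] = int(m.group("val"))
            continue
        m = FINDING_RE.match(line)
        if m:
            obj = m.group("obj")
            # "outer/inner" means the object was found inside a container (process image,
            # archive); keep the outer path, which is what you would act on.
            path = obj.split("/", 1)[0]
            threat, count = m.group("threat"), int(m.group("count"))
            findings.append({"path": path, "threat": threat, "count": count,
                             "class": classify(path, threat)})
    return stats, findings


def triage(text):
    """Parse the report and cross-check its own summary against the finding lines."""
    stats, findings = parse_report(text)
    by_class = Counter()
    for f in findings:
        by_class[f["class"]] += f["count"]
    consistent = (
        sum(f["count"] for f in findings) == stats.get("Infected objects found")
        and len({f["threat"] for f in findings}) == stats.get("Threats found")
    )
    return {"stats": stats, "findings": findings, "by_class": dict(by_class),
            "consistent": consistent}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for f in result["findings"]:
        print(f"{f['class']:<20} x{f['count']} {f['threat']}  {f['path']}")
    print("summary consistent:", result["consistent"], result["by_class"])
```

Run against the posted report this gives 4 riskware detections and 4 detections in the hidden device path, and the summary check passes (8 infected objects, 2 distinct threat names), so the detail lines can be trusted as a complete list before anyone acts on them.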

Hi. :)

Ok, I downloaded the Java updates and did the Kaspersky scan (all 3 hours of it!)
Aye sometimes it can be a lengthy scan indeed.

A question please: have you got a Genuine Windows XP installation CD-ROM?

Please remove/uninstall both LogMeIn & Protector Suite QL. They are not malicious but I suspect they will hinder the overall malware removal process and may be inadvertently used as a vector for the malware to launch. By all means reinstall both applications when we are finished.

Run a File Search:

Press Start->Run, copy/paste the following command into the box and press OK:

cmd /c dir C:\*.* /L /A /B /S|Find "jvtmz.sys" >> "%userprofile%\desktop\look.txt"

A blank command window will open on your desktop, then close in a minute or two. This is normal.

A file called look.txt should appear on your Desktop. Please post the contents of this file.

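The one-liner in the previous post relies on three cmd details that are easy to miss: dir /L lowercases the listing so the case-sensitive Find still matches any capitalisation of the name, /A includes hidden and system entries, and Find is a substring match, so a file such as jvtmz.sys.bak would also be listed. What follows is an added Python stand-in written by the editor, not code from the thread, that reproduces that behaviour on a constructed directory tree (the file names in the tree are made up for the demonstration; the searched name jvtmz.sys is the one from the post). It also shows the empty-result case: when nothing in the tree matches, look.txt is created but blank, which is exactly what the next reply in the thread reports.

```python
import os
import tempfile


def find_file(root, name, out_path=None):
    """Stand-in for:  dir <root>\*.* /L /A /B /S | Find "<name>" >> look.txt

    /L lowercases the listing, so the (case-sensitive) Find effectively matches
    case-insensitively; /A includes hidden and system entries; /B /S prints bare
    full paths recursively; Find does a substring match, so "x.sys.bak" also hits.
    Returns the matching full paths and, if out_path is given, writes them there.
    """
    needle = name.lower()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):  # os.walk does not skip hidden entries
        for fn in filenames:
            if needle in fn.lower():
                hits.append(os.path.join(dirpath, fn))
    hits.sort()
    if out_path is not None:
        with open(out_path, "w") as fh:
            fh.write("".join(h + "\n" for h in hits))  # no hits -> a blank look.txt
    return hits


def demo():
    """Build a constructed directory tree (hypothetical file names) and run two searches."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("WINDOWS/system32/drivers/JVTMZ.SYS",   # upper-case copy, still found
                    "WINDOWS/system32/drivers/other.sys",
                    "Temp/jvtmz.sys.bak"):                  # substring hit, as Find would give
            full = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        log = os.path.join(tmp, "look.txt")
        hits = find_file(tmp, "jvtmz.sys", log)
        rel_hits = [os.path.relpath(h, tmp).replace(os.sep, "\\") for h in hits]
        misses = find_file(tmp, "nothere.sys", log)  # rewrites look.txt with nothing
        return {"hits": rel_hits, "misses": misses, "blank_log": os.path.getsize(log) == 0}


if __name__ == "__main__":
    print(demo())
```

A blank look.txt therefore means only that no file name containing the searched string was found in the tree that was walked; it says nothing about objects the scanner reported under a device path rather than a drive letter, which a drive-letter directory listing does not cover.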

Dakeyras,

Ok, I have uninstalled the two programs you mentioned. I have a 2 disc set I got with my laptop (laptop is about 3 years old); the set is Toshiba Recovery and Applications/Drivers. Would Windows XP be included on that (XP was installed when I bought the laptop)?

The look.txt file was blank, nothing to post.


Hi. :)

I apologise for the delay; I had some personal matters to attend to for most of yesterday/all evening.

I have a 2 disc set I got with my laptop (laptop is about 3 years old); the set is Toshiba Recovery and Applications/Drivers.
Ah I see, I was going to ask you to install the Recovery Console as a precaution, but I do not think we can with the type of CDs mentioned. I will have a think about this; in the meantime please carry out the below, thank you.

Scan with TDSSKiller:

Please download TDSSKiller.zip and extract it to the Desktop.

From within the newly created tdsskiller folder move TDSSKiller.exe to the desktop and delete the tdsskiller folder.

Click on Start >> Run... >> copy in the following text, and press Enter:

"%userprofile%\desktop\TDSSKiller.exe" -l report.txt -v

There will be a log on your desktop with the name report.

Copy and paste the contents of this log into your next reply.

MBR Rootkit Detector:

Please download The MBR Rootkit Detector by GMER

Be sure to download it to the root of your drive, e.g. C:\MBR.exe

Once the download has finished, click Start >> Run... >> copy in the following text, and press Enter:

\mbr

A log will be generated called MBR.txt. Post it in your next reply.
