Dakeyras Posted September 22, 2009 ID:131150

Hi.

OK, please download a fresh copy of ComboFix from here or here and save it to the desktop please.

Then create a new Registry backup with ERUNT before proceeding to the below. <-- This step must be completed.

Please navigate to Start >> All Programs >> ERUNT >> ERUNT
Click on OK within the pop-up menu.
In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
- System registry
- Current user registry
Next click on OK.
When the Question pop-up appears click on Yes.
After a short duration the "Registry backup is complete!" popup will appear.
Now click on OK. A backup has been created.

Note: If you have uninstalled ERUNT since we last used it, please inform myself before proceeding any further.

Custom ComboFix-Script:

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    KILLALL::
    Rootkit::
    \\?\globalroot\Device\Ide\IdePort1\mqpikbfn\mqpikbfn\tdlwsp.dll
    FCOPY::
    c:\windows\system32\dllcache\iexplore.exe | C:\Program Files\internet explorer\iexplore.exe
    Snapshot::
    SysRst::

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
If it does, open Task Manager then the Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then ComboFix should continue.
If that happened we want to know, and also what process you had to end.
voight75 Posted September 22, 2009 Author ID:131165

Dakeyras,

I have run into the same problem as before. Everything else was fine, except ComboFix will not autoscan. It loads as normal, creates the registry back-up, states that the scan is about to begin, then... nothing. I left for about 30 minutes and still nothing. The one and only success we have had running ComboFix has been in Safe Mode, yesterday. Should I try again in Safe Mode?
Dakeyras Posted September 22, 2009 ID:131168

Hi.

No, do not run ComboFix in Safe Mode again at this time. What stage did the scan reach please?

Check for updates with Malwarebytes Anti-Malware, then close the application. Then boot into Safe Mode and run a full scan with it please.

Then boot back into Normal mode.

Post a new GMER log please along with the Malwarebytes Anti-Malware log, thank you.
voight75 Posted September 22, 2009 Author ID:131241

Dakeyras,

The scan never actually began. It sticks at the point where it says "scan will take around 10 minutes. Time for badly infected machines could easily double", then nothing happens at all. The exact same thing has happened every time I have tried to run ComboFix, except the one successful attempt in Safe Mode.

Here is the MBAM full scan log, run from Safe Mode:

Malwarebytes' Anti-Malware 1.41
Database version: 2842
Windows 5.1.2600 Service Pack 3 (Safe Mode)

9/22/2009 12:40:40 PM
mbam-log-2009-09-22 (12-40-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 201959
Time elapsed: 1 hour(s), 37 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\Device\Ide\IdePort1\jucrnmxg\jucrnmxg\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\Device\Ide\IdePort1\jucrnmxg\jucrnmxg\tdlwsp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

Here is the new GMER log:

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-22 12:57:52
Windows 5.1.2600 Service Pack 3
Running: c6dkf72x.exe; Driver: C:\DOCUME~1\RICHAR~1\LOCALS~1\Temp\uxldrpob.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA922F4EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA922F581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA922F498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA922F4AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA922F595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA922F5C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA922F62F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA922F619]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA922F52A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA922F65B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA922F56D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA922F470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA922F484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA922F4FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA922F697]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA922F603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA922F5ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA922F5AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA922F683]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA922F66F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA922F4D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA922F4C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA922F5D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA922F559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA922F645]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA922F540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA922F514]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs FdRedir.sys (File Disk Redirector/UPEK Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\Ide\IdePort1\nlbjrnfy\nlbjrnfy\tdlwsp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [208] 0x10000000
Library \\?\globalroot\Device\Ide\IdePort1\nlbjrnfy\nlbjrnfy\tdlwsp.dll (*** hidden *** ) @ C:\Program Files\internet explorer\iexplore.exe [4876] 0x10000000
Library \\?\globalroot\Device\Ide\IdePort1\nlbjrnfy\nlbjrnfy\tdlwsp.dll (*** hidden *** ) @ C:\Program Files\internet explorer\iexplore.exe [5420] 0x10000000
Library \\?\globalroot\Device\Ide\IdePort1\nlbjrnfy\nlbjrnfy\tdlwsp.dll (*** hidden *** ) @ C:\Program Files\internet explorer\iexplore.exe [5664] 0x10000000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----
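The GMER "Processes" section above is where the rootkit shows itself: the same tdlwsp.dll is reported under a different random directory on each boot (mqpikbfn, jucrnmxg, nlbjrnfy), so comparing logs by raw path fails. The following Python is an added example, not part of this thread or of GMER; it parses that section, flags the "*** hidden ***" entries and normalises the random directory so the module is recognised as one component across logs. Function names and the embedded sample log are constructed for illustration from the format shown in the thread.

```python
"""Parse a GMER rootkit-scan log and report hidden, injected libraries.

Added example; not code from the thread or from GMER. Function names and
the sample log below are constructed for illustration from the log format
shown in the thread.
"""
import re
from collections import defaultdict

# One "Processes" line:  Library <path> (<flags>) @ <image> [<pid>] <base>
# The flags group is optional so lines without a parenthesised note still parse.
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<path>\S+)\s+(?:\((?P<flags>[^)]*)\)\s+)?@\s+"
    r"(?P<image>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)\s*$"
)

# TDSS-style module path: \\?\globalroot\Device\<device>\<rnd>\<rnd>\<file>
# The random directory name is repeated twice and changes on every boot.
GLOBALROOT_RE = re.compile(
    r"^\\\\\?\\globalroot\\Device\\(?P<device>.+?)\\"
    r"(?P<dir>[^\\]+)\\(?P=dir)\\(?P<file>[^\\]+)$",
    re.IGNORECASE,
)


def parse_gmer_processes(log_text):
    """Return one dict per Library line inside the '---- Processes' section."""
    records = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("---- Processes"):
            in_processes = True
            continue
        if line.startswith("----"):      # any other section header ends it
            in_processes = False
            continue
        if not in_processes:
            continue
        m = LIBRARY_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["hidden"] = "hidden" in (rec["flags"] or "")
        records.append(rec)
    return records


def rootkit_signature(path):
    """Replace the per-boot random directory with a placeholder, or return
    None if the path is not a globalroot device path of that shape."""
    m = GLOBALROOT_RE.match(path)
    if not m:
        return None
    parts = [r"\\?", "globalroot", "Device", m.group("device"),
             "<random>", "<random>", m.group("file")]
    return "\\".join(parts).lower()


def summarise_hidden_modules(log_text):
    """Map each hidden module (by signature) to the (image, pid) pairs it is
    loaded into, so logs from different boots can be compared directly."""
    summary = defaultdict(list)
    for rec in parse_gmer_processes(log_text):
        if not rec["hidden"]:
            continue
        key = rootkit_signature(rec["path"]) or rec["path"]
        summary[key].append((rec["image"], rec["pid"]))
    return dict(summary)


# Constructed sample in the format of the GMER log posted in the thread.
SAMPLE_LOG = r"""GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-22 12:57:52

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\Ide\IdePort1\nlbjrnfy\nlbjrnfy\tdlwsp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [208] 0x10000000
Library \\?\globalroot\Device\Ide\IdePort1\nlbjrnfy\nlbjrnfy\tdlwsp.dll (*** hidden *** ) @ C:\Program Files\internet explorer\iexplore.exe [4876] 0x10000000
Library C:\WINDOWS\system32\kernel32.dll @ C:\WINDOWS\Explorer.EXE [208] 0x7C800000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    for sig, hosts in summarise_hidden_modules(SAMPLE_LOG).items():
        print(sig)
        for image, pid in hosts:
            print(f"    injected into {image} [{pid}]")
```

Running it on the real log from this post and on the later one would produce the same signature key for tdlwsp.dll despite the changed directory name, which is the comparison the helper is doing by eye.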
Dakeyras Posted September 22, 2009 ID:131271

Hi.

I will be sending your good self a PM shortly; follow the advice within and then post back the log created here in this topic.

This is so I can try and work out what is hiding this particular malware.
voight75 Posted September 22, 2009 Author ID:131272

Ok, that's great. Thank you for your continued patience and persistence.
voight75 Posted September 22, 2009 Author ID:131274

Dakeyras,

Here it is:

TDSSserv not found
Dakeyras Posted September 22, 2009 ID:131277

Hi.

> Ok, that's great. Thank you for your continued patience and persistence.

You're welcome!

OK, we will try another method for pinpointing the malware as follows:

Scan with GMER:

Launch GMER.
At the top of the GMER interface, click the [>>>] button to reveal the hidden tabs.
Select Registry.
Then navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
Click/Highlight the Services button and click the Export button located on the upper right to save a log.

The log will be very large in size and cannot be posted. So save it to your desktop, then send to a zip file and attach it to your next reply.
voight75 Posted September 22, 2009 Author ID:131282

Dakeyras,

Ok, here we are.

Services_log.zip
Dakeyras Posted September 22, 2009 ID:131284

> Dakeyras,
> Ok, here we are.

Thanks, I'll be back soon, as it will take myself some time to research the log.
Dakeyras Posted September 23, 2009 ID:131770

Hi.

Unfortunately so far I have been unable to identify what exactly is using this variation of TDSS as a launch point/used to respawn the malware after every system reboot. It does appear however to be a type of memory resident malware, which is deleting the launch vector after initiation to help evade detection.

So I will require your good self to download some applications and run two other specific scans please as follows.

As I mentioned in a prior post, if not done so as of yet, do begin to back up any personal files and folders.

Next:

Please download Process Explorer v11.33.
Save the Zip file to the Desktop. Then extract to the Desktop.
Do not use this yet please.

Scan with The Avenger:

Please download The Avenger by Swandog46 from here.
Save the Zip file to the Desktop. Then extract to the Desktop.
Double click on avenger.exe to run The Avenger.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Click the Execute button.
You will be asked "No script has been entered. Do you want to execute a rootkit scan only?". Click Yes.
You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?". Click Yes.
Your PC will now be rebooted.
After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
Please post this log in your next reply.

Scan with Runscanner:

Please download Runscanner from here and save to your Desktop.
Double click on Runscanner.exe to start the application and select Beginner Mode.
On the next page select Save a binary .Run file, then click Scan Computer at the top.
Runscanner.exe may request access to the Internet through your firewall; please allow it to do so. It will then run for two or three minutes.
On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log.
Please zip the .run file by right clicking and selecting send to Zip file, then upload that as an attachment in your next post.

When completed the above, please post back the following:
- How is your computer performing now? Any problems encountered and/or any further symptoms?
- Avenger.txt
- Runscanner attachment
- A new RSIT log
voight75 Posted September 23, 2009 Author ID:131799

Dakeyras,

Ok. My computer is no better, no worse. Nothing new to report.

Here is the Avenger report:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Completed script processing.

*******************

Finished! Terminate.

Runscanner is attached.

Here is the new RSIT log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Richard Lunan at 2009-09-23 09:13:00
Microsoft Windows XP Professional Service Pack 3
System drive C: has 83 GB (72%) free of 114 GB
Total RAM: 2039 MB (69% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:05 AM, on 9/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"======List of files/folders created in the last 1 months======2009-09-23 08:57:50 ----D---- C:\Avenger2009-09-23 08:57:49 ----A---- C:\avenger.txt2009-09-22 10:14:56 ----SD---- C:\Combo-Fix2009-09-22 10:14:49 ----A---- C:\WINDOWS\system32\CF6370.exe2009-09-21 19:08:34 ----SHD---- C:\RECYCLER2009-09-21 18:06:47 ----A---- C:\WINDOWS\ntbtlog.txt2009-09-21 13:04:33 ----D---- C:\rsit2009-09-21 12:33:46 ----D---- C:\_OTM2009-09-21 12:28:33 ----D---- C:\Program Files\ERUNT2009-09-21 12:05:01 ----A---- C:\WINDOWS\msoffice.ini2009-09-18 16:21:20 ----A---- C:\Boot.bak2009-09-18 16:21:10 ----RASHD---- C:\cmdcons2009-09-18 16:16:59 ----A---- C:\WINDOWS\zip.exe2009-09-18 16:16:59 ----A---- C:\WINDOWS\SWXCACLS.exe2009-09-18 16:16:59 ----A---- C:\WINDOWS\SWSC.exe2009-09-18 16:16:59 ----A---- C:\WINDOWS\SWREG.exe2009-09-18 16:16:59 ----A---- C:\WINDOWS\sed.exe2009-09-18 16:16:59 ----A---- C:\WINDOWS\PEV.exe2009-09-18 16:16:59 ----A---- C:\WINDOWS\NIRCMD.exe2009-09-18 16:16:59 ----A---- C:\WINDOWS\grep.exe2009-09-18 16:16:23 ----D---- C:\WINDOWS\ERDNT2009-09-18 16:15:40 ----D---- C:\Qoobox2009-09-18 15:37:46 ----A---- C:\WINDOWS\system32\MPFServiceFailureCount.txt2009-09-17 11:27:59 ----D---- C:\Program Files\Trend Micro2009-09-17 11:01:34 ----D---- C:\Program Files\Enigma Software Group2009-09-16 22:23:58 ----D---- C:\Documents and Settings\Richard Lunan\Application Data\Malwarebytes2009-09-16 22:23:48 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes2009-09-16 22:23:47 ----D---- C:\Program Files\Malwarebytes' Anti-Malware2009-09-16 18:55:41 ----A---- C:\WINDOWS\wininit.ini2009-09-16 18:31:51 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & 
Destroy2009-09-16 18:16:58 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP2009-09-09 15:02:04 ----HDC---- C:\WINDOWS\$NtUninstallKB968816_WM9$2009-09-09 15:01:59 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$2009-09-09 15:00:57 ----HDC---- C:\WINDOWS\$NtUninstallKB973768$2009-08-27 10:29:34 ----HDC---- C:\WINDOWS\$NtUninstallKB970653-v3$======List of files/folders modified in the last 1 months======2009-09-23 09:13:04 ----D---- C:\WINDOWS\Temp2009-09-23 09:06:59 ----D---- C:\WINDOWS2009-09-23 09:06:50 ----D---- C:\WINDOWS\system32\drivers2009-09-23 09:06:48 ----D---- C:\WINDOWS\system32\CatRoot22009-09-23 09:04:43 ----D---- C:\WINDOWS\Registration2009-09-23 08:57:20 ----A---- C:\WINDOWS\SchedLgU.Txt2009-09-23 08:57:02 ----D---- C:\WINDOWS\Prefetch2009-09-23 08:57:00 ----HD---- C:\WINDOWS\inf2009-09-23 08:51:01 ----D---- C:\WINDOWS\system32\CatRoot2009-09-22 10:15:04 ----D---- C:\WINDOWS\system322009-09-22 07:46:13 ----SHD---- C:\WINDOWS\Installer2009-09-22 07:45:41 ----D---- C:\Program Files2009-09-22 07:45:40 ----D---- C:\Program Files\Common Files\Research In Motion2009-09-22 07:41:06 ----A---- C:\WINDOWS\ModemLog_TOSHIBA Software Modem.txt2009-09-22 07:40:11 ----A---- C:\WINDOWS\ModemLog_Standard Modem.txt2009-09-21 18:52:35 ----A---- C:\WINDOWS\system.ini2009-09-21 18:41:22 ----D---- C:\WINDOWS\system32\config2009-09-21 18:30:50 ----D---- C:\WINDOWS\AppPatch2009-09-21 18:30:47 ----D---- C:\Program Files\Common Files2009-09-21 14:18:16 ----D---- C:\Documents and Settings\Richard Lunan\Application Data\Skype2009-09-21 12:13:18 ----D---- C:\Program Files\Pure Networks2009-09-21 12:13:18 ----D---- C:\Program Files\Common Files\AOL2009-09-21 12:11:35 ----SD---- C:\WINDOWS\Tasks2009-09-21 12:11:35 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft2009-09-21 12:07:53 ----D---- C:\Documents and Settings\All Users\Application Data\AOL2009-09-21 12:05:34 ----A---- C:\WINDOWS\win.ini2009-09-21 12:05:17 ----D---- C:\Documents and 
Settings\Richard Lunan\Application Data\AOL2009-09-21 11:58:28 ----D---- C:\Documents and Settings\Richard Lunan\Application Data\skypePM2009-09-18 16:21:21 ----RASH---- C:\boot.ini2009-09-16 22:38:55 ----D---- C:\Program Files\DIGStream2009-09-16 20:02:34 ----SD---- C:\WINDOWS\Downloaded Program Files2009-09-16 19:34:18 ----D---- C:\Program Files\Internet Explorer2009-09-12 17:56:32 ----D---- C:\WINDOWS\network diagnostic2009-09-09 15:02:07 ----RSHDC---- C:\WINDOWS\system32\dllcache2009-09-09 15:02:03 ----A---- C:\WINDOWS\imsins.BAK2009-09-09 15:01:58 ----HD---- C:\WINDOWS\$hf_mig$2009-09-09 15:01:49 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help2009-09-09 15:00:59 ----D---- C:\WINDOWS\ehome2009-09-08 09:29:13 ----D---- C:\WINDOWS\Microsoft.NET2009-08-28 16:38:20 ----A---- C:\WINDOWS\system32\MRT.exe2009-08-24 10:42:14 ----D---- C:\Program Files\McAfee======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]R1 meiudf;meiudf; C:\WINDOWS\System32\Drivers\meiudf.sys [2005-06-02 102384]R1 mfehidk;McAfee Inc. 
mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2009-07-08 214024]R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2009-07-16 120136]R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.9.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2006-12-22 21275]R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2006-08-18 8552]R2 FdRedir;FdRedir; \??\C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys []R2 FileDisk2;FileDisk Protector Kernel Driver; \??\C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys []R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\RaInfo.sys []R2 Netdevio;TOSHIBA Network Device Usermode I/O Protocol; C:\WINDOWS\system32\DRIVERS\netdevio.sys [2003-01-29 12032]R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2005-11-28 13568]R2 smihlp;SMI helper driver; \??\C:\Program Files\Protector Suite QL\smihlp.sys []R2 tdudf;TOSHIBA UDF File System Driver; C:\WINDOWS\system32\DRIVERS\tdudf.sys [2006-06-28 98816]R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2006-02-28 176128]R3 AEAudioService;AEAudio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2005-03-04 127872]R3 AgereSoftModem;TOSHIBA V92 Software Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2005-12-13 1124097]R3 ApfiltrService;Alps Pointing-device Filter Driver; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2004-05-08 101833]R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-01-15 23848]R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2006-06-30 1169980]R3 Iviaspi;IVI ASPI Shell; 
C:\WINDOWS\system32\drivers\iviaspi.sys [2003-09-11 21060]R3 LMImirr;LMImirr; C:\WINDOWS\system32\DRIVERS\LMImirr.sys [2006-10-06 8048]R3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys [2007-02-06 25632]R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2009-07-08 79816]R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2009-07-08 35272]R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2009-07-08 40552]R3 Pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 10368]R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]R3 tbiosdrv;Toshiba Logical Tbios Device; C:\WINDOWS\system32\DRIVERS\tbiosdrv.sys [2005-08-24 9472]R3 TcUsb;TC USB Kernel Driver; C:\WINDOWS\System32\Drivers\tcusb.sys [2006-05-05 28800]R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver; C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys [2006-03-02 15360]R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-11-30 162560]R3 Tvs;TOSHIBA Virtual Sound with SRS technologies; C:\WINDOWS\system32\DRIVERS\Tvs.sys [2006-05-30 45696]R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]R3 w39n51;Intel® PRO/Wireless 3945ABG Adapter Driver; C:\WINDOWS\system32\DRIVERS\w39n51.sys [2005-12-05 1428096]S3 AR5211;Atheros Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2006-04-01 471264]S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]S3 catchme;catchme; \??\C:\Combo-Fix\catchme.sys []S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]S3 E100B;Intel® PRO Network Connection Driver; 
C:\WINDOWS\system32\DRIVERS\e100b325.sys [2005-10-10 163328]S3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2006-03-21 179200]S3 FilterService;UVC Filter Service; C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys [2007-02-03 22560]S3 LVcKap;Logitech AEC Driver; C:\WINDOWS\system32\DRIVERS\LVcKap.sys [2007-02-06 1691808]S3 LVMVDrv;Logitech Machine Vision Engine Loader; C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys [2007-02-06 1964064]S3 lvpopflt;Logitech POP Suppression Filter; C:\WINDOWS\system32\DRIVERS\lvpopflt.sys [2007-02-03 1507232]S3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS\system32\drivers\LVUSBSta.sys [2007-02-03 41504]S3 LVUVC;QuickCam for Notebooks Deluxe(UVC); C:\WINDOWS\system32\DRIVERS\lvuvc.sys [2007-02-03 1939360]S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2009-07-08 34248]S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]S3 QV2KUX;Casio Digital Camera; C:\WINDOWS\system32\DRIVERS\qv2kux.sys [2001-08-17 3328]S3 RimUsb;BlackBerry Device; C:\WINDOWS\System32\Drivers\RimUsb.sys []S3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2006-06-30 26752]S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-10 5888]S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]S3 tosrfec;Bluetooth ACPI from TOSHIBA; C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 9344]S3 usbaudio;USB Audio 
Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-06 132424]R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]R2 CFSvcs;ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [2005-01-17 40960]R2 DVD-RAM_Service;DVD-RAM_Service; C:\WINDOWS\system32\DVDRAMSV.exe [2004-08-28 110592]R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-04-09 237568]R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2005-11-28 114753]R2 LVPrcSrv;Process Monitor; c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe [2007-02-06 109344]R2 lxdf_device;lxdf_device; C:\WINDOWS\system32\lxdfcoms.exe [2007-05-29 
598960]R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-07-10 865832]R2 McNASvc;McAfee Network Agent; c:\program files\common files\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-07-08 144704]R2 MSK80Service;McAfee SpamKiller Service; C:\Program Files\McAfee\MSK\MskSrver.exe [2009-07-08 26640]R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2005-11-28 217164]R2 S24EventMonitor;Intel® PROSet/Wireless Service; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2005-11-28 540745]R2 Swupdtmr;Swupdtmr; c:\TOSHIBA\IVP\swupdate\swupdtmr.exe [2005-07-12 40960]R2 Thpsrv;TOSHIBA HDD Protection; C:\WINDOWS\system32\ThpSrv.exe [2005-12-20 176128]R2 wwEngineSvc;Window Washer Engine; C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 598856]R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-07-08 606736]R3 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-07-10 894136]S2 0017481253713625mcinstcleanup;McAfee Application Installer Cleanup (0017481253713625); C:\WINDOWS\TEMP\001748~1.EXE [2009-08-18 316312]S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]S2 LVSrvLauncher;LVSrvLauncher; C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe [2007-02-06 105248]S2 lxdfCATSCustConnectService;lxdfCATSCustConnectService; C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe [2007-05-29 99248]S2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]S2 TODDSrv;TOSHIBA Optical Disc Drive Service; C:\WINDOWS\system32\TODDSrv.exe [2006-05-25 114688]S3 aspnet_state;ASP.NET State Service; 
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-29 182768]S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-03-12 656168]S3 MBackMonitor;MBackMonitor; C:\Program Files\McAfee\MBK\MBackMonitor.exe [2009-01-09 68112]S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-07-08 365072]S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]S4 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\RaMaint.exe [2006-10-06 62200]S4 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\LogMeIn.exe [2006-10-06 1622768]S4 NetTcpPortSharing;Net.Tcp Port 
Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]-----------------EOF-----------------runscanner.zip Link to post Share on other sites More sharing options...
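Added example, not part of the thread and not code from RSIT or ComboFix: a small triage pass over the autostart rows of the listing above, written in Python. It applies the three checks an analyst makes by eye when reading such a log: RSIT printed an empty `[]` instead of a date and size (the image could not be read, either because the entry is stale or because something is hiding the file from the tool); the image is a bare filename with no directory, so it is resolved through the PATH search order at logon and a same-named binary earlier in the path wins; or the image lives in a temporary or user-writable directory. The row formats in the regular expressions are taken from the log as shown above; the reason codes and the SUSPECT_DIRS list are my own heuristics. The sample rows are copied from the log, not constructed, so the McAfee installer-cleanup service in TEMP is flagged as an example of a benign hit that still deserves a look.

```python
import re

# Run-key values as RSIT prints them:  "Name"=path [yyyy-mm-dd size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$')
# Driver/service rows:  R2 name;description; path [yyyy-mm-dd size]
SVC_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<desc>[^;]*);\s*'
    r'(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$'
)

# Directories a properly installed service or autorun rarely executes from.
# A hit is a prompt to look, not a verdict (my heuristic list, not RSIT's).
SUSPECT_DIRS = ("\\windows\\temp\\", "\\recycler\\", "\\local settings\\temp\\")


def parse_entry(line):
    """Return {name, path, meta} for a Run-key or driver/service row, else None."""
    line = line.strip()
    m = RUN_RE.match(line) or SVC_RE.match(line)
    if not m:
        return None
    return {"name": m.group("name").strip(),
            "path": m.group("path").strip(),
            "meta": m.group("meta").strip()}


def image_path(path):
    """Drop the NT object prefix that kernel-driver ImagePath values carry and
    split arguments off a bare command such as 'thpsrv /logon'."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if "\\" not in path:
        path = path.split(" ", 1)[0]
    return path


def reasons_for(entry):
    """The checks an analyst applies by eye when reading the listing."""
    reasons = []
    img = image_path(entry["path"])
    if entry["meta"] == "":
        # RSIT prints [] when it could not stat the file: stale entry, or
        # something is hiding the image from the tool.
        reasons.append("not_found")
    if "\\" not in img:
        # No directory: the loader finds it through the PATH search order at
        # logon, so a same-named binary earlier in the search path wins.
        reasons.append("path_search")
    if any(d in img.lower() for d in SUSPECT_DIRS):
        reasons.append("temp_dir")
    return reasons


def triage(lines):
    """Map entry name -> list of reason codes for entries worth a second look."""
    flagged = {}
    for line in lines:
        entry = parse_entry(line)
        if entry is None:          # section headers, file listings, blank lines
            continue
        reasons = reasons_for(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


# Sample input: rows copied verbatim from the RSIT log above.
SAMPLE_LINES = [
    r'[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]',
    r'"TPSMain"=C:\WINDOWS\system32\TPSMain.exe [2006-04-24 315392]',
    r'"ThpSrv"=thpsrv /logon []',
    r'"NDSTray.exe"=NDSTray.exe []',
    r'"DDWMon"=C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe [2006-04-25 299008]',
    r'R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2009-07-08 214024]',
    r'R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []',
    r'S3 catchme;catchme; \??\C:\Combo-Fix\catchme.sys []',
    r'S2 0017481253713625mcinstcleanup;McAfee Application Installer Cleanup (0017481253713625); C:\WINDOWS\TEMP\001748~1.EXE [2009-08-18 316312]',
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_LINES).items():
        print(f"{name}: {', '.join(why)}")
```

Run it over the whole saved log by reading the file into a list of lines; rows that are not Run-key values or driver/service entries are skipped. The empty-bracket hits are the interesting ones here: catchme.sys and tmcomm.sys belong to the scanning tools in use, but an unexplained driver with no readable image is exactly what the helper is hunting for.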
Dakeyras Posted September 23, 2009 ID:131936

Hi.

Unfortunately the scans have not revealed any pertinent information, and it appears several of my colleagues are dealing with this infection also. What is actually launching tdlwsp.dll is proving to be quite elusive. I'm afraid it is yet again more scans, to see if I can pinpoint exactly what is being used to both launch and re-spawn the malware.

Create a Procexp RP Log:
Double click on procexp.exe to start the application.
Now go to File >> Save as... and save the Procexp text file to the desktop.
Post the contents of this file in your next reply.

USEC Radix RK Scan:
Please download radix_installer.zip to a convenient location and extract it to your Desktop.
Double click on radixgui.exe to start the application.
Then, without making any changes, click the Check button to start the scan.
Once it has completed, click the Save Log... button and save that to your Desktop.
Close the application.
The log saved will be a very large logfile, so zip a copy of it and attach it to your next reply please.
Note: Your installed security applications might warn about Radix requiring internet access; please allow it.
!!! Caution: The Radix scanner has numerous settings and options, including many that can cause quick and permanent corruption to your operating system. Avoid the temptation to try any other options, scans or settings when using it.
voight75 Posted September 23, 2009 Author ID:131964

Dakeyras,

Well, I appreciate your continued help. I also saw that a number of you guys were helping others who appear to have the same problem as me! I suppose the more people working on it, the sooner we will crack it, right?

One side question: my desktop is becoming rather cluttered, can I remove some of the stuff I have downloaded? (At this point, everything you have asked me to download is still on my desktop.) I was planning on keeping MBAM, RSIT, GMER, HiJack This and Erunt for now, but can I get rid of the other stuff for now?

Here is the ProceXP log:

Process PID CPU Description Company Name
System Idle Process 0 93.48
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 600 Windows NT Session Manager Microsoft Corporation
csrss.exe 652 Client Server Runtime Process Microsoft Corporation
winlogon.exe 684 Windows NT Logon Application Microsoft Corporation
services.exe 732 2.17 Services and Controller app Microsoft Corporation
svchost.exe 924 Generic Host Process for Win32 Services Microsoft Corporation
LVComSX.exe 2452 LVCom Server Logitech Inc.
Dot1XCfg.exe 2444 Intel 802.1x Server Intel Corporation
COCIManager.exe 4156 Camera Control Interface Logitech Inc.
mcupdmgr.exe 2732 McAfee Update Manager Service McAfee, Inc.
wmiprvse.exe 4352 WMI Microsoft Corporation
mcupdui.exe 2648 McAfee McUpdUI EXE McAfee, Inc.
svchost.exe 1012 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1128 Generic Host Process for Win32 Services Microsoft Corporation
EvtEng.exe 1188 Intel® PROSet/Wireless Event Log Intel Corporation
S24EvMon.exe 1380 Wireless Management Service Intel Corporation
svchost.exe 1528 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1604 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1796 Spooler SubSystem App Microsoft Corporation
LVPrcSrv.exe 1896 Logitech LVPrcSrv Module. Logitech Inc.
svchost.exe 1960 Generic Host Process for Win32 Services Microsoft Corporation
AppleMobileDeviceService.exe 136 Apple Mobile Device Service Apple Inc.
mDNSResponder.exe 272 Bonjour Service Apple Inc.
CFSvcs.exe 424 Service of ConfigFree. TOSHIBA CORPORATION
DVDRAMSV.exe 1036 DVD-RAM Utility Helper Service Matsushita Electric Industrial Co., Ltd.
ehrecvr.exe 1544 Media Center Receiver Service Microsoft Corporation
ehSched.exe 1712 Media Center Scheduler Service Microsoft Corporation
lxdfcoms.exe 628 Printer Communication System
McSACore.exe 1312 SiteAdvisor McAfee, Inc.
mcmscsvc.exe 1500 McAfee Services McAfee, Inc.
McNASvc.exe 2096 McAfee Network Agent McAfee, Inc.
RegSrvc.exe 2980 Intel® PROSet/Wireless Registry Service Intel Corporation
svchost.exe 3480 Generic Host Process for Win32 Services Microsoft Corporation
swupdtmr.exe 3832
ThpSrv.exe 4064 TOSHIBA HDD Protection Service TOSHIBA Corporation
WasherSvc.exe 592 Window Washer Engine Webroot Software, Inc.
dllhost.exe 3204 COM Surrogate Microsoft Corporation
svchost.exe 3596 Generic Host Process for Win32 Services Microsoft Corporation
alg.exe 1868 Application Layer Gateway Service Microsoft Corporation
MpfSrv.exe 3376 McAfee Personal Firewall Service McAfee, Inc.
Mcshield.exe 5276 On-Access Scanner service McAfee, Inc.
mcsysmon.exe 1152 McAfee SystemGuards Service McAfee, Inc.
McProxy.exe 4324 McAfee Proxy Service Module McAfee, Inc.
msksrver.exe 4628 McAfee Anti-Spam Server McAfee, Inc.
RapportMgmtService.exe 2552 RapportMgmtService Trusteer Ltd.
lsass.exe 744 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 404 0.72 Windows Explorer Microsoft Corporation
smax4pnp.exe 2500 SMax4PNP Analog Devices, Inc.
ltmoh.exe 2508 LtMoh MFC Application Agere Systems
agrsmmsg.exe 2540 SoftModem Messaging Applet Agere Systems
Apoint.exe 2560 Alps Pointing-device Driver Alps Electric Co., Ltd.
ThpSrv.exe 2620 TOSHIBA HDD Protection Service TOSHIBA Corporation
TPSODDCtl.exe 2728 TOSHIBA Corporation
PadExe.exe 2760 PadTouch Main TOSHIBA
TvsTray.exe 2964 TOSHIBA Virtual Sound Taskbar Module TOSHIBA Corporation
NDSTray.exe 3032 ConfigFree Tray TOSHIBA CORPORATION
TFncKy.exe 3064 TFncKy TOSHIBA Corporation
TosHKCW.exe 3088 Wireless Hotkey TOSHIBA CORPORATION
TouchED.exe 3128 TouchPad On/Off Utility TOSHIBA Corporation
DDWMon.exe 3156 TOSHIBA Direct Disc Writer - Event Monitor TOSHIBA Corporation
hkcmd.exe 3224 hkcmd Module Intel Corporation
igfxpers.exe 3296 persistence Module Intel Corporation
ZCfgSvc.exe 3328 ZeroCfgSvc MFC Application Intel Corporation
iFrmewrk.exe 3340 Intel Framework MFC Application Intel Corporation
LogMeInSystray.exe 3360 LogMeIn Desktop Application LogMeIn, Inc.
mcagent.exe 3368 McAfee Integrated Security Platform McAfee, Inc.
lxdfmon.exe 3388 Printer Device Monitor
lxdfamon.exe 3456 Printer Card Transfer Monitor
Communications_Helper.exe 3508 Communications Manager Logitech Inc.
QuickCam10.exe 3532 Camera Software Logitech Inc.
GrooveMonitor.exe 3576 GrooveMonitor Utility Microsoft Corporation
QTTask.exe 3740 QuickTime Task Apple Inc.
GoogleToolbarNotifier.exe 3820 GoogleToolbarNotifier Google Inc.
ctfmon.exe 3976 CTF Loader Microsoft Corporation
00THotkey.exe 144 THotkey TOSHIBA Corporation
LogitechDesktopMessenger.exe 956 Logitech Desktop Messenger Logitech Inc.
RAMASST.exe 1672 CD Burning of Windows XP disabling tool for DVD MULTI Drive Matsushita Electric Industrial Co., Ltd.
iexplore.exe 5604 Internet Explorer Microsoft Corporation
iexplore.exe 4320 Internet Explorer Microsoft Corporation
iexplore.exe 5164 1.47 Internet Explorer Microsoft Corporation
procexp.exe 5660 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
psqltray.exe 3108 Protector Suite QL Tray Application Launcher UPEK Inc.
TPSBattM.exe 3352 TOSHIBA Corporation
ApntEx.exe 3696 Alps Pointing-device Driver for Windows NT/2000/XP Alps Electric Co., Ltd.
RapportService.exe 5824 RapportService Trusteer Ltd.
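Added example, not part of voight75's post and not Sysinternals code: the reason the helper asked for the saved Process Explorer text rather than a screenshot is the parent/child tree, and that is exactly what is lost when the file is pasted into a forum post (the listing above has no indentation left). The Python below rebuilds the tree from a saved listing and applies two checks that matter for a browser-hijacking infection: browser instances whose parent is neither the shell nor another browser instance (a hidden iexplore.exe under a service host is the classic sign of injected code using the browser to reach the network), and real processes with no company name. The layout it assumes, one tab-separated row per process in the column order shown in the log with the Process column indented two spaces per tree level, is an assumption about Process Explorer's Save As format, not something the page confirms. The sample is constructed: its names and PIDs are taken from the log above, but the nesting is illustrative, and the iexplore.exe placed under svchost.exe is there to exercise the check.

```python
# Pseudo-processes Process Explorer lists that never carry a company name.
KERNEL_PSEUDO = {"system idle process", "interrupts", "dpcs", "system"}


def parse_procexp(text, indent=2):
    """Parse a Process Explorer 'Save As' listing into rows with parentage.

    Assumed layout (an assumption, not taken from the page): tab-separated
    columns Process, PID, CPU, Description, Company Name, with the Process
    column indented `indent` spaces per tree level.
    """
    rows, stack = [], []            # stack: (depth, image name) of open ancestors
    for line in text.splitlines():
        if not line.strip() or line.startswith("Process\t"):
            continue                # blank line or column header
        cols = line.split("\t")
        proc = cols[0]
        depth = (len(proc) - len(proc.lstrip(" "))) // indent
        while stack and stack[-1][0] >= depth:
            stack.pop()             # close siblings and deeper subtrees
        row = {
            "name": proc.strip(),
            "pid": cols[1].strip() if len(cols) > 1 else "",
            "company": cols[4].strip() if len(cols) > 4 else "",
            "parent": stack[-1][1] if stack else None,
        }
        rows.append(row)
        stack.append((depth, row["name"]))
    return rows


def orphan_browsers(rows, browser="iexplore.exe",
                    allowed_parents=("explorer.exe", "iexplore.exe")):
    """(pid, parent) of browser instances not started by the shell or by
    another browser instance."""
    return [(r["pid"], r["parent"]) for r in rows
            if r["name"].lower() == browser
            and (r["parent"] or "").lower() not in allowed_parents]


def no_company(rows):
    """Real processes whose image carries no company/version information."""
    return [r["name"] for r in rows
            if r["company"] == "" and r["name"].lower() not in KERNEL_PSEUDO]


# Constructed sample: names and PIDs from the log above, nesting illustrative.
SAMPLE = "\n".join([
    "Process\tPID\tCPU\tDescription\tCompany Name",
    "System Idle Process\t0\t93.48\t\t",
    "  Interrupts\tn/a\t\tHardware Interrupts\t",
    "System\t4\t\t\t",
    "  smss.exe\t600\t\tWindows NT Session Manager\tMicrosoft Corporation",
    "    csrss.exe\t652\t\tClient Server Runtime Process\tMicrosoft Corporation",
    "    winlogon.exe\t684\t\tWindows NT Logon Application\tMicrosoft Corporation",
    "      services.exe\t732\t2.17\tServices and Controller app\tMicrosoft Corporation",
    "        svchost.exe\t924\t\tGeneric Host Process for Win32 Services\tMicrosoft Corporation",
    "          iexplore.exe\t4320\t\tInternet Explorer\tMicrosoft Corporation",
    "        swupdtmr.exe\t3832\t\t\t",
    "explorer.exe\t404\t0.72\tWindows Explorer\tMicrosoft Corporation",
    "  iexplore.exe\t5604\t\tInternet Explorer\tMicrosoft Corporation",
    "    iexplore.exe\t5164\t1.47\tInternet Explorer\tMicrosoft Corporation",
    "  procexp.exe\t5660\t\tSysinternals Process Explorer\tSysinternals - www.sysinternals.com",
])

if __name__ == "__main__":
    rows = parse_procexp(SAMPLE)
    for r in rows:
        print(f"{r['name']:<22} pid={r['pid']:<5} parent={r['parent']}")
    print("browser instances with unexpected parent:", orphan_browsers(rows))
    print("processes without company name:", no_company(rows))
```

When posting a Process Explorer listing to a forum, keeping it as an attachment rather than pasting it preserves the tabs and indentation this depends on. The company-name check is only a prompt to look: swupdtmr.exe is a Toshiba updater with no version resource, and the log above shows several other vendor utilities in the same state.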
voight75 Posted September 23, 2009 Author ID:131968

The Radix log is too large to post; even as a zip file, it will not allow me to attach it. What should I do?
Dakeyras Posted September 23, 2009 ID:131983

Hi.

> Well, I appreciate your continued help. I also saw that a number of you guys were helping others who appear to have the same problem as me! I suppose the more people working on it, the sooner we will crack it, right?

You're welcome! That is the theory one hopes for, plus I will be sharing my research with my colleagues as soon as I have something definite, and vice versa, as this is how we collaborate in the fight against malware.

> One side question: my desktop is becoming rather cluttered, can I remove some of the stuff I have downloaded? (At this point, everything you have asked me to download is still on my desktop.) I was planning on keeping MBAM, RSIT, GMER, HiJack This and Erunt for now, but can I get rid of the other stuff for now?

I would prefer you leave everything in place, as some applications will require a specific removal process. By all means delete any logs on the desktop you have already posted. One workaround I can suggest is to create a new folder on the desktop called, say, My Log Tools. Move everything into this folder and, as/if I request them, move them temporarily back to the desktop, then back again when finished scanning etc. When finished with all, move everything back to the desktop prior to my complete removal instructions for all, thank you.

> The Radix log is too large to post; even as a zip file, it will not allow me to attach it. What should I do?

OK, I ran a scan with this on my test box and it is indeed rather large (my own is around the 160 KB mark in size). Try splitting it into two logs (or three) if need be and post/attach each individually. Not ideal, I admit, and in the meantime I will see if there is another viable method for me to be able to research the Radix log created.
voight75 Posted September 23, 2009 Author ID:131992

Dakeyras,

I have tried to split it up, even into 5 different pieces, and it is still too large to post. There appears to be some sort of attachment size limit for each thread, and it looks like we have used 321.18k of 500k, or am I misunderstanding that? Either way, I cannot think of a way to post these logs. Do you have an FTP site or something similar? Or could I e-mail you maybe?
Dakeyras Posted September 23, 2009 ID:131995

Try and upload it to my submission channel here please; if no success, we will try something else.
voight75 Posted September 23, 2009 Author ID:131997

Ok, I am submitting it to your channel in parts. First part just sent.
voight75 Posted September 23, 2009 Author ID:132001

Ok, it worked, I hope. I submitted it to your channel in 4 parts, all sent successfully.
Dakeyras Posted September 23, 2009 ID:132011

Nicely done, got all the uploads, thanks! Rather a lot for myself to research, and at a quick glance at it all, something does grab my attention. So please be patient until I have thoroughly researched all of it.

In the meantime I would like your good self to carry out the following please:

New Java Installation:
Click here to visit Java's website.
Scroll down to Java SE Runtime Environment (JRE) 6 Update 16. Click on Download.
Select Windows from the drop-down list for Platform.
Select Multi-language from the drop-down list for Language.
Check (tick) the I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
Click on the jre-6u16-windows-i586-p.exe link to download it and save this to a convenient location.
Double click on jre-6u16-windows-i586-p.exe to install Java.

Run Kaspersky Online AV Scanner:
Go to this Kaspersky website and perform an online antivirus scan.
Note: Use Internet Explorer for this scan.
Read through the requirements and privacy statement and click on the Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
This online tutorial will help explain how to use the aforementioned online scan.

When you have completed the above, please post back the following:
How is your computer performing now? Any problems encountered and/or any further symptoms?
Kaspersky report.
voight75 Posted September 24, 2009 Author ID:132149

Dakeyras,

Ok, I downloaded the Java updates and did the Kaspersky scan (all 3 hours of it!) No other new problems etc. to report.

Here is the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, September 23, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, September 24, 2009 00:17:03
Records in database: 2876926
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 96455
Threats found: 2
Infected objects found: 8
Suspicious objects found: 0
Scan duration: 03:17:43

File name / Threat / Threats count
winlogon.exe\LMIinit.dll/winlogon.exe\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
C:\WINDOWS\system32\LMIinit.dll/C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
globalroot\Device\Ide\IdePort1\rxvnntsi\rxvnntsi\tdlwsp.dll/globalroot\Device\Ide\IdePort1\rxvnntsi\rxvnntsi\tdlwsp.dll Infected: Packed.Win32.TDSS.z 4
C:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1

Selected area has been scanned.
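The report above mixes two very different kinds of verdict: four "not-a-virus:" entries for the LogMeIn remote-administration components, and one Packed.Win32.TDSS.z hit on a file that only has a globalroot\Device\ path rather than a drive letter. The following is an added triage example written for this page (not code from the post, from Kaspersky, or from any tool named in the thread) that parses this report format into structured findings, separates riskware from the entries that matter, and cross-checks the per-object counts against the "Threats found" and "Infected objects found" statistics. It assumes the line layout "<object> Infected: <verdict> <count>" with "container/member" objects as seen in the post; the sample report is constructed from the entries quoted above, one per line as the scanner writes them. The classification rules (not-a-virus = riskware to confirm with the user; a globalroot\Device\ path = hidden component to prioritise) are the author's own assumptions, not Kaspersky's.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the statistics and object lines quoted from the
# Kaspersky Online Scanner 7.0 report in the post above, one per line.
SAMPLE_REPORT = r"""
KASPERSKY ONLINE SCANNER 7.0: scan report
Objects scanned: 96455
Threats found: 2
Infected objects found: 8
Suspicious objects found: 0
File name / Threat / Threats count
winlogon.exe\LMIinit.dll/winlogon.exe\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
C:\WINDOWS\system32\LMIinit.dll/C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
globalroot\Device\Ide\IdePort1\rxvnntsi\rxvnntsi\tdlwsp.dll/globalroot\Device\Ide\IdePort1\rxvnntsi\rxvnntsi\tdlwsp.dll Infected: Packed.Win32.TDSS.z 4
C:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
Selected area has been scanned.
"""

# Assumed line formats (derived from the posted report, not a Kaspersky spec):
#   "<object> Infected: <verdict> <count>"  where <object> may be "container/member"
#   "<statistic name>: <integer>"
OBJECT_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
STAT_RE = re.compile(
    r"^(?P<name>Objects scanned|Threats found|Infected objects found|"
    r"Suspicious objects found): (?P<value>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    container: str  # outer object (e.g. a process module); same as path for plain files
    path: str       # innermost object the verdict applies to
    threat: str     # scanner verdict name
    count: int      # "Threats count" column


def parse_report(text):
    """Return (statistics dict, list of Finding) for one report body."""
    stats, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = STAT_RE.match(line)
        if m:
            stats[m.group("name")] = int(m.group("value"))
            continue
        m = OBJECT_RE.match(line)
        if m:
            container, _, member = m.group("obj").partition("/")
            findings.append(Finding(container, member or container,
                                    m.group("threat"), int(m.group("count"))))
    return stats, findings


def classify(finding):
    """Triage class for one finding (author's assumption, see lead-in)."""
    # "not-a-virus:" is the scanner's prefix for legitimate-but-risky software
    # (remote admin tools, adware...). Confirm with the user before removing.
    if finding.threat.startswith("not-a-virus:"):
        return "riskware"
    # A globalroot\Device\ path is a raw device-namespace path with no drive
    # letter; in this thread that is where the TDSS component lives, and the
    # earlier ComboFix script had to target it by exactly that path.
    if finding.path.lower().startswith("globalroot\\device\\"):
        return "hidden-rootkit-component"
    return "malware"


def triage(text):
    """Summarise a report: class counts, priority paths, riskware paths, and
    whether the per-object counts agree with the scanner's own statistics."""
    stats, findings = parse_report(text)
    by_class = Counter(classify(f) for f in findings)
    distinct_threats = {f.threat for f in findings}
    consistent = (
        stats.get("Threats found") == len(distinct_threats)
        and stats.get("Infected objects found") == sum(f.count for f in findings)
    )
    priority = sorted({f.path for f in findings if classify(f) != "riskware"})
    riskware = sorted({f.path for f in findings if classify(f) == "riskware"})
    return {"stats_consistent": consistent, "by_class": dict(by_class),
            "priority": priority, "riskware": riskware}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("statistics consistent:", result["stats_consistent"])
    print("by class:", result["by_class"])
    print("prioritise:", *result["priority"], sep="\n  ")
    print("confirm with user:", *result["riskware"], sep="\n  ")
```

On the posted report the consistency check passes (two distinct verdicts, counts summing to eight), the only priority item is the tdlwsp.dll device path, and the LogMeIn entries collapse to three distinct paths because LMIinit.dll is listed twice. The same parser can be pointed at any later report the user posts to see whether the device-path entry has gone.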
Dakeyras Posted September 24, 2009 ID:132319

Hi.

> Ok, I downloaded the Java updates and did the Kaspersky scan (all 3 hours of it!)

Aye, sometimes it can be a lengthy scan indeed.

A question please: have you got a genuine Windows XP installation CD-ROM?

Please remove/uninstall both LogMeIn & Protector Suite QL. They are not malicious, but I suspect they will hinder the overall malware removal process and may be inadvertently used as a vector for the malware to launch. By all means reinstall both applications when we are finished.

Run a File Search:
Press Start->Run, copy/paste the following command into the box and press OK:

cmd /c dir C:\*.* /L /A /B /S|Find "jvtmz.sys" >> "%userprofile%\desktop\look.txt"

A blank command window will open on your desktop, then close in a minute or two. This is normal. A file called look.txt should appear on your Desktop. Please post the contents of this file.
voight75 Posted September 24, 2009 Author ID:132516

Dakeyras,

Ok, I have uninstalled the two programs you mentioned. I have a 2 disc set I got with my laptop (laptop is about 3 years old); the set is Toshiba Recovery and Applications/Drivers. Would Windows XP be included on that (XP was installed when I bought the laptop)?

The look.txt file was blank, nothing to post.
Dakeyras Posted September 25, 2009 ID:132911

Hi. I apologise for the delay; I had some personal matters to attend to for most of yesterday/all evening.

> I have a 2 disc set I got with my laptop (laptop is about 3 years old); the set is Toshiba Recovery and Applications/Drivers.

Ah, I see. I was going to ask you to install the Recovery Console as a precaution, but I do not think we can with the type of CDs mentioned. I will have a think about this; in the meantime please carry out the below, thank you.

Scan with TDSSKiller:
Please download TDSSKiller.zip and extract it to the Desktop.
From within the newly created tdsskiller folder, move TDSSKiller.exe to the desktop and delete the tdsskiller folder.
Click on Start >> Run... >> copy in the following text, and press Enter:

"%userprofile%\desktop\TDSSKiller.exe" -l report.txt -v

There will be a log on your desktop with the name report.
Copy and paste the contents of this log into your next reply.

MBR Rootkit Detector:
Please download The MBR Rootkit Detector by GMER.
Be sure to download it to the root of your drive, e.g. C:\MBR.exe
Once the download has finished, click Start >> Run... >> copy in the following text, and press Enter:

\mbr

A log will be generated called MBR.txt. Post it in your next reply.