Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Duplicate processes, strange port actions. Please help.


  • Please log in to reply
12 replies to this topic

#1 abarbs07

abarbs07

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:21 PM

Posted 22 February 2011 - 08:59 PM

Hello,

I removed several viruses and various malware from my computer using an online walkthrough. I no longer recieve reports of infection, but McAffee frequently blocks port actions stating that it is trying to prevent mass-mailing worms from sending out information. I found that this ceases when I access the task manager and stop the process "policyservice.exe" from running. I tried this because there are two instances where policyservice appears, one of which will regenerate if I do not stop both. I appreciate your help in advance and apologize for the lack of knowledge of what I am dealing with!

-Adam B.

Attached Files



BC AdBot (Login to Remove)

 


#2 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:12:21 PM

Posted 26 February 2011 - 08:46 AM

hi,

your post is a few days old. If you still need help simply reply back.

How Can I Reduce My Risk to Malware?


#3 abarbs07

abarbs07
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:21 PM

Posted 26 February 2011 - 10:14 AM

yep. still need help. thanks!

#4 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:12:21 PM

Posted 26 February 2011 - 12:34 PM

Post a DDS log as a starting point:

Please download DDS and save it to your desktop.

Double click dds.scr to run the tool. When done, DDS.txt will open.

Save both reports to your desktop.

Please Copy/paste both logs in your reply.

How Can I Reduce My Risk to Malware?


#5 abarbs07

abarbs07
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:21 PM

Posted 26 February 2011 - 08:55 PM

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 12/25/2010 4:46:08 AM
System Uptime: 2/26/2011 8:04:07 PM (0 hours ago)

Motherboard: TOSHIBA | | NWQAA
Processor: Intel® Core™ i3 CPU M 370 @ 2.40GHz | CPU | 2399/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 453 GiB total, 408.003 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP66: 2/17/2011 3:00:11 AM - Windows Update
RP67: 2/18/2011 6:44:30 AM - Windows Update
RP68: 2/22/2011 9:10:34 AM - Windows Update
RP69: 2/24/2011 5:58:25 AM - Windows Update
RP70: 2/25/2011 6:22:54 AM - Windows Update

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 2 (SP2)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.2
Apple Application Support
Apple Software Update
Creative Audio Control Panel
Creative Software AutoUpdate
Creative Sound Blaster Properties x64 Edition
DJ_SF_03_D1500_Software_Min
FrostWire 4.21.3
Google Chrome
Intel® Graphics Media Accelerator Driver
Intel® Management Engine Components
Intel® Rapid Storage Technology
Internet TV for Windows Media Center
Java Auto Updater
Java™ 6 Update 20
JMicron Flash Media Controller Driver
Label@Once 1.0
MATLAB R2007b
McAfee Agent
McAfee VirusScan Enterprise
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MotoHelper 2.0.24 Driver 4.7.1
MotoHelper MergeModules
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Mulberry
myRemote
Netflix in Windows Media Center
QuickTime
RarZilla Free Unrar
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek Ethernet Controller Driver For Windows 7
Realtek High Definition Audio Driver
RealUpgrade 1.1
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Toolbox
TOSHIBA Application Installer
TOSHIBA Assist
Toshiba Book Place
TOSHIBA Bulletin Board
TOSHIBA DVD PLAYER
TOSHIBA eco Utility
TOSHIBA Face Recognition
TOSHIBA Flash Cards Support Utility
TOSHIBA Hardware Setup
TOSHIBA HDD/SSD Alert
TOSHIBA Media Controller
TOSHIBA Media Controller Plug-in
TOSHIBA Quality Application
TOSHIBA ReelTime
TOSHIBA Service Station
TOSHIBA Sleep Utility
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
ToshibaRegistration
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2492475)
Utility Common Driver
Verizon V CAST Media Manager
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Volume Panel

==== Event Viewer Messages From Past Week ========

2/22/2011 9:14:00 PM, Error: cdrom [11] - The driver detected a controller error on \Device\CdRom3.

==== End Of File ===========================

DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Adam at 20:42:06.90 on Sat 02/26/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3891.2495 [GMT -5:00]

AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe
C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\windows\system32\mfevtps.exe
C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe
C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\ThpSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mfeann.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\ThpSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\TECO\Teco.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TOSHIBA\FlashCards\Hotkey\TcrdKBB.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\igfxext.exe
C:\windows\system32\igfxsrvc.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe
C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe
C:\ProgramData\policyservice.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\ProgramData\policyservice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\windows\servicing\TrustedInstaller.exe
C:\Users\Adam\Desktop\dds.scr
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sirius.com/
uDefault_Page_URL = hxxp://www.google.com/ig?brand=TSND&bmod=TSND
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
uInternet Settings,ProxyOverride = <local>;*.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: {34C85D32-4C9C-92B2-6C5B-48C43818F264} - No File
BHO: {3BEE68FD-A026-6673-B7F2-AB74AB01FC46} - No File
BHO: {3FE445D8-36B4-D4C3-A78B-76DA73CEFAB1} - No File
BHO: {444B85AE-02E8-5998-FA1A-A186DE72CDA5} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\McAfee\VirusScan Enterprise\scriptsn.dll
BHO: {86B3F09A-B265-C73A-64AD-A5B35AE4FA0A} - No File
BHO: {B9CF44EE-BBCF-8D59-3812-E380EF8214AB} - No File
BHO: {BE9DCC48-D089-D174-D0C3-880FE45A8703} - No File
BHO: {D1B0DF8C-D2DF-B853-3714-E5676E635929} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: {DDBD5893-B143-3DB3-9F69-67CB362303DA} - No File
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
BHO: {FA37AFDA-6C4D-FBFB-A2A5-E7AD6AF44010} - No File
BHO: {FB6E1630-7988-8B4D-9173-5CA0C99CAB9B} - No File
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Google Update] "C:\Users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
mRun: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
mRun: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
mRun: [VolPanel] "C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe" /r
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [c25c4e8a] C:\ProgramData\policyservice.exe -AutoStart
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scriptsn.dll
BHO-X64: scriptproxy - No File
mRun-x64: [(Default)]
mRun-x64: [IgfxTray] C:\windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] C:\windows\system32\hkcmd.exe
mRun-x64: [Persistence] C:\windows\system32\igfxpers.exe
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
mRun-x64: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3
mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun-x64: [ThpSrv] C:\windows\system32\thpsrv /logon
mRun-x64: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun-x64: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun-x64: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun-x64: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun-x64: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
mRun-x64: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
mRun-x64: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
mRun-x64: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun-x64: [IntelWirelessWiMAX] "C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe" /tasktray /nosplash
mRun-x64: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
mRun-x64: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
mRun-x64: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe
mRun-x64: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
mRun-x64: [Creative SB Monitoring Utility] RunDll32 sbavmon.dll,SBAVMonitor

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2010-12-31 470808]
R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\Windows\System32\drivers\thpdrv.sys [2009-6-29 34880]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\Windows\System32\drivers\Thpevm.sys [2009-6-29 14784]
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\Windows\System32\drivers\tos_sps64.sys [2010-10-13 482384]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]
R2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe [2010-6-7 408576]
R2 McAfeeEngineService;McAfee Engine Service;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe [2010-8-25 20792]
R2 McAfeeFramework;McAfee Framework Service;C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [2009-8-25 103744]
R2 McShield;McAfee McShield;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe [2010-8-25 181480]
R2 McTaskManager;McAfee Task Manager;C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe [2010-8-25 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2010-12-31 77968]
R2 MotoHelper;MotoHelper Service;C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2010-9-7 202048]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2010-7-28 267192]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\Windows\System32\drivers\TVALZFL.sys [2009-6-19 14472]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-10-13 2320920]
R2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe [2010-6-7 911872]
R3 bpenum;bpenum;C:\Windows\System32\drivers\bpenum.sys [2010-5-16 71168]
R3 bpmp;Intel® Centrino® WiMAX 6050 Series;C:\Windows\System32\drivers\bpmp.sys [2010-5-16 175104]
R3 bpusb;bpusb;C:\Windows\System32\drivers\bpusb.sys [2010-5-16 81920]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-10-13 56344]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2010-2-26 158976]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2010-2-3 271872]
R3 ksaud;Creative USB Audio Driver;C:\Windows\System32\drivers\ksaud.sys [2011-1-1 1148288]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2010-12-31 120224]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2010-5-31 7689216]
R3 PGEffect;Pangu effect driver;C:\Windows\System32\drivers\PGEffect.sys [2010-10-13 35008]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-10-13 331880]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]
R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2010-7-22 822192]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]
R3 wdkmd;Intel WiDi KMD;C:\Windows\System32\drivers\WDKMD.sys [2010-6-18 39832]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 acpials;ALS Sensor Filter;C:\Windows\System32\drivers\acpials.sys [2009-7-14 9728]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-1-1 79360]
S3 JMCR;JMCR;C:\Windows\System32\drivers\jmcr.sys [2010-5-18 164464]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2010-12-31 78768]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-3-5 340240]
S3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-10-13 51512]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-9-28 51712]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-12-27 1255736]

=============== Created Last 30 ================

2011-02-25 11:23:17 7947600 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{CFA445EA-E432-42DB-A2D4-E8236F4AADFE}\mpengine.dll
2011-02-24 10:58:58 367104 ----a-w- C:\windows\System32\wcncsvc.dll
2011-02-24 10:58:58 276992 ----a-w- C:\windows\SysWow64\wcncsvc.dll
2011-02-23 14:34:05 442880 ----a-w- C:\windows\SysWow64\XpsPrint.dll
2011-02-23 14:34:04 662528 ----a-w- C:\windows\System32\XpsPrint.dll
2011-02-23 14:34:04 475648 ----a-w- C:\windows\System32\XpsGdiConverter.dll
2011-02-23 14:34:02 288256 ----a-w- C:\windows\SysWow64\XpsGdiConverter.dll
2011-02-19 03:53:30 737072 ----a-w- C:\PROGRA~3\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-5\Microsoft.MediaCenter.Sports.UI.dll
2011-02-13 17:21:21 -------- d-----w- C:\Program Files\iTunes
2011-02-13 17:21:21 -------- d-----w- C:\Program Files\iPod
2011-02-13 17:21:21 -------- d-----w- C:\Program Files (x86)\iTunes
2011-02-10 13:01:26 -------- d-----w- C:\Program Files (x86)\MSXML 4.0
2011-02-10 07:07:28 714752 ----a-w- C:\windows\System32\kerberos.dll
2011-02-10 07:06:59 3957120 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2011-02-10 07:06:59 3901824 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2011-02-10 07:06:58 366080 ----a-w- C:\windows\System32\atmfd.dll
2011-02-10 07:06:57 46080 ----a-w- C:\windows\System32\atmlib.dll
2011-02-10 07:06:57 34304 ----a-w- C:\windows\SysWow64\atmlib.dll
2011-02-10 07:06:57 294400 ----a-w- C:\windows\SysWow64\atmfd.dll
2011-02-08 18:13:59 -------- d-----w- C:\Program Files (x86)\Common Files\MSSoap
2011-01-31 20:22:29 -------- d-----w- C:\Users\Adam\AppData\Roaming\MathWorks
2011-01-31 20:21:32 203976 ----a-w- C:\windows\SysWow64\RICHTX32.OCX
2011-01-31 20:12:46 407104 ----a-w- C:\windows\SysWow64\MSHFLXGD.OCX
2011-01-31 20:12:45 647872 ----a-w- C:\windows\SysWow64\mscomct2.ocx
2011-01-31 13:11:32 737072 ----a-w- C:\PROGRA~3\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-3\Microsoft.MediaCenter.Sports.UI.dll
2011-01-31 00:02:54 -------- d-----w- C:\Users\Adam\AppData\Roaming\FrostWire
2011-01-31 00:02:20 -------- d-----w- C:\Program Files (x86)\FrostWire
2011-01-30 19:57:00 103864 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll

==================== Find3M ====================

2011-02-02 22:11:20 270720 ------w- C:\windows\System32\MpSigStub.exe
2011-01-26 06:52:25 982912 ----a-w- C:\windows\System32\drivers\dxgkrnl.sys
2011-01-26 06:52:25 265088 ----a-w- C:\windows\System32\drivers\dxgmms1.sys
2011-01-26 06:28:16 144384 ----a-w- C:\windows\System32\cdd.dll
2011-01-18 05:02:47 102400 ----a-w- C:\windows\SysWow64\temp.004
2011-01-18 05:02:46 539648 ----a-w- C:\windows\SysWow64\temp.003
2011-01-18 05:02:45 134144 ----a-w- C:\windows\SysWow64\temp.002
2011-01-18 05:02:42 143872 ----a-w- C:\windows\SysWow64\temp.001
2011-01-18 05:02:24 10752 ----a-w- C:\windows\SysWow64\temp.000
2011-01-18 05:02:16 73216 ----a-w- C:\windows\ST6UNST.EXE
2011-01-18 05:02:16 249856 ------w- C:\windows\Setup1.exe
2011-01-15 16:57:53 3569152 --sh--w- C:\PROGRA~3\policyservice.exe
2011-01-14 04:00:20 49752 ----a-w- C:\windows\System32\drivers\SBREDrv.sys
2011-01-14 01:33:48 203776 --sh--w- C:\PROGRA~3\unrar.exe
2011-01-05 06:20:30 612352 ----a-w- C:\windows\System32\vbscript.dll
2011-01-05 05:37:33 428032 ----a-w- C:\windows\SysWow64\vbscript.dll
2011-01-05 04:00:16 3127808 ----a-w- C:\windows\System32\win32k.sys
2010-12-21 06:16:27 97280 ----a-w- C:\windows\System32\wscsvc.dll
2010-12-21 06:16:27 62976 ----a-w- C:\windows\System32\wscapi.dll
2010-12-21 06:16:16 214016 ----a-w- C:\windows\System32\winsrv.dll
2010-12-21 06:16:14 442880 ----a-w- C:\windows\System32\winhttp.dll
2010-12-21 06:16:14 1197056 ----a-w- C:\windows\System32\wininet.dll
2010-12-21 06:16:09 258048 ----a-w- C:\windows\System32\WebClnt.dll
2010-12-21 06:15:55 264192 ----a-w- C:\windows\System32\upnp.dll
2010-12-21 06:15:31 15360 ----a-w- C:\windows\System32\slwga.dll
2010-12-21 06:13:03 2003968 ----a-w- C:\windows\System32\msxml6.dll
2010-12-21 06:13:03 1880576 ----a-w- C:\windows\System32\msxml3.dll
2010-12-21 06:10:22 100864 ----a-w- C:\windows\System32\davclnt.dll
2010-12-21 05:38:24 51200 ----a-w- C:\windows\SysWow64\wscapi.dll
2010-12-21 05:38:22 981504 ----a-w- C:\windows\SysWow64\wininet.dll
2010-12-21 05:38:22 350720 ----a-w- C:\windows\SysWow64\winhttp.dll
2010-12-21 05:38:21 204800 ----a-w- C:\windows\SysWow64\WebClnt.dll
2010-12-21 05:38:19 204288 ----a-w- C:\windows\SysWow64\upnp.dll
2010-12-21 05:38:16 14336 ----a-w- C:\windows\SysWow64\slwga.dll
2010-12-21 05:36:17 1389568 ----a-w- C:\windows\SysWow64\msxml6.dll
2010-12-21 05:36:16 1236992 ----a-w- C:\windows\SysWow64\msxml3.dll
2010-12-21 05:34:12 80384 ----a-w- C:\windows\SysWow64\davclnt.dll
2010-12-20 23:08:40 24152 ----a-w- C:\windows\System32\drivers\mbam.sys
2010-12-18 06:11:41 57856 ----a-w- C:\windows\System32\licmgr10.dll
2010-12-18 05:29:40 44544 ----a-w- C:\windows\SysWow64\licmgr10.dll
2010-12-18 05:29:31 541184 ----a-w- C:\windows\SysWow64\kerberos.dll
2010-12-18 04:55:03 482816 ----a-w- C:\windows\System32\html.iec
2010-12-18 04:20:55 386048 ----a-w- C:\windows\SysWow64\html.iec
2010-12-18 04:13:40 1638912 ----a-w- C:\windows\System32\mshtml.tlb
2010-12-18 03:47:59 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb
2010-11-29 22:38:30 94208 ----a-w- C:\windows\SysWow64\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- C:\windows\SysWow64\QuickTime.qts

============= FINISH: 20:43:04.45 ===============

thanks in advance, i apologize for any errors in my reply!

#6 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:12:21 PM

Posted 27 February 2011 - 07:57 AM

You can get a download that you can keep and use. Lets see if it digs up anything:

Please download the free version of Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*


When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post the log in your reply.

How Can I Reduce My Risk to Malware?


#7 abarbs07

abarbs07
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:21 PM

Posted 27 February 2011 - 10:55 PM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5892

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

2/27/2011 12:13:31 PM
mbam-log-2011-02-27 (12-13-31).txt

Scan type: Full scan (C:\|)
Objects scanned: 403326
Time elapsed: 1 hour(s), 31 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:12:21 PM

Posted 01 March 2011 - 07:38 PM

First; look here in order to help show all files. Iam assuming the .exe is malware but we can check it out first. Go here and using the browse button navigate to
C:\ProgramData\policyservice.exe on your computer.
Upload the file (policyservice.exe) using the send button. It will get checked out. you shouldnt see anything in the result column if the file is ok. When the scan is done you can copy/paste in the URL.
If you do see results in red in the result column then continue with the step below:

Next:
Boot your computer into safe mode. To reach safe mode you would tap the f8 key during a computer restart, chose the first option from the list: safe mode. Log in to your normal account. Once at the safe mode desktop:
navigate to:C:\ProgramData and delete policyservice.exe.
Reboot computer normally and you should no longer see it in task manager

How Can I Reduce My Risk to Malware?


#9 abarbs07

abarbs07
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:21 PM

Posted 02 March 2011 - 08:08 AM

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:

MD5: 8df26881431a833cea198aa533445438
Date first seen: 2011-01-30 18:14:54 (UTC)
Date last seen: 2011-02-02 11:10:36 (UTC)
Detection ratio: 21/41

As a side note... this is the message in my McAfee log:
Blocked by port blocking rule C:\ProgramData\policyservice.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail

And this one too:
Blocked by port blocking rule C:\ProgramData\policyservice.exe Anti-virus Standard Protection:Prevent IRC communication

My internet is markedly slower with the process running as well. The two processes are different in memory usage by a substantial amount as well. Hope something I added can help, and once again, thanks for your time!

#10 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:12:21 PM

Posted 02 March 2011 - 07:16 PM

This is good enough for me:

Detection ratio: 21/41


Boot into safe mode and delete the .exe

Blocked by port blocking rule

Is it port 6667 thats being blocked, just out of curiosity?

How Can I Reduce My Risk to Malware?


#11 abarbs07

abarbs07
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:21 PM

Posted 03 March 2011 - 05:51 AM

It appears to be ports 6666 and 6667. More of 6666 shows up in my log than 6667. I will remove the .exe and reply with the results.

#12 abarbs07

abarbs07
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:21 PM

Posted 03 March 2011 - 08:29 AM

Booted into safe mode and deleted the file. It no longer appears in my task manager and McAfee is not reporting anything funny. Thanks for everything, I know this might have seemed very simple to you, but it was giving me a hell of a time!

#13 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:12:21 PM

Posted 04 March 2011 - 05:15 PM

Ok good. Your welcome. Keep malwarebytes and note that it must be updated manually and a scan started manually. Its good practice to keep it up to date even if you dont scan with it that much.
If all is good on your end, some tips to help you remain malware free:

10 Tips for Prevention and Avoidance of Malware:

There is no reason why your computer can not stay malware free.


No software can think for you. Help yourself. In no special order:

1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here.

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks.

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9)A slide show how to for securing Internet Explorer 8.0 for safer surfing. How to harden FireFox. for safer surfing.

10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Files can be named anything, be nothing but malware or have malware bundled in them. Can you really trust the source of the file?

More info/tips with pictures, links below
Happy Safe Surfing.

How Can I Reduce My Risk to Malware?





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users