Posted 06 June 2011 - 05:07 AM
1st post, I'm looking for advice on a malware infection I've picked up. I've managed to identify some of it but can't clear it up.
I have a Dell Latitude E6400, XP SP3. I first noticed the problem when Winlogon.exe application errors during login began occurring. I was able to carry on working by leaving the error msg open - if I closed or debugged my laptop blue-screened. When I tried to boot into safe mode it blue-screened even before I reached the login box.
I limped along in this state for a few days and a day or two ago Internet Explorer stopped working. If I try to run it the screen seems to flash but then nothing happens.
I checked out regkeys for Winlogon and found an extra executable had been added to the Userinit line:
UserInit key = "C:\WINDOWS\system32\userinit.exe,,C:\Program Files\lwkewdbu\tdcqhdkl.exe"
When I browsed to C:\Program Files\lwkewdbu it appeared to be empty but would not delete as there were apparently files still within it. Whatever I did to view/hidden files I couldn't see anything within it. If I deleted the entry for it in the Userinit key above it would reappear after a reboot.
Last night I read up a bit on malware, and downloaded a utility called IceSword with which I could browse to the C:\Program Files\lwkewdbu folder and see the tdcqhdkl.exe file within. How does IceSword do that?
Also using process explorer I was able to identify the process under which tdcqhdkl.exe was running, and it was running under iexplore.exe. Task Manager showed *four* instances of iexplore.exe running under 'System'. When I killed these using Task Mgr I was able to delete tdcqhdkl.exe. I also found using IceSword that there were five copies of tdcqhdkl.exe on the systems, in the root of c:, in startup of docs & settings of several local accounts, and on in c:\windows\system32\config\systemprofile. I deleted them all, removed the Userinit entry in the registry again, and rebooted.
But it STILL comes back. Iexplore.exe is again running multiple instances under 'system' and tdcqhdkl.exe is back in the registry and in C:\Program Files\lwkewdbu and in the root of C:.
So I can manually stop the malware running after I login(I think) but not remove it. I'm thinking the next step is to identify what command is loading iexplore.exe and stop that from happening. I don't know where to start though.
I've run SuperAntiSpyware on the machine and it finds nothing spectacular - some cookies and "unticked security features" but nothing that seems to relate to this. McAfee AV finds lots of instances of W32/Ramnit.a, but seems to clean that off without a problem. Whatever this evil malware is it's clever: I've now switched to the Safari browser, but it blocked the homepages for IceSword, Process Explorer and Malwarebytes - I had to use 3rd party download sites.
Any help gratefully received! Let me know if there's any more info I can supply.