247fixes PC Help Forum: [Resolved] Removal of: 1.) LGDCore.exe And, 2.) TSClientAXDisabler & TSClientMSIUninstaller - 247fixes PC Help Forum

[Resolved] Removal of: 1.) LGDCore.exe And, 2.) TSClientAXDisabler & TSClientMSIUninstaller Issues With; LGDCore.exe; TSClientAXDisabler; & TSClientMSIUninsta

#1 RQDriftnet (Newbie Member, Group: Member, Posts: 3, Joined: 04-January 09)

Posted 05 January 2009 - 06:44 AM

Hi everyone,

Happy New Year to each & everyone!

My 1st time here and I'm pleased to have found this forum (Thank you!)

My issues are as follows: a Trojan got a foothold on my unit with my unfortunate mistake of accepting a Codec I believed necessary for Windows Movie Maker. It was that Codec that took advantage of a minor security issue with my Logitech G-series keyboard by camouflaging itself in the normally innocuous "LGDCore.exe" executable.

Please review the article I found to have alerted me to that vulnerability after I was infected. ("http://www.file.net/process/lgdcore") being:

Description: File LGDCore.exe is located in a subfolder of "C:\Program Files". Known file sizes on Windows XP are 1122304 bytes (80% of all occurrence), 1110079 bytes, 69632 bytes.
There is an icon for this program on the taskbar next to the clock. The program has a visible window. The file is not a Windows core file. You can uninstall this program in the control panel. LGDCore.exe is able to record inputs. Therefore the technical security rating is 8% dangerous, however also read the users reviews.

Recommendation: If LGDCore.exe is located in a subfolder of "C:\Program Files\Common Files" then the security rating is 1% dangerous. File size is 1126400 bytes (66% of all occurrence), 1132056 bytes. The program has a visible window. The process can be removed using the control panel Add\Remove programs applet. File LGDCore.exe is not a Windows system file. LGDCore.exe is able to record inputs, monitor applications.
Important: Some malware camouflage themselves as LGDCore.exe, particularly if they are located in c:\windows or c:\windows\system32 folder. Thus check the LGDCore.exe process on your pc whether it is pest. We recommend Security Task Manager for verifying your computer's security. It is one of the Top Download Picks of 2005 of The Washington Post and PC World.

My objective is:

Removal & Deletion of:

1.) Launch LGDCore ~ "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE

from

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

and,

2.) TSClientAXDisabler ~ "cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tsdsbl.bat"

and TSClientMSIUninstaller ~ "cmd.exe /C ""cscritp %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

from

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Has anyone come across this issue, or a similar one, and is there a resolution I can use please?

Other Information thus far:

1.) I've downloaded SDFix and run it, with no final outcome that helped.

2.) The SDFix report was as follows:

SDFix: Version 1.240
Run by Quentin on Mon 05/01/2009 at 09:10 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 09:24:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Quentin\\Desktop\\Buzzen & MSN WizBiz Chat & Forum\\As @ Home, SoulFly & mIRC Software & Licenses\\SoulFly UnZipped Folder\\SoulFly[Buzzen]_1-5\\mirc.exe"="C:\\Documents and Settings\\Quentin\\Desktop\\Buzzen & MSN WizBiz Chat & Forum\\As @ Home, SoulFly & mIRC Software & Licenses\\SoulFly UnZipped Folder\\SoulFly[Buzzen]_1-5\\mirc.exe:*:Enabled:mIRC"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Download Express\\dep.exe"="C:\\Program Files\\Download Express\\dep.exe:*:Enabled:Browser download plugin"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Corel\\DVD9\\WinDVD.exe"="C:\\Program Files\\Corel\\DVD9\\WinDVD.exe:*:Enabled:WinDVD"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Quentin\\Desktop\\Buzzen & MSN WizBiz Chat & Forum\\As @ Home, SoulFly & mIRC Software & Licenses\\SoulFly UnZipped Folder\\SoulFly[Buzzen]_1-5\\mirc.exe"="C:\\Documents and Settings\\Quentin\\Desktop\\Buzzen & MSN WizBiz Chat & Forum\\As @ Home, SoulFly & mIRC Software & Licenses\\SoulFly UnZipped Folder\\SoulFly[Buzzen]_1-5\\mirc.exe:*:Enabled:mIRC"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"

Remaining Files :

Files with Hidden Attributes :

Mon 14 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SH. --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Thu 1 Jan 2009 8 ..SHR --- "C:\WINDOWS\system32\500A6DB57A.sys"
Sat 26 Apr 2008 23 A.SH. --- "C:\WINDOWS\system32\ebdccacc1_z.dll"
Tue 29 Jan 2008 23 A.SH. --- "C:\WINDOWS\system32\fd4_r.dll"
Fri 2 Jan 2009 2,828 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 1 Jan 2009 8 ..SHR --- "C:\Documents and Settings\All Users\Application Data\500A6DB57A.sys"
Sat 3 Jan 2009 2,828 A.SH. --- "C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys"
Thu 1 Jan 2009 10,024,504 A..H. --- "C:\Program Files\Google\Picasa3\setup.exe"
Thu 1 Jan 2009 2,828 A.SH. --- "C:\System Volume Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP443\A0102952.sys"
Thu 1 Jan 2009 2,828 A.SH. --- "C:\System Volume Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP443\A0103093.sys"
Thu 1 Jan 2009 2,828 A.SH. --- "C:\System Volume Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP443\A0103137.sys"
Thu 1 Jan 2009 2,828 A.SH. --- "C:\System Volume Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP461\A0104001.sys"
Thu 1 Jan 2009 2,828 A.SH. --- "C:\System Volume Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP461\A0104005.sys"
Fri 2 Jan 2009 2,828 A.SH. --- "C:\System Volume Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP462\A0104270.sys"
Sat 11 Oct 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT9.tmp"
Thu 26 Jun 2008 52,736 ...H. --- "C:\Documents and Settings\Quentin\Application Data\Microsoft\Word\~WRL0237.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Quentin\Application Data\U3\temp\Launchpad Removal.exe"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Quentin Thomas\Application Data\U3\temp\Launchpad Removal.exe"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Ra`ishah\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

3.) When I reboot and run again I get these results and the offending entries return and reappear in the registry.

a. Attached Image 1 ~ 4th_S___D_Change_Detected__050109_x2.jpg (90.29K)
b. Attached Image 2 ~ 5th_S___D_Change_Detected__050109_x2.jpg (162.54K)
c. Attached Image 3 ~ 6th_S___D_Change_Detected__050109_x2.jpg (208.42K)

I'm now beyond my level of self help and trust wiser heads in here may know what I should do next.

Thank You.

Quentin.
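The RunOnce values Quentin lists above, run through a small triage script. This is an added example, not part of the thread and not Logitech's, Microsoft's or 247fixes' tooling. It recovers the program each value actually launches (peeling off the cmd.exe /C and cscript wrappers), then compares the folder LGDCore.exe sits in against the file.net guidance quoted in the post (Program Files or Common Files expected; Windows or system32 described there as a masquerade location). The %systemroot% values, the fourth system32 entry and the spelling of cscript are constructed assumptions for illustration, not findings about Quentin's machine.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Assumed environment for expanding %systemroot% and friends (default XP layout).
ENV = {
    "systemroot": r"C:\WINDOWS",
    "windir": r"C:\WINDOWS",
    "programfiles": r"C:\Program Files",
}

# Baseline taken from the file.net text quoted in the post. Prefixes carry no
# trailing backslash (a raw string cannot end with one); it is added on compare.
BASELINE = {
    "lgdcore.exe": {
        "expected": [r"C:\Program Files\Common Files", r"C:\Program Files"],
        "masquerade": [r"C:\WINDOWS\system32", r"C:\WINDOWS"],
    }
}

@dataclass
class AutostartEntry:
    key: str
    name: str
    command: str
    target: str = ""
    args: list = field(default_factory=list)
    verdict: str = ""

def expand_env(text, env=ENV):
    """Expand %VAR% references case-insensitively; unknown names are left alone."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), text)

def tokenize(cmdline):
    """Split a Windows command line on whitespace while honouring double quotes."""
    tokens, buf, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens

def resolve_target(command):
    """Peel off cmd.exe /C|/K and cscript/wscript wrappers; return (target, args)."""
    tokens = tokenize(expand_env(command))
    while tokens:
        head = ntpath.basename(tokens[0]).lower()
        if head in ("cmd.exe", "cmd") and len(tokens) > 1 and tokens[1].lower() in ("/c", "/k"):
            tokens = tokens[2:]
        elif head in ("cscript.exe", "cscript", "wscript.exe", "wscript"):
            tokens = [t for t in tokens[1:] if not t.startswith("//")]  # drop host options
        else:
            break
    return (tokens[0], tokens[1:]) if tokens else ("", [])

def assess(target):
    """Compare the target's folder with the baseline recorded for that file name."""
    rules = BASELINE.get(ntpath.basename(target).lower())
    if rules is None:
        return "no-baseline"  # nothing on record for this name: verify by hand
    folder = ntpath.dirname(target).lower() + "\\"
    if any(folder.startswith(p.lower() + "\\") for p in rules["expected"]):
        return "expected-location"
    if any(folder.startswith(p.lower() + "\\") for p in rules["masquerade"]):
        return "masquerade-location"
    return "unusual-location"

def triage(entries):
    """Resolve and assess each (key, value name, value data) triple."""
    result = []
    for key, name, command in entries:
        target, args = resolve_target(command)
        result.append(AutostartEntry(key, name, command, target, args, assess(target)))
    return result

HKLM_RUNONCE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
HKCU_RUNONCE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"

# Constructed sample: the three values quoted in the post (cscript spelled as the
# standard host name) plus a made-up fourth entry to show the system32 case.
SAMPLE_RUNONCE = [
    (HKLM_RUNONCE, "Launch LGDCore",
     r'"C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE'),
    (HKCU_RUNONCE, "TSClientAXDisabler",
     r'cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tsdsbl.bat"'),
    (HKCU_RUNONCE, "TSClientMSIUninstaller",
     r'cmd.exe /C ""cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"'),
    (HKLM_RUNONCE, "Constructed example", r'"C:\WINDOWS\system32\LGDCore.exe"'),
]

if __name__ == "__main__":
    for e in triage(SAMPLE_RUNONCE):
        print(f"{e.verdict:20} {e.name:24} -> {e.target} {' '.join(e.args)}")
```

The two TSClient entries come back as "no-baseline" rather than clean or dirty: the script only vouches for names it has a recorded baseline for, so anything else is explicitly left for a manual look instead of being waved through.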

#2 Billy O'Neal (Visiting Staff, Posts: 629, Joined: 21-June 08, Location: Northfield, Ohio, Interests: Programming, Malware Smashing)

Posted 05 January 2009 - 11:13 AM

Hello, RQDriftnet
While I seriously doubt that executable is at fault, we can check it for you.

:welcome: to 247Fixes.com

My name is BillyIII and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Reply button in the lower left hand corner of your screen.


We need to upload a file for further inspection
  • Please go to this page.
  • Where it asks for the "Link to where the file was requested" copy and paste in
    http://www.247fixes.com/forums/index.php?showtopic=2754

  • Where it says "Browse to the file you want to submit", browse to
    C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe

  • Press the Send File button.


We need to run a Scan with DDS
  • Please download DDS, and save it to your desktop, from one of the following mirrors:

  • Disable any type of "Script Blockers" or "Script Protection" installed on your system.
  • Double click the DDS icon on your desktop.
  • If prompted by any script blocking tools, please allow any actions taken by DDS.
  • Two reports will open. Please reply with the generated reports:
    • DDS.txt <-- Copy and paste into your next post
    • Attach.txt <-- Attach to your next post


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click the GMER icon on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a warning window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


In your next reply, please include the following:
  • DDS.txt
  • Attach.txt
  • GMER's Log

BillyIII

#3 RQDriftnet (Newbie Member, Group: Member, Posts: 3, Joined: 04-January 09)

Posted 05 January 2009 - 05:08 PM

G'day again Roomies! :thumbup:

Thank you for your prompt reply BillyIII. I really did think I might have been out of my depth for a moment, but a rest and time away from the problem and constructing the post was the distraction needed to have me look at it afresh.

Your message got to me too late and I've made significant changes already. :oops:

However, you may be pleased to learn it appears I might have been successful in cleaning up my mess myself. :D

It was the executable, and it was myself that authorised the changes for it to be a part of the mess I made, ... before I realised the Codec I loaded was a trap for young players. :o Once I did that, the rest was a matter of time. Once I found out the Codec was not what I thought it was, I was able to find more and more answers and finally got to one that was the solution. SDFix helped, but didn't significantly improve the situation unfortunately.

In the end, and in Safe Mode, jv16 Power Tools & UniBlue eventually narrowed down the list of registry changes I needed to address. The most telling were in "C:/System Volume Information/ ..... / _restore ..... " and it was behind the function that kept reinstalling the problems. Once they were removed, the problem corrected almost immediately and I have control once more.

My mistake was believing the Codec was necessary for the video editing I was doing on a family video prank I pulled on the wife with her Christmas Turkey, and in my rush to get it to family and friends that have known it was on since November, saw me fail to be attentive at a juncture I should have been so. :(

I can't be sure I've totally solved it yet, and I'm testing and running up the system once more. Nonetheless, it is looking very good thus far and I shall keep you notified.

For the moment, ..... no more needs to be done, ....and time will be the acid test if I've had a win.

Thank you again.

Regards,

Quentin :cheers:

#4 Billy O'Neal (Visiting Staff, Posts: 629, Joined: 21-June 08, Location: Northfield, Ohio, Interests: Programming, Malware Smashing)

Posted 06 January 2009 - 04:12 AM

This thread is being closed because it has been resolved. If you would like it to be reopened please contact me or another member of the Moderating team.

As always, we'd like to thank you for using 247fixes. Have a great day!

This only applies to the original poster; if you're not the original poster, please start a new topic in this forum.