Hugh_LA_Tech

Members
Posts: 7
Reputation: 0 Neutral
  1. Ok, I'll start this again tomorrow... I ran another utility that found two .DLL files in SYSTEM32 that were called by the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. That seemed to allow MBAM to actually run, which I'm doing now! So far MBAM has found 3 infected files, so I'm hopeful that I may have ripped the spine out of this infection. After this runs, I'll re-run HijackThis and post to the other board.
  2. Here's a DDS.SCR run: DDS.TXT (I'll upload ATTACH.ZIP)

     DDS (Ver_09-01-19.01) - NTFSx86
     Run by Mary at 21:30:48.60 on Tue 01/27/2009
     Internet Explorer: 6.0.2900.2180
     Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.592 [GMT -8:00]

     AV: Norton AntiVirus *On-access scanning enabled* (Updated)

     ============== Running Processes ===============

     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\svchost -k DcomLaunch
     SVCHOST.EXE
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     SVCHOST.EXE
     SVCHOST.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
     C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
     C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
     C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Digital Line Detect\DLG.exe
     C:\Program Files\HOTALBUMMyBOX\MediaChecker.exe
     C:\QUICKENW\QWDLLS.EXE
     C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
     C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
     C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
     C:\WINDOWS\system32\svchost.exe -k imgsvc
     C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
     C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
     C:\WINDOWS\System32\svchost.exe -k HTTPFilter
     C:\CD\RootkitRevealer.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
     C:\CD\rr.com
     C:\CD\dds.scr

     ============== Pseudo HJT Report ===============

     uStart Page = hxxp://www.yahoo.com/
     uSearch Page = hxxp://www.google.com
     uDefault_Page_URL = hxxp://www.dell4me.com/myway
     uSearch Bar = hxxp://www.google.com/ie
     mDefault_Page_URL = hxxp://www.dell4me.com/myway
     mDefault_Search_URL = hxxp://www.google.com/ie
     mStart Page = hxxp://www.dell4me.com/myway
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     mSearchAssistant = hxxp://www.google.com/ie
     mWinlogon: Userinit=c:\windows\system32\Userinit.exe
     BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
     BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
     BHO: DDSMEkl: {2502bbd0-d73b-11dd-b4ec-cebf56d89593} - c:\windows\system32\vumer.dll
     BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
     BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
     BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\norton antivirus\engine\16.2.0.7\IPSBHO.DLL
     BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
     BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
     BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
     BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
     TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
     TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
     TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
     EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
     EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
     EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
     uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.5.0_11\bin\jusched.exe"
     mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
     mRun: [iAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
     mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
     mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
     mRun: [ink Monitor] c:\program files\epson\ink monitor\InkMonitor.exe
     mRun: [Adobe Reader Speed Launcher] C:\PROCMON.EXE
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billmi~1.lnk - c:\quickenw\BILLMIND.EXE
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mediac~1.lnk - c:\program files\hotalbummybox\MediaChecker.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\quickenw\QWDLLS.EXE
     IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
     IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
     IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
     Trusted Zone: turbotax.com
     Trusted Zone: musicmatch.com\online
     DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
     DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
     DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
     DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109305373906
     DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
     DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
     DPF: {8646A6AF-0AE4-4BF8-B716-DB1513803972} - hxxp://riteaid.storefront.com/images/global/activex/SFImageUpload1_8.CAB
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
     DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
     DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} - hxxp://www.costcophotocenter.com/CostcoUpload.cab
     DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} - hxxps://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
     DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
     DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
     DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
     DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
     DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
     DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vpn.panattoni.com/dana-cached/setup/JuniperSetupSP1.cab
     Notify: cafaeffebf - c:\windows\system32\cafaeffebf.dll
     SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

     ================= FIREFOX ===================

     FF - ProfilePath - c:\docume~1\mary\applic~1\mozilla\firefox\profiles\apffyazj.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
     FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
     FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
     FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
     FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
     FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
     FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
     FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
     FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll
     FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

     ============= SERVICES / DRIVERS ===============

     R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2008-9-12 15172]
     R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1002000.007\SymEFA.sys [2009-1-23 309296]
     R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1002000.007\BHDrvx86.sys [2009-1-23 255536]
     R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1002000.007\cchpx86.sys [2009-1-23 362544]
     R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090120.002\IDSxpx86.sys [2009-1-27 274808]
     R1 NEOFLTR_550_11711;Juniper Networks TDI Filter Driver (NEOFLTR_550_11711);c:\windows\system32\drivers\NEOFLTR_550_11711.sys [2007-4-10 63264]
     R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-25 99376]
     R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090127.025\naveng.sys [2009-1-27 89104]
     R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090127.025\navex15.sys [2009-1-27 876112]
     R4 HOSTNT;Hostnt;c:\windows\system32\drivers\hostnt.sys [2005-7-1 4032]
     R4 MHDRV;Mhdrv;c:\windows\system32\drivers\mhdrv.sys [2005-7-1 27696]
     R4 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2005-2-3 34916]
     R4 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\norton antivirus\engine\16.2.0.7\ccSvcHst.exe [2009-1-23 115560]
     R4 RCMHDOG;RCMHDOG;c:\windows\system32\drivers\rcmhdog.sys [2005-7-1 26304]
     R4 SemLPT;SemLPT;c:\windows\system32\drivers\SEMLPT.SYS [1997-11-25 41984]
     S0 513a1dfbf38f5911cfbf12132cfeb4d3;513a1dfbf38f5911cfbf12132cfeb4d3;c:\windows\system32\513a1dfbf38f5911cfbf12132cfeb4d3.sys --> c:\windows\system32\513a1dfbf38f5911cfbf12132cfeb4d3.sys [?]
     S3 BSKXX;BSKXX;c:\docume~1\mary\locals~1\temp\BSKXX.exe [2009-1-27 97280]
     S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\drivers\epusbsto.sys [2007-5-6 17976]
     S3 FOVARL;FOVARL;c:\docume~1\mary\locals~1\temp\FOVARL.exe [2009-1-27 97280]
     S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-9-19 33752]
     S3 Ntsclocmdmcw;Ntsclocmdmcw; [x]
     S3 QWNV;QWNV;c:\docume~1\mary\locals~1\temp\QWNV.exe [2009-1-27 97280]
     S3 VikingRWD;Description of NT service here;c:\windows\system32\drivers\VikingRW.sys [2005-1-31 33851]
     S3 YHBTDK;YHBTDK;c:\docume~1\mary\locals~1\temp\YHBTDK.exe [2009-1-27 97280]

     =============== Created Last 30 ================

     2009-01-27 21:02 59,492 a------- C:\procmon.chm
     2009-01-27 21:02 2,608,168 a------- C:\Procmon.exe
     2009-01-27 19:12 <DIR> --d----- C:\rkr
     2009-01-24 16:48 <DIR> --d----- c:\program files\MyWindowsDoctor SpyAd Process Wiper
     2009-01-24 12:40 <DIR> --d----- C:\CD
     2009-01-24 12:34 <DIR> --d----- c:\windows\ERUNT
     2009-01-24 12:33 <DIR> --d----- C:\SDFix
     2009-01-24 12:33 1,529,241 a------- C:\SDFix.exe
     2009-01-23 18:29 194 a------- c:\windows\system32\RBDELDRV.BAT
     2009-01-23 16:57 36,272 a----r-- c:\windows\system32\drivers\SymIM.sys
     2009-01-23 16:57 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
     2009-01-23 16:57 60,808 a------- c:\windows\system32\S32EVNT1.DLL
     2009-01-23 16:57 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
     2009-01-23 16:57 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
     2009-01-23 16:57 <DIR> --d----- c:\windows\system32\drivers\NAV
     2009-01-23 16:57 <DIR> --d----- c:\program files\NortonInstaller
     2009-01-23 15:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSettings
     2009-01-23 15:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
     2009-01-23 15:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
     2009-01-23 15:52 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
     2009-01-22 21:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\1579854295
     2009-01-17 12:21 54,156 a---h--- c:\windows\QTFont.qfn
     2009-01-17 12:21 1,409 a------- c:\windows\QTFont.for

     ==================== Find3M ====================

     2008-12-12 09:33 3,060,224 -------- c:\windows\system32\dllcache\mshtml.dll
     2008-12-11 03:57 333,184 a------- c:\windows\system32\drivers\srv.sys
     2008-12-11 03:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
     2008-11-06 09:42 721,912 a------- c:\documents and settings\mary\gotomypc_428.exe
     2007-08-20 21:54 3,902,784 a------- c:\documents and settings\mary\gosetup.exe
     2005-07-20 20:32 8 a------- c:\docume~1\mary\applic~1\usb.dat.bin

     ============= FINISH: 21:31:08.35 ===============

     Attachment: attach.zip
  3. I've run Norton, AntiVir, SDFix, and MBAM (with the suspect drive slaved to a clean host machine). Rootkit Revealers just want to look at the booted drive. If anyone knows of one that will look for a rootkit on other than C:, please chime in! Originally I had an "Anti-virus warning" pop-up, but I think I nailed that one over the weekend -- obviously this system has/had at least two or three trojans at work. The symptom at this point is that I can't search for anything anti-malware related. When I did, the browser (any browser) would terminate. Until I killed wdmaud.sys, it re-directed to 7.7.7.0 then terminated; now it just terminates without that re-direct -- not much of an improvement. Other search results are bogus. No anti-virus program I've found will install, regardless of how I rename it. I copied in SDFIX and ran it in safe mode but it doesn't find anything. (SDFix is the only one I know of that can be copied in -- the others scatter all over the drive and registry, and won't run without all their footprints in place from an install.) I have to go to a CMD prompt to access either DVD-ROM drive. Explorer won't open them. So nothing builds a log without booting the drive. Nothing runs if I BOOT the drive. Since nothing has found the culprit, I don't know what it is. (they are?) Does anyone have any suggestions of other programs to try? Thanks!
  4. I'm seeing something like this too. I tried running Norton Anti-virus on the machine and it blue-screened. Now I'm running Norton against it, connected to another machine, so we'll see. I'd like to try MBAM, but it won't install, and it doesn't find anything running on another machine. HijackThis won't load, and since it only shows running processes, it doesn't do any good to run it on another machine.
  5. It acts like the lsas-blaster keylogger, and Norton calls it trojan.spamthru, but it doesn't have the footprint of either one. It doesn't have the registry keys or entries, and it didn't change the hosts file, etc. I can't load MBAM or HijackThis (even in safe mode), and SDFIX can't find anything! MBAM doesn't find anything when I run it against the hard drive, connected to another machine. Does HijackThis throw a registry festival when it installs like MBAM does? Or can I install it on another computer and move it manually? As I said, Norton AntiVirus keeps stopping it, then it says it removed it, then it keeps blocking it again, so it is obviously a passenger on this donkey ride to hell! The real culprit is probably something else that Norton can't find, but keeps spawning trojan.spamthru as a shield. The symptom is that I can't install anything useful, I can't browse or search for any anti-malware tool, and most Google searches come up with random "finds". When it's disconnected from the network (and the internet) for a few minutes, it blue-screens with an IRQ NOT EQUAL error and starts a memory dump. I'd just re-format the system and start over, but it will take days to re-install everything, and I'm sure to run into this thing again so I want a real solution. Thanks for any responses!
  6. At this point, I'm ready to try figuring out what MBAM does when it installs, so I can perform a MANUAL installation! This trojan is obviously afraid of the thing if it stops it from loading, and it must be looking at the properties of the program, not its name, when looking to kill it. I've tried changing the properties, but it is "packed", so the data isn't in the clear anywhere. A retro-install seems the only option. I've tried virtually every other tool already and none of them touches this trojan. As far as I know, it doesn't even have a name.
  7. I've got exactly the same problem on a Dell PC running XP Pro SP3! I suspect the trojan is looking at the product name property of the executable, so renaming the installer does no good! (Right-click on mbam-setup.exe and hit Properties, then Version, then Product Name -- THAT'S what it's looking at, not the program name.) I wish there were some way to get in there and change those properties to throw this thing off, but I also noticed all you got in response was the sound of wind whistling through the trees!... Guess no one has any solution for this virus other than a complete system rebuild. People say it's the Lsas-blaster keylogger, but it doesn't have the ###################.exe file under the Documents and Settings\Username... tree, and there isn't a process in the queue that looks like the description either. That would be an easy one to kill! I've tried the latest SDFix, both in Safe mode and running the hard drive slaved to another machine, running the software against the suspect drive. I've tried Spybot and several others -- all either find nothing, or target some innocuous cookie. I think it's pretty clear this isn't a cookie. So far, I haven't found anything that can find or touch this one. Has anyone pondered the value of just cutting the 3rd world off the internet? If those turds want to turn the internet into a cat rodeo, I think we can do without their participation and commerce! Maybe just "another" internet is in order -- one you have to register for so the traffic can be traced?