
Got something Norton calls "trojan.spamthru"



It acts like lsas-blaster keylogger, and Norton calls it trojan.spamthru, but it doesn't have the footprint of either one. It doesn't have the registry keys or entries, and it didn't change the hosts file, etc.

I can't load MBAM, or HijackThis (even in safe mode), and SDFIX can't find anything! MBAM doesn't find anything when I run it against the hard drive, connected to another machine.

Does HijackThis throw a registry festival when it installs like MBAM does? Or can I install it on another computer and move it manually?

As I said, Norton AntiVirus keeps stopping it, then it says it removed it, then it keeps blocking it again, so it is obviously a passenger on this donkey ride to hell! The real culprit is probably something else that Norton can't find, but keeps spawning trojan.spamthru as a shield.

The symptom is that I can't install anything useful, I can't browse or search for any anti-malware tool, and most Google searches come up with random "finds".

When it's disconnected from the network (and the internet) for a few minutes, it blue-screens with an IRQ NOT EQUAL error and starts a memory dump.

I'd just re-format the system and start over, but it will take days to re-install everything, and I'm sure to run into this thing again so I want a real solution.

Thanks for any responses!


  • Root Admin

Hello and Welcome to Malwarebytes.org

Please read and follow the instructions provided here: I'm infected - What do I do now?

Someone will be happy to assist you further with cleaning your system if required.

During this scan and cleanup process you should not install any other software unless requested to do so.


Here's a DDS.SCR run: DDS.TXT (I'll upload ATTACH.ZIP)

DDS (Ver_09-01-19.01) - NTFSx86

Run by Mary at 21:30:48.60 on Tue 01/27/2009

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.592 [GMT -8:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

SVCHOST.EXE

C:\WINDOWS\System32\svchost.exe -k netsvcs

SVCHOST.EXE

SVCHOST.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\HOTALBUMMyBOX\MediaChecker.exe

C:\QUICKENW\QWDLLS.EXE

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\CD\RootkitRevealer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe

C:\CD\rr.com

C:\CD\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://www.dell4me.com/myway

uSearch Bar = hxxp://www.google.com/ie

mDefault_Page_URL = hxxp://www.dell4me.com/myway

mDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://www.dell4me.com/myway

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

mWinlogon: Userinit=c:\windows\system32\Userinit.exe

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DDSMEkl: {2502bbd0-d73b-11dd-b4ec-cebf56d89593} - c:\windows\system32\vumer.dll

BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\norton antivirus\engine\16.2.0.7\IPSBHO.DLL

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll

TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.5.0_11\bin\jusched.exe"

mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe

mRun: [iAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [ink Monitor] c:\program files\epson\ink monitor\InkMonitor.exe

mRun: [Adobe Reader Speed Launcher] C:\PROCMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billmi~1.lnk - c:\quickenw\BILLMIND.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mediac~1.lnk - c:\program files\hotalbummybox\MediaChecker.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\quickenw\QWDLLS.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: turbotax.com

Trusted Zone: musicmatch.com\online

DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109305373906

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

DPF: {8646A6AF-0AE4-4BF8-B716-DB1513803972} - hxxp://riteaid.storefront.com/images/global/activex/SFImageUpload1_8.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} - hxxp://www.costcophotocenter.com/CostcoUpload.cab

DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} - hxxps://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab

DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vpn.panattoni.com/dana-cached/setup/JuniperSetupSP1.cab

Notify: cafaeffebf - c:\windows\system32\cafaeffebf.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mary\applic~1\mozilla\firefox\profiles\apffyazj.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll

FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll

FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll

FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll

FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll

FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll

FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2008-9-12 15172]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1002000.007\SymEFA.sys [2009-1-23 309296]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1002000.007\BHDrvx86.sys [2009-1-23 255536]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1002000.007\cchpx86.sys [2009-1-23 362544]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090120.002\IDSxpx86.sys [2009-1-27 274808]

R1 NEOFLTR_550_11711;Juniper Networks TDI Filter Driver (NEOFLTR_550_11711);c:\windows\system32\drivers\NEOFLTR_550_11711.sys [2007-4-10 63264]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-25 99376]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090127.025\naveng.sys [2009-1-27 89104]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090127.025\navex15.sys [2009-1-27 876112]

R4 HOSTNT;Hostnt;c:\windows\system32\drivers\hostnt.sys [2005-7-1 4032]

R4 MHDRV;Mhdrv;c:\windows\system32\drivers\mhdrv.sys [2005-7-1 27696]

R4 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2005-2-3 34916]

R4 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\norton antivirus\engine\16.2.0.7\ccSvcHst.exe [2009-1-23 115560]

R4 RCMHDOG;RCMHDOG;c:\windows\system32\drivers\rcmhdog.sys [2005-7-1 26304]

R4 SemLPT;SemLPT;c:\windows\system32\drivers\SEMLPT.SYS [1997-11-25 41984]

S0 513a1dfbf38f5911cfbf12132cfeb4d3;513a1dfbf38f5911cfbf12132cfeb4d3;c:\windows\system32\513a1dfbf38f5911cfbf12132cfeb4d3.sys --> c:\windows\system32\513a1dfbf38f5911cfbf12132cfeb4d3.sys [?]

S3 BSKXX;BSKXX;c:\docume~1\mary\locals~1\temp\BSKXX.exe [2009-1-27 97280]

S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\drivers\epusbsto.sys [2007-5-6 17976]

S3 FOVARL;FOVARL;c:\docume~1\mary\locals~1\temp\FOVARL.exe [2009-1-27 97280]

S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-9-19 33752]

S3 Ntsclocmdmcw;Ntsclocmdmcw; [x]

S3 QWNV;QWNV;c:\docume~1\mary\locals~1\temp\QWNV.exe [2009-1-27 97280]

S3 VikingRWD;Description of NT service here;c:\windows\system32\drivers\VikingRW.sys [2005-1-31 33851]

S3 YHBTDK;YHBTDK;c:\docume~1\mary\locals~1\temp\YHBTDK.exe [2009-1-27 97280]

=============== Created Last 30 ================

2009-01-27 21:02 59,492 a------- C:\procmon.chm

2009-01-27 21:02 2,608,168 a------- C:\Procmon.exe

2009-01-27 19:12 <DIR> --d----- C:\rkr

2009-01-24 16:48 <DIR> --d----- c:\program files\MyWindowsDoctor SpyAd Process Wiper

2009-01-24 12:40 <DIR> --d----- C:\CD

2009-01-24 12:34 <DIR> --d----- c:\windows\ERUNT

2009-01-24 12:33 <DIR> --d----- C:\SDFix

2009-01-24 12:33 1,529,241 a------- C:\SDFix.exe

2009-01-23 18:29 194 a------- c:\windows\system32\RBDELDRV.BAT

2009-01-23 16:57 36,272 a----r-- c:\windows\system32\drivers\SymIM.sys

2009-01-23 16:57 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS

2009-01-23 16:57 60,808 a------- c:\windows\system32\S32EVNT1.DLL

2009-01-23 16:57 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT

2009-01-23 16:57 806 a------- c:\windows\system32\drivers\SYMEVENT.INF

2009-01-23 16:57 <DIR> --d----- c:\windows\system32\drivers\NAV

2009-01-23 16:57 <DIR> --d----- c:\program files\NortonInstaller

2009-01-23 15:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSettings

2009-01-23 15:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton

2009-01-23 15:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller

2009-01-23 15:52 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files

2009-01-22 21:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\1579854295

2009-01-17 12:21 54,156 a---h--- c:\windows\QTFont.qfn

2009-01-17 12:21 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2008-12-12 09:33 3,060,224 -------- c:\windows\system32\dllcache\mshtml.dll

2008-12-11 03:57 333,184 a------- c:\windows\system32\drivers\srv.sys

2008-12-11 03:57 333,184 -------- c:\windows\system32\dllcache\srv.sys

2008-11-06 09:42 721,912 a------- c:\documents and settings\mary\gotomypc_428.exe

2007-08-20 21:54 3,902,784 a------- c:\documents and settings\mary\gosetup.exe

2005-07-20 20:32 8 a------- c:\docume~1\mary\applic~1\usb.dat.bin

============= FINISH: 21:31:08.35 ===============

attach.zip


  • Root Admin

Not sure who asked for DDS; those instructions didn't ask for it.

Please post this information in the HJT forum per the posted instructions, not here in the General forum.

The reason we ask you to post in the HJT forum is that we don't work on any logs in the General forum, and different helpers like using different tools to help. So posting the DDS log may or may not be what the one assisting you will want to use.

Thank you.

I'm infected - What do I do now?


Ok, I'll start this again tomorrow... I ran another utility that found two .DLL files in SYSTEM32 that were called by the registry key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

That seemed to allow MBAM to actually run, which I'm doing now! So far MBAM has found 3 infected files, so I'm hopeful that I may have ripped the spine out of this infection. After this runs, I'll re-run HijackThis and post to the other board.

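The Winlogon Notify entry and the services launched from the user's temp folder in the DDS log above are exactly the lines a helper looks at first. As an added example that is not part of this thread or of any Malwarebytes tool, here is a small Python triage script that parses DDS-style "Notify:" and service/driver lines and flags entries running from a temp directory, drivers whose file name is a long hex string, services whose image file is missing, and every Winlogon Notify package for manual review. The sample lines are copied from the log in this thread plus benign entries for contrast; the heuristics and finding labels are this example's own assumptions.

```python
import re

# Finding labels (this example's own, not DDS output).
FINDING_TEMP = "runs from a user temp directory"
FINDING_HEX = "image file name is a long hex string"
FINDING_MISSING = "service registered but image file missing"
FINDING_NOTIFY = "Winlogon Notify package, loaded into every logon session"

# DDS line shapes: 'S3 Name;Display;path [date size]' and 'Notify: name - path'
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
NOTIFY_RE = re.compile(r"^Notify:\s+(\S+)\s+-\s+(.+)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)

# Sample input: lines copied from the log in this thread plus two benign
# drivers for contrast (constructed sample, not a live capture).
SAMPLE_LOG = r"""
Notify: cafaeffebf - c:\windows\system32\cafaeffebf.dll
S0 513a1dfbf38f5911cfbf12132cfeb4d3;513a1dfbf38f5911cfbf12132cfeb4d3;c:\windows\system32\513a1dfbf38f5911cfbf12132cfeb4d3.sys --> c:\windows\system32\513a1dfbf38f5911cfbf12132cfeb4d3.sys [?]
S3 BSKXX;BSKXX;c:\docume~1\mary\locals~1\temp\BSKXX.exe [2009-1-27 97280]
S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\drivers\epusbsto.sys [2007-5-6 17976]
S3 Ntsclocmdmcw;Ntsclocmdmcw; [x]
R4 SemLPT;SemLPT;c:\windows\system32\drivers\SEMLPT.SYS [1997-11-25 41984]
"""


def image_path(rest: str) -> str:
    """Drop the '--> target' tail and the trailing '[date size]' / '[x]' / '[?]' marker."""
    return rest.split(" --> ")[0].split(" [")[0].strip()


def file_stem(path: str) -> str:
    """File name without directory and extension, e.g. 'SEMLPT' from '...\\SEMLPT.SYS'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(log_text: str) -> list:
    """Return one {'name', 'path', 'reason'} dict per suspicious entry."""
    findings = []
    for line in log_text.strip().splitlines():
        if m := SERVICE_RE.match(line):
            name, path = m.group(2), image_path(m.group(4))
            if not path:  # DDS prints '[x]' when the service's file is gone
                findings.append({"name": name, "path": path, "reason": FINDING_MISSING})
            elif "\\temp\\" in path.lower():
                findings.append({"name": name, "path": path, "reason": FINDING_TEMP})
            elif HEX_NAME_RE.match(file_stem(path)):
                findings.append({"name": name, "path": path, "reason": FINDING_HEX})
        elif m := NOTIFY_RE.match(line):
            # Notify packages are rare on a clean XP box, so every one gets reviewed.
            findings.append({"name": m.group(1), "path": m.group(2), "reason": FINDING_NOTIFY})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['name']:34} {f['reason']}  {f['path']}")
```

Run it against a full DDS.TXT by passing the file contents to triage(); entries that are not flagged still deserve a look, since the heuristics only cover the patterns visible in this thread's log.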
