New Malware/Trojan/Virii ??


Hello Everyone.... I have been using Malwarebytes to remove ALL kinds of nasty things from PCs for almost a year now... absolutely love the product!

That said I have a new one that is really giving me a headache.

I can remote in to this PC via Logmein, but would rather not go onsite just yet.... if at all possible... I am pretty sure I could boot to a BartPE CD or HawkPE or similar and probably remove this beast... but I would really like to find a way to do this remotely.

I CAN reboot into safe mode.

Here goes:

Every program I install that runs ANY sort of scan gets shut down and blocked from running again.

Examples: Malwarebytes = Installs fine, updates fine, run scan and 2 seconds later it's gone... won't let you run any more scans until reinstall.

RootRepeal = Run scan for files.... runs a little while then gets shut down, never to run again... tried renaming it... won't run then... so no go.

HijackThis = Starts to run scan... same thing... blam no more HijackThis... no matter what it's named.

AntiVir = Installs, updates, runs scan... found some stuff... wouldn't remove it... reboot.... now it won't scan anymore...

What it found: Fakealert.CO.712 and tr/dropper.gen

Sooooo.... anyone have any thoughts on how I should proceed?

I tried running all these apps in safe mode.... same thing happens.

I can run Process Explorer and even in safe mode I don't see anything strange running as an active process...

Help. :(


I was able to get ComboFix to run... here is the log file from it:

ComboFix 09-11-23.01 - tech 11/23/2009 17:51.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.679 [GMT -6:00]

Running from: c:\tmp\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\404Fix.exe

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))

.

2009-11-23 23:03 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-11-23 23:03 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-11-23 23:03 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-11-23 23:03 . 2009-11-23 23:03 -------- d-----w- c:\program files\Avira

2009-11-23 23:03 . 2009-11-23 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-11-23 22:59 . 2009-11-23 22:59 34816 ----a-w- c:\windows\system32\drivers\tt.sys

2009-11-23 22:44 . 2009-11-23 22:44 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-11-23 22:11 . 2009-11-23 22:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-11-23 22:06 . 2009-11-23 22:06 -------- d-sh--w- c:\documents and settings\tech\IETldCache

2009-11-23 22:04 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-11-23 22:04 . 2009-11-23 22:04 -------- d-----w- c:\windows\ie8updates

2009-11-23 22:04 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-11-23 22:04 . 2009-08-29 08:08 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll

2009-11-23 22:04 . 2009-08-29 08:08 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2009-11-23 22:04 . 2009-08-29 08:08 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll

2009-11-23 22:04 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-11-23 22:04 . 2009-08-29 08:08 11069440 ------w- c:\windows\system32\dllcache\ieframe.dll

2009-11-23 22:02 . 2009-11-23 22:04 -------- dc-h--w- c:\windows\ie8

2009-11-23 22:01 . 2008-02-26 11:59 294912 ------w- c:\windows\system32\dllcache\msctf.dll

2009-11-23 21:49 . 2009-11-23 21:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-11-23 21:45 . 2009-11-23 21:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-11-23 20:35 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-23 20:23 . 2009-11-23 20:23 -------- d-----w- c:\documents and settings\tech\Local Settings\Application Data\LogMeIn

2009-11-23 20:23 . 2009-11-23 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn

2009-11-23 20:23 . 2009-11-23 20:23 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS

2009-11-23 20:23 . 2009-09-29 01:34 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2009-11-23 20:23 . 2009-09-29 01:34 28984 ----a-w- c:\windows\system32\LMIport.dll

2009-11-23 20:23 . 2008-08-11 18:41 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys

2009-11-23 20:23 . 2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

2009-11-23 20:23 . 2009-11-23 20:23 -------- d-----w- c:\program files\LogMeIn

2009-11-23 20:12 . 2009-11-23 20:12 -------- d-----w- c:\documents and settings\NetworkService\Application Data\TeamViewer

2009-11-23 20:01 . 2009-11-23 23:56 -------- d--h--w- c:\windows\PIF

2009-11-23 19:59 . 2009-11-23 19:59 -------- d-----w- c:\documents and settings\tech\Application Data\Malwarebytes

2009-11-23 19:59 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-23 19:59 . 2009-11-23 22:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-23 19:59 . 2009-11-23 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-23 19:59 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-23 19:55 . 2009-11-23 19:55 -------- d-----w- c:\documents and settings\tech\Local Settings\Application Data\Mozilla

2009-11-23 19:51 . 2009-11-23 23:45 -------- d-----w- C:\tmp

2009-11-23 19:40 . 2009-11-23 19:40 -------- d-----w- c:\documents and settings\tech\Application Data\TeamViewer

2009-11-23 19:40 . 2009-11-23 19:40 -------- d-----w- c:\documents and settings\tech\temp

2009-11-23 00:57 . 2009-11-23 01:07 -------- d-----w- c:\documents and settings\tech\Local Settings\Application Data\Temp

2009-11-23 00:55 . 2009-11-23 00:56 -------- d-----w- c:\documents and settings\tech\Local Settings\Application Data\Deployment

2009-11-23 00:42 . 2009-11-23 23:36 0 ----a-r- c:\windows\win32k.sys

2009-11-19 23:26 . 1993-09-21 06:00 58192 ----a-w- c:\windows\system\MHRUN300.DLL

2009-11-19 23:26 . 1993-05-12 06:00 398416 ----a-w- c:\windows\system\VBRUN300.DLL

2009-11-19 23:26 . 2009-11-19 23:26 -------- d-----w- C:\WEBSTERS

2009-11-19 23:26 . 2009-11-19 23:26 -------- d-----w- c:\documents and settings\tech\WINDOWS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-23 23:29 . 2007-12-10 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-11-23 23:29 . 2007-12-10 03:52 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-11-23 12:27 . 2007-12-14 22:54 -------- d-----w- c:\documents and settings\tech\Application Data\Wave Systems Corp

2009-11-09 20:17 . 2009-11-09 20:17 97792 ----a-w- c:\documents and settings\tech\Application Data\Sun\Java\Deployment\cache\javaws\http\Dtis2web.xw.gm.com\P80\V3.0.12\DMtis2web\DMsps\DMdownload\RNsps-nativelibs.jar\Vcs_HOD_V4.dll

2009-10-19 18:18 . 2009-10-19 18:18 -------- d-----w- c:\program files\D-PDU API

2009-10-19 18:18 . 2007-12-18 21:58 -------- d-----w- c:\program files\GM MDI Software

2009-10-19 18:13 . 2009-07-02 15:01 -------- d-----w- c:\program files\GDS

2009-10-12 15:02 . 2009-10-12 15:02 98304 ----a-w- c:\documents and settings\tech\Application Data\Sun\Java\Deployment\cache\javaws\http\Dtis2web.xw.gm.com\P80\V3.0.11\DMtis2web\DMsps\DMdownload\RNsps-nativelibs.jar\Vcs_DAT.dll

2009-10-05 15:22 . 2009-10-05 15:22 1954816 ----a-w- c:\documents and settings\tech\Application Data\Sun\Java\Deployment\cache\javaws\http\Dtis2web.xw.gm.com\P80\V3.0.10\DMtis2web\DMsps\DMdownload\RNsps-nativelibs.jar\xerces-c_3_0.dll

2009-10-02 15:19 . 2009-10-02 15:19 84992 ----a-w- c:\documents and settings\tech\Application Data\Sun\Java\Deployment\cache\javaws\http\Dtis2web.xw.gm.com\P80\V2.9.9\DMtis2web\DMkdr\DMclient\RNkdr-nativelibs.jar\wsibridge.dll

2009-10-02 15:19 . 2009-10-02 15:19 40517 ----a-w- c:\documents and settings\tech\Application Data\Sun\Java\Deployment\cache\javaws\http\Dtis2web.xw.gm.com\P80\V2.9.9\DMtis2web\DMkdr\DMclient\RNkdr-nativelibs.jar\jRegistryKey.dll

2009-09-22 14:11 . 2009-09-22 14:11 97792 ----a-w- c:\documents and settings\tech\Application Data\Sun\Java\Deployment\cache\javaws\http\Dtis2web.xw.gm.com\P80\V3.0.08\DMtis2web\DMsps\DMdownload\RNsps-nativelibs.jar\Vcs_HOD_V4.dll

2009-09-11 14:03 . 2004-08-11 23:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 20:45 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-01 23:57 . 2007-12-10 04:00 12720 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-29 08:08 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-08-26 08:16 . 2004-08-11 23:00 247326 ----a-w- c:\windows\system32\strmdll.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

GM MDI APIMonitor Disable.lnk - c:\program files\GM MDI Software\J2534 Configuration\J2534ConfigApp.exe [2009-8-5 1160704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GM MDI APIMonitor Disable.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GM MDI APIMonitor Disable.lnk

backup=c:\windows\pss\GM MDI APIMonitor Disable.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Register.lnk

backup=c:\windows\pss\Register.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wallpaper Changer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wallpaper Changer.lnk

backup=c:\windows\pss\Wallpaper Changer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=

"c:\\Program Files\\GM MDI Software\\GM MDI Identification Service\\GM_MDI_Ident.exe"=

"c:\\WINDOWS\\system32\\lxczcoms.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/23/2009 5:03 PM 108289]

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 2:21 PM 79432]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [11/23/2009 2:23 PM 47640]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/23/2009 1:59 PM 269648]

R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 5:00 PM 5120]

R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 12:32 PM 97536]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/23/2009 1:59 PM 19160]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/9/2007 9:57 PM 29744]

S3 tt;tt;c:\windows\system32\drivers\tt.sys [11/23/2009 4:59 PM 34816]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = https://www.autopartners.net/apps/gcportal/login.html

mSearch Bar = hxxp://www.google.com/ie

uInternet Settings,ProxyServer = 127.0.0.1:81

uInternet Settings,ProxyOverride = local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

LSP: c:\windows\system32\biolsp.dll

FF - ProfilePath -

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

.

- - - - ORPHANS REMOVED - - - -

AddRemove-Broadcom 802.11b Network Adapter - c:\program files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe verbose

AddRemove-{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD} - c:\program files\Apoint\Uninstap.exe ADDREMOVE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-23 17:58

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)

c:\windows\system32\LMIinit.dll

c:\windows\System32\BCMLogon.dll

c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(720)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(588)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\bcmwltry.exe

c:\windows\System32\SCardSvr.exe

c:\program files\LogMeIn\x86\LMIGuardian.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\LogMeIn\x86\RaMaint.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\program files\LogMeIn\x86\LMIGuardian.exe

c:\windows\system32\lxczcoms.exe

c:\program files\Dell\QuickSet\NICCONFIGSVC.exe

c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe

c:\windows\system32\msdtc.exe

c:\windows\system32\wscntfy.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE

.

**************************************************************************

.

Completion time: 2009-11-23 18:01 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-24 00:01

Pre-Run: 61,348,057,088 bytes free

Post-Run: 65,986,924,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 99D15A2C83F8936A4FDAC5A9FD013562

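A triage pass over the ComboFix output above, written for this thread as an added example (it is not ComboFix's or Malwarebytes' code): it parses the Reg Loading Points and Supplementary Scan lines quoted from the log and flags the settings a responder would check first, namely disabled Security Center monitoring, the disabled Windows Firewall, the loopback proxy that routes the browser through 127.0.0.1:81, the patched eventlog.dll, and any non-default LSA authentication package. The sample input is constructed from lines in this log; wvauth is most likely the Wave Systems component that also appears elsewhere in the log, so that flag is a prompt to verify, not a verdict.

```python
import re

# Constructed sample: report lines copied from the ComboFix log in this
# thread (plus one benign start-page line that should not be flagged).
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
uStart Page = https://www.autopartners.net/apps/gcportal/login.html
uInternet Settings,ProxyServer = 127.0.0.1:81
uInternet Settings,ProxyOverride = local
"""


def triage(log_text):
    """Return (finding, detail) tuples for security-relevant ComboFix lines."""
    findings = []
    key = None  # registry key that the following value lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        # ComboFix reports system files it had to repair from a clean copy.
        m = re.match(r"^Infected copy of (.+?) was found", line)
        if m:
            findings.append(("patched_system_file", m.group(1)))
            continue
        if key and "security center\\monitoring" in key \
                and '"DisableMonitoring"=dword:00000001' in line:
            findings.append(("security_center_monitoring_disabled", key))
        if key and key.endswith("firewallpolicy\\standardprofile") \
                and re.match(r'"EnableFirewall"=\s*0\b', line):
            findings.append(("windows_firewall_disabled", key))
        if key and key.endswith("control\\lsa") \
                and line.startswith("Authentication Packages"):
            # msv1_0 is the Windows default; anything else needs a vendor check.
            extra = [p for p in line.split()[3:] if p.lower() != "msv1_0"]
            if extra:
                findings.append(("extra_authentication_packages", ",".join(extra)))
        # u = current user hive, m = machine hive, as ComboFix prefixes them.
        m = re.match(r"^[um]Internet Settings,ProxyServer\s*=\s*(\S+)", line)
        if m and m.group(1).split(":")[0] in ("127.0.0.1", "localhost"):
            findings.append(("loopback_proxy", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```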

Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
