Where to start?
OK, how I acquired this malware/trojan I'm unsure of, but it is very, very malicious. First and foremost, it spits out a random executable into my "Temp" folder, which is in the "Local Settings" folder, which is located in my "Documents and Settings" under my current W-XP name "Blake Weatherly". The file path would read:
"C:\Documents And Settings\Blake Weatherly\Local Settings\Temp". Then, after putting those files into Temp, there are shortcuts placed on my desktop and in My Documents for them, and also on my start bar with an "Installed" message tagged to it as if it were a program.
When I first found this stuff, I booted into safe mode and manually removed it. There were 20+ files, all trojan related, in there. Then, a few minutes after booting into normal mode, they are there again.
This is where it gets tricky: there has to be a file installed somewhere on my computer that is spitting these random executables/trojans out. It renames each one with numbers. For instance: "19024.exe", "24350.exe", "42304.exe", and so on and so forth.
So now I know that it replicates itself and runs more than one instance of itself at a time, ultimately causing internet pop-ups and what I think are "Installation Requests". I can't know for sure though, because most of the wording is in Spanish.
Now it gets EVEN more complicated. I'm going to describe the files that it is putting into my "Temp".
On this trojan/malware's initial start-up, it adds these files to the "Temp":
"Perflib_Perfdata_324.dat" (DAT File 16 KB)
"Perflib_Perfdata_e78.dat" (DAT File 16 KB)
"Perflib_Perfdata_8f0.dat" (DAT File 0 KB)
"mmmxl.log" (Text Document 4 KB)
"aim0809005310.tmp" (TMP File 0 KB)
"JET9A04.tmp" (TMP File 0 KB)
"~DFC1E2.tmp" (TMP File 32 KB)
"1F1205F7.TMP" (TMP File 1 KB)
Then two folders (I'm assuming randomized each time):
"Draa"
"hsperfdata_Blake Weatherly" (containing "3776" (File 16 KB))
Now, these files will grow in size the longer my computer is on (in normal mode). There will also be more executable files installed, with randomized numbers for names each time. Even more interesting is the "mmmxl.log" file, which has this trojan/malware's operations in detail:
The file "mmmxl.log" reads:
[08/09/05 at 00:50:40] **** MXL_Install **** Entering. Current build; value = 122
[08/09/05 at 00:50:40] The driver is up and running fine. Going to check other install settings; value = 0
[08/09/05 at 00:50:40] (CheckForCurrentFiles) About to check driver version; value = 0
[08/09/05 at 00:50:40] (CheckForCurrentFiles) About to check wnapsixx.dll; value = 0
[08/09/05 at 00:50:40] (CheckForFiles) Every file is there and ok; value = 0
[08/09/05 at 00:50:40] Installation check shows that everything was already installed right; value = 0
[08/09/05 at 00:50:40] Install ok, no reboot required; value = 0
[08/09/05 at 00:50:40] ---- MXL_Install ---- Exit...; value = 0
[08/09/05 at 00:51:14] **** MXL_Install **** Entering. Current build; value = 122
[08/09/05 at 00:51:14] The driver is up and running fine. Going to check other install settings; value = 0
[08/09/05 at 00:51:14] (CheckForCurrentFiles) About to check driver version; value = 0
[08/09/05 at 00:51:19] (CheckForCurrentFiles) About to check wnapsixx.dll; value = 0
[08/09/05 at 00:51:19] (CheckForFiles) Every file is there and ok; value = 0
[08/09/05 at 00:51:19] Installation check shows that everything was already installed right; value = 0
[08/09/05 at 00:51:19] Install ok, no reboot required; value = 0
[08/09/05 at 00:51:19] ---- MXL_Install ---- Exit...; value = 0
[08/09/05 at 00:51:19] **** MXL_Install **** Entering. Current build; value = 122
[08/09/05 at 00:51:19] The driver is up and running fine. Going to check other install settings; value = 0
[08/09/05 at 00:51:19] (CheckForCurrentFiles) About to check driver version; value = 0
[08/09/05 at 00:51:20] (CheckForCurrentFiles) About to check wnapsixx.dll; value = 0
[08/09/05 at 00:51:22] (CheckForFiles) Every file is there and ok; value = 0
[08/09/05 at 00:51:22] Installation check shows that everything was already installed right; value = 0
[08/09/05 at 00:51:22] Install ok, no reboot required; value = 0
[08/09/05 at 00:51:22] ---- MXL_Install ---- Exit...; value = 0
[08/09/05 at 00:51:22] **** MXL_Install **** Entering. Current build; value = 122
[08/09/05 at 00:51:22] The driver is up and running fine. Going to check other install settings; value = 0
[08/09/05 at 00:51:22] (CheckForCurrentFiles) About to check driver version; value = 0
[08/09/05 at 00:51:22] (CheckForCurrentFiles) About to check wnapsixx.dll; value = 0
[08/09/05 at 00:51:22] (CheckForFiles) Every file is there and ok; value = 0
[08/09/05 at 00:51:22] Installation check shows that everything was already installed right; value = 0
[08/09/05 at 00:51:22] Install ok, no reboot required; value = 0
[08/09/05 at 00:51:22] ---- MXL_Install ---- Exit...; value = 0
[08/09/05 at 00:51:22] **** MXL_Install **** Entering. Current build; value = 122
[08/09/05 at 00:51:22] The driver is up and running fine. Going to check other install settings; value = 0
[08/09/05 at 00:51:22] (CheckForCurrentFiles) About to check driver version; value = 0
[08/09/05 at 00:51:22] (CheckForCurrentFiles) About to check wnapsixx.dll; value = 0
[08/09/05 at 00:51:22] (CheckForFiles) Every file is there and ok; value = 0
[08/09/05 at 00:51:22] Installation check shows that everything was already installed right; value = 0
[08/09/05 at 00:51:22] Install ok, no reboot required; value = 0
[08/09/05 at 00:51:22] ---- MXL_Install ---- Exit...; value = 0
--------------------------------------------------------------------------------
It mentions "wnapsixx.dll"; I am unable to find this anywhere on my computer.
By the way, I have run the following programs, and they have not successfully removed it:
Spysweeper
CWShredder
Ad-Aware SE Personal
TrojanHunter
Ewido Security Suite
CleanUp40
Microsoft AntiSpyware
Spybot Search and Destroy.
Now for my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 1:34:09 AM, on 8/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\?ppPatch\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Opera75\opera.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Blake Weatherly\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.new-access.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [RqltFkBL] C:\WINDOWS\mmtcl.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Tmc] C:\WINDOWS\system32\?ppPatch\rundll32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
---------------------------------------------------------(The End )
Well guys, I've spent a lot of hours trying to destroy this thing, but it keeps coming back. It will run multiple instances of itself (an attempted installer) and destroy CPU usage, usually lagging the computer pretty badly. The pop-ups it produces are targeted at "http://www.new-access.biz", and I've seen it call itself "Private Internet Zone" in the installer title.
All help is appreciated, and I thank you for taking the time to help me.
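As an added example (not part of the original post and not a HijackThis feature), the Python script below parses the O4 autostart entries from a HijackThis log and applies the simple heuristics a log reader would apply by eye when reviewing a log like the one above: a value name with no vowels, a bare file name with no directory (resolved by PATH search), an unprintable character in the path (the "?" in `?ppPatch` is how the log renders one), and an executable sitting directly in the Windows directory. The sample lines are copied from the post's log; the rule thresholds, function names and the `SAMPLE_LOG` constant are my own assumptions.

```python
import re

# Constructed sample: O4 lines copied from the HijackThis log in the post,
# with two benign Symantec/Roxio entries kept for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RqltFkBL] C:\WINDOWS\mmtcl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [Tmc] C:\WINDOWS\system32\?ppPatch\rundll32.exe
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")

# Either a quoted path, or an unquoted one ending at the first executable
# extension followed by whitespace or end of line (unquoted paths may contain
# spaces, so splitting on the first space would be wrong).
IMAGE_RE = re.compile(
    r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|bat|scr|cmd))(?=\s|$)', re.IGNORECASE
)

VOWELS = set("aeiouAEIOU")


def parse_o4(line):
    """Return the fields of one O4 line as a dict, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, cmd = m.groups()
    return {"hive": hive, "key": key, "name": name, "cmd": cmd}


def image_path(cmd):
    """Extract the executable path from a Run-key command line, dropping arguments."""
    cmd = cmd.strip()
    m = IMAGE_RE.match(cmd)
    if m:
        return m.group(1) or m.group(2)
    # Fallback for entries with no recognised extension (e.g. "dumprep 0 -u").
    return cmd.split(" ", 1)[0]


def assess(entry):
    """Return human-readable reasons an O4 entry deserves a closer look (may be empty)."""
    reasons = []
    name = entry["name"]
    path = image_path(entry["cmd"])

    # Value names generated by a dropper tend to be letter soup without vowels.
    letters = [c for c in name if c.isalpha()]
    if len(letters) >= 5 and not any(c in VOWELS for c in letters):
        reasons.append("value name has no vowels (looks machine-generated)")

    # A bare file name is located via the PATH search, so the real binary could
    # sit anywhere on that path.
    if "\\" not in path:
        reasons.append("bare file name, no directory: resolved by PATH search")

    # HijackThis prints unprintable characters as "?"; a directory name that
    # cannot be typed is a classic way to hide from Explorer and the shell.
    if any(c == "?" or ord(c) > 126 for c in path):
        reasons.append("non-printable or non-ASCII character in path")

    # Legitimate installers almost never drop an executable straight into
    # C:\WINDOWS (Explorer.EXE being the well-known exception).
    parent = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
    if parent in ("c:\\windows", "c:\\winnt"):
        reasons.append("executable placed directly in the Windows directory")

    return reasons


def scan(text):
    """Return [(value name, image path, reasons)] for every flagged O4 entry."""
    findings = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append((entry["name"], image_path(entry["cmd"]), reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in scan(SAMPLE_LOG):
        print(f"[{name}] {path}")
        for r in reasons:
            print("   -", r)
```

Run against the sample, the script flags `RqltFkBL` (two rules), `Microsoft Update` (bare `vpc32.exe`) and `Tmc` (the `?ppPatch` path), and passes `AdaptecDirectCD` and `ccApp`. It does not flag `[Aida] C:\Program Files\rdso\eetu.exe`, which only stands out because nobody recognises a vendor called "rdso"; conversely, the log's `[BCMSMMSG] BCMSMMSG.exe` entry would trip two rules. The output is therefore a worklist for a human reviewer, not a verdict, which is also how helpers on these forums read HJT logs.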