Malwarebytes' Anti-Malware - runs for a minute, then the process is killed and security is taken away from the executable. This also happens to TrendMicro HouseCall, HijackThis, Ad-Aware, Spybot S&D, and Symantec.
RootRepeal - locks hard
OTL - gets shut down within a minute of running it.
Somehow PC Anti-Spyware got on my machine. It changed DNS entries, removed me from the Administrator group, installed other spyware, took away folder options and hid files, took away access to the registry, seems to have attached to lsass.exe, login.exe, services.exe. Continually changed registry entries under Run until I took away access to my temp folder under my Profile. It also kept running braviax.exe and b.exe...
It no longer reinstalls itself or populates the registry, but I can't run any type of spyware/anti-virus program; it simply shuts them down and then takes away permission.
I was able to get one decent log from GMER by renaming the executable; however, that does not work for the anti-virus programs. The hidden DLL seems to change names frequently and it can't be unloaded with regsvr32.
GMER 1.0.15.15077 [melissa.exe] - http://www.gmer.net
Rootkit scan 2009-08-24 22:24:03
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT 86096B08 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xED2D6DC0]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xED2D7020]
---- Kernel code sections - GMER 1.0.15 ----
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1324] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1324] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1324] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
.text C:\WINDOWS\Explorer.EXE[3284] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
.text C:\WINDOWS\Explorer.EXE[3284] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
.text C:\WINDOWS\Explorer.EXE[3284] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\LogMeIn\x86\LogMeIn.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
IAT C:\Program Files\LogMeIn\x86\LogMeIn.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
IAT C:\WINDOWS\Explorer.EXE[3284] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
IAT C:\WINDOWS\Explorer.EXE[3284] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [304] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\Program Files\Executive Software\Diskeeper\DkService.exe [444] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [732] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1044] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1140] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1212] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1276] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\Program Files\LogMeIn\x86\LogMeIn.exe [1324] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\Program Files\Symantec AntiVirus\Rtvscan.exe [1576] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [2032] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2224] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3284] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccApp.exe [3656] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\PROGRA~1\SYMANT~1\VPTray.exe [3664] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [3692] 0x35670000
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272c4276e
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272c4276e@0007e09fc77a 0x10 0x19 0x82 0xB1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272c4276e (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272c4276e@0007e09fc77a 0x10 0x19 0x82 0xB1 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Classes\CLSID\{18D6E519-4C27-E4AD-074C5D1F171B40FB}\{8D7A772B-93EE-6905-4C751BA1B544AFC9}\{7029C73E-0020-BA9C-F3FADF03D99AF0E6}
Reg HKLM\SOFTWARE\Classes\CLSID\{18D6E519-4C27-E4AD-074C5D1F171B40FB}\{8D7A772B-93EE-6905-4C751BA1B544AFC9}\{7029C73E-0020-BA9C-F3FADF03D99AF0E6}@XOGCPEUPGZA3BTOUPKIJ6FJXTE1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{44CECEEC-F47D-9002-D416-624F05A5775D}\InprocServer@ ole2disp.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{44CECEEC-F47D-9002-D416-624F05A5775D}\InprocServer32@ oleaut32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{44CECEEC-F47D-9002-D416-624F05A5775D}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{44CECEEC-F47D-9002-D416-624F05A5775D}\InprocServer32@InprocServer32 ,(GnBmGFa=nZ7]6MJA+rGIANT_AntiSpyware_Files>M5KDYSUnf(HA*L[xeX)y?=ouZR)rmr9,WgJMaGmi0SAVMain>M5KDYSUnf(HA*L[xeX)y?Z~kh3YoA$AuPrr=9NVP+>M5KDYSUnf(HA*L[xeX)y?B0JbNJ^1@9GyZx5Y[jne>M5KDYSUnf(HA*L[xeX)y?4LbmQhlx~@{QYCY]4.0H>M5KDYSUnf(HA*L[xeX)y?
Reg HKLM\SOFTWARE\Classes\CLSID\{6B3E8B2C-F9E4-BE0E-6899-812928D55F1B}\AutoConvertTo@ {00020906-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\CLSID\{6B3E8B2C-F9E4-BE0E-6899-812928D55F1B}\Ole1Class@ WordDocument
Reg HKLM\SOFTWARE\Classes\CLSID\{6B3E8B2C-F9E4-BE0E-6899-812928D55F1B}\ProgID@ WordDocument
Reg HKLM\SOFTWARE\Classes\CLSID\{BFF999F3-9FC2-E2A7-1D90-EF423684D808}\InprocServer32@ %SystemRoot%\System32\msoeacct.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{BFF999F3-9FC2-E2A7-1D90-EF423684D808}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{D891502B-DC36-B293-121D9D2985957827}\{239EA7E9-C7D1-EF13-CC952A60F4AD7A0B}\{9E7939D5-CFE3-7B10-257B198232E2E5B7}
Reg HKLM\SOFTWARE\Classes\CLSID\{D891502B-DC36-B293-121D9D2985957827}\{239EA7E9-C7D1-EF13-CC952A60F4AD7A0B}\{9E7939D5-CFE3-7B10-257B198232E2E5B7}@SE4K5INHHR1EDZYY15BVZC6TKG1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EDCF6AC6-CDE0-1F6D-043771A983FAB740}\{0B884C8F-0AAB-F925-A63B97C7F3A43931}\{965D33BD-6599-2D1D-7E8A152D666CAEE5}
Reg HKLM\SOFTWARE\Classes\CLSID\{EDCF6AC6-CDE0-1F6D-043771A983FAB740}\{0B884C8F-0AAB-F925-A63B97C7F3A43931}\{965D33BD-6599-2D1D-7E8A152D666CAEE5}@SE4K5INHHR1EDZYY15BVZC6TKG1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F2F43379-985D-E7AE-2F5BD6B18999A07F}\{64C9A7C2-676E-3AEC-13AF6B278F65FD89}\{7B815B3C-162E-096A-EBEBEFD33B1AE416}
Reg HKLM\SOFTWARE\Classes\CLSID\{F2F43379-985D-E7AE-2F5BD6B18999A07F}\{64C9A7C2-676E-3AEC-13AF6B278F65FD89}\{7B815B3C-162E-096A-EBEBEFD33B1AE416}@XOGCPEUPGZA3BTOUPKIJ6FJXTE1 0x01 0x00 0x01 0x00 ...
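As an added example (not part of the original post, and not GMER's own code), the script below shows how a responder can triage a GMER log like the one above programmatically instead of reading 70 lines by eye. It parses the "User code sections", "User IAT/EAT" and "Processes" entries, groups everything by the library that owns the hook or the hidden module, and reports what makes each library worth a second look: GMER's "hidden" flag, a load path under the raw `\\?\globalroot\Device\` namespace instead of a drive letter, the inline hooks and IAT hooks attributed to it, and how many processes it sits in (including security-product processes such as Rtvscan.exe, which is consistent with the scanners being killed). The regular expressions are written against the layout as it appears in the post, where fields are separated by single spaces; real GMER output pads columns with runs of whitespace, which `\s+` tolerates. The sample input is a subset of the posted log lines plus one constructed, non-hidden `Library` line used as a control; the function names `parse_gmer`, `triage` and `injected_security_processes` and the `SECURITY_PROCESSES` set are this example's own choices.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the posted GMER 1.0.15 log, plus one constructed
# control line (shell32.dll, not flagged hidden) that the triage should ignore.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1324] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
.text C:\WINDOWS\Explorer.EXE[3284] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\Explorer.EXE[3284] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
IAT C:\WINDOWS\Explorer.EXE[3284] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [732] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\Program Files\Symantec AntiVirus\Rtvscan.exe [1576] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3284] 0x35670000
Library C:\WINDOWS\system32\shell32.dll @ C:\WINDOWS\Explorer.EXE [3284] 0x7C9C0000
"""

# ".text <process>[<pid>] <module>!<function> + <offset> <address> <n> Bytes <CALL|JMP> <addr> <owner>"
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>[^\s!]+)!(?P<func>\S+)\s+\+\s+(?P<off>[0-9A-F]+)"
    r"\s+(?P<addr>[0-9A-F]+)\s+(?P<n>\d+)\s+Bytes\s+(?P<patch>[A-Z]+\s+[0-9A-F]+)\s+(?P<target>.+?)\s*$",
    re.I)
# "IAT <process>[<pid>] @ <importing module> [<imported function>] [<address>] <owner>"
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<importer>.+?)\s+\[(?P<func>[^\]]+)\]"
    r"\s+\[(?P<addr>[0-9A-F]+)\]\s+(?P<target>.+?)\s*$", re.I)
# "Library <path> (<flags>) @ <process> [<pid>] <base>"; the flags group is optional
LIB_RE = re.compile(
    r"^Library\s+(?P<lib>.+?)\s+(?:\((?P<flags>[^)]*)\)\s+)?@\s+(?P<proc>.+?)\s+\[(?P<pid>\d+)\]"
    r"\s+(?P<base>0x[0-9A-F]+)\s*$", re.I)
# A module loaded via the object-manager device namespace rather than a drive letter
DEVICE_NS = re.compile(r"^\\\\\?\\globalroot\\device\\", re.I)

# Security-product executables visible in the posted log (Symantec AntiVirus components)
SECURITY_PROCESSES = {"rtvscan.exe", "ccapp.exe", "vptray.exe"}


def parse_gmer(text):
    """Collect the user-mode findings of a GMER log, keyed by the library that owns them."""
    libs = defaultdict(lambda: {"hidden": False, "bases": set(), "processes": set(),
                                "inline_hooks": set(), "iat_hooks": set()})
    for line in text.splitlines():
        line = line.strip()
        if m := INLINE_RE.match(line):
            rec = libs[m["target"]]
            rec["inline_hooks"].add(f"{m['mod']}!{m['func']}")
            rec["processes"].add((m["proc"], int(m["pid"])))
        elif m := IAT_RE.match(line):
            rec = libs[m["target"]]
            rec["iat_hooks"].add(m["func"])
            rec["processes"].add((m["proc"], int(m["pid"])))
        elif m := LIB_RE.match(line):
            rec = libs[m["lib"]]
            rec["processes"].add((m["proc"], int(m["pid"])))
            rec["bases"].add(m["base"].lower())
            if m["flags"] and "hidden" in m["flags"].lower():
                rec["hidden"] = True
    return dict(libs)


def triage(libs):
    """Return only the libraries with something to explain, most-suspicious first."""
    findings = []
    for path, rec in libs.items():
        reasons = []
        if rec["hidden"]:
            reasons.append("flagged hidden by GMER (absent from the process's module list)")
        if DEVICE_NS.match(path):
            reasons.append("loaded from a raw device namespace path, not a drive letter")
        if rec["inline_hooks"]:
            reasons.append("inline hooks: " + ", ".join(sorted(rec["inline_hooks"])))
        if rec["iat_hooks"]:
            reasons.append("IAT hooks: " + ", ".join(sorted(rec["iat_hooks"])))
        if reasons:
            findings.append({"library": path, "process_count": len(rec["processes"]),
                             "processes": sorted(rec["processes"], key=lambda p: p[1]),
                             "bases": sorted(rec["bases"]), "reasons": reasons})
    return sorted(findings, key=lambda f: -len(f["reasons"]))


def injected_security_processes(findings):
    """Security-product processes that host a flagged library (why the scanners die)."""
    hits = set()
    for f in findings:
        for proc, pid in f["processes"]:
            if proc.rsplit("\\", 1)[-1].lower() in SECURITY_PROCESSES:
                hits.add((proc, pid))
    return sorted(hits)


if __name__ == "__main__":
    for f in triage(parse_gmer(SAMPLE_LOG)):
        print(f["library"], "in", f["process_count"], "processes at", f["bases"])
        for r in f["reasons"]:
            print("  -", r)
    print("security processes hosting it:", injected_security_processes(triage(parse_gmer(SAMPLE_LOG))))
```

Run against the full posted log, the same code reports the one `D23AB2CA.x86.dll` module at base `0x35670000` in fifteen processes, five hook targets (two in the IAT, three inline), and the Symantec processes among its hosts; the control line in the sample shows that a library with no hidden flag, drive-letter path and no hooks produces no finding at all.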