Another Google redirect virus/rootkit, initial steps completed

Status
Not open for further replies.
Today's ESET scan log:

# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=21ab28d4b5418f4badb0eaaef87b47e4
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-05-20 09:16:25
# local_time=2010-05-20 03:16:25 (-0700, Mountain Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 1796373 1796373 0 0
# compatibility_mode=5121 16776869 100 96 3629560 27216793 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 949526 949526 0 0
# scanned=117109
# found=1
# cleaned=0
# scan_time=10116
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\isapnp.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
 
Regarding my earlier comments on the Logitech dll file, I found this post which, to my uneducated eye, seems to reassure that this is a legit file that could interact with ComboFix, but I will leave that to your judgment.

http://forums.logitech.com/t5/Webcams/Temp-Folder-installation-LVPrcInj01-dll/m-p/323837

The LvPrcInj.dll is injected into running processes using the ProcMon service ("Process Monitor"). The injector is used by the Video Effects engine to replace streaming video with the video effect. It is always enabled, as you could turn a video effect on and off in a video app at any time. The injector must be loaded into the application memory-space to be useful.

However, because the injector is loaded into a process, the file is now locked by Windows. It cannot be deleted. Prior to 11.7, this caused some uninstall and upgrade issues -- as the injector cannot be deleted or replaced without a computer restart. Sometimes a new Process Monitor service would attempt to load the older injector.

In 11.7, the Process Monitor service was updated to copy the injector to the Windows\Temp directory and inject from this location. This fixed the problem, as the Process Monitor tries to clean itself up when unloading (as during uninstall). And during the upgrade, the LvPrcInj.dll in the %COMMONFILES%\LogiShrd\LVMVFM directory is not locked, so it can be overwritten. When the Process Monitor is restarted, it will copy the injector to Windows\Temp and begin injecting using the upgraded file. This is also why the file is named "LvPrcInj01.dll"... The Process Monitor renames the injector to the new name if necessary ("LvPrcInj02.dll"... "LvPrcInj03.dll"... etc.).

You might want to disable the "Process Monitor" service and restart your system. That should disable the injection. However, you won't be able to use Video Effects if the service (and the injector) are disabled.

I'll add this as a suggestion for future improvement - perhaps using a different directory from Windows\Temp. However, a single injector needs to be available to all users (during Fast User Switching, Logon/Logoff, etc.). This is why Windows\Temp was chosen.

Hope that helps!
-geepers
Install Software Engineer
QuickCam Software Team
Logitech Inc.
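Added example, not from the thread or from ESET: a small parser for the scan log format pasted above that flags whether each detection sits in a quarantine folder (here ComboFix's C:\Qoobox\Quarantine, with the .vir extension ComboFix adds), which is the point that decides whether a hit is an active infection or an already-neutralised file. The sample log is a constructed, trimmed copy of the posted one.

```python
import re

# Constructed sample, trimmed from the log posted above (ESET writes the
# detection fields tab-separated; the forum paste collapsed them to spaces).
SAMPLE_LOG = """# version=7
# antistealth_checked=true
# utc_time=2010-05-20 09:16:25
# scanned=117109
# found=1
# cleaned=0
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\Drivers\\isapnp.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
"""

# path  threat-name  32-hex-digest  status-flag; assumes no spaces in the path
_DETECTION = re.compile(
    r"^(?P<path>\S+)\s+(?P<threat>.+?)\s+(?P<digest>[0-9a-fA-F]{32})\s+(?P<status>\S+)$"
)


def is_quarantined(path: str) -> bool:
    """ComboFix parks what it removes under C:\\Qoobox\\Quarantine and gives
    it a .vir extension; either marker means the file is inert, not live."""
    parts = [p.lower() for p in re.split(r"[\\/]", path)]
    return "quarantine" in parts or path.lower().endswith(".vir")


def parse_eset_log(text: str):
    """Return (header, detections).  Header lines are '# key=value'; a
    repeated key (e.g. compatibility_mode) keeps its last value.  Each
    detection is a dict with path, threat, digest, status and a quarantined flag."""
    header, found = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if sep:
                header[key] = value
            continue
        m = _DETECTION.match(line)
        if m:                      # skip anything that is not a detection record
            found.append({**m.groupdict(), "quarantined": is_quarantined(m["path"])})
    return header, found


def active_threats(text: str):
    """Detections outside any quarantine folder: the ones still needing action."""
    return [d for d in parse_eset_log(text)[1] if not d["quarantined"]]
```

Run against the posted log, the single Olmarik hit is reported as quarantined and active_threats() comes back empty, which matches the found=1 / cleaned=0 header: ESET saw the file but did not need to clean it.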
 
According to Errors, it looks like the system crashed 4/29/2010 1:23:06 AM
Do you have automatic updates scheduled for this time?
All of the Services stopped: At 4/29/2010 1:24:17 AM, error: Service Control Manager [7032] - The Service Control Manager tried Restart the McAfee Services service, but this action failed with the following error: An instance of the service is already running.

The last actions on the system were the night before 4/28/2010 9:31:35 PM, when these Bus Extenders failed to load:
AliIde IntelIdaliide ViaIde AKA:
"ALI IDE Bus Driver",
"Intel IDE BUS Driver",
"VIA IDE Bus Driver",


These are usually found in Txtsetup.sif, a setup information file (.sif) used primarily for text-mode setup.

Right before that:

4/28/2010 9:30:49 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

And between 4/28/2010 5:33:54 AM and 4/27/2010 11:22:32 PM, 2 crash dumps failed with instructions to "Make sure there is a page file on the boot partition and that is large enough to contain all physical memory."

DDS (Ver_10-03-17.01) - NTFSx86 Run at 1:55:02.42 on Thu 04/29/2010
DDS was run at System Uptime: 4/29/2010 1:30:43 AM

At the time of these logs, you were running Hitman Pro.
=========================
It would be interesting to know what went on on your system between 9:30PM on 4/28 and 1:23AM on 4/29. Let me know when you get back and we'll finish this up.
 
Bobbye,

Not sure I have an answer for you regarding what happened then. I could have been ineptly trying to clear the malware at that point if Hitman Pro was running. I will touch base again in mid-June for finishing the clean-up. Thanks for keeping the thread open till I'm back, and of course thank you for all of your able assistance up to this point... :)

Keep well,
Riverland1
 
Writing myself a note to keep open...

Bobbye, OP will return in Jun. Keep thread active.
 