Cannot delete C:\Windows\lpt1.idm - AV reports as a Win32/Small.JR

Guest

When Windows tries to delete this file "lpt1.idm" it shows the message box:

"Cannot delete lpt1: The parameter is incorrect"

Nod32 (my AntiVirus) errors when deleting / quarantining it.
The virus warning appears every time I load an application such as: Internet
Explorer, FireFox, MSN Messenger, Microsoft ActiveSync etc. I of course
thought "C:\Windows\System32\RunDll32.exe" was infected, but after replacing
that file in Windows Safe Mode, the virus remains. Incidentally, this
"lpt1.idm" file does not appear at its location in Windows Safe Mode. While in
Safe Mode I tried to create a blank file with the name "lpt1.idm" in the
"C:\Windows\" folder, hoping this would prevent the virus being recreated
next time Windows loads, but Windows would not let me create it; it errored
"make sure the disk is not full or write protected".

I did a search through the registry and found in here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

The key "AppInit_DLLs" holds the value "\\?\C:\WINDOWS\lpt1.idm"

I of course deleted the value, but a refresh brought the same value back. The
same happened when I deleted the key itself.

I then went into Control panel > software explorer and looked in all 4
categories and found nothing with the name "lpt1.idm" nor referencing it.

It is not on my other computers so it definitely is not required for another
application.
Can someone help me get rid of this file?

Neil.
 
Malke

Neil said:
When Windows tries to delete this file "lpt1.idm" it shows the message box:

"Cannot delete lpt1: The parameter is incorrect"

Nod32 (my AntiVirus) errors when deleting / quarantining it.
The virus warning appears every time I load an application such as:
Internet Explorer, FireFox, MSN Messenger, Microsoft ActiveSync etc. I
of course thought "C:\Windows\System32\RunDll32.exe" was infected, but
after replacing that file in Windows Safe Mode, the virus remains.
Incidentally, this "lpt1.idm" file does not appear at its location in
Windows Safe Mode. While in Safe Mode I tried to create a blank file
with the name "lpt1.idm" in the "C:\Windows\" folder, hoping this
would prevent the virus being recreated next time Windows loads, but
Windows would not let me create it; it errored "make sure the disk is
not full or write protected".

I did a search through the registry and found in here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows

The key "AppInit_DLLs" holds the value "\\?\C:\WINDOWS\lpt1.idm"

I of course deleted the value, but a refresh brought the same value
back. The same happened when I deleted the key itself.

The problem is that the trojan has cleverly given itself a protected and
reserved name - "lpt1". See this MS Knowledge Base article about
removing files with reserved names in XP:

http://support.microsoft.com/?kbid=315226

However, it also sounds like the trojan is one that respawns. It has a
"guard" file somewhere.

Depending on your skill and available tools, you might be able to boot
with a Bart's PE and remove the "guard" file and then delete the "lpt1"
file(s). However, I would suggest that you run HijackThis and post your
log and a description of the problem at one of these specialty forums
(not here, please):

http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forums.subratam.org/index.php?showforum=7
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/

Malke
 
David H. Lipman

From: "Malke" <[email protected]>

| Neil wrote:
||
| The problem is that the trojan has cleverly given itself a protected and
| reserved name - "lpt1". See this MS Knowledge Base article about
| removing files with reserved names in XP:
|
| http://support.microsoft.com/?kbid=315226
|
| However, it also sounds like the trojan is one that respawns. It has a
| "guard" file somewhere.
|
| Depending on your skill and available tools, you might be able to boot
| with a Bart's PE and remove the "guard" file and then delete the "lpt1"
| file(s). However, I would suggest that you run HijackThis and post your
| log and a description of the problem at one of these specialty forums
| (not here, please):
|
| http://www.atribune.org/forums/index.php?showforum=9
| http://aumha.net/viewforum.php?f=30
| http://www.bleepingcomputer.com/forums/forum22.html
| http://castlecops.com/forum67.html
| http://www.dslreports.com/forum/cleanup
| http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
| http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
| http://gladiator-antivirus.com/forum/index.php?showforum=170
| http://forums.subratam.org/index.php?showforum=7
| http://spywarewarrior.com/viewforum.php?f=5
| http://forums.techguy.org/54-security/
| http://forums.tomcoyote.org/
|
| Malke

Malke:

Does this SOUND familiar ?
It reeks of the RottKit malware we were discussing based upon the document by "Eraser".
 
Malke

David said:
Malke:

Does this SOUND familiar ?
It reeks of the RottKit malware we were discussing based upon the
document by "Eraser".

Yes, it does. I thought it sounded familiar but your memory is better
than mine and I couldn't remember the name of the particular malware.
Link Optimizer? If this is that rootkit, then the OP should just back
up his stuff and clean install. You know I hate to say that, but if
there's a *real* rootkit (not just *perceived*) it's the only way to be
sure the machine is clean. If I get a box in here infected with Linkie,
I might play with it just to see what happens but I wouldn't be happy
giving it back to the client without flattening the system.

We'll see if the OP comes back.

Cheers,

Malke
 
David H. Lipman

From: "Malke" <[email protected]>

| Yes, it does. I thought it sounded familiar but your memory is better
| than mine and I couldn't remember the name of the particular malware.
| Link Optimizer? If this is that rootkit, then the OP should just back
| up his stuff and clean install. You know I hate to say that, but if
| there's a *real* rootkit (not just *perceived*) it's the only way to be
| sure the machine is clean. If I get a box in here infected with Linkie,
| I might play with it just to see what happens but I wouldn't be happy
| giving it back to the client without flattening the system.
|
| We'll see if the OP comes back.
|
| Cheers,
|
| Malke

Yes...

According to Eraser...

"After the rootkit is loaded, it modifies the APPInit_DLLs key at
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
loading itself (with the \\?\ prefix if it is using a reserved name and not the ADS
method)."

Neil indicated he has a reserved file name (not an NTFS alternative data stream)...
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
The key "AppInit_DLLs" holds the value "\\?\C:\WINDOWS\lpt1.idm"


Eraser's document was a very good read.
This is a very nasty RootKit infection and requires "professional and personal attention" !

Without such professional and personal attention, a wipe and re-load is duly warranted.
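The mechanism David quotes from Eraser is worth making concrete for anyone triaging a similar box. AppInit_DLLs on Windows XP is loaded into every process that links user32.dll, which is why the AV alert fired on every GUI application Neil started. The base name "lpt1" is a reserved DOS device name, so the ordinary Win32 path namespace (Explorer, del, most AV engines) refuses to create or delete "C:\WINDOWS\lpt1.idm", while the "\\?\" prefix in the registry value turns that normalisation off and lets the loader open the file anyway. The script below is an added example written for this thread; it is not code from any of the posters or from Eraser's document. It parses an AppInit_DLLs value and flags entries that use the extended-length prefix, a reserved device name, or a non-.dll extension; the sample values are constructed (the "vendorhook.dll" path is hypothetical), the space-or-comma separator rule is the documented AppInit_DLLs format, and the live registry read runs only on Windows.

```python
"""Inspect an AppInit_DLLs value for the reserved-name / \\?\ prefix tricks described above.

Added example for this thread, not code from any poster. Sample values below are
constructed for illustration; the real registry value is read only on Windows.
"""
import re
import sys

# Win32 reserved DOS device names. A path whose base name (the part before the first
# '.') matches one of these is treated as a device by the normal Win32 path namespace,
# so Explorer, del and most AV engines cannot create or delete "C:\WINDOWS\lpt1.idm".
# The "\\?\" prefix disables that normalisation, which is how the loader still opens it.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)
EXTENDED_PREFIX = "\\\\?\\"  # the four characters \\?\

# Key named in the thread (and in Eraser's description).
REGISTRY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"


def split_appinit_dlls(value: str) -> list[str]:
    """AppInit_DLLs is one REG_SZ string; entries are separated by spaces or commas."""
    return [entry for entry in re.split(r"[ ,]+", value.strip()) if entry]


def base_name(path: str) -> str:
    """File name portion before its first '.'. Win32 applies the device-name rule to
    that portion, so 'lpt1.idm' is still LPT1 as far as the Win32 namespace is concerned."""
    file_name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return file_name.split(".", 1)[0].rstrip(" ")


def is_reserved_device_name(path: str) -> bool:
    return base_name(path).upper() in RESERVED_DEVICE_NAMES


def analyze_appinit_dlls(value: str) -> list[dict]:
    """Classify each entry of an AppInit_DLLs value; 'reasons' is empty when nothing is notable."""
    findings = []
    for entry in split_appinit_dlls(value):
        reasons = []
        if entry.startswith(EXTENDED_PREFIX):
            reasons.append("extended-length \\\\?\\ prefix bypasses Win32 name checks")
        if is_reserved_device_name(entry):
            reasons.append(f"base name '{base_name(entry)}' is a reserved device name")
        if not entry.lower().endswith(".dll"):
            reasons.append("extension is not .dll")
        findings.append({"entry": entry, "suspicious": bool(reasons), "reasons": reasons})
    return findings


def read_appinit_dlls():
    """Read the live value on Windows; returns None elsewhere or if the value is absent."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REGISTRY_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
            return value
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed values: the one Neil reported, plus a hypothetical benign-looking entry.
    samples = [
        r"\\?\C:\WINDOWS\lpt1.idm",
        r"C:\WINDOWS\system32\vendorhook.dll",
    ]
    live = read_appinit_dlls()
    for value in ([live] if live else []) + samples:
        for finding in analyze_appinit_dlls(value):
            flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
            print(f"{flag:10} {finding['entry']}")
            for reason in finding["reasons"]:
                print(f"           - {reason}")
```

Run on the value from the thread, the first sample is flagged twice (prefix and reserved name) plus once for the extension, while the hypothetical .dll entry passes. Note that a benign DLL in a path containing spaces has to be listed in 8.3 short form, because the separator rule splits on spaces; the parser above follows the same rule rather than trying to guess.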
 
David H. Lipman

From: "Neil" <[email protected]>

| When windows tries to delete this file "lpt1.idm" it messagebox's
|
| "Cannot delete lpt1: The parameter is incorrect"

< snip >

Neil:

This is a bad and insidious Trojan RootKit and Adware combo and needs expert attention.

I am obtaining the *best* place for you to post your problem to get quick and personal
attention and I am awaiting that information.

In the mean time, I have been asked to query you if you have "Brave Sentry" on your PC.
 
Guest

Hi, thank you all for the many replies :D.
I tried that site explaining dos commands for my NTFS system but it returned
"invalid network path".
I have not tried the HijackThis application just yet but from reading later
replies I assume it is no longer necessary seeing as you have figured out
what the virus is.
I can tell you I have not got "Brave Sentry" installed.
A rebuild would be acceptable as a last resort but I would rather remove the
virus so I will await your reply before doing anything else.

Awaiting your wisdom :),
Neil.
 
Guest

I see no way of editing my previous post so I'll post again. I got a small
question about this virus, what does it actually do?
 
Malke

Neil said:
Hi, thank you all for the many replies :D.
I tried that site explaining dos commands for my NTFS system but it
returned "invalid network path".
I have not tried the HijackThis application just yet but from reading
later replies I assume it is no longer necessary seeing as you have
figured out what the virus is.
I can tell you I have not got "Brave Sentry" installed.
A rebuild would be acceptable as a last resort but I would rather
remove the virus so I will await your reply before doing anything
else.

Neil, we should wait for David to come back. I don't know why he asked
you specifically about Brave Sentry. Brave Sentry is another of the
many Smitfraud/Spyaxe/SpySheriff etc. variants. If you have the trojan
we think you have, then removing it and then being sure your computer
is 100% clean will be quite difficult, even for a professional. I'm not
dissing your mad skilz, just being practical.

Unless David has some other advice, here's mine:

1. Back up your data.
2. Either take the machine to a local professional who is extremely
skilled at removing malware (not a BigStoreUSA type of place!) OR do a
clean install of Windows. Even if you take the machine to a pro, the
pro may feel a clean install is necessary. The pro must be up on the
very latest developments in malware because the infection we think you
may have (and remember, we can't see your computer so David and I are
making educated guesses) is quite new.

After you get cleaned up, review the information at at least some of the
"Safe Hex" sites linked below so this doesn't happen again.

http://michaelstevenstech.com/cleanxpinstall.html - Clean Install How-To
http://www.elephantboycomputers.com/page2.html#reinstall_Windows - What
you will need on-hand

Safe Hex:

http://www.wilderssecurity.com/showthread.php?t=27971 - So How Did I Get
Infected Anyway?
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://www.claymania.com/safe-hex.html
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://msmvps.com/blogs/harrywaldron/archive/2006/02/05/82584.aspx - MVP
Harry Waldron - The Family PC - How to stay safe on the Internet
http://www.spywarewarrior.com/rogue_anti-spyware.htm - Eric Howes on
Rogue Antispyware Programs

Malke
 
David H. Lipman

From: "Neil" <[email protected]>

| Hi, thank you all for the many replies :D.
| I tried that site explaining dos commands for my NTFS system but it returned
| "invalid network path".
| I have not tried the HijackThis application just yet but from reading later
| replies I assume it is no longer necessary seeing as you have figured out
| what the virus is.
| I can tell you I have not got "Brave Sentry" installed.
| A rebuild would be acceptable as a last resort but I would rather remove the
| virus so I will await your reply before doing anything else.
|
| Awaiting your wisdom :),
| Neil.


OK:

This comes from an "Expert" dealing with this family of malware...

Please register at :-

http://mr.malwareremoval.net/phpbb3/

Tell ChrisRLG that I sent 'ya.
 
David H. Lipman

From: "Neil" <[email protected]>

| I see no way of editing my previous post so I'll post again. I got a small
| question about this virus, what does it actually do?
|


It is NOT a virus but a Trojan RootKit working with Adware.

Due to the sensitive nature of the malware, I'd rather NOT discuss it in public.

You have two choices...

Wipe your PC of all data and reinstall the OS from scratch

or

Go to the forum I directed you to and ask any/all questions there.
 
Guest

I have registered and am now awaiting my account's activation, thank you both
for all your help :).

Neil.
 
Malke

David said:
From: "Neil" <[email protected]>

| I see no way of editing my previous post so I'll post again. I got a
| small question about this virus, what does it actually do?
|


It is NOT a virus but a Trojan RootKit working with Adware.

Due to the sensitive nature of the malware, I'd rather NOT discuss it
in public.

You have two choices...

Wipe your PC of all data and reinstall the OS from scratch

or

Go to the forum I directed you to and ask any/all questions there.

Thanks for handling this David. Neil, you now know your choices. I
completely concur with David. If you want to put the time and effort
into cleaning the computer, then you need to register and post at the
link David gave you. Otherwise, it's a clean install.

Good luck whatever you choose,

Malke
 
David H. Lipman

From: "Neil" <[email protected]>

| I have registered and am now awaiting my account's activation, thank you both
| for all your help :).
|
| Neil.

OK. Please discontinue this thread. I will ask about your progress in a "private" forum.

Good luck !
 