
Cannot delete C:\Windows\lpt1.idm - AV reports as a Win32/Small.JR


Neil
August 25th 06, 07:16 PM
When Windows tries to delete this file "lpt1.idm" it shows a message box:

"Cannot delete lpt1: The parameter is incorrect"

Nod32 (my AntiVirus) errors when deleting / quarantining it.
The virus warning appears every time I load an application such as: Internet
Explorer, FireFox, MSN Messenger, Microsoft ActiveSync etc. I of course
thought "C:\Windows\System32\RunDll32.exe" was infected, but after replacing
that file in Windows Safe Mode, the virus remains. Incidentally, this
"lpt1.idm" file does not appear at its location in Windows Safe Mode. While in
Safe Mode I tried to create a blank file with the name "lpt1.idm" in the
"C:\Windows\" folder, hoping this would prevent the virus being recreated
next time Windows loads, but Windows would not let me create it; it errored
"make sure the disk is not full or write protected".

I did a search through the registry and found in here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

The key "AppInit_DLLs" holds the value "\\?\C:\WINDOWS\lpt1.idm"

I of course deleted the value, but a refresh brought the same value back. The
same happened when I deleted the key itself.

I then went into Control panel > software explorer and looked in all 4
categories and found nothing with the name "lpt1.idm" nor referencing it.

It is not on my other computers so it definitely is not required for another
application.
Can someone help me get rid of this file?

Neil.

Malke
August 25th 06, 07:52 PM
Neil wrote:

> When Windows tries to delete this file "lpt1.idm" it shows a message box:
>
> "Cannot delete lpt1: The parameter is incorrect"
>
> Nod32 (my AntiVirus) errors when deleting / quarantining it.
> The virus warning appears every time I load an application such as:
> Internet Explorer, FireFox, MSN Messenger, Microsoft ActiveSync etc. I
> of course thought "C:\Windows\System32\RunDll32.exe" was infected, but
> after replacing that file in Windows Safe Mode, the virus remains.
> Incidentally, this "lpt1.idm" file does not appear at its location in
> Windows Safe Mode. While in Safe Mode I tried to create a blank file
> with the name "lpt1.idm" in the "C:\Windows\" folder, hoping this
> would prevent the virus being recreated next time Windows loads, but
> Windows would not let me create it; it errored "make sure the disk is
> not full or write protected".
>
> I did a search through the registry and found in here:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Windows
>
> The key "AppInit_DLLs" holds the value "\\?\C:\WINDOWS\lpt1.idm"
>
> I of course deleted the value, but a refresh brought the same value
> back. The same happened when I deleted the key itself.

The problem is that the trojan has cleverly given itself a protected and
reserved name - "lpt1". See this MS Knowledge Base article about
removing files with reserved names in XP:

http://support.microsoft.com/?kbid=315226

However, it also sounds like the trojan is one that respawns. It has a
"guard" file somewhere.

Depending on your skill and available tools, you might be able to boot
with a Bart's PE and remove the "guard" file and then delete the "lpt1"
file(s). However, I would suggest that you run HijackThis and post your
log and a description of the problem at one of these specialty forums
(not here, please):

http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forums.subratam.org/index.php?showforum=7
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

David H. Lipman
August 25th 06, 09:48 PM
From: "Malke" >

| Neil wrote:
|
>> When Windows tries to delete this file "lpt1.idm" it shows a message box:
>>
>> "Cannot delete lpt1: The parameter is incorrect"
>>
>> Nod32 (my AntiVirus) errors when deleting / quarantining it.
>> The virus warning appears every time I load an application such as:
>> Internet Explorer, FireFox, MSN Messenger, Microsoft ActiveSync etc. I
>> of course thought "C:\Windows\System32\RunDll32.exe" was infected, but
>> after replacing that file in Windows Safe Mode, the virus remains.
>> Incidentally, this "lpt1.idm" file does not appear at its location in
>> Windows Safe Mode. While in Safe Mode I tried to create a blank file
>> with the name "lpt1.idm" in the "C:\Windows\" folder, hoping this
>> would prevent the virus being recreated next time Windows loads, but
>> Windows would not let me create it; it errored "make sure the disk is
>> not full or write protected".
>>
>> I did a search through the registry and found in here:
>>
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
>> NT\CurrentVersion\Windows
>>
>> The key "AppInit_DLLs" holds the value "\\?\C:\WINDOWS\lpt1.idm"
>>
>> I of course deleted the value, but a refresh brought the same value
>> back. The same happened when I deleted the key itself.
|
| The problem is that the trojan has cleverly given itself a protected and
| reserved name - "lpt1". See this MS Knowledge Base article about
| removing files with reserved names in XP:
|
| http://support.microsoft.com/?kbid=315226
|
| However, it also sounds like the trojan is one that respawns. It has a
| "guard" file somewhere.
|
| Depending on your skill and available tools, you might be able to boot
| with a Bart's PE and remove the "guard" file and then delete the "lpt1"
| file(s). However, I would suggest that you run HijackThis and post your
| log and a description of the problem at one of these specialty forums
| (not here, please):
|
| http://www.atribune.org/forums/index.php?showforum=9
| http://aumha.net/viewforum.php?f=30
| http://www.bleepingcomputer.com/forums/forum22.html
| http://castlecops.com/forum67.html
| http://www.dslreports.com/forum/cleanup
| http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
| http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
| http://gladiator-antivirus.com/forum/index.php?showforum=170
| http://forums.subratam.org/index.php?showforum=7
| http://spywarewarrior.com/viewforum.php?f=5
| http://forums.techguy.org/54-security/
| http://forums.tomcoyote.org/
|
| Malke

Malke:

Does this SOUND familiar?
It reeks of the RootKit malware we were discussing based upon the document by "Eraser".

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Malke
August 26th 06, 03:12 AM
David H. Lipman wrote:

> Malke:
>
> Does this SOUND familiar?
> It reeks of the RootKit malware we were discussing based upon the
> document by "Eraser".
>

Yes, it does. I thought it sounded familiar but your memory is better
than mine and I couldn't remember the name of the particular malware.
Link Optimizer? If this is that rootkit, then the OP should just back
up his stuff and clean install. You know I hate to say that, but if
there's a *real* rootkit (not just *perceived*) it's the only way to be
sure the machine is clean. If I get a box in here infected with Linkie,
I might play with it just to see what happens but I wouldn't be happy
giving it back to the client without flattening the system.

We'll see if the OP comes back.

Cheers,

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

David H. Lipman
August 26th 06, 03:23 AM
From: "Malke" >

| Yes, it does. I thought it sounded familiar but your memory is better
| than mine and I couldn't remember the name of the particular malware.
| Link Optimizer? If this is that rootkit, then the OP should just back
| up his stuff and clean install. You know I hate to say that, but if
| there's a *real* rootkit (not just *perceived*) it's the only way to be
| sure the machine is clean. If I get a box in here infected with Linkie,
| I might play with it just to see what happens but I wouldn't be happy
| giving it back to the client without flattening the system.
|
| We'll see if the OP comes back.
|
| Cheers,
|
| Malke

Yes...

According to Eraser...

"After the rootkit is loaded, it modifies the APPInit_DLLs key at
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
loading itself (with the \\?\ prefix if it is using a reserved name and not the ADS
method)."

Neil indicated he has a reserved file name (not an NTFS alternate data stream)...
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
The key "AppInit_DLLs" holds the value "\\?\C:\WINDOWS\lpt1.idm""


Eraser's document was a very good read.
This is a very nasty RootKit infection and requires "professional and personal attention"!

Without such professional and personal attention, a wipe and re-load is duly warranted.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
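An added audit script (not from this thread or from Eraser's document) for the AppInit_DLLs value discussed by Malke and Dave above: it flags the \\?\ prefix, a reserved device-name stem such as lpt1, and the NTFS alternate-data-stream form, reading the live value through winreg on Windows and otherwise running on a constructed sample that contains the entry Neil reported plus two made-up entries.

```python
import re

# Reserved DOS device names. Windows refuses ordinary create/delete on these
# stems whatever the extension, which is why "lpt1.idm" cannot be removed
# through Explorer (Microsoft KB 315226 covers deleting such files).
RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                  | {f"COM{i}" for i in range(1, 10)}
                  | {f"LPT{i}" for i in range(1, 10)})

# Constructed sample value: the first entry is the one Neil reported; the
# other two are made up here (a benign DLL and an ADS-style loader).
SAMPLE_VALUE = (r"\\?\C:\WINDOWS\lpt1.idm "
                r"C:\WINDOWS\system32\normal.dll "
                r"C:\WINDOWS\system32\calc.exe:hide.dll")

def split_appinit(value):
    """AppInit_DLLs holds a space- or comma-separated list of DLL paths."""
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]

def analyse_entry(entry):
    """Return the list of red flags found in one AppInit_DLLs entry."""
    flags = []
    path = entry
    if path.startswith("\\\\?\\"):
        # The Win32 namespace prefix skips DOS name parsing, so a reserved
        # name can be opened as a file; ordinary DLL entries never need it.
        flags.append("WIN32_NAMESPACE_PREFIX")
        path = path[4:]
    name = path.rsplit("\\", 1)[-1]
    if ":" in name:
        # A colon in the file-name part selects an NTFS alternate data stream.
        flags.append("ALTERNATE_DATA_STREAM")
        name = name.split(":", 1)[0]
    stem = name.split(".", 1)[0].upper()
    if stem in RESERVED_NAMES:
        flags.append(f"RESERVED_NAME:{stem}")
    return flags

def audit(value):
    """Map every entry of an AppInit_DLLs value to its red flags."""
    return {entry: analyse_entry(entry) for entry in split_appinit(value)}

def read_live_value():
    """Read the live value under HKLM on Windows; None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    sub = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
        value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
    return value
```

Running `audit(read_live_value() or SAMPLE_VALUE)` returns an empty flag list for every entry on a machine whose AppInit_DLLs value is clean; any entry with flags deserves a closer look.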

David H. Lipman
August 26th 06, 01:42 PM
From: "Neil" >

| When windows tries to delete this file "lpt1.idm" it messagebox's
|
| "Cannot delete lpt1: The parameter is incorrect"

< snip >

Neil:

This is a bad and insidious Trojan RootKit and Adware combo and needs expert attention.

I am obtaining the *best* place for you to post your problem to get quick and personal
attention and I am awaiting that information.

In the meantime, I have been asked to query you if you have "Brave Sentry" on your PC.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Neil
August 26th 06, 07:10 PM
Hi, thank you all for the many replies :D.
I tried that site explaining dos commands for my NTFS system but it returned
"invalid network path".
I have not tried the HijackThis application just yet but from reading later
replies I assume it is no longer necessary seeing as you have figured out
what the virus is.
I can tell you I have not got "Brave Sentry" installed.
A rebuild would be acceptable as a last resort but I would rather remove the
virus so I will await your reply before doing anything else.

Awaiting your wisdom :),
Neil.

"David H. Lipman" wrote:

> From: "Neil" >
>
> | When windows tries to delete this file "lpt1.idm" it messagebox's
> |
> | "Cannot delete lpt1: The parameter is incorrect"
>
> < snip >
>
> Neil:
>
> This is a bad and insidious Trojan RootKit and Adware combo and needs expert attention.
>
> I am obtaining the *best* place for you to post your problem to get quick and personal
> attention and I am awaiting that information.
>
> In the meantime, I have been asked to query you if you have "Brave Sentry" on your PC.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

Neil
August 26th 06, 07:33 PM
I see no way of editing my previous post so I'll post again. I got a small
question about this virus, what does it actually do?

"David H. Lipman" wrote:

> From: "Neil" >
>
> | When windows tries to delete this file "lpt1.idm" it messagebox's
> |
> | "Cannot delete lpt1: The parameter is incorrect"
>
> < snip >
>
> Neil:
>
> This is a bad and insidious Trojan RootKit and Adware combo and needs expert attention.
>
> I am obtaining the *best* place for you to post your problem to get quick and personal
> attention and I am awaiting that information.
>
> In the meantime, I have been asked to query you if you have "Brave Sentry" on your PC.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

Malke
August 26th 06, 07:34 PM
Neil wrote:

> Hi, thank you all for the many replies :D.
> I tried that site explaining dos commands for my NTFS system but it
> returned "invalid network path".
> I have not tried the HijackThis application just yet but from reading
> later replies I assume it is no longer necessary seeing as you have
> figured out what the virus is.
> I can tell you I have not got "Brave Sentry" installed.
> A rebuild would be acceptable as a last resort but I would rather
> remove the virus so I will await your reply before doing anything
> else.

Neil, we should wait for David to come back. I don't know why he asked
you specifically about Brave Sentry. Brave Sentry is another of the
many Smitfraud/Spyaxe/SpySheriff etc. variants. If you have the trojan
we think you have, then removing it and then being sure your computer
is 100% clean will be quite difficult, even for a professional. I'm not
dissing your mad skilz, just being practical.

Unless David has some other advice, here's mine:

1. Back up your data.
2. Either take the machine to a local professional who is extremely
skilled at removing malware (not a BigStoreUSA type of place!) OR do a
clean install of Windows. Even if you take the machine to a pro, the
pro may feel a clean install is necessary. The pro must be up on the
very latest developments in malware because the infection we think you
may have (and remember, we can't see your computer so David and I are
making educated guesses) is quite new.

After you get cleaned up, review the information at at least some of the
"Safe Hex" sites linked below so this doesn't happen again.

http://michaelstevenstech.com/cleanxpinstall.html - Clean Install How-To
http://www.elephantboycomputers.com/page2.html#reinstall_Windows - What
you will need on-hand

Safe Hex:

http://www.wilderssecurity.com/showthread.php?t=27971 - So How Did I Get
Infected Anyway?
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://www.claymania.com/safe-hex.html
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://msmvps.com/blogs/harrywaldron/archive/2006/02/05/82584.aspx - MVP
Harry Waldron - The Family PC - How to stay safe on the Internet
http://www.spywarewarrior.com/rogue_anti-spyware.htm - Eric Howes on
Rogue Antispyware Programs

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

David H. Lipman
August 26th 06, 07:37 PM
From: "Neil" >

| Hi, thank you all for the many replies :D.
| I tried that site explaining dos commands for my NTFS system but it returned
| "invalid network path".
| I have not tried the HijackThis application just yet but from reading later
| replies I assume it is no longer necessary seeing as you have figured out
| what the virus is.
| I can tell you I have not got "Brave Sentry" installed.
| A rebuild would be acceptable as a last resort but I would rather remove the
| virus so I will await your reply before doing anything else.
|
| Awaiting your wisdom :),
| Neil.


OK:

This comes from an "Expert" dealing with this family of malware...

Please register at :-

http://mr.malwareremoval.net/phpbb3/

Tell ChrisRLG that I sent 'ya.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman
August 26th 06, 07:59 PM
From: "Neil" >

| I see no way of editing my previous post so I'll post again. I got a small
| question about this virus, what does it actually do?
|


It is NOT a virus but a Trojan RootKit working with Adware.

Due to the sensitive nature of the malware, I'd rather NOT discuss it in public.

You have two choices...

Wipe your PC of all data and reinstall the OS from scratch

or

Go to the forum I directed you to and ask any/all questions there.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Neil
August 26th 06, 08:21 PM
I have registered and am now awaiting my account's activation, thank you both
for all your help :).

Neil.

"David H. Lipman" wrote:

> From: "Neil" >
>
> | Hi, thank you all for the many replies :D.
> | I tried that site explaining dos commands for my NTFS system but it returned
> | "invalid network path".
> | I have not tried the HijackThis application just yet but from reading later
> | replies I assume it is no longer necessary seeing as you have figured out
> | what the virus is.
> | I can tell you I have not got "Brave Sentry" installed.
> | A rebuild would be acceptable as a last resort but I would rather remove the
> | virus so I will await your reply before doing anything else.
> |
> | Awaiting your wisdom :),
> | Neil.
>
>
> OK:
>
> This comes from an "Expert" dealing with this family of malware...
>
> Please register at :-
>
> http://mr.malwareremoval.net/phpbb3/
>
> Tell ChrisRLG that I sent 'ya.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

Malke
August 26th 06, 08:21 PM
David H. Lipman wrote:

> From: "Neil" >
>
> | I see no way of editing my previous post so I'll post again. I got a
> | small question about this virus, what does it actually do?
> |
>
>
> It is NOT a virus but a Trojan RootKit working with Adware.
>
> Due to the sensitive nature of the malware, I'd rather NOT discuss it
> in public.
>
> You have two choices...
>
> Wipe your PC of all data and reinstall the OS from scratch
>
> or
>
> Go to the forum I directed you to and ask any/all questions there.
>

Thanks for handling this David. Neil, you now know your choices. I
completely concur with David. If you want to put the time and effort
into cleaning the computer, then you need to register and post at the
link David gave you. Otherwise, it's a clean install.

Good luck whatever you choose,

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

David H. Lipman
August 26th 06, 08:24 PM
From: "Neil" >

| I have registered and am now awaiting my account's activation, thank you both
| for all your help :).
|
| Neil.

OK. Please discontinue this thread. I will ask about your progress in a "private" forum.

Good luck!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
