I am writing this from my laptop as my desktop has a pretty nasty infection. Internet searches have turned up some similar infections that this seems to be a variation of. When I first noticed the infection a few days ago, I started to do a System Restore, but my computer did not have any restore points. I wonder if the virus was able to delete or hide these files, since I have always kept it active and have used it before with success.
Symptoms:
Sometimes startup will hang on a black screen in place of the XP sign-on, but the mouse pointer will be active.
ZoneAlarm catches multiple instances of svchost.exe after startup and an instance of Apache.exe that I do not remember. If I deny access, some of the following symptoms will not manifest themselves.
The following fake Windows Security Center box will pop up. I first thought it was real until I noticed that the settings were different from the Control Panel.
After a lag, a security alert pops up warning me of an infection.
At the same time, another box appears asking me to download a free Protection System piece of software.
My computer will then continue to nag me occasionally with the following notification. Notice the fake Windows Security Center shields.
After a period of time, ZoneAlarm gives another alert that Installer.exe is requesting internet access. If I allow it, the following box pops up and starts downloading from the internet. My modem shows activity at this point too. I have not allowed it to fully download. At this point there are also three internet links added to my desktop for "unsavory" sites.
After Installer starts running, I have a limited amount of time before the system freezes up.
Links to Adaware and MalwareBytes were blocked and the programs were unable to run until being renamed.
I'll also add that I usually see IEXPLORE.exe running in the Task Manager. This happens in Safe Mode as well. I tried upgrading to IE8 to see if it would write over the infected files, but it did not work. Now, occasionally on startup and even in Safe Mode, the introductory tour message will appear on its own. When I open up an IE window, the process that starts is named iexplore.exe.
Fixes attempted:
TrendMicro Housecall - found malicious files and deleted them. They regenerate.
Adaware - found malicious files and deleted them. They regenerate.
MalwareBytes - found the greatest number of malicious files and deleted them, but after the required restart everything is generated again. Ran in Safe Mode with the same results.
RootRepeal will not scan my drives. The program hangs at initialization and freezes my system, forcing a restart. If there is a workaround or another scanner to use, I will run it and update the post with the log.
Here is the DDS log.
DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 0:00:44.81 on Sat 09/12/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1590 [GMT -5:00]
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
D:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscsvc32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\TEMP\Installer.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Administrator\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = about:blank
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [NVIDIA nTune] "d:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SkyTel] SkyTel.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Network Drv] snshost.exe
mRun: [Internet Connection Wizard Setup Tool] c:\program files\internet explorer\connection wizard\icwsetup.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRunServices: [Network Drv] snshost.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy\SDHelper.dll
DPF: {215b8138-a3cf-44c5-803f-8226143cfc0a} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\uaj850s0.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\uaj850s0.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\uaj850s0.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: d:\program files\gametap\bin\release\npgametaptool.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-8-17 353672]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S1 2d353bcb;2d353bcb;c:\windows\system32\drivers\2d353bcb.sys --> c:\windows\system32\drivers\2d353bcb.sys [?]
S2 fyohig;fyohig;c:\windows\system32\drivers\zmffh.sys --> c:\windows\system32\drivers\zmffh.sys [?]
S2 trzf;trzf;c:\windows\system32\drivers\lhsrqi.sys --> c:\windows\system32\drivers\lhsrqi.sys [?]
S3 drmraudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [2009-7-13 23096]
S3 drmrvideo;drmrvideo;c:\windows\system32\drivers\DrmRVideo.sys [2009-7-13 3768]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2009-1-11 42512]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys --> c:\windows\system32\drivers\rt2870.sys [?]
=============== Created Last 30 ================
2009-09-11 23:04 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-09-11 22:42 159,956 a------- c:\windows\system32\nvapps.nvb
2009-09-11 22:41 <DIR> --d----- c:\windows\NV12121216.TMP
2009-09-11 22:29 28,288 ac------ c:\windows\system32\dllcache\xjis.nls
2009-09-11 22:27 13,463,552 ac------ c:\windows\system32\dllcache\hwxjpn.dll
2009-09-11 22:25 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-09-11 22:25 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-09-11 22:25 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-09-11 22:25 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-09-11 22:25 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-09-11 22:25 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-09-08 21:27 <DIR> --d----- c:\program files\Protection System
2009-09-08 18:45 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-09-07 21:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-07 19:55 <DIR> -cd-h--- c:\windows\ie8
2009-09-07 19:38 <DIR> --dsh--- c:\documents and settings\administrator\PrivacIE
2009-09-07 19:38 <DIR> --dsh--- c:\documents and settings\administrator\IETldCache
2009-09-07 19:10 <DIR> --d-h--- c:\windows\$hf_mig$
2009-09-07 17:05 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-09-07 16:50 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-07 16:50 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-07 16:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-07 09:38 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-09-07 08:55 1,010,176 a------- c:\windows\system32\wscsvc32.exe
==================== Find3M ====================
2009-09-11 22:24 23,348 a------- c:\windows\system32\emptyregdb.dat
2009-09-07 09:38 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-08-05 16:00 138,184 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-05 15:59 183,112 a------- c:\windows\system32\PnkBstrB.exe
2009-08-03 19:57 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-04-28 22:58 22,328 a------- c:\docume~1\admini~1\applic~1\PnkBstrK.sys
============= FINISH: 0:02:21.40 ===============
Edited by downinit25i, 12 September 2009 - 05:58 PM.
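As an added triage example (not part of the original post and not from the DDS tool itself), the script below applies a handful of heuristics to DDS-style log lines of the kind shown above: a process running from a Temp directory, an executable whose name is a Windows service name with "32" appended (wscsvc is the real Security Center service, hosted inside svchost, so a standalone wscsvc32.exe in system32 is not a standard component), a legacy RunServices autostart entry and the same value name duplicated across Run keys, a driver whose service name is hex-looking or does not match its own file name and whose file DDS could not stat ("[?]"), and a freshly created system32 executable that is already running. The heuristics, rule names and severities are this example's own assumptions; a hit means "look at this first", not proof of malice. SAMPLE_LOG is a constructed excerpt of the lines in the post, chosen to exercise every rule.

```python
import re

# Constructed excerpt of the DDS log from the post above (subset of lines, same format).
SAMPLE_LOG = r"""
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscsvc32.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\TEMP\Installer.exe
============== Pseudo HJT Report ===============
mRun: [nwiz] nwiz.exe /install
mRun: [Network Drv] snshost.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRunServices: [Network Drv] snshost.exe
============= SERVICES / DRIVERS ===============
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S1 2d353bcb;2d353bcb;c:\windows\system32\drivers\2d353bcb.sys --> c:\windows\system32\drivers\2d353bcb.sys [?]
S2 fyohig;fyohig;c:\windows\system32\drivers\zmffh.sys --> c:\windows\system32\drivers\zmffh.sys [?]
S2 trzf;trzf;c:\windows\system32\drivers\lhsrqi.sys --> c:\windows\system32\drivers\lhsrqi.sys [?]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys --> c:\windows\system32\drivers\rt2870.sys [?]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2009-1-11 42512]
=============== Created Last 30 ================
2009-09-07 08:55 1,010,176 a------- c:\windows\system32\wscsvc32.exe
2009-09-07 16:50 19,096 a------- c:\windows\system32\drivers\mbam.sys
"""

# Assumption: Windows components whose names rogue software imitates by appending "32".
IMITATED = {"wscsvc", "svchost", "lsass", "csrss", "winlogon", "services", "spoolsv"}
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.I)           # path component named Temp/Tmp
HEX_RE = re.compile(r"^[0-9a-f]{8}$")                    # 8-hex-digit service name
SYS_RE = re.compile(r"([^\\\s]+)\.sys\b", re.I)          # driver file stem
RUN_RE = re.compile(r"^([um]Run(Services)?):\s+\[([^\]]*)\]\s+(.*)$")


def basename(path):
    """Last path component, minus any trailing command-line arguments."""
    last = path.strip().replace("/", "\\").split("\\")[-1]
    return last.split()[0] if last.split() else ""


def lookalike(name):
    """True for names like wscsvc32.exe: a known component name plus '32'."""
    stem = name.lower().rsplit(".", 1)[0]
    return stem.endswith("32") and stem[:-2] in IMITATED


def triage(log_text):
    """Return (severity, rule, detail) tuples for suspicious DDS log lines."""
    findings, section = [], ""
    procs, created_exes, run_names = set(), set(), {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):                          # section header
            section = line.strip("= ").lower()
            continue
        if line.startswith("FW:") and "*disabled*" in line:
            findings.append(("info", "firewall-disabled", line))
        elif section == "running processes":
            name = basename(line)
            procs.add(name.lower())
            if TEMP_RE.search(line):
                findings.append(("high", "process-from-temp", line))
            if lookalike(name):
                findings.append(("high", "system-name-lookalike", line))
        elif section == "pseudo hjt report":
            m = RUN_RE.match(line)
            if m:
                key, value, cmd = m.group(1), m.group(3), m.group(4)
                run_names.setdefault(value, set()).add(key)
                if key.endswith("RunServices"):           # legacy key, rarely used legitimately
                    findings.append(("high", "runservices-autostart", line))
                if "\\" not in cmd:                       # bare file name, resolved via search path
                    findings.append(("low", "autostart-without-path", line))
        elif section == "services / drivers":
            parts = line.split(";", 2)
            if len(parts) == 3:
                name = parts[0].split(None, 1)[1].lower()
                unknown = parts[2].rstrip().endswith("[?]")   # DDS could not stat the file
                sysm = SYS_RE.search(parts[2])
                if sysm and unknown:
                    if HEX_RE.match(name) or sysm.group(1).lower() != name:
                        findings.append(("high", "random-named-driver", line))
                    else:
                        findings.append(("low", "driver-file-not-found", line))
        elif section == "created last 30":
            fields = line.split(None, 4)                  # date time size attrs path
            if len(fields) == 5:
                name = basename(fields[4]).lower()
                if name.endswith(".exe"):
                    created_exes.add(name)
                if lookalike(name):
                    findings.append(("high", "system-name-lookalike", line))
    # Cross-section rules: new exe already live, same value in two autostart keys.
    for name in sorted(created_exes & procs):
        findings.append(("high", "new-exe-already-running", name))
    for value, keys in run_names.items():
        if len(keys) > 1:
            findings.append(("high", "duplicate-autostart", f"{value}: {', '.join(sorted(keys))}"))
    return findings


if __name__ == "__main__":
    for sev, rule, detail in triage(SAMPLE_LOG):
        print(f"[{sev:4}] {rule:24} {detail}")
```

On the excerpt this flags Installer.exe in C:\WINDOWS\TEMP, wscsvc32.exe (by name, and again as a system32 executable created on 2009-09-07 that is already running), the three drivers with hex or mismatched names and missing files, and the snshost.exe value registered under both Run and RunServices, while leaving nvsvc32.exe, npf.sys and the ZoneAlarm entries alone; rt2870.sys only gets a low "file not found" note.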