February 9th, 2010, 12:24 AM
#1
Your System Is Infected Background
This past weekend I had the "Your System Is Infected" background, as previously posted by crunchie on 20 Jan. I'm running WinXP SP2 and use Firefox v3.5.7 as my browser. I've run the "standard" set of software (mostly) per your instructions in the sticky. I already had SAS and had run that prior to finding your forum. So here's what I've done:
Ran SAS. Here's the initial log.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 02/06/2010 at 07:42 PM
Application Version : 4.33.1000
Core Rules Database Version : 4561
Trace Rules Database Version: 2373
Scan type : Quick Scan
Total Scan Time : 00:03:30
Memory items scanned : 629
Memory threats detected : 1
Registry items scanned : 524
Registry threats detected : 6
File items scanned : 2084
File threats detected : 27
Trojan.Agent/Gen-FA[SMSS32]
C:\WINDOWS\SYSTEM32\SMSS32.EXE
C:\WINDOWS\SYSTEM32\SMSS32.EXE
[smss32.exe] C:\WINDOWS\SYSTEM32\SMSS32.EXE
[smss32.exe] C:\WINDOWS\SYSTEM32\SMSS32.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#smss32.exe [ C:\WINDOWS\system32\smss32.exe ]
HKU\S-1-5-21-1299688689-410260076-1703155899-1007\Software\Microsoft\Windows\CurrentVersion\Run#smss32.exe [ C:\WINDOWS\system32\smss32.exe ]
Browser Hijacker.Internet Explorer Zone Hijack
HKU\S-1-5-21-1299688689-410260076-1703155899-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download25.com
HKU\S-1-5-21-1299688689-410260076-1703155899-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download25.com#http
Adware.Tracking Cookie
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@apmebf[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\[email protected][3].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@interclick[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@media6degrees[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@questionmarket[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@atdmt[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@trafficmp[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@accountonline[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\HP_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\HP_Administrator\Cookies\[email protected][4].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@imrworldwide[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@mediaplex[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\HP_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@advertising[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\HP_Administrator\Cookies\[email protected][3].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@doubleclick[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@yieldmanager[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@pointroll[2].txt
Trojan.Agent/Gen
C:\WINDOWS\system32\41.exe
Rebooted
Got the "Your System is Infected" background again.
Booted into Safe Mode.
Ran SAS again.
Got this logfile:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 02/06/2010 at 08:08 PM
Application Version : 4.33.1000
Core Rules Database Version : 4561
Trace Rules Database Version: 2373
Scan type : Quick Scan
Total Scan Time : 00:14:05
Memory items scanned : 629
Memory threats detected : 0
Registry items scanned : 523
Registry threats detected : 0
File items scanned : 10419
File threats detected : 1
Trojan.Agent/Gen-FA[WL32]
C:\WINDOWS\SYSTEM32\WINLOGON32.EXE
Rebooted again.
Got the "Infected" notice again.
Found your site and began following instructions in the sticky.
...
Ran AMW, logfile:
Malwarebytes' Anti-Malware 1.44
Database version: 3703
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13
2/7/2010 2:23:44 PM
mbam-log-2010-02-07 (14-23-44).txt
Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 321801
Time elapsed: 57 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\U.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\pdfupd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\GN3RJT25\update[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZNILGZ3Q\update[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\IS15.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Reboot
Ran GMER; logfile:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-08 06:26:02
Windows 5.1.2600 Service Pack 2
Running: kz8zxo01.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\uxldypob.sys
---- System - GMER 1.0.15 ----
SSDT 8A16E6F8 ZwAlertResumeThread
SSDT 8A15D768 ZwAlertThread
SSDT 8A49EAE0 ZwAllocateVirtualMemory
SSDT 89F33860 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB637D7D0]
SSDT 89929B88 ZwCreateMutant
SSDT 89C04770 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB637DA40]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB637E100]
SSDT 8A13D730 ZwFreeVirtualMemory
SSDT 8A16E768 ZwImpersonateAnonymousToken
SSDT 8A16E730 ZwImpersonateThread
SSDT 8A353AC0 ZwMapViewOfSection
SSDT 8A16C710 ZwOpenEvent
SSDT 8A1606E0 ZwOpenProcessToken
SSDT 89C536F8 ZwOpenThreadToken
SSDT 8A6C7818 ZwQueryValueKey
SSDT 89C53730 ZwResumeThread
SSDT 8A13D768 ZwSetContextThread
SSDT 8A161730 ZwSetInformationProcess
SSDT 8A169768 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB637E330]
SSDT 8A16A7C8 ZwSuspendProcess
SSDT 8A15D730 ZwSuspendThread
SSDT 8A17C768 ZwTerminateProcess
SSDT 8A15D6F8 ZwTerminateThread
SSDT 8A13D6F8 ZwUnmapViewOfSection
SSDT 8A15F758 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2BD0 805039A4 4 Bytes JMP F00C8A49
? jfcbtov.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB92ED380, 0x24192E, 0xE8000020]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs AFE16400
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@
---- EOF - GMER 1.0.15 ----
Rebooted
Ran HJT, logfile in next post
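The logs above contain the whole anatomy of this fake-AV ("Your System Is Infected") infection: a Run value under both HKLM and the user's HKU hive launching smss32.exe, a ZoneMap entry for is-software-download25.com, the Security Center AntiVirusDisableNotify/FirewallDisableNotify flags and the Active Desktop and Task Manager policies set to 1, and the Trojan.FakeAlert files. The Python script below is an added triage example, not a tool from the post or from SUPERAntiSpyware or Malwarebytes: it pulls those indicators out of pasted SAS/MBAM log text, de-duplicates them, annotates what each registry change bought the malware, and cross-references each Run value against the detected files. The regexes are heuristics fitted to the log lines quoted in the post, the embedded sample is an excerpt of those logs, and the POLICY_MEANING annotations are the editor's, not the vendors'.

```python
"""Pull indicators out of pasted SUPERAntiSpyware / Malwarebytes logs and annotate what each
did for the fake AV.  Added example, not a tool from the post; the regexes are heuristics
fitted to the log lines quoted there, not the vendors' documented formats."""
import re
from dataclasses import dataclass

# Excerpt of the two scan logs quoted in the post, lines exactly as logged.
SAMPLE_LOG = r"""
Trojan.Agent/Gen-FA[SMSS32]
C:\WINDOWS\SYSTEM32\SMSS32.EXE
[smss32.exe] C:\WINDOWS\SYSTEM32\SMSS32.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#smss32.exe [ C:\WINDOWS\system32\smss32.exe ]
HKU\S-1-5-21-1299688689-410260076-1703155899-1007\Software\Microsoft\Windows\CurrentVersion\Run#smss32.exe [ C:\WINDOWS\system32\smss32.exe ]
Browser Hijacker.Internet Explorer Zone Hijack
HKU\S-1-5-21-1299688689-410260076-1703155899-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download25.com
HKU\S-1-5-21-1299688689-410260076-1703155899-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download25.com#http
Adware.Tracking Cookie
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@doubleclick[1].txt
Trojan.Agent/Gen-FA[WL32]
C:\WINDOWS\SYSTEM32\WINLOGON32.EXE
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
C:\U.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Editor's annotation of what each tampered value buys the fake AV (1 = restriction on, 0 = default).
POLICY_MEANING = {
    "AntiVirusDisableNotify": "silences Security Center antivirus warnings",
    "FirewallDisableNotify": "silences Security Center firewall warnings",
    "NoChangingWallpaper": "locks the scare wallpaper in place",
    "NoActiveDesktopChanges": "blocks Active Desktop changes that would clear it",
    "NoSetActiveDesktop": "hides the Active Desktop settings UI",
    "DisableTaskMgr": "blocks Task Manager so the payload cannot be ended",
}

SAS_FAMILY_RE = re.compile(r"^(Trojan|Adware|Browser Hijacker|Spyware|Rootkit|Rogue)\b")
SAS_RUN_RE = re.compile(r"^(HK\w+\\.*?\\CurrentVersion\\Run)#(\S+)\s+\[\s*(.+?)\s*\]$", re.I)
ZONEMAP_RE = re.compile(r"\\ZoneMap\\Domains\\([\w.\-]+)", re.I)
MBAM_REG_RE = re.compile(r"^(HKEY_.+)\\(\w+) \(([\w.]+)\)(?: -> Bad: \((\d+)\) Good: \((\d+)\))?")
MBAM_FILE_RE = re.compile(r"^([A-Za-z]:\\.+?) \(([\w.]+)\) -> ")
SAS_PATH_RE = re.compile(r"^(?:\[[^\]]+\]\s+)?([A-Za-z]:\\.+)$")


@dataclass(frozen=True)
class Indicator:
    kind: str         # autorun | zonemap | policy | regvalue | file | cookie
    location: str     # registry path or file path as logged
    note: str         # detection name, or what the tampering achieves
    target: str = ""  # autorun only: the executable the Run value launches


def parse_indicators(text):
    """One pass over the log; de-duplicate on (kind, case-folded location) because Windows
    paths are case-insensitive and SAS lists the same binary under memory and file hits."""
    out, seen, family = [], set(), "unknown"

    def add(ind):
        key = (ind.kind, ind.location.lower())
        if key not in seen:
            seen.add(key)
            out.append(ind)

    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if SAS_FAMILY_RE.match(line):          # SAS section header, e.g. Trojan.Agent/Gen
            family = line
        elif m := SAS_RUN_RE.match(line):
            add(Indicator("autorun", f"{m[1]}#{m[2]}", "launched at logon", m[3]))
        elif m := ZONEMAP_RE.search(line):
            add(Indicator("zonemap", m[1], "domain placed in an IE security zone via ZoneMap"))
        elif m := MBAM_REG_RE.match(line):
            key, value, detection, bad, good = m.groups()
            if value in POLICY_MEANING:
                add(Indicator("policy", f"{key}\\{value}",
                              f"{POLICY_MEANING[value]} (set {bad}, default {good})"))
            else:
                add(Indicator("regvalue", f"{key}\\{value}", detection))
        elif m := MBAM_FILE_RE.match(line):
            add(Indicator("file", m[1], m[2]))
        elif m := SAS_PATH_RE.match(line):
            kind = "cookie" if "\\cookies\\" in m[1].lower() else "file"
            add(Indicator(kind, m[1], family))
    return out


def summarize(indicators):
    """Count indicators per kind, so cookie noise is visible separately from real payload."""
    counts = {}
    for ind in indicators:
        counts[ind.kind] = counts.get(ind.kind, 0) + 1
    return counts


def autoruns_with_detected_target(indicators):
    """Run values whose target is itself a detected file: the value and the binary must be
    removed together, or the surviving half re-launches or re-creates the other at next logon."""
    flagged = {i.location.lower() for i in indicators if i.kind == "file"}
    return [i for i in indicators if i.kind == "autorun" and i.target.lower() in flagged]


if __name__ == "__main__":
    found = parse_indicators(SAMPLE_LOG)
    for ind in found:
        print(f"{ind.kind:8} {ind.location}  <- {ind.note}")
    print(summarize(found), len(autoruns_with_detected_target(found)), "autorun(s) with flagged target")
```

Run against the excerpt it reports two autoruns (HKLM and the user's HKU hive) both pointing at the flagged smss32.exe, which is why a file-only cleanup in the first two SAS passes was never going to be enough on its own; paste a full log in place of SAMPLE_LOG to triage a different machine.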