Symantec finds Trojan.gen but it keeps replicating itself


Recommended Posts

Symantec has found the Trojan.gen virus, but as soon as it quarantines it a new copy is found and it has to quarantine the new copy. At one point I had over 9000 of these in the quarantine file. I tried running MBAM but it got stuck for over 2 hours trying to scan the quarantine files. I was finally able to delete the quarantine files, so maybe MBAM would work now, but I thought I'd quickly ask first before scanning for another couple of hours.

Thanks for any help

DDS Output

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Run at 13:27:51 on 2012-01-18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1983.903 [GMT -6:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Windows\system32\vmnat.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Research in Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskmgr.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\IELowutil.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.nanosys1.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [wCBzyuvSb4msJEK] c:\users\jim milligan\appdata\roaming\dwme.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: mswsock.dll
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{243E8BF4-86D6-4B94-8004-D0BE0B33FF93} : DhcpNameServer = 75.75.76.76 75.75.75.75
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jim milligan\appdata\roaming\mozilla\firefox\profiles\qymahsce.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\jim milligan\appdata\roaming\mozilla\firefox\profiles\qymahsce.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
.
============= SERVICES / DRIVERS ===============
.
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-10 106104]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-23 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-11-3 2152152]
S2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-2-28 2440120]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-23 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-11-3 15232]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-01-18 04:37:58 98816 ----a-w- c:\windows\sed.exe
2012-01-18 04:37:58 518144 ----a-w- c:\windows\SWREG.exe
2012-01-18 04:37:58 256000 ----a-w- c:\windows\PEV.exe
2012-01-18 04:37:58 208896 ----a-w- c:\windows\MBR.exe
2012-01-18 04:37:50 -------- d-s---w- C:\ComboFix
2012-01-13 04:21:01 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-10 04:59:19 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-10 04:59:19 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-10 04:59:19 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-10 04:59:19 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-03 14:22:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-01-03 14:22:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-12-27 16:24:04 -------- d-----w- c:\program files\iPod
2011-12-27 16:24:01 -------- d-----w- c:\program files\iTunes
.
==================== Find3M ====================
.
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-09 14:03:19 1393736 ----a-w- c:\users\jim milligan\gotomypc_635.exe
2011-12-02 15:20:33 60304 ----a-w- c:\users\jim milligan\g2mdlhlpx.exe
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 20:23:34 1205064 ----a-w- c:\windows\system32\ntdll.dll
2011-11-18 17:47:03 66560 ----a-w- c:\windows\system32\packager.dll
2011-11-17 06:48:37 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2011-11-16 16:23:44 377344 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 16:23:08 72704 ----a-w- c:\windows\system32\secur32.dll
2011-11-16 16:23:05 278528 ----a-w- c:\windows\system32\schannel.dll
2011-11-16 16:21:57 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2011-11-16 14:12:25 9728 ----a-w- c:\windows\system32\lsass.exe
2011-11-13 15:57:08 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-27 08:01:53 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-27 08:01:53 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 15:58:55 1314816 ----a-w- c:\windows\system32\quartz.dll
2011-10-25 15:58:54 497152 ----a-w- c:\windows\system32\qdvd.dll
2011-10-25 15:56:04 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 13:28:26.21 ===============

Attach.txt output

.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 3/5/2009 7:37:37 PM
System Uptime: 1/18/2012 1:13:24 PM (0 hours ago)
.
Motherboard: | | N68PV-GS
Processor: AMD Athlon 64 X2 Dual Core Processor 5600+ | CPUSocket | 2892/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 91.846 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
7-Zip 9.20
Ad-Aware
Ad-Aware Security Toolbar
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BlackBerry Desktop Software 6.0.2
BlackBerry Device Software Updater
Bonjour
Call of Duty® 2
Google Chrome
Google Update Helper
GoToMeeting 5.1.0.880
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iCloud
iTunes
J2SE Development Kit 5.0 Update 7
J2SE Runtime Environment 5.0 Update 7
Java Auto Updater
Java 6 Update 24
LightScribe System Software 1.10.13.1
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Professional
Microsoft Silverlight
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MobileMe Control Panel
Mozilla Firefox 9.0.1 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 7 Essentials
neroxml
NVIDIA Drivers
NVIDIA PhysX
PowerDVD
QuickTime
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Symantec Endpoint Protection
Typing Instructor Deluxe
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
VZAccess Manager for RIM
WinZip 14.5
.
==== Event Viewer Messages From Past Week ========
.
1/18/2012 1:16:55 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Symantec Settings Manager service to connect.
1/18/2012 1:16:52 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service Symantec AntiVirus with arguments "" in order to run the server: {5CEC0E13-CF22-414C-8D67-D44B06420FC1}
1/18/2012 1:16:17 PM, Error: Schannel [36872] - The SSL server specified certificate's chain could not be retrieved: Failure Status: 0x5 Flags: 0x0 The attached data contains the certificate.
1/18/2012 1:13:42 PM, Error: Microsoft-Windows-Kernel-Processor-Power [6] - Some processor performance power management features have been disabled due to a known firmware problem. Check with the computer manufacturer for updated firmware.
1/17/2012 7:36:23 PM, Error: Service Control Manager [7022] - The KtmRm for Distributed Transaction Coordinator service hung on starting.
1/17/2012 12:28:24 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.
1/17/2012 12:28:24 PM, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/17/2012 10:39:55 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
1/17/2012 1:29:10 PM, Error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s).
1/16/2012 7:12:16 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the iPod Service service to connect.
1/16/2012 7:12:16 PM, Error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/16/2012 7:12:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
1/12/2012 10:41:14 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
1/12/2012 10:41:14 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/12/2012 10:41:14 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
1/12/2012 10:37:52 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Font Cache Service service to connect.
1/12/2012 10:37:52 PM, Error: Service Control Manager [7000] - The Windows Font Cache Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================

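Added example, not from this thread or from DDS, Symantec or Malwarebytes: a small Python triage script that parses the uRun/mRun lines of a DDS "Pseudo HJT Report" like the one posted above and flags autorun entries whose value name looks machine-generated or whose command launches from a user-writable profile directory. The sample input is copied from the log above; the vowel-ratio threshold and the path patterns are heuristics chosen for this example, not anything DDS defines.

```python
import re

# Constructed sample input: the Run entries from the DDS "Pseudo HJT Report"
# section of the first post (uRun = per-user HKCU key, mRun = machine HKLM key).
SAMPLE_HJT = r"""
uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [wCBzyuvSb4msJEK] c:\users\jim milligan\appdata\roaming\dwme.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
"""

# One DDS Run line: "<u|m>Run: [<value name>] <command line>"
RUN_LINE = re.compile(r"^(?P<scope>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Directories a standard user can write to; legitimate vendor autoruns almost
# always live under Program Files or System32 instead (heuristic, not a rule).
USER_WRITABLE = re.compile(r"\\appdata\\(roaming|local)\\|\\temp\\", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Heuristic: long value names with almost no vowels (wCBzyuvSb4msJEK) are
    typical of generated names, while CamelCase product names such as
    WindowsWelcomeCenter keep a normal vowel ratio."""
    letters = [c for c in name if c.isalpha()]
    if len(name) < 10 or not letters:
        return False
    vowels = sum(1 for c in letters if c.lower() in "aeiou")
    return vowels / len(letters) < 0.2


def triage_run_entries(hjt_text: str) -> list:
    """Parse uRun/mRun lines and return the entries worth a closer look,
    each as a dict with scope, name, cmd and the list of reasons it was flagged."""
    findings = []
    for line in hjt_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        reasons = []
        if looks_random(name):
            reasons.append("random-looking value name")
        if USER_WRITABLE.search(cmd):
            reasons.append("launches from a user-writable profile directory")
        if reasons:
            findings.append({
                "scope": "HKCU" if m.group("scope") == "u" else "HKLM",
                "name": name,
                "cmd": cmd,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_HJT):
        print(f"{f['scope']} Run\\{f['name']} -> {f['cmd']}")
        print("   " + "; ".join(f["reasons"]))
```

On the sample above only the dwme.exe entry is reported, with both reasons; a flagged entry is a lead for the helper to check, not a verdict on its own.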

Being a bit impatient, I ran ComboFix (I know I should have had expert help first), but anyway ComboFix found rootkit.zeroaccess. I checked back here and read several threads about the rootkit virus/trojan, and based on your expert comments I'm not even going to play around with this sucker. I purchased Win 7 (to upgrade from Vista), so I'm going to nuke this sucker with a hard drive wipe and fresh OS install.

New question. I have copied some things I want to save to a flash drive (pictures, resume, iTunes music, etc.). After loading the files onto the flash drive I ran a full MBAM scan on it and it didn't find anything. Will I be safe using these files on my new PC OS install? If not, what can I do to clean the files I have saved to my flash drive, as I really want to keep them?

Any help is appreciated.


Does anyone know if Trojan.gen and/or rootkit.zeroaccess might infect a Word, PDF, MP3, or Excel file? I'm waiting to reformat and install Win7 until I know that the files I want/need to keep are safe to install on the new OS. So I hope I don't need the full-blown "let's clean your PC" kind of help. From reading threads here it looks like the rootkit likes to hide in the network and communications area of a computer, so I'm thinking my files should be clean of that infection. That leaves the Trojan.gen virus, and maybe Symantec was trying to clean the rootkit and misnamed it, so it's a misnamed infection.

Any and all help is appreciated


Scan the system with the ESET Online Scanner first:

Note: You will need to use Internet Explorer for this scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats and Scan unwanted applications are unchecked

Click Scan

Wait for the scan to finish

Use Notepad to open the log file located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic

MrC


I did another scan with ESET and it found 4 items:

C:\Documents and Settings\JM\Downloads\RegZooka.exe a variant of Win32/Adware.RegGenie application

C:\Documents and Settings\JM\Downloads\regzookasetup.exe a variant of Win32/Adware.RegGenie application

C:\Users\JM\Downloads\RegZooka.exe a variant of Win32/Adware.RegGenie application

C:\Users\JM\Downloads\regzookasetup.exe a variant of Win32/Adware.RegGenie application

That's all it found, MrC.


Looks OK...your files aren't infected.

I would just delete these:

C:\Documents and Settings\JM\Downloads\RegZooka.exe

C:\Documents and Settings\JM\Downloads\regzookasetup.exe

C:\Users\JM\Downloads\RegZooka.exe

C:\Users\JM\Downloads\regzookasetup.exe

Any questions...post back, MrC
