TechSpot

Mysterious DM Virus/Worm that shuts down Ad-Aware and NAV

By Fuzzylogik
Apr 8, 2006
  1. I've been working on this problem off and on all week and now I need your help.

    The first sign of problems was when my ZA firewall blue screened during an update last week. When I tried to scan my HD with NAV, NMAIN.EXE routinely hits 99% of system resources and will sit there for hours if left uninterrupted (it never accomplishes anything but Task Manager never reports that the program hangs. When I attempt to terminate the service, I receive the following error: "The opeation could not be completed. Access is denied." I am logged in as the administrator of a XP Pro box. The only way to terminate this file is to reboot.

    Since then, I have found that I have mysterious files that show up in my HKEY_LOCAL_MACHINE: Run that always start with "DM" (example: dmydd.exe, dmfne.exe, dmppg.exe, etc). The names of the files do not seem to be important, but they always begin with DM, they replicate with time, and they point to c:\windows\system32. The problem: these files do not exist anywhere. I have "show hidden files and folders" checked, so I should see all files on my computer. A further complication: Ad-Aware hangs within 15-30 seconds into the scan and Task Manager IMMEDIATELY reports that it is not running as soon as it hangs. I have successfully run Spybot and it has located "Windows Security Center" errors for anitvirus and Firewall, but when I checked out these errors in my registry, they did not exist at all (ie HKEY_LOCAL_MACHINE\Software\Microsoft\SecurityCenter does exist but the FirewallDisableNotify key (for instance) does NOT exist within SecurityCenter). It did find Pipas.A and Findspy.A in that scan as well, but they do not appear to be able to cause the damage that I am experiencing.

    Out of frustration, I ran TrendMicro's scan twice today. The first time it found a number of worms, but did not report what they were specifically. I had it fix the problems remotely and it appeared to work. After experiencing further problems thereafter, I ran TrendMicro's viruscan again to double check and it came back clean.

    I have installed and reinstalled NAV several times (each time after I feel like I've discovered part of the problem). Currently I have no AV on my computer. And if you are going to lamblast me for using NAV, hey, you are preaching to the choir right now. I've never had a virus/worm slip through like this and I am NOT a happy camper. The only other SW that I use as a filter is Spyware Blaster (vs. Spybot's immunization, which I've had some problems with historically). Truthfully this program probably has not been updated in the last 3-4 months.

    I've been looking for bugs that can cause these specific problem through Techspot and the like to no avail. I'm pretty damn frustrated right now and would appreciate ANY helpful thoughts, critiques, name calling, etc.

    Thanks in advance for your help. (BTW, I'll post a Hijack, but I typically don't like to post it until it has been requested).

    Fuzzylogik
     
  2. Peddant

    Peddant TS Rookie Posts: 1,446

    People don`t normally wait to be asked :) - http://www.techspot.com/vb/topic47014.html
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Lets check to see if there`s anything nasty on your system.

    Go HERE and follow the instructions.

    Post a fresh HJT log, only after doing the above.

    Regards Howard :)
     
  4. Fuzzylogik

    Fuzzylogik TS Rookie Topic Starter

    We have a fixed computer

    Sorry, Peddant, different boards have different protocols and I tend towards the conservative.

    The hijack this website had an analysis feature which I was previously unaware that helped me find some of my holes, but it was the Fixwareout SW that finally found and removed all my ills. My DNS had also been hijacked, which I had forgotten to look at before posting. For the record, Sophos identified the baddie as W32-SDBOT-AFM (it was setting in system32 under the filename CSR.exe), which was identified in late January. Unfortuately NAV has been setting on their laurels and has yet to identify the bugger, which partially explains how it was able to get through everything.

    I appreciate your time and help. As far as I'm concerned this matter is closed. :bounce: :bounce: :bounce:

    Best regards,
    Fuzzylogik
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...