z-connect dialer terminate VZAccess, opens new dialer

Discussion in 'Malware Help (A Specialist Will Reply)' started by Ranchodoug, Jun 21, 2009.

  1. Ranchodoug

    Ranchodoug Private E-2

    Both my PC and laptop have been infected with an apparent trojan which constantly disconnects my broadband access and pops up a dialer to a new "z-connect" network connection. The problem I've had appears to be very similar to http://forums.majorgeeks.com/showthread.php?p=1295913 .

    The problem popped up on 6/17/09 or 6/18/00 (3-4 days ago). I’d just installed a number of security updates from Microsoft and thought one or more of them had interfered with a USB tethered Blackberry 8830 when used as a modem via VZAccess. The Blackberry would disconnect every few seconds. I spent an hour on the phone with Verizon rebooting and re-installing everything without success.

    After talking with Verizon, I thought the problem might be virus related.

    The only other thing I remember doing out of the ordinary was installing/trying new Firefox add-ons to download Flash video (I’ve used Flash Video Resources Downloader for some time but it didn’t seem to be working so tried two others).

    I ran SpyBot, SuperAntiSpyware and Malwarebytes (after updates, and in safe mode). They found a bunch of tracking cookies and a couple of suspicious things. All problems were quarantined then deleted. No luck.

    After googling “z-connect” I ran across your excellent site.

    The PC is running Win XP SP 2 (auto updates are turned on, with approval before install; for whatever reason SP 3 hasn’t been installed yet). SpyBot is used to control startup processes. I'm trying to get the PC disinfected before starting on the laptop.

    Symptoms:

    If I connect to Verizon’s “NationalAccess – BroadBandAccess” I get disconnected after a short period and a dialer opens up with a new “z-connect” network connection with a dialup number of 000. A different site suggested using a dialup number of #777 (Verizon) and I tried that. At least that keeps a network connection alive. In retrospect this might not be a good idea if the dialer is bogus. I can access any site I want to, including the Microsoft and anti-malware sites.

    A number of .exe files have been created in “C:\Documents and Settings\doug.OFFICE2” with names like:

    f5j6e25b8.exe
    u2v8q67n2.exe
    Update.exe

    If you delete these files, different files with similar names appear (the 8 letter/digit filenames are always 48.5 KB).

    I replaced Update.exe with a null file and set it to read only. Something tries to execute Update.exe periodically (sometimes at long intervals, sometimes every minute or so) with a popup error: “16 bit MS-DOS Subsystem, C:\DOCUMENT~1\DOUG~1.OFF\Update.exe The NTVDM CPU has encountered an illegal instruction. CS:e981 IP:ce8b OP:fe e8 ec cd b8 Choose ‘Close’ to terminate the application.”. After going through the XP cleaning procedures I thought Update.exe went away but it's back.

    I also tried to create a new dialup account “Verizon” on the PC with the #777 number but that gets disconnected too. It seems like when the disconnect happens one of the 8 letter/digit .exe files is created.

    Preparation:

    I’ve followed all the initial steps in the “READ & RUN ME FIRST”:

    Uninstalling malware programs – done

    Updating Sun Java – OK. But older versions just didn’t want to go away. Manually deleted remnants in directories.

    MSconfig is set for Normal Startup, using Spybot to disable startup programs

    Recycle Bin and Norton Nprotect emptied – done

    Download and install CCleaner – whoa, lots of orphan entries; all deleted (some time ago I deleted a lot of uninstall information). Deleted all extraneous temp files.

    Have always viewed hidden files, system files and file extensions.

    Ran SuperAntiSpyWare again using the specified settings

    - 6 new detections of Trojan.Agent/Gen-FraudDrop

    - The 6 new Trojan.Agent/Gen-FraudDrop detections included the f5j6e25b8.exe and u2v8q67n2.exe files. Quarantined and deleted after reboot.

    I thought I was home free but the same symptoms continued.

    Ran Malwarebytes – nothing found

    Ran ComboFix, saved log

    Ran RootRepeal, got two errors then it died:

    C:\docs & settings\doug.office2\local settings\temp\etilqs_ygl588hmlc…
    Allocation size mismatch (API: 32768, Raw: 0)

    C:\docs & settings\doug.office2\application data\microsoft\word\autor …
    Size mismatch (API: 45568, Raw: 0)

    Then RootRepeal Error
    Exception Address: 0x004f3399

    RootRepeal_crash_062109.192931.txt contains:

    ROOTREPEAL CRASH REPORT
    -------------------------
    Exception Code: 0xc0000094
    Exception Address: 0x004f3399

    Ran MGTools, log created.

    I'd sure appreciate some help. This virus/Trojan seems extra nasty.

    It should be a felony to unleash these things on the net.

    Logs are attached in this post (RootRepeal log above)
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome. Soon as you attach the requested logs we can get to work on seeing off the baddies :)
     
  3. Ranchodoug

    Ranchodoug Private E-2

    Re: z-connect dialer terminate VZAccess, opens new dialer; Maybe solved

    Kestrel13! -

    No logs - Doh! My mistake, I thought they were properly attached.

    I've made pretty good headway finding the problem so will re-run then attach the logs. This time I'll double check.

    The malware appears to be a Trojan horse. The link here shows part of the problem. The description of next.exe program under 'Virus Characteristics' matches what I saw. A separate problem was with the PeAcE.exe program. There may be other things I don't know about yet.

    When the broadband dialer VZAccess runs, something was terminating the dialer. When that happened, the z-connect dialer appeared and a strange filename appeared in c:\documents and settings\{localuser}. If I overwrote the new .exe file with a file (set as read only) which just popped up a window for 1 second then terminated, the dialer would be OK for one or two sessions, then the disconnects started again.

    I finally began searching the registry for next.exe and peace.exe, deleting the entries. My notes are at home, but stuff seemed to be created in the same registry locations. Additional file locations included c:\CONFIG, c:\MEMORY and c:\NEXT (all as hidden files). When I tried to delete the directories, the message "next.exe or peace.exe are busy and can't be deleted" appeared. So, back to safe mode and deleted the directories.

    At each iteration I deleted all the dialers and created new ones on the theory the dialers had been corrupted and had been working with the strange .exe's.

    The thing seems to morph. At one point it dropped something into the c:\documents and settings\{localuser}\Start Menu\Programs\Startup directory.

    My USB memory stick may have contributed to the problem. The same MEMORY, CONFIG, NEXT directories were also on the memory stick, plus an autorun.inf file.

    Will post more if there's anything in my notes at home.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please only run our procedures once. Then you can attach the logs so we can start to work on a fix for you. Until you do attach logs I cannot do anything to assist you, so I will be here waiting :)
     
  5. Ranchodoug

    Ranchodoug Private E-2

    Kestrel13!

    The procedures were run front to end once.

    A couple notes:

    I also found the Next\ directories (+ an autorun.inf) on my USB memory stick and on my camera's CF card.

    Log notes:

    RootRepeal had a fault. The complete log file is:

    ROOTREPEAL CRASH REPORT
    -------------------------
    Exception Code: 0xc0000005
    Exception Address: 0x00412d1a
    Attempt to read from address: 0x011a1004

    I missed the following when clearing out quarantined files:

    "C:\Qoobox\Quarantine\C\Documents and Settings\doug.OFFICE2\"
    u2v8q6~1.vir Jun 21 2009 49709 "u2v8q67n2.exe.vir"
    update~1.vir Jun 21 2009 12288 "Update.exe.vir"


    The files below are ones that I overwrote with a simple popup form to let me know something was trying to execute them:

    "C:\Documents and Settings\doug.OFFICE2\"

    dysx5.exe Jun 21 2009 12288 "dysx5.exe"
    sfffff.exe Jun 21 2009 12288 "sfffff.exe"
    ysx5.exe Jun 21 2009 12288 "ysx5.exe"

    There certainly is an amazing amount of info in the logs.

    Thanks,

    Doug
     

    Attached Files:
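    The two artifacts Doug describes above (randomly named .exe droppers appearing directly in the user profile directory, and an autorun.inf plus NEXT/CONFIG/MEMORY folders on the USB stick and CF card) are easy to triage with a small script. The following is an added example written for this thread, not code from the forum, from MajorGeeks' tools, or from any product named here. It is Python so it runs offline against a constructed sample directory tree; the name heuristic (short lowercase letters mixed with digits), the 49709-byte size taken from the quarantine listing, and the file and folder names are assumptions drawn from the posts, not signatures for any specific malware family.

```python
"""Defender-side triage for the artifacts described in the thread (added example).

Scans a user-profile directory for .exe files that should not be there, and a
removable-drive root for autorun.inf launch targets and the hidden NEXT/CONFIG/
MEMORY folders. All sample data is constructed in a temporary directory.
"""
import configparser
import os
import re
import tempfile

# Heuristic: droppers in the thread look like "f5j6e25b8.exe" or "dysx5.exe",
# short names mixing letters and digits. Assumption, not a signature.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{5,12}\.exe$", re.IGNORECASE)
# The quarantine listing in the thread shows u2v8q67n2.exe.vir at 49709 bytes
# ("always 48.5 KB"); allow a small tolerance instead of an exact match.
DROPPER_SIZE = 49709
SIZE_TOLERANCE = 512
# Keys in an [autorun] section that cause Windows to launch a program.
AUTORUN_LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
# Folders the poster found on the drive root and on removable media.
SUSPECT_FOLDERS = ("NEXT", "CONFIG", "MEMORY")


def suspicious_exes(profile_dir):
    """Return [(filename, size, reason)] for every .exe directly in profile_dir.

    A profile root normally holds no executables at all, so each one is
    reported; the reason string records which heuristics also fired.
    """
    findings = []
    for name in sorted(os.listdir(profile_dir)):
        path = os.path.join(profile_dir, name)
        if not os.path.isfile(path) or not name.lower().endswith(".exe"):
            continue
        size = os.path.getsize(path)
        reasons = []
        if RANDOM_NAME_RE.match(name):
            reasons.append("random-looking name")
        if abs(size - DROPPER_SIZE) <= SIZE_TOLERANCE:
            reasons.append("size matches known dropper")
        findings.append((name, size, ", ".join(reasons) or "exe in profile root"))
    return findings


def parse_autorun(path):
    """Return [(key, command)] for the launch keys present in an autorun.inf."""
    # autorun.inf is INI-style; disable interpolation so backslashes and
    # percent signs in paths are taken literally. Keys are case-insensitive.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    with open(path, encoding="utf-8", errors="replace") as fh:
        cp.read_file(fh)
    if not cp.has_section("autorun"):
        return []
    return [(key, cp.get("autorun", key))
            for key in AUTORUN_LAUNCH_KEYS if cp.has_option("autorun", key)]


def scan_removable_root(root):
    """Report autorun.inf launch targets and suspect folders at a drive root."""
    report = {"autorun": [], "folders": []}
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        report["autorun"] = parse_autorun(autorun)
    for name in SUSPECT_FOLDERS:
        if os.path.isdir(os.path.join(root, name)):
            report["folders"].append(name)
    return report


def build_sample_tree(base):
    """Construct sample data mirroring the thread's description (inert files)."""
    profile = os.path.join(base, "Documents and Settings", "doug.OFFICE2")
    stick = os.path.join(base, "USB_STICK")
    os.makedirs(profile)
    os.makedirs(os.path.join(stick, "NEXT"))
    os.makedirs(os.path.join(stick, "CONFIG"))
    with open(os.path.join(profile, "f5j6e25b8.exe"), "wb") as fh:
        fh.write(b"\0" * DROPPER_SIZE)          # zero-filled stand-in, not a real binary
    with open(os.path.join(profile, "Update.exe"), "wb") as fh:
        fh.write(b"")                           # the null file the poster put in place
    with open(os.path.join(profile, "notes.txt"), "w") as fh:
        fh.write("not an executable\n")
    with open(os.path.join(stick, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=NEXT\\next.exe\n"
                 "shell\\open\\command=NEXT\\next.exe\nicon=NEXT\\next.exe\n")
    return profile, stick


def run_demo():
    """Build the sample tree, scan it, and return (exe findings, removable report)."""
    with tempfile.TemporaryDirectory() as base:
        profile, stick = build_sample_tree(base)
        return suspicious_exes(profile), scan_removable_root(stick)


if __name__ == "__main__":
    exes, removable = run_demo()
    for name, size, reason in exes:
        print(f"{name:16} {size:6d} bytes  {reason}")
    print("autorun launch keys:", removable["autorun"])
    print("suspect folders:", removable["folders"])
```

    On a real machine you would point `suspicious_exes` at the profile directory and `scan_removable_root` at each removable drive letter; the autorun parser reports what the drive would launch on insertion without executing anything, which is the information needed before deciding what to quarantine.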

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there... before we continue you need to ensure that Spybot Search and Destroy's "Teatimer" feature is disabled as it is very likely that it will interfere with our fix.

    To do this please refer to the below:

    How to disable Spybot's TeaTimer

    Now I would like for you to download and run the following:

    Autorun Eater 2.4

    1. Please go to Add/Remove Programs and uninstall the below old software:

    • Hijackthis 1.99.1
    • J2SE Runtime Environment 5.0 Update 2
    • J2SE Runtime Environment 5.0 Update 4
    • J2SE Runtime Environment 5.0 Update 6

    2. Now we need to use ComboFix.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it
    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    
    KILLALL::
    
    File::
    c:\documents and settings\doug.OFFICE2\dysx5.exe
    c:\documents and settings\doug.OFFICE2\sfffff.exe
    c:\documents and settings\doug.OFFICE2\ysx5.exe
    c:\windows\system32\REN4D.tmp
    c:\windows\system32\REN4C.tmp
    c:\windows\system32\REN4B.tmp
    c:\config\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe
    
    Folder::
    c:\documents and settings\All Users.WINDOWS\Application Data\Viewpoint
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"=-
    "NeroFilterCheck"=-
    "mmtask"=-
    "MSConfig"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX3C644141}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
    
    RegLockDel::
    [HKEY_USERS\S-1-5-21-1614895754-1085031214-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4E7DC14C-1021-9D02-3F0E-4DB27A65B42F}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "iajkicjdenmcakbbki"=hex:6a,61,69,6a,6e,67,6f,65,67,68,61,6b,6e,6d,69,68,68,6e,
       65,68,00,00
    "halkkdciflboagli"=hex:6a,61,69,6a,6e,67,6f,65,67,68,61,6b,6e,6d,69,68,68,6e,
       65,68,00,00
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    3. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    4. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  7. Ranchodoug

    Ranchodoug Private E-2

    Kestrel13!

    Followed the instructions and logs are attached.

    2 glitches:

    (1) Please go to Add/Remove Programs and uninstall the below old software:


    * Hijackthis 1.99.1 <== removed
    * J2SE Runtime Environment 5.0 Update 2 <== fatal error on remove
    * J2SE Runtime Environment 5.0 Update 4 <== fatal error on remove
    * J2SE Runtime Environment 5.0 Update 6 <== fatal error on remove

    I don't know what I did with the J2SE old version uninstall files, but they're gone. The disk versions of these files were deleted.

    (2) There was a Hijack This error, but no internet connection to report the error.

    Everything seems just fine. Thanks very much. Will let you know in a day or so, but at this point the virus seems gone.

    Doug
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi RanchoDoug :) Not much left to do now:


    Windows Installer CleanUp Utility <--- you already have this installed, please use it to remove the old java entries from Add/Remove.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.


    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.
     
  9. Ranchodoug

    Ranchodoug Private E-2

    Kestrel13!

    CCleaner returns the following errors when trying to uninstall or delete the J2SE entries:

    J2SE Runtime Environment 5.0 Update 2 &
    J2SE Runtime Environment 5.0 Update 4


    Run Uninstaller:
    You already have this version of the JRE installed.
    Please uninstall the product through your add/remove
    programs utility before reinstalling.​

    Delete Entry:
    Cannot delete MSI installer​

    J2SE Runtime Environment 5.0 Update 6

    Run Uninstaller:
    Error applying transforms. Verify that the specified
    transform paths are valid.
    Delete Entry:
    Cannot delete MSI installer​

    Note that about 6 months ago I did something 'clever' which trashed the uninstall info for quite a few applications.

    The fixME.reg returned a success message.

    After running fixME.reg I checked CCleaner and the J2SE entries are still there and still cannot be removed.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please work out the problems with uninstall of java in the software forum. :) Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  11. Ranchodoug

    Ranchodoug Private E-2

    Kestrel13!

    Thanks very much. Your efforts are very much appreciated.

    The scum releasing this stuff onto the internet should go to prison for a long time.

    Doug
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're very welcome! Safe surfing :)
     
