2010-DEC-24_10:45pm: “System Tool” VIRUS infected computer.
Was in Firefox version 3.6.3, perusing OkCupid site, but had a lot of other tabs open.
NIS2005 had started a system scan at 8pm, but I had paused it.
Firefox got really slow, I believe, coming almost to a halt.
I might conjecture that this virus gets in by exploiting a weakness in Firefox, or possibly by coming in through an external ad on a website.
NIS2005 firewall alerted:
Outbound TCP connection.
Remote address,service is (91.193.194.40,http(80)).
Process name is "C:\Documents and Settings\All Users\Application Data\pNnPp08200\pNnPp08200.exe".
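As an added defender-side illustration (not part of this log), here is a small Python triage script that parses alerts in the NIS2005 format quoted above and flags outbound connections from executables living in user-writable directories such as All Users\Application Data; the second, benign alert and the directory list are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the alert quoted in this log, followed by a made-up
# benign alert from Firefox's normal install location for comparison.
SAMPLE_ALERTS = """\
Outbound TCP connection.
Remote address,service is (91.193.194.40,http(80)).
Process name is "C:\\Documents and Settings\\All Users\\Application Data\\pNnPp08200\\pNnPp08200.exe".
Outbound TCP connection.
Remote address,service is (192.0.2.10,http(80)).
Process name is "C:\\Program Files\\Mozilla Firefox\\firefox.exe".
"""

# Directories an ordinary user (and malware running as that user) can write to.
# Compared after normalising backslashes to forward slashes and lower-casing.
USER_WRITABLE_DIRS = (
    "/documents and settings/all users/application data/",
    "/documents and settings/",   # any per-user profile
    "/programdata/",
    "/users/",
    "/windows/temp/",
)

# One alert = the "Remote address" line followed by the "Process name" line.
ALERT_RE = re.compile(
    r'Remote address,service is \((?P<ip>[\d.]+),(?P<svc>.+?)\)\.\s*'
    r'Process name is "(?P<path>[^"]+)"\.'
)

@dataclass
class Finding:
    path: str
    remote: str
    reasons: list

def parse_alerts(text):
    """Yield (remote, process_path) pairs from concatenated alert text."""
    for m in ALERT_RE.finditer(text):
        yield f"{m['ip']}:{m['svc']}", m["path"]

def suspicious_reasons(path):
    """Return a list of reasons the process path looks suspicious (empty if none)."""
    low = path.lower().replace("\\", "/")
    parts = low.split("/")
    name = parts[-1][:-4] if parts[-1].endswith(".exe") else parts[-1]
    reasons = []
    if any(d in low for d in USER_WRITABLE_DIRS):
        reasons.append("executable in user-writable data directory")
    if len(parts) >= 2 and parts[-2] == name:
        reasons.append("executable lives in a folder of the same name")
    return reasons

def triage(text):
    """Return Findings for every alert whose process path is suspicious."""
    return [Finding(p, r, rs) for r, p in parse_alerts(text) if (rs := suspicious_reasons(p))]
```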
I blocked it This One Time, despite NIS's recommendation to allow it.
NIS should always give you that option to block or allow once; most times it doesn't.
Found the file there in its own folder, in All Users. The note you get when rolling over it in Windows Explorer said it was from Microsoft and was a registry editor.
There’s another 1kb file there: “pNnPp08200” with no extension.
I Googled pNnPp08200, but got nothing.
Then I saw a red shield that looks like Windows Security Center, in my clock tray with a bubble that said my system was infected with spyware, and to click it to download critical updates.
When I clicked it, a so-called utility came up: “System Tool” and scanned my hard drive. NIS2005 appeared to be gone and disabled, and Task Manager and System Restore wouldn’t appear when run. I think this virus puts up a desktop screen that looks normal, but hides all other applications you have running. When I pushed the power button on my computer, it said it was shutting down Firefox (which I thought I had already closed).
System Tool also replaces your desktop wallpaper with one that warns you of spyware.
The NIS2005 CD I have doesn’t boot scan. NIS2003 boot scans, but doesn’t see the SATA drive, possibly because it is NTFS.
So I booted the computer, and powered off before it could finish, so it would give me the “Windows did not finish booting normally” menu.
I chose “boot with last configuration that worked,” because I thought that would do a system restore. It did not, and the virus was still there.
So I did it again, and booted into Safe Mode.
From there, there’s a dialogue box that tells you you’re in Safe Mode, and it asks if you are going to do System Restore, to choose “No”. I chose No, and did a System Restore.
System seems fine now; back to normal. I ran CCleaner in case there was anything in the browser cache.
The pNnPp08200.exe above is gone, but the other file and the folder are still there. I ran a complete scan, with Bloodhound set to its highest level, but it didn't find anything.
I wonder how the infection got on my computer. NIS2005 was supposedly still working, and had virus defs of December 22, two days ago. Maybe it infected Firefox? How did it get access to All Users\Application Data?