Khan
2008-10-03, 05:09
One hell of a time!
Yesterday I used the computer at noon and found it as normal as it could be. I had problems before last night that include:
1. Random erratic RAM behaviour, sometimes it is not detected. Power management issues, and the former are probably hardware problems.
2. Cannot open ANY help file. When I select, it displays something like "....cannot open....(.)chm file"
3. I had Norton Antivirus 2005, and after it failed to update for the hundredth time, I switched to AVG.
I logged on last night to find my computer devastated. I could not find C:\, D:\ drives(they don't show up in the My Computer, but can be accessed), no All Programs list, and three new icons which were links to to a website distributing antivirus product. My systray had a "Your computer is affected" icon and the clock had "VIRUS ALERT!" displayed. TaskManager and Display Properties were disabled, although I am the administrator. Every few minutes two copies each of the two type of pop-ups said I had a virus in my computer and asked to click "Yes" to download the same program. I clicked "No" every time, yet two instances of internet explorer opened often(which displayed, funnily enough, two of the same unknown toolbar) to harmful sites. Everything bogged down. I started cleaning with AVG Free Anti-virus, and opened Spybot too. I found a forum which suggested "SmitfraudFix", I downloaded it, but it wouldn't open! My applications kept switching automatically, and AVG detected two adwares(which I moved to the Virus Vault), I pissed off and started deleting processes using Novin Process Manager 2. I found nothing out of the ordinary, except more svchost.exe(which I stay away from interfering) than normal. I worked offline to avoid downloading crapware, only connecting when necessary. I killed crss.exe(just because I was desperate) and the system reboot. The on-going scan on AVG had nothing to show, but SB showed at least nine trojans and spyware including zlob and freeantivirus2009. I opened in safe mode, run SmitFraudFix(although a spybot entry suggested I had SmitFraud) and finally managed to get rid of them! At least that's what I thought :sad:.
I forced myself to install ZoneAlarm Firewall(the only time I installed a firewall other than Windows was a Comodo which failed to update and had to be manually removed), used CCleaner and Glary Utilities to clean up everything. Although Spybot did ask to reboot when scanning virtumonde.dll, I ignored it last time.
Now, on to the problem. I restarted to find a notification on the systray telling me Automatic Updates are turned off, and this doesn't show on the Security Center that I have Automatic Updates running. I didn't receive updates for quite a while, the update balloon only scanned for updates. Manually turning it on in Services is not possible, showing Error 1058. Firefox, my default browser, cannot download anythng, but can access sites. I submitted a HijackThis report to an automated site, which showed "nfbvxmxl.dll"(AVG found nothing, and Firefox cannot upload it) as a potential malware. I can't delete it from system32, its loaded as a process but I can't unload it. A Spybot scan found only five malware, including "zlob", after SmitFraudFix cleaned it up. AVG shows two entries as Generic Trojans, both in system32, geBrpNDS.dll and mlJDtttr.dll. I removed gerBrpNDS from the start-up with SpyBot. A new Spybot search found nothing until virtumonde.dll and asks me to reboot.
The HijackThis log file(current) is shown below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:02:21, on 10/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Software\Installs\AVG\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
D:\Software\Installs\AVG\avgrsx.exe
D:\Software\Installs\AVG\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
D:\Software\Installs\AVG\avgtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\hkcmd.exe
D:\Software\Installs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
D:\Software\Installs\AVG\avgui.exe
D:\Software\Installs\AVG\avgscanx.exe
D:\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
D:\Software\Installs\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Software\Installs\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] D:\Software\Installs\AVG\avgtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Software\Installs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED9B4A79-D761-4424-8623-80F86ABC7671}: NameServer = 10.15.0.10 10.15.0.11
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Software\Installs\AVG\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\Software\Installs\AVG\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\Software\Installs\AVG\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 4402 bytes
Yesterday I used the computer at noon and found it as normal as it could be. I had problems before last night that include:
1. Random erratic RAM behaviour, sometimes it is not detected. Power management issues, and the former are probably hardware problems.
2. Cannot open ANY help file. When I select, it displays something like "....cannot open....(.)chm file"
3. I had Norton Antivirus 2005, and after it failed to update for the hundredth time, I switched to AVG.
I logged on last night to find my computer devastated. I could not find C:\, D:\ drives(they don't show up in the My Computer, but can be accessed), no All Programs list, and three new icons which were links to to a website distributing antivirus product. My systray had a "Your computer is affected" icon and the clock had "VIRUS ALERT!" displayed. TaskManager and Display Properties were disabled, although I am the administrator. Every few minutes two copies each of the two type of pop-ups said I had a virus in my computer and asked to click "Yes" to download the same program. I clicked "No" every time, yet two instances of internet explorer opened often(which displayed, funnily enough, two of the same unknown toolbar) to harmful sites. Everything bogged down. I started cleaning with AVG Free Anti-virus, and opened Spybot too. I found a forum which suggested "SmitfraudFix", I downloaded it, but it wouldn't open! My applications kept switching automatically, and AVG detected two adwares(which I moved to the Virus Vault), I pissed off and started deleting processes using Novin Process Manager 2. I found nothing out of the ordinary, except more svchost.exe(which I stay away from interfering) than normal. I worked offline to avoid downloading crapware, only connecting when necessary. I killed crss.exe(just because I was desperate) and the system reboot. The on-going scan on AVG had nothing to show, but SB showed at least nine trojans and spyware including zlob and freeantivirus2009. I opened in safe mode, run SmitFraudFix(although a spybot entry suggested I had SmitFraud) and finally managed to get rid of them! At least that's what I thought :sad:.
I forced myself to install ZoneAlarm Firewall(the only time I installed a firewall other than Windows was a Comodo which failed to update and had to be manually removed), used CCleaner and Glary Utilities to clean up everything. Although Spybot did ask to reboot when scanning virtumonde.dll, I ignored it last time.
Now, on to the problem. I restarted to find a notification on the systray telling me Automatic Updates are turned off, and this doesn't show on the Security Center that I have Automatic Updates running. I didn't receive updates for quite a while, the update balloon only scanned for updates. Manually turning it on in Services is not possible, showing Error 1058. Firefox, my default browser, cannot download anythng, but can access sites. I submitted a HijackThis report to an automated site, which showed "nfbvxmxl.dll"(AVG found nothing, and Firefox cannot upload it) as a potential malware. I can't delete it from system32, its loaded as a process but I can't unload it. A Spybot scan found only five malware, including "zlob", after SmitFraudFix cleaned it up. AVG shows two entries as Generic Trojans, both in system32, geBrpNDS.dll and mlJDtttr.dll. I removed gerBrpNDS from the start-up with SpyBot. A new Spybot search found nothing until virtumonde.dll and asks me to reboot.
The HijackThis log file(current) is shown below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:02:21, on 10/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Software\Installs\AVG\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
D:\Software\Installs\AVG\avgrsx.exe
D:\Software\Installs\AVG\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
D:\Software\Installs\AVG\avgtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\hkcmd.exe
D:\Software\Installs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
D:\Software\Installs\AVG\avgui.exe
D:\Software\Installs\AVG\avgscanx.exe
D:\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
D:\Software\Installs\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Software\Installs\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] D:\Software\Installs\AVG\avgtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Software\Installs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED9B4A79-D761-4424-8623-80F86ABC7671}: NameServer = 10.15.0.10 10.15.0.11
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Software\Installs\AVG\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\Software\Installs\AVG\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\Software\Installs\AVG\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 4402 bytes