I have a Dell Inspiron 2200 running on Windows XP. The antivirus I use is AVG (free). For almost 2-3 months, I have had the following symptoms:
1. Comp is terribly slow. Especially while booting up. The network connections take forever to load!
2. Antivirus will not get any updates. It will report a connection failure with the site.
3. Antivirus will stop working. AVG window will say "No components installed"!
4. I cannot visit any antivirus website.
After some research, I found that the problem was with a process called svchost.exe (NETWORK SERVICE). I have 2 such processes running all the time in the task manager. One is a malware process. Other one is the windows process. However, I am unable to distinguish! So, I take a chance and kill one process.
If I kill the malware process, I am able to run AV, update AV and open AV websites. If I kill the windows process, comp shuts down.
Now, I ran AV a few times (trial and error of finding the right network service process) but none of the ones I tried could fix the problem. So, every time I shut down and reboot, the malware (and the bad svchost.exe) is back!
I am totally at my wits' end and hope someone here can help me out! I followed the instructions on the guidelines post and I have the log files of Malwarebytes and GMER. However, I am unable to complete the OTL scan. It says "scanning Netsvcs settings..." and does not proceed from there. The task manager shows OTL and services.exe combining to eat up 100%, and OTL stops responding. I have waited for over 30 minutes for OTL to resume but it just does not.
Here is the GMER log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-26 01:11:32
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\KGBED8~1.RAM\LOCALS~1\Temp\fxtdqpow.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \FileSystem\Fastfat \Fat A92A2C8A
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] gxnnwxr <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxnnwxr@DisplayName Shell Config
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxnnwxr@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxnnwxr@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxnnwxr@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxnnwxr@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxnnwxr@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxnnwxr@Description Allows remote users to view through WEB browsers your authorized multimedia content managed by Roxio Media Manager9.
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxnnwxr\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxnnwxr\Parameters@ServiceDll C:\WINDOWS\system32\qzlyolb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gxnnwxr@DisplayName Shell Config
Reg HKLM\SYSTEM\ControlSet003\Services\gxnnwxr@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\gxnnwxr@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\gxnnwxr@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\gxnnwxr@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\gxnnwxr@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\gxnnwxr@Description Allows remote users to view through WEB browsers your authorized multimedia content managed by Roxio Media Manager9.
Reg HKLM\SYSTEM\ControlSet003\Services\gxnnwxr\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gxnnwxr\Parameters@ServiceDll C:\WINDOWS\system32\qzlyolb.dll
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ED0F8295-5CD3-A346-3CE8-31F3E54F870F}
---- EOF - GMER 1.0.15 ----
Here is the mbam log:
Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11
12/25/2009 11:23:24 PM
mbam-log-2009-12-25 (23-23-24).txt
Scan type: Quick Scan
Objects scanned: 122200
Time elapsed: 15 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 3
Files Infected: 24
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\NOD32KVBIT (Trojan.Frethog) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aspimgr (Trojan.Asprox) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xp-39fa7609 (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\Newfolder Fix Wizard (Rogue.NewFolderFixWizard) -> Quarantined and deleted successfully.
C:\Program Files\Newfolder Fix Wizard\backuped (Rogue.NewFolderFixWizard) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\E_4 (Worm.AutoRun) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\RegEx.fnr (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\com.run (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dp1.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eAPI.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krnln.fnr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shell.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\MicrosoftPowerPoint\svchost.exe (Worm.Muha) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\E_4\com.run (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\E_4\dp1.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\E_4\eAPI.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\E_4\krnln.fnr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\E_4\RegEx.fnr (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\E_4\shell.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\E_4\internet.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\E_4\spec.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\internet.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\og.dll (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\og.EDT (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spec.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ul.dll (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\_check32.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\AhnRpta.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\WINDOWS\s32.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ws386.ini (Malware.Trace) -> Quarantined and deleted successfully.
-------------------------------------
Hoping for some light at the end of this tunnel! Thanks all!
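The GMER log above shows why the two svchost.exe processes look identical: the rootkit registers itself as a service (gxnnwxr) whose ImagePath is the real svchost.exe with "-k netsvcs", and the only thing that differs is the ServiceDll it loads (qzlyolb.dll). The script below is an added example, not part of the post or of GMER, that triages a GMER log offline: it collects every service hosted under "svchost.exe -k netsvcs" and flags those that are not known netsvcs members or that GMER reports as hidden. The KNOWN_NETSVCS allowlist is illustrative and the sample log is constructed in GMER's format (the gxnnwxr lines mirror the post, the other two services are added as benign controls).

```python
import re

# Illustrative allowlist of netsvcs members on a stock Windows XP install. On a live
# machine read the authoritative list from the registry value
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs instead.
KNOWN_NETSVCS = {s.lower() for s in (
    "AudioSrv BITS Browser CryptSvc Dhcp dmserver EventSystem helpsvc lanmanserver "
    "lanmanworkstation Netman Nla RasMan Schedule seclogon SENS SharedAccess "
    "ShellHWDetection srservice Themes TrkWks W32Time winmgmt wscsvc wuauserv WZCSVC xmlprov"
).split()}

# "Reg HKLM\SYSTEM\CurrentControlSet\Services\<name>[\Parameters]@<value> <data>"
REG_RE = re.compile(r"^Reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\([^\\@]+)(?:\\Parameters)?@(\w+)\s+(.*)$")
# "Service <image> (*** hidden *** ) [AUTO] <name> <-- ROOTKIT !!!"
HIDDEN_RE = re.compile(r"^Service .*\*\*\* hidden \*\*\*.*\]\s+(\S+)")

# Constructed sample in GMER's format: the gxnnwxr lines mirror the post's log,
# wuauserv and Dnscache are added as benign controls.
SAMPLE_LOG = r"""
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] gxnnwxr <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxnnwxr@DisplayName Shell Config
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxnnwxr@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxnnwxr\Parameters@ServiceDll C:\WINDOWS\system32\qzlyolb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\wuauserv@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters@ServiceDll %SystemRoot%\system32\wuauserv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache@ImagePath %SystemRoot%\system32\svchost.exe -k NetworkService
"""

def triage(log_text):
    services, hidden = {}, set()
    for line in log_text.splitlines():
        m = HIDDEN_RE.match(line)
        if m:
            hidden.add(m.group(1).lower())
            continue
        m = REG_RE.match(line)
        if m:
            name, key, value = m.groups()
            services.setdefault(name.lower(), {})[key] = value.strip()
    findings = []
    for name, vals in services.items():
        image = vals.get("ImagePath", "").lower()
        if "svchost.exe" not in image or "-k netsvcs" not in image:
            continue  # standalone service or a different svchost group
        reasons = []
        if name not in KNOWN_NETSVCS:
            reasons.append("not a known netsvcs member")
        if name in hidden:
            reasons.append("service hidden from the Windows API")
        if reasons:
            findings.append({"service": name, "dll": vals.get("ServiceDll"), "reasons": reasons})
    return findings
```

Each finding names the service and the DLL that svchost.exe loads for it, which is the file to submit for analysis and the service key to remove; on a live XP box, `tasklist /svc` maps that service name to the PID of the svchost.exe hosting it.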