Serious blaster infection?
Hello everyone! I'm a new member here, so...hello
First of all I wanna thank you for providing such awesome free computer help ^^ It's incredibly useful, browsing those forums helped me a huge deal.
However, I come to you this time with a pretty serious issue, and I can't seem to find a real solution...
Here it is: I formatted my computer three days ago, and here's why. I would get random "Generic Host Process for Win32" errors, and shortly after, the lethal RPC message ("RPC Call procedure, your computer has to restart and will shutdown in [less than a minute]", blah blah blah). This feels a lot like a Blaster Worm, doesn't it... I applied the quick fix (the shutdown -a command), and thought I was done with the problem. BUT I still had Generic Host Process errors, and noticed that the wifi connection was not working properly. Then I managed to narrow down the problem to one specific thing: the error would pop up the second I enabled the wifi connection. Which means the virus (or worm, or trojan or whatever) was clearly messing around with the wifi connection, and probably with lots of other things I'm not aware of...
After formatting my computer, everything was working perfectly, wifi included. I then disabled the wifi, as I was already connected through ethernet. Today, I re-enabled the wifi connection for a little checkup, and as soon as I did, I got the same exact RPC message, computer restart and generic host process error... For the moment I have just disabled the wifi to keep my computer running.
Here's what I think for the moment:
-I have read that a Blaster variant known as Blaster-D or "Nachi" could mess with the wifi connection and spread through it, then deleting the msblast.exe file and hiding itself as Dllhost.exe, allowing it to act undetected. However I'm not sure this is what's happening, as Blaster-D is known to be a "good-doing" worm.
-I also think that when I caught the virus for the first time, I may have spread it over my home network, infecting the only other computer on the network, which then infected me back when both computers were working on wifi.
-I have noticed, in the past, high memory usage caused by the only svchost.exe process tagged under NETWORK SERVICE user name in the task manager. I don't really know what to think about that, but I know that it's pretty common evidence for a Blaster Worm infection...
And I have absolutely no idea how to fix it. No anti-virus software could detect it (I tried NOD32, my default antivirus, which I have decided to stop using, and AVG free edition, and right now I'm running a system scan with Kaspersky). I spent a great amount of time trying to get rid of it, unsuccessfully. And it's...well, frustrating, to say the least :bigggrin:. I'd be forever thankful if you guys could help me fix it, or even just tell me exactly what's happening to my computer...
Thank you!
Comments
Let's see what HijackThis shows...
Download HJTInstall.exe to your Desktop.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:02:45, on 07/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ATK Hotkey\KBFiltr.exe
C:\Program Files\ATK Hotkey\WDC.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\PowerForPhone\PowerForPhone.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Downloaded Programs\System Security\HijackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ASUS Security Protect Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItIEAddIn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [ATKHOTKEY] "C:\Program Files\ATK Hotkey\Hcontrol.exe"
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] "C:\Program Files\Wireless Console 2\wcourier.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ACMON] "C:\Program Files\ASUS\Splendid\ACMON.exe"
O4 - HKLM\..\Run: [PowerForPhone] C:\Program Files\PowerForPhone\PowerForPhone.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Bluetooth Manager.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ASUS Security Protect Manager e-Wallet - {1009C944-97D5-44A9-9E32-DFF54F498968} - C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWallet.dll
O9 - Extra 'Tools' menuitem: ASUS Security Protect Manager e-&Wallet - {1009C944-97D5-44A9-9E32-DFF54F498968} - C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWallet.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C26FBE2-12A4-4693-A81C-EDF9DA9393DC}: NameServer = 80.10.246.130,81.253.149.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{52F0DF05-8C07-4CB8-B644-38ECA1107E38}: NameServer = 80.10.246.130,81.253.149.10
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7746 bytes
Some new stuff also just started happening to my computer, thought you should know:
-Download speed capped at around 60 kB/s (I have a fiber connection offering 100 Mbit downstream) for several hours
-Upload speed apparently capped at around 280 kB/s (I have 10 Mbit upstream) during the same time
-I noticed some punctual system slowdowns, but for the moment they're not dramatic enough to be relevant.
-I also noticed some random elements don't work, for example the text formatting commands on the very window I'm writing this answer in...I have no idea if this is connected, though.
Again, thanks a lot for caring about my issue. =)
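The log above is in the line-oriented HijackThis format (a "Running processes:" block followed by `R`/`O`-coded entries). As an added example that is not part of this thread and not HijackThis's own code, the following Python parser reads such a log and pulls out the entry types a responder usually reviews first: orphaned BHOs marked "(no file)", per-adapter DNS servers (O17), injected DLLs (O20) and services with no publisher string (O23). The sample lines are copied from the log posted above; the triage rules are this example's own heuristics, and a flagged line is only a prompt for a human look, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines taken from the log posted in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C26FBE2-12A4-4693-A81C-EDF9DA9393DC}: NameServer = 80.10.246.130,81.253.149.10
O20 - AppInit_DLLs: APSHook.dll
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7746 bytes
"""

# Every scan entry starts with a section code such as R0, O4, O23, then " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (process paths, {section code: [entry bodies]})."""
    processes = []
    entries = defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--" or line.startswith("End of file"):
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # first coded entry ends the process block
            entries[match.group("code")].append(match.group("body"))
        elif in_processes:
            processes.append(line)
    return processes, dict(entries)


def review(entries):
    """Heuristic triage (this example's own rules): list of (code, reason, body)."""
    findings = []
    for body in entries.get("O2", []):
        if "(no file)" in body:
            findings.append(("O2", "BHO registered but its DLL is missing; stale or cleaned-up entry", body))
    for body in entries.get("O17", []):
        findings.append(("O17", "per-adapter DNS servers; confirm they belong to your ISP", body))
    for body in entries.get("O20", []):
        findings.append(("O20", "DLL loaded into many processes (AppInit_DLLs / Winlogon Notify)", body))
    for body in entries.get("O23", []):
        if "Unknown owner" in body:
            findings.append(("O23", "service binary carries no publisher string", body))
    return findings


def svchost_count(processes):
    """How many svchost.exe instances were running; several is normal on XP."""
    return sum(1 for p in processes if p.lower().endswith(r"\svchost.exe"))


if __name__ == "__main__":
    procs, sections = parse_hjt(SAMPLE_LOG)
    print(f"{len(procs)} processes, {svchost_count(procs)} svchost.exe instances")
    for code, reason, body in review(sections):
        print(f"[{code}] {reason}\n      {body}")
```

Running the block on the full log from the thread gives the same kind of output: the two ASUS/ATK services with "Unknown owner" and the AppInit_DLLs entry are vendor components that ship on that laptop model, which is exactly why a flagged line needs a person to check the path and publisher rather than an automatic deletion.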
You mentioned earlier that you formatted your computer, therefore any infections would have been removed. You also said... Could you also post HijackThis logs from those computers so I can check if they are infected.
I'd like you to scan a file...