Win Firewall Disabled, Redirects, Remote Attacks

Slider51Slider51 Michigan USA New
edited July 2010 in Spyware & Virus Removal
A week or so ago while browsing the web my machine was infected with 2 or 3 virus/malware applications. Two types of rogue anti-virus attacks, complete with fake infection alerts and attempted redirects to fake "scanner" sites, and a remote takeover trojan. The rogue AV attack included a persistent attempt at uninstalling AVG9.0 free, which I use as my AV solution. I was able to stop the uninstall both times. A couple of full scans with free MBAM and AVG free each seemingly cleaned everything up. I then registered MBAM and I'm now running the full paid version. My OS is Win XP Pro SP3, with all current updates and patches. My machine accesses the internet through a cable modem and a wired DLink router, which is used only as an internet "splitter" for this machine and another PC of my wife's. The two PC's are not networked or connected in any way other than through the wired router.

I'm left with two types of problems...

(1) My Win firewall is stopped and I cannot restart it...The red "X" Shield for Windows Security Alerts is on in my tray, indicating the Win firewall is disabled. Attempting to turn the firewall back on results in a query window advising that Win Firewall/ICS is not running and asking if I want to start the service. Selecting "yes" results in an error window stating that the Win Firewall/ICS service cannot be started. I get the same result whether trying to start the service thorugh the Security Center or through Control Panel. Checking the system Event Viewer, I find repeated sets of two Information events followed by an error Event, as follows:

Service Control Manager Event 7035: "The Windows Firewall/Internet Connection Sharing (ICS) service was successfully sent a start control."
Service Control Manager Event 7036: "The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state."Service Control Manager Event number 7023: "The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified."

In addition, I see several occurances of FTDisk Error 49: "Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory." immediately followed by FTDisk Error 45: "The system could not sucessfully load the crash dump driver."

I have had several instances of my machine hanging on shutdown or during program launches and having no choice other than a hard shutdown to get out of the hang. I am assuming the "crash dump" is a service to help shut the system down in a hang situation?

Also affected was my ability to download Windows updates and install them when notified that they are available by the yellow shield appreaing in my system tray. I have always had the option "Prompt me, but do not download or install updates automatically" selected, but after this attack, the shield would apprear but clicking on it would not start the download. I reset to Automatic downloads to try to re-enable the updates, but I don;t now if either service is working properly now.

(2) Since cleaning the system as best as is possible with AVG and MBAM, I get continual remote attacks being noted in the system tray by MBAM, both while not connected to the internet and while connected. The following is a list of the attacker's IP's, and is not necessarily complete:

These come in waves, 15-20 minutes apart, and generally go through the entire list above. Meantime, I am getting occasional redirects upon launching IE8, mostly to "get rich quick" scheme websites, although other times to what seem to just be random legit sites.
I believe I have been infected on some level for months, my machine often runs incredibly slow, with command latencies up to 10-15 seconds in any number of applications, including extremely slow start-ups and shutdowns of the machine.

Additionally, I cannot even post on this forum using my machine, whatever I am infected with immediately sends me to the "IE8 cannot open this page" when I click "Submit new thread" or "preview post". I'm actally using a different machine to post this.

Please help! I feel pretty vulnerable without the firewall running and this machine should run much better than it does now...thanks in advance for your expert help.


HJT Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:26:35 PM, on 6/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe
C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
N3 - Netscape 7: # Mozilla User Preferences
/* Do not edit this file.
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see

user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\ADMINISTRATOR\\APPLICATION DATA\\Mozilla\\Profiles\\default\\lxcunvvv.slt");
user_pref("", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:1.7.2");
user_pref("dom.disable_open_during_load", true);
user_pref("intl.charsetmenu.browser.cache", "us-ascii, UTF-8, windows-1252, ISO-8859-1");
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Panasonic Device Monitor Wakeup] C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe
O4 - HKLM\..\Run: [Panasonic Device Manager for Multi-Function Station software] C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe
O4 - HKLM\..\Run: [Panasonic PCFAX for Multi-Function Station software] C:\Program Files\Panasonic\MFStation\KmPcFax.exe -1
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone:
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) -

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) -
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MANDP.Local
O17 - HKLM\Software\..\Telephony: DomainName = MANDP.Local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MANDP.Local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: JavaQuickStarterService - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Panasonic Local Printer Service - Panasonic Communications Co., Ltd. - C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe
O23 - Service: Panasonic Trap Monitor Service - Panasonic - C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
End of file - 9260 bytes


  • edited July 2010
    I caught this trojan last week and made the mistake of rebooting. Whatever you do DO NOT TURN OFF YOUR MACHINE!!!. I have caught it two more times on different sites. It slips right past my symantec AV. Here is what happens and how to beat it. It installs a folder in this location "C:\Documents and Settings\[your account]\Local Settings\Application Data". The Folder usually looks like a bunch of suspicious giberish letters and inside there is an executable file. Open the folder and note the name of the exe file. The next part is tricky. You need to open the task manager and kill the process. The trojan will attempt to close the task manager before you can kill the process and you will probably have to try a few dozen times. Once you succeed you need to delete the exe you found. While you were trying to kill the process it was busy notifying all of those IP addresses in Amsterdam and Russia that you listed. Even after you get rid of the infection these IPs, whatever they are, will continue to port scan you in an attempt to open a back door. They will fail since you already defeated the trojan.
  • edited July 2010
    also...if you did reboot, then it would be a good idea for you to reinstall your system files from your operating system repair do not need to do a complete windows reinstall...just system files..

    And to get your Internet connectivity back you need to open tools>Internet options>coonections>lan settings...and uncheck the box for a proxy server...the trojan checked it for you so you could not access the internet.
  • edited July 2010
    one more prevent this from happening again you need to use an account that does not have admin privs when surfing the I do this? no
Sign In or Register to comment.