
Web pages being re-directed and slow computer


1 reply to this topic

#1 edinburgh

  • Members
  • 4 posts

Posted 18 February 2010 - 02:27 PM

Hi, my computer is going really slow, crashing sometimes, and my web page is being redirected constantly. I tried various spyware programs, such as Malwarebytes, but it can't update (it can't find any trojans without an update). I tried Spyware Doctor, and it can't find anything.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Quinn at 19:11:43.63 on 18/02/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.1918.1039 [GMT 0:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\sYSteM32\SvchOst.eXE -k okogrp
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\WUDFHost.exe
C:\Program Files\GridinSoft Trojan Killer\trojankiller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Quinn\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = www.google.co.uk
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\quinn\appdata\roaming\mozilla\firefox\profiles\fb2xi768.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-2-17 207280]
R1 oko6;oko6;c:\windows\system32\drivers\oko6.sys [2010-2-15 32768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-2-17 112592]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-5-14 731840]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2009-5-14 38240]
R2 okosrv;okosrv;c:\windows\system32\SvchOst.eXE -k okogrp [2009-7-13 20992]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347136]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-2-17 365280]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-2-17 1141712]
S4 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-2-17 233136]
S4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-2-17 70408]

=============== Created Last 30 ================

2010-02-18 19:07:34 0 d-----w- c:\program files\GridinSoft Trojan Killer
2010-02-18 17:57:11 0 d-----w- c:\program files\FileASSASSIN
2010-02-17 22:00:48 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-02-17 22:00:15 0 d-----w- c:\users\quinn\appdata\roaming\SUPERAntiSpyware.com
2010-02-17 22:00:15 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-17 21:59:00 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-17 19:31:27 882 ----a-w- c:\windows\RegSDImport.xml
2010-02-17 19:31:27 880 ----a-w- c:\windows\RegISSImport.xml
2010-02-17 19:31:27 767952 ----a-w- c:\windows\BDTSupport.dll
2010-02-17 19:31:27 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-02-17 19:31:27 131 ----a-w- c:\windows\IDB.zip
2010-02-17 19:31:26 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-02-17 19:31:26 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-02-17 19:31:26 1152444 ----a-w- c:\windows\UDB.zip
2010-02-17 19:29:01 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-02-17 19:29:00 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-17 19:29:00 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-02-17 19:28:55 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-02-17 19:28:55 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-02-17 19:28:55 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-17 19:28:54 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-17 19:28:43 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-02-17 19:28:43 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-17 19:28:20 0 d-----w- c:\program files\common files\PC Tools
2010-02-17 19:28:19 0 d-----w- c:\programdata\PC Tools
2010-02-17 19:28:18 0 d-----w- c:\users\quinn\appdata\roaming\PC Tools
2010-02-17 19:16:58 0 d-----w- c:\program files\Spyware Doctor
2010-02-17 18:58:07 0 d-----w- c:\users\quinn\appdata\roaming\FreeFixer
2010-02-17 18:58:02 0 d-----w- c:\program files\FreeFixer
2010-02-16 20:30:05 0 d-----w- c:\users\quinn\appdata\roaming\Malwarebytes
2010-02-16 20:30:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-16 20:29:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-16 20:29:58 0 d-----w- c:\programdata\Malwarebytes
2010-02-16 20:29:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-16 20:00:00 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-16 20:00:00 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-16 17:31:13 0 d-----w- c:\users\quinn\Office Genuine Advantage
2010-02-16 17:27:28 0 d---a-w- c:\programdata\TEMP
2010-02-16 17:14:32 195072 ----a-w- c:\windows\rdr_1266340466.exe
2010-02-16 17:14:19 0 d-----w- c:\programdata\Office Genuine Advantage
2010-02-15 19:13:07 32768 ----a-w- c:\windows\system32\drivers\oko6.sys
2010-02-15 19:13:07 101888 ----a-w- c:\windows\system32\oko6.dll
2010-02-14 17:06:02 0 ----a-w- c:\windows\rdr_1266167162.exe
2010-02-14 17:06:02 0 ----a-w- c:\windows\rdr_1266167152.exe
2010-02-14 16:19:10 1 ----a-w- c:\windows\conf21113.dat
2010-02-10 19:16:05 3955288 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 19:16:04 3899464 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-10 19:16:04 292864 ----a-w- c:\windows\system32\apphelp.dll
2010-02-10 19:16:01 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 19:16:01 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-10 19:15:59 91648 ----a-w- c:\windows\system32\avifil32.dll
2010-02-10 19:15:59 84480 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-10 19:15:59 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-10 19:15:59 1328640 ----a-w- c:\windows\system32\quartz.dll
2010-02-10 19:15:58 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-10 19:15:58 22016 ----a-w- c:\windows\system32\msyuv.dll
2010-02-10 19:15:58 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-10 19:15:58 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-10 19:15:56 221184 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-10 19:15:56 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-08 18:23:38 0 d-----w- c:\programdata\Adobe
2010-02-06 17:03:37 0 d-----w- c:\program files\common files\Canon
2010-01-27 20:16:42 2614272 ----a-w- c:\windows\explorer.exe
2010-01-27 20:16:41 285696 ----a-w- c:\windows\system32\winlogon.exe
2010-01-22 18:22:24 977920 ----a-w- c:\windows\system32\wininet.dll

==================== Find3M ====================

2010-01-14 06:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-10-29 15:25:49 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 19:12:23.27 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-18 19:21:07
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\Quinn\AppData\Local\Temp\aglcipog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x8817DCDC]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x8817DECE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x8817E0D6]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x8817D982]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C3DAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C3D104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C3D3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C262D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C25898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C3D1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C3D958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C3D6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C3DF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C3E1A8

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000055 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp oko6.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp oko6.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:260] 85901930

---- EOF - GMER 1.0.15 ----
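As an added, defender-side illustration (this is not code from the thread, nor part of DDS or GMER), the Python script below runs a few triage heuristics over lines in the shape of the DDS "Running Processes" and "SERVICES / DRIVERS" sections and the GMER "Devices" section above. It flags three things an analyst reading such a log checks first: system path segments whose letter casing is not one Windows itself writes (the `sYSteM32\SvchOst.eXE -k okogrp` entry), svchost.exe service groups outside a known set, and attached filter drivers that GMER could not attribute to a file description and vendor, cross-referenced to the DDS service entry that registers them. The sample lines are constructed copies of lines from the posted log; the known-group list and the canonical casings are my assumptions, and every hit is a lead for the analyst, not a verdict.

```python
"""Triage heuristics for DDS / GMER log excerpts. Added example: not code from the
thread, DDS or GMER. Sample lines are constructed copies of lines in the log above."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (kind, offending line, detail)

SAMPLE_DDS_PROCESSES = r"""
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\sYSteM32\SvchOst.eXE -k okogrp
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
""".strip().splitlines()

SAMPLE_DDS_SERVICES = r"""
R1 oko6;oko6;c:\windows\system32\drivers\oko6.sys [2010-2-15 32768]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-5-14 731840]
R2 okosrv;okosrv;c:\windows\system32\SvchOst.eXE -k okogrp [2009-7-13 20992]
""".strip().splitlines()

SAMPLE_GMER_DEVICES = r"""
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\tdx \Device\Tcp oko6.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp oko6.sys
""".strip().splitlines()

# Assumption: the svchost groups seen in the DDS log above plus two stock Windows 7
# groups. A group outside this set is a triage lead, not a verdict.
KNOWN_SVCHOST_GROUPS = {
    "DcomLaunch", "RPCSS", "netsvcs", "LocalService", "NetworkService",
    "LocalServiceNetworkRestricted", "LocalSystemNetworkRestricted",
    "LocalServiceNoNetwork", "NetworkServiceNetworkRestricted",
    "LocalServiceAndNoImpersonation", "secsvcs", "WerSvcGroup",
}
# Assumption: the casings Windows itself writes for these segments. NTFS is
# case-insensitive, so "sYSteM32\SvchOst.eXE" launches the real binary while
# dodging tools and eyes that match the literal string.
CANONICAL_CASINGS = {
    "windows": {"Windows", "WINDOWS"},
    "system32": {"system32", "System32", "SYSTEM32"},
    "svchost.exe": {"svchost.exe", "SVCHOST.EXE"},
}
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[")
GMER_DEVICE_RE = re.compile(r"^AttachedDevice\s+\S+\s+(?P<device>\S+)\s+(?P<file>\S+)(?:\s+\((?P<attr>.*)\))?\s*$")


def case_mangled_segments(image: str) -> List[str]:
    """Segments of a well-known system path whose casing Windows never writes."""
    exe_path = image.split(" -k ")[0].strip()
    return [seg for seg in exe_path.split("\\")
            if seg.lower() in CANONICAL_CASINGS and seg not in CANONICAL_CASINGS[seg.lower()]]


def triage_processes(lines: List[str]) -> List[Finding]:
    """Flag case-mangled system paths and svchost groups outside the known set."""
    findings: List[Finding] = []
    for line in lines:
        mangled = case_mangled_segments(line)
        if mangled:
            findings.append(("case-mangled path", line, ", ".join(mangled)))
        m = re.search(r"svchost\.exe\s+-k\s+(\S+)", line, re.IGNORECASE)
        if m and m.group(1) not in KNOWN_SVCHOST_GROUPS:
            findings.append(("unknown svchost group", line, m.group(1)))
    return findings


def parse_services(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Index DDS service/driver entries by lower-cased image file name."""
    services: Dict[str, Dict[str, str]] = {}
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            basename = m.group("image").split(" -k ")[0].rsplit("\\", 1)[-1].lower()
            services[basename] = {"name": m.group("name"), "state": m.group("state"),
                                  "image": m.group("image")}
    return services


def triage_gmer_devices(lines: List[str], services: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Flag attached filter drivers GMER could not attribute to a description/vendor.

    Legitimate filters (eamon.sys/ESET, fvevol.sys/Microsoft) carry version info.
    An unattributed driver attached to the Tcp or Udp device objects sees every
    packet, so the matching DDS service entry is appended for the analyst.
    """
    findings: List[Finding] = []
    for line in lines:
        m = GMER_DEVICE_RE.match(line)
        if not m or m.group("attr"):
            continue
        detail = f"{m.group('file')} attached to {m.group('device')}"
        svc = services.get(m.group("file").lower())
        if svc:
            detail += f" (service {svc['name']}, {svc['state']}, {svc['image']})"
        findings.append(("unattributed filter driver", line, detail))
    return findings


def triage_all() -> List[Finding]:
    services = parse_services(SAMPLE_DDS_SERVICES)
    return triage_processes(SAMPLE_DDS_PROCESSES) + triage_gmer_devices(SAMPLE_GMER_DEVICES, services)


if __name__ == "__main__":
    for kind, line, detail in triage_all():
        print(f"[{kind}] {detail}\n    {line}")
```

Run against the constructed samples it reports four findings: the mangled `sYSteM32` and `SvchOst.eXE` segments, the `okogrp` group, and `oko6.sys` attached to both the Tcp and Udp device objects with its R1 service registration alongside. The casing check deliberately compares against a fixed set of spellings rather than looking for "odd" mixed case, because legitimate names such as SUPERAntiSpyware or GrooveMonitor mix case too.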


#2 fenzodahl512

  • Members
  • 6,738 posts

Posted 19 February 2010 - 11:50 AM

Please download TDSSKiller.zip and unzip it to your Desktop.

Run TDSSKiller and wait until it finishes (it should take just a few seconds, or under a minute). Then find the log on your %systemdrive% (the drive that contains Windows).

The log shall be named something like this:

(TDSSKiller.version_date_time_log), for example (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

It is important you rename Combofix during the download, but not after.

NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive




