Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

computer not running right


  • This topic is locked This topic is locked
5 replies to this topic

#1 TarynC

TarynC

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:11:54 PM

Posted 26 January 2013 - 12:55 PM

it was redirecting about 2 weeks ago and i took it to a local computer shop to check it out, he ran some programs and told me i have a rootkit, id like to make sure what he told me is either correct or incorrect. I dont know how reputable his shop is.
Malwarebytes,spybot and superantispyware scans are clean, avast is also clean.
Thank you for any assistance.
dds log.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457
Run by home at 12:48:51 on 2013-01-26
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3839.1977 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\SysWOW64\AsHookDevice.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\ASUS\EPU-4 Engine\FourEngine.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
mStart Page = hxxp://asus.msn.com
EB: Canon Easy-WebPrint EX: {21347690-EC41-4F9A-8887-1F4AEE672439} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{5CD5CC2B-960F-4E87-B2FA-A1998EEF73A4} : DHCPNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\home\AppData\Roaming\Mozilla\Firefox\Profiles\r7alwd3i.Default User\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2012-12-27 20:47; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\home\AppData\Roaming\Mozilla\Firefox\Profiles\r7alwd3i.Default User\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2012-10-30 984144]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2012-10-30 370288]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-4-21 202752]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2012-10-30 25232]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2012-10-30 71600]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-11-4 44808]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 Device Handle Service;Device Handle Service;C:\Windows\SysWOW64\AsHookDevice.exe [2011-4-21 203392]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-10-19 399432]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-10-19 25928]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-4-21 406632]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2011-4-21 38456]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\System32\drivers\viahduaa.sys [2011-4-21 1349232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-10-19 676936]
S3 ahcix64s;ahcix64s;C:\Windows\System32\drivers\ahcix64s.sys [2011-4-21 234040]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2012-9-25 57280]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-9-12 1512448]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2011-4-21 702976]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-9-24 1255736]
.
=============== Created Last 30 ================
.
2013-01-26 17:08:47 -------- d-----w- C:\FRST
2013-01-26 16:20:20 -------- d-----w- C:\ProgramData\Sophos
2013-01-25 19:16:31 9161176 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{BD0407CC-94B2-4DCE-881E-722A5FBC9AD4}\mpengine.dll
2013-01-25 16:49:22 -------- d-sh--w- C:\$RECYCLE.BIN
2013-01-25 04:30:37 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2013-01-22 17:52:22 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2013-01-20 18:13:03 -------- d--h--w- C:\ProgramData\CanonIJEPPEX2
2013-01-20 18:13:03 -------- d--h--w- C:\ProgramData\CanonEPP
2013-01-20 18:11:11 361472 ----a-w- C:\Windows\System32\CNMXLMAA.DLL
2013-01-20 18:10:43 -------- d-----w- C:\ProgramData\CanonIJMSetup
2013-01-20 18:05:50 -------- d-----w- C:\ProgramData\CanonIJWSpt
2013-01-20 18:04:27 -------- d-----w- C:\Program Files\Canon
2013-01-20 18:02:11 -------- d-----w- C:\Program Files (x86)\Canon
2013-01-09 18:58:54 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2013-01-09 18:58:54 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2013-01-09 18:58:52 2002432 ----a-w- C:\Windows\System32\msxml6.dll
2013-01-09 18:58:51 1882624 ----a-w- C:\Windows\System32\msxml3.dll
2013-01-09 18:58:51 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll
2013-01-09 18:58:51 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2013-01-09 18:58:48 68608 ----a-w- C:\Windows\System32\taskhost.exe
2013-01-09 18:58:47 750592 ----a-w- C:\Windows\System32\win32spl.dll
2013-01-09 18:58:47 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2013-01-09 18:57:27 3149824 ----a-w- C:\Windows\System32\win32k.sys
2013-01-09 18:55:54 74248 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-09 18:55:54 697864 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-12-31 17:49:18 -------- d-----w- C:\Program Files (x86)\stinger
2012-12-28 04:28:58 -------- d-----w- C:\Users\home\AppData\Roaming\JGsoft
2012-12-28 04:28:48 -------- d-----w- C:\Program Files\Just Great Software
.
==================== Find3M ====================
.
2012-12-16 17:11:22 46080 ----a-w- C:\Windows\System32\atmlib.dll
2012-12-16 14:45:03 367616 ----a-w- C:\Windows\System32\atmfd.dll
2012-12-16 14:13:28 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2012-12-16 14:13:20 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2012-11-23 17:59:37 916456 ----a-w- C:\Windows\System32\deployJava1.dll
2012-11-23 17:59:37 1034216 ----a-w- C:\Windows\System32\npDeployJava1.dll
2012-11-16 07:34:48 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-11-16 07:34:48 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-11-09 05:45:09 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-11-09 04:42:49 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-11-08 16:29:12 1402312 ----a-w- C:\Windows\SysWow64\msxml4.dll
2012-11-02 05:59:11 478208 ----a-w- C:\Windows\System32\dpnet.dll
2012-11-02 05:11:31 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll
2012-10-30 23:51:55 984144 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-10-30 23:51:55 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-10-30 23:51:07 41224 ----a-w- C:\Windows\avastSS.scr
.
============= FINISH: 12:49:12.26 ===============

Edited by TarynC, 26 January 2013 - 01:02 PM.


BC AdBot (Login to Remove)

 


#2 TarynC

TarynC
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:11:54 PM

Posted 26 January 2013 - 04:07 PM

Why are all the new posts being helped before me and ive been here waiting patiently for hrs.

Edited by TarynC, 26 January 2013 - 06:58 PM.


#3 TarynC

TarynC
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:11:54 PM

Posted 26 January 2013 - 07:00 PM

Why are all the new posts being helped before me and I have been waiting for hrs..

#4 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:12:54 AM

Posted 29 January 2013 - 05:07 PM

Hello TarynC, and welcome to Bleeping Computer! :thumbsup:

Why are all the new posts being helped before me and I have been waiting for hrs..

This can sometimes happen due to many reasons. There is a limited number of helpers helping here, and there are also people waiting longer than you have already. Some people have waited a week or longer, so please be patient! All of the helpers here do so out of the kindness of their hearts, not for profit. And we all have lives outside of this website which almost always comes first.

It really depends on the the helpers' skill level, experience, and willingness to take on new challenges. There are plenty of people that are still waiting longer than you have, but I have opted to take this topic nonetheless.

==========

  • Now that I have taken the topic, could you please post a fresh DDS log and also post the "attach.txt" to your next post please?
  • Also, please uninstall SuperAntiSpyware from your Programs and Features uninstall list.
  • I also see that you have run FRST. So please post the contents of the folder C:\FRST in your next reply.
bloopie

#5 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:12:54 AM

Posted 01 February 2013 - 08:27 PM

Hello again,

Are you still with me? :)

This is a 3-Day Bump! If you still wish to receive help please follow the instructions in my last post.

If you do not respond in another 48 hours, I will be forced to close this topic!

bloopie

#6 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:12:54 AM

Posted 03 February 2013 - 01:58 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users