Jump to content

BSOD, exe's dont start, very slow pc, unremovable trojans


Recommended Posts

Hello,

I recently got troubles with my pc. There are numerous issues happening, here are the ones that consistently happen.

- Very slow performance.

- Exe files don't work. I can click them or run in cmd, but they just wont start up. For example, pressing Ctrl+Alt+Del yields the following error message:

The logon process could not display the security options .. etc and it will not show taskmanager. Programs that were running already will continue to work fine, as long as they don't require a new exe file. For example, Chrome will work, also opening a new tab is possible, however this tab will not load or do anything, but it will stay empty. (As it needs a new chrome.exe to run).

- Sometimes BSOD's

- Sometimes parts of the W7 theme will look like win95 theme. For example the titlebar+menubar of one single program (but not of others) will have the old theme, or the taskbar is old and everything else still looks like W7, etc.

The problem is that on a fresh reboot, the pc works fine. At a certain point, the above things will happen simulataneously. I don't know what the trigger is. Sometimes this is triggered by opening flash on a website, for example going to youtube. However the above has also happened without any browser open in that session.

What I've done:

- I succesively run AVG, Nod32, Avira and MBAM. They all find trojans and remove them, but the problems remain.

- Defogger and DDS.

- Tried running GMER, but it will BSOD. It will find some things (svchost.exe -> ntll.dll -> write virtual memory, if I recall correctly), but at some point in the scan it will always BSOD. If required I can run GMER and take a picture of its results just before it BSOD's.

Attach.zip contains Attach.txt and the MBAM log.

Obviously much thanks in advance for looking at this problem.

DDS (Ver_10-12-05.01) - NTFSx86

Run by John at 19:39:16,19 on vr 10-12-2010

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Enterprise 6.1.7600.0.1252.31.1033.18.2046.1171 [GMT 1:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\aestsrv.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\dgdersvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\FsUsbExService.Exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\System32\rundll32.exe

C:\Windows\system32\STacSV.exe

C:\Windows\OEM02Mon.exe

C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\RMClock\RMClock.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Acronis\DiskDirector\OSS\reinstall_svc.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\John\Downloads\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://www.google.nl/

uSearch Bar = hxxp://www.google.com/ie

uInternet Settings,ProxyServer = 127.0.0.1:8118

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

BHO: AutorunsDisabled - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File

uRun: [RMClock] "c:\program files\rmclock\RMClockLauncher.exe"

uRun: [Google Update] "c:\users\john\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [KiesTrayAgent]

uRun: [RockMelt Update] "c:\users\john\appdata\local\rockmelt\update\RockMeltUpdate.exe" /c

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start

mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallati...uot;ver=9.0.872

StartupFolder: c:\users\john\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenote 2007 schermopname en snel starten.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

uPolicies-system: dpjzcgjwhkxlugwqfoqxTaskMgr = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000

IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

Trusted Zone: line6.net

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\users\john\appdata\roaming\mozilla\firefox\profiles\dmnjtiss.default\

FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\users\john\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\users\john\appdata\local\rockmelt\update\1.2.189.1\npRockMeltOneClick8.dll

FF - plugin: c:\users\john\appdata\roaming\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\users\john\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R?2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2009-9-10 14464]

R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2009-9-10 73728]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-9 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-9 267944]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-9 61960]

R2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [2010-9-15 95568]

R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-10-15 217088]

R2 OS Selector;Acronis OS Selector activeren;c:\program files\acronis\diskdirector\oss\reinstall_svc.exe [2010-7-13 2159224]

R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]

R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2010-9-15 18120]

R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-10-15 36640]

R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]

R3 RTCore32;RTCore32;c:\program files\rmclock\RTCore32.sys [2009-9-10 4608]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]

S1 UGM96_AA;Service for ESI UGM96 Controller driver;c:\windows\system32\drivers\UGMDRV.sys [2010-4-22 51808]

S2 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2010-3-4 24645]

S2 dcods;Windows Autenthification Service;c:\windows\system32\dcods.exe [2010-12-9 22016]

S2 gupdate;Google Updateservice (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-3 136176]

S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2010-10-15 30312]

S3 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\progra~1\ansysi~1\shared~1\licens~1\intel\lmgrd.exe [2010-3-10 909312]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 BlackfishSQL;BlackfishSQL;c:\program files\embarcadero\rad studio\7.0\bin\BSQLServer.exe [2009-11-18 65536]

S3 L6TPortGX;Service - Line 6 TonePort GX;c:\windows\system32\drivers\L6TPortGX.sys [2010-4-3 571136]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-6 38224]

S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2010-10-15 96488]

S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2010-10-15 12776]

S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2010-10-15 121576]

S3 UGM96_01;Service for ESI UGM96 Audio driver;c:\windows\system32\drivers\UGMwdm.sys [2010-4-22 27232]

S3 WinDriver;WinDriver Kernel Module;c:\windows\system32\drivers\windrvr.sys [2010-2-25 236981]

=============== Created Last 30 ================

2010-12-09 08:56:45 -------- d-----w- c:\users\john\appdata\roaming\Avira

2010-12-09 08:52:00 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-12-09 08:51:59 -------- d-----w- c:\progra~2\Avira

2010-12-09 08:51:58 -------- d-----w- c:\program files\Avira

2010-12-09 08:42:58 22016 ----a-w- c:\windows\system32\dcods.exe

2010-12-09 00:42:35 -------- d-----w- c:\users\john\appdata\local\ESET

2010-11-28 15:10:26 -------- d-----w- c:\users\john\appdata\local\RockMelt

2010-11-12 18:46:58 4280320 ----a-w- c:\windows\system32\GPhotos.scr

==================== Find3M ====================

2010-11-02 16:44:02 112 ----a-w- c:\windows\system32\msvcsv60.dll

2010-09-15 08:37:40 95568 ----a-w- c:\windows\system32\dgdersvc.exe

2010-09-15 08:37:40 763216 ----a-w- c:\windows\system32\dgderapi.dll

2010-09-15 08:33:32 36640 ----a-w- c:\windows\system32\FsUsbExDisk.Sys

2010-09-15 08:33:32 217088 ----a-w- c:\windows\system32\FsUsbExService.Exe

2010-09-15 08:33:32 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.1.7600 Disk: ST9120822AS rev.3.CDD -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-1

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86278446]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8627e504]; MOV EAX, [0x8627e580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x83077458] -> \Device\Harddisk0\DR0[0x86253488]

3 CLASSPNP[0x8940559E] -> ntkrnlpa!IofCallDriver[0x83077458] -> [0x8649BF08]

\Driver\atapi[0x86268B98] -> IRP_MJ_CREATE -> 0x86278446

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [bP+0x0], CL; INC BP; }

detected disk devices:

\Device\Ide\IdeDeviceP1T0L0-1 -> \??\IDE#DiskST9120822AS_____________________________3.CDD___#5&2f3b31c8&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

user != kernel MBR !!!

sectors 234441646 (+255): user != kernel

Warning: possible TDL4 rootkit infection !

TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 19:41:26,60 ===============

attach.zip

Link to post
Share on other sites

This thread can be closed for now, with the knowledge available on this board and other help I've fixed it.

In short here's what I did:

- In Safe Mode, a Malwarebytes and Spybot scan

- Manually deleting suspicious files in c:, c:\windows and c:\windows\system32

- Fix mbr with the Windows 7 install cd. (On boot: repair windows -> command prompt -> "bootsect /nt60 c: /mbr")

No more problems and no items come up in any scanner, malware or rootkit.

Thanks for whoever already started working on this.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.