Spybot does not load + google problem

Writhe

I've read the stickies and searched but haven't been able to figure this out.

When I click a result in a Google search in Firefox, the page takes approx 4-6 to load. My connection is 7 Mbps, and everything else loads fast. When I click a Google link in IE, it sometimes redirects me to another site other than the one I want to go to. I ran Ad-Aware; it detected one piece of malware and removed it.

Also, Spybot does not open. I checked to see if there was a spybotsd.exe file in the folder, and there wasn't. I installed the program to a USB drive, dropped it into my Spyware folder, and it asks me if I want to replace the file (wtf? show all files is on!). I tried the coolwww program also.

Here's my HJT log:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:20 AM, on 6/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Eset2\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Eset2\nod32kui.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\James\Desktop\gmer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset2\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134679400937
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c99079606fdd5a) (gupdate1c99079606fdd5a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset2\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 4180 bytes

And here's my GMER log:

Code:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-08 03:52:45
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code            86E3A280                                                                                                                                              ZwEnumerateKey
Code            86E33268                                                                                                                                              ZwFlushInstructionCache
Code            86E3A2B6                                                                                                                                              IofCallDriver
Code            86E1B27E                                                                                                                                              IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!IofCallDriver                                                                                                                            804EE130 5 Bytes  JMP 86E3A2BB 
.text           ntkrnlpa.exe!IofCompleteRequest                                                                                                                       804EE1C0 5 Bytes  JMP 86E1B283 
PAGE            ntkrnlpa.exe!ZwFlushInstructionCache                                                                                                                  805ABEC4 5 Bytes  JMP 86E3326C 
PAGE            ntkrnlpa.exe!ZwEnumerateKey                                                                                                                           8061AB70 5 Bytes  JMP 86E3A284 

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\Program Files\AIM\aim.exe[2088] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!SelectObject]                                                          003F0040
IAT             C:\Program Files\AIM\aim.exe[2088] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!SelectObject]                                                         003F0040
IAT             C:\Program Files\AIM\aim.exe[2088] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!SelectObject]                                                         003F0040
IAT             C:\Program Files\AIM\aim.exe[2088] @ C:\WINDOWS\system32\ole32.dll [GDI32.dll!SelectObject]                                                           003F0040

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                                amon.sys (Amon monitor/Eset )
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                              amon.sys (Amon monitor/Eset )
---- Processes - GMER 1.0.15 ----

Library         \\?\globalroot\systemroot\system32\gxvxcrsefrdovynubldlyajkyjcbknekxvnrr.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [3216]  0x10000000                                                                            

---- Services - GMER 1.0.15 ----

Service         C:\WINDOWS\system32\drivers\gxvxcqvpxurqatbbowbnrjnvpwsrsoniexvim.sys (*** hidden *** )                                                               [SYSTEM] gxvxcserv.sys                                                                 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys                                                                                                  
Reg             HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@start                                                                                            1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@type                                                                                             1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath                                                                                        \systemroot\system32\drivers\gxvxcqvpxurqatbbowbnrjnvpwsrsoniexvim.sys
Reg             HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@group                                                                                            file system
Reg             HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules                                                                                          
Reg             HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcserv                                                                                \\?\globalroot\systemroot\system32\drivers\gxvxcqvpxurqatbbowbnrjnvpwsrsoniexvim.sys
Reg             HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcl                                                                                   \\?\globalroot\systemroot\system32\gxvxcrsefrdovynubldlyajkyjcbknekxvnrr.dll
Reg             HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys                                                                                                      
Reg             HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@start                                                                                                1
Reg             HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@type                                                                                                 1
Reg             HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@imagepath                                                                                            \systemroot\system32\drivers\gxvxcqvpxurqatbbowbnrjnvpwsrsoniexvim.sys
Reg             HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@group                                                                                                file system
Reg             HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules                                                                                              
Reg             HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcserv                                                                                    \\?\globalroot\systemroot\system32\drivers\gxvxcqvpxurqatbbowbnrjnvpwsrsoniexvim.sys
Reg             HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcl                                                                                       \\?\globalroot\systemroot\system32\gxvxcrsefrdovynubldlyajkyjcbknekxvnrr.dll
Reg             HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys                                                                                                      
Reg             HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@start                                                                                                1
Reg             HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@type                                                                                                 1
Reg             HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@imagepath                                                                                            \systemroot\system32\drivers\gxvxcqvpxurqatbbowbnrjnvpwsrsoniexvim.sys
Reg             HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@group                                                                                                file system
Reg             HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys\modules                                                                                              
Reg             HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys\modules@gxvxcserv                                                                                    \\?\globalroot\systemroot\system32\drivers\gxvxcqvpxurqatbbowbnrjnvpwsrsoniexvim.sys
Reg             HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys\modules@gxvxcl                                                                                       \\?\globalroot\systemroot\system32\gxvxcrsefrdovynubldlyajkyjcbknekxvnrr.dll

Apparently I have a rootkit?

Service         C:\WINDOWS\system32\drivers\gxvxcqvpxurqatbbowbnrjnvpwsrsoniexvim.sys (*** hidden *** )                                                               [SYSTEM] gxvxcserv.sys                                                                 <-- ROOTKIT !!!
 
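The GMER output above contains the three items a responder actually acts on: inline JMP hooks on kernel functions (the ntkrnlpa.exe lines, each redirected to an address well outside the kernel image), a DLL inside firefox.exe that GMER could only see by bypassing the normal API (consistent with the slow and redirected Google results the poster describes), and a hidden driver service whose registry keys were written to every control set. The script below is an added example, not code from this thread, from GMER or from any of the tools named in it: it parses those lines, classifies the hooks, and collects the on-disk paths for a removal attempt or to confirm nothing survived a rebuild. The kernel image address range and the SystemRoot value are assumptions (the log does not print them; the HJT log shows C:\WINDOWS), the sample input is the relevant log lines copied from the post with the column padding collapsed, and the aim.exe IAT entries are deliberately not parsed.

```python
"""Triage a GMER rootkit-scan log: kernel inline hooks, hidden modules, hidden service keys."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# ASSUMPTION: address range of the 32-bit XP kernel image (GMER does not print it).
# A JMP whose target lies outside it lands in driver-allocated pool: an inline hook.
KERNEL_IMAGE_RANGE = (0x80400000, 0x80800000)
SYSTEMROOT = r"C:\WINDOWS"  # ASSUMPTION: matches the paths in the HJT log

# Constructed input: the relevant lines of the GMER log posted in the thread.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text   ntkrnlpa.exe!IofCallDriver   804EE130 5 Bytes  JMP 86E3A2BB
.text   ntkrnlpa.exe!IofCompleteRequest   804EE1C0 5 Bytes  JMP 86E1B283
PAGE   ntkrnlpa.exe!ZwFlushInstructionCache   805ABEC4 5 Bytes  JMP 86E3326C
PAGE   ntkrnlpa.exe!ZwEnumerateKey   8061AB70 5 Bytes  JMP 86E3A284
---- Processes - GMER 1.0.15 ----
Library   \\?\globalroot\systemroot\system32\gxvxcrsefrdovynubldlyajkyjcbknekxvnrr.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [3216]  0x10000000
---- Services - GMER 1.0.15 ----
Service   C:\WINDOWS\system32\drivers\gxvxcqvpxurqatbbowbnrjnvpwsrsoniexvim.sys (*** hidden *** )   [SYSTEM] gxvxcserv.sys   <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg   HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
Reg   HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@start   1
Reg   HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@type   1
Reg   HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath   \systemroot\system32\drivers\gxvxcqvpxurqatbbowbnrjnvpwsrsoniexvim.sys
Reg   HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@group   file system
Reg   HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules
Reg   HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcserv   \\?\globalroot\systemroot\system32\drivers\gxvxcqvpxurqatbbowbnrjnvpwsrsoniexvim.sys
Reg   HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcl   \\?\globalroot\systemroot\system32\gxvxcrsefrdovynubldlyajkyjcbknekxvnrr.dll
Reg   HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@imagepath   \systemroot\system32\drivers\gxvxcqvpxurqatbbowbnrjnvpwsrsoniexvim.sys
Reg   HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@imagepath   \systemroot\system32\drivers\gxvxcqvpxurqatbbowbnrjnvpwsrsoniexvim.sys
"""

HOOK_RE = re.compile(r"^(?P<sec>\.text|PAGE)\s+(?P<img>\S+)!(?P<fn>\S+)\s+"
                     r"(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+) Bytes\s+JMP (?P<tgt>[0-9A-F]{8})")
HIDDEN_LIB_RE = re.compile(r"^Library\s+(?P<path>\S+) \(\*\*\* hidden \*\*\* \) @ (?P<host>.+?) \[(?P<pid>\d+)\]")
HIDDEN_SVC_RE = re.compile(r"^Service\s+(?P<path>\S+) \(\*\*\* hidden \*\*\* \)\s+\[\w+\] (?P<name>\S+)")
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+)(?:\s+(?P<data>.*?))?\s*$")


@dataclass
class KernelHook:
    func: str
    address: int
    target: int

    def outside_kernel_image(self) -> bool:
        lo, hi = KERNEL_IMAGE_RANGE
        return not lo <= self.target < hi


@dataclass
class Triage:
    hooks: List[KernelHook] = field(default_factory=list)
    hidden: Dict[str, str] = field(default_factory=dict)               # path -> host ("kernel" for a driver)
    services: Dict[str, Dict[str, str]] = field(default_factory=dict)  # service -> value name -> data
    control_sets: Dict[str, Set[str]] = field(default_factory=dict)    # service -> control sets it persists in


def normalize_path(p: str) -> str:
    """Map the NT-style paths GMER prints onto Win32 paths (uses the assumed SystemRoot)."""
    low = p.lower()
    for prefix in (r"\\?\globalroot\systemroot", r"\systemroot"):
        if low.startswith(prefix):
            return SYSTEMROOT + p[len(prefix):]
    return p


def parse_gmer(text: str) -> Triage:
    t = Triage()
    for line in (ln.strip() for ln in text.splitlines()):
        if m := HOOK_RE.match(line):
            t.hooks.append(KernelHook(m["fn"], int(m["addr"], 16), int(m["tgt"], 16)))
        elif m := HIDDEN_LIB_RE.match(line):
            t.hidden[normalize_path(m["path"])] = f'{m["host"]} [{m["pid"]}]'
        elif m := HIDDEN_SVC_RE.match(line):
            t.hidden[normalize_path(m["path"])] = "kernel"
        elif m := REG_RE.match(line):
            key, _, value = m["key"].partition("@")
            parts = key.split("\\")
            if "Services" not in parts:
                continue
            i = parts.index("Services")
            svc, sub = parts[i + 1], "\\".join(parts[i + 2:])
            t.control_sets.setdefault(svc, set()).add(parts[i - 1])
            vals = t.services.setdefault(svc, {})
            if value:  # a value under the key (or a subkey), not the bare key line
                vals[f"{sub}@{value}" if sub else value] = (m["data"] or "").strip()
    return t


def artifact_paths(t: Triage) -> Set[str]:
    """Every on-disk file the hidden modules and the service keys point at."""
    paths = set(t.hidden)
    for vals in t.services.values():
        for name, data in vals.items():
            if name == "imagepath" or name.startswith("modules@"):
                paths.add(normalize_path(data))
    return paths


def summary(t: Triage) -> List[str]:
    lines = [f"inline hook: {h.func} @ {h.address:08X} -> {h.target:08X} (outside kernel image)"
             for h in t.hooks if h.outside_kernel_image()]
    lines += [f"hidden module: {p} ({host})" for p, host in t.hidden.items()]
    for svc, sets in t.control_sets.items():
        lines.append(f"hidden service key: {svc} in {', '.join(sorted(sets))}")
    return lines


if __name__ == "__main__":
    triage = parse_gmer(SAMPLE_LOG)
    print("\n".join(summary(triage)))
    print("collect:", *sorted(artifact_paths(triage)), sep="\n  ")
```

Two design points: the hook check keys on the JMP target rather than on the function name, because a legitimate security product (the Eset amon.sys filter in the same log) attaches as a filter device rather than patching kernel code, so a 5-byte JMP out of the image is the signal regardless of which export is hooked; and the registry walk records every control set the service was written to, since a driver present in ControlSet003 and ControlSet004 as well as CurrentControlSet survives a "Last Known Good" boot, which is one reason the helper's reply treats a rebuild as the safer option.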
Yes, unfortunately your log shows signs of a rootkit being present on your system. This means your PC is at risk now and sadly may always be.
The problem with rootkits is they are very hard to detect and extremely hard to remove completely.
Rootkits may also have what is known as a backdoor. The backdoor, if present, will give complete remote access to your system. This means someone will be able to steal any information stored on your PC, including addresses, names and telephone numbers and, more worryingly, passwords, bank account details and any other financial information; basically they will have access to any data that you do.


At this point you have two options:

OPTION 1

We attempt to remove the rootkit but will never really know if it is completely removed which means all the above applies.
There will be no guarantees with this option.

OPTION 2

We reformat your system.
This will destroy the rootkit but means you will have to reinstall everything.


I would like you to read the information over and, when you have decided which option to choose, post back and I will gladly assist with whatever route you choose to take.
 
Let's try option #1 first.

First off, how did I even get this? I use NOD32 and a few spyware programs.

I ran AVG Anti-Rootkit last night, and it said it removed it, but I just woke up to a warning from NOD32:

Code:
Time	Module	Object	Name	Threat	Action	User	Information
6/8/2009 15:15:26 PM	AMON	file	C:\System Volume Information\_restore{554CCE67-0960-4DC2-A66F-7385F3565CA3}\RP825\A0364842.sys	a variant of Win32/Kryptik.SB trojan	quarantined - deleted	NT AUTHORITY\SYSTEM	Event occurred on a file modified by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window. 
6/8/2009 15:15:23 PM	AMON	file	C:\System Volume Information\_restore{554CCE67-0960-4DC2-A66F-7385F3565CA3}\RP825\A0364841.dll	a variant of Win32/Kryptik.PF trojan	quarantined - deleted	NT AUTHORITY\SYSTEM	Event occurred on a file modified by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.
 
And by the way, Spybot gets to the "loading" screen but does not load completely, although this is farther than I got before.

I should probably just format, right?
 
Hi again,

There are different ways the infection may have been caused. The topic here may give you some idea of the possible source.

As I said, reformatting is one of the options, and probably the recommended one. The other one is a cleaning attempt, without any guarantees.
 
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or a MOD a private message (PM). A valid, working link to the closed topic is required.
 