
Another Google Redirect Issue

Discussion in 'Virus & Other Malware Removal' started by WhiteWalls, May 3, 2010.

Thread Status:
Not open for further replies.
  1. WhiteWalls (Thread Starter). Joined: May 3, 2010. Messages: 1
    A couple of days ago I was browsing the internet in Firefox when my PC started spazzing out. I immediately restarted in Safe Mode and ran Malwarebytes, Ad-Aware, and AVG, all of which found a large number of viruses. I fixed a few reg keys I was familiar with. I restarted Windows and everything seemed fine until I did a Google search and, upon clicking a search result, ended up on a different website. So I told my roommate, who works part-time for Geek Squad and is a comp-e grad student. He ran a few Geek Squad tools on my PC and found a couple of viruses in the Java application data folder. I figured this would be the end, but the redirects continued.

    I started to check forums about my problem and tried everything that was mentioned. I got Spybot and SUPERAntiSpyware, both of which found more infections. Then I uninstalled and reinstalled both Firefox and Internet Explorer countless times. I downloaded and installed Google Chrome, but when I attempted to use it, it wouldn't run properly, which I imagine is caused by the virus. I deleted all of my temporary files. I got ComboFix, which found and deleted a few more viruses along with resetting some Windows files.

    Here is my ComboFix log:

    ComboFix 10-05-03.02 - Mark 05/03/2010 16:28:07.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1261 [GMT -4:00]
    Running from: d:\documents and settings\Mark\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    d:\documents and settings\Mark\Local Settings\Application Data\Windows Server
    d:\documents and settings\Mark\Local Settings\Application Data\Windows Server\flags.ini
    d:\documents and settings\Mark\Local Settings\Application Data\Windows Server\uses32.dat
    d:\documents and settings\Mark\Local Settings\Temporary Internet Files\Ernw74Pp.jpg
    d:\documents and settings\Mark\Local Settings\Temporary Internet Files\j1NrQ.jpg
    d:\documents and settings\Mark\Local Settings\Temporary Internet Files\KmyM83155.jpg
    d:\documents and settings\Mark\Local Settings\Temporary Internet Files\lGVW0.jpg
    d:\documents and settings\Mark\Local Settings\Temporary Internet Files\TestBrowser.html
    d:\program files\WindowsUpdate
    d:\windows\system32\ctfmon .exe
    d:\windows\system32\nwiz .exe
    d:\windows\system32\regsvr32 .exe
    d:\windows\system32\rundll32 .exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_6TO4


    ((((((((((((((((((((((((( Files Created from 2010-04-03 to 2010-05-03 )))))))))))))))))))))))))))))))
    .

    2010-05-03 18:14 . 2010-05-03 18:14 52224 ----a-w- d:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-05-03 18:14 . 2010-05-03 18:14 117760 ----a-w- d:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-05-03 18:14 . 2010-05-03 18:14 -------- d-----w- d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-05-03 18:13 . 2010-05-03 18:13 -------- d-----w- d:\program files\SUPERAntiSpyware
    2010-05-03 18:13 . 2010-05-03 18:13 -------- d-----w- d:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com
    2010-05-03 18:11 . 2010-05-03 18:48 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-05-03 18:11 . 2010-05-03 18:14 -------- d-----w- d:\program files\Spybot - Search & Destroy
    2010-05-03 17:30 . 2010-05-03 17:30 -------- d-----w- d:\program files\Common Files\Java
    2010-05-03 17:30 . 2010-05-03 17:30 -------- d-----w- d:\program files\Sun
    2010-05-03 17:29 . 2010-05-03 17:29 411368 ----a-w- d:\windows\system32\deployJava1.dll
    2010-05-03 17:28 . 2010-05-03 17:29 -------- d-----w- d:\program files\Java
    2010-05-03 05:52 . 2010-05-03 05:52 -------- d-----w- d:\documents and settings\Administrator\Application Data\Webroot
    2010-05-02 23:36 . 2010-05-02 23:36 -------- d-----w- d:\documents and settings\Mark\Application Data\Webroot
    2010-05-02 22:43 . 2008-05-02 14:41 3493888 ---ha-w- d:\documents and settings\Mark\Application Data\U3\temp\Launchpad Removal.exe
    2010-05-02 22:43 . 2010-05-02 22:43 -------- d-----w- d:\documents and settings\Mark\Application Data\U3
    2010-05-02 22:26 . 2010-05-02 22:26 6153352 ----a-w- d:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-05-02 22:26 . 2010-04-29 19:39 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
    2010-05-02 22:26 . 2010-05-03 02:10 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
    2010-05-02 22:26 . 2010-04-29 19:39 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
    2010-04-30 05:45 . 2010-04-30 05:45 664 ----a-w- d:\windows\system32\d3d9caps.dat
    2010-04-29 02:32 . 2010-05-03 17:07 -------- d-----w- d:\documents and settings\Mark\Local Settings\Application Data\Temp
    2010-04-29 02:32 . 2010-05-03 17:07 -------- d-----w- d:\documents and settings\Mark\Local Settings\Application Data\Google
    2010-04-28 18:40 . 2010-04-28 18:40 -------- d-----w- d:\documents and settings\Mark\Application Data\AVG9
    2010-04-27 20:59 . 2010-04-27 20:59 -------- d-s---w- d:\documents and settings\NetworkService\UserData
    2010-04-27 09:48 . 2010-04-27 09:48 -------- d-s---w- d:\documents and settings\Mark\UserData
    2010-04-27 09:38 . 2010-04-27 09:38 -------- d-----w- d:\documents and settings\Mark\Application Data\Malwarebytes
    2010-04-27 09:17 . 2010-04-27 09:17 -------- d-----w- d:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2010-04-27 06:42 . 2010-04-27 06:42 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-04-27 06:41 . 2010-04-27 06:41 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-27 05:43 . 2010-04-27 06:16 -------- d-----w- d:\program files\WeFi
    2010-04-20 17:50 . 2010-04-20 17:50 242696 ----a-w- d:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
    2010-04-20 17:49 . 2010-04-20 17:49 1689952 ----a-w- d:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
    2010-04-15 22:46 . 1999-12-17 14:13 86016 ----a-w- d:\windows\unvise32.exe
    2010-04-15 22:46 . 2010-04-15 22:46 -------- d-----w- d:\program files\TeraTermSSH
    2010-04-12 04:58 . 2010-04-12 04:58 2617856 ----a-w- d:\documents and settings\All Users\Application Data\Out of the Park Developments\OOTP Baseball 8\uninstaller\uninstall.exe
    2010-04-12 04:58 . 2010-04-12 04:58 -------- d-----w- d:\documents and settings\Mark\Application Data\Out of the Park Developments
    2010-04-12 04:58 . 2010-04-12 04:58 -------- d-----w- d:\program files\Out of the Park Developments
    2010-04-12 04:58 . 2010-04-12 04:58 -------- d-----w- d:\program files\ootp8freesetup
    2010-04-12 04:58 . 2010-04-12 04:58 -------- d-----w- d:\documents and settings\All Users\Application Data\Out of the Park Developments
    2010-04-07 17:08 . 2010-04-07 17:08 4255072 ----a-w- d:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2010-04-05 14:29 . 2010-04-05 14:29 -------- d-----w- d:\windows\Sun
    2010-04-04 19:28 . 2010-04-04 19:28 2165 ----a-w- d:\documents and settings\Mark\Application Data\.purple\certificates\x509\tls_peers\rsi.hotmail.com

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-03 20:34 . 2010-01-25 17:20 -------- d-----w- d:\documents and settings\Mark\Application Data\uTorrent
    2010-05-03 18:48 . 2010-01-19 05:12 -------- d-----w- d:\documents and settings\Mark\Application Data\.purple
    2010-05-03 18:13 . 2010-01-19 04:58 -------- d-----w- d:\program files\Common Files\Wise Installation Wizard
    2010-05-03 02:34 . 2010-01-19 04:52 -------- d-----w- d:\documents and settings\Mark\Application Data\foobar2000
    2010-04-27 20:51 . 2010-01-19 04:58 -------- d-----w- d:\program files\iTunes
    2010-04-27 20:49 . 2010-01-19 05:02 -------- d-----w- d:\documents and settings\All Users\Application Data\avg9
    2010-04-27 20:08 . 2010-01-25 17:20 -------- d-----w- d:\program files\uTorrent
    2010-04-27 20:08 . 2010-01-19 05:03 -------- d-----w- d:\program files\Winamp
    2010-04-27 20:07 . 2010-01-19 05:15 -------- d-----w- d:\program files\QuickTime
    2010-04-24 05:13 . 2010-02-11 21:46 -------- d-----w- d:\documents and settings\Mark\Application Data\gtk-2.0
    2010-04-24 04:58 . 2010-01-21 00:26 -------- d-----w- d:\documents and settings\Mark\Application Data\DC++
    2010-04-20 17:50 . 2010-01-19 05:02 242896 ----a-w- d:\windows\system32\drivers\avgtdix.sys
    2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- d:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\7137\AdobeARM.exe
    2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- d:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\7137\AdobeExtractFiles.dll
    2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- d:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\7137\ReaderUpdater.exe
    2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- d:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\7137\AcrobatUpdater.exe
    2010-03-24 04:21 . 2010-01-26 21:49 -------- d-----w- d:\documents and settings\All Users\Application Data\Microsoft Help
    2010-03-16 14:13 . 2010-03-16 14:13 12464 ----a-w- d:\windows\system32\avgrsstx.dll
    2010-03-16 14:13 . 2010-01-19 05:02 29512 ----a-w- d:\windows\system32\drivers\avgmfx86.sys
    2010-03-16 14:13 . 2010-01-19 05:02 216200 ----a-w- d:\windows\system32\drivers\avgldx86.sys
    2010-03-01 06:30 . 2010-03-01 06:30 2157 ----a-w- d:\documents and settings\Mark\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
    2010-02-25 15:26 . 2010-01-19 05:00 68456 ----a-w- d:\documents and settings\Mark\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-11 04:53 . 2010-02-11 04:53 2095 ----a-w- d:\documents and settings\Mark\Application Data\.purple\certificates\x509\tls_peers\login.live.com
    .
    d:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
    d:\program files\Analog Devices\Core\smax4pnp .exe
    d:\program files\Analog Devices\SoundMAX\smax4   .exe
    d:\program files\AVG\AVG9\avgtray .exe
    d:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
    d:\program files\Common Files\Nero\Lib\nerocheck .exe
    d:\program files\Common Files\Nero\Lib\nmbgmonitor .exe
    d:\program files\iTunes\ituneshelper .exe
    d:\program files\Microsoft Office\Office12\groovemonitor .exe
    d:\program files\Nero\Nero8\Nero BackItUp\nbkeyscan .exe
    d:\program files\QuickTime\qttask   .exe
    d:\program files\uTorrent\utorrent   .exe
    d:\program files\Winamp\winampa .exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"="d:\program files\uTorrent\utorrent .exe" [2010-01-25 289584]
    "Google Update"="d:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-05-02 136176]
    "SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-27 2020592]
    "ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
    "nwiz"="nwiz.exe" [N/A]
    "NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
    "iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
    "SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    d:\documents and settings\Mark\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-03-16 14:13 12464 ----a-w- d:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\Last.fm\\LastFM.exe"=
    "d:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
    "d:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "d:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "d:\\Program Files\\iTunes\\iTunes.exe"=
    "d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [1/19/2010 1:02 AM 216200]
    R1 AvgTdiX;AVG Free Network Redirector;d:\windows\system32\drivers\avgtdix.sys [1/19/2010 1:02 AM 242896]
    R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 61440]
    R2 avg9emc;AVG Free E-mail Scanner;d:\program files\AVG\AVG9\avgemc.exe [3/16/2010 10:13 AM 916760]
    R2 avg9wd;AVG Free WatchDog;d:\program files\AVG\AVG9\avgwdsvc.exe [3/16/2010 10:13 AM 308064]
    S3 memchek;memchek;\??\d:\windows\system32\memchek.sys --> d:\windows\system32\memchek.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-27 d:\windows\Tasks\AppleSoftwareUpdate.job
    - d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2010-05-03 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-57989841-1417001333-1003Core.job
    - d:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-02 18:37]

    2010-05-03 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-57989841-1417001333-1003UA.job
    - d:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-02 18:37]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    FF - ProfilePath - d:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\h1dfsd4z.default\
    FF - plugin: d:\documents and settings\Mark\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

    ---- FIREFOX POLICIES ----
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-03 16:34
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys >>UNKNOWN [0x89D08CE2]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
    \Driver\ACPI -> ACPI.sys @ 0xba77fcb8
    \Driver\atapi -> atapi.sys @ 0xba711852
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
    ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
    ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    NDIS: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xba61dbb0
    PacketIndicateHandler -> NDIS.sys @ 0xba62aa21
    SendHandler -> NDIS.sys @ 0xba60887b
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(896)
    d:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'explorer.exe'(340)
    d:\progra~1\MICROS~3\Office12\GRA8E1~1.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    d:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
    d:\program files\AVG\AVG9\avgchsvx.exe
    d:\program files\AVG\AVG9\avgrsx.exe
    d:\program files\AVG\AVG9\avgcsrvx.exe
    d:\windows\system32\RUNDLL32.EXE
    d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    d:\program files\Bonjour\mDNSResponder.exe
    d:\program files\Java\jre6\bin\jqs.exe
    d:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
    d:\windows\system32\nvsvc32.exe
    d:\windows\system32\wdfmgr.exe
    d:\program files\AVG\AVG9\avgnsx.exe
    d:\program files\AVG\AVG9\avgcsrvx.exe
    d:\program files\iPod\bin\iPodService.exe
    d:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-05-03 16:36:03 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-05-03 20:36

    Pre-Run: 53,795,758,080 bytes free
    Post-Run: 54,113,640,448 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(3)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(3)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(2)partition(1)\WINDOWS.0="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(2)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 1AE2572B6559A91B066A9557F0A5DBD9
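The log above contains a few indicators a responder would pull out by hand: files in system32 and Program Files whose names carry whitespace before the extension (d:\windows\system32\ctfmon .exe, deleted by ComboFix, next to the genuine d:\windows\system32\ctfmon.exe that the Run key still points at), a Run-key value ComboFix could not resolve to a file ("nwiz"="nwiz.exe" [N/A]), and the Windows Firewall standard profile switched off ("EnableFirewall"= 0). The following Python is an added example by the editor, not ComboFix's code and not anything the poster ran: it triages a ComboFix-style log for those three indicators. The sample log is constructed from lines copied from the post, and the regular expressions are assumptions about ComboFix's line formats rather than a published specification.

```python
"""Triage a ComboFix-style log for three indicators seen in the post above.

Added example, not ComboFix's own code. The line formats matched below are
assumptions drawn from the posted log, not a documented format.
"""
import re

# Constructed sample: lines copied verbatim from the log posted above
# (one "Other Deletions" path, two startup-list paths, three Run-key
# values and the two firewall-policy values).
SAMPLE_LOG = r"""
d:\windows\system32\ctfmon .exe
d:\windows\system32\rundll32 .exe
d:\program files\Analog Devices\SoundMAX\smax4   .exe
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"nwiz"="nwiz.exe" [N/A]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

# <drive>:\...\<name><whitespace>.<ext>: an executable whose file name has
# whitespace before the extension, e.g. "ctfmon .exe" beside ctfmon.exe.
SPACED_EXE_RE = re.compile(
    r"^(?P<stem>[a-z]:\\.*\S)\s+\.(?P<ext>exe|dll|sys|scr)$", re.IGNORECASE
)

# "Name"="image" [info]: how ComboFix prints Run-key values. info is a
# date and size when the image was found on disk, or N/A when it was not.
RUN_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"\s*\[(?P<info>[^\]]*)\]$'
)

# "EnableFirewall"= 0 (0x0) under the firewall standard-profile key.
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')


def _lines(log):
    """Non-empty log lines with surrounding whitespace removed."""
    return [line.strip() for line in log.splitlines() if line.strip()]


def find_spaced_executables(log):
    """Return [(line_as_seen, legitimate_name_it_impersonates), ...]."""
    hits = []
    for line in _lines(log):
        m = SPACED_EXE_RE.match(line)
        if m:
            hits.append((line, f"{m['stem']}.{m['ext'].lower()}"))
    return hits


def find_unresolved_run_values(log):
    """Run-key values ComboFix could not resolve ([N/A]).

    Returns (value_name, image, unqualified): unqualified is True when the
    image has no directory, so the loader resolves it at run time and the
    log alone cannot say which file would actually start.
    """
    out = []
    for line in _lines(log):
        m = RUN_VALUE_RE.match(line)
        if m and m["info"].strip().upper() == "N/A":
            out.append((m["name"], m["image"], "\\" not in m["image"]))
    return out


def firewall_disabled(log):
    """True when the standard-profile EnableFirewall value is 0."""
    for line in _lines(log):
        m = FIREWALL_RE.match(line)
        if m:
            return int(m["value"]) == 0
    return False  # value absent from the log: nothing to report


def triage(log):
    """Summary of all three checks for one log."""
    return {
        "spaced_executables": find_spaced_executables(log),
        "unresolved_run_values": find_unresolved_run_values(log),
        "firewall_disabled": firewall_disabled(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Treat the hits as leads for the people answering the thread, not verdicts: the firewall value is legitimately 0 on machines running a third-party firewall, and the spaced-name paths in this log are files ComboFix has already removed, so what the check adds is the list of legitimate binaries those files sat beside.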
     