Google redirect...system has virus downloader pop up

#1 hchung

Hi! So I've looked through the forums and tried everything that it showed me to do on each thread. I've noticed each thread is a lot different from another, so I've ended up just stuck with a bunch of programs and no fix. Every time it says to do something during the downloading process of the program, an error message pops up. Also, I'll be on a website and this page pops up looking like the Control Panel screen, detecting viruses on my computer and telling me to download a program.

Well, I scanned the computer with ComboFix.
Hopefully someone would be kind enough to help?

ComboFix 09-10-28.08 - Benjamin 10/29/2009 15:34.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1489 [GMT -7:00]
Running from: c:\docume~1\Benjamin\LOCALS~1\Temp\b8t9zn48.tmp\ComboFix.exe
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\_000015_.tmp.dll
c:\windows\system32\_000026_.tmp.dll
c:\windows\system32\_000027_.tmp.dll
c:\windows\system32\_000028_.tmp.dll
c:\windows\system32\_000029_.tmp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AVPsys


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-29 21:52 . 2009-10-29 21:52 -------- d-----w- C:\!KillBox
2009-10-16 00:06 . 2006-06-19 20:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-10-16 00:06 . 2006-05-25 22:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-10-16 00:06 . 2005-08-26 08:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-10-16 00:06 . 2003-02-03 03:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2009-10-16 00:06 . 2002-03-06 08:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-10-16 00:06 . 2009-10-16 00:06 -------- d-----w- c:\documents and settings\Benjamin\Application Data\Simply Super Software
2009-10-16 00:06 . 2009-10-16 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-10-16 00:05 . 2009-10-16 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-16 00:04 . 2009-10-16 00:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-16 00:04 . 2009-10-16 00:04 -------- d-----w- c:\documents and settings\Benjamin\Application Data\SUPERAntiSpyware.com
2009-10-15 00:29 . 2009-10-15 00:29 -------- d-----w- c:\program files\iPod
2009-10-15 00:29 . 2009-10-15 00:30 -------- d-----w- c:\program files\iTunes
2009-10-15 00:29 . 2009-10-15 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-15 00:26 . 2009-10-15 00:27 -------- d-----w- c:\program files\QuickTime
2009-10-14 06:49 . 2009-10-14 06:49 -------- d-----w- c:\documents and settings\Benjamin\Local Settings\Application Data\AIM
2009-10-04 18:30 . 2009-10-04 18:30 -------- d-----w- c:\windows\system32\Service
2009-10-04 18:30 . 2009-10-04 18:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-10-02 21:16 . 2009-10-02 21:16 -------- d-----w- c:\documents and settings\Benjamin\Local Settings\Application Data\Temp
2009-10-02 21:16 . 2009-10-02 21:16 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 22:12 . 2009-09-19 21:47 -------- d-----w- c:\program files\Trend Micro
2009-10-16 00:04 . 2008-10-10 05:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-15 00:50 . 2008-07-27 18:48 -------- d-----w- c:\documents and settings\Benjamin\Application Data\Apple Computer
2009-10-15 00:29 . 2008-11-12 09:09 -------- d-----w- c:\program files\Common Files\Apple
2009-10-15 00:18 . 2009-06-19 06:29 -------- d-----w- c:\program files\Safari
2009-10-03 16:20 . 2008-09-09 17:57 -------- d-----w- c:\documents and settings\Benjamin\Application Data\uTorrent
2009-10-02 21:16 . 2009-09-02 21:56 -------- d-----w- c:\program files\Google
2009-09-25 05:37 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-22 23:08 . 2009-06-20 03:39 55736 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-22 22:38 . 2008-07-27 18:05 67216 ----a-w- c:\documents and settings\Benjamin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-22 22:31 . 2009-09-15 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-19 21:48 . 2009-09-19 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-09-19 21:43 . 2009-09-19 21:48 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-09-19 21:43 . 2009-09-19 21:48 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-09-19 21:43 . 2009-09-19 21:48 158224 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-19 21:43 . 2009-09-19 21:43 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2009-09-19 21:43 . 2009-09-19 21:43 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-09-19 21:43 . 2009-09-19 21:43 225808 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-09-19 21:43 . 2009-09-19 21:43 1223832 ----a-w- c:\windows\system32\drivers\vsapint.sys
2009-09-19 21:38 . 2009-09-15 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-15 20:45 . 2009-09-15 20:45 -------- d-----w- c:\program files\AVG
2009-09-15 20:44 . 2009-09-15 20:44 -------- d-----w- c:\program files\Alwil Software
2009-09-15 20:37 . 2009-09-15 19:56 -------- d-sh--w- c:\documents and settings\All Users\Application Data\0c613ba
2009-09-15 20:19 . 2009-09-15 20:19 -------- d-----w- c:\documents and settings\Benjamin\Application Data\Malwarebytes
2009-09-15 20:19 . 2009-09-15 20:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-15 20:19 . 2009-09-15 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-11 18:49 . 2008-12-26 08:22 -------- d-----w- c:\program files\AIMTunes
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 21:54 . 2009-09-15 20:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-09-15 20:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-05 08:25 . 2009-09-05 08:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-05 08:25 . 2009-09-05 08:25 -------- d-----w- c:\program files\Java
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 02:42 . 2009-06-19 06:26 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 02:42 . 2008-11-12 09:10 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-13 15:16 . 2009-09-10 02:50 512000 ----a-w- c:\windows\system32\SET193.tmp
2009-08-13 15:16 . 2009-09-10 02:50 512000 ------w- c:\windows\system32\SET2C5.tmp
2009-08-13 15:16 . 2009-09-10 02:50 512000 ------w- c:\windows\system32\SET15B.tmp
2009-08-07 02:24 . 2008-07-27 17:57 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2008-07-27 17:57 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2008-07-27 17:57 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2007-07-31 02:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2008-07-27 17:57 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2008-07-27 17:57 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2008-07-27 17:57 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-04 12:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-05 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-09-19 1020248]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-02-20 19456]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-02-20 19968]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-04-10 16861184]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Steam\\steamapps\\donnybrook\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\donnybrook\\counter-strike\\hl.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\alexeomagnifico\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/19/2009 2:43 PM 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/26/2008 1:21 AM 24652]
R3 NB762_XP;NB 802.11g XG762 1211B Driver;c:\windows\system32\drivers\WlanUZXP.sys [2/18/2009 12:29 PM 437760]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [9/19/2009 2:48 PM 50704]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [9/19/2009 2:48 PM 689416]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/2/2009 2:15 PM 133104]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-02 21:15]

2009-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-02 21:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/puccini/start
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Benjamin\Application Data\Mozilla\Firefox\Profiles\3x852w9u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 15:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3876)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\AIM6\aolsoftware.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
.
**************************************************************************
.
Completion time: 2009-10-29 15:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-29 22:46

Pre-Run: 60,353,974,272 bytes free
Post-Run: 60,245,942,272 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1E0AD1A7EC07B3D20BB6DDEDAB086C4C
thanks!

Edited by hchung, 29 October 2009 - 05:49 PM.