Windows Update redirects to Google


  • This topic is locked
6 replies to this topic

#1 MLS122171

MLS122171

  • Members
  • 6 posts
  • OFFLINE
  • Location:Toronto, Canada
  • Local time:06:39 AM

Posted 09 February 2009 - 09:52 PM

Hello, I have a problem. I should start off by saying that I am running Windows XP Home SP2 on my Mac through the application Parallels Desktop. Everything to do with XP is running fine, except for two things. First, whenever I go to the Windows/Microsoft update websites, it always redirects me to Google; it doesn't matter if I've clicked the link from the Automatic Updates control panel, or if I've typed it in manually, it always redirects to Google. I'm wondering if I have some sort of malware or virus on my computer because I know that my Mac has a virus, and I'm wondering if it's affecting the Windows XP portion of the computer too. The reason I mentioned AVG here is because I saw another person post the exact same problem as mine, and this person's problem started out with AVG failing to update (I have AVG Internet Security 8.0). Any suggestions?

Here is the DDS log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 21:47:49.54 on Mon 02/09/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.63.9 [GMT -5:00]

AV: AVG Internet Security *On-access scanning disabled* (Outdated)
FW: AVG Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe
C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe
C:\Program Files\Parallels\Parallels Tools\Services\prl_tools.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Parallels\Parallels Tools\SIA\SharedIntApp.exe
C:\Program Files\Parallels\Parallels Tools\prl_cc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
\\.psf\Home\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.apple.com/ca
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
mRun: [Parallels Shared Internet Applications] "c:\program files\parallels\parallels tools\sia\SharedIntApp.exe" /start
mRun: [Parallels Tools Center] "c:\program files\parallels\parallels tools\prl_cc.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
uPolicies-explorer: NoSimpleNetIDList = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: .psf
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-2-8 12936]
R0 prl_pv32;prl_pv32;c:\windows\system32\drivers\prl_pv32.sys [2009-1-23 101984]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-8 26824]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-8 90632]
R1 prl_boot;prl_boot;c:\windows\system32\drivers\prl_boot.sys [2009-1-23 32736]
R2 prl_fs;Parallels Shared Folders;c:\windows\system32\drivers\prl_fs.sys [2009-1-23 148448]
R2 prl_time;Parallels Time Synchronization Helper;c:\windows\system32\drivers\prl_time.sys [2009-2-8 15840]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-2-8 29208]
R3 prl_eth5;Parallels Ethernet Adapter;c:\windows\system32\drivers\prl_eth5.sys [2009-2-8 18144]
R3 prl_mouf;Parallels Mouse Synchronization Device;c:\windows\system32\drivers\prl_mouf.sys [2009-2-8 15712]
R3 prl_tg;Parallels Tool Device;c:\windows\system32\drivers\prl_tg.sys [2009-2-8 23008]
R3 prl_va;Parallels Video Adapter;c:\windows\system32\drivers\prl_vamp.sys [2009-2-8 20064]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-8 98440]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-2-8 29208]

=============== Created Last 30 ================

2009-02-09 21:27 <DIR> --d----- c:\program files\Trend Micro
2009-02-09 17:43 <DIR> a-dshr-- C:\cmdcons
2009-02-08 17:42 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-08 17:42 12,936 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-02-08 17:42 90,632 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-08 17:41 98,440 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-08 17:41 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-08 17:41 <DIR> --d----- c:\docume~1\owner\applic~1\AVGTOOLBAR
2009-02-08 17:39 50,968 a------- c:\windows\system32\avgfwdx.dll
2009-02-08 17:39 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2009-02-08 17:39 <DIR> --d----- c:\program files\AVG
2009-02-08 17:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-08 16:57 <DIR> --d----- c:\program files\uTorrent
2009-02-08 16:57 <DIR> --d----- c:\docume~1\owner\applic~1\uTorrent
2009-02-08 16:55 <DIR> --ds---- c:\documents and settings\owner\UserData
2009-02-08 00:46 <DIR> --d----- c:\docume~1\owner\applic~1\Parallels
2009-02-08 00:46 23,008 a------- c:\windows\system32\drivers\prl_tg.sys
2009-02-08 00:45 18,144 a------- c:\windows\system32\drivers\prl_eth5.sys
2009-02-08 00:45 151,040 a------- c:\windows\system32\prl_gl.dll
2009-02-08 00:45 83,040 a------- c:\windows\system32\prl_vadd.dll
2009-02-08 00:45 20,064 a------- c:\windows\system32\drivers\prl_vamp.sys
2009-02-08 00:45 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-02-08 00:45 15,712 a------- c:\windows\system32\drivers\prl_mouf.sys
2009-02-08 00:44 15,840 a------- c:\windows\system32\drivers\prl_time.sys
2009-02-08 00:44 <DIR> --d----- c:\program files\Parallels
2009-02-08 00:42 <DIR> --d----- c:\documents and settings\Owner
2009-02-08 00:42 <DIR> --ds---- c:\windows\system32\Microsoft
2009-02-08 00:42 8,192 a------- c:\windows\REGLOCS.OLD
2009-02-08 00:40 28,288 ac------ c:\windows\system32\dllcache\xjis.nls
2009-02-08 00:40 156,672 ac------ c:\windows\system32\dllcache\winzm.ime
2009-02-08 00:40 156,672 ac------ c:\windows\system32\dllcache\winsp.ime
2009-02-08 00:40 156,672 ac------ c:\windows\system32\dllcache\winpy.ime
2009-02-08 00:40 65,536 ac------ c:\windows\system32\dllcache\winime.ime
2009-02-08 00:40 79,360 ac------ c:\windows\system32\dllcache\winar30.ime
2009-02-08 00:40 69,120 ac------ c:\windows\system32\dllcache\wingb.ime
2009-02-08 00:40 41,600 ac------ c:\windows\system32\dllcache\weitekp9.dll
2009-02-08 00:40 31,232 ac------ c:\windows\system32\dllcache\weitekp9.sys
2009-02-08 00:40 48,256 ac------ c:\windows\system32\dllcache\w32.dll
2009-02-08 00:40 86,073 ac------ c:\windows\system32\dllcache\voicesub.dll
2009-02-08 00:40 426,041 ac------ c:\windows\system32\dllcache\voicepad.dll
2009-02-08 00:38 20,736 ac------ c:\windows\system32\dllcache\ramdisk.sys
2009-02-08 00:37 7,680 ac------ c:\windows\system32\dllcache\migregdb.exe
2009-02-08 00:36 10,096,640 ac------ c:\windows\system32\dllcache\hwxcht.dll
2009-02-08 00:35 66,082 ac------ c:\windows\system32\dllcache\c_20277.nls
2009-02-08 00:34 16,439 ac------ c:\windows\system32\dllcache\admin.exe
2009-02-08 00:34 20,540 ac------ c:\windows\system32\dllcache\admin.dll
2009-02-08 00:34 <DIR> --d----- c:\windows\system32\xircom
2009-02-08 00:34 2,577 a------- c:\windows\system32\CONFIG.NT
2009-02-08 00:34 0 a------- c:\windows\control.ini
2009-02-08 00:33 23,392 a------- c:\windows\system32\nscompat.tlb
2009-02-08 00:33 16,832 a------- c:\windows\system32\amcompat.tlb
2009-02-08 00:33 316,640 a------- c:\windows\WMSysPr9.prx
2009-02-08 00:30 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-02-08 00:30 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-02-08 00:30 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-02-08 00:30 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-02-08 00:30 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-02-08 00:30 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-02-08 00:30 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-02-08 00:30 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-02-08 00:30 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-02-08 00:30 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-02-08 00:30 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-02-08 00:30 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-02-08 00:28 <DIR> --d----- c:\program files\common files\MSSoap
2009-02-08 00:26 <DIR> --d----- c:\program files\Online Services
2009-02-08 00:26 <DIR> --d----- c:\program files\Messenger
2009-02-08 00:26 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-02-08 00:25 <DIR> --d----- c:\program files\Windows NT
2009-02-07 19:21 <DIR> --d----- c:\program files\common files\ODBC
2009-02-07 19:21 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-02-07 19:20 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-02-08 16:39 502,272 a------- c:\windows\system32\winlogon.exe
2009-02-08 00:31 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-08 00:27 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-01-23 17:55 101,984 a------- c:\windows\system32\drivers\prl_pv32.sys
2009-01-23 17:55 148,448 a------- c:\windows\system32\drivers\prl_fs.sys
2009-01-23 17:55 32,736 a------- c:\windows\system32\drivers\prl_boot.sys
2009-01-23 17:48 80,896 a------- c:\windows\system32\prl_np.dll

============= FINISH: 21:48:26.21 ===============
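The DDS log above (and the ComboFix log later in the thread) list drivers in a `R0 name;display;path [date size]` format and autostart items in the Pseudo HJT section. As an added triage helper, not part of this thread or of DDS/ComboFix themselves, the Python below parses those sections from lines copied out of the log and flags what a log reviewer looks at first: a driver loading from outside the drivers directory, two service names backed by one driver file (Avgfwdx and Avgfwfd both point at avgfwdx.sys here), AppInit_DLLs entries, Trusted Zone additions and the start page. The flagged categories are my choice of review items, not verdicts about this machine.

```python
"""Triage helper for the DDS-style log sections posted in this thread."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the DDS log in post #1.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.apple.com/ca
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
Trusted Zone: .psf
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-2-8 12936]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-2-8 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-2-8 29208]
R2 prl_fs;Parallels Shared Folders;c:\windows\system32\drivers\prl_fs.sys [2009-1-23 148448]
"""

# R0..R3 = running at that start type, S* = stopped; format: state name;display;path [date size]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\S+)\s+(?P<size>\d+)\]$"
)
HJT_KEYS = ("BHO", "TB", "mRun", "uRun", "DPF", "Handler", "Trusted Zone", "AppInit_DLLs")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def parse_services(text):
    """Return one dict per R*/S* line: state, name, display, path, date, size."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["path"] = entry["path"].lower()
            entries.append(entry)
    return entries


def parse_hjt(text):
    """Collect Pseudo HJT lines (BHO, toolbar, run keys, AppInit_DLLs, ...) by type."""
    items = defaultdict(list)
    for line in text.splitlines():
        key, sep, rest = line.partition(":")
        if sep and key in HJT_KEYS:
            items[key].append(rest.strip())
        elif line.startswith(("uStart Page", "mStart Page")):
            items["Start Page"].append(line.split("=", 1)[1].strip())
    return items


def triage(text):
    """Return (category, detail) findings a log reviewer would look at first."""
    findings = []
    by_path = defaultdict(list)
    for svc in parse_services(text):
        by_path[svc["path"]].append(svc["name"])
        if not svc["path"].startswith(DRIVER_DIR):
            findings.append(("driver outside drivers dir", f"{svc['name']} -> {svc['path']}"))
    for path, names in by_path.items():
        if len(names) > 1:  # e.g. Avgfwdx and Avgfwfd both point at avgfwdx.sys
            findings.append(("shared driver file", f"{path} backs {', '.join(names)}"))
    hjt = parse_hjt(text)
    for dll in hjt["AppInit_DLLs"]:
        findings.append(("AppInit_DLLs (loaded into every process that uses user32)", dll))
    for zone in hjt["Trusted Zone"]:
        findings.append(("IE trusted zone entry", zone))
    for page in hjt["Start Page"]:
        findings.append(("browser start page", page))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```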

#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:39 AM

Posted 14 February 2009 - 08:06 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 MLS122171

MLS122171
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Location:Toronto, Canada
  • Local time:06:39 AM

Posted 16 February 2009 - 10:00 AM

Hello PP, thank you for taking the time to assist me with my problem.

ComboFix: I ran ComboFix, here is the log:

ComboFix 09-02-15.01 - Owner 2009-02-16 9:34:11.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.63.4 [GMT -5:00]
Running from: \\.psf\Home\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Outdated)
FW: AVG Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-16 to 2009-02-16 )))))))))))))))))))))))))))))))
.

2009-02-09 21:27 . 2009-02-09 21:27 <DIR> d-------- c:\program files\Trend Micro
2009-02-08 17:42 . 2009-02-08 17:42 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-08 17:42 . 2009-02-08 17:42 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-02-08 17:42 . 2009-02-08 17:42 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-08 17:41 . 2009-02-08 17:41 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-02-08 17:41 . 2009-02-09 18:29 <DIR> d-------- c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2009-02-08 17:41 . 2009-02-08 17:41 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-08 17:39 . 2009-02-08 17:39 <DIR> d-------- c:\program files\AVG
2009-02-08 17:39 . 2009-02-08 17:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-08 17:39 . 2009-02-08 17:39 50,968 --a------ c:\windows\system32\avgfwdx.dll
2009-02-08 17:39 . 2009-02-08 17:39 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
2009-02-08 16:57 . 2009-02-08 16:57 <DIR> d-------- c:\program files\uTorrent
2009-02-08 16:57 . 2009-02-08 18:21 <DIR> d-------- c:\documents and settings\Owner\Application Data\uTorrent
2009-02-08 16:55 . 2009-02-08 16:55 <DIR> d---s---- c:\documents and settings\Owner\UserData
2009-02-08 16:20 . 2009-02-08 17:45 <DIR> d-------- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 21:39 502,272 ----a-w c:\windows\system32\winlogon.exe
2009-02-08 05:46 --------- d-----w c:\documents and settings\Owner\Application Data\Parallels
2009-02-08 05:44 --------- d-----w c:\program files\Parallels
2009-02-08 05:34 --------- d-----w c:\program files\microsoft frontpage
2009-01-23 22:55 83,040 ----a-w c:\windows\system32\prl_vadd.dll
2009-01-23 22:55 32,736 ----a-w c:\windows\system32\drivers\prl_boot.sys
2009-01-23 22:55 23,008 ----a-w c:\windows\system32\drivers\prl_tg.sys
2009-01-23 22:55 20,064 ----a-w c:\windows\system32\drivers\prl_vamp.sys
2009-01-23 22:55 18,144 ----a-w c:\windows\system32\drivers\prl_eth5.sys
2009-01-23 22:55 15,840 ----a-w c:\windows\system32\drivers\prl_time.sys
2009-01-23 22:55 15,712 ----a-w c:\windows\system32\drivers\prl_mouf.sys
2009-01-23 22:55 148,448 ----a-w c:\windows\system32\drivers\prl_fs.sys
2009-01-23 22:55 101,984 ----a-w c:\windows\system32\drivers\prl_pv32.sys
2009-01-23 22:48 80,896 ----a-w c:\windows\system32\prl_np.dll
2009-01-23 22:47 151,040 ----a-w c:\windows\system32\prl_gl.dll
.

------- Sigcheck -------

2009-02-08 16:39 502272 6225f14b8ce08ccba8b25ad27843c674 c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Parallels Shared Internet Applications"="c:\program files\Parallels\Parallels Tools\SIA\SharedIntApp.exe" [2009-01-23 130144]
"Parallels Tools Center"="c:\program files\Parallels\Parallels Tools\prl_cc.exe" [2009-01-23 199264]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-08 1235736]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleNetIDList"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-02-08 12936]
R0 prl_pv32;prl_pv32;c:\windows\system32\drivers\prl_pv32.sys [2009-01-23 101984]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-08 90632]
R1 prl_boot;prl_boot;c:\windows\system32\drivers\prl_boot.sys [2009-01-23 32736]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-08 231704]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-02-08 1212184]
R2 Parallels Coherence Service;Parallels Coherence Service;c:\program files\Parallels\Parallels Tools\Services\coherence.exe [2009-01-23 28256]
R2 Parallels Tools Service;Parallels Tools Service;c:\program files\Parallels\Parallels Tools\Services\prl_tools_service.exe [2009-01-23 138336]
R2 prl_fs;Parallels Shared Folders;c:\windows\system32\drivers\prl_fs.sys [2009-01-23 148448]
R2 prl_time;Parallels Time Synchronization Helper;c:\windows\system32\drivers\prl_time.sys [2009-02-08 15840]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-02-08 29208]
R3 prl_eth5;Parallels Ethernet Adapter;c:\windows\system32\drivers\prl_eth5.sys [2009-02-08 18144]
R3 prl_mouf;Parallels Mouse Synchronization Device;c:\windows\system32\drivers\prl_mouf.sys [2009-02-08 15712]
R3 prl_tg;Parallels Tool Device;c:\windows\system32\drivers\prl_tg.sys [2009-02-08 23008]
R3 prl_va;Parallels Video Adapter;c:\windows\system32\drivers\prl_vamp.sys [2009-02-08 20064]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-08 98440]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-08 874776]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-02-08 29208]

--- Other Services/Drivers In Memory ---

*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.apple.com/ca
Trusted Zone: .psf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 09:36:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(948)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-02-16 9:39:00
ComboFix-quarantined-files.txt 2009-02-16 14:38:52
ComboFix2.txt 2009-02-09 22:49:11

Pre-Run: 32,855,396,352 bytes free
Post-Run: 32,850,288,640 bytes free

137

GMER: I downloaded GMER, and started the scan, but shortly afterwards, the computer went to a blue screen saying "Windows has been forced to close, for the safety of your computer, because of the file gmer.sys" or something like that. I'm not sure exactly what it said because it flashed on the screen for about three seconds before restarting the system. I do know for sure that it said it was because of gmer.sys. I then tried scanning using GMER again, and the same thing happened.

As for changes to my computer, I have made none, because I haven't bothered to start up the Windows XP portion of my computer, I decided to just use Mac until I got a reply here.

Regards,
MLS

Edited by MLS122171, 16 February 2009 - 10:02 AM.


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:39 AM

Posted 16 February 2009 - 02:11 PM

Hello.

Please try running GMER in Safe Mode.

Give me an update on the symptoms.

With Regards,
The Panda

#5 MLS122171

MLS122171
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Location:Toronto, Canada
  • Local time:06:39 AM

Posted 18 February 2009 - 09:19 PM

Hello PP:

I started it in Safe Mode, and I had the same result: The computer once again shut itself down saying it was due to the file gmer.sys.

Regards,
MLS

Edit: Here is a screenshot of what the page looks like: Posted Image

Edited by MLS122171, 18 February 2009 - 09:25 PM.


#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:39 AM

Posted 19 February 2009 - 08:28 AM

Hello.

Let's try AviraAntiRootkit then. If it doesn't work either, we'll just skip it.

Download and Run Avira AntiRootkit
Please navigate to the download page of Avira AntiRootkit and click on Download to save it to your Desktop.
  • You should now find a file called: antivir_rootkit.zip on your Desktop. Right click it and select Extract All. Delete the .zip file after extraction.
  • You should now have a folder with Setup.exe and some other files within it on your Desktop.
  • Double-click Setup.exe, then Next.
  • Highlight the radio button to accept the license agreement and then click Next.
  • Then click Next and Install to finalise the installation process.
  • Click Finish (you may now also delete the folder with the extracted files from the zip archive).
You successfully installed Avira AntiRootkit
  • Please now navigate to Start > All Programs > Avira RootKit Detection. Then select Avira RootKit Detection
  • Click OK when a message window pops up
  • Click Start scan and let it run. Be patient until the scan finishes.
  • Click View report and copy the entire contents into your next reply.
Do not choose to rename any items found yet. There may be false positives.
With Regards,
The Panda

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:39 AM

Posted 25 February 2009 - 03:41 PM

Hello.

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
