
Google gets redirected, and Malwarebytes is inaccessible and only scans for a few seconds


Jazi


Hi,

Hi, I believe that I recently got a virus similar to the one that SIR CHEECH got. I reviewed his posts, and it seems to me that we have a similar problem. I would really appreciate it if someone could help me. I did not follow the instructions that were given to SIR CHEECH because I believe that they were tailored for his computer. Just to give you some background info on my problem: every time I go to Google and click on a result, it redirects me to a new page, and Malwarebytes only runs for a few seconds when you first install it, but after that it won't even let you open it; it states: "Windows cannot access the specified path... You may not have the appropriate permissions to access it." AVG 8.5 won't run, Spybot S&D won't run either (I've tried in both safe mode and normal), and HijackThis began a scan, closed shortly after, and is no longer accessible. I HAVE RUN OUT OF IDEAS! PLEASE PLEASE HELP ME. Tell me what I need to do next. Please. Thank you so much.

is exactly the same problem that I am having. I'm currently running in Safe Mode. I'm a complete noob when it comes to computers. Is it OK to run ComboFix in Safe Mode?


OK, never mind that question about Safe Mode. I referred to another thread here and performed ComboFix in Safe Mode.

As I was running ComboFix, it popped up with a screen saying I was infected with 'Rootkit.ZeroAccess inserted in the tcp/ip stack'.

Anyway, here is the ComboFix report log. If anyone can help me with it and with what to do next, that would be great! Thanks.

ComboFix 11-09-21.01 - Jasmin 21/09/2011 22:18:06.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2046.1797 [GMT 10:00]

Running from: d:\users\Jasmin\Desktop\Combo-Fix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\$NtUninstallKB26776$\1576979097\@

c:\windows\$NtUninstallKB26776$\1576979097\bckfg.tmp

c:\windows\$NtUninstallKB26776$\1576979097\cfg.ini

c:\windows\$NtUninstallKB26776$\1576979097\Desktop.ini

c:\windows\$NtUninstallKB26776$\1576979097\keywords

c:\windows\$NtUninstallKB26776$\1576979097\kwrd.dll

c:\windows\$NtUninstallKB26776$\1576979097\L\dnoqsjwi

c:\windows\$NtUninstallKB26776$\1576979097\U\00000001.@

c:\windows\$NtUninstallKB26776$\1576979097\U\00000002.@

c:\windows\$NtUninstallKB26776$\1576979097\U\80000000.@

c:\windows\$NtUninstallKB26776$\1576979097\U\80000032.@

c:\windows\$NtUninstallKB26776$\601411829

c:\windows\system32\comct332.ocx

c:\windows\system32\d3d9caps.dat

D:\install.exe

d:\users\Jasmin\WINDOWS

c:\windows\$NtUninstallKB26776$ . . . . Failed to delete

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_5dfeca99

.

.

((((((((((((((((((((((((( Files Created from 2011-08-21 to 2011-09-21 )))))))))))))))))))))))))))))))

.

.

2011-09-21 10:50 . 2011-09-21 11:55 -------- d-----w- d:\users\All Users\Application Data\Spybot - Search & Destroy

2011-09-21 10:50 . 2011-09-21 10:50 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-09-21 10:45 . 2011-08-31 07:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-21 10:30 . 2011-09-21 10:46 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-21 10:30 . 2011-09-21 10:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-21 09:35 . 2011-09-21 09:35 -------- d-sh--w- d:\users\NetworkService\IETldCache

2011-09-20 06:21 . 2011-09-20 06:21 -------- d-----w- C:\.jagex_cache_32

2011-09-01 10:31 . 2011-09-21 09:39 -------- d-----w- d:\users\All Users\Application Data\GameXN

2011-08-28 05:24 . 2011-08-28 05:24 -------- d-----w- d:\users\All Users\Application Data\SwiftKit

2011-08-28 05:24 . 2011-09-20 06:18 -------- d-----w- c:\program files\SwiftKit

2011-08-25 12:58 . 2011-08-25 12:58 -------- d-----w- d:\users\Jasmin\riotsGamesLogs

2011-08-25 12:40 . 2011-08-25 12:40 -------- d-----w- d:\users\Jasmin\Application Data\LolClient

2011-08-25 10:05 . 2008-07-31 00:41 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll

2011-08-25 10:05 . 2008-07-31 00:40 509448 ----a-w- c:\windows\system32\XAudio2_2.dll

2011-08-25 10:05 . 2008-07-11 22:18 467984 ----a-w- c:\windows\system32\d3dx10_39.dll

2011-08-25 10:05 . 2008-07-11 22:18 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll

2011-08-25 10:04 . 2008-07-11 22:18 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll

2011-08-25 10:04 . 2011-08-25 10:04 -------- d-----w- c:\windows\Logs

2011-08-25 10:01 . 2011-08-25 10:01 -------- d-----w- C:\Riot Games

2011-08-25 09:14 . 2011-09-21 10:20 -------- d-----w- d:\users\Jasmin\Local Settings\Application Data\PMB Files

2011-08-25 09:14 . 2011-08-25 17:26 -------- d-----w- d:\users\All Users\Application Data\PMB Files

2011-08-25 09:14 . 2011-08-25 09:14 -------- d-----w- c:\program files\Pando Networks

2011-08-25 07:11 . 2011-09-21 10:08 -------- d-----w- d:\users\Jasmin\Application Data\TS3Client

2011-08-22 16:13 . 2011-08-22 16:13 -------- d-----w- c:\program files\TeamSpeak 3 Client

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-14 07:12 . 2011-08-14 07:12 256 ----a-w- d:\users\Jasmin\pool.bin

2006-12-29 05:15 . 2006-12-29 05:15 3100672 ----a-w- c:\program files\Common Files\sapxlhelper.dll

2006-12-29 05:15 . 2006-12-29 05:15 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll

2006-12-29 05:15 . 2006-12-29 05:15 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx

2006-12-29 05:15 . 2006-12-29 05:15 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll

2011-09-17 05:48 . 2011-05-14 18:06 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]

"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-08-25 3077528]

"GameXN (update)"="d:\users\All Users\Application Data\GameXN\GameXNGO.exe" [2011-09-01 347008]

"GameXN (news)"="d:\users\All Users\Application Data\GameXN\GameXNGO.exe" [2011-09-01 347008]

"GameXN"="d:\users\All Users\Application Data\GameXN\GameXNGO.exe" [2011-09-01 347008]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-29 8466432]

"nwiz"="nwiz.exe" [2007-10-29 1626112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-29 81920]

"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 102400]

"RTHDCPL"="RTHDCPL.EXE" [2007-11-05 16855552]

"SkyTel"="SkyTel.EXE" [2007-10-11 1826816]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-10 40048]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"FreePDF Assistant"="c:\program files\FreePDF_XP\fpassist.exe" [2003-12-29 130560]

"SupportPoint Viewer"="c:\program files\Panviva\SupportPoint Viewer\VIEWER.EXE" [2007-06-22 1417216]

"DeltTray"="DeltTray.exe" [2004-08-26 56320]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-26 421160]

"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-09 2338656]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

d:\users\Jasmin\Start Menu\Programs\Startup\

qlock.lnk - c:\program files\Qlock\qlock.exe [2011-4-5 4142080]

.

d:\users\All Users\Start Menu\Programs\Startup\

Bginfo.exe.lnk - c:\windows\Bginfo.exe [2008-1-15 512045]

DVD_XPStaging.bat [2008-2-19 840]

Printkey2000.lnk - c:\windows\Installer\{E835099B-B9D5-467B-925B-C403E2AD7CBE}\IconE835099B.exe [2011-5-14 6144]

VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2011-5-14 6144]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"58040:TCP"= 58040:TCP:Pando Media Booster

"58040:UDP"= 58040:UDP:Pando Media Booster

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 8:13 AM 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 4:03 PM 32592]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/5/2011 12:59 AM 297168]

S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 6:41 AM 248656]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [8/18/2011 1:33 AM 7390560]

S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]

S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 9:28 PM 134480]

S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 7:53 AM 24144]

S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 7:53 AM 27216]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/21/2011 8:30 PM 41272]

S3 SAPSprint;SAPSprint;c:\program files\SAP\SAPSPrint\sapsprint.exe [7/6/2007 6:00 AM 1388544]

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 01:50]

.

2011-09-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-118578858-1250186335-2060634783-1009Core.job

- d:\users\Jasmin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-14 18:02]

.

2011-09-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-118578858-1250186335-2060634783-1009UA.job

- d:\users\Jasmin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-14 18:02]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.ask.com/?l=dis&o=14200

uInternet Settings,ProxyOverride = <local>;*.local

uInternet Settings,ProxyServer = proxy.an.orica.net:8080

Trusted Zone: orica.net

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - d:\users\Jasmin\Application Data\Mozilla\Firefox\Profiles\zr3iuvjo.default\

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKLM-Run-DriverCD - E:\Run.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-21 22:26

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(844)

c:\windows\system32\iPassLLGina.dll

.

- - - - - - - > 'explorer.exe'(564)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2011-09-21 22:30:15 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-21 12:30

.

Pre-Run: 92,271,001,600 bytes free

Post-Run: 92,158,210,048 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 0E072813D79FC25D6BAE4DD616D2ACDD


2 weeks later...

Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance, please start your own topic in a new thread. Thanks!
