I think I have a virus!!!

beth2009

New Member
Hi, I'm Beth!
I'm new, so sorry if I am posting this in the wrong place or something. I was wondering if somebody could help me with a few problems I'm having on my laptop. Every time I search in Google and click a link that comes up, it goes to a completely random site and often shuts Internet Explorer down. Also, I downloaded Malwarebytes and it will not let me open it or anything. I am not that great with computers lol, so sorry if I'm being a bit dumb!!! Anyone know what I should do???
 
Have you tried renaming the malwarebytes' exe? Both the installer and the installed exe. It definitely does sound like a virus.
 
I downloaded Malwarebytes, and the first time it opened I clicked Quick Scan; within about 5 seconds the program just closed and now will not open again. Also, it will not let me rename it.
 
I'm not sure if the infection will allow ComboFix to run or not, depending on how badly you are infected. But go here and follow the instructions, then download and run it.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please post the logfile after it's done. Afterwards, please follow the instructions here.

http://www.computerforum.com/131398-important-please-read-before-posting.html

These are guides for downloading and running Malwarebytes and HijackThis. If ComboFix runs, then Malwarebytes should now work. Please post logs from both programs.
 
ComboFix 09-11-04.02 - Beth 11/04/2009 21:47.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.121 [GMT 0:00]
Running from: c:\documents and settings\Beth\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

-- Previous Run --

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.

2009-11-04 21:59 . 2009-11-04 21:59 -------- d-----w- c:\windows\system32\wbem\snmp
2009-11-04 21:59 . 2009-11-04 21:59 -------- d-----w- c:\windows\system32\xircom
2009-11-04 21:59 . 2009-11-04 21:59 -------- d-----w- c:\program files\microsoft frontpage
2009-11-04 19:30 . 2009-11-04 19:30 -------- d--h--w- c:\windows\PIF
2009-11-04 19:05 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-04 19:05 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-04 19:05 . 2009-11-04 19:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 17:14 . 2009-11-04 17:14 -------- d-----w- c:\program files\Microsoft
2009-11-04 17:13 . 2009-11-04 17:13 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-01 14:38 . 2009-11-01 14:38 -------- d-----w- c:\windows\Sun
2009-10-30 20:23 . 2009-10-30 20:23 -------- d-----w- C:\RemovedFiles
2009-10-26 12:00 . 2009-10-25 21:44 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-10-26 11:52 . 2009-10-25 21:43 842520 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-10-26 11:52 . 2009-10-25 21:43 1656088 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-10-25 21:44 . 2009-10-25 22:08 -------- d-----w- C:\$AVG
2009-10-25 21:44 . 2009-10-25 21:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-25 21:44 . 2009-10-26 11:59 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-25 21:44 . 2009-10-25 21:44 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-25 21:44 . 2009-11-04 09:02 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-25 21:43 . 2009-10-25 21:43 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-25 21:43 . 2009-10-25 21:43 -------- d-----w- c:\program files\AVG
2009-10-25 21:43 . 2009-10-25 21:43 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-25 20:58 . 2009-10-25 20:58 -------- d-----w- c:\documents and settings\Beth\Application Data\Malwarebytes
2009-10-25 20:58 . 2009-10-25 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-25 12:09 . 2009-11-04 19:27 0 ----a-r- c:\windows\win32k.sys
2009-10-23 15:01 . 1998-01-23 11:22 304128 ----a-w- c:\windows\ZeusIsUninst.Exe
2009-10-23 14:59 . 2009-10-23 14:59 -------- d-----w- C:\Sierra
2009-10-23 14:59 . 2009-10-23 14:59 -------- d-----w- c:\program files\Sierra On-Line
2009-10-23 14:57 . 1998-01-23 11:22 304128 ----a-w- c:\windows\IsUninst.exe
2009-10-23 14:57 . 2009-10-23 14:57 -------- d-----w- c:\documents and settings\Administrator\WINDOWS
2009-10-23 10:42 . 2009-10-23 10:42 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Apple Computer
2009-10-14 15:58 . 2009-10-14 15:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Anthropics
2009-10-10 12:35 . 2009-10-30 20:19 18424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 20:14 . 2009-09-11 16:35 -------- d-----w- c:\program files\Windows Live
2009-11-03 19:54 . 2009-09-09 11:11 18424 ----a-w- c:\documents and settings\Beth\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-30 21:05 . 2009-09-08 15:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-27 16:11 . 2009-09-27 11:05 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-09-27 11:04 . 2009-09-27 11:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org
2009-09-27 10:47 . 2009-09-27 10:47 -------- d-----w- c:\program files\JRE
2009-09-27 10:46 . 2009-09-27 10:38 -------- d-----w- c:\program files\OpenOffice.org 3
2009-09-27 10:34 . 2009-09-27 10:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-27 10:34 . 2009-09-08 16:16 -------- d-----w- c:\program files\Java
2009-09-27 07:39 . 2009-09-27 07:39 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{75CCF7E4-B787-4A0C-877B-DC73819FB993}\ARPPRODUCTICON.exe
2009-09-27 07:38 . 2009-09-27 07:38 266240 ----a-w- c:\windows\system32\CSHelper.exe
2009-09-27 07:38 . 2009-09-27 07:38 225280 ----a-w- c:\windows\system32\CSInstru.DLL
2009-09-14 20:07 . 2009-09-14 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-09-14 20:07 . 2009-09-14 20:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\PlayFirst
2009-09-13 18:53 . 2009-09-13 18:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-09-11 16:27 . 2009-09-11 16:27 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-11 14:18 . 2008-05-03 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 21:07 . 2009-09-08 15:48 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-09-08 18:16 . 2009-09-08 18:08 -------- d-----w- c:\program files\Ares
2009-09-08 16:51 . 2009-09-08 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-09-08 16:25 . 2009-09-08 16:25 -------- d-----w- c:\documents and settings\Beth\Application Data\Apple Computer
2009-09-08 16:25 . 2009-09-08 16:24 -------- d-----w- c:\program files\iTunes
2009-09-08 16:25 . 2009-09-08 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-09-08 16:24 . 2009-09-08 16:24 -------- d-----w- c:\program files\iPod
2009-09-08 16:24 . 2009-09-08 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-08 16:24 . 2009-09-08 16:24 -------- d-----w- c:\program files\Bonjour
2009-09-08 16:24 . 2009-09-08 16:24 -------- d-----w- c:\program files\QuickTime
2009-09-08 16:23 . 2009-09-08 16:23 -------- d-----w- c:\program files\Apple Software Update
2009-09-08 16:23 . 2009-09-08 16:23 -------- d-----w- c:\program files\Common Files\Apple
2009-09-08 16:23 . 2009-09-08 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-08 16:20 . 2009-09-08 16:20 -------- d-----w- c:\program files\Stardock
2009-09-08 16:17 . 2009-09-08 16:17 -------- d-----w- c:\program files\Dell Computer Corporation
2009-09-08 16:16 . 2009-09-08 16:16 -------- d-----w- c:\program files\Common Files\Java
2009-09-08 16:15 . 2009-09-08 16:15 -------- d-----w- c:\program files\Apoint
2009-09-08 16:09 . 2009-09-08 16:09 -------- d-----w- c:\program files\Modem Helper
2009-09-08 16:08 . 2009-09-08 16:07 -------- d-----w- c:\program files\Dell
2009-09-08 16:07 . 2009-09-08 16:06 -------- d-----w- c:\program files\ATI Technologies
2009-09-08 16:05 . 2009-09-08 16:05 14037 ----a-w- c:\windows\system32\drivers\mdc8021x.sys
2009-09-08 16:05 . 2009-09-08 16:01 -------- d-----w- c:\program files\Intel
2009-09-08 16:03 . 2009-09-08 16:03 -------- d-----w- c:\program files\Broadcom
2009-09-08 16:03 . 2009-09-08 16:02 -------- d-----w- c:\program files\CONEXANT
2009-09-08 16:01 . 2009-09-08 15:55 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-08 15:59 . 2009-09-08 15:59 -------- d-----w- c:\program files\SigmaTel
2009-09-08 15:58 . 2009-09-08 15:58 -------- d-----w- c:\program files\Huawei technologies
2009-09-08 15:52 . 2009-09-08 15:52 62633 ----a-w- c:\windows\prio197uninstall.exe
2009-09-08 15:51 . 2009-09-08 15:51 -------- d-----w- c:\program files\Opera
2009-09-08 15:45 . 2009-09-08 15:45 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-04 21:03 . 2008-05-03 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2008-05-03 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2008-05-03 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2008-05-03 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2008-05-03 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="c:\program files\Ares\Ares.exe" [2009-02-03 1004544]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmaTel StacMon"="c:\program files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2004-04-29 90169]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 86016]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 339968]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-05-16 528384]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-27 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-26 2010904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-08-29 124928]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-13 14:17 110592 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-25 21:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\prio.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Huawei technologies\\Huawei UMTS Data Card\\3 USB Modem.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/25/2009 9:43 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/25/2009 9:44 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10/25/2009 9:43 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/25/2009 9:43 PM 285392]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [9/27/2009 7:38 AM 266240]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-11-04 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-09-13 21:18]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MSMSGS - c:\program files\Messenger\msmsgs.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 22:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LgNotify.dll

- - - - - - - > 'explorer.exe'(3976)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\S24EvMon.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\ZCfgSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\RegSrvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\1XConfig.exe
c:\program files\Apoint\Apntex.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-04 22:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-04 22:05

Pre-Run: 33,050,693,632 bytes free
Post-Run: 33,052,504,064 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
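The "Reg Loading Points" section of the ComboFix log above is where a responder looks first: it lists the registry values that decide what loads at logon and whether the built-in protections are switched on. The following Python script is an added example, not part of this thread and not ComboFix's own code; it parses a constructed excerpt of the posted log (copied from the entries above) and flags the values a triager would review before trusting the machine: a Winlogon `UIHost` other than the Windows XP default `logonui.exe`, a populated `AppInit_DLLs` value (any DLL listed there is loaded into every process that loads user32.dll), Security Center `AntiVirusOverride`/`FirewallOverride` set to 1 (which silences the Security Center warning for that component), and `EnableFirewall` set to 0. Flagging an entry means it deserves a look, not that the file named in it is malicious; the baseline values and the category names are the script's own assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt of the "Reg Loading Points" section of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\prio.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-26 2010904]
"""

KEY_RE = re.compile(r'^\[(.+)\]$')            # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "Name"=value


def parse_reg_section(text: str) -> List[Tuple[str, str, str]]:
    """Return (registry_key, value_name, raw_value) triples from ComboFix's REGEDIT4-style listing."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()   # keys are case-insensitive; normalise for matching
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            entries.append((current_key, m.group(1), m.group(2).strip()))
    return entries


def _numeric(raw_value: str) -> Optional[int]:
    """Parse the two numeric forms ComboFix prints: 'dword:00000001' and '0 (0x0)'."""
    if raw_value.lower().startswith("dword:"):
        return int(raw_value[6:], 16)
    m = re.match(r'^(\d+)\s*\(0x[0-9a-fA-F]+\)$', raw_value)
    return int(m.group(1)) if m else None


def triage(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Flag loading points and policy values a responder would review (assumed baseline, not a verdict)."""
    findings = []
    for key, name, value in entries:
        lname = name.lower()
        if key.endswith(r"\winlogon") and lname == "uihost":
            # Windows XP's default logon UI host is logonui.exe; anything else replaces the logon screen.
            if not value.strip('"').lower().endswith(r"\logonui.exe"):
                findings.append((name, f"non-default Winlogon UIHost: {value}"))
        elif lname == "appinit_dlls" and value.strip('"'):
            # Every DLL listed here is loaded into each process that loads user32.dll.
            findings.append((name, f"AppInit_DLLs is populated: {value}"))
        elif key.endswith(r"\security center") and lname in ("antivirusoverride", "firewalloverride"):
            if _numeric(value) == 1:
                # An override of 1 suppresses the Security Center warning for that component.
                findings.append((name, "Security Center alert suppressed"))
        elif lname == "enablefirewall" and _numeric(value) == 0:
            profile = key.rsplit("\\", 1)[-1]
            findings.append((name, f"Windows Firewall disabled for profile: {profile}"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_reg_section(SAMPLE_LOG)):
        print(f"{name:20} {reason}")
```

Run against the excerpt, the script reports five entries (`UIHost`, `AppInit_DLLs`, both Security Center overrides and `EnableFirewall`) and leaves the ordinary AVG tray entry alone; the same parser can be pointed at a full ComboFix log, since the section uses the same `[key]` / `"name"=value` layout throughout.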
 
OK, that was the ComboFix log, but when I go to open Malwarebytes it says 'Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.'
 
Either try running Malwarebytes in Safe Mode, or uninstall it and reinstall it and see if you can run it. Then post a HijackThis log along with the Malwarebytes log.
 