
Can't boot into safe mode, browser redirects


6 replies to this topic

#1 AMarie006267


  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:44 AM

Posted 30 November 2009 - 10:04 PM

Hey guys, a little earlier I started getting the "antivirus system pro" program popping up on my computer. I restarted, and my Outpost firewall told me that "gfcjsysguard.exe" wanted to run. I blocked it successfully, and ran Malwarebytes'. One thing was found, and it looks like this in the log:

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

I rebooted and ran Malwarebytes' again. This is what it found:

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcakwprl (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\qwrqbq\gfcjsysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\575.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\NR2W2JIP\op[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully

I rebooted again, ran again, it came out clean. There's been no pop ups saying I'm infected and this or that since. However, I still can't boot into Safe Mode, my computer is running slow, and I notice when I click the results of my search in google, I get redirected to other websites. Please help!


#2 AshevilleHawker


  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:44 AM

Posted 30 November 2009 - 10:11 PM

Those are exactly the same files and issues I have here.
Are you running an old (pre-9.2) version of Acrobat? Did Acrobat launch just before you got hit? I'm trying to find out what my security hole was, so more information would be helpful.

If you have the same problem I have, do you have Error 45s and 49s in your Event log (RMB My Computer, Manage / Event Viewer / System)?
It sounds like there are a pile of us who got the same root kit.

My post is at My similar sounding issue

Hawker

Edited by AshevilleHawker, 30 November 2009 - 10:13 PM.


#3 AMarie006267

  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:44 AM

Posted 01 December 2009 - 03:19 AM

No, no Acrobat running. Bump for help :thumbsup:

#4 AMarie006267

  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:44 AM

Posted 01 December 2009 - 03:32 PM

Did I post something the wrong way? I'm trying to be patient but the redirects are getting really bad. I'd really like to fix this without reformatting.

Edited by AMarie006267, 01 December 2009 - 03:32 PM.


#5 AustrAlien


    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:11:44 PM

Posted 02 December 2009 - 04:29 AM

I rebooted again, ran again, it came out clean. There's been no pop ups saying I'm infected and this or that since. However, I still can't boot into Safe Mode, my computer is running slow, and I notice when I click the results of my search in google, I get redirected to other websites. Please help!

OK ... I'm on it. Sorry about the wait.
Will be back shortly.

Edit: No, you did nothing wrong. Guess everybody is busy ....

Edited by AustrAlien, 02 December 2009 - 04:30 AM.

AustrAlien
Google is my friend. Make Google your friend too.


#6 AustrAlien


    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:11:44 PM

Posted 02 December 2009 - 04:49 AM

Please follow the directions in the following link ... update MBAM and run a Quick Scan:
Remove Antivirus System Pro (Uninstall Guide)
Posted by Grinler on June 5, 2009
11/29/09 - Updated removal technique due to new protection system used by Antivirus System Pro
http://www.bleepingcomputer.com/virus-remo...irus-system-pro
Please then post the log. We need to see the whole log.

Now, update MBAM again, run a Full Scan, remove all it finds and post the log.

Export SafeBoot key for diagnosis
Let's have a look at your SafeBoot registry key.

* Click Start > Run
* Copy and paste the following code in the open Run box (Do not copy the word "code")
regedit /e C:\SafeBootK.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
* Now click OK
* Double-click/Open My Computer and then navigate to C:\ drive
* In there, you should see a file called SafeBootK.txt
* Double-click it to open the file with Notepad.
* Copy and paste the whole contents of SafeBootK.txt in your next reply please.
AustrAlien
Google is my friend. Make Google your friend too.

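As an added example (not part of this thread and not a BleepingComputer tool): a small Python script that reads the SafeBootK.txt file produced by the regedit /e command in the post above and reports whether the SafeBoot key and its Minimal and Network boot-mode subkeys are present, and which entries sit under each. That is the information a helper is looking for in such an export, since Safe Mode depends on those subkeys. The two sample exports embedded below are constructed and heavily abbreviated; a real export from a healthy machine is much longer.

```python
import re

# Root of the key that regedit /e exported in the post above.
SAFEBOOT_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# A key line in a .reg export looks like: [HKEY_LOCAL_MACHINE\SYSTEM\...]
KEY_RE = re.compile(r"^\[(.+)\]$")


def decode_export(raw_bytes):
    """regedit /e writes UTF-16 text with a byte-order mark; fall back to cp1252
    for files that were re-saved as ANSI by Notepad."""
    if raw_bytes[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw_bytes.decode("utf-16")
    return raw_bytes.decode("cp1252", errors="replace")


def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: data}}.

    Multi-line hex continuations (lines of 'xx,xx,\\') carry no '=' and are
    skipped; only the first line of such a value is kept, which is enough
    for listing subkeys."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = data.strip('"')
    return keys


def check_safeboot(keys):
    """Report which boot modes exist under SafeBoot and the entries in each."""
    report = {"root_present": SAFEBOOT_ROOT in keys, "modes": {}, "problems": []}
    if not report["root_present"]:
        report["problems"].append("SafeBoot key missing entirely")
    for mode in ("Minimal", "Network"):
        mode_key = SAFEBOOT_ROOT + "\\" + mode
        prefix = mode_key + "\\"
        # Direct children only: strip the prefix and keep names with no further backslash.
        entries = sorted(k[len(prefix):] for k in keys
                         if k.startswith(prefix) and "\\" not in k[len(prefix):])
        report["modes"][mode] = entries
        if mode_key not in keys:
            report["problems"].append("SafeBoot\\%s subkey missing" % mode)
        elif not entries:
            report["problems"].append("SafeBoot\\%s has no entries" % mode)
    return report


def check_export_file(path):
    """Convenience wrapper: read C:\\SafeBootK.txt (or any .reg export) and check it."""
    with open(path, "rb") as fh:
        return check_safeboot(parse_reg_export(decode_export(fh.read())))


# Constructed, abbreviated sample of a healthy export (real exports list dozens of entries).
HEALTHY_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base]
@="Driver Group"
"""

# Constructed sample where the boot-mode subkeys are absent: Safe Mode cannot start from this.
DAMAGED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
"""

if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY_EXPORT), ("damaged", DAMAGED_EXPORT)):
        # Round-trip through UTF-16 bytes to mimic what regedit /e actually writes.
        report = check_safeboot(parse_reg_export(decode_export(sample.encode("utf-16"))))
        print(label, report)
```

On the affected machine you would call check_export_file(r"C:\SafeBootK.txt") instead of the embedded samples; an empty "problems" list with a non-empty entry list for both modes is what a healthy SafeBoot key looks like.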

#7 AshevilleHawker


  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:44 AM

Posted 02 December 2009 - 10:11 PM

Hey AMARIE

I think I know how to fix your safe mode from AV PRO. I just fixed mine after a week of trying.

Please see my thread at
http://www.bleepingcomputer.com/forums/t/275317/probable-rootkit-left-over-from-other-virus/

AFAIK that got the root kit out and I can now boot to safe mode again, not get F-Secure warnings and no event 45 49 errors.
The problem with this root kit is no root kit scanners EXCEPT the one in Combo Fix could see it, but Combo Fix could not fix it.

It is very important that you copy the files from an exact OS copy, same service pack and version of XP, or it won't work. Be careful.
It's a bit of a tricky fix and you have to be able to work around a live Linux install, but what the heck, I got my computer back.

Good luck, let me know if you tried it and it worked.
