
Thread: Browsers deny access or send to wrong sites

  1. #1
    Member, joined Jun 2010, 35 posts

    Browsers deny access or send to wrong sites

    (DDS Log at end of this post - and I've attached a zipped Attach.txt file)

    My PC is infected! Aaaaargh. It's running slowly, takes a long time to boot up, and both Internet Explorer and Firefox take me to weird search pages when I use Google. They also block me from accessing this site, and others that seem to be associated with those good people who try and solve these problems (so I'm sending this from a non-infected PC).

    AVG first detected a problem. The scan found about 41 problems, but couldn't deal with 4 of them (named alureon, I think). I used curealureon.exe to try and deal with that, but it only seemed to find one alureon problem (plus quite a few "worms" that were apparently sitting in my external drive). Spybot didn't find anything, except cookie and adware type things, which it got rid of (unless they are back again!).

    I've managed to disable TeaTimer and have backed up my registry (using ERUNT).

    Hope someone can help as I'm really stuck. I'm far from being an expert, so be gentle!

    Thanks


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by John at 18:12:57.04 on 01/06/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3318.2716 [GMT 1:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\StkASv2K.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Malware May 10\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = https://login.yahoo.com/config/login....yahoo.com/%3f
    uSearch Page = hxxp://www.google.com
    uWindow Title = Microsoft Internet Explorer provided by Redten
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: WebCGMHlprObj Class: {56b38f40-4e70-11d4-a076-0080ad86ba2f} - c:\windows\system32\cgmopenbho.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
    BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
    BHO: EyeOnIE Class: {f081d70d-477f-11d9-95ec-004095356f63} - c:\progra~1\availa~1\asanti~1\AhBho.dll
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [PowerBar]
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} - hxxp://www.couponreport.net/ftp/v3123/csauie1.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.co.uk/SnapfishUKActivia.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103587301578
    DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178104577323
    DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1222563451466&h=ab142d0f223045041e6febda072d1ee7/&filename=jinstall-6u7-windows-i586-jc.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
    DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} - file:///C:/Program%20Files/InterCAP/ActiveCGM/ActiveX/Acgm.cab
    TCP: NameServer = 93.188.163.43,93.188.166.178
    TCP: {965A2A8F-8291-4DB6-91B5-A4D1CBB65D9A} = 93.188.163.43,93.188.166.178
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: fnpipe - fnpipe.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\m3c04twn.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.quidco.com/
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\program files\common files\motive\npMotive.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2008-10-4 40464]
    R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2007-12-7 11264]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-16 216200]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-3-24 29512]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-16 242896]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-14 308064]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
    S1 SABKUTIL;SABKUTIL;\??\c:\program files\superadblocker.com\super ad blocker\sabkutil.sys --> c:\program files\superadblocker.com\super ad blocker\SABKUTIL.sys [?]
    S2 gupdate1c9a8cd569b7d04;Google Update Service (gupdate1c9a8cd569b7d04);c:\program files\google\update\GoogleUpdate.exe [2009-3-19 133104]
    S2 MSWU-a23c7763;MSWU-a23c7763;c:\windows\system32\a23c7763.exe --> c:\windows\system32\a23c7763.exe [?]
    S2 MSWU-f36decbb;MSWU-f36decbb;c:\windows\system32\f36decbb.exe --> c:\windows\system32\f36decbb.exe [?]
    S2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\slingagentservice.exe --> c:\program files\sling media\slingagent\SlingAgentService.exe [?]
    S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    S3 asfm;asfm;\??\c:\program files\availasoft\as anti-hacker\asfm.sys --> c:\program files\availasoft\as anti-hacker\asfm.sys [?]
    S3 bfastfao;bfastfao;c:\docume~1\family\locals~1\temp\bfastfao.sys [2004-5-17 29696]
    S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2006-12-21 17149]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
    S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-1-5 103936]
    S3 Sling_Audio;SlingProjector Audio Device;c:\windows\system32\drivers\SlingAudio.sys [2009-4-30 19072]
    S3 SlingAudioBusenum;Sling Audio Bus Enumerator;c:\windows\system32\drivers\SlingAudioBus.sys [2009-4-30 23168]
    S3 STVqx5;Digital Blue QX5(tm) Microscope;c:\windows\system32\drivers\STVqx5.sys [2009-10-13 64512]
    S3 STVqx5m;Digital Blue QX5(tm) Microscopem;c:\windows\system32\drivers\STVqx5m.sys [2009-10-13 6144]
    S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2006-12-21 362944]
    S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [2005-7-28 88080]

    =============== Created Last 30 ================

    2010-06-01 17:06:20 0 dc----w- C:\Malware May 10
    2010-05-31 19:49:11 25088 ----a-w- c:\windows\system32\fnpipe.dll
    2010-05-27 15:04:16 823808 ----a-w- c:\windows\system32\drivers\djwsgvto.sys
    2010-05-27 15:02:10 36532 ----a-w- c:\windows\system32\net.net

    ==================== Find3M ====================

    2010-04-21 07:53:46 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-03-14 18:43:09 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-05 20:44:14 71220 ---ha-w- c:\windows\system32\mlfcache.dat
    2007-12-07 02:48:20 604 ---ha-w- c:\program files\STLL Notifier
    2004-10-01 21:00:16 40960 ------w- c:\program files\Uninstall_CDS.exe
    2008-05-09 01:42:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050920080510\index.dat

    ============= FINISH: 18:20:34.79 ===============
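    The DDS log above is the kind of output a helper reads by hand for the entries that explain "browsers send me to wrong sites": the TCP NameServer resolvers, the Hosts line that points a security site at 127.0.0.1, a Winlogon Notify DLL with no vendor, and services whose binary is a random eight-hex-character name in system32. The following is an added example, not part of the original thread or of the DDS tool, that parses those line types and flags them; the expected-resolver set and the known-good Notify DLL baseline are hypothetical values a reviewer would fill in for the machine in question.

```python
import re
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the DDS log in the first post.
SAMPLE_DDS = r"""
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TCP: NameServer = 93.188.163.43,93.188.166.178
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: fnpipe - fnpipe.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-14 308064]
S2 MSWU-a23c7763;MSWU-a23c7763;c:\windows\system32\a23c7763.exe --> c:\windows\system32\a23c7763.exe [?]
S2 MSWU-f36decbb;MSWU-f36decbb;c:\windows\system32\f36decbb.exe --> c:\windows\system32\f36decbb.exe [?]
"""

# Hypothetical baselines (assumptions, not taken from the page): the resolvers
# this network is expected to hand out, and Winlogon Notify DLLs already known
# to be benign on this machine (AVG, Intel graphics driver, SUPERAntiSpyware).
EXPECTED_DNS = {"192.168.1.1"}
KNOWN_NOTIFY_DLLS = {"avgrsstx.dll", "igfxdev.dll", "saswinlo.dll"}

NAMESERVER_RE = re.compile(r"^TCP: NameServer = (.+)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+)\s+(\S+)$")
NOTIFY_RE = re.compile(r"^Notify: (\S+) - (.+)$")
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$")
RANDOM_EXE_RE = re.compile(r"system32\\[0-9a-f]{8}\.exe", re.I)   # e.g. a23c7763.exe
ORPHAN_BHO_RE = re.compile(r"^BHO: .*- No File$")


def scan_dds(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the suspicious DDS line types."""
    findings: List[Tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := NAMESERVER_RE.match(line):
            # Resolvers outside the expected set are how "wrong site" redirects happen.
            bad = [ip.strip() for ip in m.group(1).split(",") if ip.strip() not in EXPECTED_DNS]
            if bad:
                findings.append(("high", f"unexpected DNS servers {bad}; check for resolver hijack"))
        elif m := HOSTS_RE.match(line):
            # A hosts entry sending a non-localhost name to 127.0.0.1 blocks that site.
            ip, host = m.groups()
            if ip == "127.0.0.1" and host.lower() != "localhost":
                findings.append(("high", f"hosts file sinkholes {host} to {ip}"))
        elif m := NOTIFY_RE.match(line):
            # Winlogon Notify DLLs load at logon; anything outside the baseline needs a look.
            dll = m.group(2).replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(("medium", f"Winlogon Notify DLL not in baseline: {m.group(1)} -> {dll}"))
        elif m := SERVICE_RE.match(line):
            if RANDOM_EXE_RE.search(m.group("path")):
                findings.append(("high", f"service {m.group('name')} runs random-named binary from system32"))
        elif ORPHAN_BHO_RE.match(line):
            findings.append(("info", f"orphaned BHO entry: {line}"))
    return findings


if __name__ == "__main__":
    for severity, message in scan_dds(SAMPLE_DDS):
        print(f"[{severity}] {message}")
```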

  2. #2
    Dakeyras (Security Expert-Emeritus), joined Sep 2008, location The Tundra, 1,173 posts

    Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.

    Hi wingreen and welcome to Safer Networking.

    I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:
    • I will start working on your Malware issues; this may or may not solve other issues you have with your machine.
    • The fixes are specific to your problem and should only be used for this issue on this machine!
    • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.
    • Refrain from running self fixes as this will hinder the malware removal process.
    • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
    • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    Before we start:

    Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

    Because of this, I advise you to backup any personal files and folders before you start.

    SUPERAntiSpyware Advice:

    CAUTION: SuperAntiSpyware comes with a programme called Bootsafe, do not for any reason use this programme, if used on an infected computer it could render it UNBOOTABLE.

    Next:

    What did you use to transfer the logs, a USB drive for example? If so, can we format this prior to it being used again to transfer some tools, or not?

    Also what operating system is in use on the machine you used to post your topic please.
    Last edited by Dakeyras; 2010-06-04 at 17:25. Reason: Added further question.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  3. #3
    Member, joined Jun 2010, 35 posts

    Thanks for your reply.

    I was aware that using USBs etc. might be a problem, so I burnt the logs onto a CD, then put the CD in my (work) laptop and posted them from there. Using a USB would be easier, I'm sure, so if there's a (safe) way to use a USB I'm all for it (but you may have to advise me on any [re]formatting I'd need to do).

    The machine I used to actually post the topic uses Windows Vista Enterprise.

    The (work) laptop that I'm currently using to "communicate" over the internet is subject to certain security controls and it's likely not to allow me to download any executable programs. If these might be needed, I can, if you prefer, communicate through another (non-infected) PC which I can arrange to connect to the internet.

    Hope the above helps.

  4. #4
    Dakeyras (Security Expert-Emeritus), joined Sep 2008, location The Tundra, 1,173 posts

    Hi.

    Thanks for your reply.
    You're welcome!

    OK, actually using a CD is safer, in spite of the precautions I could advise with regard to a USB drive. So use a CD for the following please.

    Please download Rkill from one of the following links:-

    One, Two, Three or Four.

    Please download GMER Rootkit Scanner from here.

    Next:

    Transfer both applications to the desktop of your infected machine.

    Scan with Rkill:

    Note: If your security software warns about Rkill, please ignore and allow to continue.
    • Double click on Rkill.
    • A command window will open then disappear upon completion, this is normal.
    • Please leave Rkill on the Desktop until otherwise advised.
    Note: A logfile will have been created; it can be located at the root of your installed hard drive, e.g. C:\rkill.txt.

    Scan with GMER:

    • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
    • Save it where you can easily find it, such as your desktop, and post it in reply
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

    Note: Do not run any programs while Gmer is running.

    When completed the above, please post back the following in the order asked for:
    • How is your computer performing now, any further symptoms and or problems encountered?
    • Rkill Log.
    • GMER Log.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  5. #5
    Member, joined Jun 2010, 35 posts

    Damn - I think I messed it up!

    Did as you said and put Rkill and GMER on the desktop.
    Ran Rkill (haven't got the log, see later for why!) but it was a very short one; from memory it "came up" with nothing.

    Then ran GMER and did as instructed and it started running. Then I noticed that Notepad (left over from Rkill) was running in the background and, having seen your note saying "Do not run any programs while Gmer is running", I thought I'd better close it, stop Gmer and start again. Trouble is, everything seemed so slow and I couldn't get it to respond. Tried Ctrl+Alt+Del, still nothing. So I waited even longer. Finally managed to close Notepad and, after another long wait, got "access" to Gmer, which I closed down using the X box in the window.

    Double clicked on GMER again to start it, but just got the eggtimer. This went on for ages, so I shut down the computer (!?) using the power button.

    Started the computer again and it's just stuck! The hard drive light has been on for a couple of hours but it won't start in Windows or even Safe Mode. It's just stuck!

    Aaaaargh! What have I done?!

  6. #6
    Member, joined Jun 2010, 35 posts

    UPDATE!
    Just managed to get the keyboard to select Safe Mode. It started doing the Safe Mode "boot" but now it's just stuck with a screen listing a load of path names (to system, drivers etc.), the sort you get when Safe Mode starts up. But that's it. Stuck again. Hard disk light still glowing like mad. Scared to power it off again, but not sure it's right to leave it like that for hours.

  7. #7
    Member, joined Jun 2010, 35 posts

    Not sure if this is helpful or not, but the last line (where Safe Mode has stuck) ends in windows\system32\DRIVERS\isapnp.sys

    (Apologies if adding info before you've had a chance to reply is messing things up.)

    (PS: Still stuck!)

  8. #8
    Dakeyras (Security Expert-Emeritus), joined Sep 2008, location The Tundra, 1,173 posts

    Hi.

    No problem with what you mentioned, these things happen. If I do manage to remove the malware from your machine some serious system maintenance will be in order, but we can address that in due course.

    OK, you are going to have to perform a cold shut down with your machine; not good, but the only viable option in this scenario. Hold down your computer's power on/switch on button until the machine is powered down completely.

    If need be, merely disconnect from the mains.

    Reboot into Safe Mode:

    How to boot into Safe Mode:

    Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should come up where you will be given the option to enter Safe Mode, do so.

    If there are any problems, refer to this tutorial.

    Next:

    When the Windows Advanced Options menu appears, use the arrow keys (on the number pad part of the keyboard) to select Last Known Good Configuration (your most recent settings that worked), and then press the Enter/Return key.

    Also, do you have a genuine Windows XP CD-ROM, or can you borrow one from a family member/friend if the need arises?

    Let myself know the outcome before we proceed further please.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  9. #9
    Member, joined Jun 2010, 35 posts

    Phew.

    OK, did that (chose Last Known...) and it's taken me to a screen where I have to choose between

    Windows XP Media Center Edition
    or
    Safe Mode

    (it has Last Known Good Configuration in blue at the bottom of the screen)

  10. #10
    Dakeyras (Security Expert-Emeritus), joined Sep 2008, location The Tundra, 1,173 posts

    Hi.

    Choose Last Known Good Configuration and let your machine boot up as normal.

    Have you got a genuine Windows XP CD-ROM or not, in case we need it? This you can inform myself about in your next reply when you post the logs requested.

    Once booted up, run Rkill; do not worry about the log, close down the Notepad file for it. So you can post the log for myself to review, it can be found here:-

    C:\rkill.txt.

    Next:

    Re-run GMER again as outlined here.

    When you have completed the above, post the logs requested and/or let myself know if any further problems are encountered, thank you.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
