Results 1 to 10 of 124

Thread: Google redirect help

  1. #1
    Member
    Join Date
    Mar 2009
    Posts
    70

    Google redirect help

    Hello everyone, and thank you in advance. Recently I began getting annoying redirects that seem to be coming from "Find Fast Answers" that take me to Verde.us, yellowise and a few others. Being a newbie, well maybe not, as you guided me through a rundll problem in the past, can you please help me with step by step instructions on how to conquer this issue? I have a feeling KIDS who are forbidden from this computer have been meddling around. Thank you again

    GKFISH

    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.5512
    Run by Greg at 20:05:12 on 2011-08-27
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2138 [GMT -4:00]
    .
    AV: AVG Anti-Virus *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\dlcxcoms.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Linksys\WUSB54GSC\WLService.exe
    C:\Program Files\Linksys\WUSB54GSC\WUSB54GSC.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgam.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\PROGRA~1\IMESHA~1\MediaBar\Datamngr\DATAMN~1.EXE
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe

  2. #2
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208



    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

    You did not post the entire DDS log, here are the instructions in case you deleted it


    Download DDS from one of the links below to your desktop

    Link 1
    Link 2

    • Double click the tool to run it.
    • A black Screen will open, just read the contents and do nothing.
    • When the tool finishes, it will open 2 reports, DDS.txt and attach.txt
    • Copy/Paste the contents of 'DDS.txt' into your post.
    • 'attach.txt' should be zipped using Windows native zip utility and attached to your post. Compress and uncompress files (zip files)


    Information on A/V control Here
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Member
    Join Date
    Mar 2009
    Posts
    70


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.5512
    Run by Greg at 20:05:12 on 2011-08-27
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2138 [GMT -4:00]
    .
    AV: AVG Anti-Virus *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\dlcxcoms.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Linksys\WUSB54GSC\WLService.exe
    C:\Program Files\Linksys\WUSB54GSC\WUSB54GSC.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgam.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\PROGRA~1\IMESHA~1\MediaBar\Datamngr\DATAMN~1.EXE
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    uURLSearchHooks: H - No File
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: UrlHelper Class: {474597c5-ab09-49d6-a4d5-2e8d7341384e} - c:\progra~1\imesha~1\mediabar\datamngr\IEBHO.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: MediaBar: {abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f} - c:\progra~1\imesha~1\mediabar\toolbar\iMeshMediaBarDx.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: MediaBar: {abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f} - c:\progra~1\imesha~1\mediabar\toolbar\iMeshMediaBarDx.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [dlcxmon.exe] "c:\program files\dell photo aio printer 926\dlcxmon.exe"
    mRun: [MemoryCardManager] c:\program files\dell photo aio printer 926\memcard.exe
    mRun: [FaxCenterServer] "c:\program files\dell pc fax\fm3032.exe" /s
    mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
    mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
    mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [DATAMNGR] c:\progra~1\imesha~1\mediabar\datamngr\DATAMN~1.EXE
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\docume~1\greg\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{477A5AC8-5CBC-4C60-BA9C-A2AF7719E1D3} : DhcpNameServer = 192.168.0.1
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    AppInit_DLLs: c:\progra~1\imesha~1\mediabar\datamngr\datamngr.dll c:\progra~1\imesha~1\mediabar\datamngr\IEBHO.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\greg\application data\mozilla\firefox\profiles\8zvej24t.default\
    FF - prefs.js: browser.startup.homepage - WWW.GOOGLE.COM
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4ae25787&v=7.007.026.001&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - component: c:\program files\imesh applications\mediabar\datamngr\firefoxextension\components\DataMngrHlp.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1851.5542\npCIDetect14.dll
    FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-4-3 52872]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-4-3 216400]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-4-3 29584]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-4-3 243152]
    R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-25 921952]
    R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-25 308136]
    R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
    R2 WUSB54GSC;WUSB54GSC;c:\program files\linksys\wusb54gsc\WLService.exe [2008-11-26 53307]
    S2 gupdate1c99b7fb460f64;Google Update Service (gupdate1c99b7fb460f64);c:\program files\google\update\GoogleUpdate.exe [2009-3-2 133104]
    S3 atidgllk;atidgllk;c:\dell\drivers\r169419\atidgllk.sys [2008-4-2 12048]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 1025352]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-3-2 133104]
    .
    =============== Created Last 30 ================
    .
    2011-08-18 17:29:05 -------- d-----w- c:\program files\iPod
    2011-08-18 17:29:00 -------- d-----w- c:\program files\iTunes
    2011-08-18 17:18:42 -------- d-----w- c:\program files\Bonjour
    2011-08-13 16:42:11 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-13 16:40:47 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
    .
    ==================== Find3M ====================
    .
    2011-08-27 20:32:43 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2011-08-27 20:32:42 104 --sh--r- c:\windows\system32\5018098FE8.sys
    2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-07-12 15:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-07-12 15:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
    2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-07-05 22:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-07-05 22:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-22 15:01:08 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-21 18:18:34 81920 ----a-w- c:\windows\system32\ieencode.dll
    2011-06-21 18:18:34 667136 ----a-w- c:\windows\system32\wininet.dll
    2011-06-21 18:18:34 61952 ----a-w- c:\windows\system32\tdc.ocx
    2011-06-21 12:58:45 369664 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 20:12:12.98 ===============

    Thank you.

  4. #4
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hi,

    You do have some malware on this system, iMesh Media Bar needs to go.

    Please download Malwarebytes from Here or Here

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected .
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
    Post the report please


    Run this scan to check for a rootkit

    Download aswMBR.exe ( 511KB ) to your desktop.

    Double click the aswMBR.exe to run it

    Click the "Scan" button to start scan


    On completion of the scan click save log, save it to your desktop and post in your next reply


    Post both the Malwarebytes log and the log from aswMBR please
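The DDS log in post #3 and ken545's verdict on the iMesh MediaBar above come down to reading the load points listed in the Pseudo HJT Report: URLSearchHooks, BHO and TB registrations, Run keys, Firefox components, and the AppInit_DLLs value, which on Windows XP makes every process that loads user32.dll also load the listed DLLs (here datamngr.dll and IEBHO.dll), so the hijack reaches Firefox as well as Internet Explorer. The following is an added example, not part of this thread and not a DDS or Safer Networking tool: a small Python triage that parses lines in that report shape and flags any AppInit_DLLs entry, any registration that points at "No File", and any path matching a marker list. The sample report lines are constructed from the shape of the posted log, and the marker strings (imesha~1\mediabar, datamngr, ...) are assumptions chosen for this one thread, not a general signature.

```python
"""Triage a DDS 'Pseudo HJT Report' for browser-hijack persistence points.

Added example for illustration; it is not a DDS component or a forum tool.
The sample report and the PUP_MARKERS list are constructed for this thread.
"""
import re
from dataclasses import dataclass

# Load-point kinds DDS prints in the report; anything else (TCP:, IE:, DPF:)
# is ignored by this triage.
PERSISTENCE_KINDS = {
    "uURLSearchHooks", "mURLSearchHooks", "BHO", "TB",
    "uRun", "mRun", "StartupFolder", "FF - component", "AppInit_DLLs",
}

# Assumption: path fragments of the program the thread identifies as unwanted.
PUP_MARKERS = ("imesha~1\\mediabar", "imesh applications\\mediabar", "datamngr")

# Constructed sample in the shape of the log posted in this thread.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: UrlHelper Class: {474597c5-ab09-49d6-a4d5-2e8d7341384e} - c:\progra~1\imesha~1\mediabar\datamngr\IEBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: MediaBar: {abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f} - c:\progra~1\imesha~1\mediabar\toolbar\iMeshMediaBarDx.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
mRun: [DATAMNGR] c:\progra~1\imesha~1\mediabar\datamngr\DATAMN~1.EXE
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
AppInit_DLLs: c:\progra~1\imesha~1\mediabar\datamngr\datamngr.dll c:\progra~1\imesha~1\mediabar\datamngr\IEBHO.dll
FF - component: c:\program files\imesh applications\mediabar\datamngr\firefoxextension\components\DataMngrHlp.dll
TCP: DhcpNameServer = 192.168.0.1
"""


@dataclass
class Finding:
    kind: str     # report line kind, e.g. "BHO" or "AppInit_DLLs"
    detail: str   # the registration or DLL path that was flagged
    reason: str   # "appinit: ...", "orphan: ..." or "marker: ..."


def parse_entry(line):
    """Split a report line of the form 'kind: rest'; return None otherwise."""
    line = line.strip()
    if ": " not in line:
        return None
    kind, rest = line.split(": ", 1)
    return kind, rest


def triage(report):
    """Return the list of Findings for one Pseudo HJT Report."""
    findings = []
    for raw in report.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        kind, rest = parsed
        if kind not in PERSISTENCE_KINDS:
            continue
        if kind == "AppInit_DLLs":
            # The registry value is a space- or comma-separated DLL list;
            # every entry is injected into each user32-linked process.
            for dll in re.split(r"[ ,]+", rest.strip()):
                if dll:
                    findings.append(Finding(kind, dll,
                        "appinit: loaded into every process that links user32.dll"))
            continue
        if rest.endswith("No File"):
            findings.append(Finding(kind, rest,
                "orphan: registration points at a file that no longer exists"))
            continue
        lowered = rest.lower()
        for marker in PUP_MARKERS:
            if marker in lowered:
                findings.append(Finding(kind, rest, f"marker: path contains '{marker}'"))
                break
    return findings


def summarize(findings):
    """Count findings by reason class: {'appinit': n, 'orphan': n, 'marker': n}."""
    counts = {"appinit": 0, "orphan": 0, "marker": 0}
    for f in findings:
        counts[f.reason.split(":", 1)[0]] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    for f in results:
        print(f"[{f.kind}] {f.detail}\n    {f.reason}")
    print(summarize(results))
```

Orphaned "No File" entries are usually uninstall leftovers, so the triage reports them in their own class rather than treating them as malicious; an AppInit_DLLs entry deserves a look whatever it is called, because it is one of the few load points that reaches every GUI process rather than just the browser. The marker list is the part you would replace for a different thread.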

  5. #5
    Member
    Join Date
    Mar 2009
    Posts
    70


    Malwarebytes' Anti-Malware 1.34
    Database version: 1849
    Windows 5.1.2600 Service Pack 3

    8/30/2011 2:32:20 PM
    mbam-log-2011-08-30 (14-32-20).txt

    Scan type: Quick Scan
    Objects scanned: 90142
    Time elapsed: 6 minute(s), 19 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\Temp\cd11fa16-6fcc-4b9b-9209-7ad9d601cf67.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\cd1da5d7-535a-4438-b5e7-c2899dd6bf7c.tmp (Heuristics.Ma

    Thank you.

  6. #6
    Member
    Join Date
    Mar 2009
    Posts
    70


    Hi Ken,

    For whatever reason, after I downloaded the second program it will not scan. The security warning comes up, at which time I chose allow...then nothing.

    Thank You

  7. #7
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Thanks for the logs, let's try this: first drag aswMBR to the trash and download a fresh copy, make sure to download it to your desktop, don't run it yet

    • Please download rkill (Courtesy of Bleepingcomputer.com).
    • There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
    • Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
    • Note: You only need to get one of the tools to run, not all of them.

    • Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message.

      Run rkill repeatedly until it's able to do its job. This may take a few tries.

      You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

    Now try aswMBR once more

  8. #8
    Member
    Join Date
    Mar 2009
    Posts
    70


    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 08/30/2011 at 23:10:21.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:

    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
    C:\Documents and Settings\Greg\Desktop\uSeRiNiT.exe


    Rkill completed on 08/30/2011 at 23:10:30.

    Ken, this was the only log after running all 5 rkill files. I still cannot run aswMBR. Thank you

  9. #9
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Try aswMBR in Safemode

    To Enter Safemode
    • Go to Start> Shut off your Computer> Restart
    • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
      this will bring up a menu.
    • Use the Up and Down Arrow Keys to scroll up to Safemode
    • Then press the Enter Key on your Keyboard

    Tutorial if you need it How to boot into Safemode

    If still a no go then try this one


    RootRepeal - Rootkit Detector

    • Download RootRepeal from the following location and save it to your desktop.
    • Unzip it to your Desktop
    • Double click RootRepeal.exe to start the program
    • Click on the Report tab at the bottom of the program window
    • Click the Scan button
    • In the Select Scan dialog, check:
      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
      • Shadow SSDT
    • Click the OK button
    • Check the box for your main system drive (usually C), and click OK to start the scan

      The scan can take some time. DO NOT run any other programs while the scan is running
    • When the scan is complete, the Save Report button will become available
    • Click this and save the report to your Desktop as RootRepeal.txt
    • Go to File, then Exit to close the program

  10. #10
    Member
    Join Date
    Mar 2009
    Posts
    70


    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: 00000024
    Image Path: \Driver\00000024
    Address: 0x00000000 Size: 0 File Visible: No Signed: -
    Status: -

    Name: 00000161
    Image Path: \Driver\00000161
    Address: 0x00000000 Size: 0 File Visible: No Signed: -
    Status: -

    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xA8D11000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xBA5BC000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xA4EB2000 Size: 49152 File Visible: No Signed: -
    Status: -

    Stealth Objects
    -------------------
    Object: Hidden Code [ETHREAD: 0x8afecb30]
    Process: System Address: 0x8b00c0c3 Size: 3902

    Object: Hidden Code [ETHREAD: 0x8afeb020]
    Process: System Address: 0x8b00d9fd Size: 1540

    ==EOF==

    Hope I did this correctly, again, Thank You.
