Browsers deny access or send to wrong sites

Status
Not open for further replies.

wingreen

New member
(DDS Log at end of this post - and I've attached a zipped Attach.txt file)

My PC is infected! Aaaaargh. It's running slowly, takes a long time to boot up and both Internet Explorer and Firefox take me to weird search pages when I use Google. They also block me from accessing this site, and others that seem to be associated with those good people who try and solve these problems (So, I'm sending this from a non-infected PC).

AVG first detected a problem. The Scan found about 41 problems, but couldn't deal with 4 of them (named alureon I think). I used curealureon.exe to try and deal with that. But it only seemed to find one alureon problem (plus quite a few "worms" that were apparently sitting in my external drive). Spybot didn't find anything, except cookie and adware type things - which it got rid of (unless they are back again!)

I've managed to disable TeaTimer and have backed up my registry (using ERUNT).

Hope someone can help as I'm really stuck. I'm far from being an expert, so be gentle!

Thanks


DDS (Ver_10-03-17.01) - NTFSx86
Run by John at 18:12:57.04 on 01/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3318.2716 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\StkASv2K.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Malware May 10\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://login.yahoo.com/config/login?.intl=uk&.partner=bt-1&.done=http://bt.yahoo.com/?
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer provided by Redten
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: WebCGMHlprObj Class: {56b38f40-4e70-11d4-a076-0080ad86ba2f} - c:\windows\system32\cgmopenbho.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
BHO: EyeOnIE Class: {f081d70d-477f-11d9-95ec-004095356f63} - c:\progra~1\availa~1\asanti~1\AhBho.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [PowerBar]
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} - hxxp://www.couponreport.net/ftp/v3123/csauie1.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.co.uk/SnapfishUKActivia.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103587301578
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178104577323
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1222563451466&h=ab142d0f223045041e6febda072d1ee7/&filename=jinstall-6u7-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} - file:///C:/Program%20Files/InterCAP/ActiveCGM/ActiveX/Acgm.cab
TCP: NameServer = 93.188.163.43,93.188.166.178
TCP: {965A2A8F-8291-4DB6-91B5-A4D1CBB65D9A} = 93.188.163.43,93.188.166.178
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: fnpipe - fnpipe.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\m3c04twn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.quidco.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2008-10-4 40464]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2007-12-7 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-16 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-3-24 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-16 242896]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-14 308064]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\superadblocker.com\super ad blocker\sabkutil.sys --> c:\program files\superadblocker.com\super ad blocker\SABKUTIL.sys [?]
S2 gupdate1c9a8cd569b7d04;Google Update Service (gupdate1c9a8cd569b7d04);c:\program files\google\update\GoogleUpdate.exe [2009-3-19 133104]
S2 MSWU-a23c7763;MSWU-a23c7763;c:\windows\system32\a23c7763.exe --> c:\windows\system32\a23c7763.exe [?]
S2 MSWU-f36decbb;MSWU-f36decbb;c:\windows\system32\f36decbb.exe --> c:\windows\system32\f36decbb.exe [?]
S2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\slingagentservice.exe --> c:\program files\sling media\slingagent\SlingAgentService.exe [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 asfm;asfm;\??\c:\program files\availasoft\as anti-hacker\asfm.sys --> c:\program files\availasoft\as anti-hacker\asfm.sys [?]
S3 bfastfao;bfastfao;c:\docume~1\family\locals~1\temp\bfastfao.sys [2004-5-17 29696]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2006-12-21 17149]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-1-5 103936]
S3 Sling_Audio;SlingProjector Audio Device;c:\windows\system32\drivers\SlingAudio.sys [2009-4-30 19072]
S3 SlingAudioBusenum;Sling Audio Bus Enumerator;c:\windows\system32\drivers\SlingAudioBus.sys [2009-4-30 23168]
S3 STVqx5;Digital Blue QX5(tm) Microscope;c:\windows\system32\drivers\STVqx5.sys [2009-10-13 64512]
S3 STVqx5m;Digital Blue QX5(tm) Microscopem;c:\windows\system32\drivers\STVqx5m.sys [2009-10-13 6144]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2006-12-21 362944]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [2005-7-28 88080]

=============== Created Last 30 ================

2010-06-01 17:06:20 0 dc----w- C:\Malware May 10
2010-05-31 19:49:11 25088 ----a-w- c:\windows\system32\fnpipe.dll
2010-05-27 15:04:16 823808 ----a-w- c:\windows\system32\drivers\djwsgvto.sys
2010-05-27 15:02:10 36532 ----a-w- c:\windows\system32\net.net

==================== Find3M ====================

2010-04-21 07:53:46 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-14 18:43:09 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 20:44:14 71220 ---ha-w- c:\windows\system32\mlfcache.dat
2007-12-07 02:48:20 604 ---ha-w- c:\program files\STLL Notifier
2004-10-01 21:00:16 40960 ------w- c:\program files\Uninstall_CDS.exe
2008-05-09 01:42:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050920080510\index.dat

============= FINISH: 18:20:34.79 ===============
 
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.
Hi wingreen and welcome to Safer Networking. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to back up any personal files and folders before you start.

SUPERAntiSpyware Advice:

CAUTION: SuperAntiSpyware comes with a programme called Bootsafe; do not for any reason use this programme. If used on an infected computer it could render it UNBOOTABLE.

Next:

What did you use to transfer the logs, a USB drive for example? If so, can we format this prior to it being used again to transfer some tools, or not?

Also, what operating system is in use on the machine you used to post your topic, please?
 
Thanks for your reply.

I was aware that using USBs etc. might be a problem - so I burnt the logs onto a CD, then put the CD in my (work) laptop and posted them from there. Using a USB would be easier I'm sure so, if there's a (safe) way to use a USB, I'm all for it (but you may have to advise me on any [re]formatting I'd need to do).

The machine I used to actually post the topic uses Windows Vista Enterprise.

The (work) laptop that I'm currently using to "communicate" over the internet is subject to certain security controls and it's likely not to allow me to download any executable programs. If these might be needed, I can, if you prefer, communicate through another (non-infected) PC which I can arrange to connect to the internet.

Hope the above helps.
 
Hi. :)

Thanks for your reply.
You're welcome!

OK, actually using a CD is safer, in spite of the precautions I could advise with regard to a USB drive. So use a CD for the following please.

Please download Rkill from one of the following links:-

One, Two, Three or Four.

Please download GMER Rootkit Scanner from here.

Next:

Transfer both applications to the desktop of your infected machine.

Scan with Rkill:

Note: If your security software warns about Rkill, please ignore and allow to continue.
  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.
Note: A logfile will have been created, it can be located at the root of your installed Hard-Drive. EG: C:\rkill.txt.

Scan with GMER:

  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Note: Do not run any programs while Gmer is running.

When completed the above, please post back the following in the order asked for:
  • How is your computer performing now, any further symptoms and or problems encountered?
  • Rkill Log.
  • GMER Log.
 
Damn - I think I messed it up!

Did as you said and put RKill and GMER on desktop.
Ran Rkill. (Haven't got the log - see later for why!) but it was a very short one - from memory it "came up" with nothing.

Then ran GMER and did as instructed and it started running. Then I noticed that Notepad (left over from Rkill) was running in background and, having seen your note saying "Do not run any programs while Gmer running", I thought I better close it, stop Gmer and start again. Trouble is everything seemed so slow - couldn't get it to respond. Tried Ctrl+Alt+Del - still nothing. So I waited even longer. Finally managed to close notepad and, after another long wait, got "access" to Gmer - which I closed down using the X box in the window.

Double clicked on GMer again to start it - but just got the eggtimer - this went on for ages - so I shut down computer (!?), using power button.

Started computer again and it's just stuck! Hard drive light has been on for couple hours but it won't start in Windows or even Safe Mode. It's just stuck!

Aaaaargh! What have I done?!
 
UPDATE!
Just managed to get keyboard to select the Safe Mode - it started doing the safe mode "boot" but now it's just stuck with a screen listing load of path names (to system, drivers etc.) - the sort you get when Safe Mode starts up. But that's it. Stuck again. Hard disk light still glowing like mad. Scared to power it off again - but not sure it's right to leave it like that for hours.
 
Not sure if this is helpful or not - but the last line (where Safe Mode has stuck) ends in windows\system32\DRIVERS\isapnp.sys

(Apologies if adding info before you've had chance to reply is messing things up)

(PS: Still stuck!)
 
Hi. :)

No problem what you mentioned these things happen............If I do manage to remove the malware from your machine some serious system maintenance will be in order but we can address such in due course.

OK you are going to have to perform a cold shut down with your machine, not good but the only viable option in this scenario. Hold down your computer's power on/switch on button until the machine is powered down completely.

If the need arises, merely disconnect from the mains.

Reboot into Safe Mode:

How to boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should come up where you will be given the option to enter Safe Mode, do so.

If any problems refer to this tutorial.

Next:

In Safe Mode when the Windows Advanced Options menu appears use the Arrow (on the number pad part of the keyboard) keys to select Last Known Good Configuration (your most recent settings that worked), and then press the Enter/Return key.

Also do you have a Genuine Windows XP CD-ROM or can borrow one from a family member/friend at all if the need arises?

Let myself know the outcome before we proceed further please.
 
Phew.

OK, did that (chose Last known.....) - and it's taken me to a screen where I have to choose between

Windows XP Media Center Edition
or
Safe Mode

(it has Last Known Good Configuration in blue at bottom of screen)
 
Hi. :)

Choose Last Known Good Configuration and let your machine boot up as normal.

Have you got a Genuine Windows XP CD-ROM or not if we need it? This you can inform myself about in your next reply when you post the logs requested.

Once booted up run Rkill, do not worry about the log, close down the notepad file for it. So you can post the log for myself to review it can be found here:-

C:\rkill.txt.

Next:

Re-run GMER again as outlined here.

When completed the above post the logs requested and or let myself know if any further problems encountered, thank you.
 
I used F8 and got list options. Chose "Last Known" etc. - but it just takes me to the screen I normally get - giving an option to start in Windows XP Media Centre Edition or in Safe Mode. But if I choose the Windows XP it just freezes in black screen like before.
It does let me choose f8 again, but then I just go around in circles.

(Can't find the CD you mention - not sure I've got it though - PC came with it installed. I might have a Windows 98 CD, plus an "upgrade" to XP CD)
 
Hi. :)

Hmm strange that as DDS says your particular Operating System is:-

Microsoft Windows XP Professional

OK could well be a log error (due to updates/you changed the operating system) anyway let your machine boot up into:-

Windows XP Media Centre Edition

With regard to no XP CD-ROM and the fact your machine appears to be a HP model it probably has a recovery partition on the main system drive.

Out of interest is this drive an extra drive installed or an external drive?

E: is FIXED (NTFS) - 466 GiB total, 103.398 GiB free.

----------

Let myself know the outcome/answer(s) to my questions, thank you.
 
Sorry - should have explained - the Windows 98 and XP upgrade were for another PC.

Have chosen XP Media Centre but back to earlier problem - black screen, hard disk light constantly on.

The E Drive is an external additional drive, connected via USB.
 
UPDATE - I found 3 Product Recovery CDs that came with the PC. Install Disk, Program Disk 1 and Program Disk 2 (all 3 for Windows XP Media Center - made by Watford Electronics)
 
Hi. :)

Reboot your machine again please (into Safe Mode) but this time see if you can choose the option Safe Mode with networking.

With regard to Watford Electronics. Aye I am aware of the former IT company and would prefer not to use those particular CDs if we can.

OK try the above for myself please and can you tell myself the exact make/model your HP machine is before we go any further, thank you.
 
Getting worse!
Now it's stuck on the flashing cursor so I'm not getting to the F8 option. Currently has screen showing PCI Device listing, with list of devices, then flashing cursor at bottom of screen - but stuck (and hard disk light constantly on)
 
UPDATE: Just had series of clicks and the computer moved on. Managed to use F8 and I tried Safe mode with Networking but it just takes me to same options as before i.e. Safe Mode or Media Center...or F8 again (so still going around in circles)
 
It says Aries (on a sticky label on side). Not sure where I find the make and model number. I will try and see if documents tell me and get back to you
 
UPDATE: Sorry - can't find relevant documents. It was a "free" PC when I joined RedTen Broadband about 3 years ago.
 