
Author Topic: Computer Wont Start in Normal mode, only Safe Mode. Spyware infection. Help plz!  (Read 31851 times)


flomtl (Topic Starter, Beginner)

    First I will describe the problem.
    My computer suddenly told me that it was infected with spyware. Now I recognized it as a fake indicator because it kept trying to force me to download a certain "anti virus software", so I put 2 and 2 together and figured I had a virus. So I immediately used Avast! (my anti virus program) to run a full thorough scan of my system. It came up with multiple threats (it told me my startup/memory was infected and it was unsafe to continue using my computer) and recommended restarting and running a scan on boot to delete the threats. So I restart and I get a blue screen. Then the computer tries to restart and it just loops back into the blue screen every time.

    This is what I think the problem is. Something (virus/spyware/malware) is trying to boot up on startup. My computer is crashing because of this. The only way to delete it is to run a boot scan, but I cannot reboot in normal mode, only in safe mode. Avast requires a reboot to delete the files. (And yes, I've tried manually deleting the infested file; it just reappears.) (Below is everything I've tried.)


    Now here's what I've tried to do:
    - I started in safe mode. Ran Avast there. It does the same: finds a threat, asks me to reboot, which brings me back to the blue screen.

    - I ran msconfig, disabled all startup things in the startup tab and then tried a reboot.
    No success (still got the blue screen).

    - So then in safe mode I installed Malwarebytes (recommended by a friend) and ran that. It found 20 threats. When I said to delete them it said it had to reboot, which once again led back to a blue screen.

    - Now I tried to boot from a Windows XP disc. When I click "r" to repair Windows XP, it tells me that it cannot detect any hard drive.

    - I ran Spybot (don't think it's the newest version, because I cannot update it from safe mode). It found 3 threats, so I deleted them and rebooted. Back to blue screen.

    So now I am in safe mode, writing this message, in complete despair.

    Any help would be greatly appreciated.

    Thank you
    Florian


    Oh, and here is some info about my computer if it helps.
    512 MB RAM
    Windows XP (Service Pack 2)
    2 25 GB hard drive partitions (C:) (D:) (operating system on C drive)
    I use Mozilla for internet browsing
    My virus scanner is Avast

    It is a laptop, an IBM ThinkPad T60.

    If you need any information at all to help me please don't hesitate to ask.
    Thanks a lot

    Florian.

    Just thought of some more information so I'm modifying my post:
    Since this virus happened, my google.com also refers me to google.co.jp instead of Canadian or American Google. Also a lot of sites don't work, and most Google links bring me to "wrong" links (as in not what they are supposed to be); I get redirected to various sites that tell me to download antivirus/spyware programs.....
    I have to copy the link from the bottom of the Google description and paste it into the browsing bar.

    Hope that helps someone help me  :)




    evilfantasy (Malware Removal Specialist, Moderator)

    Use msconfig and enable all items in the startup tab.

    Please print these instructions as they will be needed later when Internet access is not available.

    Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/156236231/SDFix.exe.html

    When using this tool, you must use the Administrator's account or an account with Administrative rights.
    • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
    • DO NOT use it just yet.
    • Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Open the SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
    • Press any key and it will restart the PC.
    • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
    • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Copy and paste the contents of the results file Report.txt in your next reply.

    flomtl

      I followed the instructions. Computer is now starting in Normal mode, which is great :D!

      However, when I rebooted after running SDFix in safe mode, I started it in normal mode. Right away my Avast ran a boot scan, then SDFix ran its scan. Now SDFix froze... I had to force shutdown my laptop because after 2h30min it still wasn't done.

      My computer is telling me that I have no antivirus, and that my firewall is disabled. Also my Avast is not letting me update, saying it cannot connect to the server.

      I have included 3 logs (SDFix, Avast boot scan, and catchme (which just appeared on my desktop?)).

      Thanks a lot for the help so far!!

      Florian

      [edit]:
      I ran Malwarebytes and it found 2 trojans (also attached log of scan).

      My virus scans are able to update now so I believe that the thing is gone :D

      On a side note, my google.com is always redirected to www.google.co.jp when 2 days ago it would put me to .ca (cause I'm in Canada). Could that be because of the virus still being present? Or is that not caused by my computer?


      Thank you so much for all the help, you guys are the best
      Florian

      [Saving space - attachment deleted by admin]
      « Last Edit: October 22, 2008, 09:17:08 PM by flomtl »

      evilfantasy
      We will fix the homepage issue after all of the malware is gone.

      Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

      • Double click on RSIT.exe to run.
      • Click Continue at the disclaimer screen.
      • Once it has finished, two logs will open.
      • log.txt (will be maximized) and info.txt (will be minimized)
      • Please post the contents of both logs in the next reply.

        flomtl

        I downloaded the program, ran the .exe, said continue at the disclaimer and I get

        "Autolt Error"

        Line -1:

        Error: INcorrect number of parameters in function call.

        Then all I can do is click OK.

        Did I do something wrong?

        evilfantasy
        Download TrendMicro HijackThis.exe (HJT) to the Desktop.

        • Double-click on HJTInstall.
        • Click on the Install button.
        • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
        • Upon install, HijackThis should open for you.
        • Close HijackThis.

        Now run RSIT again and see if it works.

          flomtl

          I installed HijackThis, same error.

          evilfantasy
          OK let's do a HJT scan.

          • Open HijackThis.
          • Click on the Do a system scan and save a log file button.
          • HijackThis will scan and then a log will open in Notepad.
          • Copy and then paste the entire contents of the log in your post.
          • Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

            flomtl

            Here's the log file for the HJT scan.



            Logfile of Trend Micro HijackThis v2.0.2
            Scan saved at 4:46:42 PM, on 23/10/2008
            Platform: Windows XP SP2 (WinNT 5.01.2600)
            MSIE: Internet Explorer v7.00 (7.00.6000.16705)
            Boot mode: Normal

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\ibmpmsvc.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\svchost.exe
            C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
            C:\Program Files\Alwil Software\Avast4\ashServ.exe
            C:\WINDOWS\Explorer.EXE
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\system32\IPSSVC.EXE
            C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
            C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
            C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\System32\QCONSVC.EXE
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\TPHDEXLG.EXE
            C:\WINDOWS\system32\TpKmpSVC.exe
            C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
            C:\Program Files\Canon\CAL\CALMAIN.exe
            C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
            C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
            C:\Program Files\Google\Gmail Notifier\gnotify.exe
            C:\Program Files\mobile PhoneTools\WatchDog.exe
            C:\WINDOWS\system32\TpShocks.exe
            C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
            C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
            C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
            C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
            C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
            C:\Program Files\Analog Devices\Core\smax4pnp.exe
            C:\Program Files\QuickTime\QTTask.exe
            C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
            C:\WINDOWS\system32\rundll32.exe
            C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
            C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
            C:\Program Files\iTunes\iTunesHelper.exe
            C:\WINDOWS\system32\iprntctl.exe
            C:\WINDOWS\system32\iprntlgn.exe
            C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
            C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
            C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
            C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
            C:\WINDOWS\system32\ctfmon.exe
            C:\Program Files\Windows Media Player\WMPNSCFG.exe
            C:\Program Files\Messenger\msmsgs.exe
            C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe
            D:\Program Files\Palm\Hotsync.exe
            D:\ArcSoft Total Media Backup & Record\uBBMonitor.exe
            C:\Program Files\iPod\bin\iPodService.exe
            C:\WINDOWS\system32\wuauclt.exe
            C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
            C:\Program Files\Mozilla Firefox\firefox.exe
            C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
            R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
            R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=e_XsdoA_PKEvobLt0OpVa4fSphA
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
            R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.2:8080
            O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
            O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
            O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
            O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
            O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
            O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
            O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
            O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
            O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
            O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
            O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
            O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
            O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
            O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
            O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
            O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
            O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
            O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
            O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
            O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
            O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
            O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
            O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
            O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
            O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
            O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
            O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
            O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
            O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
            O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
            O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
            O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
            O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
            O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
            O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe
            O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
            O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
            O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
            O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [Gestionnaire Antidote.exe] C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe (User '?')
            O4 - S-1-5-18 Startup: Digital Line Detect.lnk = ? (User '?')
            O4 - .DEFAULT Startup: Digital Line Detect.lnk = ? (User 'Default user')
            O4 - .DEFAULT User Startup: Digital Line Detect.lnk = ? (User 'Default user')
            O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\Palm\Hotsync.exe
            O4 - Global Startup: TotalMedia Backup Monitor.lnk = D:\ArcSoft Total Media Backup & Record\uBBMonitor.exe
            O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
            O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
            O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
            O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
            O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
            O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
            O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
            O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
            O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
            O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
            O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
            O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
            O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
            O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe
            O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O11 - Options group: [JAVA_IBM] Java (IBM)
            O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
            O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
            O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144768162093
            O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
            O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
            O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
            O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
            O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
            O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
            O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
            O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
            O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
            O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
            O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
            O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
            O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
            O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
            O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
            O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
            O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
            O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
            O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
            O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
            O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
            O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
            O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe

            --
            End of file - 12604 bytes
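The HijackThis log posted above is a plain-text format with one entry per line, keyed by a section code (R1 for Internet Explorer and Internet Settings registry values such as ProxyServer, O2 for browser helper objects, O4 for autorun entries, O23 for services). The following Python script is an added example for readers of this thread; it is not part of the thread and not HijackThis's own code. It parses a constructed sample made of a few lines copied from the log above (not the full log) and pulls out what a reviewer checks first: the configured ProxyServer value, Run-key entries whose command is not a full path (so the file cannot be verified until the name is resolved), and services whose file is reported missing. It produces no verdict; each flagged item is something to verify against the machine's expected configuration (the ProxyServer entry, for instance, should match whatever proxy the network actually uses).

```python
"""Parse HijackThis-style log lines and list the entries a reviewer checks first."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis log in the
# thread, plus its header lines, so the parser can be run offline. Not the full log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.2:8080
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\Palm\Hotsync.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# One log entry: "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O4 registry autoruns: "<hive>\..\Run: [<name>] <command>" (Run, RunOnce, ...).
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# R1 proxy setting: "<registry key>,ProxyServer = host:port".
PROXY_RE = re.compile(r"^(?P<key>.+),ProxyServer = (?P<value>\S+)$")
# O23 services: "Service: <display name> - <owner> - <path>".
SERVICE_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Entry:
    section: str
    body: str


def parse_hjt(text):
    """Return the section-coded entries; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def proxy_server(entries):
    """Return the ProxyServer value from the R1 entries, or None if none is set."""
    for e in entries:
        if e.section == "R1":
            m = PROXY_RE.match(e.body)
            if m:
                return m["value"]
    return None


def run_entries(entries):
    """Return (hive, key, name, command) for each O4 registry Run entry.

    Startup-folder O4 lines ("Global Startup: x.lnk = ...") have a different shape
    and are left out here.
    """
    out = []
    for e in entries:
        if e.section != "O4":
            continue
        m = RUN_RE.match(e.body)
        if not m:
            continue
        # HijackThis appends "(User '...')" to per-user hives; drop it from the command.
        cmd = re.sub(r" \(User '[^']*'\)$", "", m["cmd"])
        out.append((m["hive"], m["key"], m["name"], cmd))
    return out


def command_path(cmd):
    """The executable part of a Run command: the quoted path, or the first token."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""


def is_qualified(path):
    """True when the executable is given as a drive-letter path that can be checked directly."""
    return bool(re.match(r"^[A-Za-z]:\\", path))


def missing_services(entries):
    """Display names of O23 services whose binary HijackThis reports as missing."""
    out = []
    for e in entries:
        if e.section == "O23":
            m = SERVICE_RE.match(e.body)
            if m and m["path"].endswith("(file missing)"):
                out.append(m["display"])
    return out


def review(text):
    """Summarise the items a reviewer verifies first. Flags are questions, not verdicts:
    an unqualified command (bare name or unexpanded %systemroot%) simply has to be
    resolved before the file behind it can be checked."""
    entries = parse_hjt(text)
    runs = run_entries(entries)
    return {
        "entry_count": len(entries),
        "proxy_server": proxy_server(entries),
        "run_entries": len(runs),
        "unqualified_commands": [name for _, _, name, cmd in runs
                                 if not is_qualified(command_path(cmd))],
        "missing_service_files": missing_services(entries),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a full HijackThis log, `review` gives a short list to work through by hand: confirm the proxy is the one the network really uses, resolve each unqualified command to a file and check it, and decide whether a service whose file is missing is leftover configuration or something that was removed by a cleanup tool.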

            evilfantasy
            Your Java is out of date.

            Older versions have vulnerabilities that malicious sites can use to infect your system.

            First install the new Sun Java Runtime Environment.

            Be sure to close all browser windows before beginning the install.

            Remove the old version(s)

            Download JavaRa
            • Unzip the file and open the JavaRa.exe
            • Click Remove Older Versions
            • JavaRa will search for and remove any outdated version of Java and remove any that are found.
            • Click Additional Tasks
            • Place a check next to Remove Useless JRE Files and click Go
            • Exit JavaRa
            • Delete the JavaRa files from the Desktop

            ----------

            Run this online scan.

            This scanner requires Internet Explorer.

            Use the ESET Nod32 Online Scanner

            1. Check the box next to YES, I accept the Terms of Use.
            2. Click Start
            3. When asked, allow the ActiveX control to install
            4. Click Start
            5. Make sure that the option Remove found threats and the option Scan unwanted applications are check marked.
            6. Click Scan
            7. Wait for the scan to finish
            8. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
            9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

            How is everything now?

              flomtl

              I did the Java thing (install new, delete old); however I could not go to the Java site you linked, so I just clicked on the update that was waiting in my start bar (the little Java square in the bottom right corner).

              Then I clicked on the link for the NOD32 scan (in Internet Explorer); however it will not allow me to connect to that site.

              Also my Google searches are once again being redirected, and it feels like the computer has slowed down significantly.
              It seems that I can't get to any anti-virus/malware/spyware related sites...

              So things are not so good now (better than initially though, I must say, since I'm not getting a blue screen cycle on startup :D).
              Always look at the bright side, heh.

              Florian

              evilfantasy
              OK we need to let SDFix run again.

              Please print these instructions as they will be needed later when Internet access is not available.

              Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/156236231/SDFix.exe.html

              When using this tool, you must use the Administrator's account or an account with Administrative rights.
              • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
              • DO NOT use it just yet.
              • Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

              Open the SDFix folder and double click RunThis.bat to start the script.
              • Type Y to begin the cleanup process.
              • It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
              • Press any key and it will restart the PC.
              • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
              • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
              • Copy and paste the contents of the results file Report.txt in your next reply.

                flomtl

                Did as instructed. I had to attach (instead of paste) the report because otherwise I exceed the maximum allowed length of a post.



                [Saving space - attachment deleted by admin]

                evilfantasy
                That's the same log as before. Can you find the new one and post it?

                  flomtl

                  Oh, sorry about that, I forgot the report saved in the SDFix folder. Here is the proper log.

                  [Saving space - attachment deleted by admin]