
Author Topic: Computer Wont Start in Normal mode, only Safe Mode. Spyware infection. Help plz!  (Read 31569 times)


flomtl

    Topic Starter


    Beginner

    First I will describe the problem.
    My computer suddenly told me that it was infected with spyware. Now, I recognized it as a fake indicator because it kept trying to force me to download a certain "anti virus software", so I put 2 and 2 together and figured I had a virus. So I immediately used Avast! (my anti-virus program) to run a full thorough scan of my system. It came up with multiple threats (it told me my startup/memory was infected and it was unsafe to continue using my computer); it recommended restarting and running a scan on boot to delete the threats. So I restart and I get a blue screen. Then the computer tries to restart and it just loops back into the blue screen every time.

    This is what I think the problem is. Something (virus/spyware/malware) is trying to boot up on startup. My computer is crashing because of this. The only way to delete it is to run a boot scan, but I cannot reboot in normal mode, only in safe mode. Avast requires a reboot to delete the files. (And yes, I've tried manually deleting the infested file; it just reappears.) (Below is everything I've tried.)


    Now here's what I've tried to do:
     - I started in smart mode. Ran Avast there. It does the same: finds a threat, asks me to reboot, which brings me back to the blue screen.

    - I ran msconfig, disabled all startup things in the startup tab and then tried a reboot.
    No success (still got the blue screen).

    - So then in safe mode I installed Malwarebytes (recommended by a friend) and ran that; it found 20 threats. When I said to delete them it said it had to reboot, which once again led back to a blue screen.

    - Now I tried to boot from a Windows XP disc. When I click "r" to repair Windows XP, it tells me that it cannot detect any hard drive.

    - I ran Spybot (don't think it's the newest version, because I cannot update it from safe mode). It found 3 threats, so I deleted them, rebooted. Back to blue screen.

    So now I am in safe mode, writing the message, in complete despair.

    Any help would be greatly appreciated.

    Thank you
    Florian


    Oh, and here is some info about my computer if it helps.
    512 MB RAM
    Windows XP (Service Pack 2)
    2 25 GB hard drive partitions (C:) (D:) (operating system on C drive)
    I use Mozilla for internet browsing
    My virus scanner is Avast

    It is a laptop, an IBM ThinkPad T60.

    If you need any information at all to help me please don't hesitate to ask.
    Thanks a lot

    Florian.

    Just thought of some more information so I'm modifying my post:
    Since this virus happened, my google.com also refers me to google.co.jp instead of Canadian or American Google. Also a lot of sites don't work, and most Google links bring me to "wrong" links (as in not what they are supposed to be); I get redirected to various sites that tell me to download antivirus/spyware programs...
    I have to copy-paste the link from the bottom of the Google description and paste it into the browsing bar.

    Hope that helps someone help me :)




    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 489
    • Experience: Familiar
    • OS: Windows 10
    Use msconfig and enable all items in the startup tab.

    Please print these instructions as they will be needed later when Internet access is not available.
     
    Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/156236231/SDFix.exe.html

    When using this tool, you must use the Administrator's account or an account with Administrative rights.
    • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
    • DO NOT use it just yet.
    • Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
     
    Open the SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Copy and paste the contents of the results file Report.txt in your next reply.

    flomtl

      I followed the instructions. Computer is now starting in Normal mode which is great :D!

      However, when I rebooted after running SDFix in safe mode, I started it in normal mode; right away my Avast ran a boot scan, then SDFix ran its scan. Now SDFix froze... I had to force shutdown my laptop because after 2h30min it still wasn't done.

      My computer is telling me that I have no antivirus, and that my firewall is disabled. Also my Avast is not letting me update, saying it cannot connect to the server.

      I have included 3 logs (SDFix, Avast boot scan, and catchme (which just appeared on my desktop?))

      Thanks a lot for the help so far!!

      Florian

      [edit]:
      I ran Malwarebytes and it found 2 trojans (also attached log of scan)

      My virus scans are able to update now so I believe that the thing is gone :D

      On a side note, my google.com is always redirected to www.google.co.jp when 2 days ago it would put me to .ca (cause I'm in Canada). Could that be because of the virus still being present? Or is that not caused by my computer?


      Thank you so much for all the help, you guys are the best
      Florian

      [Saving space - attachment deleted by admin]
      « Last Edit: October 22, 2008, 09:17:08 PM by flomtl »

      evilfantasy
      We will fix the homepage issue after all of the malware is gone.

      Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

      • Double click on RSIT.exe to run.
      • Click Continue at the disclaimer screen.
      • Once it has finished, two logs will open.
      • log.txt (will be maximized) and info.txt (will be minimized)
      • Please post the contents of both logs in the next reply.

      flomtl

        I downloaded the program, ran the .exe, said continue at the disclaimer and I get

        "AutoIt Error"

        Line -1:

        Error: Incorrect number of parameters in function call.

        Then all I can do is click OK.

        Did I do something wrong?

        evilfantasy
        Download TrendMicro HijackThis.exe (HJT) to the Desktop.

        • Double-click on HJTInstall.
        • Click on the Install button.
        • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
        • Upon install, HijackThis should open for you.
        • Close HijackThis.

        Now run RSIT again and see if it works.

        flomtl

          I installed HijackThis, same error.

          evilfantasy
          OK let's do a HJT scan.

          • Open HijackThis.
          • Click on the Do a system scan and save a log file button
          • HijackThis will scan and then a log will open in notepad.
          • Copy and then paste the entire contents of the log in your post.
          • Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

          flomtl

            Here's the log file for the HJT scan.



            Logfile of Trend Micro HijackThis v2.0.2
            Scan saved at 4:46:42 PM, on 23/10/2008
            Platform: Windows XP SP2 (WinNT 5.01.2600)
            MSIE: Internet Explorer v7.00 (7.00.6000.16705)
            Boot mode: Normal

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\ibmpmsvc.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\svchost.exe
            C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
            C:\Program Files\Alwil Software\Avast4\ashServ.exe
            C:\WINDOWS\Explorer.EXE
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\system32\IPSSVC.EXE
            C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
            C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
            C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\System32\QCONSVC.EXE
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\TPHDEXLG.EXE
            C:\WINDOWS\system32\TpKmpSVC.exe
            C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
            C:\Program Files\Canon\CAL\CALMAIN.exe
            C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
            C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
            C:\Program Files\Google\Gmail Notifier\gnotify.exe
            C:\Program Files\mobile PhoneTools\WatchDog.exe
            C:\WINDOWS\system32\TpShocks.exe
            C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
            C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
            C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
            C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
            C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
            C:\Program Files\Analog Devices\Core\smax4pnp.exe
            C:\Program Files\QuickTime\QTTask.exe
            C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
            C:\WINDOWS\system32\rundll32.exe
            C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
            C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
            C:\Program Files\iTunes\iTunesHelper.exe
            C:\WINDOWS\system32\iprntctl.exe
            C:\WINDOWS\system32\iprntlgn.exe
            C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
            C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
            C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
            C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
            C:\WINDOWS\system32\ctfmon.exe
            C:\Program Files\Windows Media Player\WMPNSCFG.exe
            C:\Program Files\Messenger\msmsgs.exe
            C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe
            D:\Program Files\Palm\Hotsync.exe
            D:\ArcSoft Total Media Backup & Record\uBBMonitor.exe
            C:\Program Files\iPod\bin\iPodService.exe
            C:\WINDOWS\system32\wuauclt.exe
            C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
            C:\Program Files\Mozilla Firefox\firefox.exe
            C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
            R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
            R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=e_XsdoA_PKEvobLt0OpVa4fSphA
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
            R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.2:8080
            O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
            O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
            O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
            O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
            O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
            O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
            O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
            O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
            O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
            O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
            O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
            O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
            O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
            O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
            O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
            O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
            O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
            O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
            O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
            O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
            O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
            O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
            O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
            O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
            O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
            O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
            O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
            O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
            O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
            O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
            O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
            O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
            O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
            O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
            O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe
            O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
            O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
            O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
            O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [Gestionnaire Antidote.exe] C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe (User '?')
            O4 - S-1-5-18 Startup: Digital Line Detect.lnk = ? (User '?')
            O4 - .DEFAULT Startup: Digital Line Detect.lnk = ? (User 'Default user')
            O4 - .DEFAULT User Startup: Digital Line Detect.lnk = ? (User 'Default user')
            O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\Palm\Hotsync.exe
            O4 - Global Startup: TotalMedia Backup Monitor.lnk = D:\ArcSoft Total Media Backup & Record\uBBMonitor.exe
            O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
            O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
            O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
            O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
            O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
            O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
            O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
            O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
            O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
            O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
            O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
            O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
            O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
            O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe
            O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O11 - Options group: [JAVA_IBM] Java (IBM)
            O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
            O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
            O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144768162093
            O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
            O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
            O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
            O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
            O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
            O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
            O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
            O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
            O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
            O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
            O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
            O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
            O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
            O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
            O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
            O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
            O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
            O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
            O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
            O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
            O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
            O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
            O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe

            --
            End of file - 12604 bytes
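The moderator asks for the log to be posted rather than "fixed" because most HJT entries are legitimate; what a reviewer does is pick out the few lines worth a second look (here: a configured proxy, a service pointing at a missing file, autoruns given only a bare file name, and paths that reveal an old JRE). As an added example, not part of the thread, of HijackThis, or of the moderator's method, this Python script does that triage over lines copied from the log above; the "current" Java version it compares against is an assumption.

```python
"""Triage a HijackThis (HJT) log.

Added example for this thread: it is not part of HijackThis and not the
moderator's method. It parses the "Xn - ..." entry lines and flags entries
a reviewer would examine first: a configured system proxy, services with no
publisher or a missing binary, autoruns that rely on a PATH lookup, and a
Java runtime older than an assumed current version.
"""
import re

# Entry lines look like "O4 - HKLM\..\Run: [name] command" or
# "R1 - HKCU\...\Internet Settings,ProxyServer = host:port".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2})\s+-\s+(?P<body>.+?)\s*$")
# JRE install directories embed the version, e.g. jre1.6.0_03.
JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)

# Constructed sample: a handful of lines taken from the log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.2:8080
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""

# Assumption used for the version check, not a fact taken from the thread.
ASSUMED_CURRENT_JRE = (1, 6, 0, 10)


def parse_hjt_log(text):
    """Return [(code, body), ...] for every entry line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def jre_version(path):
    """Return (major, minor, patch, update) parsed from a JRE path, or None."""
    m = JRE_RE.search(path)
    return tuple(int(x) for x in m.groups()) if m else None


def triage_entry(code, body, min_jre=ASSUMED_CURRENT_JRE):
    """Return the list of reasons this entry deserves a look (empty if none)."""
    reasons = []
    if code == "R1" and "ProxyServer" in body:
        # A proxy silently routes every browser request through another host.
        reasons.append("system proxy configured; confirm it is intended")
    if code == "O23":
        if "Unknown owner" in body:
            reasons.append("service binary carries no publisher name")
        if "(file missing)" in body:
            reasons.append("service points at a file that no longer exists")
    if code == "O4":
        m = re.search(r"\]\s*(.+)$", body)  # the command after [name]
        if m:
            cmd = m.group(1).strip().lstrip('"')
            # A bare file name is resolved through the search path at logon,
            # so the log alone does not say which binary actually runs.
            if not re.match(r"^(?:[A-Za-z]:\\|%|rundll32\b)", cmd, re.IGNORECASE):
                reasons.append("autorun uses a bare file name (PATH lookup)")
    ver = jre_version(body)
    if ver and ver < min_jre:
        reasons.append(f"Java runtime {ver} is older than assumed current {min_jre}")
    return reasons


def triage_log(text, min_jre=ASSUMED_CURRENT_JRE):
    """Return [(code, body, reasons), ...] for the flagged entries only."""
    flagged = []
    for code, body in parse_hjt_log(text):
        reasons = triage_entry(code, body, min_jre)
        if reasons:
            flagged.append((code, body, reasons))
    return flagged


if __name__ == "__main__":
    for code, body, reasons in triage_log(SAMPLE_LOG):
        print(f"{code}: {body}")
        for r in reasons:
            print(f"    -> {r}")
```

Run against the full log above it flags the proxy line, the PsaSrv service, the two bare-name ThinkPad autoruns and every jre1.6.0_03 path; the Run entries for installed ThinkPad utilities are expected on this laptop and are listed only so a reviewer confirms them.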

            evilfantasy
            Your Java is out of date.

            Older versions have vulnerabilities that malicious sites can use to infect your system.

            First install the new Sun Java Runtime Environment

            Be sure to close all browser windows before beginning the install.

            Remove the old version(s)

            Download JavaRa
            • Unzip the file and open the JavaRa.exe
            • Click Remove Older Versions
            • JavaRa will search for and remove any outdated version of Java and remove any that are found.
            • Click Additional Tasks
            • Place a check next to Remove Useless JRE Files and click Go
            • Exit JavaRa
            • Delete the JavaRa files from the Desktop
            ----------

            Run this online scan.

            This scanner requires Internet Explorer

            Use the ESET Nod32 Online Scanner

            1. Check the box next to YES, I accept the Terms of Use.
            2. Click Start
            3. When asked, allow the activex control to install
            4. Click Start
            5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
            6. Click Scan
            7. Wait for the scan to finish
            8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
            9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

            How is everything now?

            flomtl

              I did the Java thing (install new, delete old); however I could not go to the Java site you linked, so I just clicked on the update that was waiting in my start bar (the little Java square in the bottom right corner).

              Then I clicked on the link for the NOD32 scan (in Internet Explorer); however it will not allow me to connect to that site.

              Also my Google searches are once again being redirected, and it feels like the computer has slowed down significantly.
              It seems that I can't get to any anti-virus/malware/spyware related sites...

              So things are not so good now (better than initially though, I must say, since I'm not getting a blue screen cycle on startup :D)
              Always look at the bright side heh

              Florian

              evilfantasy
              OK we need to let SDFix run again.

              Please print these instructions as they will be needed later when Internet access is not available.
               
              Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/156236231/SDFix.exe.html

              When using this tool, you must use the Administrator's account or an account with Administrative rights.
              • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
              • DO NOT use it just yet.
              • Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
               
              Open the SDFix folder and double click RunThis.bat to start the script.
              • Type Y to begin the cleanup process.
              • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
              • Press any Key and it will restart the PC.
              • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
              • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
              • Copy and paste the contents of the results file Report.txt in your next reply.

              flomtl

                Did as instructed. I had to attach (instead of paste) the report because otherwise I exceed the maximum allowed length of a post.



                [Saving space - attachment deleted by admin]

                evilfantasy
                That's the same log as before. Can you find the new one and post it?

                flomtl

                  Oh, sorry about that, I forgot the report saved in the SDFix folder. Here is the proper log.

                  [Saving space - attachment deleted by admin]

                  evilfantasy
                  Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

                  Link #1
                  Link #2

                  **Note:  It is important that it is saved directly to your Desktop

                  Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

                  Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
                   
                  Double click combofix.exe & follow the prompts.
                  When finished ComboFix will produce a log for you.
                  Post the ComboFix log and a new HijackThis log in your next reply.

                  Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

                  Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

                  flomtl

                    Combo fix log:
                    ComboFix 08-10-23.03 - student 2008-10-23 20:35:09.1 - NTFSx86

                    .

                    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .

                    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
                    C:\WINDOWS\system32\drivers\TDSSpqxt.sys
                    C:\WINDOWS\system32\TDSSbxbx.dll
                    C:\WINDOWS\system32\TDSScfum.dll
                    C:\WINDOWS\system32\TDSSfxwp.dll
                    C:\WINDOWS\system32\TDSSnmxa.dll
                    C:\WINDOWS\system32\TDSSnrsr.dat
                    C:\WINDOWS\system32\TDSSoiqh.log
                    C:\WINDOWS\system32\TDSSosvn.dll
                    C:\WINDOWS\system32\TDSSpqxt.log
                    C:\WINDOWS\system32\TDSSrdym.log
                    C:\WINDOWS\system32\TDSSsihc.dll
                    C:\WINDOWS\system32\TDSStkdv.dll

                    .
                    (((((((((((((((((((((((((   Files Created from 2008-09-24 to 2008-10-24  )))))))))))))))))))))))))))))))
                    .

                    2008-10-23 00:17 . 2008-10-23 00:17   <DIR>   d--------   C:\Program Files\Trend Micro
                    2008-10-23 00:04 . 2008-10-23 00:04   <DIR>   d--------   C:\rsit
                    2008-10-22 21:16 . 2008-10-22 21:16   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
                    2008-10-22 21:16 . 2008-10-16 20:25   38,496   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
                    2008-10-22 21:16 . 2008-10-16 20:25   15,504   --a------   C:\WINDOWS\system32\drivers\mbam.sys
                    2008-10-22 17:09 . 2008-10-22 17:09   <DIR>   d--------   C:\WINDOWS\ERUNT
                    2008-10-22 17:05 . 2008-10-23 20:23   <DIR>   d--------   C:\SDFix
                    2008-10-21 19:09 . 2008-10-21 19:09   <DIR>   d--------   C:\Documents and Settings\student\Application Data\Malwarebytes
                    2008-10-21 19:09 . 2008-10-21 19:09   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
                    2008-10-21 15:30 . 2008-10-21 15:30   164   --a------   C:\WINDOWS\system32\TDSSpaxt.dat
                    2008-10-21 15:08 . 2008-10-22 17:09   60,416   --a------   C:\WINDOWS\system32\drivers\TDSSmhlt.sys
                    2008-10-08 20:54 . 2008-10-08 20:54   <DIR>   d--------   C:\Program Files\Windows Live
                    2008-10-06 10:41 . 2008-10-06 10:41   <DIR>   d--------   C:\Program Files\Microsoft Silverlight
                    2008-09-30 01:30 . 2008-09-30 01:30   <DIR>   d--------   C:\Program Files\Alwil Software
                    2008-09-28 22:13 . 2008-09-28 22:13   477,184   --a------   C:\WINDOWS\system32\autoprnt.exe
                    2008-09-28 22:13 . 2008-09-28 22:13   118,784   --a------   C:\WINDOWS\system32\snapapi.dll
                    2008-09-28 22:13 . 2008-09-28 22:13   77,728   --a------   C:\WINDOWS\system32\drivers\snapman.sys
                    2008-09-28 22:13 . 2008-09-28 22:13   37,888   --a------   C:\WINDOWS\system32\setupnt.dll
                    2008-09-28 22:12 . 2008-09-28 22:12   <DIR>   d--------   C:\Program Files\Common Files\Acronis

                    .
                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2008-10-23 23:05   ---------   d-----w   C:\Program Files\Java
                    2008-10-22 01:52   ---------   d---a-w   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
                    2008-10-21 19:12   ---------   d-----w   C:\Documents and Settings\student\Application Data\Azureus
                    2008-10-09 03:48   38,088   ----a-w   C:\Documents and Settings\student\Application Data\GDIPFONTCACHEV1.DAT
                    2008-10-09 00:54   ---------   d-----w   C:\Program Files\MSN Messenger
                    2008-10-09 00:54   ---------   d-----w   C:\Program Files\Messenger Plus! Live
                    2008-09-30 05:35   ---------   d-----w   C:\Program Files\ESET
                    2008-09-30 05:32   ---------   d---a-w   C:\Program Files\Common Files\Wise Installation Wizard
                    2008-09-28 16:30   ---------   d-----w   C:\Program Files\Azureus
                    2008-08-27 02:51   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
                    2008-08-27 02:50   ---------   d-----w   C:\Program Files\Symantec
                    2007-05-22 23:14   8,784   ----a-w   C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
                    2007-05-22 23:17   245,408   ----a-w   C:\Program Files\mozilla firefox\plugins\unicows.dll
                    2003-04-10 14:20   30,208   ------w   C:\Program Files\internet explorer\plugins\lfbmp13n.dll
                    2003-04-10 14:20   35,840   ------w   C:\Program Files\internet explorer\plugins\lfcal13n.dll
                    2003-04-10 14:28   406,528   ------w   C:\Program Files\internet explorer\plugins\LFCMP13n.DLL
                    2003-04-10 14:20   47,104   ------w   C:\Program Files\internet explorer\plugins\lfgif13n.dll
                    2003-04-10 14:21   18,944   ------w   C:\Program Files\internet explorer\plugins\lfmsp13n.dll
                    2003-04-10 14:21   26,624   ------w   C:\Program Files\internet explorer\plugins\lfpcx13n.dll
                    2003-04-10 14:32   181,760   ------w   C:\Program Files\internet explorer\plugins\Lfpng13n.dll
                    2003-04-10 14:21   55,808   ------w   C:\Program Files\internet explorer\plugins\lfpsd13n.dll
                    2003-04-10 14:21   24,576   ------w   C:\Program Files\internet explorer\plugins\lftga13n.dll
                    2002-09-27 16:04   4,033,084   ------w   C:\Program Files\internet explorer\plugins\library.dll
                    2003-04-10 14:18   269,824   ------w   C:\Program Files\internet explorer\plugins\LTDIS13n.dll
                    2003-04-04 20:55   206,848   ------w   C:\Program Files\internet explorer\plugins\ltefx13n.dll
                    2003-04-10 14:18   144,384   ------w   C:\Program Files\internet explorer\plugins\ltfil13n.DLL
                    2003-04-10 14:19   447,488   ------w   C:\Program Files\internet explorer\plugins\ltimg13n.dll
                    2003-04-10 14:18   446,464   ------w   C:\Program Files\internet explorer\plugins\ltkrn13n.dll
                    2003-06-11 14:59   245,839   ------w   C:\Program Files\internet explorer\plugins\MWPro.dll
                    2003-06-11 15:23   73,728   ------w   C:\Program Files\internet explorer\plugins\Paint.dll
                    2003-06-11 15:43   151,552   ------w   C:\Program Files\internet explorer\plugins\sprites.dll
                    1998-07-12 05:13   53,760   ------w   C:\Program Files\internet explorer\plugins\zlib.dll
                    .

                    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    *Note* empty entries & legit default entries are not shown
                    REGEDIT4

                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
                    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
                    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
                    "Gestionnaire Antidote.exe"="C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe" [2007-04-16 534200]

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
                    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
                    "WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2004-08-14 36864]
                    "TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
                    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
                    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
                    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
                    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
                    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
                    "QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
                    "PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-26 151552]
                    "PDService.exe"="C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
                    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
                    "LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-07-05 110592]
                    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
                    "iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [2006-05-25 40960]
                    "iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [2006-05-25 45056]
                    "EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 237568]
                    "DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-29 196696]
                    "BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-26 208896]
                    "AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-08-17 69632]
                    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
                    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
                    "TpShocks"="TpShocks.exe" [2005-11-07 C:\WINDOWS\system32\TpShocks.exe]
                    "TP4EX"="tp4ex.exe" [2005-10-17 C:\WINDOWS\system32\TP4EX.exe]

                    C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
                    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-10 24576]

                    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
                    HotSync Manager.lnk - D:\Program Files\Palm\Hotsync.exe [2004-06-09 471040]
                    PASPortal.lnk - C:\WINDOWS\Installer\{BA52BCD8-C7A4-4D27-AA07-A5541F65B721}\NewShortcut1.exe [2006-11-15 40960]
                    TotalMedia Backup Monitor.lnk - D:\ArcSoft Total Media Backup & Record\uBBMonitor.exe [2008-03-04 270336]

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                    "CompatibleRUPSecurity"= 1 (0x1)

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
                    "AllowLegacyWebView"= 1 (0x1)
                    "AllowUnhashedWebView"= 1 (0x1)

                    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
                    "NoViewOnDrive"= 0 (0x0)

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
                    2006-08-17 03:07 49152 C:\Program Files\Lenovo\AwayTask\AwayNotify.dll

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
                    2005-03-18 03:07 262144 C:\WINDOWS\system32\QConGina.dll

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
                    2005-07-06 00:45 28672 C:\WINDOWS\system32\notifyf2.dll

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
                    2005-11-30 23:16 24576 C:\WINDOWS\system32\tphklock.dll

                    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
                    Notification Packages   REG_MULTI_SZ      scecli csspwntfy

                    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PASPortal.lnk]
                    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PASPortal.lnk
                    backup=C:\WINDOWS\pss\PASPortal.lnkCommon Startup

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
                    --a------ 2008-10-16 20:25 1257104 C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
                    "UPS"=3 (0x3)
                    "UCLauncherService"=2 (0x2)
                    "SMART Board Service"=2 (0x2)
                    "SCardSvr"=3 (0x3)
                    "SamSs"=2 (0x2)
                    "iPodService"=3 (0x3)
                    "wscsvc"=2 (0x2)
                    "CiSvc"=3 (0x3)
                    "cusrvc"=3 (0x3)

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
                    "DisableMonitoring"=dword:00000001

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                    "%windir%\\system32\\sessmgr.exe"=
                    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                    "C:\\Program Files\\Azureus\\Azureus.exe"=
                    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
                    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
                    "C:\\WINDOWS\\system32\\rtcshare.exe"=
                    "C:\\Program Files\\NetMeeting\\conf.exe"=
                    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
                    "C:\\StubInstaller.exe"=
                    "C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
                    "C:\\Program Files\\iTunes\\iTunes.exe"=
                    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
                    "C:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
                    "C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

                    .
                    - - - - ORPHANS REMOVED - - - -

                    Notify-NavLogon - (no file)
                    Notify-WgaLogon - (no file)


                    .
                    ------- Supplementary Scan -------
                    .
                    FireFox -: Profile - C:\DOCUME~1\student\APPLIC~1\Mozilla\Firefox\Profiles\39hnx97q.default\
                    FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.ca
                    FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
                    FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
                    FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
                    FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
                    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npnipp.dll
                    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npRACtrl.dll
                    .

                    **************************************************************************

                    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                    Rootkit scan 2008-10-23 20:46:39
                    Windows 5.1.2600 Service Pack 2 NTFS

                    scanning hidden processes ...

                    scanning hidden autostart entries ...

                    scanning hidden files ...

                    scan completed successfully
                    hidden files: 0

                    **************************************************************************
                    .
                    --------------------- DLLs Loaded Under Running Processes ---------------------

                    PROCESS: C:\WINDOWS\system32\winlogon.exe
                    -> C:\WINDOWS\system32\tphklock.dll
                    .
                    ------------------------ Other Running Processes ------------------------
                    .
                    C:\WINDOWS\system32\ibmpmsvc.exe
                    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                    C:\Program Files\Alwil Software\Avast4\ashServ.exe
                    C:\WINDOWS\system32\IPSSVC.EXE
                    C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
                    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
                    C:\WINDOWS\system32\QCONSVC.EXE
                    C:\Program Files\SMART Board Software\SMARTBoardService.exe
                    C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
                    C:\WINDOWS\system32\rundll32.exe
                    C:\WINDOWS\system32\TPHDEXLG.exe
                    C:\WINDOWS\system32\TpKmpSvc.exe
                    C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
                    C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
                    C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
                    C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
                    C:\Program Files\Canon\CAL\CALMAIN.exe
                    C:\Program Files\DataStudio\PASPortal.exe
                    C:\Program Files\Windows Media Player\wmpnetwk.exe
                    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                    C:\WINDOWS\system32\wscntfy.exe
                    C:\Program Files\iPod\bin\iPodService.exe
                    C:\WINDOWS\system32\dwwin.exe
                    .
                    **************************************************************************
                    .
                    Completion time: 2008-10-23 20:54:42 - machine was rebooted
                    ComboFix-quarantined-files.txt  2008-10-24 00:54:31

                    Pre-Run: 1,294,417,920 bytes free
                    Post-Run: 1,470,304,256 bytes free

                    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
                    [boot loader]
                    timeout=2
                    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
                    [operating systems]
                    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

                    239   --- E O F ---   2008-09-25 12:18:59





                    HijackThis log is attached.

                    [Saving space - attachment deleted by admin]
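The "Files Created" section of the ComboFix log above is where the infection shows itself: two freshly dropped files in system32 whose names are the "TDSS" prefix plus four random-looking letters, exactly like the eleven files ComboFix already deleted under "Other Deletions". The script below is an added example, not part of this thread or of ComboFix, showing how a helper could triage such a section automatically: it parses the ComboFix line format, flags files matching that TDSS naming pattern as high priority, and lists any other new kernel driver for manual review. The sample lines are copied from the posted log; the regular expressions and the severity labels are assumptions of this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Sample input: four file lines and one directory line copied from the
# "Files Created" section of the ComboFix log posted above, embedded here
# so the script runs offline.
SAMPLE_LOG = """\
2008-10-23 00:17 . 2008-10-23 00:17   <DIR>   d--------   C:\\Program Files\\Trend Micro
2008-10-22 21:16 . 2008-10-16 20:25   38,496   --a------   C:\\WINDOWS\\system32\\drivers\\mbamswissarmy.sys
2008-10-21 15:30 . 2008-10-21 15:30   164   --a------   C:\\WINDOWS\\system32\\TDSSpaxt.dat
2008-10-21 15:08 . 2008-10-22 17:09   60,416   --a------   C:\\WINDOWS\\system32\\drivers\\TDSSmhlt.sys
2008-09-28 22:13 . 2008-09-28 22:13   77,728   --a------   C:\\WINDOWS\\system32\\drivers\\snapman.sys
"""

# One "Files Created" line: <created> . <modified>  <size|<DIR>>  <attributes>  <path>
# (regex is this example's assumption about the format, derived from the log above)
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>.+?)\s*$"
)

# Naming pattern visible in the log: "TDSS" followed by four lowercase letters
# and one of the extensions that appeared under "Other Deletions".
TDSS_NAME_RE = re.compile(r"^TDSS[a-z]{4}\.(sys|dll|dat|log)$", re.IGNORECASE)

DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def name(self) -> str:
        # Last path component (Windows separator)
        return self.path.rsplit("\\", 1)[-1]


def parse_files_created(text: str) -> list[Entry]:
    """Parse ComboFix 'Files Created' lines; lines that do not match are skipped."""
    entries: list[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def triage(entries: list[Entry]) -> dict[str, str]:
    """Map each suspicious path to a finding. Severity labels are this example's own."""
    findings: dict[str, str] = {}
    for e in entries:
        if e.size is None:  # directories are not triaged here
            continue
        lower = e.path.lower()
        if TDSS_NAME_RE.match(e.name):
            findings[e.path] = "high: TDSS-pattern file in system32"
        elif lower.startswith(DRIVERS_DIR) and lower.endswith(".sys"):
            # Any other kernel driver that appeared in the scan window is
            # worth a look, but is not evidence on its own.
            findings[e.path] = "review: new kernel driver in the scan window"
    return findings


if __name__ == "__main__":
    for path, finding in triage(parse_files_created(SAMPLE_LOG)).items():
        print(f"{finding:45s} {path}")
```

Run against the sample, the two TDSS files come out as high priority and the two legitimate-looking drivers (the Malwarebytes and Acronis ones installed during the clean-up) as review items; the program directory is ignored because only files are triaged.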

                    evilfantasy

                    • Malware Removal Specialist
                    • Moderator


                    • Genius
                    • Calm like a bomb
                    • Thanked: 489
                    • Experience: Familiar
                    • OS: Windows 10
                      • Click START then RUN
                      • Now type Combofix /u in the runbox
                      • Make sure there's a space between Combofix and /u
                      • Then hit Enter.

                      The above procedure will:
                      • Delete ComboFix and its associated files and folders.
                      • Reset the clock settings.
                      • Hide file extensions, if required.
                      • Hide System/Hidden files, if required.
                      • Set a new, clean Restore Point.

                      ----------

                      Open HijackThis and select Do a system scan only.

                    Place a check mark next to the following entries: (if there)

                    - O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

                    Important: Close all windows except for HijackThis and then click Fix checked.

                    Exit HijackThis.

                    ----------

                    Download OTMoveIt2 by OldTimer and save it to your Desktop.

                    Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

                    1. Double-click OTMoveIt2.exe to run it.
                    2. Copy the lines in the codebox below.

                    Code: [Select]
                    [kill explorer]
                    C:\WINDOWS\system32\TDSSpaxt.dat
                    C:\WINDOWS\system32\drivers\TDSSmhlt.sys
                    EmptyTemp
                    [start explorer]

                    3. Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
                    4. Click the red Moveit! button.
                    5. Copy everything in the Results window (under the green bar) and paste it in your next reply.
                    6. Close OTMoveIt2

                    Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

                    ----------

                    Your Java is out of date.

                    Older versions have vulnerabilities that malicious sites can use to infect your system.

                    First install the new Sun Java Runtime Environment

                    Be sure to close all browser windows before beginning the install.

                    Remove the old version(s)

                    Download JavaRa
                    • Unzip the file and open the JavaRa.exe
                    • Click Remove Older Versions
                    • JavaRa will search for and remove any outdated version of Java and remove any that are found.
                    • Click Additional Tasks
                    • Place a check next to Remove Useless JRE Files and click Go
                    • Exit JavaRa
                    • Delete the JavaRa files from the Desktop
                    .
                    ----------

                    How is everything now?

                    evilfantasy

                    • Malware Removal Specialist
                    • Moderator


                    • Genius
                    • Calm like a bomb
                    • Thanked: 489
                    • Experience: Familiar
                    • OS: Windows 10
                      See if Avast turns back on after running the OTMoveIt2 step.


                    flomtl

                      Topic Starter


                      Beginner

                      Explorer killed successfully
                      C:\WINDOWS\system32\TDSSpaxt.dat moved successfully.
                      C:\WINDOWS\system32\drivers\TDSSmhlt.sys moved successfully.
                      < EmptyTemp >
                      File delete failed. C:\DOCUME~1\student\LOCALS~1\Temp\etilqs_KPeQJvpkCiRQGrNjf6LV scheduled to be deleted on reboot.
                      File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_110.dat scheduled to be deleted on reboot.
                      File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3d4.dat scheduled to be deleted on reboot.
                      File delete failed. C:\WINDOWS\temp\_avast4_\unp96758181.tmp scheduled to be deleted on reboot.
                      File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
                      Temp folders emptied.
                      IE temp folders emptied.
                      Explorer started successfully
                       
                      OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10232008_213130



                      Log of MoveIt2.
                      Rebooting now.


                      flomtl

                        Topic Starter


                        Beginner

                        log after reboot:


                        Explorer killed successfully
                        C:\WINDOWS\system32\TDSSpaxt.dat moved successfully.
                        C:\WINDOWS\system32\drivers\TDSSmhlt.sys moved successfully.
                        < EmptyTemp >
                        File delete failed. C:\DOCUME~1\student\LOCALS~1\Temp\etilqs_KPeQJvpkCiRQGrNjf6LV scheduled to be deleted on reboot.
                        File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_110.dat scheduled to be deleted on reboot.
                        File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3d4.dat scheduled to be deleted on reboot.
                        File delete failed. C:\WINDOWS\temp\_avast4_\unp96758181.tmp scheduled to be deleted on reboot.
                        File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
                        Temp folders emptied.
                        IE temp folders emptied.
                        Explorer started successfully
                         
                        OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10232008_213130

                        Files moved on Reboot...
                        File C:\DOCUME~1\student\LOCALS~1\Temp\etilqs_KPeQJvpkCiRQGrNjf6LV not found!
                        C:\WINDOWS\temp\Perflib_Perfdata_110.dat moved successfully.
                        C:\WINDOWS\temp\Perflib_Perfdata_3d4.dat moved successfully.
                        File C:\WINDOWS\temp\_avast4_\unp96758181.tmp not found!
                        File C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!





                        Avast is still not running...

                        I will try to update Java now.

                        evilfantasy

                        • Malware Removal Specialist
                        • Moderator


                        • Genius
                        • Calm like a bomb
                        • Thanked: 489
                        • Experience: Familiar
                        • OS: Windows 10
                        Download the avast installer and run it. You will be prompted to uninstall, do so then reinstall it fresh. http://filehippo.com/download_avast_antivirus/

                        Let me know when you get it running.

                        flomtl

                          Topic Starter


                          Beginner

                          Avast is installed and working again.

                          I have noticed that my google.com is still being redirected to google.co.jp.
                          I have no clue what is causing this, seeing as it should recognize that I am situated in Canada. Is there anything I can do about that?

                          Florian






                          evilfantasy

                          • Malware Removal Specialist
                          • Moderator


                          • Genius
                          • Calm like a bomb
                          • Thanked: 489
                          • Experience: Familiar
                          • OS: Windows 10
                          Reset Web Settings & Default Security Settings

                          Open IE and then select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

                          ----------

                          Download to your desktop FixPolicies.exe, a self-extracting ZIP archive from HERE.

                          Double-click FixPolicies.exe.
                          Click the Install button on the bottom toolbar of the box that will open.
                          The program will create a new Folder called FixPolicies.
                          Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
                          A black box will briefly appear and then close.
                          Restart the computer so the changes can take effect.

                          How about now?

                          flomtl

                            Topic Starter


                            Beginner

                            Still being redirected on both Firefox and IE.

                            It's not that big a deal (I just renamed all my shortcuts to google.ca); I'm just afraid it is some type of virus on my network or something...

                            evilfantasy

                            • Malware Removal Specialist
                            • Moderator


                            • Genius
                            • Calm like a bomb
                            • Thanked: 489
                            • Experience: Familiar
                            • OS: Windows 10
                            We'll find it. Some are tougher than others but they all fall eventually...

                            Run this online scan.

                            This scanner requires Internet Explorer

                            Use the ESET Nod32 Online Scanner

                            1. Check the box next to YES, I accept the Terms of Use.
                            2. Click Start
                            3. When asked, allow the ActiveX control to install
                            4. Click Start
                            5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
                            6. Click Scan
                            7. Wait for the scan to finish
                            8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
                            9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

                            flomtl


It found 2 trojans, error while deleting 1 of them? :(

Here is the log:


                              # version=4
                              # OnlineScanner.ocx=1.0.0.635
                              # OnlineScannerDLLA.dll=1, 0, 0, 79
                              # OnlineScannerDLLW.dll=1, 0, 0, 78
                              # OnlineScannerUninstaller.exe=1, 0, 0, 49
                              # vers_standard_module=3550 (20081023)
                              # vers_arch_module=1.064 (20080214)
                              # vers_adv_heur_module=1.060 (20070601)
                              # EOSSerial=44600689593aff46ae9238f0100fcf37
                              # end=finished
                              # remove_checked=true
                              # unwanted_checked=true
                              # utc_time=2008-10-24 04:05:56
                              # local_time=2008-10-24 12:05:56 (-0500, Eastern Daylight Time)
                              # country="Canada"
                              # osver=5.1.2600 NT Service Pack 2
                              # scanned=450155
                              # found=2
                              # scan_time=3802
                              D:\Program Files\MagicISO\Patch.exe   Win32/Agent.OBH trojan (deleted)   00000000000000000000000000000000
                              D:\Program Files\MagicISO\Patch.exe »PECompact v2.xx   Win32/Agent.OBH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)   00000000000000000000000000000000

                              evilfantasy

It was the same file, which is why it failed the second time.

                              Update MalwareBytes and run a Quick Scan then post the log when complete.


                              flomtl


Malwarebytes found 1 trojan, and successfully deleted it :D

Here's the log:

                                Malwarebytes' Anti-Malware 1.30
                                Database version: 1316
                                Windows 5.1.2600 Service Pack 2

                                24/10/2008 2:28:56 PM
                                mbam-log-2008-10-24 (14-28-56).txt

                                Scan type: Full Scan (C:\|)
                                Objects scanned: 168601
                                Time elapsed: 44 minute(s), 17 second(s)

                                Memory Processes Infected: 0
                                Memory Modules Infected: 0
                                Registry Keys Infected: 0
                                Registry Values Infected: 0
                                Registry Data Items Infected: 0
                                Folders Infected: 0
                                Files Infected: 1

                                Memory Processes Infected:
                                (No malicious items detected)

                                Memory Modules Infected:
                                (No malicious items detected)

                                Registry Keys Infected:
                                (No malicious items detected)

                                Registry Values Infected:
                                (No malicious items detected)

                                Registry Data Items Infected:
                                (No malicious items detected)

                                Folders Infected:
                                (No malicious items detected)

                                Files Infected:
                                C:\WINDOWS\system32\TDSScfum.log (Trojan.TDSS) -> Quarantined and deleted successfully.


[EDIT] google.com still being redirected :( [/EDIT]

                                evilfantasy

                                Run a new HijackThis scan and post the log please.

                                flomtl


                                  Logfile of Trend Micro HijackThis v2.0.2
                                  Scan saved at 3:21:35 PM, on 24/10/2008
                                  Platform: Windows XP SP2 (WinNT 5.01.2600)
                                  MSIE: Internet Explorer v7.00 (7.00.6000.16705)
                                  Boot mode: Normal

                                  Running processes:
                                  C:\WINDOWS\System32\smss.exe
                                  C:\WINDOWS\system32\winlogon.exe
                                  C:\WINDOWS\system32\services.exe
                                  C:\WINDOWS\system32\lsass.exe
                                  C:\WINDOWS\system32\ibmpmsvc.exe
                                  C:\WINDOWS\system32\svchost.exe
                                  C:\WINDOWS\System32\svchost.exe
                                  C:\WINDOWS\system32\svchost.exe
                                  C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                                  C:\Program Files\Alwil Software\Avast4\ashServ.exe
                                  C:\WINDOWS\Explorer.EXE
                                  C:\WINDOWS\system32\spoolsv.exe
                                  C:\Program Files\Google\Gmail Notifier\gnotify.exe
                                  C:\WINDOWS\system32\IPSSVC.EXE
                                  C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
                                  C:\Program Files\mobile PhoneTools\WatchDog.exe
                                  C:\WINDOWS\system32\TpShocks.exe
                                  C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
                                  C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
                                  C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
                                  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
                                  C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                                  C:\Program Files\Java\jre6\bin\jusched.exe
                                  C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
                                  C:\Program Files\Analog Devices\Core\smax4pnp.exe
                                  C:\Program Files\QuickTime\QTTask.exe
                                  C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
                                  C:\WINDOWS\system32\rundll32.exe
                                  C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
                                  C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
                                  C:\Program Files\iTunes\iTunesHelper.exe
                                  C:\WINDOWS\system32\iprntlgn.exe
                                  C:\WINDOWS\System32\svchost.exe
                                  C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
                                  C:\Program Files\Java\jre6\bin\jqs.exe
                                  C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
                                  C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
                                  C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                                  C:\WINDOWS\system32\ctfmon.exe
                                  C:\Program Files\Windows Media Player\WMPNSCFG.exe
                                  C:\WINDOWS\System32\QCONSVC.EXE
                                  C:\Program Files\Messenger\msmsgs.exe
                                  C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe
                                  C:\Program Files\SMART Board Software\SMARTBoardService.exe
                                  D:\Program Files\Palm\Hotsync.exe
                                  D:\ArcSoft Total Media Backup & Record\uBBMonitor.exe
                                  C:\WINDOWS\system32\svchost.exe
                                  C:\WINDOWS\System32\TPHDEXLG.EXE
                                  C:\WINDOWS\system32\TpKmpSVC.exe
                                  C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
                                  C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
                                  C:\Program Files\Canon\CAL\CALMAIN.exe
                                  C:\WINDOWS\system32\wscntfy.exe
                                  C:\Program Files\iPod\bin\iPodService.exe
                                  C:\WINDOWS\system32\wuauclt.exe
                                  C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                                  C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                                  C:\Program Files\Mozilla Firefox\firefox.exe
                                  C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                                  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
                                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                                  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
                                  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
                                  R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
                                  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
                                  R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=e_XsdoA_PKEvobLt0OpVa4fSphA
                                  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.2:8080
                                  O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
                                  O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
                                  O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
                                  O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
                                  O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
                                  O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
                                  O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
                                  O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
                                  O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
                                  O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
                                  O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
                                  O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
                                  O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
                                  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
                                  O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
                                  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
                                  O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
                                  O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
                                  O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
                                  O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
                                  O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
                                  O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
                                  O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
                                  O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
                                  O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
                                  O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
                                  O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
                                  O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
                                  O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
                                  O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
                                  O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                                  O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
                                  O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                                  O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
                                  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                                  O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe
                                  O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
                                  O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
                                  O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
                                  O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [Gestionnaire Antidote.exe] C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe (User '?')
                                  O4 - S-1-5-18 Startup: Digital Line Detect.lnk = ? (User '?')
                                  O4 - .DEFAULT Startup: Digital Line Detect.lnk = ? (User 'Default user')
                                  O4 - .DEFAULT User Startup: Digital Line Detect.lnk = ? (User 'Default user')
                                  O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\Palm\Hotsync.exe
                                  O4 - Global Startup: PASPortal.lnk = ?
                                  O4 - Global Startup: TotalMedia Backup Monitor.lnk = D:\ArcSoft Total Media Backup & Record\uBBMonitor.exe
                                  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
                                  O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe
                                  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                  O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
                                  O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
                                  O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
                                  O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144768162093
                                  O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
                                  O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
                                  O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
                                  O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
                                  O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
                                  O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                                  O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                                  O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
                                  O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                                  O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                                  O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
                                  O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
                                  O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
                                  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
                                  O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
                                  O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
                                  O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
                                  O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
                                  O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
                                  O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
                                  O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
                                  O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
                                  O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
                                  O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
                                  O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
                                  O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

                                  --
                                  End of file - 12501 bytes

                                  evilfantasy

                                  Open HijackThis and select Do a system scan only.

                                  Place a check mark next to the following entries: (if there)

                                  - R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
                                  - R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
                                  - R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=e_XsdoA_PKEvobLt0OpVa4fSphA
                                  - R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.2:8080


                                  Important: Close all open windows except for HijackThis and then click Fix checked.

                                  Once completed, exit HijackThis

                                  ----------

                                  Now we need to Reset Web Settings


1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.computerhope.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.computerhope.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Restart the computer to register the changes.

                                  How about now?
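An added example, not from the thread or from HijackThis itself: a small Python triage script that reads R0/R1 lines like the ones in the log above and flags the same four entries evilfantasy checked (the blank SearchAssistant and CustomizeSearch hooks, the ShellNext URL, and the ProxyServer pointing at 10.1.1.2:8080, which sends every IE request through that LAN host and can redirect or intercept browsing unless the user set it deliberately). The trusted-host allowlist and the final hijacked-homepage sample line are constructed for this example and are not from the page.

```python
"""Triage of HijackThis R0/R1 (IE start/search/proxy) entries for redirect indicators.

Added example for this thread; not HijackThis code and not posted by anyone above.
"""
import re
from ipaddress import ip_address
from typing import List, NamedTuple
from urllib.parse import urlsplit

# Sample input. The first nine lines are copied from the HijackThis log posted
# above (the O4 line is there to show non-R entries are ignored); the last line
# is constructed for this example to show what a hijacked home page looks like.
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR",
    r"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=e_XsdoA_PKEvobLt0OpVa4fSphA",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.2:8080",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search-hijack.example/",  # constructed
]

# "R1 - <registry key>,<value name> = <value>"; the value may be empty.
ENTRY_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]*?) ?= ?(?P<value>.*)$")

# Constructed allowlist for this example: hosts IE's stock start/search pages use.
TRUSTED_SUFFIXES = ("microsoft.com", "msn.com", "msn.ca")
PAGE_NAMES = {"Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL",
              "First Home Page", "(Default)"}


class Finding(NamedTuple):
    severity: str
    name: str
    value: str
    reason: str


def classify_host(host: str) -> str:
    """Return 'loopback', 'private', 'public' or 'name' for a proxy/URL host."""
    try:
        addr = ip_address(host)
    except ValueError:
        return "name"           # a DNS name rather than a literal address
    if addr.is_loopback:        # check before is_private: 127/8 is also "private"
        return "loopback"
    if addr.is_private:
        return "private"
    return "public"


def proxy_host(value: str) -> str:
    """Extract the host from an IE ProxyServer value ('host:port' or 'http=host:port;...')."""
    first = value.split(";")[0].split("=")[-1]
    return first.rsplit(":", 1)[0]


def host_trusted(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def triage(lines) -> List[Finding]:
    """Flag R0/R1 entries that commonly explain browser redirects."""
    findings: List[Finding] = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                                  # not an R0/R1 line
        name, value = m["name"].strip(), m["value"].strip()
        if name == "ProxyServer" and value:
            host = proxy_host(value)
            kind = classify_host(host)
            sev = "medium" if kind == "loopback" else "high"
            findings.append(Finding(sev, name, value,
                f"all IE traffic is routed through {kind} proxy {host}; remove unless deliberately configured"))
        elif name in ("SearchAssistant", "CustomizeSearch") and not value:
            findings.append(Finding("low", name, value, "blank search hook; reset to the IE default"))
        elif name == "ShellNext" and value:
            host = urlsplit(value).hostname or ""
            findings.append(Finding("low", name, value,
                f"post-wizard redirect target set ({classify_host(host)} host {host}); review"))
        elif name in PAGE_NAMES and value:
            host = urlsplit(value).hostname or ""
            if not host_trusted(host):
                findings.append(Finding("medium", name, value,
                    f"home/search page points at untrusted host {host!r}"))
    return findings


def triage_sample() -> List[Finding]:
    return triage(SAMPLE_LINES)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.severity}] {f.name} = {f.value or '<empty>'}: {f.reason}")
```

The script only reports; fixing is still done with HijackThis (or by resetting Internet Options) as described above. A proxy entry on a home PC that nobody configured is the thing to look at first, and the `(user '?')`-style registry values that HijackThis prints for other hives are out of scope here.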

                                  flomtl


Did all of the above, still being redirected :(

                                    evilfantasy

                                    This scanner requires Internet Explorer

                                    Scan with the BitDefender Online Scanner
                                    Click I Agree to the license and then install the ActiveX control.
                                    Please DO NOT change the Scanning Options.
                                    That will make your logs huge and we don't need to see clean files.

                                    Select Start Scan to begin.
                                    This scan can take a while so please be patient and let it complete.

                                    Once Bitdefender completes the scan:
Click on the Detected Problems tab.
                                    Then select Click here to export the scan report



This will save a file named bdscan.html. I would suggest saving it to the Desktop so you can easily find it. (Take notice of where you save it so you can find it later.)
                                     
                                    You will have to upload the file online. The forums will not accept HTML.

                                    Upload the file to Savefile.com
                                    There is no need to Register
                                    Select Browse and locate the file.
                                    Fill in the Title, Description and security code then click Upload
                                    Copy the link next to Your link to the file: and post the link back here.

                                    flomtl


Tells me I couldn't update the virus signatures for the BitDefender scanner. Then I said to run the scan anyway, but it says it cannot scan, and it says to download the program for real-time protection....


                                      evilfantasy

                                      Run the Kaspersky Online Scanner

                                      In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

                                      • Click on SCAN NOW
                                      • Click Accept.
                                      • The program will then begin downloading the latest definition files.
                                      • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
                                      • The scan will take a while, so be patient and let it finish.
                                      When the scan is done, in the Scan is complete window, any infection is displayed.
                                      There is no option to clean/disinfect, however, we need to analyze the information on the report.

                                      To obtain the report:
                                      Click on: Save Report As
                                      • Next, in the Save as prompt, Save in area, select: Desktop.
                                      • In the File name area use KScan, or something similar.
                                      • In Save as type: click the drop arrow and select: Text file [*.txt]
                                      • Then, click: Save


                                      Copy and paste the Kaspersky Online Scanner Report in your next reply.

                                      Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

                                      flomtl


I've been running the scanner for a long time now and it got stuck at 2h 25min and 58 seconds... It's already found 1 threat and 4 infected objects, but the scan hasn't moved in a long time. The Duration has stayed at 2:25:58 for a long time. However, it has finished scanning the C drive and is near the end of the D drive (scan is 81% done). Should I click stop scan? Will that still allow me to view the report?

                                        Florian

                                        evilfantasy

                                        Is it still running?

                                        flomtl


I ran it twice; both times it got stuck on the same file in my D drive, "frag-document.r00", and the second time on "frag-document.r02". I'll tell the scanner to only scan the C drive, which is where the infection was found both times, because without finishing the scan I can't view the log.

I'll paste the log when it finishes.

                                          evilfantasy

That's a torrent file that it's getting stuck on.

                                          Boot the computer into Safe Mode and run Dr Web.

                                          Download DrWeb CureIt & save it to your desktop.

                                          Scan with DrWeb-CureIt as follows:
                                          • Double-click on drweb-cureit.exe and then click Start.
                                          • An Express Scan of your PC notice will appear.
                                          • Under Start the Express Scan Now Click OK to start.
                                            • This is a short scan that will scan the files currently running in memory.
                                            • If or when something is found, click the Yes button when it asks you if you want to cure it.
                                          • Once the short scan has finished, Click Options > Change settings
                                          • Choose the Scan tab and UNcheck Heuristic analysis and click OK
                                          • Back at the main window, select the Complete scan button.
                                          • Then click the Green Arrow Start Scanning button on the right and the scan will start.
                                            • Click Yes to all if it asks if you want to cure/move any file(s).
                                          • When the scan is done.
                                          • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
                                          • Save the DrWeb.csv report to your Desktop.
                                          • Exit Dr.Web Cureit.
                                          • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
                                          • After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
                                          • Copy and paste that log in the next reply

                                          flomtl


The link you gave me for DrWeb CureIt doesn't work for me. It tells me that Firefox can't find the server at ftp.

Do I have to download it in "safe mode with networking" or should it download in normal mode (which is what I tried)?

                                            evilfantasy


                                            flomtl


Ya, that worked, thanks. I'll run in safe mode and scan, then get back to you.

                                              flomtl


Here's the log from the scan.

                                                mirc.exe;C:\Program Files\mIRC;Program.mIRC.60;;
                                                A0256845.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.20;Deleted.;
                                                A0256846.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.22;Deleted.;
                                                A0256847.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.21;Deleted.;
                                                A0256848.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.19;Deleted.;
                                                A0256850.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;Trojan.Packed.673;Deleted.;
                                                A0256885.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.20;Deleted.;
                                                A0256886.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.22;Deleted.;
                                                A0256887.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.21;Deleted.;
                                                A0256888.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.19;Deleted.;
                                                A0256890.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;Trojan.Packed.673;Deleted.;
                                                A0256930.EXE;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;Program.PsExec.170;;
                                                A0257904.exe;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;Tool.Prockill;;
                                                A0257938.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;Trojan.Packed.673;Deleted.;
                                                A0257939.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.19;Deleted.;
                                                A0257940.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.22;Deleted.;
                                                A0257941.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.20;Deleted.;
                                                A0257942.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.21;Deleted.;
                                                A0257963.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623\A0257963.exe;Program.PsExec.171;;
                                                A0257963.exe;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;Archive contains infected objects;Moved.;
                                                mirc62.exe\data007;D:\My Downloads\Apps\MIRC.v6.2.WinALL.Incl.Keygen-ViRiLiTY\mirc62.exe;Program.mIRC.60;;
                                                mirc62.exe;D:\My Downloads\Apps\MIRC.v6.2.WinALL.Incl.Keygen-ViRiLiTY;Archive contains infected objects;Moved.;
                                                A0258326.exe\data007;D:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP625\A0258326.exe;Program.mIRC.60;;
                                                A0258326.exe;D:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP625;Archive contains infected objects;Moved.;

                                                florian
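The log above is semicolon-separated, one flagged object per line, and the fourth field holds the action CureIt took; the lines with nothing in that field are the objects it only reported. This added Python example, not part of the thread or of Dr.Web CureIt, parses that shape and summarises what was deleted, moved, or left in place, using a constructed sample in the same format (paths shortened, restore-point GUID replaced by a placeholder); the empty-field-means-reported-only reading is an assumption taken from the log itself.

```python
"""Summarise a Dr.Web CureIt report in the shape pasted in the thread.

Added example: not part of the original post or of Dr.Web CureIt. Format
assumed from the pasted log: object;directory;threat;action; per line, with
an empty action field when CureIt only reported the object.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed sample in the same shape as the thread's log. Paths are
# shortened and the restore-point GUID is replaced by a {GUID} placeholder.
SAMPLE_REPORT = """\
mirc.exe;C:\\Program Files\\mIRC;Program.mIRC.60;;
A0256845.dll;C:\\System Volume Information\\_restore{GUID}\\RP623;BackDoor.Tdss.20;Deleted.;
A0256850.dll;C:\\System Volume Information\\_restore{GUID}\\RP623;Trojan.Packed.673;Deleted.;
A0257963.exe\\32788R22FWJFW\\psexec.cfexe;C:\\System Volume Information\\_restore{GUID}\\RP623\\A0257963.exe;Program.PsExec.171;;
A0257963.exe;C:\\System Volume Information\\_restore{GUID}\\RP623;Archive contains infected objects;Moved.;
mirc62.exe;D:\\My Downloads\\Apps\\MIRC;Archive contains infected objects;Moved.;
"""


@dataclass(frozen=True)
class Detection:
    obj: str        # file (or member inside an archive) that was flagged
    directory: str  # folder, or the archive path for a member
    threat: str     # Dr.Web name, e.g. BackDoor.Tdss.20, or a status string
    action: str     # "Deleted.", "Moved.", or "" when only reported

    @property
    def in_restore_point(self) -> bool:
        # System Restore keeps copies under System Volume Information; they
        # are inert unless a restore is run, but show how far back it goes.
        return "\\system volume information\\" in self.directory.lower()


def parse_report(text: str) -> list[Detection]:
    """Parse the semicolon-separated report into Detection records."""
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 4:
            raise ValueError(f"unexpected report line: {raw!r}")
        obj, directory, threat, action = fields[:4]
        detections.append(Detection(obj, directory, threat, action))
    return detections


def action_counts(detections: list[Detection]) -> Counter:
    """How many objects were deleted, moved, or merely reported."""
    return Counter(d.action or "reported only" for d in detections)


def still_live(detections: list[Detection]) -> list[Detection]:
    """Objects reported but not touched, outside restore points: what is
    still on disk after the run and deserves a manual look."""
    return [d for d in detections if not d.action and not d.in_restore_point]


def family_counts(detections: list[Detection]) -> Counter:
    """Group by the first two name parts: BackDoor.Tdss.20 -> BackDoor.Tdss."""
    return Counter(".".join(d.threat.split(".")[:2]) for d in detections)


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    print(action_counts(dets))
    print(family_counts(dets))
    for d in still_live(dets):
        print("still on disk:", d.directory + "\\" + d.obj, d.threat)
```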

                                                evilfantasy

                                                How is the computer running now?

                                                flomtl


Everything's running just fine, however I am still getting redirected. I checked the other computers on my network; they also get redirected (when I type in www.google.com). Either this problem is ISP related or something's on my network?

But my computer seems to have recovered nicely, thanks a lot for the help!

                                                  evilfantasy

Download FixWareout by LonnyRJones from one of the two below links and save it to your Desktop.
                                                  • Run Fixwareout.
                                                  • Click Next
                                                  • then Install
                                                  • Make sure Run fixit is checked
                                                  • Click Finish.
                                                  • The fix will begin; follow the prompts.
                                                  • You will be asked to reboot your computer; please do so.
                                                  • Your system may take longer than usual to load; this is normal.
                                                  When you run Fixwareout, just follow the prompts, you will need to restart when prompted.

After rebooting (restart) back into normal boot mode, make sure you have all web browsers closed.
                                                  • Go into Control Panel > Network Connections.
• Right click on your connection and click Properties.
                                                  • On the Properties page, highlight Internet Protocol(TCP/IP)
                                                  • Click Properties. This will bring up another page.
                                                  • Select Obtain DNS Server Automatically.
                                                  • Click the OK button. The page will close.
                                                  • Press OK on the page in front of you.
                                                  • Restart the computer.
                                                  • Reconnect to the Internet using Internet Explorer.
                                                  • Add the log from Fixwareout in your next reply.
                                                  • It will be located at c:\fixwareout\report.txt
                                                  Go to Start > Run and type in cmd
                                                  Click OK.
                                                  This will open a command prompt.
                                                  Type or copy and paste the following line in the command window:

                                                  ipconfig /flushdns

                                                  Hit Enter.
                                                  Exit the command window.

                                                  Restart your computer.

                                                  Please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

                                                  flomtl


                                                    404-not found error on both those links...

                                                    evilfantasy

                                                    Very strange. They worked earlier today...

                                                    Do the second part of the instructions beginning with Go into Control Panel > Network Connections.

                                                    flomtl


I already had it set to "obtain DNS automatically".
I did the ipconfig /flushdns and restarted.
google.com still redirects to google.co.jp.

Attached is the HijackThis log.

                                                      florian

                                                      [Saving space - attachment deleted by admin]

                                                      evilfantasy

                                                      Download HostsXpert
                                                      • Unzip HostXpert to your Desktop
                                                      • Open up the HostXpert program.
                                                      • Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
                                                      • Click Create Back Up
                                                      • Then click on Restore Microsoft's Host Files
• Close the HostXpert program.
                                                      Note: if you use SpywareBlaster, Spybot and/or IE-SPYAD, it will be necessary to re-install the protection they afford. For SpywareBlaster, run the program and select Enable all protection. For Spybot run the program and select Immunize. For IE-SPYAD, run the batch file and reinstall the protection.

                                                      ----------

                                                      If that does not work.

                                                      Delete all the google entries in your hosts file.

                                                      For win xp, the file is under c:\windows\system32\drivers\etc

                                                      Open the hosts file with notepad and remove all the google entries.

                                                      Then in Notepad go to File > Save
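Checking the hosts file for this kind of redirect is easier by parsing it than by eyeballing it. This added Python example, not part of the thread or of HostsXpert, reads the plain hosts format edited above (one 'ip hostname [hostname ...]' mapping per line, '#' starting a comment) and flags google entries, plain redirects to remote addresses, and sites sinkholed to loopback; both sample files are constructed, with TEST-NET addresses standing in for a real server.

```python
"""Inspect a Windows hosts file for entries that redirect or block a site.

Added example: not part of the original post or of HostsXpert. It parses
the hosts format the thread is editing (c:\\windows\\system32\\drivers\\etc\\hosts).
Both sample files below are constructed.
"""
from __future__ import annotations

import ipaddress

# Names that legitimately map to a loopback address in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# What the thread reports finding: a single loopback entry (constructed).
CLEAN_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
"""

# Constructed example of a tampered file: google sent to a third-party
# address, a second site redirected, and a third site sinkholed to loopback.
TAMPERED_HOSTS = """\
127.0.0.1       localhost
198.51.100.23   www.google.com google.com   # constructed redirect
198.51.100.23   www.example.net
127.0.0.1       updates.antivirus.example   # constructed block entry
"""


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname, comments stripped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or malformed line: maps nothing
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address; the resolver would ignore it too
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def suspicious_entries(text: str, watch=("google.com",)) -> list[tuple[str, str, str]]:
    """Classify every mapping that is not a stock loopback entry.

    Returns (ip, hostname, reason). 'watched domain overridden' covers the
    watch list and its subdomains; 'sinkholed to loopback' is the pattern
    used to block a site; 'mapped to remote address' is a plain redirect.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if any(name == d or name.endswith("." + d) for d in watch):
            flagged.append((ip, name, "watched domain overridden"))
        elif name in LOCAL_NAMES and addr.is_loopback:
            continue  # the normal '127.0.0.1 localhost' line
        elif addr.is_loopback or addr.is_unspecified:
            flagged.append((ip, name, "sinkholed to loopback"))
        else:
            flagged.append((ip, name, "mapped to remote address"))
    return flagged


if __name__ == "__main__":
    print("clean:", suspicious_entries(CLEAN_HOSTS))
    for entry in suspicious_entries(TAMPERED_HOSTS):
        print("tampered:", *entry)
```

A clean result, as in the thread, only rules out the hosts file; a redirect seen on every machine on the network points at the router's or ISP's DNS instead.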

                                                      flomtl


The program worked (it ran to completion), however I don't think it did anything because it's still being redirected.

                                                        evilfantasy

                                                        You will need to edit the Hosts file manually.

                                                        flomtl


I went to the hosts file and found no google entries....
[EDIT]

There's only one IP listed and it's my localhost.

                                                          evilfantasy

                                                          When you get redirected is there an option that says Google in English? Click that if so and it should reset itself. Or go into your Google toolbar options (if you use the toolbar) and make sure it is set to English.

                                                          It could also be related to which country setting you have:

                                                          Open:
                                                          Control Panel/Regional and Language Options

                                                          or Run:
                                                          Start / Run intl.cpl

                                                          Double check the settings.

                                                          flomtl


It's all written in Japanese, but I just clicked on all the links and one of them turned it to English. It still says "go to google japan", which it never did before, but my computer's running fine so I'm guessing it's not anything virus related?


I also checked regional settings; they're set to Canada.


                                                            [EDIT]

I just cleared my cookies and it resets it to Japanese Google.

                                                            [/EDIT]

                                                            evilfantasy

                                                            I am really not sure what's going on. It's likely not virus related. Try posting in the Windows forum. Someone there might have seen this problem before and know how to fix it.

                                                            flomtl


OK, I'll try that.
Thank you very much for all the help on getting rid of my computer problems.
Man, do I love this forum!
                                                              Florian