Author Topic: Computer Wont Start in Normal mode, only Safe Mode. Spyware infection. Help plz! (Read 42034 times)

flomtl · « **on:** October 21, 2008, 08:51:45 PM »

First i will describe the problem.
My computer suddenly told me that it was infected with spyware, now i recognized it as a fake indicator because it kept trying to force me to download a certain "anti virus software" so i put 2 and 2 together and figure i had a virus. so I immediately used Avast! (my anti virus program) to run a full thorough scan of my system. It came up with multiple threats (it told me my startup/memory was infected and it was unsafe to continue using my computer) it recommended restarting and running scan on boot to delete threats. So i restart and i get a blue screen. Then the computer tries to restart and it just loops back into the blue screen every time.

This is what i think the problem is. Something (virus/spyware/malware) is trying to boot up on startup. My computer is crashing because of this. The only way to delete is to run a boot scan. but i cannot reboot in normal mode, only in safe mode. Avast requires a reboot to delete the files. (and yes ive tried manually delete the infested file it just reapears) (below is everything ive tried)

Now heres what ive tried to do:
- I started in smart mode. Ran avast there. it does the same, finds a threat asks me to reboot which brings me back to the blue screen.

- I ran msconfig, disabled all startup things in the startup tab and then tried a reboot.
no success, (still got the blue screen)

- so then in safemode i installed malwarebytes (recommended by a friend) and ran that, it found 20 threats. when i said to delete them it said it had to reboot. which once again led back to a blue screen

- now i tried to boot from a Windows xp disc. when i click "r" to repair windows xp. it tells me that it cannot detect any hardrive.

- i ran spybot (dont think its the newest version, because i cannot update it form safe mode) it found 3 threats. so i deleted them, rebooted. back to blue screen.

so now i am in safe mode, writing the message, in complete despair.

any help would be greatly appreciated.

thank you
Florian

o and here is some info about my computer if it helps.
512mb ram
Windows XP (service pack 2)
2 25gig hardrive partitions (C:) (D:) (operating system on C drive)
i use mozilla for internet browsing
my virus scanner is Avast

it is a laptop an IBM thinkpad T60

if you need any information at all to help me please dont hesitate to ask.
Thanks alot

Florian.

Just thought of some more information so i'm modifying my post:
Since this virus happened. My google.com also refers me to google.co.jp instead of canadian or american google. Also a lot of sites dont work. and most google links bring me to "wrong" links (as in not wat they are supposed to be) i get redirected, to various sites that tell me to download antivirus/spyware programs.....
i have to copy paste the link from the bottom of the google descriptin and paste it into the browsing bar.

hope that helps someone help me

evilfantasy · « **Reply #1 on:** October 21, 2008, 10:19:20 PM »

Use msconfig and enable all items in the startup tab.

Please print these instructions as they will be needed later when Internet access is not available.

Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/156236231/SDFix.exe.html

When using this tool, you must use the Administrator's account or an account with Administrative rights

Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix).
DO NOT use it just yet.

.Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Copy and paste the contents of the results file Report.txt in your next reply.

flomtl · « **Reply #2 on:** October 22, 2008, 06:28:32 PM »

I followed the instructions. Computer is now starting in Normal mode which is great:D!

however when i rebooted after running SDFix in safe mode. I started it in normal mode, right away my avast ran a boot scan, then SDFix ran it's scan. Now SDFix froze...i had to force shutdown my laptop because after 2h30min it still wasn't done.

My computer is telling me that i have no antivirus, and that my firewall is disabled. Also my avast is not letting me update saying it cannot connect to server.

i have included 3 logs (SDFix, Avast boot scan, and catchme (which just appeared on my desktop?))

Thanks alot for the help so far!!

Florian

[edit]:
I ran Malwarebytes and it found 2 trojans, (also attached log of scan)

my virus scans are able to update now so i believe that the thing is gone

On a side note, my google.com is always redirected to www.google.co.jp when 2 days ago it would put me to .ca (cause im in canada) could that be because of the virus still being present? or is that not caused by my computer

thank you so much for all the help you guys are the best
Florian

[Saving space - attachment deleted by admin]

evilfantasy · « **Reply #3 on:** October 22, 2008, 09:36:42 PM »

We will fix the homepage issue after all of the malware is gone.

Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

Double click on RSIT.exe to run.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open.
log.txt <will be maximized and info.txt <will be minimized
Please post the contents of both logs in the next reply.

flomtl · « **Reply #4 on:** October 22, 2008, 10:08:09 PM »

i downloaded the program, ran the .exe, said continue at the disclaimer and i get

"Autolt Error"

Line -1:

Error: INcorrect number of parameters in function call.

then all i can do is click ok

Did i do something wrong?

evilfantasy · « **Reply #5 on:** October 22, 2008, 10:16:18 PM »

Download TrendMicro HijackThis.exe (HJT) to the Desktop.

Double-click on HJTInstall.
Click on the Install button.
It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
Upon install, HijackThis should open for you.
Close HijackThis.

.
Now run RSIT again and see if it works.

flomtl · « **Reply #6 on:** October 22, 2008, 10:18:38 PM »

i installed hijack this, same error.

evilfantasy · « **Reply #7 on:** October 22, 2008, 10:38:43 PM »

OK let's do a HJT scan.

Open HijackThis.
Click on the Do a system scan and save a log file button
HijackThis will scan and then a log will open in notepad.
Copy and then paste the entire contents of the log in your post.
Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

flomtl · « **Reply #8 on:** October 23, 2008, 02:47:45 PM »

Here's the log file for the HJT scan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:42 PM, on 23/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe
D:\Program Files\Palm\Hotsync.exe
D:\ArcSoft Total Media Backup & Record\uBBMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=e_XsdoA_PKEvobLt0OpVa4fSphA
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.2:8080
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe
O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [Gestionnaire Antidote.exe] C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe (User '?')
O4 - S-1-5-18 Startup: Digital Line Detect.lnk = ? (User '?')
O4 - .DEFAULT Startup: Digital Line Detect.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: Digital Line Detect.lnk = ? (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = D:\ArcSoft Total Media Backup & Record\uBBMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144768162093
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe

--
End of file - 12604 bytes

evilfantasy · « **Reply #9 on:** October 23, 2008, 04:16:03 PM »

Your Java is out of date.

Older versions have vulnerabilities that malicious sites can use to infect your system.

First install the new Sun Java Runtime Environment

Be sure to close all browser windows before beginning the install.

Remove the old version(s)

Download JavaRa

Unzip the file and open the JavaRa.exe
Click Remove Older Versions
JavaRa will search for and remove any outdated version of Java and remove any that are found.
Click Additional Tasks
Place a check next to Remove Useless JRE Files and click Go
Exit JavaRa
Delete the JavaRa files from the Desktop

.
----------

Run this online scan.

This scanner requires Internet Explorer

Use the ESET Nod32 Online Scanner

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

How is everything now?

flomtl · « **Reply #10 on:** October 23, 2008, 05:13:23 PM »

I did the java thing (install new, delete old) however i could not go to the java site you linked. so i just clicked on the update that was waiting in my start bar. (the little java square in the bottom right corner.

Then i clicked on the link for the NOD32 scan. (in Internet Explorer) however it will not allow me to connect to that site.

Also my google searches are once again being redirceted. and it feels like the computer has slowed down significantly.
it seems that i cant get to any anti-virus/malware/spyware related sites...

So things are not so good now (better then initially though i must say since im not getting a blue screen cycle on start up:D)
alllways look at the bright side heh

florian

evilfantasy · « **Reply #11 on:** October 23, 2008, 05:45:24 PM »

OK we need to let SDFix run again.

Please print these instructions as they will be needed later when Internet access is not available.

Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/156236231/SDFix.exe.html

When using this tool, you must use the Administrator's account or an account with Administrative rights

Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix).
DO NOT use it just yet.

.Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Copy and paste the contents of the results file Report.txt in your next reply.

flomtl · « **Reply #12 on:** October 23, 2008, 06:18:11 PM »

Did as instructed. i had to attache (instead of paste) the report because otherwise i exceed the maximum allowed length of a post.

[Saving space - attachment deleted by admin]

evilfantasy · « **Reply #13 on:** October 23, 2008, 06:20:14 PM »

That's the same log as before. Can you find the new one and post it?

flomtl · « **Reply #14 on:** October 23, 2008, 06:23:45 PM »

o sorry about that i forgot the report saved in the SDFix folder. Here is the proper log.

[Saving space - attachment deleted by admin]

evilfantasy · « **Reply #15 on:** October 23, 2008, 06:25:42 PM »

Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

flomtl · « **Reply #16 on:** October 23, 2008, 07:06:15 PM »

Combo fix log:
ComboFix 08-10-23.03 - student 2008-10-23 20:35:09.1 - NTFSx86

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\drivers\TDSSpqxt.sys
C:\WINDOWS\system32\TDSSbxbx.dll
C:\WINDOWS\system32\TDSScfum.dll
C:\WINDOWS\system32\TDSSfxwp.dll
C:\WINDOWS\system32\TDSSnmxa.dll
C:\WINDOWS\system32\TDSSnrsr.dat
C:\WINDOWS\system32\TDSSoiqh.log
C:\WINDOWS\system32\TDSSosvn.dll
C:\WINDOWS\system32\TDSSpqxt.log
C:\WINDOWS\system32\TDSSrdym.log
C:\WINDOWS\system32\TDSSsihc.dll
C:\WINDOWS\system32\TDSStkdv.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-24 to 2008-10-24 )))))))))))))))))))))))))))))))
.

2008-10-23 00:17 . 2008-10-23 00:17   <DIR>   d--------   C:\Program Files\Trend Micro
2008-10-23 00:04 . 2008-10-23 00:04   <DIR>   d--------   C:\rsit
2008-10-22 21:16 . 2008-10-22 21:16   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-10-22 21:16 . 2008-10-16 20:25   38,496   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-22 21:16 . 2008-10-16 20:25   15,504   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-10-22 17:09 . 2008-10-22 17:09   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-10-22 17:05 . 2008-10-23 20:23   <DIR>   d--------   C:\SDFix
2008-10-21 19:09 . 2008-10-21 19:09   <DIR>   d--------   C:\Documents and Settings\student\Application Data\Malwarebytes
2008-10-21 19:09 . 2008-10-21 19:09   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
2008-10-21 15:30 . 2008-10-21 15:30   164   --a------   C:\WINDOWS\system32\TDSSpaxt.dat
2008-10-21 15:08 . 2008-10-22 17:09   60,416   --a------   C:\WINDOWS\system32\drivers\TDSSmhlt.sys
2008-10-08 20:54 . 2008-10-08 20:54   <DIR>   d--------   C:\Program Files\Windows Live
2008-10-06 10:41 . 2008-10-06 10:41   <DIR>   d--------   C:\Program Files\Microsoft Silverlight
2008-09-30 01:30 . 2008-09-30 01:30   <DIR>   d--------   C:\Program Files\Alwil Software
2008-09-28 22:13 . 2008-09-28 22:13   477,184   --a------   C:\WINDOWS\system32\autoprnt.exe
2008-09-28 22:13 . 2008-09-28 22:13   118,784   --a------   C:\WINDOWS\system32\snapapi.dll
2008-09-28 22:13 . 2008-09-28 22:13   77,728   --a------   C:\WINDOWS\system32\drivers\snapman.sys
2008-09-28 22:13 . 2008-09-28 22:13   37,888   --a------   C:\WINDOWS\system32\setupnt.dll
2008-09-28 22:12 . 2008-09-28 22:12   <DIR>   d--------   C:\Program Files\Common Files\Acronis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-23 23:05   ---------   d-----w   C:\Program Files\Java
2008-10-22 01:52   ---------   d---a-w   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-10-21 19:12   ---------   d-----w   C:\Documents and Settings\student\Application Data\Azureus
2008-10-09 03:48   38,088   ----a-w   C:\Documents and Settings\student\Application Data\GDIPFONTCACHEV1.DAT
2008-10-09 00:54   ---------   d-----w   C:\Program Files\MSN Messenger
2008-10-09 00:54   ---------   d-----w   C:\Program Files\Messenger Plus! Live
2008-09-30 05:35   ---------   d-----w   C:\Program Files\ESET
2008-09-30 05:32   ---------   d---a-w   C:\Program Files\Common Files\Wise Installation Wizard
2008-09-28 16:30   ---------   d-----w   C:\Program Files\Azureus
2008-08-27 02:51   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-08-27 02:50   ---------   d-----w   C:\Program Files\Symantec
2007-05-22 23:14   8,784   ----a-w   C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-05-22 23:17   245,408   ----a-w   C:\Program Files\mozilla firefox\plugins\unicows.dll
2003-04-10 14:20   30,208   ------w   C:\Program Files\internet explorer\plugins\lfbmp13n.dll
2003-04-10 14:20   35,840   ------w   C:\Program Files\internet explorer\plugins\lfcal13n.dll
2003-04-10 14:28   406,528   ------w   C:\Program Files\internet explorer\plugins\LFCMP13n.DLL
2003-04-10 14:20   47,104   ------w   C:\Program Files\internet explorer\plugins\lfgif13n.dll
2003-04-10 14:21   18,944   ------w   C:\Program Files\internet explorer\plugins\lfmsp13n.dll
2003-04-10 14:21   26,624   ------w   C:\Program Files\internet explorer\plugins\lfpcx13n.dll
2003-04-10 14:32   181,760   ------w   C:\Program Files\internet explorer\plugins\Lfpng13n.dll
2003-04-10 14:21   55,808   ------w   C:\Program Files\internet explorer\plugins\lfpsd13n.dll
2003-04-10 14:21   24,576   ------w   C:\Program Files\internet explorer\plugins\lftga13n.dll
2002-09-27 16:04   4,033,084   ------w   C:\Program Files\internet explorer\plugins\library.dll
2003-04-10 14:18   269,824   ------w   C:\Program Files\internet explorer\plugins\LTDIS13n.dll
2003-04-04 20:55   206,848   ------w   C:\Program Files\internet explorer\plugins\ltefx13n.dll
2003-04-10 14:18   144,384   ------w   C:\Program Files\internet explorer\plugins\ltfil13n.DLL
2003-04-10 14:19   447,488   ------w   C:\Program Files\internet explorer\plugins\ltimg13n.dll
2003-04-10 14:18   446,464   ------w   C:\Program Files\internet explorer\plugins\ltkrn13n.dll
2003-06-11 14:59   245,839   ------w   C:\Program Files\internet explorer\plugins\MWPro.dll
2003-06-11 15:23   73,728   ------w   C:\Program Files\internet explorer\plugins\Paint.dll
2003-06-11 15:43   151,552   ------w   C:\Program Files\internet explorer\plugins\sprites.dll
1998-07-12 05:13   53,760   ------w   C:\Program Files\internet explorer\plugins\zlib.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Gestionnaire Antidote.exe"="C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe" [2007-04-16 534200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2004-08-14 36864]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-26 151552]
"PDService.exe"="C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-07-05 110592]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [2006-05-25 40960]
"iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [2006-05-25 45056]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 237568]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-29 196696]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-26 208896]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-08-17 69632]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"TpShocks"="TpShocks.exe" [2005-11-07 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2005-10-17 C:\WINDOWS\system32\TP4EX.exe]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-10 24576]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HotSync Manager.lnk - D:\Program Files\Palm\Hotsync.exe [2004-06-09 471040]
PASPortal.lnk - C:\WINDOWS\Installer\{BA52BCD8-C7A4-4D27-AA07-A5541F65B721}\NewShortcut1.exe [2006-11-15 40960]
TotalMedia Backup Monitor.lnk - D:\ArcSoft Total Media Backup & Record\uBBMonitor.exe [2008-03-04 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-17 03:07 49152 C:\Program Files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 03:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 00:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 23:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ    scecli csspwntfy

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PASPortal.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PASPortal.lnk
backup=C:\WINDOWS\pss\PASPortal.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
--a------ 2008-10-16 20:25 1257104 C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)
"UCLauncherService"=2 (0x2)
"SMART Board Service"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"iPodService"=3 (0x3)
"wscsvc"=2 (0x2)
"CiSvc"=3 (0x3)
"cusrvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\StubInstaller.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
Notify-WgaLogon - (no file)

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\DOCUME~1\student\APPLIC~1\Mozilla\Firefox\Profiles\39hnx97q.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.ca
FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npnipp.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npRACtrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-23 20:46:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\QCONSVC.EXE
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\DataStudio\PASPortal.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2008-10-23 20:54:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-24 00:54:31

Pre-Run: 1,294,417,920 bytes free
Post-Run: 1,470,304,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

239   --- E O F ---   2008-09-25 12:18:59

hijack this log is attached.

[Saving space - attachment deleted by admin]

evilfantasy · « **Reply #17 on:** October 23, 2008, 07:25:13 PM »

Click START then RUN
Now type Combofix /u in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

Do a system scan only.

Place a check mark next to the following entries: (if there)

- O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download OTMoveIt2 by OldTimer and save it to your Desktop.

Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

1. Double-click OTMoveIt2.exe to run it.
2. Copy the lines in the codebox below.

Code: [Select]

[kill explorer]
C:\WINDOWS\system32\TDSSpaxt.dat
C:\WINDOWS\system32\drivers\TDSSmhlt.sys
EmptyTemp
[start explorer]

3. Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
4. Click the red Moveit! button.
5. Copy everything in the Results window (under the green bar) and paste it in your next reply.
6. Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

----------

Your Java is out of date.

Older versions have vulnerabilities that malicious sites can use to infect your system.

First install the new Sun Java Runtime Environment

Be sure to close all browser windows before beginning the install.

Remove the old version(s)

Download JavaRa

Unzip the file and open the JavaRa.exe
Click Remove Older Versions
JavaRa will search for and remove any outdated version of Java and remove any that are found.
Click Additional Tasks
Place a check next to Remove Useless JRE Files and click Go
Exit JavaRa
Delete the JavaRa files from the Desktop

.
----------

How is everything now?

evilfantasy · « **Reply #18 on:** October 23, 2008, 07:26:59 PM »

Click START then RUN
Now type Combofix /u in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

Do a system scan only.

Place a check mark next to the following entries: (if there)

- O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download OTMoveIt2 by OldTimer and save it to your Desktop.

Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

1. Double-click OTMoveIt2.exe to run it.
2. Copy the lines in the codebox below.

Code: [Select]

[kill explorer]
C:\WINDOWS\system32\TDSSpaxt.dat
C:\WINDOWS\system32\drivers\TDSSmhlt.sys
EmptyTemp
[start explorer]

3. Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
4. Click the red Moveit! button.
5. Copy everything in the Results window (under the green bar) and paste it in your next reply.
6. Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

----------

Your Java is out of date.

Older versions have vulnerabilities that malicious sites can use to infect your system.

First install the new Sun Java Runtime Environment

Be sure to close all browser windows before beginning the install.

Remove the old version(s)

Download JavaRa

Unzip the file and open the JavaRa.exe
Click Remove Older Versions
JavaRa will search for and remove any outdated version of Java and remove any that are found.
Click Additional Tasks
Place a check next to Remove Useless JRE Files and click Go
Exit JavaRa
Delete the JavaRa files from the Desktop

.
----------

How is everything now?

flomtl · « **Reply #19 on:** October 23, 2008, 07:33:32 PM »

Explorer killed successfully
C:\WINDOWS\system32\TDSSpaxt.dat moved successfully.
C:\WINDOWS\system32\drivers\TDSSmhlt.sys moved successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\student\LOCALS~1\Temp\etilqs_KPeQJvpkCiRQGrNjf6LV scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_110.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3d4.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\_avast4_\unp96758181.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10232008_213130

Log of MoveIt2.
Rebooting now.

flomtl · « **Reply #20 on:** October 23, 2008, 07:39:12 PM »

log after reboot:

Explorer killed successfully
C:\WINDOWS\system32\TDSSpaxt.dat moved successfully.
C:\WINDOWS\system32\drivers\TDSSmhlt.sys moved successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\student\LOCALS~1\Temp\etilqs_KPeQJvpkCiRQGrNjf6LV scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_110.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3d4.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\_avast4_\unp96758181.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10232008_213130

Files moved on Reboot...
File C:\DOCUME~1\student\LOCALS~1\Temp\etilqs_KPeQJvpkCiRQGrNjf6LV not found!
C:\WINDOWS\temp\Perflib_Perfdata_110.dat moved successfully.
C:\WINDOWS\temp\Perflib_Perfdata_3d4.dat moved successfully.
File C:\WINDOWS\temp\_avast4_\unp96758181.tmp not found!
File C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!

avast is still not running...

i will try to update java now.

evilfantasy · « **Reply #21 on:** October 23, 2008, 07:50:56 PM »

Download the avast installer and run it. You will be prompted to uninstall, do so then reinstall it fresh. http://filehippo.com/download_avast_antivirus/

Let me know when you get it running.

flomtl · « **Reply #22 on:** October 23, 2008, 08:09:06 PM »

Avast is installed and working again.

I have noticed that my google.com is still being redirected to google.co.jp
i have no clue what is causing this seeing as it should recognize that i situated in Canada. is there anything i can do about that?

Florian

evilfantasy · « **Reply #23 on:** October 23, 2008, 08:20:02 PM »

Reset Web Settings & Default Security Settings

Open IE and then select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

----------

Download to your desktop FixPolicies.exe, a self-extracting ZIP archive from HERE.

Double-click FixPolicies.exe.
Click the Install button on the bottom toolbar of the box that will open.
The program will create a new Folder called FixPolicies.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
A black box will briefly appear and then close.
Restart the computer so the changes can take effect.

How about now?

flomtl · « **Reply #24 on:** October 23, 2008, 08:42:52 PM »

still being redirected on both firefox and on IE.

its not that big a deal (i just renamed all my shortcuts to google.ca) im just afraid it is sometype of virus on my network or something...

evilfantasy · « **Reply #25 on:** October 23, 2008, 08:55:09 PM »

Well find it. Some are tougher then others but they all fall eventually...

Run this online scan.

This scanner requires Internet Explorer

Use the ESET Nod32 Online Scanner

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

flomtl · « **Reply #26 on:** October 23, 2008, 10:13:51 PM »

it found 2 trojans, error while deleting 1 of them?

here is the log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3550 (20081023)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=44600689593aff46ae9238f0100fcf37
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-10-24 04:05:56
# local_time=2008-10-24 12:05:56 (-0500, Eastern Daylight Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 2
# scanned=450155
# found=2
# scan_time=3802
D:\Program Files\MagicISO\Patch.exe Win32/Agent.OBH trojan (deleted) 00000000000000000000000000000000
D:\Program Files\MagicISO\Patch.exe »PECompact v2.xx Win32/Agent.OBH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

evilfantasy · « **Reply #27 on:** October 23, 2008, 10:28:38 PM »

It was the same file is why it failed the second time.

Update MalwareBytes and run a Quick Scan then post the log when complete.

flomtl · « **Reply #28 on:** October 24, 2008, 12:31:10 PM »

Malware found 1 trojan, and succesfully deleted it

heres the log:

Malwarebytes' Anti-Malware 1.30
Database version: 1316
Windows 5.1.2600 Service Pack 2

24/10/2008 2:28:56 PM
mbam-log-2008-10-24 (14-28-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 168601
Time elapsed: 44 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\TDSScfum.log (Trojan.TDSS) -> Quarantined and deleted successfully.

[EDIT] google.com still being redirect

[/EDIT]

evilfantasy · « **Reply #29 on:** October 24, 2008, 01:13:35 PM »

Run a new HijackThis scan and post the log please.

flomtl · « **Reply #30 on:** October 24, 2008, 01:21:50 PM »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:35 PM, on 24/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
D:\Program Files\Palm\Hotsync.exe
D:\ArcSoft Total Media Backup & Record\uBBMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=e_XsdoA_PKEvobLt0OpVa4fSphA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.2:8080
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe
O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1947608023-3050425102-1802084678-1007\..\Run: [Gestionnaire Antidote.exe] C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe (User '?')
O4 - S-1-5-18 Startup: Digital Line Detect.lnk = ? (User '?')
O4 - .DEFAULT Startup: Digital Line Detect.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: Digital Line Detect.lnk = ? (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: PASPortal.lnk = ?
O4 - Global Startup: TotalMedia Backup Monitor.lnk = D:\ArcSoft Total Media Backup & Record\uBBMonitor.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144768162093
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--
End of file - 12501 bytes

evilfantasy · « **Reply #31 on:** October 24, 2008, 01:34:46 PM »

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
- R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
- R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=e_XsdoA_PKEvobLt0OpVa4fSphA
- R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.2:8080

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis

----------

Now we need to Reset Web Settings

If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.computerhope.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.computerhope.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

.
Restart the computer to register the changes.

How about now?

flomtl · « **Reply #32 on:** October 24, 2008, 01:52:19 PM »

did all of the above, still being redirected:(

evilfantasy · « **Reply #33 on:** October 24, 2008, 04:40:13 PM »

This scanner requires Internet Explorer

Scan with the BitDefender Online Scanner
Click I Agree to the license and then install the ActiveX control.
Please DO NOT change the Scanning Options.
That will make your logs huge and we don't need to see clean files.
Select Start Scan to begin.
This scan can take a while so please be patient and let it complete.

Once Bitdefender completes the scan:
Click-on the Detected Problems tab.
Then select Click here to export the scan report

This will save a file named bdscan.html I would suggest saving it to the Desktop so you can easily find it. (take notice of where you save it so you can find it later)

You will have to upload the file online. The forums will not accept HTML.

Upload the file to Savefile.com
There is no need to Register
Select Browse and locate the file.
Fill in the Title, Description and security code then click Upload
Copy the link next to Your link to the file: and post the link back here.

flomtl · « **Reply #34 on:** October 24, 2008, 05:06:12 PM »

tells me i couldnt update the virus signatures for the bitdefender scanner. Then i said to run the scan anyways but it says it cannot scan, and it says to download the program for real time protection....

evilfantasy · « **Reply #35 on:** October 24, 2008, 05:08:16 PM »

Run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

Click on SCAN NOW
Click Accept.
The program will then begin downloading the latest definition files.
Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
The scan will take a while, so be patient and let it finish.

When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As

Next, in the Save as prompt, Save in area, select: Desktop.
In the File name area use KScan, or something similar.
In Save as type: click the drop arrow and select: Text file [*.txt]
Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

flomtl · « **Reply #36 on:** October 25, 2008, 10:06:46 AM »

ive been running the scanner for a long time now and it got stuck at 2h25min and 58seconds......its already forund 1 threat and 4infected objects, but the scan hasnt moved in a long time. The Duration has stayed at 2:25:58 for a long time. However it has ed scanning the C drive and is near the end of the D drive (scan is 81% done) Should i click stop scan? will that still allow me to view the report?

Florian

evilfantasy · « **Reply #37 on:** October 25, 2008, 11:35:57 AM »

Is it still running?

flomtl · « **Reply #38 on:** October 25, 2008, 12:51:57 PM »

i ran it twice, both times it got stuck on the same file in my d drive. "frag-document.r00" and the second time on "frag-document.r02" Ill tell the scanner to only scan the C drive which is where the infection was found both times, becasue without finishing the scan i cant view the log.

ill paste log when it finishes

evilfantasy · « **Reply #39 on:** October 25, 2008, 12:58:29 PM »

That's a torerent file that it's getting stuck on.

Boot the computer into Safe Mode and run Dr Web.

Download DrWeb CureIt & save it to your desktop.

Scan with DrWeb-CureIt as follows:

Double-click on drweb-cureit.exe and then click Start.
An Express Scan of your PC notice will appear.
Under Start the Express Scan Now Click OK to start.
- This is a short scan that will scan the files currently running in memory.
- If or when something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, Click Options > Change settings
Choose the Scan tab and UNcheck Heuristic analysis and click OK
Back at the main window, select the Complete scan button.
Then click the Green Arrow Start Scanning button on the right and the scan will start.
- Click Yes to all if it asks if you want to cure/move any file(s).
When the scan is done.
In the Dr.Web CureIt menu on top left, click File and choose Save report list.
Save the DrWeb.csv report to your Desktop.
Exit Dr.Web Cureit.

Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

[/COLOR]

After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
Copy and paste that log in the next reply

flomtl · « **Reply #40 on:** October 25, 2008, 01:05:20 PM »

The link you gave me for DrWeb CureIt doesnt work for me. it tells me that firefox cant find the server at ftp.

do i have to download it in "safe mode with networking" or should it download in normal mode (which is what i tried)?

evilfantasy · « **Reply #41 on:** October 25, 2008, 01:08:00 PM »

Try here http://www.majorgeeks.com/Dr.Web_CureIT_d4783.html

flomtl · « **Reply #42 on:** October 25, 2008, 01:13:50 PM »

ya that worked, thanks. ill run in safe mode and scan then get back to you.

flomtl · « **Reply #43 on:** October 26, 2008, 01:01:43 AM »

Heres the log from the scan.

mirc.exe;C:\Program Files\mIRC;Program.mIRC.60;;
A0256845.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.20;Deleted.;
A0256846.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.22;Deleted.;
A0256847.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.21;Deleted.;
A0256848.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.19;Deleted.;
A0256850.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;Trojan.Packed.673;Deleted.;
A0256885.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.20;Deleted.;
A0256886.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.22;Deleted.;
A0256887.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.21;Deleted.;
A0256888.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.19;Deleted.;
A0256890.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;Trojan.Packed.673;Deleted.;
A0256930.EXE;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;Program.PsExec.170;;
A0257904.exe;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;Tool.Prockill;;
A0257938.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;Trojan.Packed.673;Deleted.;
A0257939.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.19;Deleted.;
A0257940.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.22;Deleted.;
A0257941.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.20;Deleted.;
A0257942.dll;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;BackDoor.Tdss.21;Deleted.;
A0257963.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623\A0257963.exe;Program.PsExec.171;;
A0257963.exe;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP623;Archive contains infected objects;Moved.;
mirc62.exe\data007;D:\My Downloads\Apps\MIRC.v6.2.WinALL.Incl.Keygen-ViRiLiTY\mirc62.exe;Program.mIRC.60;;
mirc62.exe;D:\My Downloads\Apps\MIRC.v6.2.WinALL.Incl.Keygen-ViRiLiTY;Archive contains infected objects;Moved.;
A0258326.exe\data007;D:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP625\A0258326.exe;Program.mIRC.60;;
A0258326.exe;D:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP625;Archive contains infected objects;Moved.;

florian

evilfantasy · « **Reply #44 on:** October 26, 2008, 10:01:31 PM »

How is the computer running now?

flomtl · « **Reply #45 on:** October 26, 2008, 10:07:03 PM »

everythings running just fine, however i am still getting re-directed. i check on the other computers on my network, they also get re-directed (when i type in www.google.com). either this problem is isp related or somthings on my network?

but my computer seems to have recovered nicely, thanks alot for the help!

evilfantasy · « **Reply #46 on:** October 26, 2008, 10:17:03 PM »

Download FixWareout by LonnyRJonesfrom from one of the two below links and save it to your Desktop.

Run Fixwareout.
Click Next
then Install
Make sure Run fixit is checked
Click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

When you run Fixwareout, just follow the prompts, you will need to restart when prompted.

After rebooting (restart) back into normal boot mode. Make sure you have all web browsers closed.

Go into Control Panel > Network Connections.
Right click on your connection
and click Properties.
On the Properties page, highlight Internet Protocol(TCP/IP)
Click Properties. This will bring up another page.
Select Obtain DNS Server Automatically.
Click the OK button. The page will close.
Press OK on the page in front of you.
Restart the computer.
Reconnect to the Internet using Internet Explorer.
Add the log from Fixwareout in your next reply.
It will be located at c:\fixwareout\report.txt

Go to Start > Run and type in cmd
Click OK.
This will open a command prompt.
Type or copy and paste the following line in the command window:

ipconfig /flushdns

Hit Enter.
Exit the command window.

Restart your computer.

Please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

flomtl · « **Reply #47 on:** October 26, 2008, 10:21:50 PM »

404-not found error on both those links...

evilfantasy · « **Reply #48 on:** October 26, 2008, 10:27:40 PM »

Very strange. They worked earlier today...

Do the second part of the instructions beginning with Go into Control Panel > Network Connections.

flomtl · « **Reply #49 on:** October 26, 2008, 10:44:07 PM »

i already had it set to "obtain DNS automatically"
i did the ipconfig /flushdns. Restarted
google.com still redirects to google.co.jp

attached is the hijackthis log

florian

[Saving space - attachment deleted by admin]

evilfantasy · « **Reply #50 on:** October 26, 2008, 10:49:40 PM »

Download HostsXpert

Unzip HostXpert to your Desktop
Open up the HostXpert program.
Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
Click Create Back Up
Then click on Restore Microsoft's Host Files
Close the HostXpert program

.
Note: if you use SpywareBlaster, Spybot and/or IE-SPYAD, it will be necessary to re-install the protection they afford. For SpywareBlaster, run the program and select Enable all protection. For Spybot run the program and select Immunize. For IE-SPYAD, run the batch file and reinstall the protection.

----------

If that does not work.

Delete all the google entries in your hosts file.

For win xp, the file is under c:\windows\system32\drivers\etc

Open the hosts file with notepad and remove all the google entries.

Then in Notepad go to File > Save

flomtl · « **Reply #51 on:** October 26, 2008, 10:59:00 PM »

The program worked (it ran to completion) however i dont think it did anything cause its still being redirected.

evilfantasy · « **Reply #52 on:** October 26, 2008, 11:01:05 PM »

You will need to edit the Hosts file manually.

flomtl · « **Reply #53 on:** October 26, 2008, 11:03:38 PM »

i went to the host file and found no google entries....
[EDIT]

theres only one ip listed and its my local host.

evilfantasy · « **Reply #54 on:** October 26, 2008, 11:19:34 PM »

When you get redirected is there an option that says Google in English? Click that if so and it should reset itself. Or go into your Google toolbar options (if you use the toolbar) and make sure it is set to English.

It could also be related to which country setting you have:

Open:
Control Panel/Regional and Language Options

or Run:
Start / Run intl.cpl

Double check the settings.

flomtl · « **Reply #55 on:** October 27, 2008, 08:15:12 AM »

its all writen in japanes, but i just clicked on all the links and one of them turned it to english, it still says "go to google japan" which it never did befor but my computers running fine so im guessing its not anything virus related?

i also checked regional settings there set to Canada.

[EDIT]

I just cleared my cookies and it resets it to japanese google.

[/EDIT]

evilfantasy · « **Reply #56 on:** October 27, 2008, 12:03:52 PM »

I am really not sure what's going on. It's likely not virus related. Try posting in the Windows forum. Someone there might have seen this problem before and know how to fix it.

flomtl · « **Reply #57 on:** October 27, 2008, 05:32:05 PM »

ok ill try that,
thank you very much for all the help on getting rid of my computer problems.
man do i love this forum!
Florian

Computer Hope Forum

News:

Author Topic: Computer Wont Start in Normal mode, only Safe Mode. Spyware infection. Help plz! (Read 42034 times)

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

evilfantasy

flomtl

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl

evilfantasy

flomtl