Computer Wont Start in Normal mode, only Safe Mode. Spyware infection. Help plz!

[evilfantasy]

Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

[flomtl]

Combo fix log:
ComboFix 08-10-23.03 - student 2008-10-23 20:35:09.1 - NTFSx86

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\drivers\TDSSpqxt.sys
C:\WINDOWS\system32\TDSSbxbx.dll
C:\WINDOWS\system32\TDSScfum.dll
C:\WINDOWS\system32\TDSSfxwp.dll
C:\WINDOWS\system32\TDSSnmxa.dll
C:\WINDOWS\system32\TDSSnrsr.dat
C:\WINDOWS\system32\TDSSoiqh.log
C:\WINDOWS\system32\TDSSosvn.dll
C:\WINDOWS\system32\TDSSpqxt.log
C:\WINDOWS\system32\TDSSrdym.log
C:\WINDOWS\system32\TDSSsihc.dll
C:\WINDOWS\system32\TDSStkdv.dll

.
(((((((((((((((((((((((((   Files Created from 2008-09-24 to 2008-10-24  )))))))))))))))))))))))))))))))
.

2008-10-23 00:17 . 2008-10-23 00:17   <DIR>   d--------   C:\Program Files\Trend Micro
2008-10-23 00:04 . 2008-10-23 00:04   <DIR>   d--------   C:\rsit
2008-10-22 21:16 . 2008-10-22 21:16   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-10-22 21:16 . 2008-10-16 20:25   38,496   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-22 21:16 . 2008-10-16 20:25   15,504   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-10-22 17:09 . 2008-10-22 17:09   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-10-22 17:05 . 2008-10-23 20:23   <DIR>   d--------   C:\SDFix
2008-10-21 19:09 . 2008-10-21 19:09   <DIR>   d--------   C:\Documents and Settings\student\Application Data\Malwarebytes
2008-10-21 19:09 . 2008-10-21 19:09   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
2008-10-21 15:30 . 2008-10-21 15:30   164   --a------   C:\WINDOWS\system32\TDSSpaxt.dat
2008-10-21 15:08 . 2008-10-22 17:09   60,416   --a------   C:\WINDOWS\system32\drivers\TDSSmhlt.sys
2008-10-08 20:54 . 2008-10-08 20:54   <DIR>   d--------   C:\Program Files\Windows Live
2008-10-06 10:41 . 2008-10-06 10:41   <DIR>   d--------   C:\Program Files\Microsoft Silverlight
2008-09-30 01:30 . 2008-09-30 01:30   <DIR>   d--------   C:\Program Files\Alwil Software
2008-09-28 22:13 . 2008-09-28 22:13   477,184   --a------   C:\WINDOWS\system32\autoprnt.exe
2008-09-28 22:13 . 2008-09-28 22:13   118,784   --a------   C:\WINDOWS\system32\snapapi.dll
2008-09-28 22:13 . 2008-09-28 22:13   77,728   --a------   C:\WINDOWS\system32\drivers\snapman.sys
2008-09-28 22:13 . 2008-09-28 22:13   37,888   --a------   C:\WINDOWS\system32\setupnt.dll
2008-09-28 22:12 . 2008-09-28 22:12   <DIR>   d--------   C:\Program Files\Common Files\Acronis

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-23 23:05   ---------   d-----w   C:\Program Files\Java
2008-10-22 01:52   ---------   d---a-w   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-10-21 19:12   ---------   d-----w   C:\Documents and Settings\student\Application Data\Azureus
2008-10-09 03:48   38,088   ----a-w   C:\Documents and Settings\student\Application Data\GDIPFONTCACHEV1.DAT
2008-10-09 00:54   ---------   d-----w   C:\Program Files\MSN Messenger
2008-10-09 00:54   ---------   d-----w   C:\Program Files\Messenger Plus! Live
2008-09-30 05:35   ---------   d-----w   C:\Program Files\ESET
2008-09-30 05:32   ---------   d---a-w   C:\Program Files\Common Files\Wise Installation Wizard
2008-09-28 16:30   ---------   d-----w   C:\Program Files\Azureus
2008-08-27 02:51   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-08-27 02:50   ---------   d-----w   C:\Program Files\Symantec
2007-05-22 23:14   8,784   ----a-w   C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-05-22 23:17   245,408   ----a-w   C:\Program Files\mozilla firefox\plugins\unicows.dll
2003-04-10 14:20   30,208   ------w   C:\Program Files\internet explorer\plugins\lfbmp13n.dll
2003-04-10 14:20   35,840   ------w   C:\Program Files\internet explorer\plugins\lfcal13n.dll
2003-04-10 14:28   406,528   ------w   C:\Program Files\internet explorer\plugins\LFCMP13n.DLL
2003-04-10 14:20   47,104   ------w   C:\Program Files\internet explorer\plugins\lfgif13n.dll
2003-04-10 14:21   18,944   ------w   C:\Program Files\internet explorer\plugins\lfmsp13n.dll
2003-04-10 14:21   26,624   ------w   C:\Program Files\internet explorer\plugins\lfpcx13n.dll
2003-04-10 14:32   181,760   ------w   C:\Program Files\internet explorer\plugins\Lfpng13n.dll
2003-04-10 14:21   55,808   ------w   C:\Program Files\internet explorer\plugins\lfpsd13n.dll
2003-04-10 14:21   24,576   ------w   C:\Program Files\internet explorer\plugins\lftga13n.dll
2002-09-27 16:04   4,033,084   ------w   C:\Program Files\internet explorer\plugins\library.dll
2003-04-10 14:18   269,824   ------w   C:\Program Files\internet explorer\plugins\LTDIS13n.dll
2003-04-04 20:55   206,848   ------w   C:\Program Files\internet explorer\plugins\ltefx13n.dll
2003-04-10 14:18   144,384   ------w   C:\Program Files\internet explorer\plugins\ltfil13n.DLL
2003-04-10 14:19   447,488   ------w   C:\Program Files\internet explorer\plugins\ltimg13n.dll
2003-04-10 14:18   446,464   ------w   C:\Program Files\internet explorer\plugins\ltkrn13n.dll
2003-06-11 14:59   245,839   ------w   C:\Program Files\internet explorer\plugins\MWPro.dll
2003-06-11 15:23   73,728   ------w   C:\Program Files\internet explorer\plugins\Paint.dll
2003-06-11 15:43   151,552   ------w   C:\Program Files\internet explorer\plugins\sprites.dll
1998-07-12 05:13   53,760   ------w   C:\Program Files\internet explorer\plugins\zlib.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Gestionnaire Antidote.exe"="C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe" [2007-04-16 534200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2004-08-14 36864]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-26 151552]
"PDService.exe"="C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-07-05 110592]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [2006-05-25 40960]
"iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [2006-05-25 45056]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 237568]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-29 196696]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-26 208896]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-08-17 69632]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"TpShocks"="TpShocks.exe" [2005-11-07 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2005-10-17 C:\WINDOWS\system32\TP4EX.exe]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-10 24576]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HotSync Manager.lnk - D:\Program Files\Palm\Hotsync.exe [2004-06-09 471040]
PASPortal.lnk - C:\WINDOWS\Installer\{BA52BCD8-C7A4-4D27-AA07-A5541F65B721}\NewShortcut1.exe [2006-11-15 40960]
TotalMedia Backup Monitor.lnk - D:\ArcSoft Total Media Backup & Record\uBBMonitor.exe [2008-03-04 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-17 03:07 49152 C:\Program Files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 03:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 00:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 23:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ      scecli csspwntfy

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PASPortal.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PASPortal.lnk
backup=C:\WINDOWS\pss\PASPortal.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
--a------ 2008-10-16 20:25 1257104 C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)
"UCLauncherService"=2 (0x2)
"SMART Board Service"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"iPodService"=3 (0x3)
"wscsvc"=2 (0x2)
"CiSvc"=3 (0x3)
"cusrvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\StubInstaller.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\DOCUME~1\student\APPLIC~1\Mozilla\Firefox\Profiles\39hnx97q.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.ca
FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npnipp.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npRACtrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-23 20:46:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\QCONSVC.EXE
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\DataStudio\PASPortal.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2008-10-23 20:54:42 - machine was rebooted
ComboFix-quarantined-files.txt  2008-10-24 00:54:31

Pre-Run: 1,294,417,920 bytes free
Post-Run: 1,470,304,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

239   --- E O F ---   2008-09-25 12:18:59





hijack this log is attached.

[Saving space - attachment deleted by admin]

[evilfantasy]

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.
.

• The above procedure will:
• Delete the following:
• ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.
.
----------

Open HijackThis and select

Do a system scan only.

Place a check mark next to the following entries: (if there)

- O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download OTMoveIt2 by OldTimer and save it to your Desktop.

Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

1. Double-click OTMoveIt2.exe to run it.
2. Copy the lines in the codebox below.

Code: [Select]

[kill explorer]
C:\WINDOWS\system32\TDSSpaxt.dat
C:\WINDOWS\system32\drivers\TDSSmhlt.sys
EmptyTemp
[start explorer]
3. Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
4. Click the red Moveit! button.
5. Copy everything in the Results window (under the green bar) and paste it in your next reply.
6. Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

----------

Your Java is out of date.

Older versions have vulnerabilities that malicious sites can use to infect your system.

First install the new Sun Java Runtime Environment

Be sure to close all browser windows before beginning the install.

Remove the old version(s)

Download JavaRa

• Unzip the file and open the JavaRa.exe
• Click Remove Older Versions
  
• JavaRa will search for and remove any outdated version of Java and remove any that are found.
• Click Additional Tasks
  
• Place a check next to Remove Useless JRE Files and click Go
  
• Exit JavaRa
  
• Delete the JavaRa files from the Desktop

.
----------

How is everything now?

[evilfantasy]

See if Avast turns back on after running the OTMoveIt2 step.


• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.
.

• The above procedure will:
• Delete the following:
• ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.
.
----------

Open HijackThis and select

Do a system scan only.

Place a check mark next to the following entries: (if there)

- O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download OTMoveIt2 by OldTimer and save it to your Desktop.

Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

1. Double-click OTMoveIt2.exe to run it.
2. Copy the lines in the codebox below.

Code: [Select]

[kill explorer]
C:\WINDOWS\system32\TDSSpaxt.dat
C:\WINDOWS\system32\drivers\TDSSmhlt.sys
EmptyTemp
[start explorer]
3. Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
4. Click the red Moveit! button.
5. Copy everything in the Results window (under the green bar) and paste it in your next reply.
6. Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

----------

Your Java is out of date.

Older versions have vulnerabilities that malicious sites can use to infect your system.

First install the new Sun Java Runtime Environment

Be sure to close all browser windows before beginning the install.

Remove the old version(s)

Download JavaRa

• Unzip the file and open the JavaRa.exe
• Click Remove Older Versions
  
• JavaRa will search for and remove any outdated version of Java and remove any that are found.
• Click Additional Tasks
  
• Place a check next to Remove Useless JRE Files and click Go
  
• Exit JavaRa
  
• Delete the JavaRa files from the Desktop

.
----------

How is everything now?

[flomtl]

Explorer killed successfully
C:\WINDOWS\system32\TDSSpaxt.dat moved successfully.
C:\WINDOWS\system32\drivers\TDSSmhlt.sys moved successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\student\LOCALS~1\Temp\etilqs_KPeQJvpkCiRQGrNjf6LV scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_110.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3d4.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\_avast4_\unp96758181.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully
 
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10232008_213130



Log of MoveIt2.
Rebooting now.

[flomtl]

log after reboot:


Explorer killed successfully
C:\WINDOWS\system32\TDSSpaxt.dat moved successfully.
C:\WINDOWS\system32\drivers\TDSSmhlt.sys moved successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\student\LOCALS~1\Temp\etilqs_KPeQJvpkCiRQGrNjf6LV scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_110.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3d4.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\_avast4_\unp96758181.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully
 
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10232008_213130

Files moved on Reboot...
File C:\DOCUME~1\student\LOCALS~1\Temp\etilqs_KPeQJvpkCiRQGrNjf6LV not found!
C:\WINDOWS\temp\Perflib_Perfdata_110.dat moved successfully.
C:\WINDOWS\temp\Perflib_Perfdata_3d4.dat moved successfully.
File C:\WINDOWS\temp\_avast4_\unp96758181.tmp not found!
File C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!





avast is still not running...

i will try to update java now.

[evilfantasy]

Download the avast installer and run it. You will be prompted to uninstall, do so then reinstall it fresh. http://filehippo.com/download_avast_antivirus/

Let me know when you get it running.

[flomtl]

Avast is installed and working again.

I have noticed that my google.com is still being redirected to google.co.jp
i have no clue what is causing this seeing as it should recognize that i situated in Canada. is there anything i can do about that?

Florian

[evilfantasy]

Reset Web Settings & Default Security Settings

Open IE and then select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

----------

Download to your desktop FixPolicies.exe, a self-extracting ZIP archive from HERE.

Double-click FixPolicies.exe.
Click the Install button on the bottom toolbar of the box that will open.
The program will create a new Folder called FixPolicies.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
A black box will briefly appear and then close.
Restart the computer so the changes can take effect.

How about now?

[flomtl]

still being redirected on both firefox and on IE.

its not that big a deal (i just renamed all my shortcuts to google.ca) im just afraid it is sometype of virus on my network or something...

[evilfantasy]

Well find it. Some are tougher then others but they all fall eventually...

Run this online scan.

This scanner requires Internet Explorer

Use the ESET Nod32 Online Scanner

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

[flomtl]

it found 2 trojans, error while deleting 1 of them?

here is the log:


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3550 (20081023)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=44600689593aff46ae9238f0100fcf37
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-10-24 04:05:56
# local_time=2008-10-24 12:05:56 (-0500, Eastern Daylight Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 2
# scanned=450155
# found=2
# scan_time=3802
D:\Program Files\MagicISO\Patch.exe   Win32/Agent.OBH trojan (deleted)   00000000000000000000000000000000
D:\Program Files\MagicISO\Patch.exe »PECompact v2.xx   Win32/Agent.OBH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)   00000000000000000000000000000000

[evilfantasy]

It was the same file is why it failed the second time.

Update MalwareBytes and run a Quick Scan then post the log when complete.

[flomtl]

Malware found 1 trojan, and succesfully deleted it 

heres the log:

Malwarebytes' Anti-Malware 1.30
Database version: 1316
Windows 5.1.2600 Service Pack 2

24/10/2008 2:28:56 PM
mbam-log-2008-10-24 (14-28-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 168601
Time elapsed: 44 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\TDSScfum.log (Trojan.TDSS) -> Quarantined and deleted successfully.


[EDIT] google.com still being redirect   [/EDIT]

[evilfantasy]

Run a new HijackThis scan and post the log please.