
Author Topic: Computer Won't Start in Normal Mode, only Safe Mode. Spyware infection. Help plz!


evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 489
  • Experience: Familiar
  • OS: Windows 10
Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

flomtl

    Topic Starter


    Beginner

    ComboFix log:
    ComboFix 08-10-23.03 - student 2008-10-23 20:35:09.1 - NTFSx86

    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
    C:\WINDOWS\system32\drivers\TDSSpqxt.sys
    C:\WINDOWS\system32\TDSSbxbx.dll
    C:\WINDOWS\system32\TDSScfum.dll
    C:\WINDOWS\system32\TDSSfxwp.dll
    C:\WINDOWS\system32\TDSSnmxa.dll
    C:\WINDOWS\system32\TDSSnrsr.dat
    C:\WINDOWS\system32\TDSSoiqh.log
    C:\WINDOWS\system32\TDSSosvn.dll
    C:\WINDOWS\system32\TDSSpqxt.log
    C:\WINDOWS\system32\TDSSrdym.log
    C:\WINDOWS\system32\TDSSsihc.dll
    C:\WINDOWS\system32\TDSStkdv.dll

    .
    (((((((((((((((((((((((((   Files Created from 2008-09-24 to 2008-10-24  )))))))))))))))))))))))))))))))
    .

    2008-10-23 00:17 . 2008-10-23 00:17   <DIR>   d--------   C:\Program Files\Trend Micro
    2008-10-23 00:04 . 2008-10-23 00:04   <DIR>   d--------   C:\rsit
    2008-10-22 21:16 . 2008-10-22 21:16   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-22 21:16 . 2008-10-16 20:25   38,496   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-22 21:16 . 2008-10-16 20:25   15,504   --a------   C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-22 17:09 . 2008-10-22 17:09   <DIR>   d--------   C:\WINDOWS\ERUNT
    2008-10-22 17:05 . 2008-10-23 20:23   <DIR>   d--------   C:\SDFix
    2008-10-21 19:09 . 2008-10-21 19:09   <DIR>   d--------   C:\Documents and Settings\student\Application Data\Malwarebytes
    2008-10-21 19:09 . 2008-10-21 19:09   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
    2008-10-21 15:30 . 2008-10-21 15:30   164   --a------   C:\WINDOWS\system32\TDSSpaxt.dat
    2008-10-21 15:08 . 2008-10-22 17:09   60,416   --a------   C:\WINDOWS\system32\drivers\TDSSmhlt.sys
    2008-10-08 20:54 . 2008-10-08 20:54   <DIR>   d--------   C:\Program Files\Windows Live
    2008-10-06 10:41 . 2008-10-06 10:41   <DIR>   d--------   C:\Program Files\Microsoft Silverlight
    2008-09-30 01:30 . 2008-09-30 01:30   <DIR>   d--------   C:\Program Files\Alwil Software
    2008-09-28 22:13 . 2008-09-28 22:13   477,184   --a------   C:\WINDOWS\system32\autoprnt.exe
    2008-09-28 22:13 . 2008-09-28 22:13   118,784   --a------   C:\WINDOWS\system32\snapapi.dll
    2008-09-28 22:13 . 2008-09-28 22:13   77,728   --a------   C:\WINDOWS\system32\drivers\snapman.sys
    2008-09-28 22:13 . 2008-09-28 22:13   37,888   --a------   C:\WINDOWS\system32\setupnt.dll
    2008-09-28 22:12 . 2008-09-28 22:12   <DIR>   d--------   C:\Program Files\Common Files\Acronis

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-23 23:05   ---------   d-----w   C:\Program Files\Java
    2008-10-22 01:52   ---------   d---a-w   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2008-10-21 19:12   ---------   d-----w   C:\Documents and Settings\student\Application Data\Azureus
    2008-10-09 03:48   38,088   ----a-w   C:\Documents and Settings\student\Application Data\GDIPFONTCACHEV1.DAT
    2008-10-09 00:54   ---------   d-----w   C:\Program Files\MSN Messenger
    2008-10-09 00:54   ---------   d-----w   C:\Program Files\Messenger Plus! Live
    2008-09-30 05:35   ---------   d-----w   C:\Program Files\ESET
    2008-09-30 05:32   ---------   d---a-w   C:\Program Files\Common Files\Wise Installation Wizard
    2008-09-28 16:30   ---------   d-----w   C:\Program Files\Azureus
    2008-08-27 02:51   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
    2008-08-27 02:50   ---------   d-----w   C:\Program Files\Symantec
    2007-05-22 23:14   8,784   ----a-w   C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
    2007-05-22 23:17   245,408   ----a-w   C:\Program Files\mozilla firefox\plugins\unicows.dll
    2003-04-10 14:20   30,208   ------w   C:\Program Files\internet explorer\plugins\lfbmp13n.dll
    2003-04-10 14:20   35,840   ------w   C:\Program Files\internet explorer\plugins\lfcal13n.dll
    2003-04-10 14:28   406,528   ------w   C:\Program Files\internet explorer\plugins\LFCMP13n.DLL
    2003-04-10 14:20   47,104   ------w   C:\Program Files\internet explorer\plugins\lfgif13n.dll
    2003-04-10 14:21   18,944   ------w   C:\Program Files\internet explorer\plugins\lfmsp13n.dll
    2003-04-10 14:21   26,624   ------w   C:\Program Files\internet explorer\plugins\lfpcx13n.dll
    2003-04-10 14:32   181,760   ------w   C:\Program Files\internet explorer\plugins\Lfpng13n.dll
    2003-04-10 14:21   55,808   ------w   C:\Program Files\internet explorer\plugins\lfpsd13n.dll
    2003-04-10 14:21   24,576   ------w   C:\Program Files\internet explorer\plugins\lftga13n.dll
    2002-09-27 16:04   4,033,084   ------w   C:\Program Files\internet explorer\plugins\library.dll
    2003-04-10 14:18   269,824   ------w   C:\Program Files\internet explorer\plugins\LTDIS13n.dll
    2003-04-04 20:55   206,848   ------w   C:\Program Files\internet explorer\plugins\ltefx13n.dll
    2003-04-10 14:18   144,384   ------w   C:\Program Files\internet explorer\plugins\ltfil13n.DLL
    2003-04-10 14:19   447,488   ------w   C:\Program Files\internet explorer\plugins\ltimg13n.dll
    2003-04-10 14:18   446,464   ------w   C:\Program Files\internet explorer\plugins\ltkrn13n.dll
    2003-06-11 14:59   245,839   ------w   C:\Program Files\internet explorer\plugins\MWPro.dll
    2003-06-11 15:23   73,728   ------w   C:\Program Files\internet explorer\plugins\Paint.dll
    2003-06-11 15:43   151,552   ------w   C:\Program Files\internet explorer\plugins\sprites.dll
    1998-07-12 05:13   53,760   ------w   C:\Program Files\internet explorer\plugins\zlib.dll
    .

    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "Gestionnaire Antidote.exe"="C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe" [2007-04-16 534200]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
    "WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2004-08-14 36864]
    "TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
    "QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
    "PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-26 151552]
    "PDService.exe"="C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
    "LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-07-05 110592]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
    "iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [2006-05-25 40960]
    "iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [2006-05-25 45056]
    "EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 237568]
    "DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-29 196696]
    "BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-26 208896]
    "AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-08-17 69632]
    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
    "TpShocks"="TpShocks.exe" [2005-11-07 C:\WINDOWS\system32\TpShocks.exe]
    "TP4EX"="tp4ex.exe" [2005-10-17 C:\WINDOWS\system32\TP4EX.exe]

    C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-10 24576]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    HotSync Manager.lnk - D:\Program Files\Palm\Hotsync.exe [2004-06-09 471040]
    PASPortal.lnk - C:\WINDOWS\Installer\{BA52BCD8-C7A4-4D27-AA07-A5541F65B721}\NewShortcut1.exe [2006-11-15 40960]
    TotalMedia Backup Monitor.lnk - D:\ArcSoft Total Media Backup & Record\uBBMonitor.exe [2008-03-04 270336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "CompatibleRUPSecurity"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "AllowLegacyWebView"= 1 (0x1)
    "AllowUnhashedWebView"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoViewOnDrive"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
    2006-08-17 03:07 49152 C:\Program Files\Lenovo\AwayTask\AwayNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
    2005-03-18 03:07 262144 C:\WINDOWS\system32\QConGina.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2005-07-06 00:45 28672 C:\WINDOWS\system32\notifyf2.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-11-30 23:16 24576 C:\WINDOWS\system32\tphklock.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages   REG_MULTI_SZ      scecli csspwntfy

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PASPortal.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PASPortal.lnk
    backup=C:\WINDOWS\pss\PASPortal.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
    --a------ 2008-10-16 20:25 1257104 C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "UPS"=3 (0x3)
    "UCLauncherService"=2 (0x2)
    "SMART Board Service"=2 (0x2)
    "SCardSvr"=3 (0x3)
    "SamSs"=2 (0x2)
    "iPodService"=3 (0x3)
    "wscsvc"=2 (0x2)
    "CiSvc"=3 (0x3)
    "cusrvc"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Azureus\\Azureus.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\WINDOWS\\system32\\rtcshare.exe"=
    "C:\\Program Files\\NetMeeting\\conf.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\StubInstaller.exe"=
    "C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
    "C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    .
    - - - - ORPHANS REMOVED - - - -

    Notify-NavLogon - (no file)
    Notify-WgaLogon - (no file)


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\DOCUME~1\student\APPLIC~1\Mozilla\Firefox\Profiles\39hnx97q.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.ca
    FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
    FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npnipp.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npRACtrl.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-23 20:46:39
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\tphklock.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\IPSSVC.EXE
    C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\system32\QCONSVC.EXE
    C:\Program Files\SMART Board Software\SMARTBoardService.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\TPHDEXLG.exe
    C:\WINDOWS\system32\TpKmpSvc.exe
    C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
    C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
    C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\DataStudio\PASPortal.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dwwin.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-23 20:54:42 - machine was rebooted
    ComboFix-quarantined-files.txt  2008-10-24 00:54:31

    Pre-Run: 1,294,417,920 bytes free
    Post-Run: 1,470,304,256 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

    239   --- E O F ---   2008-09-25 12:18:59





    HijackThis log is attached.

    [Saving space - attachment deleted by admin]
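The ComboFix log above carries three things a practitioner would want pulled out mechanically: the rootkit's components all follow one file-name pattern (a fixed "TDSS" prefix, four random lowercase letters, and a .sys/.dll/.dat/.log extension under system32), two of them (TDSSpaxt.dat and TDSSmhlt.sys) appear under "Files Created" but not under "Other Deletions", so ComboFix did not remove them, and the registry dump shows port 3389/TCP (Remote Desktop) globally open in the Windows Firewall and Security Center monitoring switched off for the Symantec firewall. The following Python triage script is an added example, not part of the thread and not ComboFix's own tooling: it parses ComboFix's section banners, applies that naming pattern, and reports the survivors and the two hardening findings. The log excerpt embedded in it is constructed from the entries above; the regular expressions and the section-parsing rules are assumptions based on this one log's layout.

```python
import re

# Constructed excerpt in ComboFix's log layout, copied from the entries in the
# log posted above and shortened to a handful of lines.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\TDSSpqxt.sys
C:\WINDOWS\system32\TDSSbxbx.dll
C:\WINDOWS\system32\TDSSnrsr.dat
.
(((((((((((((((((((((((((   Files Created from 2008-09-24 to 2008-10-24  )))))))))))))))))))))))))))))))
.
2008-10-22 21:16 . 2008-10-16 20:25   38,496   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-21 15:30 . 2008-10-21 15:30   164   --a------   C:\WINDOWS\system32\TDSSpaxt.dat
2008-10-21 15:08 . 2008-10-22 17:09   60,416   --a------   C:\WINDOWS\system32\drivers\TDSSmhlt.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# ComboFix section banner: a run of '(', the title, a run of ')' (assumed layout).
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# Naming pattern of the TDSS components seen in this thread (a heuristic, not a
# signature): "TDSS" + four lowercase letters + driver/library/data/log extension.
TDSS_NAME_RE = re.compile(r"^TDSS[a-z]{4}\.(sys|dll|dat|log)$", re.IGNORECASE)
# A Windows path runs from the first "X:\" to the end of the line; ComboFix puts
# date, size and attribute columns in front of it in the "Files Created" section.
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\.*$")


def split_sections(log: str) -> dict[str, list[str]]:
    """Group the log's lines under the banner that precedes them."""
    sections: dict[str, list[str]] = {}
    current = "preamble"
    for line in log.splitlines():
        banner = SECTION_RE.match(line.strip())
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line.rstrip())
    return sections


def paths_in(lines: list[str]) -> list[str]:
    """Extract the file path from every line that carries one."""
    return [m.group(0).strip() for m in map(WIN_PATH_RE.search, lines) if m]


def tdss_files_by_section(log: str) -> dict[str, list[str]]:
    """TDSS-pattern paths ComboFix reports as deleted vs. merely as created."""
    buckets: dict[str, list[str]] = {"deleted": [], "created": []}
    for name, lines in split_sections(log).items():
        if name.startswith("Other Deletions"):
            bucket = "deleted"
        elif name.startswith("Files Created"):
            bucket = "created"
        else:
            continue
        for path in paths_in(lines):
            if TDSS_NAME_RE.match(path.rsplit("\\", 1)[-1]):
                buckets[bucket].append(path)
    return buckets


def surviving_tdss_files(log: str) -> list[str]:
    """TDSS-pattern files listed as created but not as deleted: still on disk
    after the ComboFix run, so they need a follow-up removal step."""
    buckets = tdss_files_by_section(log)
    return [p for p in buckets["created"] if p not in buckets["deleted"]]


def globally_open_ports(log: str) -> list[str]:
    """Ports the Windows Firewall standard profile opens to every peer."""
    ports, in_list = [], False
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_list = s.lower().endswith("globallyopenports\\list]")
            continue
        m = re.match(r'"(\d+:(?:TCP|UDP))"', s) if in_list else None
        if m:
            ports.append(m.group(1))
    return ports


def disabled_security_center_monitoring(log: str) -> list[str]:
    """Products whose Security Center monitoring has been switched off."""
    products, key = [], ""
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            key = s[1:-1]
        elif ("\\security center\\monitoring\\" in key.lower()
              and s.lower().startswith('"disablemonitoring"=dword:00000001')):
            products.append(key.rsplit("\\", 1)[-1])
    return products


if __name__ == "__main__":
    print("TDSS files still present:", surviving_tdss_files(SAMPLE_LOG))
    print("Globally open ports:", globally_open_ports(SAMPLE_LOG))
    print("Monitoring disabled for:", disabled_security_center_monitoring(SAMPLE_LOG))
```

Run over the full log on this page it reports exactly the two survivors, TDSSpaxt.dat and TDSSmhlt.sys, which are the files the next reply targets with OTMoveIt2. Name matching is a screening heuristic only: it cannot see anything a running rootkit hides from the scanner, and an empty result is not evidence that the machine is clean.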

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 489
    • Experience: Familiar
    • OS: Windows 10
    • Click START then RUN
    • Now type Combofix /u in the runbox
    • Make sure there's a space between Combofix and /u
    • Then hit Enter.

    The above procedure will:
    • Delete ComboFix and its associated files and folders.
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Set a new, clean Restore Point.

    ----------

    Open HijackThis and select Do a system scan only.

    Place a check mark next to the following entries: (if there)

    - O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Important: Close all windows except for HijackThis and then click Fix checked.

    Exit HijackThis.

    ----------

    Download OTMoveIt2 by OldTimer and save it to your Desktop.

    Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

    1. Double-click OTMoveIt2.exe to run it.
    2. Copy the lines in the codebox below.

    Code:
    [kill explorer]
    C:\WINDOWS\system32\TDSSpaxt.dat
    C:\WINDOWS\system32\drivers\TDSSmhlt.sys
    EmptyTemp
    [start explorer]

    3. Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
    4. Click the red Moveit! button.
    5. Copy everything in the Results window (under the green bar) and paste it in your next reply.
    6. Close OTMoveIt2

    Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

    ----------

    Your Java is out of date.

    Older versions have vulnerabilities that malicious sites can use to infect your system.

    First install the new Sun Java Runtime Environment

    Be sure to close all browser windows before beginning the install.

    Remove the old version(s)

    Download JavaRa
    • Unzip the file and open the JavaRa.exe
    • Click Remove Older Versions
    • JavaRa will search for and remove any outdated version of Java and remove any that are found.
    • Click Additional Tasks
    • Place a check next to Remove Useless JRE Files and click Go
    • Exit JavaRa
    • Delete the JavaRa files from the Desktop
    ----------

    How is everything now?

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 489
    • Experience: Familiar
    • OS: Windows 10
      See if Avast turns back on after running the OTMoveIt2 step.

      • Click START then RUN
      • Now type Combofix /u in the runbox
      • Make sure there's a space between Combofix and /u
      • Then hit Enter.
      .
      • The above procedure will:
      • Delete the following:
      • ComboFix and its associated files and folders.
      • Reset the clock settings.
      • Hide file extensions, if required.
      • Hide System/Hidden files, if required.
      • Set a new, clean Restore Point.
      .
      ----------

      Open HijackThis and select
    Do a system scan only.

    Place a check mark next to the following entries: (if there)

    - O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Important: Close all windows except for HijackThis and then click Fix checked.

    Exit HijackThis.

    ----------

    Download OTMoveIt2 by OldTimer and save it to your Desktop.

    Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

    1. Double-click OTMoveIt2.exe to run it.
    2. Copy the lines in the codebox below.

    Code: [Select]
    [kill explorer]
    C:\WINDOWS\system32\TDSSpaxt.dat
    C:\WINDOWS\system32\drivers\TDSSmhlt.sys
    EmptyTemp
    [start explorer]

    3. Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
    4. Click the red Moveit! button.
    5. Copy everything in the Results window (under the green bar) and paste it in your next reply.
    6. Close OTMoveIt2

    Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

    ----------

    Your Java is out of date.

    Older versions have vulnerabilities that malicious sites can use to infect your system.

    First install the new Sun Java Runtime Environment

    Be sure to close all browser windows before beginning the install.

    Remove the old version(s)

    Download JavaRa
    • Unzip the file and open the JavaRa.exe
    • Click Remove Older Versions
    • JavaRa will search for and remove any outdated version of Java and remove any that are found.
    • Click Additional Tasks
    • Place a check next to Remove Useless JRE Files and click Go
    • Exit JavaRa
    • Delete the JavaRa files from the Desktop
    .
    ----------

    How is everything now?

    flomtl


      Explorer killed successfully
      C:\WINDOWS\system32\TDSSpaxt.dat moved successfully.
      C:\WINDOWS\system32\drivers\TDSSmhlt.sys moved successfully.
      < EmptyTemp >
      File delete failed. C:\DOCUME~1\student\LOCALS~1\Temp\etilqs_KPeQJvpkCiRQGrNjf6LV scheduled to be deleted on reboot.
      File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_110.dat scheduled to be deleted on reboot.
      File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3d4.dat scheduled to be deleted on reboot.
      File delete failed. C:\WINDOWS\temp\_avast4_\unp96758181.tmp scheduled to be deleted on reboot.
      File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
      Temp folders emptied.
      IE temp folders emptied.
      Explorer started successfully
       
      OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10232008_213130



      Log of MoveIt2.
      Rebooting now.


      flomtl


        Log after reboot:


        Explorer killed successfully
        C:\WINDOWS\system32\TDSSpaxt.dat moved successfully.
        C:\WINDOWS\system32\drivers\TDSSmhlt.sys moved successfully.
        < EmptyTemp >
        File delete failed. C:\DOCUME~1\student\LOCALS~1\Temp\etilqs_KPeQJvpkCiRQGrNjf6LV scheduled to be deleted on reboot.
        File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_110.dat scheduled to be deleted on reboot.
        File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3d4.dat scheduled to be deleted on reboot.
        File delete failed. C:\WINDOWS\temp\_avast4_\unp96758181.tmp scheduled to be deleted on reboot.
        File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
        Temp folders emptied.
        IE temp folders emptied.
        Explorer started successfully
         
        OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10232008_213130

        Files moved on Reboot...
        File C:\DOCUME~1\student\LOCALS~1\Temp\etilqs_KPeQJvpkCiRQGrNjf6LV not found!
        C:\WINDOWS\temp\Perflib_Perfdata_110.dat moved successfully.
        C:\WINDOWS\temp\Perflib_Perfdata_3d4.dat moved successfully.
        File C:\WINDOWS\temp\_avast4_\unp96758181.tmp not found!
        File C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!





        Avast is still not running...

        I will try to update Java now.

        evilfantasy

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Calm like a bomb
        • Thanked: 489
        • Experience: Familiar
        • OS: Windows 10
        Download the avast installer and run it. You will be prompted to uninstall, do so then reinstall it fresh. http://filehippo.com/download_avast_antivirus/

        Let me know when you get it running.

        flomtl


          Avast is installed and working again.

          I have noticed that my google.com is still being redirected to google.co.jp.
          I have no clue what is causing this, seeing as it should recognize that I am situated in Canada. Is there anything I can do about that?

          Florian






          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 489
          • Experience: Familiar
          • OS: Windows 10
          Reset Web Settings & Default Security Settings

          Open IE and then select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

          ----------

          Download to your desktop FixPolicies.exe, a self-extracting ZIP archive from HERE.

          Double-click FixPolicies.exe.
          Click the Install button on the bottom toolbar of the box that will open.
          The program will create a new Folder called FixPolicies.
          Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
          A black box will briefly appear and then close.
          Restart the computer so the changes can take effect.

          How about now?

          flomtl


            Still being redirected in both Firefox and IE.

            It's not that big a deal (I just renamed all my shortcuts to google.ca); I'm just afraid it is some type of virus on my network or something...

            evilfantasy

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Calm like a bomb
            • Thanked: 489
            • Experience: Familiar
            • OS: Windows 10
            We'll find it. Some are tougher than others, but they all fall eventually...

            Run this online scan.

            This scanner requires Internet Explorer

            Use the ESET Nod32 Online Scanner

            1. Check the box next to YES, I accept the Terms of Use.
            2. Click Start
            3. When asked, allow the activex control to install
            4. Click Start
            5. Make sure that the option Remove found threats and the option Scan unwanted applications are check marked.
            6. Click Scan
            7. Wait for the scan to finish
            8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
            9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

            flomtl


              It found 2 trojans, with an error while deleting 1 of them? :(

              here is the log:


              # version=4
              # OnlineScanner.ocx=1.0.0.635
              # OnlineScannerDLLA.dll=1, 0, 0, 79
              # OnlineScannerDLLW.dll=1, 0, 0, 78
              # OnlineScannerUninstaller.exe=1, 0, 0, 49
              # vers_standard_module=3550 (20081023)
              # vers_arch_module=1.064 (20080214)
              # vers_adv_heur_module=1.060 (20070601)
              # EOSSerial=44600689593aff46ae9238f0100fcf37
              # end=finished
              # remove_checked=true
              # unwanted_checked=true
              # utc_time=2008-10-24 04:05:56
              # local_time=2008-10-24 12:05:56 (-0500, Eastern Daylight Time)
              # country="Canada"
              # osver=5.1.2600 NT Service Pack 2
              # scanned=450155
              # found=2
              # scan_time=3802
              D:\Program Files\MagicISO\Patch.exe   Win32/Agent.OBH trojan (deleted)   00000000000000000000000000000000
              D:\Program Files\MagicISO\Patch.exe »PECompact v2.xx   Win32/Agent.OBH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)   00000000000000000000000000000000

              evilfantasy

              • Malware Removal Specialist
              • Moderator


              • Genius
              • Calm like a bomb
              • Thanked: 489
              • Experience: Familiar
              • OS: Windows 10
              It was the same file, which is why it failed the second time.

              Update MalwareBytes and run a Quick Scan then post the log when complete.


              flomtl


                Malwarebytes found 1 trojan and successfully deleted it :D

                Here's the log:

                Malwarebytes' Anti-Malware 1.30
                Database version: 1316
                Windows 5.1.2600 Service Pack 2

                24/10/2008 2:28:56 PM
                mbam-log-2008-10-24 (14-28-56).txt

                Scan type: Full Scan (C:\|)
                Objects scanned: 168601
                Time elapsed: 44 minute(s), 17 second(s)

                Memory Processes Infected: 0
                Memory Modules Infected: 0
                Registry Keys Infected: 0
                Registry Values Infected: 0
                Registry Data Items Infected: 0
                Folders Infected: 0
                Files Infected: 1

                Memory Processes Infected:
                (No malicious items detected)

                Memory Modules Infected:
                (No malicious items detected)

                Registry Keys Infected:
                (No malicious items detected)

                Registry Values Infected:
                (No malicious items detected)

                Registry Data Items Infected:
                (No malicious items detected)

                Folders Infected:
                (No malicious items detected)

                Files Infected:
                C:\WINDOWS\system32\TDSScfum.log (Trojan.TDSS) -> Quarantined and deleted successfully.


                [EDIT] google.com is still being redirected :( [/EDIT]

                evilfantasy

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Calm like a bomb
                • Thanked: 489
                • Experience: Familiar
                • OS: Windows 10
                Run a new HijackThis scan and post the log please.