Solved: Internet - cannot access sites and searches jump to weird unrelated places.

Discussion in 'Virus & Other Malware Removal' started by Gypsy22, Oct 5, 2008.

Thread Status:
Not open for further replies.
  1. Gypsy22

    Gypsy22 Thread Starter

    Joined:
    Oct 5, 2008
    Messages:
    12
    Hi
    When I start the computer for some reason iexplore seems to start twice before I open the internet shortcut. When I have the internet open I can no longer access any download or update sites so my AVG 8 (free version) and Windows automatic updates cannot update. My computer keeps freezing and I cannot close anything so have to turn off to shut it down. I'm on Windows XP with service pack 3 installed.
    When I do searches I end up being re-directed to Live search .com and Britannia?? but even clicking the links there doesn't work. Sometimes porn pages are coming up when I try to get on the Microsoft Updates pages.
    Since this started I've installed error smart with the anti spyware option but it hasn't picked up any virus. I also installed CCleaner. Am at my wits end to know what's going on or how to fix it.

    I can't get to any link on this site so am posting from another computer.

    Hijack this log from today and the start up log below. Please Help. Thanks

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:38:52, on 05/10/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\1XConfig.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\ErrorSmart\ErrorSmart.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AntiSpywareApp\Antispyware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Antispyware] C:\Program Files\AntiSpywareApp\Antispyware.exe -boot
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1201514903884
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1219154493154
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{83F9B63E-3DE2-41C4-8FB2-AFEC69C8CD51}: NameServer = 192.111.39.1,192.111.39.4
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    --
    End of file - 8167 bytes

    StartupList report, 05/10/2008, 19:41:30
    StartupList version: 1.52.2
    Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
    Detected: Windows XP SP3 (WinNT 5.01.2600)
    Detected: Internet Explorer v7.00 (7.00.6000.16705)
    * Using default options
    ==================================================
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\1XConfig.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\ErrorSmart\ErrorSmart.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AntiSpywareApp\Antispyware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    --------------------------------------------------
    Checking Windows NT UserInit:
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    --------------------------------------------------
    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    ZCfgSvc.exe = C:\WINDOWS\system32\ZCfgSvc.exe
    PRONoMgr.exe = C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    igfxtray = C:\WINDOWS\system32\igfxtray.exe
    igfxhkcmd = C:\WINDOWS\system32\hkcmd.exe
    igfxpers = C:\WINDOWS\system32\igfxpers.exe
    Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    DVDLauncher = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
    dla = C:\WINDOWS\system32\dla\tfswctrl.exe
    UpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    AVG8_TRAY = C:\PROGRA~1\AVG\AVG8\avgtray.exe
    ErrorSmart = C:\Program Files\ErrorSmart\ErrorSmart.exe
    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
    Antispyware = C:\Program Files\AntiSpywareApp\Antispyware.exe -boot
    --------------------------------------------------
    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    [OptionalComponents]
    =
    --------------------------------------------------
    Load/Run keys from C:\WINDOWS\WIN.INI:
    load=*INI section not found*
    run=*INI section not found*
    Load/Run keys from Registry:
    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=avgrsstx.dll
    --------------------------------------------------
    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*
    Shell & screensaver key from Registry:
    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
    drivers=*Registry value not found*
    Policies Shell key:
    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*
    --------------------------------------------------

    Enumerating Browser Helper Objects:
    (no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    WormRadar.com IESiteBlocker.NavFilter - C:\Program Files\AVG\AVG8\avgssie.dll - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
    (no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
    (no name) - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    (no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
    (no name) - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
    --------------------------------------------------
    Enumerating Task Scheduler jobs:
    Antispyware Scheduled Scan.job
    ErrorSmart Scheduled Scan.job
    MP Scheduled Scan.job
    RegCure Program Check.job
    RegCure.job
    --------------------------------------------------
    Enumerating Download Program Files:
    [SysProWmi Class]
    InProcServer32 = C:\WINDOWS\system32\Dell\SystemProfiler\SysPro.ocx
    CODEBASE = http://support.euro.dell.com/systemprofiler/SysPro.CAB
    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    [Windows Genuine Advantage Validation Tool]
    InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
    CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204
    [WUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\wuweb.dll
    CODEBASE = http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1201514903884
    [MUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\muweb.dll
    CODEBASE = http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1219154493154
    [{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
    CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    [Crucial cpcScan]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\cpcScan.dll
    CODEBASE = http://www.crucial.com/controls/cpcScanner.cab
    --------------------------------------------------
    Enumerating Winsock LSP files:
    NameSpace #4: C:\WINDOWS\system32\wshbth.dll
    --------------------------------------------------
    Enumerating ShellServiceObjectDelayLoad items:
    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll
    WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
    --------------------------------------------------
    End of report, 8,712 bytes
    Report generated in 0.751 seconds
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, Welcome to TSG!!


    Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix and remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again afterwards before connecting to the Internet.


    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
    • Instead of Windows loading as normal, the Advanced Options Menu should appear
    • Select the first option, to run Windows in Safe Mode, then press Enter
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to the clipboard ready for posting back on the forum).
    • Paste the contents of the Report.txt back here with a new HijackThis log
     
  3. Gypsy22

    Gypsy22 Thread Starter

    Joined:
    Oct 5, 2008
    Messages:
    12
    Hi Cybertech

    Thanks a million for looking at this for me. I have followed your instructions and disabled all the pieces as outlined and have the SDFix copied in and ready to run but when I try to start in Safe mode I get an error
    "the video driver has failed to initialize". There's all the usual blurb on the blue screen.
    If I try to boot up as normal she boots up no problem it just won't work in Safe mode.

    Any suggestions how I get round this?

    Thanks
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run this instead...

    Please download Malwarebytes Anti-Malware and save it to your desktop. alternate download link 1 alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply with a new hijackthis log.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
     
  5. Gypsy22

    Gypsy22 Thread Starter

    Joined:
    Oct 5, 2008
    Messages:
    12
    Hi Cybertech

    Thanks for quick response. Wasn't expecting anything until tomorrow given the time difference.
    I followed your instructions. Malware log below. I saved it to my memory stick so I could upload from this computer instead of the sick one.
    It did ask for a reboot so I clicked ok but Windows is taking forever to shutdown. It's been sitting for about 5 minutes now just saying Windows is shutting down with no lights flickering. Will I just leave it or should I intervene by hitting the power switch?

    Malwarebytes' Anti-Malware 1.28
    Database version: 1251
    Windows 5.1.2600 Service Pack 3
    10/10/2008 18:57:12
    mbam-log-2008-10-10 (18-57-12).txt
    Scan type: Quick Scan
    Objects scanned: 45257
    Time elapsed: 4 minute(s), 35 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 1
    Files Infected: 15
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
    Folders Infected:
    C:\Documents and Settings\All Users\Start Menu\Programs\Antispyware (Rogue.Antispyware) -> Quarantined and deleted successfully.
    Files Infected:
    C:\Documents and Settings\All Users\Start Menu\Programs\Antispyware\AntiSpyware on the Web.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antispyware\AntiSpyware.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Desktop\AntiSpyware.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssadw.dll (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\TDSSerrors.log (Trojan.TDSS) -> Delete on reboot.
    C:\WINDOWS\system32\tdssinit.dll (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\TDSSl.dll (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdsslog.dll (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssmain.dll (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssserf.dll (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssserf1.dll (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssservers.dat (Trojan.TDSS) -> Delete on reboot.
    C:\WINDOWS\system32\drivers\tdssserv.sys (Rootkit.Agent) -> Delete on reboot.

    Regards

    Gypsy22
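
The Malwarebytes log in the post above marks most of the TDSS files as "Delete on reboot", so they are not actually gone until the restart completes. As an added example (not part of the original thread and not Malwarebytes code), this Python script parses that log layout, checks the summary counts against the itemized detections, and lists what is still pending a reboot; the sample log is constructed by abridging the post above with the counts adjusted to match, and the function names are hypothetical.

```python
import re
from collections import Counter

# Summary line near the top of the log, e.g. "Files Infected: 15"
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# Section header further down, e.g. "Files Infected:"
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Detection line: <object> (<threat>) -> [Data: <data> -> ]<action>.
ITEM_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<threat>[\w.\-]+)\) -> "
    r"(?:Data: (?P<data>.*?) -> )?(?P<action>.+?)\.?$"
)

# Constructed sample: abridged from the log in the post above,
# summary counts adjusted to match the abridgement.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.28
Scan type: Quick Scan
Memory Processes Infected: 0
Registry Keys Infected: 1
Registry Data Items Infected: 1
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\All Users\Desktop\AntiSpyware.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Rootkit.Agent) -> Delete on reboot.
"""


def parse_mbam_log(text):
    """Return the declared per-section counts and the itemized detections."""
    declared, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()  # forum pastes are often indented
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            declared[m["section"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append({
                "section": section,
                "object": m["obj"],
                "threat": m["threat"],
                "data": m["data"],      # None unless the line has "Data: ..."
                "action": m["action"],
            })
    return {"declared": declared, "items": items}


def count_mismatches(report):
    """Sections whose summary count differs from the number of listed items.

    A mismatch usually means the paste was truncated or edited.
    """
    found = Counter(i["section"] for i in report["items"])
    return {
        s: (n, found.get(s, 0))
        for s, n in report["declared"].items()
        if n != found.get(s, 0)
    }


def pending_reboot(report):
    """Objects that are only scheduled for deletion, not yet removed."""
    return [
        i["object"] for i in report["items"]
        if i["action"].lower().startswith("delete on reboot")
    ]


def threat_counts(report):
    """Number of detections per threat label."""
    return Counter(i["threat"] for i in report["items"])


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(rep))
    print("threat labels:", dict(threat_counts(rep)))
    for obj in pending_reboot(rep):
        print("pending reboot:", obj)
```

Anything returned by `pending_reboot` should be absent from the follow-up scan after the restart; if it reappears, the removal did not complete.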
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I hope you left it and it did eventually shut down. It was, no doubt, killing off some of the processes.

    Run it again before you reply and post the new log.
     
  7. Gypsy22

    Gypsy22 Thread Starter

    Joined:
    Oct 5, 2008
    Messages:
    12
    Hi ya

    Gave up waiting on it so shut it down after an hour and a half. As soon as I started it up again I re-ran Malwarebytes. I found 2 more infected files and cleaned them up. Have done nothing else since but have the internet disabled on that laptop so nothing new can sneak in. Log below.
    Rgds
    Malwarebytes' Anti-Malware 1.28
    Database version: 1251
    Windows 5.1.2600 Service Pack 3
    10/10/2008 20:25:24
    mbam-log-2008-10-10 (20-25-24).txt
    Scan type: Quick Scan
    Objects scanned: 45091
    Time elapsed: 4 minute(s), 46 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\Documents and Settings\Owner\Local Settings\Temp\TDSS3701.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\TDSSd9f9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders". Click "Apply" then "OK".

    Now empty these two folders:
    C:\WINDOWS\Temp
    C:\Documents and Settings\Owner\Local Settings\Temp

    If there are other profiles on the machine empty those C:\Documents and Settings\Other\Local Settings\Temp folders as well.

    Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
    1. Close any open browsers.
    2. If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
    3. Open the OTScanit folder and double-click on OTScanit.exe to start the program.
    4. In Additional Scans section put a check in BotCheck and Disabled MS Config Items and EventViewer Errors/Warnings
    5. Now click the Run Scan button on the toolbar.
    6. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    7. When the scan is complete Notepad will open with the report file loaded in it.
    8. Save that notepad file
    If the log is too large to post, use the Reply button, scroll down to the attachments section and attach the notepad file here.
     
  9. Gypsy22

    Gypsy22 Thread Starter

    Joined:
    Oct 5, 2008
    Messages:
    12
    Have run that but it ran very quickly - less than a minute!

    I left all the settings as they were presented except the 2 you told me to check in advanced settings.
    It's a bit bigger than the previous logs so I've taken your advice and attached the file rather than copying it in here.

    Again Thanks
     

    Attached Files:

  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I don't see anything in the log other than a few tmp files.


    How is the computer working?
     
  11. Gypsy22

    Gypsy22 Thread Starter

    Joined:
    Oct 5, 2008
    Messages:
    12
    What was the "Impersonate Privilege Upgrade Tool has run" line in the log about? Obviously I'm clueless about all of this but spotted the word Impersonate and thought it looked iffy?

    The computer is running fine but I haven't re-activated the AVG or Windows defender etc or tried the internet yet until I got the OK from you. Have no idea how whatever it was got in or how to prevent it happening again. I would have thought I had enough protection with AVG8 and Windows defender but seemingly not.

    Probably a silly question but would whatever infected the machine have blocked the system backup and restore facility? I did try to do a system restore at the start of all this a few weeks ago, but though it allowed me to select the date, it did nothing when I clicked on Next to start the restore no matter what backup date I chose.

    I have to hit the sack now so won't be able to do anymore until lunchtime tomorrow as I'm out from 8 - 11.30 in the morning.

    Thanks a mill for your help so far - what I wouldn't do to have your know how

    Rgds
     
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    You would have to read up on LSA http://msdn.microsoft.com/en-us/library/aa380529(VS.85).aspx

    That key is fine in your log.

    Malware can cause problems with your system restore. Best to clear that out as it is likely infected anyway.

    I would also suggest staying away from registry cleaners as they cause more problems than they fix.


    I think you should proceed with turning on the anti-virus and see what happens. I would also suggest doing a scan with Kaspersky when you venture back on the internet.

    Kaspersky WebScanner

    Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.

    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure the following is checked.
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply.
     
  13. Gypsy22

    Gypsy22 Thread Starter

    Joined:
    Oct 5, 2008
    Messages:
    12
    Hi Cybertech

    So far the internet connections seem to be working. AVG has updated successfully for the first time in weeks. I then closed it down to install Kaspersky but am running into problems. My Java version is up to date but when Kaspersky starts downloading "packages/kos-bin-winnt-redist.jar" it then presents a dialog box telling me that the Java Applet could not be started and that I need to go online to start it. I have no idea what this means. Then Kaspersky starts another larger download (Downloading file: packages/kos-bin-winnt-engine.jar) of 2060 kb but seems to stop at 77kb with no further error messages. Sorry to be a pain.

    Rgds
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    jar is java so that seems to be giving you a problem.

    Has AVG found anything?
     
  15. Gypsy22

    Gypsy22 Thread Starter

    Joined:
    Oct 5, 2008
    Messages:
    12
    I'll run an AVG scan now. All I did earlier was to allow it to update and once it did that I moved onto Kaspersky.
     
Short URL to this thread: https://techguy.org/756361
