Solved: Interne - cannot access sites and searchs jump to weird unrelated places.

[Gypsy22]

Hi
When I start the computer for some reason iexplore seems to start twice before I open the internet shortcut. When I have the internet open I can no longer access any download or update sites so my AVG 8 ( free version) and Windows automatic updates cannot update. My computer keeps freezing and I cannot close anything so have to turn off to shut it down. I;m Windows XP with service pack 3 installed.
When I do searchs I end up being re-directed to Live search .com and Britannia?? but even clicking the links there doesn't work. Sometimes porn pages are coming up when I try to get on the Microsoft Updates pages.
Since this started I've installed error smart with the anti spyware option but it hasn't picked up any virus. I also installed CCleaner. Am at my wits end to know what's going on or how to fix it.

I can't get to any link on this site so am posting from another computer.

Hijack this log from today and the start up log below. Please Help. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:38:52, on 05/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\1XConfig.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ErrorSmart\ErrorSmart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AntiSpywareApp\Antispyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Antispyware] C:\Program Files\AntiSpywareApp\Antispyware.exe -boot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1201514903884
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1219154493154
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{83F9B63E-3DE2-41C4-8FB2-AFEC69C8CD51}: NameServer = 192.111.39.1,192.111.39.4
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
--
End of file - 8167 bytes

StartupList report, 05/10/2008, 19:41:30
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16705)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\1XConfig.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ErrorSmart\ErrorSmart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AntiSpywareApp\Antispyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ZCfgSvc.exe = C:\WINDOWS\system32\ZCfgSvc.exe
PRONoMgr.exe = C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
igfxtray = C:\WINDOWS\system32\igfxtray.exe
igfxhkcmd = C:\WINDOWS\system32\hkcmd.exe
igfxpers = C:\WINDOWS\system32\igfxpers.exe
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
DVDLauncher = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
UpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
AVG8_TRAY = C:\PROGRA~1\AVG\AVG8\avgtray.exe
ErrorSmart = C:\Program Files\ErrorSmart\ErrorSmart.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Antispyware = C:\Program Files\AntiSpywareApp\Antispyware.exe -boot
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
=
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=avgrsstx.dll
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------

Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
WormRadar.com IESiteBlocker.NavFilter - C:\Program Files\AVG\AVG8\avgssie.dll - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Antispyware Scheduled Scan.job
ErrorSmart Scheduled Scan.job
MP Scheduled Scan.job
RegCure Program Check.job
RegCure.job
--------------------------------------------------
Enumerating Download Program Files:
[SysProWmi Class]
InProcServer32 = C:\WINDOWS\system32\Dell\SystemProfiler\SysPro.ocx
CODEBASE = http://support.euro.dell.com/systemprofiler/SysPro.CAB
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204
[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1201514903884
[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1219154493154
[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
[Crucial cpcScan]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cpcScan.dll
CODEBASE = http://www.crucial.com/controls/cpcScanner.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #4: C:\WINDOWS\system32\wshbth.dll
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
--------------------------------------------------
End of report, 8,712 bytes
Report generated in 0.751 seconds

 

[cybertech]

Hi, Welcome to TSG!!


Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix and remove some of its embedded files which may cause "unpredictable results".
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
• Remember to re-enable the protection again afterwards before connecting to the Internet.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
• Instead of Windows loading as normal, the Advanced Options Menu should appear
• Select the first option, to run Windows in Safe Mode, then press Enter
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to the clipboard ready for posting back on the forum).
• Paste the contents of the Report.txt back here with a new HijackThis log

 

[Gypsy22]

Hi Cybertech

Thanks a million for looking at this for me. I have follwed your instructions and disabled all the pieces as outlined and have the SDFIx copied in and ready to run but when I try to start in Safe mode I get an error
"the video driver has failed to initialize". There's all the usual blurb on the blue screen.
If I try to boot up as normal she boots up no problem it just won't work in Safe mode.

Any suggestions how I get round this?

Thanks

 

[cybertech]

Run this instead...

Please download Malwarebytes Anti-Malware and save it to your desktop. alternate download link 1 alternate download link 2

• Make sure you are connected to the Internet.
• Double-click on Download_mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
• On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply with a new hijackthis log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

 

[Gypsy22]

Hi Cybertech

Thanks for quick response. Wasn't expecting anything until tomorrow given the time difference.
I followed your instructions. Malware log below. I saved it to my memory stick so I could upload from this computer instead of the sick one.
It did ask for a reboot so I clicked ok but WIndows is taking forever to shutdown. It's been sitting for about 5 minutes now just saying Windows is shutting down with no lights flickering. Will I just leave it or should I intervene by hitting the power switch?

Malwarebytes' Anti-Malware 1.28
Database version: 1251
Windows 5.1.2600 Service Pack 3
10/10/2008 18:57:12
mbam-log-2008-10-10 (18-57-12).txt
Scan type: Quick Scan
Objects scanned: 45257
Time elapsed: 4 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 15
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Antispyware (Rogue.Antispyware) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Antispyware\AntiSpyware on the Web.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antispyware\AntiSpyware.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\AntiSpyware.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssadw.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSerrors.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSl.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf1.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Rootkit.Agent) -> Delete on reboot.

Regards

Gypsy22

 

[cybertech]

I hope you left it and it did eventually shut down. It was, no doubt, killing off some of the processes.

Run it again before you reply and post the new log.

 

[Gypsy22]

Hi ya

Gave up waiting on it so shut it down after an hour and a half. As soon as I started it up again I re-ran Malwarebytes. I found 2 more infected files and cleaned them up. Have done nothing else since but have the internet disabled on that laptop so nothing new can sneak in. Log below.
Rgds
Malwarebytes' Anti-Malware 1.28
Database version: 1251
Windows 5.1.2600 Service Pack 3
10/10/2008 20:25:24
mbam-log-2008-10-10 (20-25-24).txt
Scan type: Quick Scan
Objects scanned: 45091
Time elapsed: 4 minute(s), 46 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Owner\Local Settings\Temp\TDSS3701.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSd9f9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

[cybertech]

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders" Click "Apply" then "OK".

Now empty these two folders:
C:\WINDOWS\Temp
C:\Documents and Settings\Owner\Local Settings\Temp

If there are other profiles on the machine empty those C:\Documents and Settings\Other\Local Settings\Temp folders as well.

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

1. Close any open browsers.
2. If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
3. Open the OTScanit folder and double-click on OTScanit.exe to start the program.
4. In Additional Scans section put a check in BotCheck and Disabled MS Config Items and EventViewer Errors/Warnings
5. Now click the Run Scan button on the toolbar.
6. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
7. When the scan is complete Notepad will open with the report file loaded in it.
8. Save that notepad file

If the log is too large to post, use the Reply button, scroll down to the attachments section and attach the notepad file here.

 

[Gypsy22]

Have run that but it ran very quickly - less than a minute!

I left all the settings as they were presented except the 2 you told me to check in advanced settings.
It's a bit bigger than the previous logs so I've taken your advice an attached the file rather than copying it in here.

Again Thanks

 

[cybertech]

I don't see anything in the log other than a few tmp files.


How it the computer working?

 

[Gypsy22]

What was the Impersonate Privilege Upgrade Tool has run line in the log about? Obviously I'm clueless about all of this but spotted the word Impersonate and thought it looked iffy?

The computer is running fine but I haven't re-activated the AVG or Windows defender etc or tried the internet yet until I got the OK from you. Have no idea how whatever it was got in or how to prevent it happening again. I would have thought I had enough protection with AVG8 and Windows defender but seemingly not.

Probably a silly question but would whatever infected the machine have blocked the system backup and restore facility. I did try to do a system restore at the start of all this a few weeks ago but though it allowed me to select the date but did nothing when I clicked on Next to start the restore no matter what backup date I chose.

I have to hit the sack now so won't be able to do anymore until lunchtime tomorrow as I'm out from 8 - 11.30 in the morning.

Thanks a mill for your help so far - what I wouldn't do to have your know how

Rgds

 

[cybertech]

You would have to read up on LSA http://msdn.microsoft.com/en-us/library/aa380529(VS.85).aspx

That key is fine in your log.

Malware can cause problems with your system restore. Best to clear that out as it is likely infected anyway.

I would also suggest staying away from registry cleaners as they cause more problems than they fix.


I think you should proceed with turning on the anti-virus and see what happens. I would also suggest doing a scan with Kaspersky when you venture back on the internet.

Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure the following is checked.
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    [*]Archives
    [*]Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
• Please post this log in your next reply.

 

[Gypsy22]

Hi Cybetech

So far the internet connections seem to be working. AVG has updated sucessfully for the first time in weeks. I then closed it down to install Kybersky but am running into problems. My Java version is up to date but when Kaspersky starts downloading "packages/kos-bin-winnt-redist.jarit " it then presents a dialog box telling me that the Java Appelet could not be started and that I need to go online to start it. I have no idea what this means. Then Kaspersky starts another larger download (Downloading file: packages/kos-bin-winnt-engine.jar) of 2060 kb but seems to stop at 77kb with no further error messages. Sorry to be a pain.

Rgds

 

[cybertech]

jar is java so that seems to be giving you a problem.

Has AVG found anything?

 

[Gypsy22]

I'll run an AVG scan now. All I did earlier was to allow it to update and once it did that I moved onto Kaspersky