Virus removed Avast and Spybot and will not let me install it again

Dear all,

Since this weekend I found that the executables for Avast and Spybot have been removed from my computer. Re-installing them does not help (even if I completely remove them before).

When I want to run any of the applications after install, the executables are gone again.

If I go to the install folder (before running the programs), the executables are there, and 1 sec later, when Windows refreshes, I see that the files have been removed.

I tried:

Booting in SAFE mode → Windows does not boot
Booting normally and killing all processes and applications and then installing Avast and Spybot → Files still get removed
Booting normally and killing all processes and services and applications and then installing Avast and Spybot → Files still get removed

Going back to a Windows restore point (before the problems happened) → Did not help, Avast and Spybot were still removed and I could not install them.

It is now randomly switching off, not shutting down as usual, but a black screen and then starting up again.

I am slowly turning desperate,… can somebody please give me some advice on how to continue ?

Thanks,

Danny

Maybe this trick is still working:

http://forum.avast.com/index.php?topic=28459.msg232730#msg232730

Hi knacker,

Download hostfixer from here: http://www.funkytoad.com/content/view/13/
Because I think your hostfile is corrupted and that may be the problem.
It also could be you have a smitfraud or vundo infection, but I need a hjt logfile to establish that.

After this, post a HijackThis log; download HJT from here:
http://www.spychecker.com/download/download_hijackthis.html

polonus

Dear Polonus,

HijackThis made the following log file: (which I do not understand)

(see attached)

Regards,

Danny

it looks like your problem is similar to the one discussed here
http://forum.avast.com/index.php?topic=32371.msg270631#msg270631

Can you download the trial of prevx 2 and see what it does?
http://www.prevx.com/antimalware.asp

Go to add/remove programs and uninstall the following program if present

Desktop Messenger

Then run HJT, do a system scan only, check mark the following lines

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe

and all the O18 lines

Disable TeaTimer; it can interfere with the next scanner.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Edit to add: Please limit your internet activity to a bare minimum, i.e. to check this thread and download the required tools, until you can get an AV on that system.

Dear all,

I performed the actions listed above. (Desktop messenger was not there)

I made 2 log files, can somebody please help me to read them ?

Kind regards and Thanks,

Danny

Have you been able to de-activate Tea-Timer? Do you have access to Task Manager?

Have you read the thread that I linked you to earlier and if so did it make any sense to you?

The infection is still apparent in your log as per O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe but this may just be a leftover that needs to be cleaned up.
Report back whether you have avast or spybot working.

You may as well turn off System restore on all drives and clean out all your temp files while Oldman organises the next step.
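The "leftover or still active" question raised above for the O4 Run entry can be checked mechanically. The following is an added example, not part of the thread or of any tool mentioned in it: it parses HijackThis O4 Run lines and marks each one as a leftover (target file gone) or live (target file still on disk). The function names, the ExampleAV entry and the placeholder GUID are assumptions made for the illustration.

```python
import os
import re

# HijackThis O4 autostart line: "O4 - HKCU\..\Run: [name] command".
# The backslash after the hive is optional because forum software often eats it.
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\?\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)

def target_path(cmd):
    """Extract the executable path from a Run value (quoted or bare, with args)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|dll))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd

def triage_o4(log_text, exists=os.path.exists):
    """Return (hive, key, name, path, status) for each O4 Run entry.

    status is "leftover" when the target file is gone (orphaned registry value)
    and "live" when the file is still on disk and will start at next logon.
    """
    results = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue  # not an O4 Run line (e.g. O2, O18)
        path = target_path(m.group("cmd"))
        status = "live" if exists(path) else "leftover"
        results.append((m.group("hive"), m.group("key"), m.group("name"), path, status))
    return results

# Constructed sample: the german.exe line is quoted from the thread,
# the other two lines (placeholder GUID, ExampleAV) are made up.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKCU..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\tray.exe" /min
"""

if __name__ == "__main__":
    # Pretend only the (constructed) ExampleAV binary is present on disk.
    present = {r"C:\Program Files\ExampleAV\tray.exe"}
    for row in triage_o4(SAMPLE_LOG, exists=lambda p: p in present):
        print(row)
```

On the affected machine, call `triage_o4` without the `exists` argument so the real file system is checked; a file hidden by the infection will also show up as "leftover", so the result is a hint and not proof of a clean system.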

Do the following, then try to get an antivirus program installed.

Download & run this tool > SafeBootKeyRepair-CF http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe
It shall only take a short moment for it to finish running. A log shall be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply and let us know if you can access Safe Mode now?

Open HJT, run a system scan only, check mark these lines if present

O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe

Close all other browsers/windows, click fix, close HJT.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe

This will start ComboFix again. Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new hjt log.

Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, click create

Remove old restore points

Disk Cleanup

  • Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Dear Oldman and Cloussau,

It looks like there is light in the end of the tunnel. I performed all the last actions and now I am able to install spybot and Avast again. Attached you’ll find the requested files, I hope that they show I am in the clear now.

Thanks a million,

Danny

Okay, I'll check the logs in a bit, I have to go offline for a while.

Thanks

Hi, how are things going?

Is this your home page?

www…abnamro…nl

I added a couple of dots to make it inactive.

Please make sure teatimer is turned off. We will enable it again when we are done.

Open Spybot and make sure teatimer is disabled. To do so do the following

Click mode
click Advanced mode
if you get a warning answer “yes”
click tools
click resident
uncheck resident “teatimer” and SDHelper if installed
click allow change
reboot

Open the Folder Options in the Control Panel. On the View tab make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files and hide known extensions are not checked. Click APPLY.

copy and paste the following into a new notepad

@echo off
dir "C:\Documents and Settings\All Users\Application Data\TEMP" >> look.txt
start look.txt

Save it to your desktop, name it look.bat, set the file type as all files, and click ok. You should have a file on your desktop with the icon shown at the bottom of this post.

Double click it, a note pad will appear, save it to your desktop so you can attach it to your next reply.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

Folder:: C:\WINDOWS\system32\drivers\down

This will start ComboFix again. Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Gentlepeople,

Don’t worry, ABNamro is indeed my home-page. I also managed to install spybot (as you have seen) and Avast again.

Made the *.bat file and ran combofix, the results are attached.

Thanks,

Danny

Just about done

Open HJT, run a system scan only, check mark these lines if present

O4 - HKCU\..\Run: [LDM] \Program

Close all other browsers/windows, click fix, close HJT

Click start button, click run, copy and paste this line into the box and click ok

combofix /u

  1. Please download OTMoveIt by OldTimer. Save it to your desktop and double-click OTMoveIt.exe to run it, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

  2. RE-run that cleanup program that I had you download when we started (not the OTMOVEIT one)

  3. Re-enable teatimer

  4. Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, click create

  5. Remove old restore points

Disk Cleanup

  • Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

It looks like you are using windows firewall. It doesn’t provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

You can also delete any logs, notepads, etc. that you may have left that were created during this.

Take care and keep safe. :smiley:

Dear all,

Thanks for all the help, I could not have done it without you.

Kind regards,

Danny
(installed sygate)

You’re welcome. 8)

:slight_smile: Hi :

 Since you have selected Sygate as your firewall, it would be wise to use
 the Info in the "Sygate SetUp Guide" available at
 www.kotiposti.net/string/SPF_eng/SPFGuide.html ; of course, you should
 skip the "Installation" section & start with the "Configuration" section .