
Infection that prevents me from doubleclicking on the desktop (computer reboots)


This topic is locked
4 replies to this topic

#1 cocoggfr

cocoggfr

  • Members
  • 2 posts
  • OFFLINE
  • Local time: 09:07 PM

Posted 21 December 2013 - 05:59 PM

Hello,

The computer I am taking care of is my father's and I am staying at his home until the 27th of December (and I doubt he will be able to fix the problem by himself), so I know this is probably not the best time of the year, but it would be great if someone could have a look at my post before I leave... :)

So here is the problem: since the last update of Avast (a few days ago), whenever double-clicking on the desktop, the computer reboots (I also tried the winkey+E -> reboots, but winkey+R works and I am able to launch programs using the cmd window).

I doubt Avast is responsible for the problem but, more likely, the virus "sneaked in" during the update.

 

In safe mode, I tried to fix his problem with the following programs:

  • RogueKiller -> found a key that was a false positive (IMHO) (log attached below)
  • Avenger2 -> didn't find any rootkit
  • HiJackThis and OTL -> returned a log file. As they are too complicated for what I know, I wasn't able to find any suspicious element in them (logs attached below)
  • MBAM -> found and deleted 9 threats, but the reboot problem is still here when I double-click on the desktop (log attached below).

I was able to run the following programs in "normal mode" (using the command window), but they crashed during the scans (the computer rebooted at some point, before fixing anything):

  • SUPERAntiSpyware
  • TDSSKiller

I tried to install ComboFix but it freezes at approximately 50% of the installation process.

 

I hope you will be able to solve the problem!

Thank you in advance for whatever you can do for us! And thank you for spending some time helping us, especially at this time of the year...

 

*********

 

Here is the content of the DDS.txt log (sorry, some parts are in French, feel free to ask me if you need them to be translated):

 

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.45.2
Run by Propriétaire at 23:16:45 on 2013-12-21
Microsoft Windows XP Édition familiale  5.1.2600.3.1252.33.1036.18.1279.660 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Free Firewall Firewall *Enabled*
.
============== Running Processes ================
.
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.fr/
uSearch Bar = hxxp://search.ke.voila.fr/S/voila?kw=
uDefault_Page_URL = hxxp://qfr10.hpwis.com/
uDefault_Search_URL = hxxp://srch-qfr10.hpwis.com/
mSearch Bar = hxxp://srch-qfr10.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: Search Class: {08C06D61-F1F3-4799-86F8-BE1A89362C85} - c:\program files\orangehss\searchurlhook\SearchPageURL.dll
BHO: Aide pour le lien d'Adobe PDF Reader: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Zonealarm Helper Object: {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - c:\program files\check point software technologies ltd\zonealarm\1.8.21.15\bh\zonealarm.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: PlusIEEventHelper Class: {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - c:\program files\nuance\pdf viewer plus\bin\PlusIEContextMenu.dll
BHO: ZoneAlarm Do Not Track Me: {6E45F3E8-2683-4824-A6BE-08108022FB36} - c:\program files\check point software technologies ltd\zonealarm\abinesdk\ie\DNTPAddon.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: ZoneAlarm Security Toolbar: {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - c:\program files\check point software technologies ltd\zonealarm\1.8.21.15\zonealarmTlbr.dll
TB: avast! Online Security: {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [RecordNow!] <no file>
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [CamMonitor] c:\program files\hp\digital imaging\unload\hpqcmon.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [UpdateManager] "c:\program files\fichiers communs\sonic\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [MessagerStarter Wanadoo] c:\progra~1\messag~1\StartMessager.exe Messager Wanadoo
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ORAHSSSessionManager] "c:\program files\orangehss\sessionmanager\SessionManager.exe"
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [IndexSearch] "c:\program files\nuance\paperport\IndexSearch.exe"
mRun: [PaperPort PTD] "c:\program files\nuance\paperport\pptd40nt.exe"
mRun: [PPort12reminder] "c:\program files\nuance\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\12\config\ereg\Ereg.ini"
mRun: [PDFHook] c:\program files\nuance\pdf viewer plus\pdfpro5hook.exe
mRun: [PDF5 Registry Controller] c:\program files\nuance\pdf viewer plus\RegistryController.exe
mRun: [ControlCenter4] c:\program files\controlcenter4\BrCcBoot.exe /autorun
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
mRun: [Adobe ARM] "c:\program files\fichiers communs\adobe\arm\1.0\AdobeARM.exe"
mRun: [ISW] c:\program files\checkpoint\zaforcefield\ForceField.exe /icon="hidden"
mRun: [APSDaemon] "c:\program files\fichiers communs\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\fichiers communs\java\java update\jusched.exe"
mRun: [20131121] c:\program files\avast software\avast\setup\emupdate\bec540a3-4c49-402d-a529-1b811d7297ee.exe /check
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Convertir en Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir en un fichier PDF existant - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir la cible du lien en Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir la cible du lien en un fichier PDF existant - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir la sélection en Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir la sélection en un fichier PDF existant - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir les liens sélectionnés en fichier Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convertir les liens sélectionnés en un fichier PDF existant - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Ouvrir avec PDF Viewer Plus - c:\program files\nuance\pdf viewer plus\bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: mappy.com
Trusted Zone: orange.fr
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212245825156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{10A92EDD-8D2E-471A-B465-06E0B512B630} : DHCPNameServer = 192.168.1.1 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\31.0.1650.63\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2013-6-19 527976]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-10-10 120088]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
S0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2013-3-10 49944]
S0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2013-3-10 180248]
S0 hoyev;hoyev;c:\windows\system32\drivers\dtmmugkt.sys --> c:\windows\system32\drivers\dtmmugkt.sys [?]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-4-8 775952]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [2012-4-8 410528]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-3-10 67824]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-4-8 50344]
S2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-11-3 27056]
S2 MSDisk;Network helper Service;"c:\windows\system32\irdvxc.exe" /service --> c:\windows\system32\irdvxc.exe [?]
S2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files\nuance\paperport\PDFProFiltSrvPP.exe [2010-3-9 144672]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2013-8-14 39056]
S2 ZAPrivacyService;ZoneAlarm Privacy Service;c:\program files\checkpoint\zonealarm\ZAPrivacyService.exe [2013-6-18 54160]
S3 83351531;83351531; [x]
S3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2012-2-1 245760]
.
=============== Created Last 30 ================
.
2013-12-21 20:56:51 -------- d-----w- c:\documents and settings\propriétaire\application data\Malwarebytes
2013-12-21 20:56:43 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-12-21 20:56:42 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-12-21 20:56:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-12-21 20:01:42 204896 ----a-w- c:\windows\system32\drivers\34837591.sys
2013-12-21 18:38:02 -------- d-----w- C:\SUPERDelete
2013-12-21 18:27:38 -------- d-----w- c:\documents and settings\propriétaire\application data\SUPERAntiSpyware.com
2013-12-21 18:26:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-12-21 18:26:58 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2013-12-20 19:35:53 -------- d-----w- C:\UsbFix
.
==================== Find3M  ====================
.
2013-12-18 19:16:27 775952 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-12-18 19:16:27 180248 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-12-18 19:16:26 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-12-18 19:16:26 43152 ----a-w- c:\windows\avastSS.scr
2013-12-11 21:52:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 21:52:46 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-11-13 02:59:28 150528 ----a-w- c:\windows\system32\imagehlp.dll
2013-11-07 05:38:51 591360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-06 01:36:42 7680 ----a-w- c:\windows\system32\xpsp4res.dll
2013-10-30 02:51:58 1879168 ----a-w- c:\windows\system32\win32k.sys
2013-10-29 07:57:02 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-29 07:57:02 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-10-29 07:57:02 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-10-29 07:57:01 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-29 00:45:17 385024 ----a-w- c:\windows\system32\html.iec
2013-10-23 23:45:43 172032 ----a-w- c:\windows\system32\scrrun.dll
2013-10-22 09:35:48 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-10-22 09:35:38 145408 ----a-w- c:\windows\system32\javacpl.cpl
2013-10-21 19:33:31 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-10-14 17:41:58 104752 ----a-w- c:\windows\system32\drivers\aswFW.sys
2013-10-12 15:56:10 279552 ----a-w- c:\windows\system32\oakley.dll
2013-10-09 13:12:39 287744 ----a-w- c:\windows\system32\gdi32.dll
2013-10-07 10:59:15 610304 ----a-w- c:\windows\system32\crypt32.dll
.
============= FINISH: 23:17:06,85 ===============
#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  • Gender: Male
  • Location: Montreal, QC. Canada
  • Local time: 04:07 PM

Posted 26 December 2013 - 10:19 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Nothing suspicious was found on your logs.

Run OTL - Double-click OTL.exe to start it.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\irdvxc.exe /service -- (MSDisk)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand | Unknown] --  -- (TrueSight)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\dtmmugkt.sys -- (hoyev)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (83351531)
O4 - HKU\S-1-5-21-4272282039-1579389402-1806092646-1003..\Run: [RecordNow!]  File not found

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Uncheck the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
Restart the computer normally.
===

As for the problem with the Desktop try this fix.

Go to start, control panel, display
go to the desktop tab,
click the "customize desktop" button
go to the web tab in the new window that comes up.
uncheck everything you find there
also delete everything there except for "desktop" (which you won't be able to delete anyway).
Restart the Computer normally.

Or

Go to the Control Panel and choose Display (it may be under the Appearance and Themes section). Go to the Desktop tab. Click on the Customize Desktop button. Next, go to the Web tab and uncheck anything that might be checked there (it will probably be called "security"). Click OK and reboot your computer.

===

It could very well be that one of the .lnk icons is damaged.
I would copy them to a temporary folder and delete them from the desktop.

If all is well then copy them back one by one until you find the culprit.
===

Post the logs.

Hope that helps.
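
Added example, not part of this thread and not code from the DDS or OTL tools: a small Python triage script that reads the SERVICES / DRIVERS section of a DDS log like the one in post #1, flags every entry whose image file DDS could not find (`--> ... [?]`) or that has no image path at all (`[x]`), and checks which of those names the `:OTL` fix in post #2 acts on. The sample lines are copied from the two posts; the status categories, the start-type table and the regexes are this example's own reading of the DDS and OTL line formats, an assumption rather than a published specification.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log against an OTL fix list.

Added example; the thread contains no code. Sample lines are copied from the
DDS log (post #1) and the :OTL fix (post #2). The parsing rules below are an
assumed reading of those line formats, not a published DDS/OTL specification.
"""
import re
from typing import Dict, List, Set

# Copied from the DDS log in post #1 (a subset of its SERVICES / DRIVERS section).
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
.
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2013-6-19 527976]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
S0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2013-3-10 49944]
S0 hoyev;hoyev;c:\windows\system32\drivers\dtmmugkt.sys --> c:\windows\system32\drivers\dtmmugkt.sys [?]
S2 MSDisk;Network helper Service;"c:\windows\system32\irdvxc.exe" /service --> c:\windows\system32\irdvxc.exe [?]
S3 83351531;83351531; [x]
S3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2012-2-1 245760]
"""

# Copied from the :OTL fix in post #2 (a subset).
SAMPLE_OTL = r"""
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\irdvxc.exe /service -- (MSDisk)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\dtmmugkt.sys -- (hoyev)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (83351531)
"""

# Conventional reading of the two-character prefix: R = running, S = stopped,
# digit = Windows service start type (assumed mapping, not stated in the thread).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "on-demand", "4": "disabled"}

DDS_LINE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
PRESENT = re.compile(r"\[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$")
OTL_NAME = re.compile(r"--\s*\((?P<name>[^)]+)\)$")


def parse_dds_services(text: str) -> List[Dict]:
    """Return one dict per service/driver line; headers and dots are ignored."""
    entries = []
    for raw in text.splitlines():
        m = DDS_LINE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        entry = {"name": m.group("name").strip(), "display": m.group("display").strip(),
                 "running": m.group("state") == "R",
                 "start": START_TYPES.get(m.group("start"), "unknown"),
                 "path": rest, "status": "unparsed", "date": None, "size": None}
        if rest == "[x]":
            # No image path at all: the registry entry points nowhere.
            entry["status"], entry["path"] = "no-image-path", ""
        elif "-->" in rest and rest.endswith("[?]"):
            # DDS resolved the command line to a path but found no file there.
            entry["status"] = "file-not-found"
            entry["path"] = rest.split("-->", 1)[1].rsplit("[?]", 1)[0].strip()
        else:
            p = PRESENT.search(rest)
            if p:
                # File exists; DDS appends its modification date and size.
                entry["status"], entry["path"] = "present", rest[: p.start()].strip()
                entry["date"], entry["size"] = p.group("date"), int(p.group("size"))
        entries.append(entry)
    return entries


def flag_missing(entries: List[Dict]) -> List[Dict]:
    """Entries that load something DDS could not find on disk."""
    return [e for e in entries if e["status"] in ("file-not-found", "no-image-path")]


def parse_otl_fix_names(text: str) -> Set[str]:
    """Service/driver names an :OTL fix acts on, taken from the trailing '-- (Name)'."""
    names = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("SRV -", "DRV -")):
            m = OTL_NAME.search(line)
            if m:
                names.add(m.group("name"))
    return names


def uncovered(entries: List[Dict], fix_names: Set[str]) -> List[str]:
    """Flagged DDS entries the fix list does not mention, for a human to look at."""
    return sorted(e["name"] for e in flag_missing(entries) if e["name"] not in fix_names)


def triage(dds_text: str, otl_text: str) -> Dict[str, List[str]]:
    """Summarise which flagged entries the fix covers and which it leaves alone."""
    entries, fix = parse_dds_services(dds_text), parse_otl_fix_names(otl_text)
    flagged = [e["name"] for e in flag_missing(entries)]
    return {"flagged": flagged, "covered": [n for n in flagged if n in fix],
            "uncovered": uncovered(entries, fix)}


if __name__ == "__main__":
    for e in flag_missing(parse_dds_services(SAMPLE_DDS)):
        print(f"{e['name']:<10} start={e['start']:<9} {e['status']:<15} {e['path']}")
    print(triage(SAMPLE_DDS, SAMPLE_OTL))
```

On the sample the script flags four entries (vsmon, hoyev, MSDisk, 83351531); three appear in the fix list and vsmon does not. vsmon.exe is ZoneAlarm's TrueVector monitor, and `[?]` only says that DDS found no file at the path it derived from the command line, so a flagged status is a prompt to read the rest of the log, not a verdict; which entries end up in the fix is the analyst's call.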

#3 cocoggfr

cocoggfr
  • Topic Starter
  • Members
  • 2 posts
  • OFFLINE
  • Local time: 09:07 PM

Posted 26 December 2013 - 10:50 AM

Hello nasdaq,

Thank you very much for helping us.
I ended up uninstalling Avast yesterday (in safe mode) and installed AVG instead and... guess what: the computer works like a charm.

I ran NPE and TDSSKiller after the change. I also scanned all the drives and USB keys used here.
In both cases, I didn't find anything.

I didn't update my post because I wasn't sure the computer was fine but, as you wrote "Nothing suspicious was found on your logs.", I think we can consider our problem solved.

I will keep your suggestions in mind regarding the Desktop problem in case the problem appears again (which is very unlikely, IMO). Thank you for advising AdwCleaner too.

Thank you again for your time. I hope this post will help other people if some encountered the same problem during the Avast update of the 2013-12-19!

Best,

C.

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  • Gender: Male
  • Location: Montreal, QC. Canada
  • Local time: 04:07 PM

Posted 26 December 2013 - 01:27 PM

Thank you for the feedback.

I'm closing this topic.

#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  • Gender: Male
  • Location: Montreal, QC. Canada
  • Local time: 04:07 PM

Posted 26 December 2013 - 01:27 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.