Hello, had these problems and found this site to upload my hijackthis log.
problems:
explorer.exe restarting and the first two google/yahoo searches redirect to something like h33p://go.google.com/?u=etc etc or h33p://go.yahoo.com/?u=etc etc
thanks for any help
EDIT: "regedit" doesn't work. There is a popup window saying:
"Registry editing has been disabled by your administrator"
which I (as admin) haven't done such a thing, and on the other hand my account is an admin account.
I have tried "UnHookExec.ini" under safe mode and then I could use regedit as usual, but when I go to normal mode again I can't exec regedit.
EDIT2: I managed to run SuperAntiSpyware (had to change the name of the .exe file) and removed some vundo and other types of trojan.
The explorer.exe does not restart now, but the regedit and the google/yahoo search problems persist. Also there are popups from IE with adverts.
Then executed hijackthis again (crusty.exe) and I have attached/replaced the log file on this post.
EDIT3: I just managed to install and run MBAM. Here is a full list of my log files from these three programs.
Also I am not able to run any updates on antivirus, antispyware or zonealarm.
Found by Zonealarm (all deleted):
Kazaa Lite goop 28 on HKCU\Software\Kazaa (Directory: C:\Windows\Downloaded Installations)
P2P-Worm.Win32.Logpole.c on HKCU\Software\Kazaa\LocalContent
Atdmt on C:\Document and Settings\Thodoris\Cookies\thodoris@atdmt[1].txt
Doubleclick on C:\Document and Settings\Thodoris\Cookies\thodoris@doubleclick[1].txt
Found from Avast:
C:\Documents and Settings\Thodoris\My Documents\My Music\Ksena\zzz resto\Coldplay - Viva La Vida [2008] 320Kbps\10 Coldplay - Death And All His Friends.mp3 (WMA:Wimad [Drp])
C:\System Volume Information\_restore{874739E1-1326-4F8C-AF06-1BB687DC90B1}\RP224\A0050737.dl (Win32:Lighty-G [Cryp])
C:\WINDOWS\system32\jhsrf832jbnefe.dll (Win32:Lighty-G [Cryp])
C:\Documents and Settings\Nikoula\Local Settings\Application Data\Opera\Opera\profile\cache4\opr000XR (JS:Agent-CK [Trj])
C:\Avenger\TDSSnjaa.sys (Win32:Tidserv [Trj])
C:\System Volume Information\_restore{874739E1-1326-4F8C-AF06-1BB687DC90B1}\RP224\A0050852.sys (used to have that Win32:Tidserv [Trj] but I rescanned and it's clean now... I didn't clean it)
All the above files from Avast are in the chest now