Ok, so basically I think I was infected with a really bad form of that go.google.com redirecting virus (mine used web-analytics.google.com) that also made my explorer.exe constantly crash and reboot itself (it actually seemed like it was being closed while functional, as no error message ever popped up, and I could access my desktop/folders for like 5 seconds or so between each crash/reboot). When I manually closed explorer.exe in Task Manager, it stopped rebooting.
Since I couldn't access any anti-virus downloads (redirected to ad sites by the virus), I went with the only solution I could find that didn't require accessing a 3rd party program, which was to disable some "TDSSserv.sys" in Device Manager. Once I did, and restarted, my internet stopped working. I then tried to access Safe Mode (with and without Networking) to no avail. It freezes somewhere around the login screen (sometimes it freeze before I click which user to log in, sometimes it freezes as far as after I say "yes" to continue in safe mode and not attempt system restore, but it ALWAYS freezes. I tried at least 20 times).
To sum it up, my explorer.exe closes/reboots every 10 seconds, my internet doesn't work (I can't access my router through Firefox, if that says anthing about the source), and I can't start in Safe Mode. Oh, and logging in normally only works like once every ten tries (freezes like when I attempt to start in Safe Mode, except sometimes I get lucky, if you wanna call it that).
Oh yeah, I tried reenabling and uninstalling (it reinstalled itself) that "TDSServ.sys" thing. Nothing changed.
Help?

 

If you have access to another computer, and USB Stick, do this -

 

 

Double-click on the combofix icon found on your desktop.

 

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.  

 When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply.

 

It is possible you´ll have to do it from safe mode.

---

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

 

 

ComboFix 08-12-13.03 - Michael 2008-12-13 21:53:36.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic   6.0.6000.0.1252.1.1033.18.1022.537 [GMT -5:00]
Running from: c:\users\Michael\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
C:\resycled
c:\resycled\boot.com
c:\windows\system32\pac.txt
D:\resycled
d:\resycled\boot.com

----- BITS: Possible infected sites -----

hxxp://theinstalls.com
hxxp://78.157.143.163
hxxp://91.203.93.6
.
(((((((((((((((((((((((((   Files Created from 2008-11-14 to 2008-12-14  )))))))))))))))))))))))))))))))
.

2008-12-07 13:22 . 2008-12-13 00:43 122,801,072 --a------ c:\windows\MEMORY.DMP
2008-12-06 19:18 . 2008-12-06 19:18 29,184 --a------ c:\windows\System32\drivers\Ndisprot.sys
2008-12-06 19:13 . 2008-12-06 19:14 34,308 --a------ c:\windows\System32\Chip.dll
2008-12-06 19:13 . 2008-12-06 19:14 22,004 --a------ c:\windows\System32\Pvt.tmp
2008-12-06 16:54 . 2008-12-06 16:54 <DIR> d-------- c:\program files\Acoustica Shared Effects
2008-12-06 16:46 . 2008-12-06 16:55 <DIR> d-------- c:\program files\Acoustica Mixcraft 4
2008-12-06 15:54 . 2008-12-06 20:48 <DIR> d-------- c:\program files\Red Kawa
2008-12-06 15:54 . 2008-12-06 15:54 <DIR> d-------- c:\program files\AviSynth 2.5
2008-12-06 15:53 . 2008-12-06 15:53 <DIR> d-------- C:\OpenCandy
2008-12-06 15:02 . 2008-12-06 15:02 <DIR> d----c--- c:\windows\System32\DRVSTORE
2008-12-06 15:02 . 2008-04-17 13:12 107,368 --a------ c:\windows\System32\GEARAspi.dll
2008-12-06 15:02 . 2008-04-17 13:12 15,464 --a------ c:\windows\System32\drivers\GEARAspiWDM.sys
2008-12-06 15:01 . 2008-12-06 15:02 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 15:01 . 2008-12-06 15:02 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 15:01 . 2008-12-06 15:02 <DIR> d-------- c:\program files\iTunes
2008-12-06 15:01 . 2008-12-06 15:01 <DIR> d-------- c:\program files\iPod
2008-12-06 14:57 . 2008-12-06 14:57 <DIR> d-------- c:\program files\Bonjour
2008-12-06 14:55 . 2008-12-06 14:56 <DIR> d-------- c:\program files\QuickTime
2008-12-06 12:23 . 2008-12-08 19:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-06 12:15 . 2008-12-06 12:15 69,128 --a------ c:\windows\System32\drivers\avgwfpx.sys
2008-12-06 12:15 . 2008-12-06 12:15 10,520 --a------ c:\windows\System32\avgrsstx.dll
2008-12-06 12:14 . 2008-12-06 17:46 <DIR> d-------- c:\windows\System32\drivers\Avg
2008-12-06 12:14 . 2008-12-06 12:14 97,928 --a------ c:\windows\System32\drivers\avgldx86.sys
2008-12-06 12:13 . 2008-12-07 12:49 <DIR> d-------- c:\users\All Users\avg8
2008-12-06 12:13 . 2008-12-07 12:49 <DIR> d-------- c:\programdata\avg8
2008-12-06 12:13 . 2008-12-06 12:13 <DIR> d-------- c:\program files\AVG
2008-12-05 11:42 . 1998-10-29 15:45 306,688 --a------ c:\windows\IsUninst.exe
2008-12-05 11:42 . 2002-12-17 16:23 33,340 --------- c:\windows\System32\dbmsqlgc.dll
2008-12-05 11:42 . 2002-10-20 14:05 24,576 --------- c:\windows\System32\dbmsgnet.dll
2008-12-05 11:42 . 2008-12-05 11:42 20,480 --a------ c:\windows\System32\cliconfg.728
2008-12-05 11:41 . 2008-12-05 11:41 <DIR> d-------- c:\program files\Microsoft SQL Server
2008-12-05 11:37 . 2008-12-05 11:37 <DIR> d-------- c:\users\All Users\Sony
2008-12-05 11:37 . 2008-12-05 11:37 <DIR> d-------- c:\programdata\Sony
2008-12-05 10:41 . 2008-12-06 16:42 <DIR> d-------- c:\users\Michael\AppData\Roaming\Sony
2008-12-05 10:41 . 2008-12-05 10:41 <DIR> d-------- c:\users\Michael\AppData\Roaming\Publish Providers
2008-12-05 10:41 . 2008-12-05 10:41 <DIR> d-------- c:\users\Michael\AppData\Roaming\NetMedia Providers
2008-12-05 10:38 . 2008-12-05 12:30 <DIR> d-------- c:\program files\Sony
2008-12-05 10:36 . 2008-12-05 11:54 <DIR> d-------- c:\program files\Sony Setup
2008-11-28 17:38 . 2008-11-28 17:38 <DIR> d-------- c:\users\Guest\AppData\Roaming\Webroot
2008-11-28 17:37 . 2008-11-28 17:37 <DIR> dr------- c:\users\Guest\Searches
2008-11-28 17:37 . 2008-11-28 17:37 <DIR> dr------- c:\users\Guest\Contacts
2008-11-28 17:36 . 2008-11-28 17:37 <DIR> dr------- c:\users\Guest\Videos
2008-11-28 17:36 . 2008-11-28 17:37 <DIR> dr------- c:\users\Guest\Saved Games
2008-11-28 17:36 . 2008-12-02 03:41 <DIR> dr------- c:\users\Guest\Pictures
2008-11-28 17:36 . 2008-11-28 17:37 <DIR> dr------- c:\users\Guest\Music
2008-11-28 17:36 . 2008-11-28 17:37 <DIR> dr------- c:\users\Guest\Links
2008-11-28 17:36 . 2008-11-28 17:37 <DIR> dr------- c:\users\Guest\Downloads
2008-11-28 17:36 . 2008-11-28 17:37 <DIR> dr------- c:\users\Guest\Documents
2008-11-28 17:36 . 2008-11-28 17:37 <DIR> d--h----- c:\users\Guest\AppData
2008-11-28 17:36 . 2008-12-06 15:56 <DIR> d-------- c:\users\Guest
2008-11-27 22:26 . 2008-11-27 22:24 410,976 --a------ c:\windows\System32\deploytk.dll
2008-11-25 14:29 . 2008-11-25 14:29 <DIR> d-------- c:\users\Michael\AppData\Roaming\Audio Editor Deluxe
2008-11-25 14:14 . 2008-10-21 00:16 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-25 14:14 . 2008-08-27 22:24 712,192 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-25 14:14 . 2008-08-27 22:24 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-25 14:14 . 2008-08-27 22:24 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-25 14:14 . 2008-10-21 22:43 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-25 14:14 . 2008-10-21 22:43 160,768 --a------ c:\windows\System32\PortableDeviceTypes.dll
2008-11-25 14:14 . 2008-10-21 22:43 95,232 --a------ c:\windows\System32\PortableDeviceClassExtension.dll
2008-11-21 23:50 . 2008-11-21 23:50 <DIR> d-------- c:\program files\ASIO4ALL v2
2008-11-17 16:26 . 2008-11-17 16:26 <DIR> d-------- c:\users\Michael\AppData\Roaming\dvdcss
2008-11-17 16:24 . 2008-11-17 16:24 <DIR> d-------- c:\users\Michael\AppData\Roaming\vlc
2008-11-17 16:22 . 2008-11-17 16:22 <DIR> d-------- c:\program files\VideoLAN
2008-11-17 16:13 . 2008-11-17 16:13 60 --a------ c:\windows\WININIT.INI
2008-11-16 14:42 . 2008-11-17 15:26 <DIR> d-------- c:\users\All Users\Cakewalk
2008-11-16 14:42 . 2008-11-17 15:26 <DIR> d-------- c:\programdata\Cakewalk

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-10 21:25 --------- d-----w c:\users\Michael\AppData\Roaming\BitTorrent
2008-12-07 17:44 --------- d-----w c:\program files\V CAST Music with Rhapsody
2008-12-06 20:01 --------- d-----w c:\program files\Common Files\Apple
2008-12-04 08:37 --------- d-----w c:\program files\Xilisoft
2008-11-28 03:24 --------- d-----w c:\program files\Java
2008-11-18 01:42 --------- d-----w c:\program files\VST Plugins
2008-11-17 20:15 --------- d-----w c:\users\Michael\AppData\Roaming\Cakewalk
2008-11-08 20:48 118,784 ----a-w c:\windows\dsdxirmv.exe
2008-11-08 20:28 --------- d-----w c:\users\Michael\AppData\Roaming\NCH Swift Sound
2008-11-08 20:21 --------- d-----w c:\users\Michael\AppData\Roaming\Recordpad
2008-11-08 20:21 --------- d-----w c:\programdata\NCH Swift Sound
2008-11-08 20:21 --------- d-----w c:\program files\NCH Software
2008-11-04 03:19 4,608 ----a-w c:\windows\System32\w95inf32.dll
2008-11-04 03:19 2,272 ----a-w c:\windows\System32\w95inf16.dll
2008-10-26 05:07 --------- d-----w c:\program files\Syncrosoft
2008-10-26 04:35 --------- d-----w c:\users\Michael\AppData\Roaming\Steinberg
2008-10-26 04:24 --------- d-----w c:\programdata\Steinberg
2008-10-26 04:18 2,892 ----a-w c:\windows\System32\audcon.sys
2008-10-26 04:18 --------- d-----w c:\programdata\Syncrosoft
2008-10-26 02:46 --------- d-----w c:\users\Michael\AppData\Roaming\Deckadance
2008-10-21 18:56 --------- d-----w c:\program files\Image-Line
2008-10-21 18:48 --------- d-----w c:\programdata\Adobe Systems
2008-10-16 22:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
2008-10-16 21:56 31,232 ----a-w c:\windows\System32\wuapp.exe
2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
2008-10-15 16:06 --------- d-----w c:\program files\Windows Mail
2008-10-02 03:49 826,368 ----a-w c:\windows\System32\wininet.dll
2008-10-02 03:49 56,320 ----a-w c:\windows\System32\iesetup.dll
2008-10-02 03:49 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-10-02 03:48 26,624 ----a-w c:\windows\System32\ieUnatt.exe
2008-09-18 04:35 3,505,208 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 04:35 3,470,904 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 02:03 2,027,520 ----a-w c:\windows\System32\win32k.sys
2008-08-10 06:45 174 --sha-w c:\program files\desktop.ini
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-08-10 1232896]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-27 136600]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-06 1261336]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 5367664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{8D470BBC-F88D-45C4-AFD2-F14E291096AB}c:\\program files\\frostwire\\frostwire.exe"= UDP:c:\program files\frostwire\frostwire.exe:FrostWire
"UDP Query User{D04247EB-4844-48DC-9FE4-56293DF0F45F}c:\\program files\\frostwire\\frostwire.exe"= TCP:c:\program files\frostwire\frostwire.exe:FrostWire
"{44BE1F2B-F89E-411A-A316-F386928A8559}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{F0DA0F1F-C7C7-4E75-9AEC-334358218F4D}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{51DF0441-3E85-4423-8196-CB05799DC2BF}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{45D63BFC-EE4A-4A8D-976C-CE513559F166}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"TCP Query User{B073F3DD-0F11-4087-943D-3816C72C6AD5}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{17E09F17-DB7D-489B-B474-BCA36A2A34B6}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"{33D7DDDF-1FB2-4598-988F-B8378664A4D2}"= UDP:c:\program files\V CAST Music with Rhapsody\rhapsody.exe:Rhapsody Media Player
"{C23768FB-D6ED-4CED-BE5B-B7A719453CE9}"= TCP:c:\program files\V CAST Music with Rhapsody\rhapsody.exe:Rhapsody Media Player
"TCP Query User{4068B70D-AC7D-40DC-B6DB-FE361E855362}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{144335D6-CA88-4BD2-862E-B8F56987E242}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"{1C49C63D-F223-4864-9F0E-FDF042B6CB41}"= UDP:c:\windows\System32\dlcccoms.exe:Dell 924 Server
"{F3B7A6D3-F54A-4E52-882A-C09D029AF795}"= TCP:c:\windows\System32\dlcccoms.exe:Dell 924 Server
"{771B7E9B-B7C1-4EF4-B008-3B85E15483D6}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{A3A2E7B8-3A27-4E8D-9ED0-FFF360305A44}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{8EBC925F-CC47-4E72-A89E-026115931142}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E29CCE5A-3C57-443A-AD9E-45B368FCD68F}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{0EAB2E34-A70F-413D-B2B6-26BE302CD552}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{853E8355-9F09-406E-AE98-5E07E29CD37F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-06 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-06 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-06 231704]
R3 AvgWfpX;AVG Free8 Firewall Driver x86;c:\windows\system32\Drivers\avgwfpx.sys [2008-12-06 69128]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\DRIVERS\cledx.sys [2008-08-20 33792]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys [2008-08-20 23288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ    PLA DPS BFE mpssvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a5cbb89-6684-11dd-8554-0019b9713409}]
\shell\AutoRun\command - Autorun.exe /run
\shell\Shell00\Command - Autorun.exe /run
\shell\Shell01\Command - Autorun.exe /action
\shell\Shell02\Command - Autorun.exe /uninstall

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-14 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe []

2008-12-04 c:\windows\Tasks\wrSpySweeper_LA9CB9E2ED6644FBF834CFD5C772563CA.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 22:56]

2008-12-04 c:\windows\Tasks\wrSpySweeper_LA9CB9E2ED6644FBF834CFD5C772563CA.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 22:56]

2008-12-04 c:\windows\Tasks\wrSpySweeper_LA9CB9E2ED6644FBF834CFD5C772563CA.job
- c:\","d:\","E:\" []
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{FF6BF7D2-D07A-49DD-B73C-C207FC130B61} - (no file)
ShellExecuteHooks-{2E88B5AE-9737-415B-BE30-371B8E5DC001} - c:\windows\system32\mlJYQghG.dll

 

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 21:58:58
Windows 6.0.6000  NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(640)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-12-13 22:03:38
ComboFix-quarantined-files.txt  2008-12-14 03:03:36

Pre-Run: 19,822,829,568 bytes free
Post-Run: 20,018,843,648 bytes free

225 --- E O F --- 2008-12-04 07:25:36