Here is the log, help would be very much appreciated:

Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:36:10, on 10/03/2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18565)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\Registration\ToshibaRegistration.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [HTC Sync Loader] "C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup
O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: TRDCReminder.lnk = C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe (User 'Default user')
O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\Windows\system32\libusbd-nt.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\Windows\runservice.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Notebook Performance Tuning Service  (TempoMonitoringService) - Toshiba Europe GmbH - C:\Program Files\Toshiba TEMPRO\TempoSVC.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4651 bytes
 
Can't really tell, it restarts too quickly.

The problem is this "physicaldrive0 tdl4" or something like that, which avast finds every time; I delete it and restart, but avast finds it again and it keeps coming back.

Also it randomly opens up a new tab in Firefox when I'm on the internet, which avast blocks. Then it'll blue screen shortly after.
 
Avast can't catch malware and spyware, so I'd suggest using any other antivirus. Also, many viruses list themselves in the 'exceptions' of the antivirus software, so that may be one of the reasons why it can't detect it.
 
Thanks for all the help, I think it's fixed now. I googled the problem and it came up with the avast forums, and it said to run a programme which found and fixed the tdl4 thing. No problems since then, so I think it's fixed. Cheers for the help :)
 
Something that has been bugging me for a while - is there any way to force a program to use Aero in Windows 7?

I have the one program I use frequently that doesn't support it by default, but if I kill the dwm.exe process, then the program works fine without the basic style.

Every search I do for this on Google just is for people wanting to get the Aero to run in the first place, that isn't my problem, I just want to make a program that works fine in Aero when dwm is restarted work fine when I run it.
 
You mean to say, if the dwm is restarted, the program runs in Aero, but if it is run as is, it runs in basic?
That's funny.. have you tried running the program in compatibility mode?

----------

Have you tried looking at the registries of the software? There might be something that's forcing it to run in Basic or Aero?

----------

You might want to try the aero hacks available..

Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM (if this key doesn’t exist, create it)

Create a new DWORD (32-bit value) of UseMachineCheck, and set its value to 0.


----------

Also came across this: Hacking Windows 7 beta problems - Computerworld Blogs Couldn't be bothered to read the entire thing :p Give it a go

----------

Hi all, had the same exact problem with Aero: it started running for a second, then the screen flashed and the service quit with error (0x...), and then of course it is not running, so the Aero troubleshooter thinks dwm is disabled but it's not.
Microsoft put out a statement that after looking at the issue it is caused by a glitch between the Windows 7 OS and some manufacturers' motherboards with nvidia/ati chipsets that have S3 power management. SO ... what I did to fix it:

Disable windows desktop manager service
Restart
BIOS --> change power management so that S3 is DISABLED! Only allow S1 (POS) power mode or all OFF
Restart
Windows loads and ACPI notices hardware changes, allow reboot
Restart
Start up cmd.exe as Administrator and type in the following
sc config uxsms start= auto
net start uxsms
BINGO --> aero is running and stable should never halt now..

I think the issue was that the Aero service on start wants to briefly put the display device in S3 suspend mode just for a millisecond, but when I went to properties on my video card and went to device details and then 'power data', it lists the power capabilities and shows that S0 and S1 are supported (mapped to ON/OFF) BUT NO support for S3 (shows --> "S3-> Unsupported"), so I think since Aero was some crappy little peon service yet had to handle a major unhandled exception by the big dog video card, it just dumps the error to Windows and so the service is stopped on error. I bet Microsoft will throw a fix for certain S3-unsupported vid cards/motherboards/chipsets at some point (hopefully); though I didn't care not to have S3 cuz I use my system hardcore style so turned all that power management crap off. good luck..

Also, this seems really interesting!

----------

Sorry for such a fragmented reply.. That's how I roll :spy

You might want to search using the name of the software, rather than aero in general, because that would streamline the results.
 
Ah! Solved it. The solution was renaming the exe to something else. Works fine now.
 
Did it get registered in some kind of exceptions of the DWM?
Probably, the little 'why is this happening' balloon popped up previously and mentioned stuff about the program, and I remember it not working with DWM in Vista (part of the reason I switched back to XP at the time). But obviously a lot simpler a solution than registry hacks. Thanks for the response though.
 
OK so I have a virus on my computer. A quick scan of my computer revealed a worm - Ainslot.A - but I can't remove it the normal way. When MSE tries to remove it my computer blue screens. The computer blue screens even if I don't try to remove it, after being on for about half an hour. I know it's to do with the worm/is a software problem because I can boot into safe mode just fine without any blue screens (i.e. it's not to do with my hardware). The problem is that a scan of my computer in safe mode doesn't find the worm. I did a full scan overnight and found four things, but none of them were what I was looking for (they were small problems on my alternate OS installation, and a couple were false negatives I think).

What would be the best way of getting rid of this virus? What program is best to do this?
 
Currently running superantispyware in safe mode. It infected my flash drives as well so it's a good thing I have a mac cos I can format them on this without getting infected :)
 
I looked it up, and found it propagates via removable drives, so unsurprisingly it has infected the flash drive.

I also came across the encyclopedia entry about the virus, http://www.microsoft.com/security/p...ame=Worm:Win32/Ainslot.A&ThreatID=-2147326058

While it does not give a proper removal instruction, we can work it out ourselves.

These are the things it adds:
The presence of the following files:
c:\documents and settings\administrator\application data\data.dat
c:\documents and settings\administrator\application data\winlogon.exe

The presence of the following registry modifications:
Adds value: "Winlogon"
With data: "c:\documents and settings\administrator\application data\winlogon.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Adds value: "Winlogon"
With data: "c:\documents and settings\administrator\application data\winlogon.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Adds value: "Winlogon"
With data: "c:\documents and settings\administrator\application data\winlogon.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Adds value: StubPath
With data: "c:\documents and settings\administrator\application data\winlogon.exe"
To subkey: hklm\software\microsoft\active setup\installed components\{27de4d5a-faae-4f1c-c1d6-df3177fcda6a}

Adds value: "C:\Documents and Settings\Administrator\Application Data\winlogon.exe"
With data: "c:\documents and settings\administrator\application data\winlogon.exe:*:enabled:windows messanger"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

You need to delete the respective files, and the registry entries.

Adds value: "C:\Documents and Settings\Administrator\Application Data\winlogon.exe"
With data: "c:\documents and settings\administrator\application data\winlogon.exe:*:enabled:windows messanger"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Adds this value to the security settings key, and should be deleted as well.

On the removable drives, it creates:
<targeted drive>:\<malware file>.exe
<targeted drive>:\autorun.ini

These need to be deleted as well. It would be best if you remove them from the Mac, and not connect it to the PC till the virus is removed.


Also, look in:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

for other suspicious entries.

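An added example (not code from the thread, and not Microsoft's tooling): a small Python audit that walks the autostart locations listed in the post above (both Run keys, the Policies\Explorer\Run key, Active Setup StubPath values and the firewall AuthorizedApplications list) and flags the pattern the post describes: a Windows system-binary name such as winlogon.exe (or lsass.exe, as reported later in the thread) launched from a user-writable profile directory instead of System32. The classification functions run on any platform; reading the live registry uses the `winreg` module and is skipped outside Windows. The sample entries at the bottom are constructed from the values quoted in the post plus one invented Windows 7 variant; the "user-writable" path fragments and the heuristics themselves are my own assumptions.

```python
# Added example (not from the thread): classify autostart entries the way the
# Ainslot.A post describes, flagging a Windows system-binary name (winlogon.exe,
# lsass.exe) that runs from a user-writable profile directory instead of System32.
# The pure checks run anywhere; live registry enumeration needs Windows (winreg).
import ntpath
import os
import re
import sys

# Autostart keys named in the thread as (hive, subkey).
AUTOSTART_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"),
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
             r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List"),
]
ACTIVE_SETUP = r"SOFTWARE\Microsoft\Active Setup\Installed Components"

# System-binary names the worm borrows (both appear in the thread); genuine
# copies live only under %SystemRoot%\System32.
SYSTEM_NAMES = {"winlogon.exe", "lsass.exe"}
# Assumed path fragments meaning "user-writable profile location" on XP and Win7.
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\users\\", "\\temp\\")

# Leading image path of Run-style data: optional opening quote, then up to .exe.
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)


def extract_image_path(data: str) -> str:
    """Strip quotes, arguments and the firewall ':*:enabled:name' suffix."""
    m = EXE_RE.match(data.strip())
    return m.group(1) if m else data.strip()


def assess(data: str) -> list:
    """Reasons an autostart value looks like the persistence in the thread ([] = clean)."""
    path = os.path.expandvars(extract_image_path(data)).lower()
    name = ntpath.basename(path)  # ntpath: Windows separators on any platform
    reasons = []
    if name in SYSTEM_NAMES and "\\system32\\" not in path:
        reasons.append(f"{name} runs from outside System32")
    if any(frag in path for frag in USER_WRITABLE):
        reasons.append("image lives in a user-writable profile directory")
    return reasons


def audit_entries(entries: list) -> list:
    """entries: (hive, subkey, value_name, data). Returns the flagged ones with reasons."""
    flagged = []
    for hive, subkey, value_name, data in entries:
        reasons = assess(data)
        if reasons:
            flagged.append((hive + "\\" + subkey, value_name, extract_image_path(data), reasons))
    return flagged


def enumerate_live_entries() -> list:
    """Read the keys above from the live registry (Windows only; [] elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    keys = list(AUTOSTART_KEYS)
    try:  # every Active Setup component subkey can carry a StubPath value
        with winreg.OpenKey(hives["HKLM"], ACTIVE_SETUP) as k:
            for i in range(winreg.QueryInfoKey(k)[0]):
                keys.append(("HKLM", ACTIVE_SETUP + "\\" + winreg.EnumKey(k, i)))
    except OSError:
        pass
    found = []
    for hive, subkey in keys:
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):
                    name, data, _ = winreg.EnumValue(k, i)
                    if isinstance(data, str):
                        found.append((hive, subkey, name, data))
        except OSError:
            continue  # key absent or access denied
    return found


# Constructed sample, not captured from a real machine: the entries quoted in the
# thread plus an invented Windows 7 variant matching the later report of lsass.exe.
SAMPLE_ENTRIES = [
    ("HKLM", AUTOSTART_KEYS[0][1], "Winlogon",
     r"c:\documents and settings\administrator\application data\winlogon.exe"),
    ("HKLM", AUTOSTART_KEYS[0][1], "avast",
     r'"C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui'),
    ("HKLM", ACTIVE_SETUP + r"\{27de4d5a-faae-4f1c-c1d6-df3177fcda6a}", "StubPath",
     r"c:\documents and settings\administrator\application data\winlogon.exe"),
    ("HKLM", AUTOSTART_KEYS[3][1],
     r"C:\Documents and Settings\Administrator\Application Data\winlogon.exe",
     r"c:\documents and settings\administrator\application data\winlogon.exe:*:enabled:windows messanger"),
    ("HKCU", AUTOSTART_KEYS[1][1], "Lsass", r"C:\Users\bob\AppData\Roaming\lsass.exe"),
]

if __name__ == "__main__":
    # On Windows this audits the live registry; elsewhere it runs over the sample.
    for key, value_name, path, reasons in audit_entries(enumerate_live_entries() or SAMPLE_ENTRIES):
        print(f"{key}\n  {value_name!r} -> {path}\n  " + "; ".join(reasons))
```

The heuristic is deliberately coarse: anything legitimately installed per-user (under AppData) will also be listed, so treat the output as a triage list to review by hand, exactly as the post suggests for "other suspicious entries". Anything it flags under the firewall list is the worm's attempt to whitelist its own binary, so delete that value together with the Run-key entries rather than on its own.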
 
Yea I found that before.

It's a bit different since Windows 7 doesn't actually have a 'documents and settings' folder.

I just formatted the drives on my mac.

----------

SUPERantispyware seems to have picked most of it up anyway. Haven't checked cos the scan's still running though.

I checked those registry places and none of those entries are there except the last one, and it's not using winlogon; my version of the virus uses lsass.exe instead.
 