Very serious problem...

This has been a step-by-step process. I had pop-ups first, then couldn't access the internet at all, and now I can only start up my computer in Safe Mode. Luckily I was able to get a HijackThis log, so here it is:

Logfile of HijackThis v1.99.1
Scan saved at 5:59:48 PM, on 4/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Leslie\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\bak\swdoctor.exe" /Q
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\msnetax.dll' missing
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe

Any help would be greatly appreciated!!!

Comments

  • Rahina-Rescue (Finland)
    edited April 2007
    Hello. Did you run HijackThis in Safe Mode?

    If you did, run it in Normal Mode this time.

    We have to move HijackThis to its own folder, because in its current location we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

    Click START > My Computer > right click Local Disk (usually (C:) for most people) > Explore.
    Right click an open area in the main panel.
    Select New > Folder.
    Type in HJT & press Enter.

    Now we have created the C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

    Please post a fresh HijackThis log in your next reply.
  • edited April 2007
    I am unable to move HijackThis from my desktop. Currently I cannot drag anything or save anything to a new folder, so I apologize for that. I was finally able to boot my computer normally, and here's the HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:52:06 PM, on 4/26/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Electronic Arts\EA Link\Core.exe
    C:\Documents and Settings\Leslie\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\bak\swdoctor.exe" /Q
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O10 - Broken Internet access because of LSP provider 'c:\windows\system32\msnetax.dll' missing
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
  • Rahina-Rescue (Finland)
    edited April 2007
    Hello :)

    Step #1
    • Please download LSPFix
    • Run the LSPFix.exe that you have just finished downloading.
    • Check the I know what I'm doing box.
    • In the Keep box you should see one or more instances of msnetax.dll
    • Select every instance of msnetax.dll and move each one to the Remove box by clicking the >> button.
    • When you are done click Finish>>.
    Step #2

    Please download Deckard's System Scanner (DSS) and save it to your Desktop.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, DSS will open two Notepads: main.txt and extra.txt
    • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
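The logs in this thread are triaged by eye, and the O10 line is the one that explains the lost connectivity: a Winsock Layered Service Provider (msnetax.dll) was deleted, but its entry stayed in the Winsock catalog, so every socket call through the chain fails. LSPFix edits that catalog. As an added example (not code from this thread, from HijackThis or from LSPFix), here is a small Python script that applies the same kind of checks a helper applies when reading a HijackThis 1.99.x log: the dangling O10 LSP, O23 services whose file is missing, binaries named one character off a core Windows process (svchosts.exe, lsasss.exe), O20 Winlogon Notify DLLs, rundll32 loaders pulling a DLL from the Windows folder, and paths that HijackThis prints with '?' because they contain characters it cannot render (the F?nts folder). The sample lines are copied from the logs posted in this thread; the rules, severities and helper names are this example's own heuristics, not anything either tool implements.

```python
"""Triage rules for HijackThis 1.99.x log lines (added example, not part of the thread)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the logs posted in this thread (the live
# log plus entries from the DSS "HijackThis Fixed Entries" backups).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Aejaso] "C:\Program Files\Common Files\F?nts\?hkntfs.exe" 99001275
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\pmkkkh.dll",realset
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\msnetax.dll' missing
O20 - Winlogon Notify: jpicare - C:\WINDOWS\SYSTEM32\jpicare.dll
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000132 (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O23 - Service: ..."
# First drive-letter path ending in .exe/.dll/.sys; spaces inside the path are allowed.
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)\b", re.IGNORECASE)

# Core Windows processes that malware likes to name itself after.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}


@dataclass
class Finding:
    severity: str   # HIGH, MEDIUM or INFO (this example's own scale)
    section: str    # HijackThis section code, e.g. O10
    reason: str
    line: str


def within_one_edit(a: str, b: str) -> bool:
    """True if one insertion, deletion or substitution turns a into b."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1                  # a carries an extra character
        elif len(a) < len(b):
            j += 1                  # a is missing a character
        else:
            i, j = i + 1, j + 1     # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1


def triage(log_text: str) -> list:
    """Apply the heuristics to every 'Xn - ...' line and return the findings."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        low = body.lower()
        if section == "O10" and "missing" in low:
            findings.append(Finding("HIGH", section, "dangling Winsock LSP: the provider DLL is gone but its catalog entry remains, so every socket call through the chain fails", raw))
        if "(file missing)" in low:
            findings.append(Finding("MEDIUM", section, "autostart points at a file that no longer exists; the entry itself should still be removed", raw))
        if section == "O20":
            findings.append(Finding("HIGH", section, "Winlogon Notify DLL is loaded by winlogon.exe at boot, before any user logs on", raw))
        if section == "R1" and "autoconfigurl" in low:
            findings.append(Finding("INFO", section, "proxy auto-config script is set; a PAC can route all browser traffic, confirm it is expected", raw))
        for path in PATH.findall(body):
            name = path.rsplit("\\", 1)[-1].lower()
            if "?" in path or any(ord(c) > 127 for c in path):
                findings.append(Finding("HIGH", section, "path has '?' or non-ANSI characters: HijackThis prints characters it cannot render as '?', a trick used to mimic folders such as Fonts", raw))
            for sysname in SYSTEM_BINARIES:
                if name != sysname and within_one_edit(name, sysname):
                    findings.append(Finding("HIGH", section, f"{name} is one character away from the system binary {sysname}", raw))
            if (section == "O4" and "rundll32" in low and name.endswith(".dll")
                    and path.lower().startswith("c:\\windows\\") and "\\" not in path[11:]):
                findings.append(Finding("MEDIUM", section, "rundll32 loads a DLL sitting directly in the Windows folder rather than System32", raw))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Two practical notes. On Windows XP SP2 and later, `netsh winsock reset` rebuilds the Winsock catalog and is the usual fix for a dangling LSP; this machine runs XP SP1, where that command does not exist, which is why a third-party catalog editor such as LSPFix is being used here. Second, the "HijackThis Fixed Entries" list in the DSS log shows the jpicare O20 entry and a BootService rundll32 loader (pmkkkh.dll, then nnmmnm.dll) reappearing in log after log once "fixed"; an entry that returns under a fresh random name is being recreated by code that is still running, so removing the registry value alone is not enough.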
  • edited April 2007
    Okay, here's the extra.txt file:

    Deckard's System Scanner v20070423.42
    Extra logfile - please post this as an attachment with your post.

    -- System Information

    Unable to create WMI object; error code: 0x80070005

    -- Security Center

    AUOptions is disabled.
    Windows Internal Firewall is enabled.


    -- Environment Variables

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Leslie\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=MYTOY
    ComSpec=C:\WINDOWS\system32\cmd.exe
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Leslie
    LOGONSERVER=\\MYTOY
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0209
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Leslie\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Leslie\LOCALS~1\Temp
    USERDOMAIN=MYTOY
    USERNAME=Leslie
    USERPROFILE=C:\Documents and Settings\Leslie
    windir=C:\WINDOWS


    -- User Profiles

    Leslie (admin)


    -- Add/Remove Programs

    --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
    Adobe Flash Player 9 --> C:\WINDOWS\System32\Macromed\Flash\UninstFl.exe
    Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
    AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
    AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
    Best Buy Rhapsody --> C:\PROGRA~1\BESTBU~1\Unwise32.exe /A C:\PROGRA~1\BESTBU~1\install.log
    BigFix --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
    CardRd81 --> MsiExec.exe /I{54C8FE84-89C4-40E8-976C-439EB0729BD6}
    CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
    CEP3 - Color Enable Package 3 --> "C:\WINDOWS\unins000.exe"
    CompuServe --> C:\Program Files\Common Files\csshare\csunins_us.exe
    CR2 --> MsiExec.exe /I{432C3720-37BF-4BD7-8E49-F38E090246D0}
    EA Link --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{F5577101-33CC-4711-8235-3A95BCD49DB0} /l1033
    Empire Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2447500B-22D7-47BD-9B13-1A927F43A267}\Setup.exe"
    Empire Earth - The Art of Conquest --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B49C924C-A651-4378-94F6-5D9BF44A959F}\Setup.exe" -l0x9
    ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
    ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
    ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
    ESSCT --> MsiExec.exe /I{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}
    ESSEMAIL --> MsiExec.exe /I{FEDE2483-87B7-44C1-A5BB-D75AEB8B6340}
    ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
    ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
    ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
    ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
    ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
    ESSSONIC --> MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
    ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
    ESSTUTOR --> MsiExec.exe /I{CA60320D-6A16-49C8-A34F-84EEF4799567}
    ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
    ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
    ewido anti-malware --> C:\Program Files\ewido anti-malware\Uninstall.exe
    HijackThis 1.99.1 --> C:\Documents and Settings\Leslie\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe /uninstall
    HLPIndex --> MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
    HLPPDOCK --> MsiExec.exe /I{154508C0-07C5-4659-A7A0-E49968750D21}
    HLPSFO --> MsiExec.exe /I{8DD94CA3-BCD2-49C0-B537-F3B5D95FF0C8}
    hp LaserJet 1000 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{975C8028-51D8-44A9-9585-82E9810FE96A}\setup.exe"
    ICQ --> C:\PROGRA~1\ICQ\ICQUninstall.EXE
    Intel A/V Codecs V2.0 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\System32\CDUninst.isu
    Intel(R) Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
    Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
    Intel(R) PROSet --> MsiExec.exe /I{EF4EF65F-4D62-44D7-82C9-1AECCBA74C50}
    InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
    Internet Explorer Q824145 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q824145.inf
    iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{59C4F14F-7590-45FC-BE9F-A67AB3590709} /l1033
    J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
    Java 2 Runtime Environment Standard Edition v1.3.1_02 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1_02\Uninst.isu"
    Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140011_2443f442\Setup.exe /APR-REMOVE
    KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
    Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
    LimeWire 4.10.9 --> "C:\Program Files\LimeWire\uninstall.exe"
    Linksys Wireless-G USB Network Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{033F7469-6B73-480A-9C4A-DF49BEEDB376}\Setup.exe" -l0x9
    Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
    Microsoft Works 6.0 --> MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
    MMS_Screensaver --> C:\WINDOWS\System32\MMS_Screensaver.scr /u
    Mozilla Firefox (2.0.0.2) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    Netscape 6 (6.2.1) --> C:\WINDOWS\N6Uninst.exe /ua "6.2.1 (en)"
    Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
    OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
    OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
    OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
    Outlook Express Update Q330994 --> C:\WINDOWS\Q330994.exe C:\WINDOWS\INF\Q330994.inf
    Panda ActiveScan --> C:\WINDOWS\System32\ASUninst.exe Panda ActiveScan
    PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
    Q-Xpress Installer 1.1.5 --> C:\Program Files\ModTheSims2.com\Q-Xpress Installer\uninst.exe
    QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
    RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
    Registry Mechanic --> "C:\Program Files\Registry Mechanic\unins000.exe"
    Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
    Rhapsody Player Engine --> MsiExec.exe /I{84F1DE76-C48C-4281-87A0-CC9548D1E7F9}
    Security Task Manager 1.7 --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
    Serif PhotoPlus 6.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0609D0AF-1382-42BE-81DB-CF30F8B0F6E2}\Setup.exe" -l0x9
    SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
    SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
    SimPE 0.50b (alpha) --> "C:\Program Files\SimPE\unins000.exe"
    SimPE PhotoStudio Templates 2.0 --> "C:\WINDOWS\unins001.exe"
    SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
    SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
    SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IVEN_14F1&DEV_2F20&SUBSYS_200014F1
    Spybot - Search & Destroy 1.3 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
    Spyware Doctor 3.2 --> "C:\Program Files\Spyware Doctor\unins000.exe"
    SpywareBlaster v3.4 --> "C:\Program Files\SpywareBlaster\unins000.exe"
    The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
    The Sims 2 Family Fun Stuff --> C:\Program Files\EA GAMES\The Sims 2 Family Fun Stuff\EAUninstall.exe
    The Sims 2 Glamour Life Stuff --> C:\Program Files\EA GAMES\The Sims 2 Glamour Life Stuff\EAUninstall.exe
    The Sims 2 HomeCrafter Plus --> C:\Program Files\EA GAMES\The Sims 2 HomeCrafter Plus\EAUninstall.exe
    The Sims 2 Nightlife --> C:\Program Files\EA GAMES\The Sims 2 Nightlife\EAUninstall.exe
    The Sims 2 Open For Business --> C:\Program Files\EA GAMES\The Sims 2 Open For Business\EAUninstall.exe
    The Sims 2 Pets --> C:\Program Files\EA GAMES\The Sims 2 Pets\EAUninstall.exe
    The Sims 2 University --> C:\Program Files\EA GAMES\The Sims 2 University\EAUninstall.exe
    The Sims Complete Collection --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F2527115-B8BF-4FDB-B5DA-5AADFB7C13E1}\setup.exe" -l0x9 -l0009
    The Sims™ 2 Celebration! Stuff --> C:\Program Files\EA GAMES\The Sims 2 Celebration! Stuff\EAUninstall.exe
    The Sims™ 2 Seasons --> C:\Program Files\EA GAMES\The Sims 2 Seasons\EAUninstall.exe
    TurboTax Deluxe Deduction Maximizer 2006 --> C:\Program Files\TurboTax\Deluxe 2006\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2006\Uninstall.log" -NoGui
    TurboTax ItsDeductible 2006 --> MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
    Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
    Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
    Virtual Labs for Physical Anthropology --> C:\WINDOWS\unvise32.exe C:\WINDOWSUninstall Virtual Labs for Physical Anthropology.log
    VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
    Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
    Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
    WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
    Xtreme Desktop --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{06E742E0-DF42-4685-A210-B26445939248}\setup.exe" -l0x9 -removeonly
    Yahoo! Anti-Spy --> C:\PROGRA~1\Yahoo!\Common\unypsr.exe
    Yahoo! Messenger Explorer Bar --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\COMPAN~1\Modules\messmod2\v4\yhexbmes.dll
    Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
    Zeus --> C:\WINDOWS\IsUninst.exe -f"C:\Impressions Games\Zeus\Uninst.isu"
    Zinio Reader --> C:\Program Files\Zinio\uninstall.exe


    -- End of Deckard's System Scanner: finished at 2007-04-26 at 14:23:41

    And the main.txt file:

    Deckard's System Scanner v20070423.42
    Run by Leslie on 2007-04-26 at 14:21:53
    Computer is in Normal Mode.

    -- System Restore

    Unable to create System Restore WMI object; error code: 0x80070005
    Backed up registry hives.

    Performed disk cleanup.


    -- HijackThis (run as Leslie.exe)

    Logfile of HijackThis v1.99.1
    Scan saved at 2:23:04 PM, on 4/26/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Electronic Arts\EA Link\Core.exe
    C:\WINDOWS\System32\rsvp.exe
    F:\dss.exe
    C:\DOCUME~1\Leslie\Desktop\Leslie.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\bak\swdoctor.exe" /Q
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe


    -- HijackThis Fixed Entries (C:\DOCUME~1\Leslie\Desktop\backups\)

    backup-20070304-115017-108 O4 - HKLM\..\Run: [{24644BA4-0AF0-1033-0208-041025200001}] "C:\Program Files\Common Files\{24644BA4-0AF0-1033-0208-041025200001}\Update.exe" te-110-12-0000213
    backup-20070304-115017-284 O4 - HKLM\..\Run: [{24644BA4-0AEF-1033-0208-041025200001}] "C:\Program Files\Common Files\{24644BA4-0AEF-1033-0208-041025200001}\Update.exe" te-110-12-0000213
    backup-20070304-115017-285 O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
    backup-20070304-115017-375 O4 - HKCU\..\Run: [Usrr] "C:\PROGRA~1\COMMON~1\ECURIT~1\wuauboot.exe" -vt yazb
    backup-20070304-115017-574 O4 - HKCU\..\Run: [Aejaso] "C:\Program Files\Common Files\F?nts\?hkntfs.exe" 99001275
    backup-20070304-115017-889 O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34644~1\Bar888.dll
    backup-20070304-115017-984 O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34644~1\Bar888.dll
    backup-20070314-001550-761 O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    backup-20070314-001550-864 O15 - Trusted Zone: http://*.turbotax.com
    backup-20070314-001554-459 O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000132 (file missing)
    backup-20070415-013435-118 O4 - HKCU\..\Run: [Anonymizer] C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui
    backup-20070415-013435-122 O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
    backup-20070415-013435-214 O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\pmkkkh.dll",realset
    backup-20070415-013435-530 O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    backup-20070415-013435-791 O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
    backup-20070415-013435-819 O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
    backup-20070415-013435-851 O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    backup-20070415-013435-886 O2 - BHO: (no name) - {803e496a-5db8-4c44-88fb-f2cab181acbb} - C:\WINDOWS\system32\jpicare.dll
    backup-20070415-013442-666 O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    backup-20070415-013442-830 O20 - Winlogon Notify: jpicare - C:\WINDOWS\SYSTEM32\jpicare.dll
    backup-20070416-000122-135 O20 - Winlogon Notify: jpicare - C:\WINDOWS\SYSTEM32\jpicare.dll
    backup-20070416-000122-231 O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\nnmmnm.dll",realset
    backup-20070416-000122-604 O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\wmplayer.dll
    backup-20070416-000122-695 O2 - BHO: (no name) - {803e496a-5db8-4c44-88fb-f2cab181acbb} - C:\WINDOWS\system32\jpicare.dll
    backup-20070416-000122-861 O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp9A.tmp.dll
    backup-20070416-122532-138 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    backup-20070416-122532-351 O2 - BHO: (no name) - {803e496a-5db8-4c44-88fb-f2cab181acbb} - C:\WINDOWS\system32\jpicare.dll
    backup-20070416-122532-565 O20 - Winlogon Notify: jpicare - C:\WINDOWS\SYSTEM32\jpicare.dll
    backup-20070417-095353-775 O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

    -- File Associations

    .cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL %1,%*
    .cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser %1,%*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    1 DcCam (Kodak Camera Proxy) - c:\windows\system32\drivers\dccam.sys <Verified; Eastman Kodak Company; Kodak Digital Camera Driver; 4.6.0.0; 1.7.0614.0>
    3 DcFpoint - c:\windows\system32\drivers\dcfpoint.sys <Verified; Eastman Kodak Company; Kodak Digital Camera FP Driver; 4.5.0.2; 1.6.0331.0>
    2 DCFS2K (Kodak DCFS2K Driver) - c:\windows\system32\drivers\dcfs2k.sys <Verified; Eastman Kodak Company; Kodak DC File System Driver (NT); 4.4.0.0; 1.0.4100.7>
    3 DcLps (Legacy Polling Service) - c:\windows\system32\drivers\dclps.sys <Verified; Eastman Kodak Company; Kodak Digital Camera LPS Driver; 4.5.0.2; 1.6.0331.0>
    3 DcPTP - c:\windows\system32\drivers\dcptp.sys <Verified; Eastman Kodak Company; Kodak Digital Camera PTP Driver; 4.5.0.2; 1.6.0331.0>
    1 EXAMPLE - c:\windows\system32\main.sys (file missing) <Verified; Intel Corporation; Intel(R) PRO Adapter; 6.04.14.0000; 6.04.14.0000 built by: WinDDK>
    1 Exportit - c:\windows\system32\drivers\exportit.sys <Verified; Eastman Kodak Company; Kodak DC File System driver; 4.5.0.2; 1.0.8900.9>
    3 HSFHWBS2 - c:\windows\system32\drivers\hsfhwbs2.sys <Verified; Conexant Systems, Inc.; SoftK56 Modem Driver; 7.04.05; 7.04.05>
    3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys <Verified; Conexant Systems, Inc.; SoftK56 Modem Driver; 7.04.05; 7.04.05>
    3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R); 6.14.10.4342; 6.14.10.4342>
    2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys <Verified; Conexant; Diagnostic Interface; 1.0.2.005; 1.0.2.005>
    3 ntldr.sys - c:\ntldr.sys (file missing) <Verified; Microsoft Corporation; Microsoft® Windows® Operating System; 5.1.2600.1106; 5.1.2600.1106 (xpsp1.020828-1920)>
    3 PCANDIS5 (PCANDIS5 Protocol Driver) - c:\program files\wusb54g wireless-g adapter\pcandis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows; 5.00.13.50; 5.00.13.50>
    3 PRISM_A02 (802.11a/g USB Driver) - c:\windows\system32\drivers\wusb20xp.sys <Not Verified; GlobespanVirata, Inc.; PRISM 802.11 Wireless LAN; 0.06.00.0000; 0.06.00>
    3 Runtime - c:\windows\system32\drivers\runtime.sys (file missing) <Verified; Microsoft Corporation; Microsoft® Windows® Operating System; 5.1.2600.1106; 5.1.2600.1106 (xpsp1.020828-1920)>
    3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys <Verified; America Online, Inc.; Wan Miniport (ATW); 8.3.0.0; 8.3.0.0>
    3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys <Verified; Conexant Systems, Inc.; SoftK56 Modem Driver; 7.04.05; 7.04.05 built by: WinDDK>

    pe386 driver present

    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    4 Client IP-IPX - c:\windows\system32\svchosts.exe
    2 uploadmgr (Upload Manager) - c:\windows\system32\svchost.exe
    4 Windows Overlay Components - c:\windows\uzdfjcf.exe (file missing)
    4 WUSB54GSVC - c:\program files\wusb54g wireless-g adapter\wlservice.exe


    -- Files created between 2007-03-26 and 2007-04-26

    2007-04-26 13:02:03 0 d C:\HijackThis
    2007-04-16 00:26:38 23552 --a C:\WINDOWS\System32\wsys.dll
    2007-04-15 22:41:10 169984 --a C:\WINDOWS\System32\brbwzv.dll
    2007-04-15 22:40:27 16896 --a C:\WINDOWS\System32\update74910103.exe
    2007-04-15 22:40:26 39936 --a C:\WINDOWS\System32\totour.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System; 5.2.3790.1830; 5.2.3790.1830>
    2007-04-15 22:40:25 7296 --a C:\WINDOWS\System32\drivers\ip6fw.sys
    2007-04-15 22:40:19 39225 --a C:\WINDOWS\System32\update10560986.exe
    2007-04-15 22:40:14 235008 --a C:\WINDOWS\System32\update38810001.exe
    2007-04-15 22:40:09 14336 --a C:\WINDOWS\System32\update96926207.exe
    2007-04-15 22:40:05 107012 --a C:\WINDOWS\System32\update68731342.exe
    2007-04-15 22:39:58 22697 --a C:\Documents and Settings\Leslie\ie_updater.exe
    2007-04-15 22:08:25 106767 --a C:\WINDOWS\nnmmnm.dll
    2007-04-15 15:08:03 106767 --a C:\WINDOWS\iifdaa.dll


    -- Find3M Report

    2007-04-17 20:16:23 0 d C:\Program Files\EA GAMES
    2007-04-17 19:25:20 0 d C:\Program Files\Common Files\{24644BA4-0AEF-1033-0208-041025200001}
    2007-04-16 00:26:41 516608 --a C:\WINDOWS\System32\winlogon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System; 5.1.2600.1106; 5.1.2600.1106 (xpsp1.020828-1920)>
    2007-03-22 01:44:48 19502 --a C:\WINDOWS\System32\catopy.dll
    2007-03-22 01:44:47 27176 --a C:\WINDOWS\System32\ddcyx.exe
    2007-03-22 01:39:15 8504 --a C:\WINDOWS\System32\ssqpnli.dll
    2007-03-22 01:35:14 0 d C:\Program Files\Zinio
    2007-03-10 06:08:03 0 d C:\Program Files\Common Files\{24644BA4-0AF0-1033-0208-041025200001}
    2007-03-05 13:00:58 0 d--h C:\Program Files\InstallShield Installation Information
    2007-03-05 13:00:22 0 d C:\Program Files\Common Files\F?nts
    2007-03-05 12:59:14 0 d C:\Program Files\Common Files\{34644BA4-0AEF-1033-0208-041025200001}
    2007-03-03 02:49:44 0 d C:\Program Files\Common Files\??mbols
    2007-03-03 02:49:32 36864 --a C:\WINDOWS\System32\svchosts.exe
    2007-03-03 02:49:31 2560 --a C:\WINDOWS\System32\unsvchosts.exe


    -- Registry Dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
    "EA Core"="\"C:\\Program Files\\Electronic Arts\\EA Link\\Core.exe\" -silent"
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\bak\\swdoctor.exe\" /Q"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
    "vgabc1"="C:\\WINDOWS\\System32\\vgabc1.exe"
    "{24644BA4-0AEF-1033-0208-041025200001}"="\"C:\\Program Files\\Common Files\\{24644BA4-0AEF-1033-0208-041025200001}\\Update.exe\" te-110-12-0000132"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
    "{24644BA4-0AF0-1033-0208-041025200001}"="\"C:\\Program Files\\Common Files\\{24644BA4-0AF0-1033-0208-041025200001}\\Update.exe\" te-110-12-0000132"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source REG_SZ C:\WINDOWS\System32\ad.html

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
    Shell\AutoRun\command E:\Autorun.exe


    -- End of Deckard's System Scanner: finished at 2007-04-26 at 14:23:41
  • Rahina-Rescue (Finland)
    edited April 2007
    You have been fixing lines with HijackThis on your own; that is something you should never do without professional help!

    We got things to do.

    Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet or my instructions! I suggest you print these instructions out.

    Step #1

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)
    • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
    • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
    • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.
    Step #2

    Please download Combofix to your desktop.
    • Double click on Combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a fresh HJT log in your next reply.
    Note: Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.

    Step #3

    Download the latest version of Java Runtime Environment (JRE) 6

    Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    Click the "Download" button to the right.
    Check the box that says: "Accept License Agreement".
    The page will refresh.

    Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    Close any programs you may have running - especially your web browser.
    Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

    Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    Click the Remove or Change/Remove button.
    Repeat as many times as necessary to remove each Java version.
    Reboot your computer once all Java components are removed.
    Then from your desktop double-click on the download to install the newest version.

    Step #4

    In your next reply please post the following logs:
    • SDFix Report.txt
    • Combofix.txt
    • Hijackthis Logfile
  • edited April 2007
    Here is my SDFix report and new HijackThis log. Currently running Combofix...

    SDFix: Version 1.79

    Run by Leslie - Thu 04/26/2007 - 17:52:48.76

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    Client IP-IPX
    EXAMPLE
    kprof
    ntldr.sys
    poof
    Runtime
    Windows Overlay Components

    ImagePath:
    "C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000132
    \??\C:\WINDOWS\System32\main.sys
    \??\C:\WINDOWS\System32\kprof
    \??\C:\ntldr.sys
    \??\C:\WINDOWS\System32\poof
    \??\C:\WINDOWS\System32\drivers\runtime.sys
    C:\WINDOWS\uzdfjcf.exe

    Client IP-IPX - Deleted
    EXAMPLE - Deleted
    kprof - Deleted
    ntldr.sys - Deleted
    poof - Deleted
    Runtime - Deleted
    Windows Overlay Components - Deleted


    ndis.sys Infected!

    Patched File copied to Backups Folder
    Attempting to replace ndis.sys with original version...

    Unable To Replace Patched File!


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\WINDOWS\SYSTEM32\RCUDS5~1.HTM - Deleted
    C:\CP1041.NLS - Deleted
    C:\Documents and Settings\Leslie\ie_updater.exe - Deleted
    C:\WINDOWS\system32\0_exception.nls - Deleted
    C:\WINDOWS\system32\koos.exe - Deleted
    C:\WINDOWS\system32\kprof - Deleted
    C:\WINDOWS\system32\poof - Deleted
    C:\WINDOWS\system32\RunOnce2.t__ - Deleted
    C:\WINDOWS\system32\RunOnce2.tm_ - Deleted
    C:\WINDOWS\system32\svchosts.exe - Deleted
    C:\WINDOWS\system32\unsvchosts.exe - Deleted
    C:\WINDOWS\system32\unsvchosts.lzma - Deleted
    C:\WINDOWS\Uninst2.htm - Deleted
    C:\WINDOWS\Unist1.htm - Deleted

    Could Not Remove C:\WINDOWS\system32\wsys.dll


    Removing Temp Files

    ADS Check:

    Checking if ADS is attached to system32 Folder
    C:\WINDOWS\system32
    No streams found.

    Checking if ADS is attached to svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.



    Final Check:

    Remaining Services:


    Rootkit PE386 Active, Use a Rootkit scanner !

    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\DOCUME~1\\Leslie\\LOCALS~1\\Temp\\bl4ck.com"="C:\\DOCUME~1\\Leslie\\LOCALS~1\\Temp\\bl4ck.com:*:ENABLED:0"
    "C:\\WINDOWS\\System32\\a.exe"="C:\\WINDOWS\\System32\\a.exe:*:ENABLED:0"


    Remaining Files:
    C:\WINDOWS\system32\wsys.dll Found

    Backups Folder: - C:\SDFix\backups\backups.zip

    Checking For Files with Hidden Attributes:

    C:\Program Files\Common Files\csshare\shell\us\shellext.dll
    C:\Deckard\System Scanner\backup\DOCUME~1\Leslie\LOCALS~1\Temp\sdexe.exe
    C:\Documents and Settings\Leslie\My Documents\Programs\sdinstall.exe
    C:\Documents and Settings\Leslie\My Documents\Programs\spywareblastersetup34.exe
    C:\Program Files\CompuServe 7.0\csphx.exe
    C:\Program Files\CompuServe 7.0\cstray.exe
    C:\Program Files\CompuServe 7.0\RBM.exe
    C:\Program Files\CompuServe 7.0\wcs2000.exe
    C:\Program Files\CompuServe 7.0\COMIT\cswitch.exe
    C:\WINDOWS\system32\3FA6A1C840.sys
    C:\WINDOWS\system32\KGyGaAvL.sys
    C:\Deckard\System Scanner\backup\DOCUME~1\Leslie\LOCALS~1\Temp\parDBFD.tmp
    C:\Documents and Settings\All Users\Application Data\Microsoft\YTjSKYNVFLfeCmy\nnfY6X2BQdSI.tmp
    C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy\aLYTjSKYNVFL\nnfY6X2BQdSI.tmp

    Finished

    Logfile of HijackThis v1.99.1
    Scan saved at 6:30:48 PM, on 4/26/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Electronic Arts\EA Link\Core.exe
    C:\Documents and Settings\Leslie\Desktop\Leslie.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\bak\swdoctor.exe" /Q
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
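The SDFix report above exports the Windows Firewall "Authorized Applications" list, and both entries are exceptions for executables in the user's Temp folder or with a single-letter name in System32. As an added example (not part of the original thread, of SDFix, or of HijackThis), here is a small Python triage helper that parses lines in that exported format into path, scope and enabled state and flags exceptions in locations or with names where legitimate software rarely lives. The two sample lines are copied from the report; the list of suspicious directories and the name heuristics are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the two lines exported under
# HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
#   StandardProfile\AuthorizedApplications\List in the SDFix report above.
SAMPLE_EXPORT = r'''
"C:\\DOCUME~1\\Leslie\\LOCALS~1\\Temp\\bl4ck.com"="C:\\DOCUME~1\\Leslie\\LOCALS~1\\Temp\\bl4ck.com:*:ENABLED:0"
"C:\\WINDOWS\\System32\\a.exe"="C:\\WINDOWS\\System32\\a.exe:*:ENABLED:0"
'''

# The XP firewall stores each exception as  <path>:<scope>:<Enabled|Disabled>:<display name>.
# The path itself contains a colon (drive letter), so the lazy group relies on the
# trailing ":<scope>:<state>:" structure to find the real boundary.
LINE_RE = re.compile(
    r'^"(?P<key>.+?)"="(?P<path>.+?):(?P<scope>[^:]*):(?P<state>ENABLED|DISABLED):(?P<name>.*)"$',
    re.IGNORECASE,
)

# Assumption: directories where a firewall exception deserves a second look.
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\temp\\", "\\temporary internet files\\")


@dataclass
class FirewallException:
    path: str
    scope: str      # "*" means any remote address
    enabled: bool
    name: str       # display name shown in the firewall UI


def parse_export(text: str) -> List[FirewallException]:
    """Parse .reg-style exported lines of the AuthorizedApplications list."""
    entries: List[FirewallException] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # .reg exports double every backslash; undo that to get the real path.
        path = m.group("path").replace("\\\\", "\\")
        entries.append(FirewallException(
            path=path,
            scope=m.group("scope"),
            enabled=m.group("state").upper() == "ENABLED",
            name=m.group("name"),
        ))
    return entries


def reasons(entry: FirewallException) -> List[str]:
    """Heuristic flags (assumptions, not a verdict) for one firewall exception."""
    flags: List[str] = []
    lp = entry.path.lower()
    if any(d in lp for d in SUSPICIOUS_DIRS):
        flags.append("lives in a temporary directory")
    filename = lp.rsplit("\\", 1)[-1]
    stem = filename.rsplit(".", 1)[0]
    if len(stem) <= 1:
        flags.append("single-character file name")
    if filename.endswith(".com"):
        flags.append("uses the .com extension")
    if entry.enabled and entry.scope == "*":
        flags.append("enabled for any remote address")
    return flags


def triage(text: str) -> Dict[str, List[str]]:
    """Map each exception path to its list of flags (empty list = nothing noted)."""
    return {e.path: reasons(e) for e in parse_export(text)}


if __name__ == "__main__":
    for path, flags in triage(SAMPLE_EXPORT).items():
        marker = "FLAG" if flags else "ok  "
        print(f"{marker} {path}  {'; '.join(flags)}")
```

The point of parsing rather than eyeballing is that a real export can run to dozens of entries; the flags narrow it to the few worth checking against the file on disk, its signature and its creation time, as the Find3M and SDFix reports above do for the rest of the system.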
  • edited April 2007
    Finished Combofix, though it did not produce a log for me.
  • Rahina-Rescue (Finland)
    edited April 2007
    Combofix logfile located here:

    C:\Combofix.txt