#1
Hijacked!
I've just joined the ranks of those that have been nailed with the Search Assistant on the taskbar. I tried uninstalling but it sends me to the 180 website which teases me into believing that the uninstall was successful. Please help! I've found omniscient.exe, zpfujj.exe, and other odd processes in my task manager and have found a folder called Windows SA which will not let itself be deleted, removed, or uninstalled. Here is my Hijack This logfile:

Logfile of HijackThis v1.95.1
Scan saved at 1:34:22 AM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\zpfujj.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\wgp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\MsSvc32\WinSvc16.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zqmlnqcs] C:\WINDOWS\System32\zpfujj.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [WinGuard Pro] C:\WINDOWS\System32\lockctrl.exe C:\WINDOWS\System32\wgp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: WinSvc16.exe
O4 - Global User StartupWinSvc16.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/gam...nts/y/jt0_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - https://cs6b.instantservice.com/jar...erxsigned42.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7841.3692824074
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yah.../ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF302909-AF4F-408C-AC19-AE780561260B}: NameServer = 205.152.37.23 205.152.144.23

Any help reading this will be greatly appreciated and help removing this hijacker will be rewarded with a slightly used first born!!! Thanks!
#2
Quote:
Well, keep the kid and I'll help you anyways. Let's start with some trojan scanning:
Download, install and perform a full system scan with these two utilities:
Trojan Hunter http://www.misec.net/trojanhunter/
DiamondCS TDS-3 http://tds.diamondcs.com.au/
It wouldn't hurt to perform an online scan at two of these sites:
Trend Micro Housecall http://housecall.trendmicro.com/
Panda Active Scan www.pandasoftware.com/activescan/activescan
Bitdefender http://www.bitdefender.com/scan/licence.php
Reboot if anything is removed and please post your results including a fresh HijackThis log.
Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickys at the top of the forum before posting!
#3
Thanks, Tom...here's my info
Thanks for your patience, Tom...I had to run out of town suddenly. Anyway, I did what you told me to do...the first scan results were:
Registry scan
Registry value exists: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Rundll (matches LittleWitch.621)
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found trojan file: C:\Documents and Settings\Kenny\Local Settings\Temp\optimize.exe/3G19M2M9.exe (Adware.PurityScan.202)
Found trojan file: C:\Documents and Settings\Kenny\Local Settings\Temp\optimizer.exe (TrojanDownloader.Dyfuca.100)
Found trojan file: C:\Documents and Settings\Kenny\Local Settings\Temp\addictivetech.exe/U1PkA.exe (Adware.ATPartners.100)
Found trojan file: C:\Documents and Settings\Kenny\Local Settings\Temp\gamma installerl_129241.exe/c3rWCqO.exe (TrojanDownloader.Istbar.102)
Found trojan file: C:\Documents and Settings\Kenny\Local Settings\Temp\searchbarcash.exe/H0MIR.exe (Adware.Flingstone.100)
Found possible trojan file: C:\WINDOWS\system32\MsSvc32\WinSvc16.exe (Suspicious: PEDiminisher-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found trojan file: C:\WINDOWS\mattie54.exe (KLog.Briss.101)
Found trojan file: C:\WINDOWS\preInsTT.exe (Adware.BiSpy.101)
Found trojan file: C:\WINDOWS\polmx.exe/hJbKNex.exe (Adware.CallingHome.100)
Found trojan file: C:\WINDOWS\2_0_1browserhelper2.dll (Adware.Bhx.100)
Found trojan file: C:\System Volume Information\_restore{80917252-F4AA-4D8E-A02B-75E1666C8235}\RP80\A0016035.dll (Adware.ATPartners.100)
Found trojan file: C:\System Volume Information\_restore{80917252-F4AA-4D8E-A02B-75E1666C8235}\RP81\A0016145.exe/0mZBCMqH.exe (Adware.CallingHome.100)
Found trojan file: C:\System Volume Information\_restore{80917252-F4AA-4D8E-A02B-75E1666C8235}\RP81\A0016179.exe/Rf1y3wI.exe (Adware.CallingHome.100)
Warning: Unable to unpack UPX-packed file C:\System Volume Information\_restore{80917252-F4AA-4D8E-A02B-75E1666C8235}\RP82\A0017337.exe (Add to ignore list)
Found trojan file: C:\System Volume Information\_restore{80917252-F4AA-4D8E-A02B-75E1666C8235}\RP82\A0017493.exe (Adware.Ncase.100)
Found trojan file: C:\System Volume Information\_restore{80917252-F4AA-4D8E-A02B-75E1666C8235}\RP82\A0017839.exe/Ab6vix3.exe (Adware.PurityScan.202)
Found trojan file: C:\System Volume Information\_restore{80917252-F4AA-4D8E-A02B-75E1666C8235}\RP85\A0020342.EXE (Adware.Ncase.100)
Found trojan file: C:\System Volume Information\_restore{80917252-F4AA-4D8E-A02B-75E1666C8235}\RP86\A0020501.exe/svZGj.exe (Adware.PurityScan.202)
Found trojan file: C:\System Volume Information\_restore{80917252-F4AA-4D8E-A02B-75E1666C8235}\RP93\A0023281.EXE (Adware.MyWay.100)
Error: Directory not found: E:\
17 trojan files found
2 possible trojan files found

You'll notice winsvc16.exe was a possible trojan so I sent it to have it reviewed but have not heard back from them. The second scan you told me to run, found it to be a trojan but I didn't save the log to show what it was! I corrected the problems through both scans. My new hijackthis log is as follows:

Logfile of HijackThis v1.95.1
Scan saved at 2:50:11 PM, on 7/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\zpfujj.exe
C:\WINDOWS\System32\wgp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html

I found the process "omniscient.exe" and deleted it from the registry. Also, there was a missing "bridge.dll" error that is no longer a boot issue as well as a "ccRegvfy.exe" issue (I removed that from the registry manually). I still have this idiot search assistant bar and no matter what I do, it will not go away!!
Thanks, by the way, for letting me keep the kid but I think it's the kid who got me into this mess, so I think it's time for auction! That's what I got...hope to hear from you soon!
Kenny
#4
Hey Kenny,
You're doing great!
ccRegvfy.exe is actually part of Norton Antivirus. It checks to see if Norton has been changed or corrupted at one time or another. If you are still using Norton, you may want to consider reinstalling to replace ccRegvfy.exe.
Please update HijackThis, you are using an outdated version:
Open HijackThis, click Config > Misc Tools > Check for Update online
Or download a copy of version 1.98 at: http://www.majorgeeks.com/download3155.html
Post a fresh log with this new version.
Tom
#5
New Log
Thanks Tom...
Got the new version...here's the log!

Logfile of HijackThis v1.98.0
Scan saved at 10:57:37 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\wgp.exe
C:\WINDOWS\System32\zpfujj.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\Kenny\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WinGuard Pro] C:\WINDOWS\System32\lockctrl.exe C:\WINDOWS\System32\wgp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [nnnaezcqqi] C:\WINDOWS\System32\zpfujj.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - https://cs6b.instantservice.com/jars/customerxsigned42.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF302909-AF4F-408C-AC19-AE780561260B}: NameServer = 205.152.37.23 205.152.144.23

Thanks again!
Kenny
#6
Kenny,
Regarding this line in your log:
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
It is a leftover from being infected with Blazefind. Removing it with HijackThis, or Adaware could lead to your not being able to login to windows again.
Please read through this article at Lavasoft and let me know if you are comfortable with the removal instructions:
http://www.lavahelp.com/articles/v6/04/06/0901.html
Please feel free to ask any questions, be happy to help.
Tom
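Added example, not part of the thread and not HijackThis's own code: a Python triage pass over entries copied from the 18 July and 26 July logs above. It checks whether the F2 UserInit entry still launches System32\userinit.exe (assumed here to be the stock Windows value, which is why deleting the entry without restoring it can block logon) and shows that the Run value pointing at zpfujj.exe was renamed between scans, so the path is the stable thing to track. All function names are this example's own.

```python
import re

# Entries copied from two HijackThis logs posted earlier in this thread
# (18 July and 26 July), trimmed to the lines this example needs.
LOG_18_JUL = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zqmlnqcs] C:\WINDOWS\System32\zpfujj.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
"""
LOG_26_JUL = r"""
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nnnaezcqqi] C:\WINDOWS\System32\zpfujj.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                # section code, body
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")  # hive, value name, command
USERINIT_PREFIX = "reg:system.ini: userinit="


def parse(log):
    """Split a HijackThis log into (section code, body) pairs."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [m.groups() for m in matches if m]


def userinit_findings(entries):
    """Check each F2 UserInit entry for the stock userinit.exe in System32."""
    findings = []
    for code, body in entries:
        if code == "F2" and body.lower().startswith(USERINIT_PREFIX):
            value = body.split("=", 1)[1]
            programs = [p.strip() for p in value.split(",") if p.strip()]
            stock = any(p.lower().endswith("\\system32\\userinit.exe")
                        for p in programs)
            findings.append({"programs": programs, "runs_userinit": stock})
    return findings


def run_targets(entries):
    """Map lower-cased Run command -> set of value names that launch it."""
    targets = {}
    for code, body in entries:
        m = RUN.match(body) if code == "O4" else None
        if m:
            targets.setdefault(m.group(3).lower(), set()).add(m.group(2))
    return targets


def renamed_run_values(old_log, new_log):
    """Commands present in both logs whose Run value name changed."""
    old, new = run_targets(parse(old_log)), run_targets(parse(new_log))
    return {cmd: (sorted(old[cmd]), sorted(new[cmd]))
            for cmd in old.keys() & new.keys() if old[cmd] != new[cmd]}


if __name__ == "__main__":
    for f in userinit_findings(parse(LOG_26_JUL)):
        if not f["runs_userinit"]:
            print("UserInit no longer runs userinit.exe:", f["programs"])
            print("  restore the stock value before removing the entry or its file")
    for cmd, (before, after) in renamed_run_values(LOG_18_JUL, LOG_26_JUL).items():
        print(f"{cmd}: Run value renamed {before} -> {after}; track it by path")
```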
#7
well then...
Quote:
Hi Tom,
All I can say is...uh oh. Here's what happened: My computer was running real sluggish and I found that there was a problem using Nero that caused it...so, I uninstalled it. When I rebooted, I got a dialog that said "Windows SA was successfully uninstalled." The Search Assistant bar was gone, and my pc seemed to be running ok. Hurray! I shut my computer down and now, it won't let me in.
I checked the link and found out the problem but now, booting from cd, it's gone to a fresh installation of WINDOWS. It rebooted after preparation and when I chose to cancel the installation via f10, I got into setup. I followed the instructions to the point where I was supposed to log into windows and edit the registry from there but now, it continues the installation and is asking for my disk. Basically, I'll have to reinstall windows unless there's a way out of it. I'm going to wait for your advice before I reinstall windows because, it seems that when I don't, I screw up just a little more each time!!!
Thanks again!
Live, from my laptop,
Kenny
#8
Quote:
Umm...well, I accidentally started reinstalling, could not stop it. However, it gave me a fatal error. "One of the components that Windows needs to continue setup could not be installed. Manifest Parse Error: Invalid at the top level of the document." The setup log says this:
Fatal Error: One of the components that Windows needs to continue setup could not installed. The operation was cancelled by the user.
***
Error: SXS.DLL: Syntax error in manifest or policy file "F:\l386\asms\6000\MSFT\WINDOWS\COMMON\CONTROLS\CONTROLS.MAN" on line 0.
***
Error: Installation Failed: F:\l386\asms. Error Message: Manifest Parse Error: Invalid at the top level of the document.
***
Fatal Error: One of the components that Windows needs to continue setup could not be installed. Manifest Parse Error: Invalid at the top level of the document.
***
So, does this mean that I can't reinstall??? Please help?!
Kenny
#9
Quoting from the Lavasoft instructions:
Quote:
Did you choose Recovery Console?
Tom
#10
I'm sorry to hear it didn't work out for you. Keep in touch and we'll get you up and running again.
This is Microsoft's explanation of the error: http://support.microsoft.com/default.aspx?scid=kb;en-us;331881
I would try cleaning the CD with mild soap and water. Dry it with a lint free cloth.
Then I would try a Repair installation first: http://www.michaelstevenstech.com/XPrepairinstall.htm
Maybe we can get your data back.
Tom
#11
idea
Quote:
Hi Tom...
Okay, I have a new disk. I don't care about reinstalling but there are a few files I cannot lose that are stored on my desktop. If I reinstall, I lose them, right? So, I have an idea that's almost working...I get to the recovery console and the dos prompt. I'm trying to get to the directory for documents and settings but it says access is denied. As a matter of fact, every directory except windows is denied! There has to be a way that I can access this! Is there? Otherwise, the only other choice is swapping my master and slave drives, installing on the former slave, but then...will the data be safe on the former master and how do I access it? I'm so close to figuring this out. And, once it's all said and done, can I take any action against the company that forced me into this fiasco?
Eagerly awaiting your response!
Kenny
Oh, also...what's this about ghosting a hard drive? Do I need my OS to do so? Can I take that hard drive and install it to another computer and access the files that way in order to back it up?? Thanks again! You're quite the security blanket!
#12
Quote:
Technically, if everything goes right, if you follow the Repair Installation instructions, your files should be intact (although I have never seen anyone give out any guarantees on this one!).
Quote:
There are laws that are trying to be created to protect us from these kinds of attacks.
Quote:
Norton Ghost is the best tool for storing an image of your hard drive on your hard drive for quick restoring of your operating system: www.symantec.com/sabu/ghost/ghost_personal/
When using the Recovery Console, are you logging in as administrator? If not, give it a try. Leave the password field blank if you did not set up one when you installed XP.
Tom