Virus has disabled Zone Alarm & runs all programs very slow, -Also disabled internet, sound & more problems now! Options

[HAR78]

Hi there,
On 10/8 I was online and shut down around 1am without problem. When I turned my computer on again around 9pm, I noticed Zone Alarm and Spyware Doctor were no longer running in the task bar by the clock, which they should be since they load on start up. Also, when clicking Internet Explorer or windows explorer it took like 10 mins for the windows to open. Eventually the Spyware Doctor icon appeared by the clock. It did not disable my AVG antivirus however. The ZoneAlarm client and vsmon were both running under the processes tab in the task manager even though they weren't "really" running, so I ended the process on both since the vsmon was sucking a lot of memory. The strangest thing was while in the task manger under the processes tab, it showed all these processes were running but it was blank under the column for "User Name" for everything except for one program showing it was being run by the system. All the programs that would show the administrators name were blank, as if I wasn't logged on, but under the users tab it showed I was. Then after about 10 mins or so my name appeared next to the processes. I am able to get around on everything I click so far but theres a huge, huge lag time opening everything. I also did a system restore to the previous week which was successful, but it's still acting the same, so I'm sure its a virus. Also saw something called "Sysfader" briefly running under applications before it dissapeared and got a virtual memory error not too long ago while running one of online av scans. I ran several online scanning antivirus programs and the Kaspersky log found this:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, October 09, 2005 8:03:41 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/10/2006
Kaspersky Anti-Virus database records: 216935
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Heather\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 13526
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:11:35

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Temp\ja.exe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
Object is locked skipped
C:\DOCUME~1\Heather\LOCALS~1\Temp\Perflib_Perfdata_6f4.dat
Object is locked skipped

Scan process completed.


I then ran my avg antivirus on the windows/temp folder and it found the ja.exe and quarantined that and I deleted it. Was not sure on the other stuff though, so didn't do anything else. Finally I ran the hijackthis program and here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 9:17:31 PM, on 10/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Soundmx] C:\WINDOWS\System32\soundmx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LimeShop] wjview /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: Mopy Points Collector.lnk = C:\MOPYFISH\GETPOINT.EXE
O4 - Startup: restart_vs.lnk = E:\Viewsonic.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...re-NWE107SILVER
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/07bf89d5b0f001327400/...ip/RdxIE601.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D42ED9FF-DF46-4AD9-A3FE-46BAF896466E} (CountSpies.SpyCounter) - http://www.sunbelt-software.com/dell/CounterSpy.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O19 - User stylesheet: (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Please let me know what I need to do to fix this! Thanks!!

This post has been edited by HAR78: Oct 12 2006, 01:59 PM

[Bobbi Flekman]

Hi Heather,

Please create a list of programs that can be removed using Add/Remove Programs
Start HiJackThis. Click "Config"->"Misc Tools"->"Open Uninstall Manager" ->"Save List".
Save the log to a convenient location, and copy it into this thread.

Let's see what we can get rid of through the "normal method" first.

Sysfader is something that is connected to NVidia Video cards.

[HAR78]

Hi Bobbi,
Thanks for the fast reply, I would have replied sooner but I have to wait until I get home from work to get on this computer! Here is the log you requested. I know I have Limewire and Cursorcafe which are "bad" things to have, but if possible I'd like to keep them since I have had them on here for several years without a problem so far. There were some things that looked weird and appeared on the hijackthis list that I didn't see when I went into the control panel and looked at the add/remove programs...is it possible they are on the system but are somehow invisble to show up under the control panel add/remove programs? I will check tmrw for your reply and get bcak to you asap tmrw night, I can't stand limping along on this thing much longer! :)

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Photoshop 7.0
Adobe Reader 7.0.7
Ahead InCD
AOL Instant Messenger (SM)
ATI Control Panel
ATI Display Driver
ATI DVD Decoder
ATI Multimedia Center 7.8.0.0
AVG Free Edition
Bejeweled 2 Deluxe 1.0
BHODemon 2.0.0.22
BookWorm Deluxe 1.01
CardRd81
CCScore
CD LabelMaker
Click'N Design 3D
CR2
CursorCafe Installer
DAO
Diner Dash (remove only)
DivX 5.0.3 Bundle
EasyTune4
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSTUTOR
ESSvpaht
ESSvpot
FLIP FlashAlbum Deluxe 1.1
GoldWave v5.04
Google Toolbar for Internet Explorer
HijackThis 1.99.1
HLPIndex
HLPPDOCK
HLPSFO
HP DeskJet 810C Series (Remove only)
HydraVision
Intel® Personal Audio Player 3000
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.0_01
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 SDK, SE v1.4.0_01
Kaspersky Online Scanner
Kodak EasyShare software
KSU
LimeWire
LimeWire 4.6.0
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Logitech Desktop Messenger
Logitech iTouch Software
Logitech MouseWare 9.75
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Flash MX 2004
Macromedia Flash Player 8
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft Office XP Professional with FrontPage
Microsoft Windows-Journal-Viewer
MSN Messenger 7.5
MUSICMATCH® Jukebox
Nero
Norton WMI Update
Notifier
OfotoXMI
OpenMG Limited Patch 4.2-05-07-27-01
OpenMG Secure Module 4.2.00
OTtBP
OTtBPSDK
Paint Shop Pro Shareware Version 3.1
Photo Gadget
Photodex Presenter
PowerDVD
PrintMaster Gold 3.00
QuickTime
RealOne Player
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB913446)
SFR
SHASTA
SKIN0001
SKINXSDK
SonicStage 3.2
Sound Blaster Audigy 2
Spybot - Search & Destroy 1.3
Spyware Doctor 3.8
The Print Shop Ensemble III
Viewpoint Media Player
ViewSonic Windows XP Signed Files
VPRINTOL
WeatherBug
Webshots!
Winamp (Remove Only)
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB890175
WinZip
WIRELESS
Yahoo! Messenger
ZoneAlarm

[Bobbi Flekman]

Hi Heather,

This is my standard answer to the LimeWire matter. You might want to look into Frostwire

This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. I strongly recommend that you remove it. Read this article for alternatives that will provide some of the same function without the garbage: http://www.spywareinfo.com/articles/p2p/ If you opt to remove it, first use "Add/Remove Program" to remove it and any reference to LimeWire.
This is another article: http://www.cexx.org/adware.htm

This is an open source version of LimeWire: FrostWire. Be aware that this does not mean that what you download is malware free.

I'm sorry, but CursorCafe has to go...

Open "Add/Remove Programs" in the Control Panel. Select the following items:

• CursorCafe Installer
  
  These are not bad, but exploits waiting to happen, so it's best to get rid of them
• J2SE Runtime Environment 5.0 Update 6
• Java 2 Runtime Environment, SE v1.4.0_01
• Java 2 Runtime Environment, SE v1.4.2_05
• Java 2 SDK, SE v1.4.0_01
  
  See my earlier remark ;)
• LimeWire
• LimeWire 4.6.0
  
  Spybot 1.3 is obsolete. Download SpyBot S+D.
  
• Spybot - Search & Destroy 1.3
  
• Viewpoint Media Player
• WeatherBug

and click "Remove" for each of them. If one of the uninstallers wants to download stuff or needs an Internet connection, skip that one and report them to me.

Update Java:

• Go to Start > Control Panel double-click on the Software icon > add/remove programs.
• Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
  
  It should have next icon next to it:
  Select it and click Remove.
• The current version can be downloaded from Sun here: http://java.sun.com/javase/downloads/index.jsp Scroll down the page to 'Java Runtime Environment (JRE) 5.0 Update 9' and press the 'Download' button. On the new web page, click the 'Accept License Agreement' button. Then select 'Windows Offline Installation, Multi-language' in the Windows Platform area just below the Accept button.

Please post a new log from HijackThis after this.

[HAR78]

Hi Bobbi,
I printed off what you said to remove and will do that when I get home tonight. What are some of the programs listed like Shasta, skinxsdk, vprintol, etc. that are all in caps? Also, another thing I noticed last night while in the msconfig window under the services tab....only 3 were running one was for the zonealarm (true vector monitor or something) saying something about start pending under the staus column and the other 2 were set to yes under the essential column but can't remember what they were. Everything that used to be under there from Microsoft was missing! Also, on that Kaspersky log I posted before my first hijackthis log, does any of that stuff listed look like a virus due to the files being locked and skipped? Like those .log files listed as oakley.log and passwd.log?? Now I'm worried I have some password hijacking virus! Will we get to that part after I've removed the programs you listed?

[HAR78]

Bobbi,
Things have gone from bad to much much worse!!!! When I booted up last night here is what has now happened:


1. I no longer have connection to the internet on any program, there fore I cannot connect to download anything now, which is a major issue!!!! It is running but this virus has dasbled it!

2. I no longer have the windows xp theme, its not even listed to choose from in the appearance tab - only windows classic style.

3. I no longer have sound, it has disabled my sound card and my computer makes the default beeeping sounds when windows pop up alerting me of something.

4. A weird Zone alarm window is popping up now saying its getting ready to start (which I close right away)

5. My name is not even showing up under the task manager as being logged on under the users tab, and under the processes tab very few apps are running now compared to normal and my name is not assigned to any of them.

6. When I booted in Safe mode, it came to the logon screen and asked if I wanted to be logged on as "The Administrator" (which I am and I have it set to log in without a password, but it was asking for one!) and then it had my name listed below that like I'm just another user on the computer!

7. When I tried to change some things under the msconfig window, it would say I needed administrator privs to do that - but I AM the administrator, no other profiles are set up on the computer and I went under the control panel to check and it showed just my name listed as the administrator!

8. Under the SERVICES tab in msconfig here is the only 3 services running now:

Remote Procedure Call Essential=yes Manufacturer=Microsoft Status=Stopped
Remote Procedure Call Essential=yes Manufacturer=Microsoft Status=Running
True Vector Internet Monitor Essential= Manufacturer=Zone Labs, LLC Status= Start Pending


If you or another administrator could get back to me asap on this, that would be great cuz now I can only communicate on my work comptuer with you and would like to at least get the internet part working so I can get online at home to keep posting to you to fix this! My computer at home is now basically useless! I did uninstall all of the programs you asked me to except one of the java ones wouldn't unsinstall and I didn't remove the Update 5 one, since I could not replace it with the Update 9 you told me to download.

Here is my hijackthis log from last night that I had to save on a floppy disk and bring into work so I can post to you:

Logfile of HijackThis v1.99.1
Scan saved at 9:15:27 PM, on 10/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstall...re-NWE107SILVER
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/07bf89d5b0f001327400/...ip/RdxIE601.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D42ED9FF-DF46-4AD9-A3FE-46BAF896466E} (CountSpies.SpyCounter) - http://www.sunbelt-software.com/dell/CounterSpy.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O19 - User stylesheet: (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


PLEASE tell me what I need to do to get this thing working again - I really don't want to have to reformat and reinstall but this is not looking good at all now since so amny things are disabled and have no internet connection:(

[Bobbi Flekman]

hey Heather,

Not good! Definitely. Something is hiding from us...

Download Rootkit Revealer, and extract it. Double click on Rootkit Revealer and press "Scan". Please don't do anything during the time it is scanning because that will show up in the log, and might inluence the results. After the scan press "File"->"Save..." and copy/paste the contents in a new post.