Hey GTG!

My first visit here, I hope you will be able to help me out.
I am not good with computers at all, but so far I figured out downloading HJT and here is the report of the scan:

Logfile of HijackThis v1.99.1
Scan saved at 12:26:06, on 12-03-2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\reDie\ie_updater.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Programmer\DAEMON Tools\daemon.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
H:\Programmer\PowerISO\SCDEmuApp.exe
H:\Programmer\QuickTime\qttask.exe
C:\WINDOWS\System32\msapp.exe
C:\WINDOWS\System32\adirss.exe
C:\WINDOWS\System32\lnwin.exe
C:\Programmer\Fælles filer\{F8717605-070A-1030-1222-04120304002d}\Update.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
D:\programmer\valve\steam\steam.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Programmer\Ipwindows\ipwins.exe
C:\WINDOWS\System32\adirka.exe
C:\DOCUME~1\reDie\DOKUME~1\RACLE~1\ping.exe
C:\Programmer\Canon\CAL\CALMAIN.exe
C:\Documents and Settings\reDie\Dokumenter\??stem32\?pool32.exe
C:\Programmer\VIA\RAID\raid_tool.exe
H:\Programmer\Mozilla\firefox.exe
C:\Documents and Settings\reDie\Skrivebord\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Shell Doc Object and Control Helper Class - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - C:\WINDOWS\System32\shdocvs.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: VPNS System - {366B2151-E1C7-44a3-86A3-E5686C2A3D2F} - C:\WINDOWS\iedrives.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Programmer\Video ActiveX Object\isadd.dll (file missing)
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\Programmer\TEXTware\QUICKfind\PlugIns\IEHelp.dll
O2 - BHO: (no name) - {E26A7A1D-B8DD-B675-F1D4-C2DEC9B00CB1} - C:\WINDOWS\System32\bqlnbucc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Programmer\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SCDEmuApp.exe] H:\Programmer\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "H:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinApp32] msapp.exe
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\System32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\System32\lnwin.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "d:\programmer\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [IpWins] C:\Programmer\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [adirka] C:\WINDOWS\System32\adirka.exe
O4 - HKCU\..\Run: [Cstm] "C:\DOCUME~1\reDie\DOKUME~1\RACLE~1\ping.exe" -vt ndrv
O4 - HKCU\..\Run: [Zle] "C:\Documents and Settings\reDie\Dokumenter\??stem32\?pool32.exe" 99001122
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - Startup: Adobe Gamma.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Programmer\VIA\RAID\raid_tool.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\window

redie,

Hello, and welcome to Geeks to Go. You have an extremely infected PC, and there are several reasons for that. You've never applied any Microsoft patches, which leaves you very vulnerable, and you are not running any antivirus program at all.

The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft.com/downloads/details...;DisplayLang=en
Apply the update and reboot.

Please go to Uploadmalware to upload a suspicious file for analysis.

• Enter your username from this forum
• Copy and paste the link to this thread
• Browse for this filename: C:\WINDOWS\System32\ntos.exe
• In the comments, please mention that I asked you to upload this file
• Click on Send File

I see you're not running any antivirus program. Before we go any further, you must download and install an AV.

I recommend one of the following:

AVG Free
Avast

Please download and install one of these programs, update it, and run a full scan.

When you've completed these steps, please post a new hijackthis log. Make sure you include the entire log - your first one was incomplete. While in Notepad, do ctrl-a to select all, and then ctrl-c to copy it all.

Thanks,

sari



This post has been edited by sari: Mar 12 2007, 09:18 AM

Hey Sari!

Thanks for your reply!

I have followed your instructions as closely as possible.

I tried to update to SP 1a but for some reason I got this message (translated from danish): "SP 1 Installation error; The file C:\windows\system32\drivers\ndis.sys is open or is used by another program. Close all windows and try again."

I closed ALL windows and applications (didnt have any open..), and ran it again --> Same error!
I killed all the processes I possbibly could, and tried once again but to no avail --> Same error!
So I still have the regular fairly un-updated XP, but I hope I can update it further when my computer is getting cleaner, I think may be some virus blocking that file.. But i have no clue :)

I have uploaded ntos.exe to that site as you asked of me.

I downloaded AVG Free and tried to update but it said I couldnt do so over the internet, so I picked the most recent update from their site and downloaded that into a folder. I asked AVG to update from that file and a windows very briefly occured, which makes me uncertain it even updated... But I got these informations about the program stats itself:
Program version: 7.5.446
Virus base: 268..18.3/696
Release date: 21-2-2007 15:19
File version: 7.5.0.438

Anyways, I succesfully completed a FULL scan and here are the results:

Scan stats:
72059 objects scanned
2 errors (I looked under the tab Virus results and it seems the errors are from the ntos.exe file --> the result: "Reading error")
38 threats
0 healed
8 moved to vault
30 deleted

The new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 17:52:01, on 12-03-2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
H:\Programmer\Mozilla\firefox.exe
C:\WINDOWS\System32\svchost.exe
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\Programmer\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\reDie\Skrivebord\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Shell Doc Object and Control Helper Class - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - C:\WINDOWS\System32\shdocvs.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: VPNS System - {366B2151-E1C7-44a3-86A3-E5686C2A3D2F} - C:\WINDOWS\iedrives.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Programmer\Video ActiveX Object\isadd.dll (file missing)
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\Programmer\TEXTware\QUICKfind\PlugIns\IEHelp.dll
O2 - BHO: (no name) - {E26A7A1D-B8DD-B675-F1D4-C2DEC9B00CB1} - C:\WINDOWS\System32\bqlnbucc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Programmer\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SCDEmuApp.exe] H:\Programmer\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "H:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\System32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\System32\lnwin.exe
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinApp32] msapp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "d:\programmer\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [IpWins] C:\Programmer\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [adirka] C:\WINDOWS\System32\adirka.exe
O4 - HKCU\..\Run: [Zle] "C:\Documents and Settings\reDie\Dokumenter\??stem32\?pool32.exe" 99001122
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - Startup: Adobe Gamma.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Programmer\VIA\RAID\raid_tool.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

I dont get it... it simply refuses to display the full log when I paste it! I did it several times now and just keeps showing only till O9 or something...
I have attacked the full log for you!

This post has been edited by redie: Mar 12 2007, 11:04 AM

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
H:\Programmer\Mozilla\firefox.exe
C:\WINDOWS\System32\svchost.exe
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\Programmer\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\reDie\Skrivebord\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Shell Doc Object and Control Helper Class - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - C:\WINDOWS\System32\shdocvs.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: VPNS System - {366B2151-E1C7-44a3-86A3-E5686C2A3D2F} - C:\WINDOWS\iedrives.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Programmer\Video ActiveX Object\isadd.dll (file missing)
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\Programmer\TEXTware\QUICKfind\PlugIns\IEHelp.dll
O2 - BHO: (no name) - {E26A7A1D-B8DD-B675-F1D4-C2DEC9B00CB1} - C:\WINDOWS\System32\bqlnbucc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Programmer\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SCDEmuApp.exe] H:\Programmer\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "H:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\System32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\System32\lnwin.exe
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinApp32] msapp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "d:\programmer\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [IpWins] C:\Programmer\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [adirka] C:\WINDOWS\System32\adirka.exe
O4 - HKCU\..\Run: [Zle] "C:\Documents and Settings\reDie\Dokumenter\??stem32\?pool32.exe" 99001122
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - Startup: Adobe Gamma.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Programmer\VIA\RAID\raid_tool.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\msnetax.dll' missing
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A65E962-AE93-4029-9871-5DE53545AEAE}: NameServer = 64.86.114.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{3360968A-06A0-4EED-A6D7-65C68BC3CE31}: NameServer = 64.86.114.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DDA666C-98F6-4E60-9D75-B2BE73547D3E}: NameServer = 64.86.114.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF3B8111-B4AE-4297-9D8B-A5D1B3A02D49}: NameServer = 64.86.114.3
O17 - HKLM\System\CS3\Services\Tcpip\..\{1A65E962-AE93-4029-9871-5DE53545AEAE}: NameServer = 64.86.114.3
O17 - HKLM\System\CS4\Services\Tcpip\..\{1A65E962-AE93-4029-9871-5DE53545AEAE}: NameServer = 64.86.114.3
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\System32\mszsrn32.dll (file missing)
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokumenter\Settings\partnership.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Dokumenter\Settings\winsys2f.dll
O21 - SSODL: vYfPQHAQ - {F8717606-52DB-DCAC-8D82-DCECC5CEBDD5} - (no file)
O21 - SSODL: DCOM Server 37389 - {2C1CD3D7

Thi is the rest of it: Dont understand why I have to split it up, cant upload the .txt log either!

O21 - SSODL: vYfPQHAQ - {F8717606-52DB-DCAC-8D82-DCECC5CEBDD5} - (no file)
O21 - SSODL: DCOM Server 37389 - {2C1CD3D7-86AC-4068-93BC-A02304B37389} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmer\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallDriver Table Manager IDriverTUMWdf (IDriverTUMWdf) - Unknown owner - C:\WINDOWS\System32\ac3filterz.exe
O23 - Service: ieupdater (Microsoft IEUpdater) - Unknown owner - C:\Documents and Settings\reDie\ie_updater.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: CaReTaKeR-CT NetMgr 1.2.1 (sfmgr) - Unknown owner - D:\Programmer\Autodesk\3dsMax8\Brazil\sfmgr.exe (file missing)

redie,

Could you please upload the C:\windows\system32\drivers\ndis.sys file to Uploadmalware also, using the directions in the first post I made? This is normally a valid file, but I have found some indications that there is a virus that uses this filename also.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

This will take of a lot of your issues, but not all. We'll still have more to do after this.

Thank you,

sari