Need help with TSAupdate

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by knownada, Dec 14, 2004.

  1. knownada

    knownada Private E-2

    Hello and thanks in advance. I have tried all the preliminary fixes and none seem to work. This TSA/TSL thing won't go away. I am running XP with SP2 and ZoneAlarm firewall. I also use Adaware SE and Spybot frequently. I think this downloader got in with some freeware. Any help would be appreciated!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HJT Version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. knownada

    knownada Private E-2

    Here is my HJT log. Thank you.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to remember All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!
    Also please do not post .doc files. Use either .log or .txt. HJT defaults to saving .log files. Just post them.

    What a mess!

    I'm working on your log but this may take some time.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in Add/Remove programs for an uninstall to Web Offer and use it if found.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\system32\aywuwx\kisljwah.exe
    C:\WINDOWS\system32\fnasgnen\tetih.exe
    C:\WINDOWS\system32\hxyd\jtxnenqd.exe
    C:\Documents and Settings\Cari\Application Data\n?x??n.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.whlzpshnvwopz.com/qibiMWYnXBlgIQ0zk7/kyERVxUaBAZ663HmBfmzjBGK3KuLicCFfkzZwHMDnLYvK.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {0DC0237F-2C4B-47CC-1B1C-6132083B235B} - C:\WINDOWS\system32\catfuowi\eovnymic.dll
    O2 - BHO: (no name) - {31B2A171-18F7-F566-AA90-FDAB06583FA3} - C:\PROGRA~1\Liesbind\JunkLog.exe (file missing)
    O2 - BHO: (no name) - {32357ECA-B41F-85D5-755E-FD5F394AD5BA} - C:\WINDOWS\system32\splvfksj\uwkymcva.dll
    O2 - BHO: (no name) - {554695B0-694A-3344-714A-803755C7F2A6} - C:\WINDOWS\system32\iehbdluy\semaisdy.dll
    O2 - BHO: (no name) - {6A7154D7-8529-F13E-FCA9-E64DC28DA76F} - C:\DOCUME~1\Cari\APPLIC~1\Liesbind\JunkLog.exe
    O2 - BHO: KGhost - {968BC8A3-7660-4B12-B2BF-3334775835E1} - C:\Program Files\NetMeeting\KG\KGhost.dll
    O2 - BHO: (no name) - {DC48D0EE-7BD1-A615-979B-8B5C4920B6CF} - C:\WINDOWS\system32\blbhuwhm\ggtnkmqq.dll
    O2 - BHO: (no name) - {E78ECA84-4117-03AA-CC2A-305FC0FACCBC} - C:\WINDOWS\system32\wpyrpati\rjosrnns.dll
    O2 - BHO: (no name) - {F0761B6D-D946-F6D0-3D09-B7997FAC1262} - C:\WINDOWS\system32\wssbehts\rcjbyxpv.dll
    O2 - BHO: (no name) - {F310B9A5-16C9-2747-C543-91665111DA3C} - C:\WINDOWS\system32\jpbrpidk\viwxynlc.dll
    O2 - BHO: (no name) - {FD8525B7-C687-024D-1B35-B4637DFFB81A} - C:\WINDOWS\system32\sqglhwrl\kreclovi.dll
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\dwxkxjy.exe
    O4 - HKLM\..\Run: [Flaw Iso Gram Date] C:\Documents and Settings\All Users\Application Data\DEFY SHOW FLAW ISO\INFOREGS.exe
    O4 - HKLM\..\Run: [QBRSR] C:\WINDOWS\QuickBrowser.exe
    O4 - HKLM\..\Run: [gkholtmo] C:\WINDOWS\System32\bspaoxon\gkholtmo.exe
    O4 - HKLM\..\Run: [qecdrhvq] C:\WINDOWS\System32\dwerweml\qecdrhvq.exe
    O4 - HKLM\..\Run: [kbkkcvk] C:\WINDOWS\system32\dokmu\kbkkcvk.exe
    O4 - HKLM\..\Run: [wafcxga] C:\WINDOWS\system32\rxgv\wafcxga.exe
    O4 - HKLM\..\Run: [fcsbghh] C:\WINDOWS\system32\hvaa\fcsbghh.exe
    O4 - HKLM\..\Run: [xemcred] C:\WINDOWS\system32\mchkdgxt\xemcred.exe
    O4 - HKLM\..\Run: [XtTb.exe] C:\WINDOWS\XtTb.exe
    O4 - HKLM\..\Run: [wqhcrril] C:\WINDOWS\system32\lgsbqc\wqhcrril.exe
    O4 - HKLM\..\Run: [ceqg] C:\WINDOWS\system32\jemeslv\ceqg.exe
    O4 - HKLM\..\Run: [uxxwavl] C:\WINDOWS\system32\rrwanl\uxxwavl.exe
    O4 - HKLM\..\Run: [eadohia] C:\WINDOWS\system32\rvka\eadohia.exe
    O4 - HKLM\..\Run: [lbcjx] C:\WINDOWS\system32\lvbjwu\lbcjx.exe
    O4 - HKLM\..\Run: [Eq Axis Tick 1] C:\Documents and Settings\All Users\Application Data\ProgramHoldEqAxis\MFCD MEMO.exe
    O4 - HKLM\..\Run: [fghbmpim] C:\WINDOWS\system32\fqnhxmm\fghbmpim.exe
    O4 - HKLM\..\Run: [ittvdd] C:\WINDOWS\system32\eutyfj\ittvdd.exe
    O4 - HKLM\..\Run: [xtla] C:\WINDOWS\system32\ohdkfju\xtla.exe
    O4 - HKLM\..\Run: [qiwkt] C:\WINDOWS\system32\rqqoaywj\qiwkt.exe
    O4 - HKLM\..\Run: [mdabjd] C:\WINDOWS\system32\fouoc\mdabjd.exe
    O4 - HKLM\..\Run: [palwl] C:\WINDOWS\system32\ktkh\palwl.exe
    O4 - HKLM\..\Run: [akbhrdm] C:\WINDOWS\system32\helj\akbhrdm.exe
    O4 - HKLM\..\Run: [bemwwyix] C:\WINDOWS\system32\yngde\bemwwyix.exe
    O4 - HKLM\..\Run: [bejnj] C:\WINDOWS\system32\ugiew\bejnj.exe
    O4 - HKLM\..\Run: [rrbjemy] C:\WINDOWS\system32\mhpuha\rrbjemy.exe
    O4 - HKLM\..\Run: [ojxit] C:\WINDOWS\system32\ikrcw\ojxit.exe
    O4 - HKLM\..\Run: [xxrso] C:\WINDOWS\system32\lvvtua\xxrso.exe
    O4 - HKLM\..\Run: [jnasmis] C:\WINDOWS\system32\madtgj\jnasmis.exe
    O4 - HKLM\..\Run: [phqtjrnq] C:\WINDOWS\system32\eacdsdaw\phqtjrnq.exe
    O4 - HKLM\..\Run: [odsaiboo] C:\WINDOWS\system32\pmjchfx\odsaiboo.exe
    O4 - HKLM\..\Run: [bfkajxcn] C:\WINDOWS\system32\mhfep\bfkajxcn.exe
    O4 - HKLM\..\Run: [wofoqj] C:\WINDOWS\system32\dtywteri\wofoqj.exe
    O4 - HKLM\..\Run: [kcuhdj] C:\WINDOWS\system32\bglkwp\kcuhdj.exe
    O4 - HKLM\..\Run: [vtpxtsml] C:\WINDOWS\system32\dbqicvb\vtpxtsml.exe
    O4 - HKLM\..\Run: [ravtkqtx] C:\WINDOWS\system32\fjedfy\ravtkqtx.exe
    O4 - HKLM\..\Run: [vjqepqd] C:\WINDOWS\system32\xndcne\vjqepqd.exe
    O4 - HKLM\..\Run: [svbdye] C:\WINDOWS\system32\mqljryk\svbdye.exe
    O4 - HKLM\..\Run: [uhkb] C:\WINDOWS\system32\dlwwvpu\uhkb.exe
    O4 - HKLM\..\Run: [otgojm] C:\WINDOWS\system32\xpmo\otgojm.exe
    O4 - HKLM\..\Run: [msnguhxh] C:\WINDOWS\system32\gefmmbr\msnguhxh.exe
    O4 - HKLM\..\Run: [lyrybf] C:\WINDOWS\system32\gokc\lyrybf.exe
    O4 - HKLM\..\Run: [oxatnu] C:\WINDOWS\system32\ppbp\oxatnu.exe
    O4 - HKLM\..\Run: [odaqobfv] C:\WINDOWS\system32\qrhlugy\odaqobfv.exe
    O4 - HKLM\..\Run: [togqhkd] C:\WINDOWS\system32\xrhlv\togqhkd.exe
    O4 - HKLM\..\Run: [aaog] C:\WINDOWS\system32\noyiqv\aaog.exe
    O4 - HKLM\..\Run: [hyqtov] C:\WINDOWS\system32\pcchbp\hyqtov.exe
    O4 - HKLM\..\Run: [puccg] C:\WINDOWS\system32\lifhrw\puccg.exe
    O4 - HKLM\..\Run: [mfqofaw] C:\WINDOWS\system32\rlwpdw\mfqofaw.exe
    O4 - HKLM\..\Run: [ypjlff] C:\WINDOWS\system32\gxhlhyc\ypjlff.exe
    O4 - HKLM\..\Run: [ptdiltef] C:\WINDOWS\system32\wyttdl\ptdiltef.exe
    O4 - HKLM\..\Run: [aerissy] C:\WINDOWS\system32\vdwkvsy\aerissy.exe
    O4 - HKLM\..\Run: [eipwq] C:\WINDOWS\system32\kikf\eipwq.exe
    O4 - HKLM\..\Run: [dumdjxi] C:\WINDOWS\system32\uwpfill\dumdjxi.exe
    O4 - HKLM\..\Run: [hmkih] C:\WINDOWS\system32\uvyqvme\hmkih.exe
    O4 - HKLM\..\Run: [qyqf] C:\WINDOWS\system32\khufdlh\qyqf.exe
    O4 - HKLM\..\Run: [vmwfjwy] C:\WINDOWS\system32\gbnkkdi\vmwfjwy.exe
    O4 - HKLM\..\Run: [pkgubegx] C:\WINDOWS\system32\pqkdb\pkgubegx.exe
    O4 - HKLM\..\Run: [mohyajnt] C:\WINDOWS\system32\xajitc\mohyajnt.exe
    O4 - HKLM\..\Run: [icld] C:\WINDOWS\system32\vlqrs\icld.exe
    O4 - HKLM\..\Run: [xsxcwnl] C:\WINDOWS\system32\kcgtp\xsxcwnl.exe
    O4 - HKLM\..\Run: [hred] C:\WINDOWS\system32\ghevqmc\hred.exe
    O4 - HKLM\..\Run: [rqpv] C:\WINDOWS\system32\lnaqm\rqpv.exe
    O4 - HKLM\..\Run: [sqrucvhi] C:\WINDOWS\system32\burii\sqrucvhi.exe
    O4 - HKLM\..\Run: [srrga] C:\WINDOWS\system32\ucpcdvq\srrga.exe
    O4 - HKLM\..\Run: [alql] C:\WINDOWS\system32\xlxfogxm\alql.exe
    O4 - HKLM\..\Run: [ujycwt] C:\WINDOWS\system32\iwxjoeve\ujycwt.exe
    O4 - HKLM\..\Run: [uouml] C:\WINDOWS\system32\runb\uouml.exe
    O4 - HKLM\..\Run: [uaknonw] C:\WINDOWS\system32\bqfetrqd\uaknonw.exe
    O4 - HKLM\..\Run: [tyrvse] C:\WINDOWS\system32\tgvxs\tyrvse.exe
    O4 - HKLM\..\Run: [rwemjxa] C:\WINDOWS\system32\uiytibr\rwemjxa.exe
    O4 - HKLM\..\Run: [xmivr] C:\WINDOWS\system32\bsnmax\xmivr.exe
    O4 - HKLM\..\Run: [vyih] C:\WINDOWS\system32\pgehh\vyih.exe
    O4 - HKLM\..\Run: [ikhnpg] C:\WINDOWS\system32\lfwxaxoe\ikhnpg.exe
    O4 - HKLM\..\Run: [rocfjen] C:\WINDOWS\system32\exoms\rocfjen.exe
    O4 - HKLM\..\Run: [cxxdtwxx] C:\WINDOWS\system32\frmu\cxxdtwxx.exe
    O4 - HKLM\..\Run: [lghnanm] C:\WINDOWS\system32\ktcbq\lghnanm.exe
    O4 - HKLM\..\Run: [ddquw] C:\WINDOWS\system32\lyhmsovc\ddquw.exe
    O4 - HKLM\..\Run: [bimrbju] C:\WINDOWS\system32\qwbo\bimrbju.exe
    O4 - HKLM\..\Run: [vefxlgv] C:\WINDOWS\system32\gvyh\vefxlgv.exe
    O4 - HKLM\..\Run: [tmypdwk] C:\WINDOWS\system32\qhidibfr\tmypdwk.exe
    O4 - HKLM\..\Run: [idgdkxm] C:\WINDOWS\system32\xjgxb\idgdkxm.exe
    O4 - HKLM\..\Run: [wuadhy] C:\WINDOWS\system32\renn\wuadhy.exe
    O4 - HKLM\..\Run: [cewjy] C:\WINDOWS\system32\wagda\cewjy.exe
    O4 - HKLM\..\Run: [atfhst] C:\WINDOWS\system32\fkqkisum\atfhst.exe
    O4 - HKLM\..\Run: [cjntdst] C:\WINDOWS\system32\amxhahi\cjntdst.exe
    O4 - HKLM\..\Run: [yfjrees] C:\WINDOWS\system32\mmhetn\yfjrees.exe
    O4 - HKLM\..\Run: [sqlt] C:\WINDOWS\system32\hvtaxvu\sqlt.exe
    O4 - HKLM\..\Run: [qpijmhd] C:\WINDOWS\system32\ltsjl\qpijmhd.exe
    O4 - HKLM\..\Run: [psegyxw] C:\WINDOWS\system32\prvday\psegyxw.exe
    O4 - HKLM\..\Run: [kchc] C:\WINDOWS\system32\qlqt\kchc.exe
    O4 - HKLM\..\Run: [rkjn] C:\WINDOWS\system32\femy\rkjn.exe
    O4 - HKLM\..\Run: [vvcrpg] C:\WINDOWS\system32\vutqq\vvcrpg.exe
    O4 - HKLM\..\Run: [kisljwah] C:\WINDOWS\system32\aywuwx\kisljwah.exe
    O4 - HKLM\..\Run: [tetih] C:\WINDOWS\system32\fnasgnen\tetih.exe
    O4 - HKLM\..\Run: [qfiykq] C:\WINDOWS\system32\rpykk\qfiykq.exe
    O4 - HKLM\..\Run: [jtxnenqd] C:\WINDOWS\system32\hxyd\jtxnenqd.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\Run: [Settings Jugs] C:\DOCUME~1\Cari\APPLIC~1\SITESH~1\MANAGER DOG NEW.exe
    O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\Cari\Application Data\n?x??n.exe
    O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\ezsys.exe
    O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/imcupdatefiles/whistlesilent610.cab


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\aywuwx\kisljwah.exe
    C:\WINDOWS\system32\fnasgnen\tetih.exe
    C:\WINDOWS\system32\hxyd\jtxnenqd.exe
    C:\Documents and Settings\Cari\Application Data\n?x??n.exe
    C:\Documents and Settings\All Users\Application Data\DEFY SHOW FLAW ISO <--- the whole directory
    C:\Documents and Settings\All Users\Application Data\ProgramHoldEqAxis <--- the whole directory

    Now also look back above at all the O4 items we had HJT fix and locate and delete all those files too.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working. We may not get all of this the first time.
     
  6. knownada

    knownada Private E-2

    Hi chaslang,
    Sorry for the mess. I cleaned up everything listed and ran a new log. Looks like a lot of stuff popped up since last log; as you say it is a mess. No sign of "Web Offer" and none of the processes listed on the first log were running.
    knownada
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    This time let's try booting in safe mode to clean up. So boot into safe mode now and don't run anything except what I indicate.
    You will need to print these instructions or save them to a file locally to review because I want you offline. It is okay if you want to have a Notepad session up to copy these to locally while selecting all the lines in HJT.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them
    C:\WINDOWS\system32\dpcmbfcv\ujnwpdsi.exe
    C:\WINDOWS\system32\skjhmm\dsbo.exe
    C:\WINDOWS\system32\gihvnbkc\xscshdfi.exe
    C:\WINDOWS\system32\mjdunib\apwc.exe
    C:\WINDOWS\system32\dealhelper.exe


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zyebgckuqdgqydecizkktgsue.com/qibiMWYnXBmqUhMPVADQyVz0mynuZmXoyC7MDeLJKRQ.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: (no name) - {76486EC0-8092-B595-9D1A-E6F7981631F6} - C:\WINDOWS\system32\pojuixeh\ismwjsyf.dll
    O4 - HKLM\..\Run: [xehbnwg] C:\WINDOWS\system32\tjjv\xehbnwg.exe
    O4 - HKLM\..\Run: [qbkubahw] C:\WINDOWS\system32\ovju\qbkubahw.exe
    O4 - HKLM\..\Run: [tsjvkyh] C:\WINDOWS\system32\cxcej\tsjvkyh.exe
    O4 - HKLM\..\Run: [tohodr] C:\WINDOWS\system32\rqbdpswo\tohodr.exe
    O4 - HKLM\..\Run: [myfs] C:\WINDOWS\system32\rdva\myfs.exe
    O4 - HKLM\..\Run: [gcqq] C:\WINDOWS\system32\aucuwl\gcqq.exe
    O4 - HKLM\..\Run: [ibmvhypq] C:\WINDOWS\system32\mqsa\ibmvhypq.exe
    O4 - HKLM\..\Run: [pllespe] C:\WINDOWS\system32\gyabo\pllespe.exe
    O4 - HKLM\..\Run: [oxrgkxv] C:\WINDOWS\system32\mouyewli\oxrgkxv.exe
    O4 - HKLM\..\Run: [uqwiccxy] C:\WINDOWS\system32\qmwbjde\uqwiccxy.exe
    O4 - HKLM\..\Run: [jibqwqi] C:\WINDOWS\system32\qgghngu\jibqwqi.exe
    O4 - HKLM\..\Run: [opnon] C:\WINDOWS\system32\lojwo\opnon.exe
    O4 - HKLM\..\Run: [mwjx] C:\WINDOWS\system32\vfhsr\mwjx.exe
    O4 - HKLM\..\Run: [sandog] C:\WINDOWS\system32\gqsja\sandog.exe
    O4 - HKLM\..\Run: [wvpgmw] C:\WINDOWS\system32\ejqvdoje\wvpgmw.exe
    O4 - HKLM\..\Run: [mbhirm] C:\WINDOWS\system32\jbbfn\mbhirm.exe
    O4 - HKLM\..\Run: [boggvw] C:\WINDOWS\system32\kmqv\boggvw.exe
    O4 - HKLM\..\Run: [ewdvmvg] C:\WINDOWS\system32\xjiecjat\ewdvmvg.exe
    O4 - HKLM\..\Run: [hvrkf] C:\WINDOWS\system32\yxlic\hvrkf.exe
    O4 - HKLM\..\Run: [unriikdc] C:\WINDOWS\system32\yuscrtae\unriikdc.exe
    O4 - HKLM\..\Run: [pqnbu] C:\WINDOWS\system32\efqfbx\pqnbu.exe
    O4 - HKLM\..\Run: [tmend] C:\WINDOWS\system32\xexmp\tmend.exe
    O4 - HKLM\..\Run: [ttycc] C:\WINDOWS\system32\secj\ttycc.exe
    O4 - HKLM\..\Run: [gjkefs] C:\WINDOWS\system32\xjxw\gjkefs.exe
    O4 - HKLM\..\Run: [bphcwsaf] C:\WINDOWS\system32\bhdlshf\bphcwsaf.exe
    O4 - HKLM\..\Run: [hapjg] C:\WINDOWS\system32\bbptj\hapjg.exe
    O4 - HKLM\..\Run: [jlyqb] C:\WINDOWS\system32\fhfi\jlyqb.exe
    O4 - HKLM\..\Run: [mgkmip] C:\WINDOWS\system32\sabm\mgkmip.exe
    O4 - HKLM\..\Run: [bjjunu] C:\WINDOWS\system32\lgrs\bjjunu.exe
    O4 - HKLM\..\Run: [fepepv] C:\WINDOWS\system32\rkemby\fepepv.exe
    O4 - HKLM\..\Run: [avobijir] C:\WINDOWS\system32\stbobxgd\avobijir.exe
    O4 - HKLM\..\Run: [ridfgcp] C:\WINDOWS\system32\xrod\ridfgcp.exe
    O4 - HKLM\..\Run: [mkps] C:\WINDOWS\system32\ttdh\mkps.exe
    O4 - HKLM\..\Run: [hphcriqp] C:\WINDOWS\system32\gfqhyc\hphcriqp.exe
    O4 - HKLM\..\Run: [feyftonr] C:\WINDOWS\system32\spemmh\feyftonr.exe
    O4 - HKLM\..\Run: [rmlgf] C:\WINDOWS\system32\npmoqvo\rmlgf.exe
    O4 - HKLM\..\Run: [hosti] C:\WINDOWS\system32\skwgo\hosti.exe
    O4 - HKLM\..\Run: [dsbo] C:\WINDOWS\system32\skjhmm\dsbo.exe
    O4 - HKLM\..\Run: [ujnwpdsi] C:\WINDOWS\system32\dpcmbfcv\ujnwpdsi.exe
    O4 - HKLM\..\Run: [kxmen] C:\WINDOWS\system32\jaemppp\kxmen.exe
    O4 - HKLM\..\Run: [xchims] C:\WINDOWS\system32\hijxlr\xchims.exe
    O4 - HKLM\..\Run: [cfmk] C:\WINDOWS\system32\pkfycsx\cfmk.exe
    O4 - HKLM\..\Run: [obqb] C:\WINDOWS\system32\clwvrhx\obqb.exe
    O4 - HKLM\..\Run: [xscshdfi] C:\WINDOWS\system32\gihvnbkc\xscshdfi.exe
    O4 - HKLM\..\Run: [apwc] C:\WINDOWS\system32\mjdunib\apwc.exe
    O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.16/ttinst.cab
    O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)

    Now run Windows Explorer and delete the following:
    C:\Program Files\Common Files\tsa <-- the whole directory
    C:\WINDOWS\system32\pojuixeh\ismwjsyf.dll

    And now again delete all the files indicated in the above on the O4 - HKLM lines. Take your time and make sure you get all of them. Also while in the system32 folder check to see if you notice any other similarly named random folders with randomly named EXE files in them. You may want to write them down (if there aren't too many). I would like to say just delete them but that may not be a good idea.

    Tell me if you have problems finding or deleting any of those.

    Now reboot normal and post a new HJT log.
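    The two cleanup rounds above both ask the user to work through every O4 line by hand, pull out the file path, and then look for other "random folder, random EXE" entries under system32. The script below is an added example (not part of this thread, and not a HijackThis feature) that does that triage over the O2/O4/R0/R1 lines of a HijackThis 1.98-style log. The sample log is constructed from lines quoted in the posts above and is not a complete log; the RANDOM_SYS32_RE pattern is a heuristic on the naming shape seen in this thread only, and EXPECTED_IE_HOSTS is an assumed allow-list based on the home page mentioned later in the thread.

```python
import re
from typing import Dict, List

# Constructed sample in the style of the HijackThis 1.98 logs quoted in this thread.
# The lines are copied from the posts above; it is not a complete log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0DC0237F-2C4B-47CC-1B1C-6132083B235B} - C:\WINDOWS\system32\catfuowi\eovnymic.dll
O2 - BHO: (no name) - {31B2A171-18F7-F566-AA90-FDAB06583FA3} - C:\PROGRA~1\Liesbind\JunkLog.exe (file missing)
O2 - BHO: KGhost - {968BC8A3-7660-4B12-B2BF-3334775835E1} - C:\Program Files\NetMeeting\KG\KGhost.dll
O4 - HKLM\..\Run: [kisljwah] C:\WINDOWS\system32\aywuwx\kisljwah.exe
O4 - HKLM\..\Run: [tetih] C:\WINDOWS\system32\fnasgnen\tetih.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\ezsys.exe
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/imcupdatefiles/whistlesilent610.cab
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
"""

# Line shapes HijackThis 1.98 uses for the sections this thread works with.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - (?P<hive>HKLM|HKCU)\\Software\\Microsoft\\Internet Explorer\\Main,"
                  r"(?P<setting>[^=]+?) = (?P<value>.*)$")
# First drive-letter path ending in an executable extension; tolerates quotes and trailing arguments.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|com|bat))"?', re.I)
# Naming shape seen throughout this thread: system32\<random letters>\<random letters>.exe|dll.
# Heuristic on the name only (assumption), not a general-purpose malware detector.
RANDOM_SYS32_RE = re.compile(r"^C:\\WINDOWS\\system32\\[a-z]{4,8}\\[a-z]{4,8}\.(?:exe|dll)$", re.I)
# Assumed allow-list of IE start/search pages the user actually wants (the thread names emachines.com).
EXPECTED_IE_HOSTS = {"www.emachines.com"}


def parse_hjt(text: str) -> List[Dict[str, object]]:
    """Turn the O2/O4/R0/R1 lines of a HijackThis log into dicts; other sections are skipped."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            p = PATH_RE.search(m["cmd"])
            entries.append({"section": "O4", "hive": m["hive"], "key": m["key"], "name": m["name"],
                            "path": p["path"] if p else None,
                            "missing": "(file missing)" in m["cmd"], "raw": line, "value": None})
        elif m := O2_RE.match(line):
            p = PATH_RE.search(m["cmd"])
            entries.append({"section": "O2", "hive": None, "key": m["clsid"], "name": m["name"],
                            "path": p["path"] if p else None,
                            "missing": "(file missing)" in m["cmd"], "raw": line, "value": None})
        elif m := R_RE.match(line):
            entries.append({"section": "R", "hive": m["hive"], "key": m["setting"], "name": None,
                            "path": None, "missing": False, "raw": line, "value": m["value"]})
    return entries


def _host(url: str) -> str:
    """Host part of a URL; non-URL values such as about:blank come back unchanged."""
    m = re.match(r"^[a-z]+://([^/]+)", url, re.I)
    return m.group(1).lower() if m else url.lower()


def triage(entries: List[Dict[str, object]]) -> Dict[str, list]:
    """Sort parsed entries into the buckets the cleanup steps in this thread work through."""
    report: Dict[str, list] = {"random_system32": [], "folders_to_inspect": [],
                               "malformed_autorun": [], "hijacked_ie": [], "dead_entries": []}
    seen = set()
    for e in entries:
        path = e["path"]
        if e["section"] == "R":
            # Start page / search settings pointing anywhere but the expected host are hijacks to fix.
            if _host(str(e["value"])) not in EXPECTED_IE_HOSTS:
                report["hijacked_ie"].append((e["hive"], e["key"], e["value"]))
        elif path is None:
            # An autorun with no executable path (e.g. "[Yahoo! Pager] 1") is broken or tampered with.
            report["malformed_autorun"].append((e["name"], e["raw"]))
        elif e["missing"]:
            # Registry entry survives but the file is gone: fix the entry, nothing to delete on disk.
            report["dead_entries"].append(e["raw"])
        elif RANDOM_SYS32_RE.match(str(path)) and str(path).lower() not in seen:
            seen.add(str(path).lower())
            report["random_system32"].append(path)
            folder = str(path).rsplit("\\", 1)[0]
            if folder not in report["folders_to_inspect"]:
                report["folders_to_inspect"].append(folder)
    return report


if __name__ == "__main__":
    for bucket, items in triage(parse_hjt(SAMPLE_LOG)).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

    Run it against a saved .log file by replacing SAMPLE_LOG with the file's contents; the "folders_to_inspect" bucket is the list to check by hand in safe mode, as the post above says, rather than something to delete blindly.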
     
  8. knownada

    knownada Private E-2

    chaslang,
    I followed the instructions; still saw nothing unusual running in processes. Looks like all randomly named folders have been cleaned, but still have three in system32 folder that looked strange to me:

    system32\syrwoewe\sttenc.exe.tcf
    system32\dwerweml\lppdfgok.exe.tcf
    system32\utcvu\puggb.exe.tcf

    Also, something still appears to try to change to random looking URL's.
    Thanks for your time!
    knownada
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! We are getting a little better each time but we still have things to fix. New stuff just keeps showing as we fix other problems.

    Very Important: You must remember to exit all browsers anytime you use HijackThis (even more important when using it to fix problems). You had two IE sessions running (see your log).

    What do you expect your home page to be? I'm going to assume you want: http://www.emachines.com

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.fvomknkfblegvziukittbzs.info/qibiMWYnXBlgIQ0zk7/kyERVxUaBAZ663HmBfmzjBGL29QuAzkStCTZwHMDnLYvK.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zyebgckuqdgqydecizkktgsue.com/qibiMWYnXBmqUhMPVADQyVz0mynuZmXoyC7MDeLJKRQ.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: (no name) - {6A7154D7-8529-F13E-FCA9-E64DC28DA76F} - C:\DOCUME~1\Cari\APPLIC~1\Liesbind\JunkLog.exe
    O4 - HKLM\..\Run: [Eq Axis Tick 1] C:\Documents and Settings\All Users\Application Data\ProgramHoldEqAxis\ExtraSoftware.exe
    O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\Cari\Application Data\n?x??n.exe
    O4 - HKCU\..\Run: [Settings Jugs] C:\DOCUME~1\Cari\APPLIC~1\SITESH~1\MANAGER DOG NEW.exe

    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\Cari\Application Data\Liesbind\JunkLog.exe
    C:\Documents and Settings\Cari\Application Data\SITESH~1\MANAGER DOG NEW.exe <-- SITESH~1 is short for something. You should be able to figure out what.
    C:\Documents and Settings\All Users\Application Data\ProgramHoldEqAxis\ExtraSoftware.exe

    Now let's Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to http://www.emachines.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Question:
    This next line for Yahoo Pager does not look correct. Do you use this?
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    I expect it to look more like:
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
     
  10. knownada

    knownada Private E-2

    chaslang,
    Everything is looking much better. Please check my HJT log but I think it's looking clean. That strange line for Yahoo pager does not look like anything I need; I don't use that feature. Thanks again for all your help. I really needed it because I know nada!
    :)
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

