Hijack this Log(RESOLVED)

  1. #1
kduff (Newbie)

    Logfile of HijackThis v1.99.1
    Scan saved at 11:29:16 PM, on 12/28/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\program files\steam\steam.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\DOCUME~1\Brian\LOCALS~1\Temp\3F.tmp.exe
    C:\DOCUME~1\Brian\LOCALS~1\Temp\40.tmp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\appyd.exe
    C:\WINDOWS\sysze32.exe
    C:\WINDOWS\system32\javafx.exe
    C:\WINDOWS\sysze32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\Ventrilo\Ventrilo.exe
    C:\Documents and Settings\Brian\Desktop\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hslta.dll/sp.html#10001%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hslta.dll/sp.html#10001%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hslta.dll/sp.html#10001%resultposition.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hslta.dll/sp.html#10001%resultposition.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hslta.dll/sp.html#10001%resultposition.net
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {0E594352-A957-6820-4820-A4904CB77B7B} - C:\WINDOWS\system32\sdkan.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: (no name) - {57071e88-0e9d-4695-8af0-5731ab4c8655} - C:\WINDOWS\system32\yaeoabtt.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\pmnlk.dll
    O2 - BHO: (no name) - {86d567f3-4515-48cc-9fb1-9e99ceba29bf} - C:\WINDOWS\system32\yaeoabtt.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: Class - {C6227AB8-1429-9D80-8BEE-55DC63DBF69B} - C:\WINDOWS\system32\mfcyz32.dll
    O2 - BHO: Class - {DCAEDD4C-CBCF-4AEE-7E2B-A1821BA8C715} - C:\WINDOWS\system32\apirg.dll
    O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\pmkhg.dll
    O2 - BHO: (no name) - {eaf82827-aa61-41c9-af7b-7d7a7f46da29} - C:\WINDOWS\system32\yaeoabtt.dll
    O2 - BHO: Class - {F3D033BB-F814-6782-CAD4-9295C2E8F8F1} - C:\WINDOWS\appdm.dll
    O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [mfcxg32.exe] C:\WINDOWS\mfcxg32.exe
    O4 - HKLM\..\Run: [3F.tmp] C:\DOCUME~1\Brian\LOCALS~1\Temp\3F.tmp.exe
    O4 - HKLM\..\Run: [40.tmp] C:\DOCUME~1\Brian\LOCALS~1\Temp\40.tmp.exe
    O4 - HKLM\..\Run: [3F.tmp.exe] C:\DOCUME~1\Brian\LOCALS~1\Temp\3F.tmp.exe
    O4 - HKLM\..\Run: [40.tmp.exe] C:\DOCUME~1\Brian\LOCALS~1\Temp\40.tmp.exe
    O4 - HKLM\..\Run: [msen.exe] C:\WINDOWS\msen.exe
    O4 - HKLM\..\Run: [appyd.exe] C:\WINDOWS\system32\appyd.exe
    O4 - HKLM\..\Run: [javafx.exe] C:\WINDOWS\system32\javafx.exe
    O4 - HKLM\..\RunOnce: [sysze32.exe] C:\WINDOWS\sysze32.exe
    O4 - HKLM\..\RunOnce: [winlj.exe] C:\WINDOWS\winlj.exe
    O4 - HKLM\..\RunOnce: [crvb32.exe] C:\WINDOWS\system32\crvb32.exe
    O4 - HKLM\..\RunOnce: [sysyu32.exe] C:\WINDOWS\sysyu32.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microso.../TLIEFlash.CAB
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/nets...l/gtdownls.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7106F43A-984C-426E-9449-943C19288BF1}: NameServer = 68.168.96.194,68.168.96.197
    O20 - Winlogon Notify: gebya - gebya.dll (file missing)
    O20 - Winlogon Notify: pmkhg - C:\WINDOWS\SYSTEM32\pmkhg.dll
    O20 - Winlogon Notify: pmnlk - C:\WINDOWS\system32\pmnlk.dll
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysze32.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe


  2. #2
    Neal (Dedicated Member)
    Welcome to DAL, you are extremely infected. Bear with us and we will do our best to get you cleaned up. We will start on the Vundo Trojan first and a few cws files and go from there.


    Go here to learn how to show hidden files/folders:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5


    Go to start >run and type: services.msc and click OK
    Scroll down in that list and look if the following services are present:

    Network Security Service (NSS)
    Remote Procedure Call (RPC) Helper
    Workstation NetLogon Service

    Please make sure it is written exactly the same as above, because there are also legit services that look very much like the ones above, so please choose the right one!! For example, there's also a legit service called Remote Procedure Call (RPC), without the word Helper in it. That is a good one, so please don't select that one.

    Double-click on the service(s). In the window that will appear, click on "Stop" (if not greyed out) and change the Startup Type to Disabled.
    Click apply and OK and close all open windows.


    Next:

    Please run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type Remote Procedure Call (RPC) Helper and press OK. OK any prompts, close HijackThis, and restart your computer.

    Do the same for the other two services if listed


    Please print these instructions out for use in Safe Mode.

    Please download VundoFix© to your desktop.
    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix© folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in Safe Mode, open the VundoFix© folder and double-click on KillVundo.bat
    • You will first be presented with a warning.
      It should look like this
      VundoFix V2.15 by Atri
      By using VundoFix you agree that you are doing so at your own risk
      Press enter to continue....
      At this point press enter one time.
      Next you will see:
      Please Type in the filepath as instructed by the forum staff
      and then press enter:
      At this point please type the following file path (make sure to enter it exactly as below!): C:\WINDOWS\system32\pmnlk.dll
    Press Enter to continue with the fix.
    Next you will see:
    Please type in the second filepath as instructed by the forum
    staff then press enter:
    • At this point please type the following file path (make sure to enter it exactly as below!): C:\WINDOWS\system32\klnmp.*

    • Press Enter to continue with the fix.
    • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
    • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

      O2 - BHO: Class - {0E594352-A957-6820-4820-A4904CB77B7B} - C:\WINDOWS\system32\sdkan.dll
      O2 - BHO: (no name) - {57071e88-0e9d-4695-8af0-5731ab4c8655} - C:\WINDOWS\system32\yaeoabtt.dll
      O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\pmnlk.dll
      O2 - BHO: (no name) - {86d567f3-4515-48cc-9fb1-9e99ceba29bf} - C:\WINDOWS\system32\yaeoabtt.dll
      O2 - BHO: Class - {C6227AB8-1429-9D80-8BEE-55DC63DBF69B} - C:\WINDOWS\system32\mfcyz32.dll
      O2 - BHO: Class - {DCAEDD4C-CBCF-4AEE-7E2B-A1821BA8C715} - C:\WINDOWS\system32\apirg.dll
      O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\pmkhg.dll
      O2 - BHO: (no name) - {eaf82827-aa61-41c9-af7b-7d7a7f46da29} - C:\WINDOWS\system32\yaeoabtt.dll
      O2 - BHO: Class - {F3D033BB-F814-6782-CAD4-9295C2E8F8F1} - C:\WINDOWS\appdm.dll

      O4 - HKLM\..\Run: [mfcxg32.exe] C:\WINDOWS\mfcxg32.exe
      O4 - HKLM\..\Run: [3F.tmp] C:\DOCUME~1\Brian\LOCALS~1\Temp\3F.tmp.exe
      O4 - HKLM\..\Run: [40.tmp] C:\DOCUME~1\Brian\LOCALS~1\Temp\40.tmp.exe
      O4 - HKLM\..\Run: [3F.tmp.exe] C:\DOCUME~1\Brian\LOCALS~1\Temp\3F.tmp.exe
      O4 - HKLM\..\Run: [40.tmp.exe] C:\DOCUME~1\Brian\LOCALS~1\Temp\40.tmp.exe
      O4 - HKLM\..\Run: [msen.exe] C:\WINDOWS\msen.exe
      O4 - HKLM\..\Run: [appyd.exe] C:\WINDOWS\system32\appyd.exe
      O4 - HKLM\..\Run: [javafx.exe] C:\WINDOWS\system32\javafx.exe
      O4 - HKLM\..\RunOnce: [sysze32.exe] C:\WINDOWS\sysze32.exe
      O4 - HKLM\..\RunOnce: [winlj.exe] C:\WINDOWS\winlj.exe
      O4 - HKLM\..\RunOnce: [crvb32.exe] C:\WINDOWS\system32\crvb32.exe
      O4 - HKLM\..\RunOnce: [sysyu32.exe] C:\WINDOWS\sysyu32.exe
      O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab

      O20 - Winlogon Notify: gebya - gebya.dll (file missing)
      O20 - Winlogon Notify: pmkhg - C:\WINDOWS\SYSTEM32\pmkhg.dll
      O20 - Winlogon Notify: pmnlk - C:\WINDOWS\system32\pmnlk.dll
      O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysze32.exe



      Nothing open but hijackthis and click on "fix checked"

      Hunt for and delete if found:

      C:\WINDOWS\mfcxg32.exe
      C:\DOCUME~1\Brian\LOCALS~1\Temp\3F.tmp.exe
      C:\DOCUME~1\Brian\LOCALS~1\Temp\40.tmp.exe
      C:\WINDOWS\msen.exe
      C:\WINDOWS\system32\appyd.exe
      C:\WINDOWS\system32\javafx.exe
      C:\WINDOWS\sysze32.exe
      C:\WINDOWS\winlj.exe
      C:\WINDOWS\system32\crvb32.exe
      C:\WINDOWS\sysyu32.exe
      gebya.dll
      C:\WINDOWS\SYSTEM32\pmkhg.dll
      C:\WINDOWS\system32\pmnlk.dll


      Nothing open but hijackthis and click "fix checked"

    • After you have fixed these items, close Hijackthis.
    • Press enter to exit the program then manually reboot your computer.
    • Once your machine reboots please continue with the instructions below.

    Then, please run this online virus scan: ActiveScan

    Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

  3. #3
    kduff (Newbie)
    Okay, I did everything you suggested, and I found most of the items I was told to delete; however, I've noticed some of the items I've deleted have reappeared on the HijackThis log, such as the O20 items.

    PS: I would just like to thank you for all the assistance, it is very appreciated!
    Logfile of HijackThis v1.99.1
    Scan saved at 5:13:16 PM, on 12/29/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\program files\steam\steam.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\PROGRA~1\SPYWAR~1\swdoctor.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\mIRC\mirc.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Ventrilo\Ventrilo.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Brian\Desktop\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\oiwxw.dll/sp.html#10001%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oiwxw.dll/sp.html#10001%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oiwxw.dll/sp.html#10001%resultposition.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oiwxw.dll/sp.html#10001%resultposition.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oiwxw.dll/sp.html#10001%resultposition.net
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {035AB507-A454-30C0-7879-F028430BA8A3} - C:\WINDOWS\system32\ipcx.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0E594352-A957-6820-4820-A4904CB77B7B} - (no file)
    O2 - BHO: Class - {30E10B5B-9687-AA26-0DCB-8CAF27CCF33E} - C:\WINDOWS\system32\apiae.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: (no name) - {57071e88-0e9d-4695-8af0-5731ab4c8655} - C:\WINDOWS\system32\yaeoabtt.dll (file missing)
    O2 - BHO: Class - {5AF27B88-58BE-EDE2-DEDC-AC150AF3E5C5} - C:\WINDOWS\system32\netkg.dll (file missing)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: Class - {7FBDBF6B-DE91-BC70-ADEC-F5F1A0D6EC45} - C:\WINDOWS\system32\msax32.dll (file missing)
    O2 - BHO: Class - {825560FE-D4A6-EE93-7E13-121140EE2DB0} - C:\WINDOWS\system32\appyp.dll (file missing)
    O2 - BHO: (no name) - {827DC836-DD9F-4A68-A602-5812EB50A834} - (no file)
    O2 - BHO: Class - {8544CEB8-7AA5-0ABD-E8D0-E151F009353B} - C:\WINDOWS\msdo.dll (file missing)
    O2 - BHO: (no name) - {86d567f3-4515-48cc-9fb1-9e99ceba29bf} - C:\WINDOWS\system32\yaeoabtt.dll (file missing)
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: Class - {C6227AB8-1429-9D80-8BEE-55DC63DBF69B} - C:\WINDOWS\system32\mfcyz32.dll (file missing)
    O2 - BHO: Class - {DCAEDD4C-CBCF-4AEE-7E2B-A1821BA8C715} - C:\WINDOWS\system32\apirg.dll (file missing)
    O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\pmkhg.dll (file missing)
    O2 - BHO: Class - {EAA02F05-94D5-AC51-1A38-4EE43DA52407} - C:\WINDOWS\addeo.dll
    O2 - BHO: (no name) - {eaf82827-aa61-41c9-af7b-7d7a7f46da29} - C:\WINDOWS\system32\yaeoabtt.dll (file missing)
    O2 - BHO: Class - {F3D033BB-F814-6782-CAD4-9295C2E8F8F1} - C:\WINDOWS\appdm.dll (file missing)
    O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [mfcxg32.exe] C:\WINDOWS\mfcxg32.exe
    O4 - HKLM\..\Run: [3F.tmp] C:\DOCUME~1\Brian\LOCALS~1\Temp\3F.tmp.exe
    O4 - HKLM\..\Run: [40.tmp] C:\DOCUME~1\Brian\LOCALS~1\Temp\40.tmp.exe
    O4 - HKLM\..\Run: [3F.tmp.exe] C:\DOCUME~1\Brian\LOCALS~1\Temp\3F.tmp.exe
    O4 - HKLM\..\Run: [40.tmp.exe] C:\DOCUME~1\Brian\LOCALS~1\Temp\40.tmp.exe
    O4 - HKLM\..\Run: [mssy.exe] C:\WINDOWS\mssy.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microso.../TLIEFlash.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/nets...l/gtdownls.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7106F43A-984C-426E-9449-943C19288BF1}: NameServer = 68.168.96.194,68.168.96.197
    O20 - Winlogon Notify: gebya - gebya.dll (file missing)
    O20 - Winlogon Notify: pmkhg - pmkhg.dll (file missing)
    O20 - Winlogon Notify: pmnlk - C:\WINDOWS\system32\pmnlk.dll (file missing)
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    VundoFix V2.15 by Atri
    --------------------------------------------------------------------------------------

    Listing files contained in the vundofix folder.
    --------------------------------------------------------------------------------------

    killvundo.bat
    process.exe
    ReadMe.txt
    vundo.reg
    vundofix.txt

    --------------------------------------------------------------------------------------

    Filepaths entered
    --------------------------------------------------------------------------------------

    The filepath entered was c:\windows\system32\pmnlk.dll

    The second filepath entered was c:\windows\system32\klnmp.

    --------------------------------------------------------------------------------------

    Log from Process
    --------------------------------------------------------------------------------------


    Killing PID 152 'smss.exe'

    Error, Cannot find a process with an image name of explorer.exe


    Killing PID 224 'winlogon.exe'
    --------------------------------------------------------------------------------------

    c:\windows\system32\pmnlk.dll Deleted sucessfully.
    c:\windows\system32\klnmp. Deleted sucessfully.

    Fixing Registry
    --------------------------------------------------------------------------------------

    Activescan results

    Incident Status Location

    Spyware:spyware/cydoor Not disinfected C:\WINDOWS\SYSTEM32\cd_clint.dll
    Adware:adware/searchaid Not disinfected C:\WINDOWS\SYSTEM32\sdkhs32.exe
    Adware:adware/delfinmedia Not disinfected C:\keys.ini
    Adware:adware/antivirus-gold Not disinfected C:\WINDOWS\desktop.html
    Adware:adware program Not disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
    Adware:adware/pacimedia Not disinfected C:\Documents and Settings\Brian\Favorites\1111
    Spyware:spyware/virtumonde Not disinfected Windows Registry
    Possible Virus. Not disinfected C:\asdf.exe
    Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-37504352-675cbc42.zip[BlackBox.class]
    Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-37504352-675cbc42.zip[VB.class]
    Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-37504352-675cbc42.zip[Dummy.class]
    Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-37504352-675cbc42.zip[Beyond.class]
    Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6c1459c8-29f04557.zip[BlackBox.class]
    Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6c1459c8-29f04557.zip[VB.class]
    Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6c1459c8-29f04557.zip[Dummy.class]
    Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6c1459c8-29f04557.zip[Beyond.class]
    Virus:Bck/Obot.C Not disinfected C:\Documents and Settings\Brian\Desktop\backups\backup-20051229-153849-943.dll
    Virus:Trj/ShellHook.E Not disinfected C:\WINDOWS\SYSTEM32\pmkjg.dll
    Last edited by kduff; 29-12-2005 at 11:23 PM.

  4. #4
    Neal is offline Dedicated Member
    Nice job, lots to do yet.



    Look in Add/Remove Programs and remove if present:

    cydoor
    searchaid
    delfinmedia
    antivirus-gold
    pacimedia
    Limewire
    ---if this is not the latest paid version, remove it please



    Download the killbox:

    Killbox


    1) Open up kill box now.

    2) Select "Delete on Reboot".

    3) Copy the file names below to the clipboard by highlighting it and pressing Control-C:


    C:\WINDOWS\SYSTEM32\cd_clint.dll
    C:\WINDOWS\SYSTEM32\sdkhs32.exe
    C:\keys.ini
    C:\WINDOWS\desktop.html
    C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
    C:\asdf.exe
    C:\WINDOWS\SYSTEM32\pmkjg.dll



    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.


    Now...preparing for more of the fix

    I need you to download the Firefox browser; it will make some of these bad guys die a lot easier, as it is not infected like Internet Explorer is.


    Firefox download page:---www.mozilla.org/products/firefox/


    Don't run any of the below tools yet; just update and exit if updates are available.


    Please read the complete post first; you should copy and paste this post into a new text document or print it.
    Download and install http://www.ccleaner.com/ccdownload.php

    Download and install Ad-Aware, uncheck "show help file" and "perform full system scan" at the end of the installing routine, perform the update and close Ad-Aware. You will need it later.

    Download and save to your Desktop, don't run it now, we will use it later:
    http://securityresponse.symantec.com...r/FxAgentB.exe

    Next,
    Download the Intermute stand-alone version of CWShredder from here: cwshredder.net/bin/CWShredder.exe
    Install it and check for updates then exit, we will use it later.


    Download About:Buster from here:


    http://majorgeeks.com/download4289.html


    Unzip it to its own DESKTOP folder: right click an open area on the desktop, click New, then New Folder, and name the folder Aboutbuster. It is VITAL that it be unzipped.

    Please open/run the program and check for updates. After you update it exit.
    Do not run the actual scan/fix until instructed.


    Now go get Firefox and make it your default browser, download those tools above and post a new HijackThis log and we can proceed.
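    As an added example (not from the original thread, and not Killbox's own code): the "Delete on Reboot" option in tools of this kind is assumed here to use the Windows MoveFileEx MOVEFILE_DELAY_UNTIL_REBOOT mechanism, which appends a source/destination pair of strings to the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations that the session manager processes at the next boot. The decoder below lets you check what a tool has actually queued before you restart; the encoder shows what it writes. The paths are constructed from the file list above and are sample input only.

```python
r"""Decode and build the PendingFileRenameOperations value behind "delete on reboot".

Added example, not from the thread and not Killbox's code. Value format (REG_MULTI_SZ,
UTF-16LE, every string NUL-terminated, one extra NUL at the end): strings come in
source/destination pairs. The source carries the NT prefix "\??\"; an empty destination
means "delete at boot"; a destination starting with "!" means "replace an existing file".
"""
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"

# Constructed sample: files Neal asked Killbox to delete on reboot.
SAMPLE_DELETES = [
    r"C:\WINDOWS\SYSTEM32\cd_clint.dll",
    r"C:\WINDOWS\SYSTEM32\pmkjg.dll",
    r"C:\asdf.exe",
]


@dataclass
class PendingOp:
    source: str
    destination: Optional[str]      # None means the file is deleted at boot
    replace_existing: bool = False  # True when the destination had the "!" prefix


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_renames(raw: bytes) -> List[PendingOp]:
    """Parse the raw REG_MULTI_SZ bytes into (source, destination) operations."""
    s = raw.decode("utf-16-le")
    # Drop the last string's NUL plus the value terminator (an empty destination
    # is itself just a NUL, so we must not strip every trailing NUL blindly).
    if s.endswith("\0\0"):
        s = s[:-2]
    elif s.endswith("\0"):
        s = s[:-1]
    parts = s.split("\0")
    if len(parts) % 2:
        raise ValueError("value must hold source/destination pairs and be NUL-terminated")
    ops = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        ops.append(PendingOp(
            source=_strip_nt(src),
            destination=_strip_nt(dst) if dst else None,
            replace_existing=replace,
        ))
    return ops


def encode_pending_deletes(paths: List[str]) -> bytes:
    """Build the value a delete-on-reboot tool writes for these paths."""
    body = "".join(f"{NT_PREFIX}{p}\0\0" for p in paths)  # empty destination = delete
    return (body + "\0").encode("utf-16-le")


def queued_deletions(raw: bytes) -> List[str]:
    """Convenience view: just the paths that will be removed at next boot."""
    return [op.source for op in decode_pending_renames(raw) if op.destination is None]


if __name__ == "__main__":
    value = encode_pending_deletes(SAMPLE_DELETES)
    for op in decode_pending_renames(value):
        print("DELETE" if op.destination is None else f"RENAME -> {op.destination}", op.source)
```

    On a live XP box the raw bytes come from reading that registry value (for example with Python's winreg module, which is Windows-only); here the value is built in-process so the check runs anywhere. Anything you see queued that you did not put there is worth a look before rebooting, since malware uses the same mechanism to swap files into place.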

  5. #5
    kduff is offline Newbie
    Did everything you suggested. Here's my results with HijackThis.
    Thanks a lot!

    Logfile of HijackThis v1.99.1
    Scan saved at 901 PM, on 12/29/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\program files\steam\steam.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\PROGRA~1\SPYWAR~1\swdoctor.exe
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\Ventrilo\Ventrilo.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Documents and Settings\Brian\Desktop\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {035AB507-A454-30C0-7879-F028430BA8A3} - C:\WINDOWS\system32\ipcx.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0E594352-A957-6820-4820-A4904CB77B7B} - (no file)
    O2 - BHO: Class - {30E10B5B-9687-AA26-0DCB-8CAF27CCF33E} - C:\WINDOWS\system32\apiae.dll (file missing)
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: (no name) - {57071e88-0e9d-4695-8af0-5731ab4c8655} - C:\WINDOWS\system32\yaeoabtt.dll (file missing)
    O2 - BHO: Class - {5AF27B88-58BE-EDE2-DEDC-AC150AF3E5C5} - C:\WINDOWS\system32\netkg.dll (file missing)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: Class - {7FBDBF6B-DE91-BC70-ADEC-F5F1A0D6EC45} - C:\WINDOWS\system32\msax32.dll (file missing)
    O2 - BHO: Class - {825560FE-D4A6-EE93-7E13-121140EE2DB0} - C:\WINDOWS\system32\appyp.dll (file missing)
    O2 - BHO: Class - {8544CEB8-7AA5-0ABD-E8D0-E151F009353B} - C:\WINDOWS\msdo.dll (file missing)
    O2 - BHO: (no name) - {86d567f3-4515-48cc-9fb1-9e99ceba29bf} - C:\WINDOWS\system32\yaeoabtt.dll (file missing)
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: Class - {C6227AB8-1429-9D80-8BEE-55DC63DBF69B} - C:\WINDOWS\system32\mfcyz32.dll (file missing)
    O2 - BHO: Class - {DCAEDD4C-CBCF-4AEE-7E2B-A1821BA8C715} - C:\WINDOWS\system32\apirg.dll (file missing)
    O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\pmkhg.dll (file missing)
    O2 - BHO: Class - {EAA02F05-94D5-AC51-1A38-4EE43DA52407} - C:\WINDOWS\addeo.dll (file missing)
    O2 - BHO: (no name) - {eaf82827-aa61-41c9-af7b-7d7a7f46da29} - C:\WINDOWS\system32\yaeoabtt.dll (file missing)
    O2 - BHO: Class - {F3D033BB-F814-6782-CAD4-9295C2E8F8F1} - C:\WINDOWS\appdm.dll (file missing)
    O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [mfcxg32.exe] C:\WINDOWS\mfcxg32.exe
    O4 - HKLM\..\Run: [3F.tmp] C:\DOCUME~1\Brian\LOCALS~1\Temp\3F.tmp.exe
    O4 - HKLM\..\Run: [40.tmp] C:\DOCUME~1\Brian\LOCALS~1\Temp\40.tmp.exe
    O4 - HKLM\..\Run: [40.tmp.exe] C:\DOCUME~1\Brian\LOCALS~1\Temp\40.tmp.exe
    O4 - HKLM\..\Run: [mssy.exe] C:\WINDOWS\mssy.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microso.../TLIEFlash.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/nets...l/gtdownls.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7106F43A-984C-426E-9449-943C19288BF1}: NameServer = 68.168.96.194,68.168.96.197
    O20 - Winlogon Notify: gebya - gebya.dll (file missing)
    O20 - Winlogon Notify: pmkhg - pmkhg.dll (file missing)
    O20 - Winlogon Notify: pmnlk - C:\WINDOWS\system32\pmnlk.dll (file missing)
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

  6. #6
    Neal is offline Dedicated Member
    Hi,


    If the WeatherBug program you have is the free version, please remove it through Add/Remove Programs.

    Did you run the about:buster fix?
    Did you run the CWShredder fix?
    Did you run the fixagentB fix?

    I am not seeing part of your troubles. Don't be surprised if those infections come back (they may not), but the best results are when those tools are run from Safe Mode.


    Download Clean.bat to your desktop(Save page as or Save as): for later use to clean out your TEMPORARY and PREFETCH files.
    http://www.thatcomputerguy.us/downloads/clean.bat


    Run HijackThis, click on the Scan button and put checks next to these items:


    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {035AB507-A454-30C0-7879-F028430BA8A3} - C:\WINDOWS\system32\ipcx.dll (file missing)
    O2 - BHO: (no name) - {0E594352-A957-6820-4820-A4904CB77B7B} - (no file)
    O2 - BHO: Class - {30E10B5B-9687-AA26-0DCB-8CAF27CCF33E} - C:\WINDOWS\system32\apiae.dll (file missing)
    O2 - BHO: (no name) - {57071e88-0e9d-4695-8af0-5731ab4c8655} - C:\WINDOWS\system32\yaeoabtt.dll (file missing)
    O2 - BHO: Class - {5AF27B88-58BE-EDE2-DEDC-AC150AF3E5C5} - C:\WINDOWS\system32\netkg.dll (file missing)
    O2 - BHO: Class - {7FBDBF6B-DE91-BC70-ADEC-F5F1A0D6EC45} - C:\WINDOWS\system32\msax32.dll (file missing)
    O2 - BHO: Class - {825560FE-D4A6-EE93-7E13-121140EE2DB0} - C:\WINDOWS\system32\appyp.dll (file missing)
    O2 - BHO: Class - {8544CEB8-7AA5-0ABD-E8D0-E151F009353B} - C:\WINDOWS\msdo.dll (file missing)
    O2 - BHO: (no name) - {86d567f3-4515-48cc-9fb1-9e99ceba29bf} - C:\WINDOWS\system32\yaeoabtt.dll (file missing)
    O2 - BHO: Class - {C6227AB8-1429-9D80-8BEE-55DC63DBF69B} - C:\WINDOWS\system32\mfcyz32.dll (file missing)
    O2 - BHO: Class - {DCAEDD4C-CBCF-4AEE-7E2B-A1821BA8C715} - C:\WINDOWS\system32\apirg.dll (file missing)
    O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\pmkhg.dll (file missing)
    O2 - BHO: Class - {EAA02F05-94D5-AC51-1A38-4EE43DA52407} - C:\WINDOWS\addeo.dll (file missing)
    O2 - BHO: (no name) - {eaf82827-aa61-41c9-af7b-7d7a7f46da29} - C:\WINDOWS\system32\yaeoabtt.dll (file missing)
    O2 - BHO: Class - {F3D033BB-F814-6782-CAD4-9295C2E8F8F1} - C:\WINDOWS\appdm.dll (file missing)

    O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)

    O4 - HKLM\..\Run: [mfcxg32.exe] C:\WINDOWS\mfcxg32.exe
    O4 - HKLM\..\Run: [3F.tmp] C:\DOCUME~1\Brian\LOCALS~1\Temp\3F.tmp.exe
    O4 - HKLM\..\Run: [40.tmp] C:\DOCUME~1\Brian\LOCALS~1\Temp\40.tmp.exe
    O4 - HKLM\..\Run: [40.tmp.exe] C:\DOCUME~1\Brian\LOCALS~1\Temp\40.tmp.exe
    O4 - HKLM\..\Run: [mssy.exe] C:\WINDOWS\mssy.exe

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)---only if the free version

    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.micros...p/TLIEFlash.CAB
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

    O20 - Winlogon Notify: gebya - gebya.dll (file missing)
    O20 - Winlogon Notify: pmkhg - pmkhg.dll (file missing)
    O20 - Winlogon Notify: pmnlk - C:\WINDOWS\system32\pmnlk.dll (file missing)



    With nothing open but HijackThis, click "Fix checked".


    Now reboot into Safe Mode by tapping your F8 key upon restart; when the Safe Mode screen appears, select Safe Mode and press Enter.


    Hunt for and delete if present:

    C:\WINDOWS\mfcxg32.exe < file
    C:\DOCUME~1\Brian\LOCALS~1\Temp\3F.tmp.exe < file
    C:\DOCUME~1\Brian\LOCALS~1\Temp\40.tmp.exe < file
    C:\WINDOWS\mssy.exe < file
    C:\Program Files\AWS < folder---only if the free version
    gebya.dll
    pmkhg.dll
    C:\WINDOWS\system32\pmnlk.dll < file


    Now run that clean batch file you created earlier, type in 'Y' a couple of times and press enter at the prompts.

    Then:


    Go to Start > Run and type: CLEANMGR.EXE and hit enter.
    When prompted select the C: drive and click ok.
    Check the boxes for:
    Temporary Internet Files
    Downloaded Program Files
    Recycle Bin
    Temporary Files
    Click OK or Enter


    Reboot and post a new hijackthis log please. Thanks.
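    The selection above follows a few repeatable rules: O2/O3/O20 entries whose DLL is "(file missing)" or "(no file)" are dead hooks left by deleted malware, O4 Run entries that start something from a Temp directory or a random-looking executable dropped straight into C:\WINDOWS are droppers, an O16 DPF entry with no URL is junk, and an O17 NameServer line deserves a manual look because it changes which DNS servers the machine trusts. As an added example (not from the thread, and not HijackThis code), here is that triage written down so it can be run over a pasted log. The sample lines are taken from the log above; the heuristics and their names are this example's own assumptions, not HijackThis terminology, and a hit still needs a human to confirm it before fixing.

```python
r"""Triage a HijackThis 1.99.1 log with the rules a helper applies by hand.

Added example, not from the thread and not HijackThis code. Verdicts:
  "fix"    - entry a helper would tick in HijackThis and fix
  "review" - entry that needs a human decision (DNS servers in O17)
  None     - nothing in these rules objects to it
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied from the log in this thread.
SAMPLE_LOG = r"""O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {035AB507-A454-30C0-7879-F028430BA8A3} - C:\WINDOWS\system32\ipcx.dll (file missing)
O2 - BHO: (no name) - {0E594352-A957-6820-4820-A4904CB77B7B} - (no file)
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [3F.tmp] C:\DOCUME~1\Brian\LOCALS~1\Temp\3F.tmp.exe
O4 - HKLM\..\Run: [mssy.exe] C:\WINDOWS\mssy.exe
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{7106F43A-984C-426E-9449-943C19288BF1}: NameServer = 68.168.96.194,68.168.96.197
O20 - Winlogon Notify: gebya - gebya.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # "O2 - ...", "R1 - ..."
MISSING_RE = re.compile(r"\((?:file missing|no file)\)\s*$")  # dead hook, DLL gone
TEMP_RE = re.compile(r"\\temp\\", re.I)                       # started from a Temp dir
# Executable sitting directly in the Windows directory (not system32) - assumption:
# legitimate Run entries almost never do this, Vundo/Virtumonde droppers often do.
WINDIR_EXE_RE = re.compile(r'^"?[A-Za-z]:\\WINDOWS\\[^\\"]+\.exe"?\s*$', re.I)
EMPTY_DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? -\s*$")  # no URL


def classify(line: str) -> Optional[str]:
    """Return "fix", "review" or None for one HijackThis log line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None                      # header, process list, blank line
    kind, body = m.groups()
    if kind in ("O2", "O3", "O20") and MISSING_RE.search(body):
        return "fix"
    if kind == "O4":
        cmd_m = re.search(r"\]\s*(.*)$", body)      # text after "[name]"
        cmd = cmd_m.group(1) if cmd_m else body
        if TEMP_RE.search(cmd) or WINDIR_EXE_RE.match(cmd):
            return "fix"
    if kind == "O16" and EMPTY_DPF_RE.match(body):
        return "fix"
    if kind == "O17":
        return "review"                  # DNS override: verify against the ISP's servers
    return None


def triage(log_text: str) -> Dict[str, List[str]]:
    """Group the flagged lines of a whole log by verdict."""
    result: Dict[str, List[str]] = {"fix": [], "review": []}
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            result[verdict].append(line.strip())
    return result


if __name__ == "__main__":
    for verdict, lines in triage(SAMPLE_LOG).items():
        for entry in lines:
            print(f"{verdict:6s} {entry}")
```

    The rules deliberately do not flag an entry just because its name looks odd; the "(file missing)" test and the Temp-directory test are the two signals that are reliable from the log text alone. The O17 line is only reported, because a NameServer set to the ISP's real resolvers is normal and only a helper who knows the ISP can tell.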

  7. #7
    kduff is offline Newbie
    I did everything suggested and it does look a lot smaller now!
    Thanks

    Logfile of HijackThis v1.99.1
    Scan saved at 2:33:48 PM, on 12/30/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\program files\steam\steam.exe
    C:\PROGRA~1\SPYWAR~1\swdoctor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Brian\Desktop\hijackthis.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\dumprep.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/nets...l/gtdownls.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7106F43A-984C-426E-9449-943C19288BF1}: NameServer = 68.168.96.194,68.168.96.197
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

  8. #8
    Neal is offline Dedicated Member
    Log looks good, great job.


    Go here to learn how to clear your Java cache.

    http://www.java.com/en/download/help/5000020300.xml


    If everything is ok we can send you on your way with some free prevention tools to keep you a lot safer while on the net.

  9. #9
    kduff is offline Newbie
    Got it

  10. #10
    Neal is offline Dedicated Member
    Okey dokey





    If you are no longer having any more trouble, here are some preventive measures for you.

    Here are some preventive measures you can take to keep your computer from getting infected again. Also keep all these and Ad-Aware SE and Spybot S&D updated.

    http://forums.thatcomputerguy.us/ind...showtopic=1190

    Flush your restore points in ME and XP, by turning System Restore off and then back on.
    This will create a fresh restore point.

    Explained here:
    Windows XP: service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

    Microsoft ME:

    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam


    RegProtect

    This small registry protection tool will save you hours of heartache by notifying you when some program, good or bad, is trying to access your registry.

    You have the option of allowing (good) items or blocking (bad) items.

    http://www.diamondcs.com.au/index.php?page=regprot


    To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:

    1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser.
    http://v5.windowsupdate.microsoft.co....aspx?ln=en-us

    http://www.microsoft.com/windows/ie/default.asp


    2. Run your antivirus software regularly, and keep its definitions up to date. If you are thinking about switching, there are some good free antivirus programs that are decent, including AVG and Avast!.
    AVG: http://free.grisoft.com/doc/1

    Avast: http://www.avast.com/eng/avast_4_home.html


    3. In addition to using Ad-Aware, consider using another free malware scanning/removal program:
    MS Antispyware beta: http://www.microsoft.com/athome/secu...e/default.mspx


    4. Consider using a free firewall if you are not already using one. Some good free ones are:
    Kerio
    http://www.sunbelt-software.com/Kerio.cfm

    OutPost Personal Firewall:
    Outpost



    5. Consider using an alternate free browser for general web surfing but you must use IE for windows update.
    Mozilla Firefox: www.mozilla.org/products/firefox/


    6. Consider increasing your browser security by using these programs:
    SpywareGuard will protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
    SpywareBlaster will increase browser protection by blocking Thousands of known malware sites by adding them to IE's restricted sites zone. Download it here:

    http://www.javacoolsoftware.com/spywareblaster.html


    If you use SpywareBlaster, you can also use a custom block list to add even more entries into IE's Restricted sites zone. Go to this site for the current list and how-to-use instructions: http://customblockinglist.cjb.net/


    IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
    https://netfiles.uiuc.edu/ehowes/www/resource.htm


    *Remember, just like your primary anti-virus software, it is important to keep all of these programs up to date and use them on a regular basis. It's free.
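    What SpywareBlaster, the custom block list and IE-SPYAD all do under the hood is write domain names into IE's zone map so that those sites land in the Restricted sites zone (zone 4), where scripting and ActiveX are off. As an added example (not from the thread, and not those tools' code), here is a generator for a .reg file that does the same thing for a list of your own, plus the matching undo file. The registry layout is the standard one under Internet Settings\ZoneMap\Domains; the domain names in BLOCKED are constructed placeholders, not a real block list.

```python
r"""Generate .reg files that add domains to (or remove them from) IE's Restricted sites zone.

Added example, not from the thread and not SpywareBlaster/IE-SPYAD code. Each domain
becomes a key under ...\Internet Settings\ZoneMap\Domains\<domain> holding a DWORD value
named "*" (meaning every scheme) set to the zone number; 4 is Restricted sites.
"""
import re
from typing import Iterable, List

ZONE_RESTRICTED = 4   # IE zones: 0 My Computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted
DOMAINS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]+(\.[a-z0-9-]+)+$")   # bare domain, no scheme or path

# Constructed placeholder list; a real list comes from IE-SPYAD or the custom block list.
BLOCKED = ["tracker.test", "Bad-Ads.test", "bad-ads.test"]


def normalise(domains: Iterable[str]) -> List[str]:
    """Lower-case, validate and de-duplicate the input so the .reg file is deterministic."""
    seen = set()
    for d in domains:
        d = d.strip().lower()
        if not DOMAIN_RE.match(d):
            raise ValueError(f"not a bare domain name: {d!r}")
        seen.add(d)
    return sorted(seen)


def reg_for_domains(domains: Iterable[str], hive: str = "HKEY_CURRENT_USER",
                    zone: int = ZONE_RESTRICTED) -> str:
    """Text of a .reg file that places the domains in the given zone for one user."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for d in normalise(domains):
        lines.append(f"[{hive}\\{DOMAINS_KEY}\\{d}]")
        lines.append(f'"*"=dword:{zone:08x}')
        lines.append("")
    return "\r\n".join(lines)


def reg_undo_for_domains(domains: Iterable[str], hive: str = "HKEY_CURRENT_USER") -> str:
    """Text of a .reg file that deletes the same keys again (leading '-' removes a key)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for d in normalise(domains):
        lines.append(f"[-{hive}\\{DOMAINS_KEY}\\{d}]")
        lines.append("")
    return "\r\n".join(lines)


def write_reg(path: str, text: str) -> None:
    """Regedit 5.00 files are UTF-16LE with a BOM; Python's "utf-16" adds the BOM."""
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(text)


if __name__ == "__main__":
    print(reg_for_domains(BLOCKED))
    print(reg_undo_for_domains(BLOCKED))
```

    Use HKEY_LOCAL_MACHINE as the hive to apply the zone map to every account on the machine instead of just the current user. Keeping the undo file next to the block list matters, because a zone-map entry that blocks a site you later need is hard to spot by hand among thousands of keys.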

