Hello, I have been trying for three days to root out this [bleep] problem. Winfixer 2000 keeps coming up on my screen. i have disabled ms messenger services,
ran mundo spyware removal progs. Man, I would love it if someone could help me out. A BIG THANKS IN ADVANCE!!!!

my log

Logfile of HijackThis v1.99.1
Scan saved at 7:31:51 PM, on 9/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\SpyCatcher\DeleteSvc.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\eMule\emule.exe
C:\Documents and Settings\Dan\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.redflagdeals.com/forums/forumdisplay.php?f=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redflagdeals.com/forums/forumdisplay.php?f=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: http://www.winantispyware.com/pages/scanne...y&ex=1&p=1&ax=2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\sstqn.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher\SpyCatcher.exe" reminder
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Advanced Email Extractor - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scan link with AEE - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/link.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{C52587BE-BC8E-4225-A829-B8FBF35D6749}: NameServer = 64.59.135.133,64.59.135.135
O20 - Winlogon Notify: sstqn - C:\WINDOWS\System32\sstqn.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Tenebril Inc. - C:\Program Files\SpyCatcher\DeleteSvc.exe

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to extract the files
• This will create a VundoFix folder on your desktop.
• After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
• Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
• You will first be presented with a warning and a list of forums to seek help at.
  it should look like this
  
  QUOTE
  VundoFix V2.1 by Atri
  By pressing enter you agree that you are using this at your own risk
  Please seek assistance at one of the following forums:
  http://www.atribune.org/forums
  http://www.247fixes.com/forums
  http://www.geekstogo.com/forum
  http://forums.net-integration.net
  
  
  
• At this point press enter one time.
  
• Next you will see:
  
  QUOTE
  Type in the filepath as instructed by the forum staff
  Then Press Enter, Then F6, Then Enter Again to continue with the fix.
  
  
• At this point please type the following file path (make sure to enter it exactly as below!):
  C:\WINDOWS\System32\sstqn.dll
  
  
  
• Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  
• Next you will see:
  
  QUOTE
  Please type in the second filepath as instructed by the forum staff
  Then Press Enter, Then F6, Then Enter Again to continue with the fix.
• At this point please type the following file path (make sure to enter it exactly as below!):
  C:\WINDOWS\System32\nqtss.*
• Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  
• The fix will run then HijackThis will open.
• In HiJackThis, please place a check next to the following items and click FIX CHECKED:
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
  O1 - Hosts: http://www.winantispyware.com/pages/scanne...y&ex=1&p=1&ax=2
  O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\sstqn.dll
  O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
  O20 - Winlogon Notify: sstqn - C:\WINDOWS\System32\sstqn.dll
• After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
• Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
• Once your machine reboots please continue with the instructions below.

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Awesome. Thanks very much for the quick response. I am currently at the stage of running the active scan. I will post my results.

I VERY MUCH appreciate your time and knowledge.

Thanks for helping and I will post asap.

cheers

Well, here are the results. Thanks for taking time to help me out.



scan results from active scan


Incident Status Location

Hacktool:Hacktool/HideItX No disinfected C:\Win32\dll\Win32k.exe
Adware:adware/transponder No disinfected C:\WINDOWS\LastGood\INF\Pynix.inf

/////////////////////////////////////////////////////////////////////////////////////

Hijack this log after scan was completed:

Logfile of HijackThis v1.99.1
Scan saved at 7:12:40 PM, on 9/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpyCatcher\DeleteSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Program Files\CleanUp!\Cleanup.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Dan\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.redflagdeals.com/forums/forumdisplay.php?f=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redflagdeals.com/forums/forumdisplay.php?f=9
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\jkkjh.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher\SpyCatcher.exe" reminder
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Advanced Email Extractor - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scan link with AEE - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/link.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C52587BE-BC8E-4225-A829-B8FBF35D6749}: NameServer = 64.59.135.133,64.59.135.135
O20 - Winlogon Notify: jkkjh - C:\WINDOWS\SYSTEM32\jkkjh.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Tenebril Inc. - C:\Program Files\SpyCatcher\DeleteSvc.exe

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to extract the files
• This will create a VundoFix folder on your desktop.
• After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
• Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
• You will first be presented with a warning and a list of forums to seek help at.
  it should look like this
  
  QUOTE
  VundoFix V2.1 by Atri
  By pressing enter you agree that you are using this at your own risk
  Please seek assistance at one of the following forums:
  http://www.atribune.org/forums
  http://www.247fixes.com/forums
  http://www.geekstogo.com/forum
  http://forums.net-integration.net
  
  
  
• At this point press enter one time.
  
• Next you will see:
  
  QUOTE
  Type in the filepath as instructed by the forum staff
  Then Press Enter, Then F6, Then Enter Again to continue with the fix.
  
  
• At this point please type the following file path (make sure to enter it exactly as below!):
  C:\WINDOWS\System32\jkkjh.dll
  
  
  
• Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  
• Next you will see:
  
  QUOTE
  Please type in the second filepath as instructed by the forum staff
  Then Press Enter, Then F6, Then Enter Again to continue with the fix.
• At this point please type the following file path (make sure to enter it exactly as below!):
  C:\WINDOWS\System32\hjkkj.*
• Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  
• The fix will run then HijackThis will open.
• In HiJackThis, please place a check next to the following items and click FIX CHECKED:
  O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\jkkjh.dll
  O20 - Winlogon Notify: jkkjh - C:\WINDOWS\SYSTEM32\jkkjh.dll
• After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
• Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
• Once your machine reboots please continue with the instructions below.

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Finished the scan, here are the results.

THANKS IN ADVANCE!

Active Scan Log:


Incident Status Location

Hacktool:Hacktool/HideItX No disinfected C:\Win32\dll\Win32k.exe
Adware:adware/transponder No disinfected C:\WINDOWS\LastGood\INF\Pynix.inf
=================================================
Hijack this log


Logfile of HijackThis v1.99.1
Scan saved at 8:49:16 AM, on 9/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpyCatcher\DeleteSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Dan\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.redflagdeals.com/forums/forumdisplay.php?f=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redflagdeals.com/forums/forumdisplay.php?f=9
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\ddcya.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher\SpyCatcher.exe" reminder
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Advanced Email Extractor - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scan link with AEE - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/link.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C52587BE-BC8E-4225-A829-B8FBF35D6749}: NameServer = 64.59.135.133,64.59.135.135
O20 - Winlogon Notify: ddcya - C:\WINDOWS\System32\ddcya.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Tenebril Inc. - C:\Program Files\SpyCatcher\DeleteSvc.exe

Can you send the file C:\WINDOWS\System32\ddcya.dll to submit@atribune.org in an attachment please.

Also do the same with C:\WINDOWS\System32\jkkjh.dll if found.

email sent.
thanks

Ok got the file thanks.

Post a new Hijackthis log here in a reply its been a few hours things might have changed.

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.