My HijackThis log



#1
densomi

Logfile of HijackThis v1.99.1
Scan saved at 2:43:59, on 13/10/2548
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\taskswitch.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\carpserv.exe
D:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
D:\Program Files\WS_FTP Pro\ftpqueue.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\AppServ\Apache\Apache.exe
D:\Program Files\WS_FTP Pro\ftpsched.exe
D:\AppServ\mysql\bin\mysqld-nt.exe
D:\AppServ\Apache\Apache.exe
D:\WINDOWS\system32\PDFCreatorMessages.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\ntvdm.exe
D:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.50.166.12 www.go.com
O1 - Hosts: 69.50.166.12 go.com
O1 - Hosts: 69.50.166.13 astalavista.com
O1 - Hosts: 69.50.166.13 www.astalavista.com
O1 - Hosts: 69.50.166.13 astalavista.box.sk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - D:\WINDOWS\system32\pmnnk.dll
O2 - BHO: Bho - {EFDAC3FE-F44A-4030-8589-1E23BC6573D5} - D:\WINDOWS\system32\qwcxstyi.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CoolSwitch] D:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PDFCreatorClient] D:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ftpqueue] D:\Program Files\WS_FTP Pro\ftpqueue.exe -tray
O4 - HKLM\..\Run: [VaCtrl] D:\Program Files\VoiceAge\Common\VaCtrl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] "D:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [MPLAB_SVHelper] E:\hi-tech PIC C\SVHelper\SVHelper.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googl...en/preview.html
O8 - Extra context menu item: ส่&งออกไปยัง Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2091EE9-B0BF-4575-A4BE-43A7ECEE7B7B}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: pmnnk - D:\WINDOWS\system32\pmnnk.dll
O23 - Service: Apache - Unknown owner - D:\AppServ\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - D:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - D:\AppServ\mysql\bin\mysqld-nt.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - D:\WINDOWS\system32\PDFCreatorMessages.exe

#2
g2i2r4

Welcome densomi to Geeks to Go!

You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder.

***

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
Reverse the process when you’ve carried out the advice.

***

Please print these instructions out for use in Safe Mode.
Please note: your AntiVirus program may prompt you about a malicious program running. Allow the entire script to run.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    It should look like this:

    VundoFix V2.1 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    This list of forums is provided as an example of where to go to obtain help!!
    http://www.atribune.org/forums
    http://www.247fixes.com/forums
    http://www.geekstogo.com/forum
    http://forums.net-in...ntegration.net
    http://castlecops.co...om/forums.html
    http://www.besttechie.net/forums
    Press enter to continue....


  • At this point press enter one time.

  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.


  • At this point please type the following file path (make sure to enter it exactly as below!):
    • D:\WINDOWS\system32\pmnnk.dll

  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • D:\WINDOWS\system32\knnmp.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:

    R3 - Default URLSearchHook is missing

    O1 - Hosts: 69.50.166.12 www.go.com
    O1 - Hosts: 69.50.166.12 go.com
    O1 - Hosts: 69.50.166.13 astalavista.com
    O1 - Hosts: 69.50.166.13 www.astalavista.com
    O1 - Hosts: 69.50.166.13 astalavista.box.sk

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - D:\WINDOWS\system32\pmnnk.dll

    O2 - BHO: Bho - {EFDAC3FE-F44A-4030-8589-1E23BC6573D5} - D:\WINDOWS\system32\qwcxstyi.dll

    O20 - Winlogon Notify: pmnnk - D:\WINDOWS\system32\pmnnk.dll
  • After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
***

Download and install Cleanup from here (Alternate site if the above is not working, go Here)

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

***

Download the Hoster Here

Unzip Hoster to your desktop

Open up the Hoster program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • Then click Restore original host files
  • Close the program
***

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

Edited by g2i2r4, 13 October 2005 - 01:42 PM.
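
The following is an added example, not part of either post and not code from HijackThis or VundoFix. It parses HijackThis lines copied from the log above and surfaces the two patterns the reply acts on: hosts-file (O1) entries pinning names to an IP, and a DLL registered both as a BHO (O2) and as a Winlogon Notify package (O20). The function names are this example's own, and the reversed-name companion pattern is an assumption inferred only from the two file paths given in the reply.

```python
import ntpath
import re
from collections import defaultdict

# Lines copied from the HijackThis log in post #1 (a subset, used as sample input).
SAMPLE_LOG = r"""
O1 - Hosts: 69.50.166.12 www.go.com
O1 - Hosts: 69.50.166.13 astalavista.com
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - D:\WINDOWS\system32\pmnnk.dll
O2 - BHO: Bho - {EFDAC3FE-F44A-4030-8589-1E23BC6573D5} - D:\WINDOWS\system32\qwcxstyi.dll
O4 - HKLM\..\Run: [CoolSwitch] D:\WINDOWS\system32\taskswitch.exe
O20 - Winlogon Notify: pmnnk - D:\WINDOWS\system32\pmnnk.dll
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")

def parse_entries(log):
    """Return (section, detail) pairs, e.g. ('O1', 'Hosts: 69.50.166.12 www.go.com')."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def hosts_redirects(entries):
    """Group O1 hosts-file entries by the IP address the names are pinned to."""
    by_ip = defaultdict(list)
    for section, detail in entries:
        m = re.match(r"Hosts: (\S+)\s+(\S+)", detail)
        if section == "O1" and m:
            by_ip[m.group(1)].append(m.group(2))
    return dict(by_ip)

def _dll_path(detail):
    # The file path is the last " - " separated field; drop "(file missing)".
    return detail.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip().lower()

def bho_and_notify(entries):
    """DLLs loaded both as an IE BHO (O2) and as a Winlogon Notify package (O20)."""
    bho = {_dll_path(d) for s, d in entries if s == "O2"}
    notify = {_dll_path(d) for s, d in entries if s == "O20"}
    return sorted(bho & notify)

def reversed_companion(path):
    """Assumption from the reply's two paths: same folder, base name reversed."""
    folder, name = ntpath.split(path)
    stem = ntpath.splitext(name)[0]
    return ntpath.join(folder, stem[::-1] + ".*")

if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print(hosts_redirects(entries))
    print([(d, reversed_companion(d)) for d in bho_and_notify(entries)])
```

A DLL that shows up in both O2 and O20 is worth checking first, because a Winlogon Notify package is loaded at logon regardless of whether the browser is ever opened.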
