What do I delete??? (hijackthis vs. Ads234) :?
Hello, I have that Ads 234 issue that a lot of people seem to have.
I was wondering if I could get any help with that. The following is the log I have from HijackThis, thanks.
Logfile of HijackThis v1.98.2
Scan saved at 1:58:12 PM, on 12/08/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\DkLog.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\System32\dkcktkn.exe
C:\WINNT\etlisrv.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Datakey\Crypt32\DkAutoReg.exe
C:\Program Files\Datakey\Crypt32\DkMonitor.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\tdistemp\LB.exe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\temp\msbb.exe
C:\WINNT\system32\etlitr50.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\loader.exe
C:\TDISTemp\setup.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SecBarOpenNet.exe
C:\WINNT\notepad.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Documents and Settings\rodriguezja.PPTCGDOM1.002\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cstwebsrv2.irm.state.gov:8765
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.state.gov
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.state.gov
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Department of State - (Ver 3.0)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://msie.irm.state.gov/version3.0/ins/win32/en/install.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=127.0.0.1:1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\rodriguezja.PPTCGDOM1.002\Local Settings\Temp\OELs2voG.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DkAutoReg.exe] C:\Program Files\Datakey\Crypt32\DkAutoReg.exe
O4 - HKLM\..\Run: [DkMonitor.exe] C:\Program Files\Datakey\Crypt32\DkMonitor.exe
O4 - HKLM\..\Run: [DkStartup] C:\Program Files\Datakey\Crypt32\DkStartup.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [*keybak] C:\WINNT\addins\keybak.exe
O4 - HKLM\..\Run: [LB.exe] C:\tdistemp\LB.exe
O4 - HKLM\..\Run: [yrqdutgj] C:\WINNT\yrqdutgj.exe
O4 - HKLM\..\Run: [*asad] C:\WINNT\Config\asad.exe
O4 - HKLM\..\Run: [*libac] C:\WINNT\inf\libac.exe
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [vovuz] C:\WINNT\vovuz.exe
O4 - HKLM\..\Run: [nypqf] C:\WINNT\nypqf.exe
O4 - HKLM\..\Run: [rubypyh] C:\WINNT\rubypyh.exe
O4 - HKLM\..\RunOnce: [Register OCX] regsvr32.exe /s msdxm.ocx
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O4 - Global Startup: Entrust.lnk = C:\WINNT\system32\etlitr50.exe
O4 - Global Startup: loader.exe
O4 - Global Startup: SecBarOpenNet.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4C5A37DE-9359-11D6-B4FD-00A0C9FB7A5C} (Project1.BillTest) - http://tdisinquiry.ca.state.gov/Security/NetSecOCX.CAB
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\system32\msehek.dll
Comments
http://cwshredder.net/bin/CWSInstall.exe
Run it, make sure to click Fix and not Scan.
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\rodriguezja.PPTCGDOM1.002\Local Settings\Temp\OELs2voG.dll
O4 - HKLM\..\Run: [LB.exe] C:\tdistemp\LB.exe
O4 - HKLM\..\Run: [yrqdutgj] C:\WINNT\yrqdutgj.exe
O4 - HKLM\..\Run: [*asad] C:\WINNT\Config\asad.exe
O4 - HKLM\..\Run: [*libac] C:\WINNT\inf\libac.exe
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [vovuz] C:\WINNT\vovuz.exe
O4 - HKLM\..\Run: [nypqf] C:\WINNT\nypqf.exe
O4 - HKLM\..\Run: [rubypyh] C:\WINNT\rubypyh.exe
O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O4 - Global Startup: loader.exe
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\system32\msehek.dll
Remove these unless you or an administrator put them in place.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Boot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. To get back to normal mode just restart the computer as you normally would.
Show hidden files
http://www.short-media.com/forum/showpost.php?p=172588&postcount=3
Please delete these files using Windows Explorer (if present):
C:\WINNT\system32\msehek.dll
C:\tdistemp\LB.exe
C:\WINNT\yrqdutgj.exe
C:\WINNT\Config\asad.exe
C:\WINNT\inf\libac.exe
C:\WINNT\vovuz.exe
C:\WINNT\nypqf.exe
C:\WINNT\rubypyh.exe
C:\WINNT\system32\msmc.exe
C:\loader.exe
Delete everything found inside of this folder.
C:\temp
Double-click My Computer (WinXP: navigate to Start ---> My Computer).
You will see an icon representing your hard drive (most likely the C: drive). Right-click on the hard drive icon and click Properties at the bottom of the fly-out window. On the very first tab (General) you will see a button labeled "Disk Cleanup"... click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.
Reboot into normal mode.
Get an online virus scan here.
http://housecall.trendmicro.com/
Post a new HijackThis log.
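
An added example, not part of the original thread: a check that reconciles the entries marked for Fix Checked against the files and folders the reply then lists for deletion, reporting how each fixed entry's target file is accounted for. The function names and status labels are assumptions of this example; the sample lines are a subset copied from the thread.

```python
import re
from ntpath import basename, dirname, normcase

# Sample input: a subset of lines copied from the log and the reply on this page.
FIX_CHECKED = r"""
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\rodriguezja.PPTCGDOM1.002\Local Settings\Temp\OELs2voG.dll
O4 - HKLM\..\Run: [LB.exe] C:\tdistemp\LB.exe
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O4 - Global Startup: loader.exe
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\system32\msehek.dll
""".strip().splitlines()
DELETE_FILES = [r"C:\WINNT\system32\msehek.dll", r"C:\tdistemp\LB.exe",
                r"C:\WINNT\system32\msmc.exe", r"C:\loader.exe"]
EMPTIED_FOLDERS = [r"C:\temp"]

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)\b', re.IGNORECASE)

def parse_entry(line):
    """Split a HijackThis line into its section code and the file it points to."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    found = WIN_PATH.search(body)
    if found:
        target = found.group(0)
    elif "Startup:" in body:  # Startup-folder items are logged by file name only
        target = body.split("Startup:", 1)[1].split("=")[0].strip()
    else:
        target = None
    return m.group("code"), target

def cleanup_status(target):
    """Say how the cleanup lists account for the file behind a fixed entry."""
    if "\\" not in target:  # no directory in the log, so only the name can be compared
        names = {normcase(basename(f)) for f in DELETE_FILES}
        return "name-only match" if normcase(target) in names else "unlisted"
    if normcase(target) in {normcase(f) for f in DELETE_FILES}:
        return "delete list"
    if normcase(dirname(target)) in {normcase(d) for d in EMPTIED_FOLDERS}:
        return "emptied folder"
    return "unlisted"

def reconcile(lines=FIX_CHECKED):
    """Map each fixed entry's file name to (section code, cleanup status)."""
    parsed = [p for p in map(parse_entry, lines) if p and p[1]]
    return {basename(t): (code, cleanup_status(t)) for code, t in parsed}

if __name__ == "__main__":
    for name, (code, status) in reconcile().items():
        print(f"{code:<4}{name:<16}{status}")
```

Entries reported as "unlisted" or "name-only match" are the ones to look for by hand in Explorer before posting the follow-up log.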