Help - Please!



spowers
2008-07-01, 07:04
Not sure what is causing it - maybe the dreaded V trojan that Spybot said I have, that many people are asking about in this forum - but my computer worked fine until yesterday and now IE is popping up extra windows (ads, of course) and Firefox won't go anywhere and to get any other program to operate, I have to choose it twice. :( I'm sooooo sad.

In browsing through your forum, I have downloaded HijackThis and ran a scan. Also, unfortunately, I've attempted to do lots of clean up on my own (obviously, nothing has worked) including creating a different account on my computer hoping that it was a user problem. Maybe that was naive, but I'm desperate - just about ready to throw this one out and get a new one.

On a side note, has anyone ever brought a class action against the people who advertise through malware? If not the creator, these people are obviously benefiting from it - sounds like a perfect lawsuit since I've spent now 9 hours attempting to clean my system and other people obviously have had much frustration also.

Anyway, any help is soooo much appreciated!

spowers
2008-07-01, 07:56
Situation has changed - I attempted a restore to this morning :( Didn't work. So now, after downloading Hijackthis & Spybot again, I haven't touched anything. Hopefully someone will have the time to help.

Thx,

Stephanie

spowers
2008-07-01, 17:07
OK, I'm sorry for doing this without being instructed first but I'm getting desperate... here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:59 PM, on 30/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\TELUS\TELUS Security service\Freedom.exe
C:\windows\system32\rwwnw64d.exe
C:\WINDOWS\system32\tcntaxdm.exe
C:\WINDOWS\mrofinu572.exe
C:\DOCUME~1\STEPHA~1\MYDOCU~1\FNTS~1\ati2evxx.exe
C:\Documents and Settings\Stephanie\My Documents\??crosoft\w?wexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: {b000a495-743e-356b-8c94-c5e04a32e9e5} - {5e9e23a4-0e5c-49c8-b653-e347594a000b} - C:\WINDOWS\system32\rakuqc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9A65D301-26C9-4D91-B7CF-76C7A911A06F} - C:\WINDOWS\system32\qoMfefeB.dll
O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\nnnnOHYq.dll
O2 - BHO: (no name) - {AD33CF4C-20D5-7A27-AE38-7CA2E2EB1AE3} - C:\WINDOWS\system32\mlul.dll
O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [{49-91-1E-E2-DW}] C:\windows\system32\rwwnw64d.exe DWram1
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\tcntaxdm.exe DWram1
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [BMff77a2d1] Rundll32.exe "C:\WINDOWS\system32\gpirttan.dll",s
O4 - HKLM\..\Run: [fc44914d] rundll32.exe "C:\WINDOWS\system32\uakayeje.dll",b
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\STEPHA~1\MYDOCU~1\FNTS~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Tlqqhpf] "C:\Documents and Settings\Stephanie\My Documents\??crosoft\w?wexec.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdm.exe
O4 - Startup: DesktopX.exe.lnk = C:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_games/playfirst/trijinx/TriJinx.1.0.0.55.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-zenerchi/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/ct.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v10_en.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: nnnnOHYq - C:\WINDOWS\SYSTEM32\nnnnOHYq.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

--
End of file - 8148 bytes


Next I'm going to download ComboFix to my desktop.
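A small triage script, added here as an example (not code from Safer Networking, HijackThis or ComboFix), that parses the HJT line formats seen in the log above and flags the kinds of entries the helper later asked to have fixed: O2 BHOs with no name or a missing DLL, O4 Run values with random-looking names, user-profile targets or rundll32-loaded DLLs, every O15 Trusted Zone host, and O20 Winlogon Notify DLLs. The heuristics are assumptions modelled on this thread, not HJT's own rules, and the sample is constructed from lines in the posted log.

```python
"""Triage helper for HijackThis (HJT) v2 log lines.

Added example for this thread; not code from Safer Networking, HJT or
ComboFix. The heuristics below are assumptions modelled on the entries
the helper in this thread had fixed, not HJT's own logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str  # HJT section tag, e.g. "O4"
    reason: str   # why the line deserves a closer look
    line: str     # the original log line


# One regex per HJT section this example triages.
LINE_RE = re.compile(r"^(?P<tag>[A-Z]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<lnk>.*?) = (?P<target>.*)$")
ZONE_RE = re.compile(r"^Trusted Zone: (?P<host>\S+)(?P<hklm> \(HKLM\))?$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Assumed heuristics: autostarts named like random hex or a GUID, launched
# from inside a user profile, or loaded via rundll32 match this thread's pattern.
USER_PROFILE_RE = re.compile(r"documents and settings|docume~1", re.IGNORECASE)
HEXISH_NAME_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$|^\{[0-9A-Za-z-]+\}$")
RUNDLL_RE = re.compile(r"(?:^|\\)rundll32(?:\.exe)?\s", re.IGNORECASE)

# Constructed sample made of lines in the shape of the HJT log posted above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9A65D301-26C9-4D91-B7CF-76C7A911A06F} - C:\WINDOWS\system32\qoMfefeB.dll
O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [fc44914d] rundll32.exe "C:\WINDOWS\system32\uakayeje.dll",b
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\STEPHA~1\MYDOCU~1\FNTS~1\ati2evxx.exe" -vt yazb
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Startup: DesktopX.exe.lnk = C:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX.exe
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O20 - Winlogon Notify: nnnnOHYq - C:\WINDOWS\SYSTEM32\nnnnOHYq.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches a review heuristic."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, process list and blank lines are skipped
        tag, body = m["tag"], m["body"]
        reason = None
        if tag == "O2":
            b = BHO_RE.match(body)
            if b and (b["name"] == "(no name)" or b["path"].endswith("(file missing)")):
                reason = "BHO with no name or a missing DLL"
        elif tag == "O4":
            r = RUN_RE.match(body)
            s = STARTUP_RE.match(body)
            target = r["cmd"] if r else (s["target"] if s else "")
            if r and HEXISH_NAME_RE.match(r["name"]):
                reason = "Run value named like random hex or a GUID"
            elif USER_PROFILE_RE.search(target):
                reason = "autostart target lives inside a user profile"
            elif RUNDLL_RE.search(target):
                reason = "DLL loaded through rundll32 at logon"
        elif tag == "O15":
            if ZONE_RE.match(body):
                reason = "IE Trusted Zone host, verify each one"
        elif tag == "O20":
            if NOTIFY_RE.match(body):
                reason = "Winlogon Notify DLL, verify the file"
        if reason:
            findings.append(Finding(tag, reason, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HJT section."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```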

pskelley
2008-07-04, 01:51
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count. The same applies to bumping, please don't.
You are infected; I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

spowers
2008-07-04, 06:29
First, thank you, thank you for starting to work with me.

I deleted my old copy of CF and downloaded as you said. I ran it but it stalled. (did not click) So right now, I've got my laptop hooked to the net now instead of my infected computer (laptop is generally never connected) so I can communicate this to you, in case there's any reply (as in, giving me crap for what I'm about to do next). I closed CF and rebooted my system and will now run CF again.

Second - I love Link :)

Hopefully I'll have a couple logs to post soon.

Stephanie

spowers
2008-07-04, 06:37
It stalled again - again, didn't click it - it finished Stage 43 then the next line is

C:\ComboFix\DirRoot

and this is where it's stalled.

Any suggestions as to why it's stalling or what I should do next?

spowers
2008-07-04, 07:25
Yay! It worked:

ComboFix 08-07-03.1 - Stephanie 2008-07-03 22:50:44.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.721 [GMT -6:00]
Running from: C:\Documents and Settings\Stephanie\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\alog.txt
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\help.txt
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.

2008-07-03 07:01 . 2008-07-03 07:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-07-03 07:00 . 2004-08-04 06:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-07-03 06:32 . 2006-05-05 03:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-07-01 11:29 . 2008-07-01 11:59 63,918 --a------ C:\WINDOWS\system32\{4d3a7b9f-06fb-d8ad-ed9c-b83042e1c13b}.dll-uninst.exe
2008-07-01 08:28 . 2008-07-01 08:28 49,179 --a------ C:\WINDOWS\system32\rswnw64k.exe
2008-06-30 22:49 . 2008-06-30 22:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 22:12 . 2008-06-30 22:12 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-30 22:12 . 2008-06-30 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-30 21:17 . 2008-06-30 21:17 <DIR> d-------- C:\Documents and Settings\Internet Only\Application Data\TELUS
2008-06-30 21:17 . 2008-06-30 23:37 <DIR> d---s---- C:\Documents and Settings\Internet Only
2008-06-30 18:30 . 2006-06-01 12:47 163,840 -----c--- C:\WINDOWS\system32\dllcache\jgdw400.dll
2008-06-30 18:30 . 2006-06-01 12:47 27,648 -----c--- C:\WINDOWS\system32\dllcache\jgpl400.dll
2008-06-30 18:29 . 2006-03-16 18:38 28,672 --a------ C:\WINDOWS\system32\verclsid.exe
2008-06-30 18:27 . 2008-06-13 07:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-30 18:27 . 2008-06-13 07:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-30 18:18 . 2008-07-03 07:10 <DIR> d-------- C:\WINDOWS\$hf_mig$
2008-06-30 16:34 . 2008-07-03 21:31 110,446 --a------ C:\WINDOWS\BMff77a2d1.xml
2008-06-30 07:38 . 2008-06-30 07:38 <DIR> d-------- C:\WINDOWS\system32\modtrux01
2008-06-30 07:38 . 2008-06-30 07:38 <DIR> d-------- C:\WINDOWS\system32\crp
2008-06-30 07:38 . 2008-06-30 07:38 <DIR> d-------- C:\WINDOWS\system32\area
2008-06-30 07:38 . 2008-06-30 07:38 <DIR> d-------- C:\Temp\syschk3
2008-06-30 07:38 . 2008-07-03 21:39 <DIR> d-------- C:\Temp
2008-06-30 07:38 . 2008-06-30 07:38 41,984 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-06-30 07:38 . 2008-06-30 07:39 41,984 --a------ C:\WINDOWS\mrofinu572.exe
2008-06-30 07:38 . 2008-06-30 07:38 41,984 --a------ C:\WINDOWS\mrofinu1000106.exe
2008-06-30 07:38 . 2008-06-30 07:39 41,723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-06-10 16:53 . 2008-06-10 16:53 <DIR> d-------- C:\Program Files\Seagate Software
2008-06-10 16:52 . 2008-06-10 16:55 <DIR> d-------- C:\Program Files\Winsim

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 23:31 --------- d-----w C:\Program Files\Common Files\Command Software
2008-07-01 05:54 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-01 05:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-26 01:28 --------- d-----w C:\Program Files\World of Warcraft
2008-06-10 22:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-27 13:31 371,200 ----a-w C:\WINDOWS\system32\{4d3a7b9f-06fb-d8ad-ed9c-b83042e1c13b}.dll
2008-05-26 13:02 --------- d-----w C:\Documents and Settings\Stephanie\Application Data\LimeWire
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-15 21:52 140,800 --sh--w C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{df624c9d-4eae-3f01-30ee-0fdda8ae2198}]
2008-05-27 07:31 371200 --a------ C:\WINDOWS\system32\{4d3a7b9f-06fb-d8ad-ed9c-b83042e1c13b}.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tlqqhpf"="C:\Documents and Settings\Stephanie\My Documents\??crosoft\w?wexec.exe" [?]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-04-10 10:12 1286160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42 1404928]
"TELUS Security service"="C:\Program Files\TELUS\TELUS Security service\Freedom.exe" [2005-05-19 16:56 180278]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 13:52 339968]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06 40048]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 19:38 987187]
"{4dfea11a-81f2-cbd1-be19-20050acdc783}"="C:\WINDOWS\system32\{4d3a7b9f-06fb-d8ad-ed9c-b83042e1c13b}.dll" [2008-05-27 07:31 371200]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

C:\Documents and Settings\Stephanie\Start Menu\Programs\Startup\
DesktopX.exe.lnk - C:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX.exe [2008-03-30 13:31:38 526104]
DW_Start.lnk - C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir [2008-07-03 22:23:11 49199]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 15:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-03-31 16:25 210168 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.6.6337-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=

S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};C:\WINDOWS\TEMP\288.tmp []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39af7a4d-db42-11db-928e-0013204473e5}]
\Shell\AutoRun\command - F:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-07-04 04:46:25 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2008-07-01 01:28:18 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{16ffc510-d44e-446f-996e-3f925f12c9e3} - C:\WINDOWS\system32\zvekyt.dll
BHO-{7877B4B5-2D70-461B-82CC-32E3D9AFB8B1} - C:\WINDOWS\system32\qoMfefeB.dll
BHO-{9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\nnnnOHYq.dll
BHO-{AD33CF4C-20D5-7A27-AE38-7CA2E2EB1AE3} - C:\WINDOWS\system32\mlul.dll
BHO-{C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi.dll
HKCU-Run-Sen - C:\DOCUME~1\STEPHA~1\MYDOCU~1\FNTS~1\ati2evxx.exe
HKLM-Run-QuickTime Task - C:\Program Files\QuickTime\qttask.exe
HKLM-Run-WinampAgent - C:\Program Files\Winamp\winampa.exe
HKLM-Run-{49-91-1E-E2-DW} - c:\windows\system32\rwwnw64d.exe
HKLM-Run-BMff77a2d1 - C:\WINDOWS\system32\gpirttan.dll
HKLM-Run-fc44914d - C:\WINDOWS\system32\qvedvije.dll
ShellExecuteHooks-{9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\nnnnOHYq.dll
Notify-nnnnOHYq - nnnnOHYq.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-03 23:18:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
"ImagePath"="\??\C:\WINDOWS\TEMP\288.tmp"
.
Completion time: 2008-07-03 23:19:41
ComboFix-quarantined-files.txt 2008-07-04 05:19:24

Pre-Run: 45,468,606,464 bytes free
Post-Run: 53,940,494,336 bytes free

156 --- E O F --- 2008-07-03 13:10:41




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:28 PM, on 03/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: gooochi browser optimizer - {df624c9d-4eae-3f01-30ee-0fdda8ae2198} - C:\WINDOWS\system32\{4d3a7b9f-06fb-d8ad-ed9c-b83042e1c13b}.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [{4dfea11a-81f2-cbd1-be19-20050acdc783}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{4d3a7b9f-06fb-d8ad-ed9c-b83042e1c13b}.dll" DllStart
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [Tlqqhpf] "C:\Documents and Settings\Stephanie\My Documents\??crosoft\w?wexec.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: DesktopX.exe.lnk = C:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX.exe
O4 - Startup: DW_Start.lnk = C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_games/playfirst/trijinx/TriJinx.1.0.0.55.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-zenerchi/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/ct.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v10_en.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

--
End of file - 7568 bytes


Thanks again!

pskelley
2008-07-04, 13:53
Thanks for returning your information, read and follow all directions carefully and in the numbered order.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) C:\WINDOWS\system32\modtrux01 <<< I need to know if this is malware, I believe it is. Use http://virusscan.jotti.org/ to scan that file and post the results.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: gooochi browser optimizer - {df624c9d-4eae-3f01-30ee-0fdda8ae2198} - C:\WINDOWS\system32\{4d3a7b9f-06fb-d8ad-ed9c-b83042e1c13b}.dll
O4 - HKLM\..\Run: [{4dfea11a-81f2-cbd1-be19-20050acdc783}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{4d3a7b9f-06fb-d8ad-ed9c-b83042e1c13b}.dll" DllStart
O4 - HKCU\..\Run: [Tlqqhpf] "C:\Documents and Settings\Stephanie\My Documents\??crosoft\w?wexec.exe"
O4 - Startup: DW_Start.lnk = C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v10_en.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu1000106.exe

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

7) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)

8) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Include the information about the file you scanned and the uninstall list.

Thanks
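
A small triage script for the kind of entries listed in step 4 above, added here as an example; it is not HijackThis's own code and not part of the helper's instructions. The sample lines are copied from the log in this thread; the section list and the four heuristics are this example's own assumptions.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; it is not part of HijackThis, ComboFix or the
helper's instructions above. It encodes four patterns the fix list above
relies on: O15 Trusted Zone entries, DLLs whose file name is a bare GUID,
paths containing characters the log could not render, and startup items
pointing into a ComboFix quarantine folder (QooBox).
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: entries copied from the HJT log in this thread, plus two
# benign ones (SoundMAX, dvpapi) that the rules must leave alone.
SAMPLE_LOG = r"""
O2 - BHO: gooochi browser optimizer - {df624c9d-4eae-3f01-30ee-0fdda8ae2198} - C:\WINDOWS\system32\{4d3a7b9f-06fb-d8ad-ed9c-b83042e1c13b}.dll
O4 - HKLM\..\Run: [{4dfea11a-81f2-cbd1-be19-20050acdc783}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{4d3a7b9f-06fb-d8ad-ed9c-b83042e1c13b}.dll" DllStart
O4 - HKCU\..\Run: [Tlqqhpf] "C:\Documents and Settings\Stephanie\My Documents\??crosoft\w?wexec.exe"
O4 - Startup: DW_Start.lnk = C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v10_en.cab
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
""".strip().splitlines()

# "O15 - Trusted Zone: ..." -> section "O15", body "Trusted Zone: ..."
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2})\s+-\s+(.+)$")
# A DLL whose whole file name is a GUID, e.g. ...\{4d3a7b9f-...}.dll
GUID_DLL_RE = re.compile(
    r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.dll", re.IGNORECASE)
# Sections whose body carries a local file path (subset; an assumption here)
PATH_SECTIONS = ("O2", "O4", "O20", "O21", "O23")

Finding = Tuple[str, str]  # (original log line, reason it was flagged)


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split an HJT entry into (section, body); None for headers/process lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(lines) -> List[Finding]:
    """Return every line that trips one of the heuristics, with the reason.

    A line is reported once per heuristic it matches."""
    findings: List[Finding] = []
    for raw in lines:
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        section, body = parsed
        if section == "O15":
            # Users almost never add Trusted Zone sites themselves; rogue
            # anti-spyware installers do, to bypass IE's security prompts.
            findings.append((raw, "trusted-zone entry: verify every one"))
        if section in PATH_SECTIONS:
            if GUID_DLL_RE.search(body):
                findings.append((raw, "GUID-named DLL: typical of randomly named adware loaders"))
            if "?" in body:
                # HJT prints '?' for characters it cannot render, so this path
                # contains non-ASCII look-alike characters (e.g. ??crosoft).
                findings.append((raw, "path contains characters the log could not render"))
            if "\\QooBox\\Quarantine\\" in body:
                findings.append((raw, "startup item points into a ComboFix quarantine folder"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Paste a full HJT log into SAMPLE_LOG (or read it from a file) and the header and "Running processes" lines are skipped automatically, since they do not parse as entries.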

spowers
2008-07-04, 17:44
1) done

2) modtrux01 is a folder & wouldn't scan. The only file in the folder, modtrux011065.exe, scan results:

File: modtrux011065.exe
Status: INFECTED/MALWARE
MD5: 52571215d112d5136f8627c5e12fb37b
Packers detected: -

Scanner results
Scan taken on 04 Jul 2008 15:36:00 (GMT)
A-Squared Found nothing
AntiVir Found TR/Dldr.VB.eyc.4
ArcaVir Found nothing
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found Downloader.Generic7.TVT
BitDefender Found nothing
ClamAV Found Trojan.Downloader-44265
CPsecure Found nothing
Dr.Web Found Trojan.DownLoader.56730
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.VB.eyc
Fortinet Found W32/Dloader.EYC!tr.dldr
Ikarus Found Trojan-Downloader.Win32.VB.eyc
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.VB.eyc
NOD32 Found a variant of Win32/TrojanDownloader.VB.AW
Norman Virus Control Found W32/DLoader.HWYU
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Win32.VB.eyc

3 - 6) done

7) uninstall manager log <edited>:

Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.0
Adobe Shockwave Player
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
BootSkin
Broadcom Driver Installer
Dell ResourceCD
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Intel(R) 537EP V9x DF PCI Modem
Intel(R) PRO Network Adapters and Drivers
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
KaraFun 1.18
LimeWire 4.14.10
LogonStudio
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.15)
MSXML 4.0 SP2 (KB936181)
Patch-Resource-5.X-Msi
Power CD+G Player Pro
QuickTime
Scrabble Complete
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
<security update for Windows XP deleted>
SimCity 4 Deluxe
Simply Accounting by Sage 2006
SoundMAX
Spybot - Search & Destroy
Stardock Central
TELUS Security & Privacy
<update for Windows XP deleted>
Winamp
WindowBlinds
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
<hotfix results deleted>
WinJammer Shareware 3.0
World of Warcraft

8) mbam log & new HJT log:

Malwarebytes' Anti-Malware 1.19
Database version: 920
Windows 5.1.2600 Service Pack 2

9:28:27 AM 04/07/2008
mbam-log-7-4-2008 (09-28-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 79711
Time elapsed: 17 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{def85c80-216a-43ab-af70-1665edbe2780} (Spyware.Sinowal) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\downloader.downloaderctrl.1 (Adware.2020search) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Stephanie\My Documents\FNTS~1\ati2evxx.exe.vir (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mlul.dll.vir (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pcntstdm.exe.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EF041599-FAEC-4B99-AA13-0802C664D89A}\RP434\A0009313.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EF041599-FAEC-4B99-AA13-0802C664D89A}\RP435\A0009345.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EF041599-FAEC-4B99-AA13-0802C664D89A}\RP435\A0009349.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EF041599-FAEC-4B99-AA13-0802C664D89A}\RP435\A0009350.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EF041599-FAEC-4B99-AA13-0802C664D89A}\RP437\A0010557.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EF041599-FAEC-4B99-AA13-0802C664D89A}\RP439\A0011376.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EF041599-FAEC-4B99-AA13-0802C664D89A}\RP439\A0011377.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EF041599-FAEC-4B99-AA13-0802C664D89A}\RP439\A0011381.dll (Adware.Vapsup) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EF041599-FAEC-4B99-AA13-0802C664D89A}\RP443\A0011929.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EF041599-FAEC-4B99-AA13-0802C664D89A}\RP443\A0011931.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EF041599-FAEC-4B99-AA13-0802C664D89A}\RP443\A0011936.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EF041599-FAEC-4B99-AA13-0802C664D89A}\RP444\A0011948.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EF041599-FAEC-4B99-AA13-0802C664D89A}\RP444\A0011949.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EF041599-FAEC-4B99-AA13-0802C664D89A}\RP445\A0012223.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EF041599-FAEC-4B99-AA13-0802C664D89A}\RP445\A0012224.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rswnw64k.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\area\dragGLL1.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{4d3a7b9f-06fb-d8ad-ed9c-b83042e1c13b}.dll-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{4d3a7b9f-06fb-d8ad-ed9c-b83042e1c13b}.dll (Trojan.Agent) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:30 AM, on 04/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\TELUS\TELUS Security service\Freedom.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: DesktopX.exe.lnk = C:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_games/playfirst/trijinx/TriJinx.1.0.0.55.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-zenerchi/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/ct.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

--
End of file - 6233 bytes


Again, Thank You!!

pskelley
2008-07-04, 18:03
Thanks for returning your information and the feedback.

1) C:\WINDOWS\system32\modtrux01 <<< delete that folder and everything in it.

2) Uninstall list:

Read these directions: http://forums.spybot.info/showpost.php?p=12880&postcount=2
Once you have the newest version installed, uninstall the old versions.
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1

Mozilla Firefox (2.0.0.15) <<< if you use it, I suggest you update, link here:
http://www.mozilla.com/en-US/firefox/all.html

3) http://forums.spybot.info/showthread.php?t=282
http://www.nutnworks.com/SafeHex/file_sharing.htm

4) Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How is the computer running now?

Thanks

spowers
2008-07-04, 19:56
I'm so happy! :)

1) deleted

2) your instructions were contrary to the link you provided - in the link, it said uninstall prior to new installation. I followed your instructions and installed then uninstalled. Regardless, all noted items were uninstalled.

Mozilla updated.

3) read and understood. thank you.

4) done.

My system is running WONDERFULLY! Before this process my CPU usage was near 100% and now it hovers at 0% and 1% with the occasional spike to 15 or 20-ish%.

I can't thank you enough for taking me through all of this. Should I delete all the programs used for this fix? (i.e. combofix, HJT, etc.?) And, lastly, are there any maintenance programs that you would suggest?

Again, I thank you thank you thank you. It is such a relief that I don't have to entirely wipe my system and start over. Having used computers & the internet since the original windows shell and the beginning of the internet, I have wiped many a computer and it is sooooo annoying. My eternal gratitude to you.

Stephanie

pskelley
2008-07-04, 20:15
Thanks for the feedback, I will try to answer all of your security questions before we finish, but this is the next bridge we must cross.

I am sure you saw this:
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif


Thanks...Phil

spowers
2008-07-04, 20:30
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


:)

pskelley
2008-07-04, 21:04
Good job with the RC installation:bigthumb: that tool may come in very handy one day:
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654

Remove combofix from your computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

HijackThis: I have had it on all of my computers for about ten years, here is a tutorial about all it can do for you:
http://www.bleepingcomputer.com/tutorials/tutorial42.html

If your computer is running as it should be, I will leave you with this information. I think all of your questions will be answered; if not, post them and I will do my best to answer them.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

spowers
2008-07-04, 23:09
Dear Phil,

Thank you so much for all of your help. I have read much of the information you have provided (not all yet - there's a lot) and since your last post I:

-downloaded SpywareBlaster and enabled full protection
-updated Spybot and immunized
-enabled Teatimer
-downloaded Comodo Firewall and Comodo Safe Search (my new default search engine) (allowed the registry changes)
-it performed a scan - clean :)
-updated Internet Explorer to v. 7 (a terrifically long process which I should have started with because then it had to go through Comodo and Spybot!)

I attempted to make a donation in your name; however, PayPal was asking for a specification (PIN) that I don't have for my credit card. I will be looking into further options.

It appears I will have a lot to learn so I can make decisions on these new precautions - i.e. PayPal was attempting to access the keyboard directly?? Not knowing if this was just to "autofill", I allowed it, since PayPal is supposed to be a secure system. Then it froze. Could this be why my delete key is not working? After I submit this, I'm going to attempt a re-boot to see if it fixes it - but this is a welcome option to becoming infected again.

Good luck in everything you do, Phil. I thank you for sharing your time and knowledge with me.

Sincerely and with gratitude,

Stephanie :heart:

pskelley
2008-07-04, 23:21
I'll keep this topic open for a couple of days, let me know if you run into any roadblocks:)

spowers
2008-07-05, 18:19
Hi again!

I'm not sure if you would consider this a roadblock but I'm having a problem with my email program now. It won't connect to the server. When I log onto the webmail interface provided by my isp, I can log in just fine and previously when my email program wouldn't connect it was due to the isp server being busy or down.

Do you think this could be caused by the Comodo firewall that I installed? However, once, last night, after signing off windows then signing in again, I was able to connect to my email. Bizarre, hey?

Oh, and the thing with my delete key not working didn't go away - it appears that my delete key doesn't function within IE7 forms. Is this a problem with IE7 that you've heard of before?

These are definitely minor annoyances in comparison to the major infestations people have so just in your own time if you can advise if you've heard of these problems after cleaning the system or protecting the system.

Thanks!

Stephanie

pskelley
2008-07-05, 18:45
Not sure if I can help, I will give you my thoughts.

Comodo firewall: I have not used this one, so I know little about the settings. I suggest you turn the firewall off completely, then see if the problem goes away. That will tell you if the firewall settings are at fault.

You should be able to get free help here: http://forums.comodo.com/ or here
http://forums.comodo.com/comodo_firewall-b50.0/

I also suggest you ask your ISP technical support for help; that is what you pay them for.
You can also try other free email providers:
http://get.live.com/mail/overview
https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1k96igf4806cy&ltmpl=default&ltmplcache=2
http://www.youtube.com/watch?v=uBbmiQhuAhU


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:30 AM, on 04/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) <<< seems you are running IE 6, the first thing I would try would be to update to IE7 to see if that fixes your issues:
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx

Hope this helps...Thanks

spowers
2008-07-05, 18:54
Thanks lots for your input! I did already upgrade to IE7, yesterday after you gave me all the security info. I will try your suggestions.

Thanks again!

pskelley
2008-07-05, 19:13
delete key not working
Is there any error message when this happens?
Do you have another keyboard that you can try? It only takes a bit of debris to cause a key not to work. Try turning the keyboard over and tapping it lightly to see if it has debris in it; I have never seen one that did not after it was no longer new.

http://www.google.com/search?hl=en&q=+delete+key+not+working+&btnG=Search
407,000 <<< possible answers

What kind of keyboard is it, have you checked to see if there is a driver update?

Thanks

spowers
2008-07-05, 19:21
I would believe it was a dirty keyboard if it wasn't a consistent problem - it consistently does not work within IE7 internet forms, such as this reply box that I'm typing in; however, it consistently does work in all other places - like the address bar in IE7 or in other Windows programs. Weird, hey?

But I'll browse through the searches that you've mentioned.

Thanks :)

Just to update you - I've searched the Comodo firewall for "email" and it appears that this version (3) is causing almost everyone to have a problem with their email client. Still reading.

You're such a helpful person, you know that? :)