WINFIXER PROBLEM - HELP PLS

[diananana]

I have two computers in the house networked together.  I had a serious problem on the main computer with spyaxe weeks ago that this forum successfully and quickly helped me resolve it.

Now the problem is the other computer, my son's computer, which I am sending this message from.  Apparently he is having problems with the winfixer bug.  Pop unders, constant pop up ads even though we have pop-up stopper software (Pest Patrol/by Sunbelt).  Computer freezes etc etc.

I tried running spydoctor which found 300 infections and zoftspy which found some too but then they werent free so I remembered about your site.

I downloaded hijack this and here's copy of the log:  PLEASE HELP!
Thanks,
Diane

Logfile of HijackThis v1.99.1
Scan saved at 4:54:11 PM, on 1/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Wireless-G Portable USB Adapter\WUSB54GP.exe
C:\Program Files\Common Files\AOL\1136146567\ee\AOLSoftware.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\DLLLOADRS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZUMCXY35\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: om
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\vtsqo.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\mljjk.dll
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136146567\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [COM Service] C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [Windows Task Scheduler] C:\WINDOWS\system32\10.tmp
O4 - HKLM\..\Run: [Microsoft Windows COM Objects Loader] C:\WINDOWS\system32\217.tmp
O4 - HKLM\..\Run: [myupdates] c:\windows\myupdates.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [iHatePopups.exe] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\DLLLOADRS.EXE
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\DLLLOADRS.EXE
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd4.exe
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: LimeWire On Startup.lnk = C:\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\allowsite.htm
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\denysite.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: iHatePopups - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe (HKCU)
O9 - Extra 'Tools' menuitem: iHatePopups - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {00C0A1F2-D492-4DBA-A8E2-76CB1B791724} (TNPLDownloader Control) - https://dtwx2.accuweather.com/tnpl_awda/client/download/TNPLDownloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {78AB15BF-0C99-4E52-87C9-5201394749EF} - http://install.mycleanerpc.com/distid/4801041213/mycleanerpc.exe
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1441/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: ddayw - ddayw.dll (file missing)
O20 - Winlogon Notify: mljjk - C:\WINDOWS\SYSTEM32\mljjk.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\p2p60c7sef.dll
O20 - Winlogon Notify: vtsqo - C:\WINDOWS\system32\vtsqo.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\system32\RpcSs.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SMX regulator (Windows SMX) - Unknown owner - C:\WINDOWS\winsmx.exe (file missing)
O23 - Service: WUSB54GPSVC - Unknown owner - C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe" "WUSB54GP.exe (file missing)

[GTO]

Hi, diananana. Welcome to 2-Spyware.com forums!

Your son's computer is badly infected with dangerous parasites. It is highly recommended to update security-related software installed to the system (AVG Anti-Virus and Microsoft AntiSpyware) and perform a full system scan. I cannot suggest a manual removal, becase a HijackThis log probably does not reveal all the pests the system is infected with. Furthermore, 300 infections is a very large number to remove manually. Nevertheless, I will provide you with manual removal instructions.

1. First of all, download the KillBox utility.

2. Click on the Start button, then select Run... and type in msconfig. This should launch the Windows Configuration Utility. Select the Services tab within it and find entries with the following names:
Remote Procedure Call (RPC) Service (RpcSssvc) and WUSB54GPSVC.
Then uncheck them and apply changes by pressing the Apply button.

3. Use HijackThis to fix the following entries:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: om
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\vtsqo.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\mljjk.dll
O4 - HKLM\..\Run: [COM Service] C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [Windows Task Scheduler] C:\WINDOWS\system32\10.tmp
O4 - HKLM\..\Run: [Microsoft Windows COM Objects Loader] C:\WINDOWS\system32\217.tmp
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\DLLLOADRS.EXE
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\DLLLOADRS.EXE
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd4.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: ddayw - ddayw.dll (file missing)
O20 - Winlogon Notify: mljjk - C:\WINDOWS\SYSTEM32\mljjk.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\p2p60c7sef.dll
O20 - Winlogon Notify: vtsqo - C:\WINDOWS\system32\vtsqo.dll
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\system32\RpcSs.exe (file missing)
O23 - Service: WUSB54GPSVC - Unknown owner - C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe" "WUSB54GP.exe (file missing)

4. Now reboot the system into Safe Mode. This step is very important!

5. Use KillBox to delete the following files:
C:\PROGRA~1\Jalmp\jalmp.dll
C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\10.tmp
C:\WINDOWS\system32\217.tmp
C:\WINDOWS\system32\hpsw.exe
C:\WINDOWS\DLLLOADRS.EXE
C:\windows\winsysupd4.exe
C:\WINDOWS\system32\p2p60c7sef.dll

6. After you get done, restart a computer, run another HijackThis scan and post a fresh log here.

[diananana]

I will do as you say and get back as soon as possible.  I am involved in a family emergency right now and will try to do this later on today.  Thanks so much!

Diana