Thread: Okay, I think I'm ready to post finally...lol.

  1. #1

    I've tried to follow all the cleaning methods in the READ ME sticky, and I am still having major problems. I'm not sure where to start, so I will start by attaching my hjt. I also ran the Kaspersky tool and it found 14 viruses. The AVG found 116 threats. I have no idea where to start. The problem I am having is major popups, it usually says win 32 error and it looks like it's scanning my computer, it also says "errorsafe" or something like that...can't remember...or trying to get me to click on things to scan my computer. I also am having an error when I boot up that says mm_tray error...not sure what that is either. I ran the ATF and the AVG. I installed and ran windows defender...it also found lots of things...I'm not sure where to begin. There are several things on my add and remove program list that I don't recognize, but I'm afraid to delete. My startup menu definitely needs to be cleaned up...please let me know what I need to do now. I'm not sure what all to put in this request for help.

  2. #2
    Here is everything that Kaspersky found...I put it into a text file, not sure how else to get it here.

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Ok, the attached HJT log in this thread shows a LOT more items than the log in your original thread of 8/17/2007.
    Frankly, I am not certain whether the difference is because you are using the newer version of HJT here or not. But there is definitely much more showing.

    Your Kaspersky log here shows a lot of nasties in various temp files. Let's see if we can get rid of those. PLUS it also shows me that sometime you have run the VundoFix tool as there are infections in a VundoFix Backups folder. When did you run this tool?

    Please download the CleanupXP
    Reboot to Safe Mode and run the program. When it is complete then reboot again to safe mode and continue with instruction below.

    Next go to Add/Remove and UNINSTALL all listings of the following that you find;
    WinAntiSpyware 2007

    Reboot to Normal Mode.
    Right off the bat in your HJT log I still see a vundo infection, even after you had sometime run the vundofix so let's start with that one;
    Please download VundoFix.exe to your desktop if you do not still have it on your machine.
    • Double-click VundoFix.exe to run it.
    • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

    After you have run that I want you to relocate your HiJackThis program to its own folder following the instructions given on the Read Me Sticky. It needs to be in its own folder.
    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and Click ENTER. This is where you need to locate your HiJackThis program and please rename it hjtscan.exe.

    After you have relocated and renamed HJT please run a new scan with it and save the log. Post back here with that new HJT log and the VundoFix log.

  4. #4
    I ran the vundofix last night, but I think that was there from before. Heck, I don't know...but I'm about ready to pull my hair out!

    Okay, about safe mode. I'm using the f8 method, and most times it won't work. After I hit safe mode, it starts listing what looks like to be drivers of some sort. I have to do it several times before it will work. I'm going to run the cleanupxp now and then the rest of your suggestions. I'll get back to you asap.
    Thanks for taking the time to help me
    Rory

  5. #5
    Okay, I'm attaching the vundofix and the hjt scans. Vundo didn't find anything new...I ran it last night and it did remove some things. While I was trying to run it, I got 3 new virus notices from NAV. Lovely. I relocated and renamed the hjt as well.

  6. #6
    "Okay, about safe mode. I'm using the f8 method, and most times it won't work. After I hit safe mode, it starts listing what looks like to be drivers of some sort."
    That is what it is supposed to do, it is listing drivers and stuff like that. Even though it is going into safe mode it still has to load all that in order to run. Just wait, it may take several minutes but it will get there. It may look like it isn't doing anything but it is.
    Will look at your logs and see what is going on.

    First thing I see in the VundoFix is this;
    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.
    This is probably one of the causes of your infections. Go to Add/Remove immediately and uninstall all versions of Java showing there.

    Then go to Download SunJava
    Download the latest version there which is version 6. Choose the manual install option.
    Download it to your system, save it to the desktop so that you can find it. Then close all unnecessary programs, Browsers, Kodak\Kodak EasyShare programs, MSN Messenger, any email programs. THEN install this new version of Java.
    After it is installed then go to the Verification Page
    to be certain that it is installed and working.

    First thing I see in the HiJackThis log is this;
    No Active Firewall is detected. Windows built in firewall is not detected by the HJT scan so if this is the one you are using then please let me know ASAP.
    If you have no firewall on the system either Activate the Built In Windows firewall Immediately OR download one of the good free ones you will find here
    Either way, you must run a firewall.

  7. #7
    Do the above steps FIRST.

    Next, ENABLE VIEWING OF HIDDEN FILES AND FOLDERS.

    AFTER you have done that then reboot the computer in SAFE MODE again.
    Once in safe mode you are going to have to manually look for some files that are noted in RED and if you find them DELETE them. Don't delete the FOLDER they are contained in, just delete the specific file.

    First go to My Computer. Double Click on "C" drive to open it up.
    Then navigate to each of the folders noted first below after you see
    C:\\

    C:\Program Files\MSN Gaming Zone\horyl22011.exe
    C:\Program Files\Common Files\WinAntiSpyware 2007\

    Now carefully read the exact location of each of these files.
    C:\Documents and Settings\Rory and Chuck\Local Settings\Temp\
    Open that Temp folder, Select all the temp files you find there and DELETE them.

    C:\Documents and Settings\Rory and Chuck\Local Settings\Temporary Internet Files\Content.IE5\
    Now when you open this Content.IE5 folder you will see a number of Folders there with odd looking names like OMM9QX6D Open each one of the Folders you find in each and select all files and delete them.

    Next go Here and delete items showing in RED;
    C:\WINDOWS\system32\CC1\mon113bcz.exe
    C:\WINDOWS\system32\diskwow.dll
    C:\WINDOWS\system32\dnphbytp.exe

    C:\WINDOWS\system32\lldsrngo.exe
    C:\WINDOWS\system32\dwdsrngt.exe
    C:\WINDOWS\system32\ICM2\nb22011.exe/

    All files I have noted in red are infected files, they need to be removed. If you are unable to find any of them, make note of it to include in your next post.

    Once you have deleted all those items then Reboot the System in Normal mode.
    Run HiJackThis again.
    Place a checkmark next to the following entries, if they still remain;

    O2 - BHO: (no name) - {41C5A24E-A86D-4E36-9916-5E320DAB97F0} - C:\WINDOWS\system32\ssqrp.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8E6A45CC-4443-4F44-AB67-10C0062089B7} - C:\WINDOWS\system32\ssttu.dll (file missing)
    O2 - BHO: (no name) - {E0252019-EDDD-E57F-81D2-EEABD803059D} - C:\WINDOWS\system32\dwgxyfe.dll (file missing)

    O4 - HKLM\..\Run: [horyl] C:\Program Files\MSN Gaming Zone\horyl22011.exe

    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\dnphbytp.exe (file missing)

    Once you have placed the checkmarks then click the Fix Checked Button.
    Exit HJT.
    Reboot the system to Normal Mode. Run a new Kaspersky scan and save the log.
    Run a new HJT scan and save the log.

    Post back here with both new logs.
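
An added example, not part of the original post: a small Python triage of the HijackThis lines quoted in post #7, separating entries whose file is already gone (only the registry reference is left to fix) from entries whose file still has to be deleted as well. The names `parse_entry` and `triage` are this example's own, and the line layout is inferred only from the entries quoted above.

```python
import re

# Entries copied from the fix list in post #7 of this thread.
HJT_LINES = r"""
O2 - BHO: (no name) - {41C5A24E-A86D-4E36-9916-5E320DAB97F0} - C:\WINDOWS\system32\ssqrp.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8E6A45CC-4443-4F44-AB67-10C0062089B7} - C:\WINDOWS\system32\ssttu.dll (file missing)
O2 - BHO: (no name) - {E0252019-EDDD-E57F-81D2-EEABD803059D} - C:\WINDOWS\system32\dwgxyfe.dll (file missing)
O4 - HKLM\..\Run: [horyl] C:\Program Files\MSN Gaming Zone\horyl22011.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\dnphbytp.exe (file missing)
""".strip().splitlines()

# One of the files post #8 reports as not found on disk.
NOT_FOUND = [r"C:\WINDOWS\system32\dnphbytp.exe"]

# Assumption: "<section> - <kind>: <details>" layout, inferred from the lines above.
SECTION = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
PATH = re.compile(r"[A-Za-z]:\\[^()]*?\.(?:exe|dll)", re.I)
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_entry(line):
    """Return section, kind, CLSID, path and orphan flag for one log line."""
    m = SECTION.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    path, clsid = PATH.search(rest), CLSID.search(rest)
    return {
        "section": section,
        "kind": kind,
        "clsid": clsid.group(0) if clsid else None,
        "path": path.group(0) if path else None,
        # HijackThis marks a reference with no file behind it this way.
        "orphaned": rest.endswith(("(file missing)", "(no file)")),
    }

def triage(lines, not_found=()):
    """Split entries into registry-only leftovers and file-plus-registry items."""
    registry_only, file_and_registry = [], []
    missing = {p.lower() for p in not_found}
    for e in filter(None, map(parse_entry, lines)):
        gone = e["orphaned"] or (e["path"] or "").lower() in missing
        (registry_only if gone else file_and_registry).append(e)
    return registry_only, file_and_registry

if __name__ == "__main__":
    leftovers, live = triage(HJT_LINES, NOT_FOUND)
    for e in live:
        print("delete file, then fix entry:", e["section"], e["path"])
    print(len(leftovers), "entries are registry leftovers only")
```

On these lines only the O4 Run entry still points at a file on disk; the O23 entry for dnphbytp.exe is already flagged as missing, which matches what post #8 reports.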

  8. #8
    Okay, Java uninstalled and reinstalled successfully. I checked the windows firewall and it was running along with the automatic updates. Here are the problems I ran into while following your further instructions.

    "C:\Documents and Settings\Rory and Chuck\Local Settings\Temporary Internet Files\Content.IE5\
    Now when you open this Content.IE5 folder you will see a number of Folders there with odd looking names like OMM9QX6D Open each one of the Folders you find in each and select all files and delete them."

    I could not find a file that said Content.IE5. I found 2 that said content, and 2 that said ie5, but I was unsure what to do with them. When I open the temporary internet files there are probably hundreds of files in there...I'm assuming that's not good.

    I was unable to find these files in system32.

    C:\WINDOWS\system32\dnphbytp.exe

    C:\WINDOWS\system32\lldsrngo.exe
    C:\WINDOWS\system32\dwdsrngt.exe
    C:\WINDOWS\system32\ICM2\nb22011.exe/

    My new hjt is attached. Another virus showed itself on NAV while I was printing out the instructions you gave.

  9. #9
    "When I open the temporary internet files there are probably hundreds of files in there...I'm assuming that's not good."

    They are called TEMPORARY for a reason, that means they are not to be kept forever.
    Delete EACH and EVERY temp file. Now. Download CCleaner
    Install it. Reboot to SAFE MODE and run CCleaner

    Where is that new Kaspersky log?

  10. #10
    Sorry...I forgot about the Kaspersky...lol. I want to make plain the file I told you had hundreds of files...it was the C:\Documents and Settings\Rory and Chuck\Local Settings\Temporary Internet Files. Seems like one of these things I'm running would clean that out if it was supposed to be, right? Anyway, I'm going to wait for confirmation on that before I delete everything in it. Btw, is there a way to select all of those files without deleting every one? I'm going to run Kaspersky and cc now and then I'll be back to post it.
