Mass Email Malware?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Jnathan10, Mar 6, 2007.

  1. Jnathan10

    Jnathan10 Private E-2

    I believe I have a mass email type of virus. I run Symantec Antivirus, and about 40 minutes or so after starting up my computer, I will be spammed with messages from it about how it is scanning emails and how the recipients of said emails were blocking the emails as they were suspected spam. I've tried to follow the directions as best I could; attached below are the 6 requested logs.

    Please Help!
    Jeff
     

  2. Jnathan10

    Jnathan10 Private E-2

    Here are the other 3 logs
     

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 2
    Viewpoint Manager (Remove Only) <-- should have been uninstalled in step 0 of the READ ME
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Please install HijackThis as requested in step 7 of the READ ME. Download it from our link and use the self extracting installation program. Then rename it as requested.

    Then attach a new log from HJT.

    Also, you are way out of date with GetRunKey and ShowNew. You must use the current versions of the programs. Where or when did you download the ones you have? Download the ones from the links in the READ & RUN ME and use them to attach two new logs.

    Was that a complete log from CounterSpy? It does not show much information. It does not even say no problems were found.

    Did you setup the below ProxyServer?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.45.56.24:8100

    Also what are the below two huge files in your root folder for?
    Code:
    "C:\"
    212.tmp       Dec 13 2006  1174360064  "212.tmp"
    e6.tmp        Mar  6 2007   873648128  "E6.tmp"


    Note: In many cases problems like you are describing are not due to a virus. They are typically just due to spammers knowing your IP address. Once you are on one spam list, you will get added to many more. However, let's see what happens after we fix your malware problems.
     
  4. Jnathan10

    Jnathan10 Private E-2

    Here are the new logs, not sure how the proxy got there, it's from quite a while ago, but I removed it. As for the 2 files in the C drive, I have no idea what they are, especially considering I've never even seen the .tmp file extension aside from checking to see if I could find those files after seeing them mentioned. As for the log from Counterspy, that's exactly what was copied and pasted from the scan details page.

    Edit: If it is due to spammers knowing my IP address, and not a virus, how do I stop it aside from contacting my service provider and requesting a change of IP?
     

  5. Jnathan10

    Jnathan10 Private E-2

    Oh, and just to make sure, I ran another counterspy scan, this one turned up a cookie from tribalscan or something.
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then delete them if you have not already.

    I'm sorry! I did not mean to say IP address. My mind was thinking one thing and my fingers another. I meant to say they know your email address. The easiest solution for that is to change email address and be more careful who you give it to and where you use it. Use another email address like a free Yahoo or MSN account to sign up for things and to buy things online. Only check these free accounts when you expect something to be in them. Otherwise you can just periodically delete all the spam that may show up in them.

    However let's fix your malware and see what happens.

    First uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\Jeff Nathan\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,xttjdqd.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O15 - Trusted Zone: *.dollarrevenue.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.media-motor.com
    O15 - Trusted Zone: *.mediatickets.net
    O15 - Trusted Zone: *.adgate.info (HKLM)
    O15 - Trusted Zone: *.adsextend.net (HKLM)
    O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
    O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.matcash.com (HKLM)
    O15 - Trusted Zone: *.media-motor.com (HKLM)
    O15 - Trusted Zone: *.mediatickets.net (HKLM)
    O15 - Trusted Zone: *.snipernet.biz (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: mfctmc - mfctmc.dll (file missing)
    O21 - SSODL: DnlczS - {580FB036-F2A5-1A9C-01E2-F84C759DDAED} - (no file)

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Jeff Nathan\Local Settings\Temp\A~NSISu_.exe
    C:\Program Files\Downloads\Anime\Misc\bsplayer141.832.exe
    C:\212.tmp
    C:\E6.tmp
    C:\sstray.exe
    C:\tskmgr.exe
    c:\windows\didduid.ini
    C:\WINDOWS\vxddsk.exe
    C:\WINDOWS\wml.exe
    C:\WINDOWS\bjam.dll
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\rtiit.dll
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\system32\lfd32.ini
    C:\WINDOWS\system32\msdtc_32.exe
    C:\WINDOWS\system32\vxddsk.exe
    C:\WINDOWS\system32\wml.exe
    C:\WINDOWS\system32\user_32.dll
    C:\WINDOWS\system32\cdromdrv32.dll
    C:\WINDOWS\system32\MSIXU.DLL
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\Common Files\{580FB035-0BB0-1033-0721-030304290001}

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
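As an added example (not code from this thread, from HijackThis or from MajorGeeks), here is a small Python triage pass over constructed HJT-style log lines modelled on the kinds of entries chaslang flagged above: a ProxyServer pointing at a non-local host, an extra program chained onto the UserInit value, sites added to the IE Trusted Zone, and O20/O21 entries whose files are missing. The sample lines and the rules are assumptions for illustration, not HijackThis's own logic.

```python
# Constructed HijackThis-style lines modelled on the entries quoted in this
# thread; they are not the poster's actual log.
SAMPLE_HJT_LINES = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.45.56.24:8100
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,xttjdqd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O20 - Winlogon Notify: mfctmc - mfctmc.dll (file missing)
O21 - SSODL: DnlczS - {580FB036-F2A5-1A9C-01E2-F84C759DDAED} - (no file)
""".strip().splitlines()

# Proxies on the local machine (e.g. a legitimate filtering proxy) are not flagged.
LOCAL_PROXY_HOSTS = {"127.0.0.1", "localhost"}


def triage_line(line):
    """Return a reason string if the HJT line deserves review, else None."""
    line = line.strip()
    if line.startswith("R1 ") and "ProxyServer" in line:
        host = line.split("=", 1)[1].strip().split(":")[0]
        if host not in LOCAL_PROXY_HOSTS:
            return f"proxy server set to {host}: confirm you configured it yourself"
    if line.startswith("F2 ") and "UserInit=" in line:
        # UserInit is a comma-separated list; only userinit.exe should be there.
        entries = [e.strip().lower() for e in line.split("UserInit=", 1)[1].split(",")]
        extra = [e for e in entries if e and not e.endswith("userinit.exe")]
        if extra:
            return "extra program(s) launched at logon via UserInit: " + ", ".join(extra)
    if line.startswith("O15 ") and "Trusted Zone" in line:
        return "site added to IE Trusted Zone: remove unless you added it deliberately"
    if line.startswith(("O20 ", "O21 ")) and ("(file missing)" in line or "(no file)" in line):
        return "orphaned Winlogon Notify / SSODL entry pointing at a missing file"
    return None


def triage(lines):
    """Return [(entry type, reason)] for every line that needs a second look."""
    findings = []
    for line in lines:
        reason = triage_line(line)
        if reason:
            findings.append((line.strip().split(" - ", 1)[0], reason))
    return findings


if __name__ == "__main__":
    for entry_type, reason in triage(SAMPLE_HJT_LINES):
        print(f"{entry_type}: {reason}")
```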
  7. Jnathan10

    Jnathan10 Private E-2

    The logs are attached below, everything ran fine, the only problem I ran into was I got an error message when running HJT and removing one of the items. I've quoted the error message below. I think we have a miscommunication though, about the email thing... I'm not getting a ton of spam email (well, I am, but it's just going to my bulk mail folder), the problem is that I think my computer is being used to SEND mass emails somehow, and that symantec is catching them on the way in. Now maybe I'm misreading the messages that Symantec is giving me (I'd quote them, but I haven't seen any recently, which is probably a good thing), but I don't know.

    Error message: An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: )
    Error #5 - Invalid procedure call or argument

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were trying to fix when the error occurred, if applicable
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2900.2180
    HijackThis version: 1.99.1

    This message has been copied to your clipboard.
    Click OK to continue the rest of the scan.
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Quite often spam mail that is sent to you is made to look like it originated as being sent by you. This is just another method of spamming. I'm not saying that is definitely your problem, but quite often it is. I have had many cases where the PC suspected of spamming was not even powered on during the time frame in which the email was supposedly sent. The problem was incoming spam, not outgoing.

    Let me know if you still have problems. Your current logs are clean.
     
