
Please help me with this hijackthis log...

Discussion in 'Windows - Virus and spyware problems' started by hakuron, Sep 9, 2008.

  1. hakuron

    hakuron Member

    Joined:
    Jan 7, 2006
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    16
    @2oldgeek

    Well, I have disabled the McAfee WSC Integration, McAfee Task Scheduler and McAfee SecurityCenter using services.msc, but for some reason the McAfee icon is still in the bottom right-hand corner of the screen.

    I have no problems with the ATF-Cleaner.exe.

    After I ran Malwarebytes' Anti-Malware, it said that there were a few malwares that couldn't be removed; it told me to restart the computer and it would remove them. I did that, but at the password prompt it froze after I typed the password to log in to Windows. So I forced it to shut down again, and it worked the second time.

    And the ComboFix thing, I got the same problem as last time: the nircmd.com thing.

    BTW, when I paste combofix /u in the box, it says Windows can't find the ComboFix file. I guess I deleted it???

    So yeah, this is the latest update on my computer, but at least the worm problem is getting better. The linking to other pages is gone, the computer is faster, and I could actually click on the links that you gave me for the .exe's, because most of the time it would just say page not found, so I had to use my other computer to download them and transfer them to this computer. Thanks :)

    here are my logs:

    Hijackthis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:52:18 PM, on 9/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\PRISMSVR.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\CameraFixer.exe
    C:\WINDOWS\tsnpstd3.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\vsnpstd3.exe
    C:\Program Files\FlashGet\FlashGet.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Dell Wireless\PRISMCFG.exe
    C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O2 - BHO: (no name) - {491AF6C5-21F2-46E1-C653-3DF529127D7B} - C:\WINDOWS\wcidBHO.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {85CF4327-68DE-1974-B32E-766E84A9706C} - C:\WINDOWS\wcidBHO.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe /waitservice
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
    O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
    O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
    O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\FlashGet.exe /min
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - http://td.nortonconfidenceonline.com/plug-in/WSAS.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\516\G2AWinLogon.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Personal Firewall Service (LavasoftFirewall) - Agnitum Ltd. - C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    --
    End of file - 10666 bytes


    Malwarebytes

    Malwarebytes' Anti-Malware 1.28
    Database version: 1170
    Windows 5.1.2600 Service Pack 2

    9/18/2008 3:16:24 PM
    mbam-log-2008-09-18 (15-16-24).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 159536
    Time elapsed: 1 hour(s), 6 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 12
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 4
    Files Infected: 49

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\TypeLib\{6a8a50ea-91e6-4325-ac66-a94ce9c5a28e} (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{8d4c1db9-858d-4048-9869-9188dcf2bed7} (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{232de810-25e4-4d59-b91c-ec1ab2759253} (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{b130cddd-d5c5-428d-9322-d9896cc20304} (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{48413ad5-c4fb-4139-b9ec-e2e81f669b8a} (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9b3b6152-725c-423f-8fd5-90e4fb67d33c} (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{d44f08e1-3c00-41a8-8a36-7ff7d3f08c15} (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{90abcbc0-8d4a-4094-820d-152780f49d4f} (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{3a14dc54-d801-419c-9c44-b9982d9a949b} (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adware away v2.2.8.9_is1 (Rogue.AdwareAway) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Trace) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Trace) -> Data: system32\ -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\Adware Away (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\backup (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\OtherTools (Rogue.AdwareAway) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Program Files\Adware Away\ab_old.reg (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\activex.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\AdAway.chm (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\AdAway.dll (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\AdAway.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\autorun.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\Customize.dll (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\EProcess.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\fa.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\FixForV8.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\global.dll (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\hosts.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\iebhotoolbar.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\iedlls.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\iepage.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\ierestriction.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\ietoolbarbutton.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\ieurlprefix.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\ieurlsearchhook.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\keylogger.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\ListDlls.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\LSP.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\OtherNormal.dat (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\overall.log (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\piracy.txt (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\process.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\service.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\sharedresource.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\shellextensions.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\sporder.dll (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\unins000.dat (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Program Files\Adware Away\unins000.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\Adware Away.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\Uninstall.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\User Manual.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\OtherTools\FixForV8.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\OtherTools\ListDlls.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\casino1.ico (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\casino2.ico (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\casino3.ico (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
    C:\Documents and Settings\Vicky Chan\Desktop\Adware Away.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.


    And I can't find c:\comboFix.txt.


    Thank you very much

    hakuron
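
Reading an HJT log like the one above is mostly a matter of applying a few rules of thumb to each entry. The following is an added example, not part of this thread or of HijackThis itself: a Python triage helper that parses the O2/O4/O9/O20/O23 line formats and flags orphan entries, binaries sitting directly in C:\WINDOWS, system-wide load points and unnamed BHOs for review. The sample lines are copied from the log posted above; a flag means "look at this", not "this is malware".

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {491AF6C5-21F2-46E1-C653-3DF529127D7B} - C:\WINDOWS\wcidBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\516\G2AWinLogon.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HijackThis entry starts with its section code: "O<n> - <rest>".
LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<rest>.+)$")
# First drive-letter path in the entry, up to its binary extension; surrounding
# quotes and trailing arguments (e.g. "-atboottime") are left out of the match.
PATH_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"]*?\.(?:dll|exe|sys|ocx))', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    reason: str    # why a helper would want to look at this entry
    detail: str    # the path (or the raw entry when there is no path)


def parse_path(entry: str) -> Optional[str]:
    """Return the module path named in a HijackThis entry, or None."""
    m = PATH_RE.search(entry)
    return m.group("path") if m else None


def is_directly_in_windir(path: str) -> bool:
    # True for <drive>:\WINDOWS\<file>; False for system32, drivers or vendor folders.
    parts = path.lower().split("\\")
    return len(parts) == 3 and parts[1] == "windows"


def triage_line(line: str) -> List[Finding]:
    """Apply the review heuristics to one log line; an empty list means nothing stood out."""
    findings: List[Finding] = []
    m = LINE_RE.match(line.strip())
    if not m:
        return findings
    section, rest = m.group("section"), m.group("rest")
    path = parse_path(rest)
    missing = "(no file)" in rest or "(file missing)" in rest
    if missing:
        # A CLSID still registered after its DLL is gone: leftover of a removal or a decoy.
        findings.append(Finding(section, "orphan: registered but the file is gone", rest))
    if path and is_directly_in_windir(path):
        findings.append(Finding(section, "module sits directly in %WINDIR%, not in system32 or a vendor folder", path))
    if section == "O20":
        # AppInit_DLLs load into every GUI process; Winlogon Notify DLLs load into winlogon.
        findings.append(Finding(section, "system-wide load point: verify the vendor", path or rest))
    if section == "O2" and rest.startswith("BHO: (no name)") and path and not missing:
        findings.append(Finding(section, "unnamed BHO with a file on disk: identify the DLL", path))
    return findings


def triage_log(text: str) -> List[Finding]:
    out: List[Finding] = []
    for line in text.splitlines():
        out.extend(triage_line(line))
    return out


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.detail}")
```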
     
  2. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    @hakuron,

    Malwarebytes removed a lot of infection. Your HJT log still shows signs of infection.

    Also McAfee shows to still be running.

    You must stop McAfee before we can run ComboFix which is necessary to clean the infection still remaining in your machine.

    Download and run this un-installer from McAfee and hopefully it will be able to get rid of all the McAfee stuff so we can finish cleaning up….

    http://tools.mcafeehelp.com/doc.php?siteid=1&docid=419397


    After running the McAfee un-installer, post a fresh HJT log.

    2OG
     
  3. hakuron

    hakuron Member

    Joined:
    Jan 7, 2006
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    16
  4. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    @hakuron,

    Welllllllllll, I guess they have lost their server because it worked for me yesterday. Maybe they’ll be back up soon and we can try it.

    I really would like to get rid of that McAfee, if possible, but it can wait. Hehe

    Here is something we can try. I have been searching for a reason that windows was rejecting the ComboFix file and maybe this will do the trick:

    Download -> COM File Association Fix

    Download the ZIP and open it. Extract the REG file to your desktop and double click it. Answer yes to the import prompt.


    After running the above Fix please delete any copy of ComboFix you may have left.

    Then go through these instructions again and, hopefully, it will work this time.



    1. Download ComboFix from one of these locations.
    * IMPORTANT !!! Place combofix.exe on your Desktop

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe

    2. Click start > run and Copy and Paste this in exactly, using the picture below for reference, then click OK.






    3. Combo will begin to run. DO NOTHING while this is happening.
    • It will kill a few processes and disconnect you from the internet.
    • If by chance it stops prematurely you can re-establish your internet connection by restarting your computer.
    • This needs to be done so the program can work most efficiently for you.
    Do not attempt to use the internet or anything else while it's doing its job for you.

    If, when it's completed, you cannot get on the internet, just reboot the computer.

    Post the log from comboFix for me located in
    c:\comboFix.txt


    2OG
     
  5. hakuron

    hakuron Member

    Joined:
    Jan 7, 2006
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    16
    @2oldgeek

    Sorry to tell you this, but when I run the COM File Association Fix, the same 'Windows cannot open this file: xp_com_fix_reg' window appeared again, asking me what kind of program I should use to open it! I'm sure this news is really frustrating to you, as it is to me :p

    hakuron
     
  6. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    @hakuron,

    It is frustrating since I don’t have my hands on it and my crystal ball is really fuzzy. ;)

    I must be out of town a few days and will be thinking about it, but in the meantime, I believe you may consider a re-format/re-install of your OS as a last resort, of course.


    2OG
     
  7. hakuron

    hakuron Member

    Joined:
    Jan 7, 2006
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    16
    @2oldgeek

    Really? Wow, that would be terrible if I really have to reformat the computer... but I guess if it doesn't bother me too much, I could just leave it like this??? Or will it get worse over time?

    have a safe trip

    hakuron
     
  8. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    I'm sorry for intruding, but your problem can be fixed manually, hakuron. Another sorry to 2oldgeek, if I'm messing up your thread. Normally, I would tell you first, but apparently, you're out of town... :(

    This might take some trial and error, but perhaps it can be done.

    First, download REG File Association Fix. Unzip this file only. Do not run it yet.

    Go to Start, Run, and type in regedit. Click on OK. If this step does not work, look below. **

    Click on File, Import, and navigate to xp_regfile.reg. Click on Open. Restart your computer.

    Now, run the COM File Association Fix and reboot. I'll leave the rest for 2oldgeek.

    Best Regards :D

    **Download this tool ( http://www.softpedia.com/get/Security/Security-Related/RRT-Remove-Ristrictions-Tool.shtml ) and enable regedit. You might have to reboot for the changes to take effect.
     
  9. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    @hakuron,

    Step through the instructions that cdavfrew posted and let me know what happens….

    If you don’t understand something, please ask..

    @cdavfrew,
    Tnx, sounds like that might work or at least narrow it down. :)
     
  10. hakuron

    hakuron Member

    Joined:
    Jan 7, 2006
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    16
    @2oldgeek and cdavfrew

    Well, I ran the REG File Association Fix that cdavfrew suggested, and it ran smoothly. Then I tried to run the ComboFix file. This time no nircmd window popped up, so it ran smoothly also (asking me to click 'yes') and it restarted the computer. So far so good, but after I typed my password to log on to Windows, I couldn't see any icons (start button, toolbar, clock, icons on the desktop, etc.). I can only see my desktop wallpaper. So I tried to force it off and turn it back on, but the same thing happened. But I know the computer works, because I tried pressing Ctrl+Alt+Delete and the Windows Task Manager pops up. But yeah, as far as I can see, I can't use my computer because there aren't any icons for me to click. The good news is that, remember I told you about a weird window that popped up every time before I typed my password? That window doesn't pop up anymore!!

    Please tell me what to do next so that I can finally use my cleaned computer. :) Can't wait

    Thank you very much

    hakuron
     
  11. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    @hakuron,

    I don’t have much time but here is something to try…

    Since you have your Task Manager:

    Hit Ctrl+Alt+Delete to open Task Manager:
    Choose the Application Tab at the top.
    Click the "New Task..." button.
    Type explorer.exe and hit enter.

    Hopefully this will return your desktop and icons.

    If ComboFix ran successfully please post the Log located at c:\comboFix.txt

    2OG
     
  12. hakuron

    hakuron Member

    Joined:
    Jan 7, 2006
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    16
    @2oldgeek

    Wow, after I typed explorer.exe, the icons appeared magically!! Thank you so much. Oh, here's the log file. BTW, I've replaced my name with XXXXXXX :) And one last question: do I have to type explorer.exe every time my computer starts, or is it a one-time thing?

    ComboFix 08-10-07.06 - XXXXXXXX 2008-10-07 20:55:57.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.950.852.1033.18.608 [GMT -7:00]
    Running from: C:\Documents and Settings\XXXXXXXX\desktop\combofix.exe
    Command switches used :: /killall
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
    C:\WINDOWS\system32\tdsspopup.dll
    C:\WINDOWS\system32\tdsspopup1.url
    C:\WINDOWS\system32\tdsspopup2.url
    C:\WINDOWS\system32\tdsspopup3.url

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV
    -------\Service_TDSSserv


    ((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 )))))))))))))))))))))))))))))))
    .

    2008-10-04 17:11 . 2008-10-04 17:11 <DIR> d-------- C:\Program Files\ConvertHelper
    2008-10-04 15:10 . 2008-10-04 15:10 <DIR> d-------- C:\Documents and Settings\XXXXXXXX\dwhelper
    2008-10-03 13:01 . 2008-10-03 13:01 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-10-03 13:00 . 2008-10-03 13:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-09-19 21:51 . 2008-10-07 20:01 <DIR> d-------- C:\Documents and Settings\XXXXXXXXX\Application Data\skypePM
    2008-09-19 21:51 . 2008-09-19 21:51 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
    2008-09-19 21:38 . 2008-09-19 21:38 <DIR> d-------- C:\Program Files\Common Files\Skype
    2008-09-18 14:05 . 2008-09-18 14:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-18 14:05 . 2008-09-18 14:05 <DIR> d-------- C:\Documents and Settings\XXXXXXXX\Application Data\Malwarebytes
    2008-09-18 14:05 . 2008-09-18 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-18 14:05 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-18 14:05 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-17 15:38 . 2008-09-17 16:31 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-09-09 00:12 . 2008-09-09 00:12 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-08 22:59 . 2008-09-08 22:59 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
    2008-09-08 21:14 . 2008-09-08 21:14 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Lavasoft

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-08 03:51 --------- d-----w C:\Documents and Settings\XXXXXXXX\Application Data\OpenOffice.org2
    2008-10-08 03:43 37,624 ----a-w C:\Documents and Settings\XXXXXXXXX\Application Data\wklnhst.dat
    2008-10-08 03:40 --------- d-----w C:\Documents and Settings\XXXXXXXX\Application Data\Skype
    2008-10-06 06:15 --------- d-----w C:\Program Files\FlashGet
    2008-10-05 05:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\WholeSecurity
    2008-10-01 06:50 --------- d-----w C:\Documents and Settings\XXXXXXXXXX\Application Data\dvdcss
    2008-09-25 08:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-25 08:13 --------- d-----w C:\Documents and Settings\XXXXXXXXXX\Application Data\Samsung
    2008-09-24 23:42 --------- d-----w C:\Documents and Settings\XXXXXXXXXX\Application Data\HP
    2008-09-12 01:32 --------- d-----w C:\Program Files\BitComet
    2008-09-09 05:59 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-09-06 20:08 --------- d-----w C:\Program Files\Citrix
    2008-09-06 20:07 61,224 ----a-w C:\Documents and Settings\XXXXXXXXX\GoToAssistDownloadHelper.exe
    2008-09-06 19:43 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-09-06 19:41 --------- d-----w C:\Documents and Settings\XXXXXXXXXX\Application Data\AdobeUM
    2006-02-21 05:20 87,088 ----a-w C:\Documents and Settings\XXXXXXXXXX\Application Data\GDIPFONTCACHEV1.DAT
    2005-05-14 00:12 217,073 --sha-r C:\WINDOWS\meta4.exe
    2005-10-24 18:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
    2005-10-14 04:27 422,400 --sha-r C:\WINDOWS\x2.64.exe
    2005-10-08 02:14 308,224 --sha-w C:\WINDOWS\system32\avisynth.dll
    2005-07-14 19:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
    2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
    2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
    2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
    2006-04-27 17:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
    2005-02-28 20:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
    2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
    .
    ----a-w         2,328,733 2006-12-16 07:39:14  C:\Program Files\BitComet\Downloads\WinXMedia DVD AVI MP3 MP4 MPEG iPod PSP Video Audio Converter Ripper\WinXMedia DVD Audio Ripper\WinXMedia DVD Audio Ripper .exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-03-01 90112]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
    "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
    "Personal Firewall"="C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe" [2005-11-03 91648]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [N/A]
    "CameraFixer"="C:\WINDOWS\CameraFixer.exe" [2006-04-12 20480]
    "tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2005-11-04 90112]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 282624]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 229952]
    "snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-19 827392]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 C:\WINDOWS\stsystra.exe]
    "MAIHIME_ACCESSORY_STARTUP"="" [N/A]
    "MAIHIME_CALENDAR_STARTUP"="" [N/A]

    C:\Documents and Settings\XXXXXXX\Start Menu\Programs\Startup\
    OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-02-18 122880]
    Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe [2006-02-07 917611]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-09-06 13:07 10536 C:\Program Files\Citrix\GoToAssist\516\g2awinlogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\BitComet\\BitComet.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
    "C:\\Program Files\\mIRC\\mirc.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Media Center Diagnostic Kit\\MCDiag.exe"=
    "C:\\Program Files\\Media Center Diagnostic Kit\\MCEHostRemote.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "C:\\Program Files\\FlashGet\\FlashGet.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "32670:TCP"= 32670:TCP:Azureus port
    "6881:TCP"= 6881:TCP:bt1
    "6882:TCP"= 6882:TCP:bt2
    "6883:TCP"= 6883:TCP:bt3
    "6884:TCP"= 6884:TCP:bt4
    "6885:TCP"= 6885:TCP:bt5
    "25456:TCP"= 25456:TCP:BitComet 25456 TCP
    "25456:UDP"= 25456:UDP:BitComet 25456 UDP

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
    R1 VFILT;Lavasoft Firewall Kernel Driver;C:\Program Files\Lavasoft\Personal Firewall\kernel\FILTNT.SYS [2005-11-03 117408]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
    R2 ehMonitor;Media Center Monitor Service;C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe [2005-09-07 49336]
    R3 ADBLOCK.DLL;Lavasoft Firewall PlugIn (ADBLOCK.DLL);C:\Program Files\Lavasoft\Personal Firewall\kernel\ADBLOCK.DLL [2005-11-03 33504]
    R3 ARP.DLL;Lavasoft Firewall PlugIn (ARP.DLL);C:\Program Files\Lavasoft\Personal Firewall\kernel\ARP.DLL [2005-11-03 17632]
    R3 CONTENT.DLL;Lavasoft Firewall PlugIn (CONTENT.DLL);C:\Program Files\Lavasoft\Personal Firewall\kernel\CONTENT.DLL [2005-11-03 4928]
    R3 DNSCACHE.DLL;Lavasoft Firewall PlugIn (DNSCACHE.DLL);C:\Program Files\Lavasoft\Personal Firewall\kernel\DNSCACHE.DLL [2005-11-03 14208]
    R3 FTPFILT.DLL;Lavasoft Firewall PlugIn (FTPFILT.DLL);C:\Program Files\Lavasoft\Personal Firewall\kernel\FTPFILT.DLL [2005-11-03 9056]
    R3 HTMLFILT.DLL;Lavasoft Firewall PlugIn (HTMLFILT.DLL);C:\Program Files\Lavasoft\Personal Firewall\kernel\HTMLFILT.DLL [2005-11-03 11584]
    R3 HTTPFILT.DLL;Lavasoft Firewall PlugIn (HTTPFILT.DLL);C:\Program Files\Lavasoft\Personal Firewall\kernel\HTTPFILT.DLL [2005-11-03 13280]
    R3 IMAPFILT.DLL;Lavasoft Firewall PlugIn (IMAPFILT.DLL);C:\Program Files\Lavasoft\Personal Firewall\kernel\IMAPFILT.DLL [2005-11-03 7232]
    R3 MAILFILT.DLL;Lavasoft Firewall PlugIn (MAILFILT.DLL);C:\Program Files\Lavasoft\Personal Firewall\kernel\MAILFILT.DLL [2005-11-03 14784]
    R3 NNTPFILT.DLL;Lavasoft Firewall PlugIn (NNTPFILT.DLL);C:\Program Files\Lavasoft\Personal Firewall\kernel\NNTPFILT.DLL [2005-11-03 6784]
    R3 POP3FILT.DLL;Lavasoft Firewall PlugIn (POP3FILT.DLL);C:\Program Files\Lavasoft\Personal Firewall\kernel\POP3FILT.DLL [2005-11-03 10016]
    R3 PROTECT.DLL;Lavasoft Firewall PlugIn (PROTECT.DLL);C:\Program Files\Lavasoft\Personal Firewall\kernel\PROTECT.DLL [2005-11-03 16992]
    R3 SECRET.DLL;Lavasoft Firewall PlugIn (SECRET.DLL);C:\Program Files\Lavasoft\Personal Firewall\kernel\SECRET.DLL [2005-11-03 9728]
    S3 GoToAssist;GoToAssist;C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe Start=service [ ]
    S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;C:\WINDOWS\system32\DRIVERS\libusb0.sys [2006-04-23 29184]
    S4 PRISMSVC;PRISMSVC;C:\WINDOWS\system32\PRISMSVC.EXE [2004-10-04 57344]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47067ed8-ba1a-11da-ae51-0014a55dc70c}]
    \Shell\AutoRun\command - F:\q83iwmgf.bat
    \Shell\explore\Command - F:\q83iwmgf.bat
    \Shell\open\Command - F:\q83iwmgf.bat
    .
    Contents of the 'Scheduled Tasks' folder

    2008-10-07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 18:13]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\XXXXXXX\Application Data\Mozilla\Firefox\Profiles\4yxa7ucb.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-07 23:34:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    C:\WINDOWS\explorer.exe [2444] 0x8569DAF0

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\ehome\ehrecvr.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\Program Files\McAfee.com\Agent\Mcdetect.exe
    C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\system32\PRISMSVR.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.1\program\soffice.bin
    C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-07 23:41:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-08 06:41:09

    Pre-Run: 71,113,617,408 bytes free
    Post-Run: 77,711,953,920 bytes free

    225 --- E O F --- 2008-09-10 10:02:32


    Thank you very much for the fast reply

    hakuron
     
  13. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    You got me buddy, give it a boot and see……..

    Maybe all will change after we get you cleaned up.. ;)

    I need some time to go over the Combo Log so don’t hold your breath… lol

    Looks like you may have a worm on a flash drive…. You do have a flash drive, huh?

    I’ll be looking over the logs so any questions, concerns?

    Also, while I am looking over the logs, please go to Start > Run > type in sfc /scannow click OK

    Let it run and let me know the outcome…

    2OG
     
  14. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Also, please send me a fresh HJT Log.... TNX

    2OG
     
  15. hakuron

    hakuron Member

    Joined:
    Jan 7, 2006
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    16
    @2oldgeek

    I did the scan thing, and when it's almost complete, it asks me for a Win XP CD 2, which I don't have. btw, here's the HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:38, on 2008-10-08
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\system32\PRISMSVR.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\CameraFixer.exe
    C:\WINDOWS\tsnpstd3.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\vsnpstd3.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Dell Wireless\PRISMCFG.exe
    C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O2 - BHO: (no name) - {491AF6C5-21F2-46E1-C653-3DF529127D7B} - C:\WINDOWS\wcidBHO.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {85CF4327-68DE-1974-B32E-766E84A9706C} - C:\WINDOWS\wcidBHO.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe /waitservice
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
    O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
    O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - http://td.nortonconfidenceonline.com/plug-in/WSAS.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\516\G2AWinLogon.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Personal Firewall Service (LavasoftFirewall) - Agnitum Ltd. - C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    --
    End of file - 10044 bytes


    thank you again

    hakuron
     
  16. hakuron

    hakuron Member

    Joined:
    Jan 7, 2006
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    16
    btw, what's a flash drive???
     
  17. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    @hakuron,

    Let me know if your icons and toolbar are staying in place now…

    You have a corrupt or missing System File. That is what we found out with the SFC /scannow..
    If you have a friend that has an XP disk, see if you can borrow it to make the repairs to your computer.. Simply run sfc /scannow again and when it asks for a CD put it in the drive and it will find and replace the bad file……


    The link I sent you for McAfee un-installer is still down but I found another one.
    Download and run this to get rid of the old McAfee programs that are still running in your machine:
    http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

    Here are a few other things you need to do:


    Your Adobe Reader is out of date.

    Download and install -> Adobe Reader 9.0



    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.


    Update Java using JavaRa

    Please download JavaRa and unzip it to your desktop.
    • Double-click on JavaRa.exe to start the program.
    • Click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.

    Then download and install Java Runtime Environment (JRE) 6 Update 7.



    Java Runtime can be activated by websites, so if there is a security vulnerability in any Java version on your machine, it can be exploited by a malicious site to infect your machine. Each new version of Java fixes security vulnerabilities, so it's extremely important to keep up to date, and its auto-update mechanism isn't considered very reliable.




    hakuron, I know you know what a Flash drive, Thumb drive, Pin drive, USB drive is….

    What is your F: Drive??? Either you or someone has plugged in an “F” drive and it contains a Worm. Find it and we can clean it. Otherwise don’t plug it in…….

    Let me know how everything is working.. any problems???

    2OG
     
  18. hakuron

    hakuron Member

    Joined:
    Jan 7, 2006
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    16
    @2oldgeek

    WOOHOO!! The McAfee has finally been officially removed. I have updated Java and installed the new Adobe Reader. But there's still one slight problem: it seems that I have to type explorer.exe every time after I restart my computer to get my icons back. Is there a way to make it stay there? And about the F drive, I'm not sure where you see it, because on the 'My Computer' window, I don't see any F drive, only C, A, D, E, and G

    you're the best

    hakuron
     
  19. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    @hakuron,

    Will be away for a few days but when I return, hopefully, I can come up with a solution to get your desktop to load properly. Hang in there….


    2OG
     
  20. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    @ hakuron,


    You won’t be able to see it until it’s plugged in. When you plug in a flash drive the system initializes it and places a key in the registry.

    The registry key shows up in ComboFix:


    This tells me that you have had a memory device connected to your computer and it loaded a file called q83iwmgf.bat which is a Bad file. See ->> q83iwmgf.bat - HERE

    That file is no longer in your computer, but if you connect that device without cleaning it you will be re-infected….


    As I said, this is a sign of a corrupted System file that needs to be replaced before Explorer can load properly..

    Since you have no CD did you check with all your friends, cousins, neighbors, etc. and maybe beg or borrow a CD from one of them???

    Maybe we can do a work around the problem or if we are lucky, there may be a file on your drive….

    Use windows explorer and navigate to C:\Windows\ - then look for a Folder named I386

    Let me know if you find this folder and we can go from there…..

    2OG
     
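One way to make the check 2oldGeek describes repeatable, as an added example that is not code from this thread or from ComboFix: a small Python script that pulls the mountpoints2 block out of a ComboFix log and reports volumes whose Explorer verbs (AutoRun, open, explore) point at a script on removable media, which is the pattern behind the F:\q83iwmgf.bat entries posted above. The sample log text is constructed from those posted lines; the function names, the script-extension list and the "open/explore redirected" heuristic are my assumptions, not ComboFix behaviour.

```python
"""Triage the mountpoints2 section of a ComboFix log for removable-media autorun entries."""
import re
from typing import Dict, List

# Constructed sample in the shape of the ComboFix mountpoints2 block posted in the thread.
# The two volume GUIDs and commands are copied from that log; nothing else here is real data.
SAMPLE_LOG = """\
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\\Shell\\AutoRun\\command - E:\\setup.exe

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{47067ed8-ba1a-11da-ae51-0014a55dc70c}]
\\Shell\\AutoRun\\command - F:\\q83iwmgf.bat
\\Shell\\explore\\Command - F:\\q83iwmgf.bat
\\Shell\\open\\Command - F:\\q83iwmgf.bat
.
Contents of the 'Scheduled Tasks' folder
"""

# A mountpoints2 key header: the volume GUID is the last path component.
KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.IGNORECASE)
# A verb line under that key, e.g. "\Shell\open\Command - F:\q83iwmgf.bat".
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.IGNORECASE)
DRIVE_RE = re.compile(r'^"?([A-Za-z]:)')

# Extensions that a genuine vendor autorun practically never uses for its launcher
# (assumed heuristic; a .exe such as E:\setup.exe is not flagged on extension alone).
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".scr", ".pif"}


def parse_mountpoints(log_text: str) -> Dict[str, Dict[str, str]]:
    """Return {volume_guid: {verb: command}} for every mountpoints2 key in the log."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            entries.setdefault(current, {})
            continue
        if line == "." or line.startswith("["):
            current = None  # section separator or an unrelated registry key
            continue
        if current is None:
            continue
        verb = VERB_RE.match(line)
        if verb:
            entries[current][verb.group(1).lower()] = verb.group(2).strip()
    return entries


def triage(entries: Dict[str, Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag volumes whose Explorer verbs look hijacked rather than like a vendor autorun."""
    findings = []
    for guid, verbs in entries.items():
        reasons = []
        # A vendor installer sets only AutoRun; redirecting open/explore means that a
        # double-click or right-click Explore on the drive runs the payload too.
        if "open" in verbs or "explore" in verbs:
            reasons.append("open/explore verbs redirected to the same target as AutoRun")
        drive = ""
        for verb, cmd in verbs.items():
            target = cmd.split()[0].strip('"')
            m = DRIVE_RE.match(target)
            if m and not drive:
                drive = m.group(1).upper()
            ext = target[target.rfind("."):].lower() if "." in target else ""
            if ext in SCRIPT_EXTS:
                reasons.append(f"{verb}: script payload {target}")
        if reasons:
            findings.append({"guid": guid, "drive": drive, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_mountpoints(SAMPLE_LOG)):
        print(f"volume {f['guid']} (drive {f['drive']}):")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the sample, only the F: volume is reported (the E:\setup.exe entry is left alone because it sets AutoRun only and points at an executable, the normal shape of an install CD). The mountpoints2 key is a record that the volume was once connected, not proof the file is still on disk, which is why the advice above is to clean or stop using the device rather than to look for the file on C:.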
