pleeeez help can't get rid of virus

have been trying to fix and make small steps but not great luck have now run a hijack this log can some one help
the virus is z-lob
running windows xp sp2
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:19:52 AM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.superantispyware.com/applicationdisplay.html?id=1000000544&trial=no&activated=no&appid={58B3C1E7-5FB7-4234-AB3C-77EF8F03C175}
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll (file missing)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll (file missing)
O2 - BHO: Windows Media Player - {61FEBF12-793B-4D8A-8513-D1814FE2A395} - C:\WINDOWS\wmpdxm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: RDL Rolex - {CD6E6FC0-7BED-4DE5-B37E-FB7CF0A567DF} - C:\WINDOWS\dkxrstqwkx.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll (file missing)
O3 - Toolbar: (no name) - {C37757F5-7FB4-4273-B3BE-E81667449196} - (no file)
O4 - HKLM..\Run: [SSBkgdUpdate] “C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe” -Embedding -boot
O4 - HKLM..\Run: [PDF3 Registry Controller] “C:\Program Files\ScanSoft\PDF Converter 3.0\RegistryController.exe”
O4 - HKLM..\Run: [HP CD-DVD] C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe
O4 - HKLM..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM..\Run: [xMain] C:\WINDOWS\system32\xlaunch.exe
O4 - HKLM..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [Sony Ericsson PC Suite] “C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe” /startoptions
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.com/
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.com/
O15 - ProtocolDefaults: ‘@ivt’ protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: ‘file’ protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: ‘ftp’ protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: ‘http’ protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: ‘https’ protocol is in My Computer Zone, should be Internet Zone
O21 - SSODL: DrvComponent - {c2855b7a-b48f-49df-9504-fd58eb7cda54} - C:\WINDOWS\Installer{c2855b7a-b48f-49df-9504-fd58eb7cda54}\DrvComponent.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - Unknown owner - C:\Program Files\McAfee\MBK\MBackMonitor.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: McAfee SpamKiller Service (MSK80Service) - Unknown owner - C:\Program Files\McAfee\MSK\MskSrver.exe (file missing)
O23 - Service: PDEngine - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe (file missing)
O23 - Service: PDScheduler (PDSched) - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDSched.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Unknown owner - C:\Program Files\Spyware Terminator\sp_rsser.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)


End of file - 8656 bytes

Go here and follow the instructions under

Your computer was infected by an unknown trojan
It’s dangerous for your system (critical files can be lost)!

It’s the last one on the page.

http://www.malwareteks.com/FixIEDef.php

It is vitally important that combofix is renamed before it is even started to download

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop

[*]If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to “Always ask me where to Save the files”.

[*]During the download, rename Combofix to Combo-Fix as follows:

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

[]It is important you rename Combofix during the download, but not after.
[
]Please do not rename Combofix to other names, but only to the one indicated.
[]Close any open browsers.
[
]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix


[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
[]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[
]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

hope i did this right
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:16 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.superantispyware.com/applicationdisplay.html?id=1000000544&trial=no&activated=no&appid={58B3C1E7-5FB7-4234-AB3C-77EF8F03C175}
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll (file missing)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll (file missing)
O2 - BHO: Windows Media Player - {61FEBF12-793B-4D8A-8513-D1814FE2A395} - C:\WINDOWS\wmpdxm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll (file missing)
O3 - Toolbar: (no name) - {C37757F5-7FB4-4273-B3BE-E81667449196} - (no file)
O4 - HKLM..\Run: [SSBkgdUpdate] “C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe” -Embedding -boot
O4 - HKLM..\Run: [PDF3 Registry Controller] “C:\Program Files\ScanSoft\PDF Converter 3.0\RegistryController.exe”
O4 - HKLM..\Run: [HP CD-DVD] C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe
O4 - HKLM..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM..\Run: [xMain] C:\WINDOWS\system32\xlaunch.exe
O4 - HKLM..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [Sony Ericsson PC Suite] “C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe” /startoptions
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.com/
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.com/
O15 - ProtocolDefaults: ‘@ivt’ protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: ‘file’ protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: ‘ftp’ protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: ‘http’ protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: ‘https’ protocol is in My Computer Zone, should be Internet Zone
O21 - SSODL: DrvComponent - {c2855b7a-b48f-49df-9504-fd58eb7cda54} - C:\WINDOWS\Installer{c2855b7a-b48f-49df-9504-fd58eb7cda54}\DrvComponent.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoogleDesktopManager - Unknown owner - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - (no file)
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - (no file)
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - (no file)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - (no file)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Unknown owner - (no file)


End of file - 7526 bytes

and here is the second one
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:16 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.superantispyware.com/applicationdisplay.html?id=1000000544&trial=no&activated=no&appid={58B3C1E7-5FB7-4234-AB3C-77EF8F03C175}
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll (file missing)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll (file missing)
O2 - BHO: Windows Media Player - {61FEBF12-793B-4D8A-8513-D1814FE2A395} - C:\WINDOWS\wmpdxm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll (file missing)
O3 - Toolbar: (no name) - {C37757F5-7FB4-4273-B3BE-E81667449196} - (no file)
O4 - HKLM..\Run: [SSBkgdUpdate] “C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe” -Embedding -boot
O4 - HKLM..\Run: [PDF3 Registry Controller] “C:\Program Files\ScanSoft\PDF Converter 3.0\RegistryController.exe”
O4 - HKLM..\Run: [HP CD-DVD] C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe
O4 - HKLM..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM..\Run: [xMain] C:\WINDOWS\system32\xlaunch.exe
O4 - HKLM..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [Sony Ericsson PC Suite] “C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe” /startoptions
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.com/
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.com/
O15 - ProtocolDefaults: ‘@ivt’ protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: ‘file’ protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: ‘ftp’ protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: ‘http’ protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: ‘https’ protocol is in My Computer Zone, should be Internet Zone
O21 - SSODL: DrvComponent - {c2855b7a-b48f-49df-9504-fd58eb7cda54} - C:\WINDOWS\Installer{c2855b7a-b48f-49df-9504-fd58eb7cda54}\DrvComponent.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoogleDesktopManager - Unknown owner - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - (no file)
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - (no file)
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - (no file)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - (no file)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Unknown owner - (no file)


End of file - 7526 bytes

Did you follow the instructions in the link at the begining of my post?

What about combofix. I need that log. If you have already ran combofix, do not run it again. Go to c:\combofix there will be a text file there

Combofix.txt Please post it.

sorry we ran combo fix but can’t seem to get the log to go on post says it is over limit i will try to put on as a attachment

did you also want us to download the fixide as well?

Sure. Attachments work better for me. :slight_smile:

have gone back and ran the FixIEdef but the log is not on the desktop so no idea where it has gone

Check the C:\ drive for a folder called FixIEdef

You had mcafee installed previously, there are some remnants remaining. Please go to this site and use the removal tool for your version. what the tool doesn’t remove, we probably can.

javascript:openRating(“FAQDocument.aspx?id=107083&lc=4105&partner=10005&type=TS”);

What are you using for a firewall? It seems that you where using mcaffe personal firewall, but it may have been removed/disabled when you uninstalled mcafee? If that is the case, turn on the windows firewall for now.

Open HJT, run a system scan only, check mark these lines if present

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Windows Media Player - {61FEBF12-793B-4D8A-8513-D1814FE2A395} - C:\WINDOWS\wmpdxm.dll
O3 - Toolbar: (no name) - {C37757F5-7FB4-4273-B3BE-E81667449196} - (no file)
O15 - ProtocolDefaults: ‘@ivt’ protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: ‘file’ protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: ‘ftp’ protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: ‘http’ protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: ‘https’ protocol is in My Computer Zone, should be Internet Zone
O21 - SSODL: DrvComponent - {c2855b7a-b48f-49df-9504-fd58eb7cda54} - C:\WINDOWS\Installer{c2855b7a-b48f-49df-9504-fd58eb7cda54}\DrvComponent.dll (file missing)

Close all other browsers/windows, click fix, close HJT.

Please follow all previous instructions regarding security programs.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File:: C:\amp.bat C:\WINDOWS\wmpdxm.dll C:\WINDOWS\fqspogw.exe

This will start ComboFix again.Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

Are things settling down?

Please submit these files for analysis

To submit a file to virustoal, please click om this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\system32\xlaunch.exe

scroll down a bit and click “send file”, wait for the results and post then in your next reply.

can you please re enter the site to visit to remove the macafee remnants please
also looked for the fiiedef log and still can not find in c drive

Don’t worry about the fiiedef log

use this link, the too; is the first link on the page.

http://service.mcafee.com/FAQSearch.aspx?lc=4105&sg=TS&pt=1

here are the logs of hjt and combo fix
when uploaded to virustotal reply was o bytes received
i should mention thsat the computer i am working off of is not the infected one as the infected one will not load any webpage can connect to internet but no site(hope that makes sense)
and as well the avast will not reinstall in task bar so have been tryiing to fix via jump stick
not sure if that is the reason for the message from virustotal

Virus is active and blocking the send of the file.
Firewall or antivirus issues (blocking it).

the pop up screen saying that we have unknown trojan is now gone
we can now get to a webpage on ie 7
have ran avast again and still have these 4 trojans
1.A0319507.exe c:\system volume information_restore virus win32:trojan gen
2.A0344934.dll c:\system volume information_restore virus win:32adware-gen
3 A0345795.dll c:\system volume information_restore virus win:32adware-gen
4.dkxrstqwkx.dll.vir c:qoobox\quarantine\c\WINDOWS virus win:32adware-gen
the viruses are sitting in the chest as recommended

still having problems with

  1. recycle bin (appears in bottom right hand corner) can not open or see properties, when click properies error message “there are no properties for this item” and it will go back to regular spot and then move back to bottom???

  2. start taskbar always comes up as locked even after reset to unlock

3.avast icon tray is not there(was not put in right bottom corner at all)

Hi. please don’t run any more scans as you will be detecting combofix’s quaratined files, they aren’t encrpted. One scan is enough.

The ones that you detected are system restore and combofix files.

We will work on your other problems once i get a chance to review the logs. Ok?

Definate progress. ;D

Please submit that file to virustotal, now that you can get on the ne. You assumed right, it has to be submitted from the computer it’s on.

thanks

are we save to run on net on dsl without avast turned on ( at least i think it is not on as there is no blue ball running in corner)

The first 3 are restore points (possibly as a result of removing infected files from the system folders), which are benign unless you use system restore, you could clear all old restore points and create a new clean one once you are in the clear.

The 4th one is from one of the tools you ran combofix, etc. and if it is now in the chest it can do no harm there.

Create Clean Restore Point - Clear old Restore Points.

Now you are clear of infection create a clean System Restore point:

  1. Click Start, All Programs, Accessories, System tools, System Restore.
  2. In the pop-up that appears fill in the radio button to Create a Restore Point
  3. Click NEXT
  4. Enter a useful name that you will remember if you need to find this again (Clean Restore Point)
  5. Click CREATE

You now have a clean restore point, you should clear the old ones:

  1. Click Start, All Programs, Accessories, System tools, Disk Clean Up
  2. Click OK on the C: drive
  3. Click the More Options tab
  4. In the System Restore section click the Clean Up button

Re avast! icon missing - As a temporary measure until this is resolved you can create a desktop shortcut for this file C:\Program Files\Alwil Software\Avast4\ashDisp.exe (the avast icon and interface to the providers). Right click on the file and select Send To, Desktop (create shortcut). You will need to run this after each boot until the problem is resolved.

What other security based software do you have that might block new startup entries, e.g. Spybot S&D (TeaTimer), AdAware (AdWatch), SpySweeper, Spyware Doctor (StartUpGuard or OnGuard), PrevX, WinPatrol, ProcessGuard, etc. ?

Check the option in the Appearance tab of Program Settings. Or Make a link to ashdisp.exe in your startup folder.

| Slovenščina | Dansk | Русский | Română | Türkçe | Nederlands | Ελληνικά | Français | Svenska | Português | Italiano | | | Magyar | Deutsch | Česky | Polski | Español
Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information…
File xlaunch.exe received on 03.20.2008 22:56:20 (CET)
Current status: Loading … queued waiting scanning finished NOT FOUND STOPPED

Result: 0/32 (0%)
Loading server information…
Your file is queued in position: 16.
Estimated start time is between 92 and 131 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they’re generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click “request” so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.3.20.2 2008.03.20 -
AntiVir 7.6.0.75 2008.03.20 -
Authentium 4.93.8 2008.03.20 -
Avast 4.7.1098.0 2008.03.20 -
AVG 7.5.0.516 2008.03.20 -
BitDefender 7.2 2008.03.20 -
CAT-QuickHeal 9.50 2008.03.20 -
ClamAV 0.92.1 2008.03.20 -
DrWeb 4.44.0.09170 2008.03.20 -
eSafe 7.0.15.0 2008.03.18 -
eTrust-Vet 31.3.5629 2008.03.20 -
Ewido 4.0 2008.03.20 -
F-Prot 4.4.2.54 2008.03.19 -
F-Secure 6.70.13260.0 2008.03.20 -
FileAdvisor 1 2008.03.20 -
Fortinet 3.14.0.0 2008.03.20 -
Ikarus T3.1.1.20 2008.03.20 -
Kaspersky 7.0.0.125 2008.03.20 -
McAfee 5256 2008.03.20 -
Microsoft 1.3301 2008.03.20 -
NOD32v2 2965 2008.03.20 -
Norman 5.80.02 2008.03.20 -
Panda 9.0.0.4 2008.03.20 -
Prevx1 V2 2008.03.20 -
Rising 20.36.32.00 2008.03.20 -
Sophos 4.27.0 2008.03.20 -
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.20 -
TheHacker 6.2.92.250 2008.03.19 -
VBA32 3.12.6.3 2008.03.17 -
VirusBuster 4.3.26:9 2008.03.20 -
Webwasher-Gateway 6.6.2 2008.03.20 -
Additional information
File size: 295 bytes
MD5: 341eca0e901feb325231f464d64a0f77
SHA1: aea314792b032bf2af4e9b9ee7f9eaff346a3acd
PEiD: -

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

VirusTotal © Hispasec Sistemas - Blog - Contact: info@virustotal.com

Thanks DavidR for the input on system restore and asdisp. Appreciated.

Sorry about the abruptness of my last post. The removal tools do not encrypt their quaratined files and system restore is generally infected. These can lead to panic if a scan is done when they are still present on the computer. Sometimes the tools themselves have been detected, this could lead to damage to them.

First, that was an old combofix log, it’s dated the 18th. The new one will be called combofix.txt with the newest date. (combofix numbers it’s logs backwards, the oldest has the highest number) Please post it, as I have no way of knowing if the files where removed.

The mcafee removal tool has done it’s job.

Ashdisp is set to run according to HJT. It would also appear avast is running. If you have turned on the windows firewall, you should be okay to come here to finish this.

Navigate to this folder

C:\Program Files\Alwil Software\Avast4

locate ashdisp.exe in the right hand panel, double click it. Does the icon appear?

If it does, please right click the file, choose sent to, choose Desktop(create shortcut). You should now have a shortcut on your desktop that you can use until we get your HJT log looking right. As DavidR mentioned, you will have to use this each time you restart your computer. This is only temporary.

Now for HJT

Hjt doesn’t seem to be able to fix the 015 lines We will have to do a regfix.

Download and run ERUNT http://www.larshederer.homepage.t-online.de/erunt/

note: the download links are server1,server2, server3

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click “…” to browse your computer’s drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.

Next, select the backup options:

  • System registry:

  • Current user registy: .

  • Other open user registries:

Click “OK” and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.

Open HJT, run a system scan only, check mark these lines if present

R3 - Default URLSearchHook is missing
All the O15 lines

Close all other browsers/windows, click fix, close HJT.

WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine

REGISTRY FIX

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=“”
“http”=dword:00000003
“https”=dword:00000003
“ftp”=dword:00000003
“file”=dword:00000003
@ivt”=dword:00000001
“shell”=dword:00000000

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=“”
“http”=dword:00000003
“https”=dword:00000003
“ftp”=dword:00000003
“file”=dword:00000003
@ivt”=dword:00000001

Next you will need to create the repair registry fix to do that copy and paste ALL of the above in the quote box to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box, set the top box SAVE IN to DESKTOP

Then in the FILE NAME box type (including the " " marks), “fix.reg”

Click save.

This will create a fix.reg file on your desktop
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

Please ensure it is copied exactly including spaces.

In your next reply, please post the combofix log that was missed and a new HJT log. Also did the shortcut work?

When this is working ok, we see what we can do with the other two items. :slight_smile: