Hijackthis log

Discussion in 'Malware Help (A Specialist Will Reply)' started by mits3kgtvr4, Aug 14, 2006.

  1. mits3kgtvr4

    mits3kgtvr4 Private E-2

    Can someone please check my log and help me out.
     

    Attached Files:

  2. matt.chugg

    matt.chugg MajorGeek

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    mits3kgtvr4,

    Also, please be advised that your OS is way out dated which represents a major security threat. Once you get your system cleaned you must update to SP2.
     
  4. mits3kgtvr4

    mits3kgtvr4 Private E-2

    Wow Matt, I can't believe I didn't see all that. I am in the process of getting all of those. Bitdefender could not download the updates or definitions it needed so I couldn't run it.

    I tried to update Windows but there were 2 files that could not be downloaded/installed.

    It's getting late (4:30 AM) so I'm going to let the rest of the scans run and I will post the rest of my results tomorrow.
     
  5. matt.chugg

    matt.chugg MajorGeek

    Ok Jeffrey, we will be here when you're done.
     
  6. mits3kgtvr4

    mits3kgtvr4 Private E-2

    I don't know how to turn my CounterSpy results into a file. Please someone help so I can get all this posted.
     
  7. matt.chugg

    matt.chugg MajorGeek

    In CounterSpy go to the scan history.

    Click on View Full details of scan.

    Highlight the contents of the resulting window and copy and paste it to Notepad.

    Save the file and attach it here.
     
  8. mits3kgtvr4

    mits3kgtvr4 Private E-2

    Ah ffs, every time I try to view the full details it freezes up on me. I have tried at least 5 times. I am going to attach these other 3 files and try to get CounterSpy to get real.
     

    Attached Files:

  9. mits3kgtvr4

    mits3kgtvr4 Private E-2

    Please can someone help me???
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start by going to Add/Remove Programs and uninstalling all the malware that you have installed. Uninstall all of the below programs:

    Aquatica Waterworlds
    Butterfly Oasis Screensaver
    eAcceleration
    Enhanced MediaLoads
    iMesh
    J2SE Runtime Environment 5.0 Update 1
    Kazaa 2.7.2
    LimeWire 4.9.0
    My Search Bar
    Search Assistant - My Search
    Viewpoint Media Player
    Whistle Software

    You seem to have both McAfee and Vcom antivirus programs installed. Is this true? If so, you must uninstall one. If Vcom does not contain an antivirus, just tell me.


    Now download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Now please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\Program Files\BUTTER~1\BO1HEL~1.EXE
    C:\documents and settings\jeffrey\local settings\temp\YkwDqzurC.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\documents and settings\jeffrey\local settings\temp\mkr.exe
    C:\Program Files\AQUATI~1\AQ3HEL~1.EXE
    C:\WINDOWS\System32\j?vaw.exe
    C:\Documents and Settings\Jeffrey\Application Data\wtta.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
    O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
    O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
    O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
    O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
    O4 - HKLM\..\Run: [YkwDqzurC.exe] C:\documents and settings\jeffrey\local settings\temp\YkwDqzurC.exe
    O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
    O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [TimeSink Ad Client] "C:\Program Files\TimeSink\AdGateway\TsAdBot.exe"
    O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
    O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
    O4 - HKLM\..\Run: [qbmjmudli] C:\WINDOWS\System32\vgltjeme.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [mkr.exe] C:\documents and settings\jeffrey\local settings\temp\mkr.exe
    O4 - HKLM\..\Run: [lghkfkx] C:\WINDOWS\lghkfkx.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
    O4 - HKCU\..\Run: [kbdkor] C:\WINDOWS\System32\kbdkor.exe
    O4 - HKCU\..\Run: [WeatherCast] C:\Program Files\WeatherCast\Weather.exe /q
    O4 - HKCU\..\Run: [Ppagb] C:\WINDOWS\System32\j?vaw.exe
    O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Jeffrey\Application Data\wtta.exe
    O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\Program Files\Common files\updmgr\updmgr.exe
    C:\Program Files\Common files\updater\wupdater.exe
    C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
    C:\Documents and Settings\Jeffrey\Application Data\Mozilla\Firefox\Profiles\he6fnzwn.default\Cache\915C89DAd01
    C:\Documents and Settings\Jeffrey\Application Data\Mozilla\Firefox\Profiles\he6fnzwn.default\Cache\E5B3C4CAd01
    C:\documents and settings\jeffrey\local settings\temp\YkwDqzurC.exe
    C:\documents and settings\jeffrey\local settings\temp\mkr.exe
    C:\Documents and Settings\Jeffrey\Application Data\wtta.exe
    c:\windows\system32\j?vaw.exe
    C:\WINDOWS\System32\D0CE0C16B1.dll
    C:\WINDOWS\System32\E6F1873B.DLL
    C:\WINDOWS\System32\httppost.exe
    C:\WINDOWS\System32\newnet.dll
    c:\windows\system32\ClrSchP012.dll
    c:\windows\system32\fiz1
    c:\windows\system32\mstbl.ocx
    c:\windows\system32\NLNupgradeV4_5P13.exe
    c:\windows\system32\nostalgia.dll
    c:\windows\system32\stlb2.xml
    c:\windows\system32\stlb2.dll
    c:\windows\system32\SWRT01.dll
    C:\WINDOWS\System32\vgltjeme.exe
    C:\WINDOWS\lghkfkx.exe
    C:\WINDOWS\System32\kbdkor.exe
    c:\windows\downloaded program files\ATPartners.inf
    c:\windows\downloaded program files\UERSNetInstaller.exe
    c:\windows\inf\alchem.inf
    c:\windows\inf\banner.inf
    c:\GatorPatch.log
    c:\windows\browserxtras\pn\remove.exe
    c:\windows\RatedXXX.exe
    c:\windows\smdat32a.sys
    c:\windows\system32\Roodyc
    c:\temp\salmau.dat
    c:\temp\salm.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete them if found (many may not exist - just take your time and look carefully):
    C:\Program Files\Aquatica Water Worlds
    C:\Program Files\Acceleration Software
    C:\Program Files\AdStatus Service
    c:\program files\altnet\points manager
    C:\Program Files\BullsEye Network
    C:\Program Files\Butterfly Oasis Screensaver
    c:\program files\common files\ErrorSafe
    C:\Program Files\Common files\SearchUpgrader
    c:\program files\common files\Totem Shared
    c:\program files\common files\tsa
    C:\Program Files\Common files\updmgr
    C:\Program Files\Common files\updater
    c:\program files\DelFin
    C:\Program Files\Internet Optimizer
    C:\Program Files\Kontiki
    c:\program files\Lycos
    c:\program files\MyWay
    C:\Program Files\NZSearch
    c:\program files\RapidBlaster
    c:\program files\TimeSink
    C:\Program Files\WeatherCast
    c:\program files\winfavorites
    c:\program files\When U Save
    c:\windows\temp\Adware
    c:\windows\bsx32
    c:\windows\DIALPASS
    c:\windows\browserxtras\pn
    C:\WINDOWS\System32\P2P Networking


    Also delete all files in the below two folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp\
    C:\Documents and Settings\Jeffrey\Local Settings\Temp\


    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from ShowNew.

    Make sure you tell me how things are working now!
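    The O4 autostart lines chaslang selects for HJT to fix above, and the O23 service line that comes up later in the thread, are the kind of entries a triage script can pre-screen before a human reads the log. The following is an added example, not code from this thread or from HijackThis: a small Python parser for O4 and O23 lines that flags the patterns visible in this log, namely a binary launched from a temp directory, a rundll32 module loaded by bare name from the search path, a '?' (a character HJT could not display) in a file name imitating javaw.exe, and a service whose binary is missing. The sample lines are copied from this thread; the regexes, the Entry type and the heuristics are my own assumptions about the HJT line format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Added example: pre-screen for HijackThis O4 (autostart) and O23 (service) lines.
# Regexes, Entry and the heuristics are my own assumptions, not HijackThis code.
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<cmd>.+)$')
# First token ending in a PE/script extension, followed by whitespace or end of line.
EXT_RE = re.compile(r'^(?P<path>.+?\.(?:exe|dll|scr|com|bat|cmd|pif))(?=\s|$)', re.IGNORECASE)
# Locations a legitimate autostart entry has no business pointing at.
TEMP_MARKERS = ('\\local settings\\temp\\', '\\windows\\temp\\', 'c:\\temp\\')


@dataclass
class Entry:
    kind: str                   # "O4" or "O23"
    hive: str                   # HKLM / HKCU, empty for services
    name: str                   # run-key value name or service short name
    path: str                   # executable (or rundll32 module) the entry launches
    raw: str
    reasons: List[str] = field(default_factory=list)


def first_path(cmd: str) -> str:
    """Executable at the start of a command line; quoted paths may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    return m.group('path') if m else cmd


def launched_module(cmd: str) -> str:
    """Executable the entry runs; for rundll32 hosts, the DLL it is told to load."""
    cmd = cmd.strip()
    exe = first_path(cmd)
    if exe.lower().rsplit('\\', 1)[-1] == 'rundll32.exe':
        rest = cmd[len(exe) + 2:] if cmd.startswith('"') else cmd[len(exe):]
        module = rest.strip().split(',', 1)[0].strip().strip('"')
        if module:
            return module
    return exe


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return Entry('O4', m.group('hive'), m.group('name'), launched_module(m.group('cmd')), line)
    m = O23_RE.match(line)
    if m:
        return Entry('O23', '', m.group('short'), first_path(m.group('cmd')), line)
    return None


def assess(e: Entry) -> Entry:
    """Attach a reason for each heuristic the entry trips (heuristics are mine)."""
    low = e.path.lower()
    base = low.rsplit('\\', 1)[-1]
    if any(marker in low for marker in TEMP_MARKERS):
        e.reasons.append('autostart from a temp directory')
    if '?' in base:
        e.reasons.append("'?' in file name (a character HJT could not display; here a javaw.exe lookalike)")
    if e.kind == 'O4' and 'rundll32' in e.raw.lower() and '\\' not in e.path:
        e.reasons.append('rundll32 loads module by bare name from the search path')
    if e.kind == 'O23' and '(file missing)' in e.raw.lower():
        e.reasons.append('service binary missing on disk')
    return e


def triage(log_text: str) -> List[Entry]:
    """Return only the parsed entries that tripped at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and assess(entry).reasons:
            findings.append(entry)
    return findings


# Sample input: lines copied from the HJT logs discussed in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [YkwDqzurC.exe] C:\documents and settings\jeffrey\local settings\temp\YkwDqzurC.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [Ppagb] C:\WINDOWS\System32\j?vaw.exe
O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe (file missing)
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.kind} {f.hive:4} [{f.name}] {f.path}')
        for reason in f.reasons:
            print(f'    -> {reason}')
```

    Note what the script does not catch: the QuickTime, sstsmon.dll and Kontiki entries parse cleanly and trip nothing, because they point at properly installed programs. Whether those belong on the machine is the judgement the expert applies from the program names, which is why a pre-screen like this narrows the list but does not replace reading the log.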
     
  11. mits3kgtvr4

    mits3kgtvr4 Private E-2

    The only problems I had (which I dunno if they are problems, just they didn't follow your instructions) were when I tried to remove "search assistant" it gave me this error.. Error loading (long file name) The specified module could not be found. Also there were about 5 items that you told me to let HJT fix but they were not on the list when I went to remove them.

    Everything else went just fine. My PC is running fine. If any problems persist I'll be sure to post them. Thank you soooo much, my PC really needed this cleaning.

    Logs attached.

    Almost forgot, Vcom is part of a program called Systemsuite that I have. Yes, it is a virus scanner. I don't want to get rid of Systemsuite because I do use the other tools that it has. What should I do? Would it really hurt to keep both McAfee and Vcom around?
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you MUST uninstall McAfee as was stated in step 3 of the READ ME. You must not have multiple antivirus applications installed. They will conflict and not work properly and you will waste a load of extra system resources and slow down your PC performance.

    Uninstall McAfee now before continuing!

    You missed one item from the previous fix. Have HJT fix the below line.
    O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe

    Then exit HJT.

    MAKE SURE TO REDOWNLOAD THIS REGISTRY PATCH. I modified it slightly. There was a typo that could have affected it last time.
    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now attach a new HJT log.

    If you are not having any other malware problems, you need to get started on the below ASAP. Your OS is way out of date and you are extremely susceptible to malware problems. You must get updated (this is covered in the link below).

    It is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
    Last edited: Aug 16, 2006
  13. mits3kgtvr4

    mits3kgtvr4 Private E-2

    After I merge the file with the registry, what do I do with the file left on my desktop, can I simply delete it?

    The only other thing I haven't been able to do is update to SP2. I am currently running through the help steps provided at the update site to see if I can get it to work.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! You forgot to attach the follow up HJT log I requested.

    Is your copy of Windows legit? Did you finish going thru the Windows Authentication process?
     
  15. mits3kgtvr4

    mits3kgtvr4 Private E-2

    Yes my Windows is 100% legit. What's this about a Windows Authentication process? I searched for it on microsoft.com but every time I'd hit search it would close my browser :(
     
  16. mits3kgtvr4

    mits3kgtvr4 Private E-2

    Uhhh yeah, I was gonna post the log in that last reply but for some reason it posted itself w/o me doing anything, but w/e. Here it is.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see the below in your new HJT log which means you were authenticated:

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    Perhaps you are just having a problem with your firewall or antivirus blocking the downloads. If you did not configure the firewall properly to allow the necessary programs to have internet access it could cause problems with Windows Updates. Try disabling your firewall and AV (just temporary) while getting updates. If that does not work, try the software forum. You may have problem elsewhere in your OS.

    And since you have still ignored the warning about using both Vcom and McAfee, you are on your own!

    It is possible the below may help but it also may not help:

    Fixing Windows Update Problems (Win 2K and XP)
     
  18. mits3kgtvr4

    mits3kgtvr4 Private E-2

    When I tried to delete it using Add/Remove Programs it gave me the error

    Error 1316.A network error occurred while attempting to read from the file C:\WINDOWS\Installer\VSCAN60.msi

    Then I went into the C drive and deleted the folder McAfee Virus Scan.

    I just checked in Add/Remove Programs and it's still there. What can I do to get rid of it?

    I disabled the firewall and tried again but failed. Now I'll try that link you gave me.

    The link you gave me told me to post any error messages but the thread is locked so I'll just post it here.

    DllRegisterServer in C:\WINDOWS\system32\wuapi.dll failed. Return code was: 0x80070005
     
    Last edited: Aug 17, 2006
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).
    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    If you do not find the above process, just continue.
    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\mcafee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\McAfee <--- the whole folder

    Now reboot in normal mode and post a new HJT log.



    Try reading the below! If it does not help you figure it out, I recommend you post a message in the Software Forum.


    Cause:

    The error value ‘0x80070005’ means ‘Access Denied’.
    This means that an attempt has been made to update part of the registry that you do not have permissions to update. There are many parts of the registry that can be read but not updated (except by ‘system’ or the local administrator).


    Possible Remedies:
    • Check that you have local administration rights.
    • If you are a local administrator (i.e. a member of the ‘Administrators’ group on the workstation) then most likely someone or some application has modified (intentionally or unintentionally) the permissions on one or more registry keys and that this is preventing access. (Alternately, it may be that the key that is failing is one that normally only ‘system’ can update.) To identify which registry key is causing the problem use Regmon (a freeware tool published by System Internals). Use Regmon to capture all registry access when regsvr32 is run. If an ‘OpenKey’ request fails with ‘Access Denied’ (which is listed by Regmon as ‘ACCDENIED’) then run regedt32 and check the permissions on that registry key. If necessary change the permissions on the key to grant local Administrators ‘Full Control’. Then try registering the COM object again. The only times I have encountered this problem it affected more than one key, so be prepared to repeat this process.
     
    Last edited: Aug 18, 2006
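    The quoted explanation states that 0x80070005 means Access Denied; the number itself encodes that. As an added example (not from this thread or from any Microsoft tool), here is a Python decoder that splits an HRESULT into its severity bit, facility and code, names the Win32 error for the 0x8007xxxx family, reproduces the HRESULT_FROM_WIN32 mapping, and pulls such codes out of a regsvr32 message like the one posted above. The WIN32_NAMES table is a small subset of winerror.h that I chose; the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Added example: HRESULT decoder. Layout per the Windows SDK: bit 31 severity,
# bits 16-26 facility, bits 0-15 code. FACILITY_WIN32 (7) wraps Win32 error codes.
FACILITY_WIN32 = 7

# Small subset of winerror.h codes that show up in regsvr32 / Windows Update failures.
WIN32_NAMES = {
    2: 'ERROR_FILE_NOT_FOUND',
    3: 'ERROR_PATH_NOT_FOUND',
    5: 'ERROR_ACCESS_DENIED',
    32: 'ERROR_SHARING_VIOLATION',
    1223: 'ERROR_CANCELLED',
}


@dataclass(frozen=True)
class HResult:
    value: int
    failed: bool        # severity bit set -> the call failed
    facility: int       # which subsystem produced the code
    code: int           # low 16 bits
    win32_name: str     # symbolic name when facility is WIN32 and the code is known


def decode_hresult(value: int) -> HResult:
    value &= 0xFFFFFFFF
    failed = bool(value & 0x80000000)
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    name = WIN32_NAMES.get(code, '') if facility == FACILITY_WIN32 else ''
    return HResult(value, failed, facility, code, name)


def hresult_from_win32(code: int) -> int:
    """Mirrors the SDK macro: 0 stays 0, anything else becomes 0x8007xxxx."""
    if code <= 0:
        return code
    return (code & 0xFFFF) | (FACILITY_WIN32 << 16) | 0x80000000


def explain(message: str) -> List[HResult]:
    """Decode every 8-digit hex code found in an error message."""
    return [decode_hresult(int(m.group(0), 16))
            for m in re.finditer(r'0x[0-9A-Fa-f]{8}', message)]


# Constructed input: the regsvr32 message quoted in this thread.
SAMPLE_MESSAGE = 'DllRegisterServer in C:\\WINDOWS\\system32\\wuapi.dll failed. Return code was: 0x80070005'

if __name__ == '__main__':
    for h in explain(SAMPLE_MESSAGE):
        print(f'0x{h.value:08X}: failed={h.failed} facility={h.facility} '
              f'code={h.code} {h.win32_name or "(unknown)"}')
```

    The practical use is narrowing the search before reaching for Regmon: a 0x8007xxxx value is a plain Win32 error, so code 5 says "access denied" regardless of which DLL regsvr32 was registering, and the permissions check described above is the right next step.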
  20. mits3kgtvr4

    mits3kgtvr4 Private E-2

    I don't understand exactly what I'm doing with Regmon. It's been adding to its list for a while now and is at about 250,000. I understand I need to look for ones that have ACCDENIED. I'll then find them in regedt32 but I'm not sure how to grant local Administrators "Full Control." Nor do I have any idea what you mean by registering the COM object again. Please elaborate.
     

    Attached Files:

    Last edited: Aug 18, 2006
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Forget about regmon for now! As I stated in my previous message, problems with Windows Update are not issues for this forum. You more than likely have a registry permissions problem. This means for some reason you do not have the proper permission to change or edit a particular registry key (or even a range of keys). I'm not sure what version of Windows XP you have (Pro, Home...etc) but perhaps the below link may prove useful to you:

    http://groups.google.com/group/microsoft.public.windowsupdate/msg/f7d73177367bab34?hl=en

    Then perhaps you can re-run the procedure to try and fix Windows Update.

    As I stated before, if this does not work, you must pursue getting this fixed in the Software Forum as our focus in this forum is malware.
     
  22. mits3kgtvr4

    mits3kgtvr4 Private E-2

    I think something got downloaded onto my computer that shouldn't be there. My internet is running about 1/5 of what it should, could you check my HijackThis log for me please.
     

    Attached Files:

    Last edited: Aug 24, 2006
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is no difference between your current HJT log and the one you posted in message # 20 other than now you have two instances of WinAmp running. WinAmp should not be running when you use HJT.

    You did not have malware before in message # 20 and you still don't!

    But why do you still have part of McAfee installed when you are using Vcom? You have this service:

    O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe (file missing)

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to AVSync Manager ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    AvSynMgr

    If you receive any error messages just ignore them and continue.

    Now exit HJT and reboot when it tells you it needs to. That may help things a little. Other than that, your problems are due to what you are running. Uninstall Vcom (as a test) and then tell me how things are working.
     
    Last edited: Aug 25, 2006
