
Spybot will not finish the install



69john69
2009-02-26, 23:19
Hi, I'm new here too and think I have an infection from somewhere. I have AVG full internet suite installed and running for about a year with no problems. All of sudden I get these Pop-ups saying I have been infected, the notice came from a program I do not have "system Gard 2009" (I think). My system restore will not work, my browsers are redirected and the internet is very slow on this one computer: I am on another computer to do this as the infected one will not allow me to go to a Spybot site.
I tried to install Spybot but could not do that either. Looking over your forum I decided to run the HijackThis program and the results are posted below. I also have "Uniblue RegistryBooster 2" installed and did a reg rollback to a date when everything was working fine. No help, so I set it back to today and then ran the HijackThis program.
I have not realized till just now how much I use this PC and any help would be appreciated. John

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:31 PM, on 2/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
J:\WINDOWS\System32\smss.exe
J:\WINDOWS\system32\winlogon.exe
J:\WINDOWS\system32\services.exe
J:\WINDOWS\system32\lsass.exe
J:\WINDOWS\system32\svchost.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\svchost.exe
J:\WINDOWS\Explorer.EXE
J:\WINDOWS\system32\spoolsv.exe
J:\WINDOWS\system32\hkcmd.exe
J:\PROGRA~1\AVG\AVG8\avgtray.exe
J:\Program Files\Microsoft IntelliType Pro\itype.exe
J:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
J:\WINDOWS\system32\igfxtray.exe
J:\WINDOWS\system32\igfxpers.exe
J:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
J:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
J:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
J:\Program Files\Coast to Coast AM Media Center\Coast to Coast AM Media Center.exe
J:\Program Files\Novosoft\Handy Backup\hbagent.exe
J:\Program Files\UltraMon\UltraMon.exe
J:\Program Files\UltraMon\UltraMonTaskbar.exe
J:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
J:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
J:\PROGRA~1\AVG\AVG8\avgfws8.exe
J:\Program Files\Bonjour\mDNSResponder.exe
J:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
J:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
J:\WINDOWS\System32\svchost.exe
J:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
J:\Program Files\Novosoft\Handy Backup\BackupNetworkCoordinator.exe
J:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
J:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
J:\WINDOWS\system32\svchost.exe
J:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
J:\WINDOWS\system32\ZuneBusEnum.exe
J:\PROGRA~1\AVG\AVG8\avgam.exe
J:\PROGRA~1\AVG\AVG8\avgrsx.exe
J:\PROGRA~1\AVG\AVG8\avgnsx.exe
J:\WINDOWS\system32\igfxsrvc.exe
J:\PROGRA~1\BXNEWF~1\bxExpHelper.exe
J:\Documents and Settings\All Users\Documents\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - J:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
F2 - REG:system.ini: UserInit=J:\WINDOWS\system32\userinit.exe,J:\WINDOWS\system32\twex.exe,
O1 - Hosts: 216.55.133.9 handybackup.com www.handybackup.com www.softlogica.com softlogica.com
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - J:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - J:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - J:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - J:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: bxNewFolder - {51C8BCA8-2524-4523-BF09-738C4EEBFC58} - J:\PROGRA~1\BXNEWF~1\BXNEWF~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - J:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - J:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - J:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - J:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - J:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - J:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - J:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - J:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - J:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [igfxhkcmd] J:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] J:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [itype] "J:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] J:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [igfxtray] J:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] J:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "J:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] J:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] J:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Coast to Coast AM] J:\Program Files\Coast to Coast AM Media Center\Coast to Coast AM Media Center.exe
O4 - HKCU\..\Run: [Handy Backup] J:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - Global Startup: UltraMon.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://J:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://J:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://J:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://J:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://J:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://J:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://J:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://J:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://J:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - J:\Program Files\MasterCook 9\Web\MCIEContext.hta
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - J:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - J:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - J:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - J:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - J:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - J:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - J:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - J:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - J:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - J:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll acaptuser32.dll
O20 - Winlogon Notify: avgrsstarter - J:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - J:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe LM Service - Adobe Systems - J:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Unknown owner - J:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - J:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - J:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bonjour Service - Apple Inc. - J:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - J:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - J:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - J:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - J:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - J:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - J:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Novosoft Backup Network Coordinator (NovosoftBackupNetworkCoordinator) - Unknown owner - J:\Program Files\Novosoft\Handy Backup\BackupNetworkCoordinator.exe
O23 - Service: spkrmon - Unknown owner - J:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - J:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11100 bytes
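
Two lines in the log above are what a helper reads first: the F2 Userinit value, which on a clean XP machine contains only userinit.exe but here lists a second executable that Winlogon will start at every logon, and the O1 Hosts entries, one of which adds a browser-security.microsoft.com override (a default Windows Hosts file has no microsoft.com entries at all, and a Hosts override is also the usual reason an infected PC cannot reach a security vendor's site). The Python script below is an added example, not part of this thread or of HijackThis: it triages a HijackThis 2.0 log for exactly those indicators. The sample log is constructed from lines quoted above, and the PROTECTED_DOMAINS list is my own choice of names that no home PC's Hosts file should override.

```python
"""Triage a HijackThis 2.0.x log for a few high-signal persistence and redirect
indicators. Added example; not part of HijackThis or of the thread."""
import ntpath
import re

# Constructed sample: lines quoted from the log posted above, nothing else.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=J:\WINDOWS\system32\userinit.exe,J:\WINDOWS\system32\twex.exe,
O1 - Hosts: 216.55.133.9 handybackup.com www.handybackup.com www.softlogica.com softlogica.com
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll acaptuser32.dll
""".strip("\n")

# Assumption (my choice): hostnames that a home PC's Hosts file should never
# override. Malware commonly blocks or redirects vendor and update sites.
PROTECTED_DOMAINS = ("microsoft.com", "windowsupdate.com", "avg.com", "safer-networking.org")

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<names>.+)$")
ORPHAN_BHO_RE = re.compile(r"^O2 - BHO: .*\((?:no file|file missing)\)\s*$")


def _is_protected(hostname, protected):
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in protected)


def triage(log_text, protected=PROTECTED_DOMAINS):
    """Return a list of (severity, message, raw_line) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.rstrip()

        m = USERINIT_RE.match(line)
        if m:
            # Winlogon runs every comma-separated entry at logon; the only
            # legitimate entry is userinit.exe itself.
            entries = [e.strip() for e in m.group("value").split(",") if e.strip()]
            extra = [e for e in entries if ntpath.basename(e).lower() != "userinit.exe"]
            if extra or len(entries) != 1:
                findings.append(("high",
                                 "Userinit launches extra executable(s): " + ", ".join(extra),
                                 line))
            continue

        m = HOSTS_RE.match(line)
        if m:
            ip, names = m.group("ip"), m.group("names").split()
            hijacked = [n for n in names if _is_protected(n, protected)]
            if hijacked:
                # Whether the target is loopback (blocking) or a remote address
                # (redirect), a local override of these names is hostile.
                findings.append(("high",
                                 f"Hosts file overrides {', '.join(hijacked)} -> {ip}",
                                 line))
            else:
                findings.append(("review",
                                 f"Hosts file maps {', '.join(names)} -> {ip}",
                                 line))
            continue

        if ORPHAN_BHO_RE.match(line):
            findings.append(("low", "BHO registered but its DLL is missing", line))
    return findings


if __name__ == "__main__":
    for severity, message, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {message}\n         {line}")
```

The handybackup.com entry is reported as "review" rather than "high": a third-party vendor name pinned to a remote address is unusual and worth a question, but it is not the kind of override that blocks security tools. Paste a full log into SAMPLE_LOG (or read it from a file) and the same rules apply to every line.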

Shaba
2009-02-27, 18:08
Hi 69john69

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

69john69
2009-02-28, 00:55
Thank you for the help. I am at this time installing the OS on a different hard drive to make sure it's clean. Am I correct in assuming that the worm is in the OS of the old hard drive? If so would it be safe to hook up the old unit as a slave and copy my personal files to the new drive and then format the old infected one?
Once again Thanks so much for your help. John

Shaba
2009-02-28, 10:45
It is in J drive.

If by personal files you mean pictures, documents and so on, then yes, it should be safe.
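
The rule in the answer above (data is fine, programs are not) is the usual one; what makes it safe in practice is copying only data types and nothing that can execute or auto-run. The following Python script is an added example of that rule, not part of this thread or of any tool mentioned in it. It walks the old drive (attached as a secondary disk under a path you supply), copies only allow-listed document and media extensions, refuses any file whose content starts with a PE ("MZ") header however it is named, and skips autorun.inf. The extension list and the sample tree built by demo() are my own constructions.

```python
"""Salvage user data from a disk pulled out of a compromised machine, copying
only allow-listed document/media types and refusing anything with a PE header.
Added example; not part of the thread or of any vendor tool."""
import os
import shutil
import tempfile

# Assumption (my choice): extensions worth carrying over. Executables, scripts,
# shortcuts (.lnk) and installers are deliberately absent.
DATA_EXTENSIONS = {
    ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tif", ".tiff",
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt", ".pdf",
    ".mp3", ".wav", ".wma", ".avi", ".mpg", ".mp4", ".wmv",
}
# Auto-start hooks and shell junk, refused by name before the extension check so
# that widening the allow-list can never admit them.
SKIP_NAMES = {"autorun.inf", "desktop.ini", "thumbs.db"}


def classify(path):
    """Decide whether a file is safe to carry over; returns 'copy' or 'skip:<reason>'."""
    name = os.path.basename(path).lower()
    if name in SKIP_NAMES:
        return "skip:name"
    if os.path.splitext(name)[1] not in DATA_EXTENSIONS:
        return "skip:extension"
    # A renamed executable still starts with the "MZ" DOS header; the extension
    # alone proves nothing, so peek at the content.
    with open(path, "rb") as fh:
        if fh.read(2) == b"MZ":
            return "skip:pe-header"
    return "copy"


def salvage(src_root, dst_root, dry_run=False):
    """Walk src_root, copy approved files to dst_root preserving layout, and
    return a report of what was copied and what was refused (paths use '/')."""
    report = {"copied": [], "skipped": []}
    for dirpath, _dirs, filenames in os.walk(src_root):  # does not follow dir symlinks
        for fn in sorted(filenames):
            src = os.path.join(dirpath, fn)
            rel = os.path.relpath(src, src_root).replace(os.sep, "/")
            verdict = classify(src)
            if verdict != "copy":
                report["skipped"].append((rel, verdict))
                continue
            if not dry_run:
                dst = os.path.join(dst_root, *rel.split("/"))
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copyfile(src, dst)  # bytes only: no ACLs, attributes or streams
            report["copied"].append(rel)
    return report


def demo():
    """Build a constructed sample tree in a temp dir and salvage it."""
    src = tempfile.mkdtemp(prefix="olddrive_")
    dst = tempfile.mkdtemp(prefix="newdrive_")
    docs = os.path.join(src, "My Documents")
    os.makedirs(docs)
    samples = {
        os.path.join(docs, "letter.txt"): b"Dear ...",
        os.path.join(docs, "photo.jpg"): b"MZ\x90\x00" + b"\x00" * 60,  # EXE renamed to .jpg
        os.path.join(src, "setup.exe"): b"MZ" + b"\x00" * 62,
        os.path.join(src, "autorun.inf"): b"[autorun]\r\nopen=setup.exe\r\n",
    }
    for path, content in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return salvage(src, dst)


if __name__ == "__main__":
    print(demo())
```

Run it with dry_run=True first and read the skipped list before copying for real. Keep the antivirus on the new installation active while you do this: the filter removes the obvious executables, but a document or PDF can still carry an exploit, so it reduces the risk rather than eliminating it.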

69john69
2009-02-28, 15:38
Thank you once more; you folks do a fine job. This is a big help and I will follow the instructions on protecting my computers from any further intrusions.

Shaba
2009-02-28, 15:49
Please post a fresh HijackThis log after that and I will give you final instructions :)

Shaba
2009-03-05, 16:08
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.