Sorry guys.. i m new here, unclear abt forum rules. but i got this problem on my hands. Recently i have been getting popups but they are blocked instantly. however, this keeps switching me out of my programs e.g. full screen such as ppt etc. i find this very annoying but i am unable to track down these malwares as they are blocked almost instantly and the logs do not register it. can anyone help me with this pls? :(

Hello, please see our 'sticky' topic:
BEFORE you post and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

Run the scans first.

Copy paste the HJT log here into this thread along with the results of the on-line anti-virus scan, and a helper will advise you as soon as available to do so.


Cheers. :)

this is my logfile of hijackthis when i ran system scan and save logfile

Logfile of HijackThis v1.99.1
Scan saved at 8:51:03 PM, on 7/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Lightning Download\Lightning.exe
C:\Program Files\Lightning Download\Lightning.exe
C:\SMC\SMC.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwbwL0QoyVdgc16FAz8lRdiS995kPcARYq7etFwqH1PYv/8m9H/Ow7EoI8zsAQXDP6bMy5Kbjc1Hx1JRLvcwz9HVtDJngLHp/j
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: bho2gr Class - {F1FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\Lightning Download\LD_Catch.dll
O4 - HKLM\..\Run: [RemoveElanIcon] C:\WINDOWS\system32\ELAN.exe
O4 - HKLM\..\Run: [System Services] kwgvpewcg.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Lightning Download] C:\Program Files\Lightning Download\Lightning.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SMC] C:\SMC\SMC.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [da4n97tm] C:\WINDOWS\system32\da4n97tm.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\RunServices: [System Services] kwgvpewcg.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [System Services] kwgvpewcg.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunServices: [System Services] kwgvpewcg.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {20050325-D35A-4233-926E-2E801AE25949} (NMJPStarter15 Class) - http://www.netmarble.jp/_common/cab/NMStarterJP5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115012977921
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://file.netmarble.jp/Control/NMJTransX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: DIFx - C:\WINDOWS\system32\jash400.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

this is my panda online scanning results


Incident Status Location

Adware:Adware/DollarRevenue Not disinfected C:\defender26.exe
Virus:Trj/Agent.CIU Disinfected C:\dfndrb_2.exe
Adware:Adware/DollarRevenue Not disinfected C:\dfndrc_2.exe
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.com.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/MetriWeb Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.metriweb.be/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[adserver.filefront.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.azjmp.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.go.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.gostats.com/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.tickle.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.rn11.com/]
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.i.screensavers.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Bilbo.counted Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[bilbo.counted.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[server.iad.liveperson.net/hc/18766632]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a6zlpsxl.default\cookies.txt[.did-it.com/]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1696c2c-40f795db.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1696c2c-40f795db.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1696c2c-40f795db.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1696c2c-40f795db.zip[Beyond.class]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@888[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@azjmp[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@banners.searchingbooth[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@cassava[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@i.screensavers[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@toplist[1].txt

Hello and welcome to the forum. You have some nasties, some I can't even identify. I suggest you keep the computer offline until we get it clean. Read about this worm for you information so you will be aware of how this worm has compromised your security. I can remove it, you will need to repair any damage.
http://www.symantec.com/security_response/writeup.jsp?docid=2003-093012-5903-99

Let's do this:

1) Download and run the Symantec removal tool according to the instructions:
http://www.symantec.com/security_response/writeup.jsp?docid=2004-011316-4140-99

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Ad-Watch may block changes we must make, turn it off until you are done:
In the Ad-Watch window have them check the Active option instead of Automatic and it will stop undoing your fix.
1. Right-click on Ad-watch icon in the System Tray.
2.Go to Ad-Watch Settings and uncheck Load Ad-Watch on Windows start up
3. Again in Ad-Watch Settings Select Unload Ad-watch.

(some items may have been remove by the tool, just don't miss any)

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(if you are sure this first item is safe, you may leave it)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=w...z9HVtDJngLHp/j
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKLM\..\Run: [System Services] kwgvpewcg.exe
O4 - HKLM\..\Run: [da4n97tm] C:\WINDOWS\system32\da4n97tm.exe
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\RunServices: [System Services] kwgvpewcg.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [System Services] kwgvpewcg.exeG
O4 - Startup: PowerReg Scheduler.exe
O20 - Winlogon Notify: DIFx - C:\WINDOWS\system32\jash400.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Locate and delete these items:

(You will need to search for these files, and they may be gone, just do not miss them)

csrrs.exe <<< delete that file if there

kwgvpewcg.exe <<< delete that file if there

C:\WINDOWS\system32\da4n97tm.exe <<< delete that file
7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Post a new HJT log so I can see how we did, add any comments you think will help.

Thanks...pskelley
Safer Networking Forums
Additional important instructions.

Your Java program needs and update: http://forums.spybot.info/showpost.php?p=12880&postcount=2

Looks like you are running two Antivirus progams at once and this is not a good thing:
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (file missing) G
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (file missing)
If this is Antivirus software, you need to uninstall it.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html

hello. i have run the gaobot.exe program but it did not detect the worm. and after running a scan. i am unable to delete csrrs and kwgvpewcg.exe due to them being write protected. i m afraid these methods are ineffective

Logfile of HijackThis v1.99.1
Scan saved at 9:31:58 PM, on 7/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Lightning Download\Lightning.exe
C:\SMC\SMC.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Lightning Download\Lightning.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: bho2gr Class - {F1FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\Lightning Download\LD_Catch.dll
O4 - HKLM\..\Run: [RemoveElanIcon] C:\WINDOWS\system32\ELAN.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Lightning Download] C:\Program Files\Lightning Download\Lightning.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SMC] C:\SMC\SMC.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunServices: [System Services] kwgvpewcg.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {20050325-D35A-4233-926E-2E801AE25949} (NMJPStarter15 Class) - http://www.netmarble.jp/_common/cab/NMStarterJP5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115012977921
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://file.netmarble.jp/Control/NMJTransX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

this is my gaobot log

Symantec W32.Gaobot FixTool 1.35.0

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\foaly666@hotmail.com\SharingMetadata\etky03@hotmail.com\DFSR\Staging\CS{1A6DAD69-674B-C10B-D791-2A8F042C1644}\01\10-{1A6DAD69-674B-C10B-D791-2A8F042C1644}-v1-{A80142A8-A340-42B4-A9C2-B009CE6CE79C}-v10-Downloaded.frx (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\3KEQP4H7\0000&color_text=CCCCCC&color_link=FFFFFF&color_url=999999&color_border=333333&ad_type=text_image&cc=100&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=480&u_his=14&u_java=true (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\3KEQP4H7\hosted_id=9557[1].com&pagetype=am_article&site=askmen&dechannel=askmenmoney&size=s728x90&regspeed=-1&PageId=1150309284371&random=1150309284371&network=askmen&tile=1150309291421 (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\3KEQP4H7\hosted_id=95[1].com&pagetype=am_article&site=askmen&dechannel=askmenmoney&size=richmedia&regspeed=-1&PageId=1150309289478&random=1150309289478&network=askmen&tile=1150309292906 (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\3KEQP4H7\hosted_id=95[1].com&pagetype=am_article&site=askmen&dechannel=askmenmoney&size=richmedia&regspeed=-1&PageId=1150309329309&random=1150309329309&network=askmen&tile=1150309332406 (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\3KEQP4H7\hosted_id[1].com&pagetype=am_article&site=askmen&dechannel=askmenmoney&size=headermainad&regspeed=-1&PageId=1150309253808&random=1150309253808&network=askmen&tile=1150309260028 (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\3KEQP4H7\hosted_id[1].com&pagetype=am_article&site=askmen&dechannel=askmenmoney&size=headermainad&regspeed=-1&PageId=1150309312012&random=1150309312012&network=askmen&tile=1150309315620 (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\3KEQP4H7\hosted_i[1].com&pagetype=am_article&site=askmen&dechannel=askmenmoney&size=featureslink2&regspeed=-1&PageId=1150309319929&random=1150309319929&network=askmen&tile=1150309323859 (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\5DXFXJE5\hosted_id=9557&re[1].com&pagetype=am_article&site=askmen&dechannel=askmenmoney&size=text&regspeed=-1&PageId=1150309291965&random=1150309291965&network=askmen&tile=1150309295281 (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\5DXFXJE5\hosted_id=9557[1].com&pagetype=am_article&site=askmen&dechannel=askmenmoney&size=300x250&regspeed=-1&PageId=1150309270244&random=1150309270244&network=askmen&tile=1150309260028 (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\5DXFXJE5\lor_bg=EEEEEE&color_text=000000&color_link=3C6491&color_url=008000&color_border=EEEEEE&ad_type=text_image&cc=100&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=480&u_java=true (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\NYUWCH6W\hosted_id[1].com&pagetype=am_article&site=askmen&dechannel=askmenmoney&size=spotlight_am&regspeed=-1&PageId=1150309313758&random=1150309313758&network=askmen&tile=1150309317156 (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\NYUWCH6W\hosted_i[1].com&pagetype=am_article&site=askmen&dechannel=askmenmoney&size=featureslink1&regspeed=-1&PageId=1150309317106&random=1150309317106&network=askmen&tile=1150309321468 (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\NYUWCH6W\y&size=1x1&regspeed=-1&name=ATAtracker&PageId=1150309310164&random=1150309310164&ct=js&r=http$3A$2F$2Fwww$2Easkmen$2Ecom$2Fmoney$2Fsuccessful$2F39_success$2Ehtml&network=askmen& (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QY8C4RK9\.com%2F&color_bg=000000&color_text=CCCCCC&color_link=FFFFFF&color_url=999999&color_border=333333&cc=100&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=480&u_his=14&u_java=true (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QY8C4RK9\0000&color_text=CCCCCC&color_link=FFFFFF&color_url=999999&color_border=333333&ad_type=text_image&cc=100&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=480&u_his=14&u_java=true (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QY8C4RK9\hosted_id=[1].com&pagetype=am_article&site=askmen&dechannel=askmenmoney&size=side300x250&regspeed=-1&PageId=1150309282338&random=1150309282338&network=askmen&tile=1150309286312 (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QY8C4RK9\hosted_id=[1].com&pagetype=am_article&site=askmen&dechannel=askmenmoney&size=side300x250&regspeed=-1&PageId=1150309322434&random=1150309322434&network=askmen&tile=1150309325453 (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QY8C4RK9\lor_bg=FFFFFF&color_text=000000&color_link=0000FF&color_url=008000&color_border=FFFFFF&ad_type=text_image&cc=100&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=480&u_java=true (WARNING: not scanned, path to long)
C:\Program Files\??pPatch: (not scanned)
C:\System Volume Information: (not scanned)
W32.Gaobot has not been found on your computer.

Thanks for your feedback, I would appreciate it if you would post only the information I request.

The only thing I see left in the log is O4 - HKCU\..\RunServices: [System Services] kwgvpewcg.exe
What I would like you to do is make sure all files and folder are still visible, then search for this file: kwgvpewcg.exe , while you are at it search for this one also: csrrs.exe

Once you have the location, then do this:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
How to use the Delete on Reboot tool

At times you may find a file that stubbornly refuses to be deleted by conventional means. HijackThis introduced, in version 1.98.2, a method to have Windows delete the file as it boots up, before the file has the chance to load. To do this follow these steps:

Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now, otherwise click on the No button to reboot later.

Understand you will be putting the complete pathway on the file into the HJT tool to delete it, make sure you follow the directions. If you find the other one, enter them both before you reboot. Then post another HJT log.

Example of pathway: C:\Windows\kwgvpewcg.exe <<< this is to set an example of the pathway, I have no idea where it is located, you will know that once you use search companion

Please understand these infections are rarely as easy to remove as they were to get there in the first place. When a company like Symantec, offers a tool, we give it a try, if it works or not. That is my first time to use the tool, and I had no idea how it would work, just as I have no use for the log. Removing the junk is often trial and error. We try until we are successful, unless you have a better idea?

Thanks

my hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 10:47:35 PM, on 7/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Lightning Download\Lightning.exe
C:\Program Files\Lightning Download\Lightning.exe
C:\SMC\SMC.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\BitComet\BitComet.exe
C:\hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: bho2gr Class - {F1FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\Lightning Download\LD_Catch.dll
O4 - HKLM\..\Run: [RemoveElanIcon] C:\WINDOWS\system32\ELAN.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Lightning Download] C:\Program Files\Lightning Download\Lightning.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SMC] C:\SMC\SMC.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {20050325-D35A-4233-926E-2E801AE25949} (NMJPStarter15 Class) - http://www.netmarble.jp/_common/cab/NMStarterJP5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115012977921
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://file.netmarble.jp/Control/NMJTransX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

I am getting mixed reading on this file: C:\SMC\SMC.exe the balance of the HJT log looks clean of malware. Would you check to find out if this is a valid file:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

Along with that information, let me know how the computer is running now.

Thanks

hey. thanks for the help removing those malwares. but my comp still has those popups coming on whenever i m connected to the internet.

Thanks for posting some information, respond to the last post I made, tell me what that is, then do this:

First download ewido anti-spyware from HERE (http://www.ewido.net/en/download/) and save that file to your desktop.
This is a 30 day trial of the program
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"

Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.


Along with the scan report, I need information. You say you get the popups WHEN connected to the internet. Do you get them when you are not connected? I need to know where these popups are directed you to. This repair is only going to work if you try your best to help me. I am not the one setting in front of the computer. Remote repairs are not easy.

Thanks

sorry. running the scans now. the popups are blocked by my popup ad blocker (i can tell by the funny blocking sound) so i dont know where it leads me to. and nope. i only get popups when connected to a network or online.

OK and thanks for that information, we all get popups online, only way to stop that is stay offline, most sites want to show you adds and only Google is preventing it. I run the same toolbar (Google) and I have had 89 popups blocked today, that is what a popup blocker is supposed to do. It's when you get a trojan that displays popups when you are offline that you have a problem, no blocker can stop those.
Click Options on your blocker and turn the sound off. Google will block the junk without bothering you.

Let me have the information about that file and a look at what ewido has to say, and you should be on your way.

thanks.

oops couple of problems here >< one is tt i m using mozilla firefox with an IE stuck somewhere in the background. so i dont know whether firefox or IE is messing with me. another thing is tt i have other adblockers.. so i donno which one is blocking the popups.... firefox, google, yahoo, adaware, spyware doctor, spybot, mcafee etc.

Hey...I don't know either. Google does have a toolbar for firefox, I use it and rarely open it prefering IE. Yahoo I do not trust, same goes for Spyware Doctor. I see Ad-aware/Adwatch and run the free program, if Adwatch blocks popups, it is not to my knowledge. I also see no evidence of Spybot running in this HJT log?

If you are going to run Google for the popup blocker I would turn off any other blockers and let it do it's job.

erm yeah. i got some examples of the popups after i turned my popup manager off. here are some links that they have been spamming me with

http://ad.yieldmanager.com/
hxxp://shop2deal.com/fullpage.aspx?refcode=YMBCN
hxxp://ad.firstadsolution.com/
and something like adbannerconnect.net

is there anything wrong or those popups are normal? ><

I suppose you will need to turn on what is blocking them. I would take a hard look at the sites you are visiting when you are receving these popups. The site is responsible, and I would avoid the site if I were you. Perhaps an email to them telling them how you feel about their practice of sending you adds when you visit might help them reconsider their advertising practices?


Thanks

hey i ran ewido spyware scan and came up with no less than 40k spyware. i deleted all of them but the problem is that my computer is still laced with popups that are still hitting me. sorry i cant post the scan report for it is too long :S

Edit out all of the cookies and any items in system restore. Then break it into two posts if you have to.

Are these popups still only occuring when you are online?

Thanks

sorry pskelly, but i dont think i can break up 2.4 milliion characters into two posts but the files come from 3 locations: C:\Songs_\, C:\Documents and Settings\Administrator\Shared\, C:\quarantine\

and my system restore does not have the option to edit cookies and files..

and my system restore does not have the option to edit cookies and files..
No it does not, but the ewido scan report does. And ewido will find bad stuff in System Restore and I always clean the System Restore files before I finish so that is why I don't need to see them in the log.

C:\Songs_\, C:\Documents and Settings\Administrator\Shared\, C:\quarantine\

You are going to have to take some initiative here since you are the one in front of the computer.
It may be all of this stuff is infected? I have no way of knowing from here. Here are online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

I do not know what you have stored in C:\Songs\
Or what you store in that C:\Documents and Settings\Administrator\Shared\ <<< folder but I can guess that what ever is in the C:\quarantine\ can be deleted. Sounds like you have a mess you are going to have to fix. I can supply you with additional online scanning tools if you want them, but this is something you are going to have to do.

I do not usually resort to it, but since you have such a hugh amount of possibly infected files, you may want to cut your loses and reformat this computer. Let me know if I can do more.

Thanks...Phil

This topic ihas been archived.

If you need it re-opened please send me a pm and provide a link to the thread.
Applies only to the original topic starter.


Thank you Phil. :)