Need Serious Help with Spyware (CommandDesktop)

tfarmer12
2006-08-16, 06:17
I was infected with a gnarly dose of spyware and am at my wits' end trying to fix it. My computer and internet are running at a snail's pace and I am getting lots of pop-ups. I have run Ad-Aware, Spybot, CCleaner, Ewido, and Windows Defender and still haven't fixed the issue. I then ran Trend Micro's HouseCall and it found Adware_CommandDesktop but could not delete it. I am running Windows XP Pro Version 2002 SP2 on a Dell desktop computer. Below is my HJT log; if you need additional info, please let me know. I thank you in advance!!


Logfile of HijackThis v1.97.7
Scan saved at 9:13:14 PM, on 8/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\ewido anti-spyware 4.0\guard.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\QuickTime\qttask.exe
F:\WINDOWS\sys09642325245.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\Windows Defender\MSASCui.exe
F:\WINDOWS\system32\rpcc.exe
F:\Program Files\ewido anti-spyware 4.0\ewido.exe
F:\WINDOWS\system32\7a7a902.exe
F:\WINDOWS\Duce6.exe
F:\Program Files\Common Files\{A0E1A827-05D7-1033-0910-010219020001}\Update.exe
F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\Tim\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [keyboard] C:\\kybrdfh_10.exe
O4 - HKLM\..\Run: [sys09642325245] F:\WINDOWS\sys09642325245.exe
O4 - HKLM\..\Run: [pcdf9545] RUNDLL32.EXE wc9d3157.dll,n 002f954300000003c9d3157
O4 - HKLM\..\Run: [wc9d84c6.dll] RUNDLL32.EXE wc9d84c6.dll,I2 002f95430c9d84c6
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "F:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "F:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [7a7a902.exe] F:\WINDOWS\system32\7a7a902.exe
O4 - HKLM\..\Run: [TheMonitor] F:\WINDOWS\Duce6.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] lmrss.exe
O4 - HKCU\..\Run: [7a7a902.exe] F:\Documents and Settings\Tim\Local Settings\Application Data\7a7a902.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: *.processclaims.com
O16 - DPF: CabDeployment - http://qa-shopflow.pclaims.com/ShopFlowWeb/cab/UDCClientAccess.CAB
O16 - DPF: DownloadClientAccessCab - http://www.processclaims.com/web/cab/DownloadClientAccess.CAB
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155519605250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155519594875
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

tfarmer12
2006-08-17, 01:06
Bump...

tfarmer12
2006-08-17, 20:04
Bump...

tfarmer12
2006-08-21, 17:52
Bump....

pskelley
2006-08-22, 23:39
Welcome to the forum. It is going to be hard to help you since you seem to not bother to read the directions. Here they are:

Please be advised that most forums Pin the information you need at the top of the page. These links are a must before you can proceed, but I suggest you review all Pinned (Sticky) information.

http://forums.spybot.info/showthread.php?t=1137
http://forums.spybot.info/showthread.php?t=425
http://forums.spybot.info/showthread.php?t=288

Follow the directions in the links and post a HJT log created with a properly placed, up to date version of HJT.

Thanks...pskelley
Safer Networking Forums

tashi
2006-08-28, 19:20
This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.
Applies only to the original topic starter.

tfarmer12
2006-08-30, 21:51
I posted my problem on this site earlier and was told to follow the directions in the sticky and re-post my log. After going out of town for 5 days, I can't find my old post, so I created a new one after following the pre-post directions. I have tried lots of different scanners and still am getting slow performance and pop-ups. When I run Spybot, it keeps finding CommandDesktop but can't remove it. Here is my HJT log; I look forward to working with one of your representatives to resolve this. Please let me know if there is anything else I can do to assist you. Thanks in advance...

Logfile of HijackThis v1.99.1
Scan saved at 9:37:17 AM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\ewido anti-spyware 4.0\guard.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\QuickTime\qttask.exe
C:\kybrdfh_10.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\Windows Defender\MSASCui.exe
F:\Program Files\ewido anti-spyware 4.0\ewido.exe
F:\WINDOWS\Duce6.exe
F:\WINDOWS\win3208564232524.exe
F:\WINDOWS\ms04252456423.exe
F:\WINDOWS\sys01423252456.exe
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\sys02232524564.exe
F:\Program Files\Common Files\{A0E1A827-05D7-1033-0910-010219020001}\Update.exe
F:\Documents and Settings\Tim\Local Settings\Application Data\7a7a902.exe
F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\win32062456423252006.exe
F:\Hijackthis\HijackThis.exe
F:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {381116A5-FD8E-8420-8102-019812010174} - F:\WINDOWS\system32\xwzosuk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [keyboard] C:\\kybrdfh_10.exe
O4 - HKLM\..\Run: [pcdf9545] RUNDLL32.EXE wc9d3157.dll,n 002f954300000003c9d3157
O4 - HKLM\..\Run: [wc9d84c6.dll] RUNDLL32.EXE wc9d84c6.dll,I2 002f95430c9d84c6
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "F:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "F:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [7a7a902.exe] F:\WINDOWS\system32\7a7a902.exe
O4 - HKLM\..\Run: [TheMonitor] F:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [win3208564232524] F:\WINDOWS\win3208564232524.exe
O4 - HKLM\..\Run: [win3207456423252] F:\WINDOWS\win3207456423252.exe
O4 - HKLM\..\Run: [ms04252456423] F:\WINDOWS\ms04252456423.exe
O4 - HKLM\..\Run: [win3206245642325] F:\WINDOWS\win3206245642325.exe
O4 - HKLM\..\Run: [ms03325245642] F:\WINDOWS\ms03325245642.exe
O4 - HKLM\..\Run: [sys01423252456] F:\WINDOWS\sys01423252456.exe
O4 - HKLM\..\Run: [jmedxv.dll] F:\WINDOWS\system32\rundll32.exe F:\WINDOWS\system32\jmedxv.dll,sqskuqe
O4 - HKLM\..\Run: [sys02232524564] F:\WINDOWS\sys02232524564.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Microsoft Update Machine] lmrss.exe
O4 - HKCU\..\Run: [7a7a902.exe] F:\Documents and Settings\Tim\Local Settings\Application Data\7a7a902.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.processclaims.com
O16 - DPF: CabDeployment - http://qa-shopflow.pclaims.com/ShopFlowWeb/cab/UDCClientAccess.CAB
O16 - DPF: DownloadClientAccessCab - http://www.processclaims.com/web/cab/DownloadClientAccess.CAB
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155519605250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155519594875
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: fRUCJILSEurtja - {26491AFE-8CE3-B054-3902-205C5CBA9051} - (no file)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe

tashi
2006-08-31, 00:44
Two topics merged.

pskelley
2006-08-31, 01:27
Welcome back. I will have to assume you have read the information in the links I posted for you. Let me add, if a helper is working with you and you are not going to be able to respond for several days, do let them know, or your topic will get closed...thanks.

I need to let you know that this is a very infected computer, you need to keep it offline as much as possible until you are clean, this junk will attract more. You must follow the directions if you expect this to work.

Thanks to Metallica and any others who helped with this fix.

1. Please download Ewido Anti-Malware (http://www.ewido.net/en/download/)
Install ewido anti-malware
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://download.ewido.net/ewido-signatures-full-current.exe)

2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, Open Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the Ewido text report that you saved and a new HijackThis log.

Thanks

tfarmer12
2006-08-31, 21:15
Thanks for the assistance. I have followed these directions and it seems that performance has improved. I still am getting a few pop-ups but not as many as before. Here is my HJT log now:
Logfile of HijackThis v1.99.1
Scan saved at 12:12:59 PM, on 8/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\ewido anti-spyware 4.0\guard.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\Windows Defender\MSASCui.exe
F:\WINDOWS\system32\7a7a902.exe
F:\WINDOWS\sys01423252456.exe
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\sys02232524564.exe
F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\Duce6.exe
F:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {381116A5-FD8E-8420-8102-019812010174} - F:\WINDOWS\system32\xwzosuk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pcdf9545] RUNDLL32.EXE wc9d3157.dll,n 002f954300000003c9d3157
O4 - HKLM\..\Run: [wc9d84c6.dll] RUNDLL32.EXE wc9d84c6.dll,I2 002f95430c9d84c6
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "F:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [7a7a902.exe] F:\WINDOWS\system32\7a7a902.exe
O4 - HKLM\..\Run: [sys01423252456] F:\WINDOWS\sys01423252456.exe
O4 - HKLM\..\Run: [jmedxv.dll] F:\WINDOWS\system32\rundll32.exe F:\WINDOWS\system32\jmedxv.dll,sqskuqe
O4 - HKLM\..\Run: [sys02232524564] F:\WINDOWS\sys02232524564.exe
O4 - HKLM\..\Run: [TheMonitor] F:\WINDOWS\Duce6.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] lmrss.exe
O4 - HKCU\..\Run: [7a7a902.exe] F:\Documents and Settings\Tim\Local Settings\Application Data\7a7a902.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.processclaims.com
O16 - DPF: CabDeployment - http://qa-shopflow.pclaims.com/ShopFlowWeb/cab/UDCClientAccess.CAB
O16 - DPF: DownloadClientAccessCab - http://www.processclaims.com/web/cab/DownloadClientAccess.CAB
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155519605250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155519594875
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: fRUCJILSEurtja - {26491AFE-8CE3-B054-3902-205C5CBA9051} - (no file)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe

tfarmer12
2006-08-31, 21:16
And the Ewido log:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:04:27 PM 8/31/2006

+ Scan result:



F:\Documents and Settings\New Tim\Local Settings\Temp\NNBar_VCSetup_876072.exe -> Adware.Mirar : Cleaned with backup (quarantined).
F:\Documents and Settings\New Tim\Local Settings\Temp\mit14.tmp.cab/NNBar_VCSetup_876072.exe -> Adware.Mirar : Cleaned with backup (quarantined).
F:\Documents and Settings\New Tim\Local Settings\Temp\mit14.tmp/NNBar_VCSetup_876072.exe -> Adware.Mirar : Cleaned with backup (quarantined).
F:\WINDOWS\system32\WinNB58.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7E1FA6B7-8971-4FB2-9160-2688A3A7B083}\RP800\A0041000.exe -> Downloader.Adload.cy : Cleaned with backup (quarantined).
C:\kybrdfh_10.exe -> Downloader.Adload.dv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7E1FA6B7-8971-4FB2-9160-2688A3A7B083}\RP800\A0041002.exe -> Downloader.Adload.ee : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7E1FA6B7-8971-4FB2-9160-2688A3A7B083}\RP800\A0041003.exe -> Downloader.Adload.ee : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7E1FA6B7-8971-4FB2-9160-2688A3A7B083}\RP800\A0041004.exe -> Downloader.Adload.ee : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7E1FA6B7-8971-4FB2-9160-2688A3A7B083}\RP800\A0040994.exe -> Downloader.Adload.ef : Cleaned with backup (quarantined).
F:\Program Files\Common Files\{A0E1A827-05D7-1033-0910-010219020001}\Update.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\dfndrfh_10.exe -> Hijacker.VB.ly : Cleaned with backup (quarantined).
F:\WINDOWS\system\ctldlg32.dll -> Logger.Agent.mn : Cleaned with backup (quarantined).
F:\WINDOWS\system32\rpcc.exe -> Proxy.Small : Cleaned with backup (quarantined).
F:\Documents and Settings\New Tim\Cookies\new tim@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
F:\Documents and Settings\Tim\Cookies\tim@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
F:\Documents and Settings\Tim\Cookies\tim@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
F:\Documents and Settings\New Tim\Cookies\new tim@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
F:\Documents and Settings\New Tim\Cookies\new tim@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
F:\Documents and Settings\New Tim\Cookies\new tim@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
F:\Documents and Settings\Tim\Cookies\tim@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
F:\Documents and Settings\New Tim\Cookies\new tim@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
F:\Documents and Settings\Tim\Cookies\tim@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
F:\Documents and Settings\New Tim\Cookies\new tim@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
F:\Documents and Settings\New Tim\Cookies\new tim@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
F:\Documents and Settings\New Tim\Cookies\new tim@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
F:\Documents and Settings\Tim\Cookies\tim@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
F:\Documents and Settings\New Tim\Cookies\new tim@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
F:\Documents and Settings\Tim\Cookies\tim@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
F:\Documents and Settings\New Tim\Cookies\new tim@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
F:\Documents and Settings\New Tim\Cookies\new tim@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
F:\Documents and Settings\Tim\Cookies\tim@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
F:\Documents and Settings\New Tim\Cookies\new tim@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
F:\Documents and Settings\Tim\Cookies\tim@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
F:\Documents and Settings\Tim\Cookies\tim@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
F:\Documents and Settings\Tim\Cookies\tim@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
F:\Documents and Settings\New Tim\Cookies\new tim@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned.
F:\Documents and Settings\New Tim\Cookies\new tim@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
F:\Documents and Settings\Tim\Cookies\tim@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
F:\Documents and Settings\New Tim\Cookies\new tim@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
F:\Documents and Settings\Tim\Cookies\tim@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
F:\Documents and Settings\New Tim\Cookies\new tim@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned.
F:\Documents and Settings\New Tim\Cookies\new tim@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
F:\Documents and Settings\Tim\Cookies\tim@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
F:\Documents and Settings\New Tim\Cookies\new tim@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
F:\Documents and Settings\Tim\Cookies\tim@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
F:\WINDOWS\ms04252456423.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
F:\WINDOWS\sys096423252452006.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
F:\WINDOWS\uni_ehhhh.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
F:\WINDOWS\uninst104.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).


::Report end

pskelley
2006-08-31, 21:37
We have a ways to go. I was hoping that fix would have killed more of this junk; it usually does. Follow these directions in the posted order.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

Disable Ewido, as it might be trying to interfere...
Under 'Your security status', if the real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {381116A5-FD8E-8420-8102-019812010174} - F:\WINDOWS\system32\xwzosuk.dll
O4 - HKLM\..\Run: [pcdf9545] RUNDLL32.EXE wc9d3157.dll,n 002f954300000003c9d3157
O4 - HKLM\..\Run: [wc9d84c6.dll] RUNDLL32.EXE wc9d84c6.dll,I2 002f95430c9d84c6
O4 - HKLM\..\Run: [7a7a902.exe] F:\WINDOWS\system32\7a7a902.exe
O4 - HKLM\..\Run: [sys01423252456] F:\WINDOWS\sys01423252456.exe
O4 - HKLM\..\Run: [jmedxv.dll] F:\WINDOWS\system32\rundll32.exe F:\WINDOWS\system32\jmedxv.dll,sqskuqe
O4 - HKLM\..\Run: [sys02232524564] F:\WINDOWS\sys02232524564.exe
O4 - HKLM\..\Run: [TheMonitor] F:\WINDOWS\Duce6.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] lmrss.exe
O4 - HKCU\..\Run: [7a7a902.exe] F:\Documents and Settings\Tim\Local Settings\Application Data\7a7a902.exe
O21 - SSODL: fRUCJILSEurtja - {26491AFE-8CE3-B054-3902-205C5CBA9051} - (no file)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)


Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

lmrss.exe <<< search for this file, delete it if you find it (it is a trojan)

F:\WINDOWS\Duce6.exe <<< file

F:\WINDOWS\sys01423252456.exe <<< file

F:\WINDOWS\sys02232524564.exe <<< file

F:\WINDOWS\system32\7a7a902.exe <<< file

F:\WINDOWS\system32\jmedxv.dll <<< file

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

7) Restart the computer and post a new HJT log along with any comments you think will help.

Thanks

Your Java program is outdated; see this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
F:\Program Files\Java\jre1.5.0_06\ <<< out of date

tfarmer12
2006-08-31, 23:02
Ok, so I followed your directions. I actually just uninstalled Windows Defender and couldn't find how to deactivate Ewido (I just closed it and saw nothing in Tools about active protection), although I'm pretty sure it's not running. Unfortunately, I was only unable to remove a couple of the files you wanted me to. Here's the rundown:

lmrss.exe <<< search for this file, delete it if you find it (it is a trojan)
(Did not find it)

F:\WINDOWS\Duce6.exe <<< file
(Did not find it)

F:\WINDOWS\sys01423252456.exe <<< file
(deleted it, but another one exists with 2006 after it--should I delete??)
F:\WINDOWS\sys02232524564.exe <<< file
(won't let me delete, says "Access Denied. Make sure disk isn't full or write-protected and that the file is not currently in use." There is also another file with the same name and 2006 at the end--should I delete that one?)

F:\WINDOWS\system32\7a7a902.exe <<< file
(Deleted it)

F:\WINDOWS\system32\jmedxv.dll <<< file
(Got same access denied message as above)

Ran ATF, haven't gotten pop ups since reboot WHICH IS GREAT. Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 1:51:35 PM, on 8/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\ewido anti-spyware 4.0\guard.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\sys02232524564.exe
F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
F:\Hijackthis\HijackThis.exe
F:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [jmedxv.dll] F:\WINDOWS\system32\rundll32.exe F:\WINDOWS\system32\jmedxv.dll,sqskuqe
O4 - HKLM\..\Run: [sys02232524564] F:\WINDOWS\sys02232524564.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.processclaims.com
O16 - DPF: CabDeployment - http://qa-shopflow.pclaims.com/ShopFlowWeb/cab/UDCClientAccess.CAB
O16 - DPF: DownloadClientAccessCab - http://www.processclaims.com/web/cab/DownloadClientAccess.CAB
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155519605250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155519594875
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe

tfarmer12
2006-08-31, 23:22
Check that, still getting pop ups, they just aren't as quick to pop up after a reboot...

pskelley
2006-08-31, 23:31
Thanks for the feedback, and you are making progress. Understand this junk is harder to get off than to get on and there is no "right" way to do it.
Understand that Windows does not know if a file is bad or good, it only knows it is running and will deny access. If this is your computer, you need to take ownership of it. Here are the scanners if you ever want to check a file:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

Once you know a file is malware, do whatever you must to delete it, start by doing it in safe mode. For today we will do this, Let's see what is left.

Here are our problems:
F:\WINDOWS\sys02232524564.exe
F:\WINDOWS\system32\jmedxv.dll
F:\WINDOWS\system32\sqskuqe <<< I am guessing this one is in the System32 folder, try searching for it to see. Google does not even recognize it so wherever it is, it is bad
We will have to get rough with them progressively. We will start with a tool built into HJT. If it does not work, then we will use Killbox.

1) http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
How to use the Delete on Reboot tool

At times you may find a file that stubbornly refuses to be deleted by conventional means. HijackThis introduced, in version 1.98.2, a method to have Windows delete the file as it boots up, before the file has the chance to load. To do this follow these steps:

Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now, otherwise click on the No button to reboot later.

You should be able to kill them all at once, if not do them one at a time. If that does not work:

2) Read the tutorial here: http://forum.malwareremoval.com/viewtopic.php?t=320 then download Killbox from the same site and use it to kill the files. You may be able to enter them all at once also. There are three options, do them in order by number.

Once they are gone then follow with this:

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [jmedxv.dll] F:\WINDOWS\system32\rundll32.exe F:\WINDOWS\system32\jmedxv.dll,sqskuqe
O4 - HKLM\..\Run: [sys02232524564] F:\WINDOWS\sys02232524564.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Post a new log and let me hear about it.

Thanks

And you will continue to get popups until you get this junk off of your computer.
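
Editor's added example, not code from pskelley's post, HijackThis or Killbox: the "Delete a file on reboot" step above works because Windows has a documented way to defer a file operation until the next boot. A program calls MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, Windows writes the request into the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and smss.exe carries the list out at the next start, before any Run-key autorun or rundll32 host has opened the file. That is why a file that says "Access Denied" in Explorer goes away after the reboot. The script assumes administrator rights and a current Python on Windows (the XP machine in this thread would need a much older interpreter); the two file names are the ones the poster could not delete by hand.

```python
r"""Mechanism behind HJT's "Delete a file on reboot" and Killbox's delete-on-reboot.

Added example, not HijackThis or Killbox code. The documented Windows mechanism
is MoveFileEx(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT): nothing is deleted now;
the request is appended to the REG_MULTI_SZ value
  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
and smss.exe processes that list at the next boot, before any autorun has opened
the file. Assumptions: administrator rights and a Python build for the target
Windows.
"""
import ctypes
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4  # winbase.h
NT_PREFIX = "\\??\\"


def pending_rename_entries(paths):
    """Build the string pairs Windows stores for delete-on-reboot requests.

    Each file becomes two strings: the NT-style source "\\??\\F:\\..." and an
    empty destination, which the Session Manager interprets as 'delete'.
    """
    entries = []
    for p in paths:
        if not p.startswith(NT_PREFIX):
            p = NT_PREFIX + p
        entries.extend([p, ""])
    return entries


def parse_pending(entries):
    """Decode PendingFileRenameOperations into (source, destination) tuples.

    destination is None for a delete; the '!' that MOVEFILE_REPLACE_EXISTING
    puts in front of an overwrite target is stripped.
    """
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        src = src[len(NT_PREFIX):] if src.startswith(NT_PREFIX) else src
        if dst == "":
            ops.append((src, None))
        else:
            dst = dst[1:] if dst.startswith("!") else dst
            dst = dst[len(NT_PREFIX):] if dst.startswith(NT_PREFIX) else dst
            ops.append((src, dst))
    return ops


def schedule_delete_on_reboot(paths):
    """Queue each path for deletion at next boot; returns the paths Windows accepted."""
    if sys.platform != "win32":
        raise OSError("MoveFileEx is a Win32 API; run this on the infected machine")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = (ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32)
    k32.MoveFileExW.restype = ctypes.c_bool
    accepted = []
    for p in paths:
        if k32.MoveFileExW(p, None, MOVEFILE_DELAY_UNTIL_REBOOT):
            accepted.append(p)
        else:
            err = ctypes.get_last_error()
            print("MoveFileEx(%s) failed: %s" % (p, ctypes.FormatError(err)))
    return accepted


def queued_operations():
    """Read back what is queued right now (Windows only), to confirm before rebooting."""
    import winreg
    sub = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
        try:
            value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        except FileNotFoundError:
            return []
    return parse_pending(value)


if __name__ == "__main__":
    # The two files the poster could not delete by hand (paths from the thread).
    stuck = ["F:\\WINDOWS\\sys02232524564.exe", "F:\\WINDOWS\\system32\\jmedxv.dll"]
    for src, dst in parse_pending(pending_rename_entries(stuck)):
        print("delete at boot:" if dst is None else "rename at boot:", src, dst or "")
    if sys.platform == "win32":
        schedule_delete_on_reboot(stuck)
        print(queued_operations())
```

The useful check is queued_operations(): run it after HJT or Killbox has asked for the reboot and before you actually reboot, and the file should be listed with an empty destination. If it is not, the request was never recorded (typically no administrator rights), and rebooting will not help.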

tfarmer12
2006-08-31, 23:54
Once again, thanks for the help. So, I was able to remove two of the three files you wanted using the delete on reboot from HJT. When I rebooted I got an error saying that the jmedxv DLL could not be run. Here's the summary:
F:\WINDOWS\sys02232524564.exe
(Removed using HJT reboot feature, there is still one with 2006 at the end as well as the other one I removed earlier, should I delete them??)
F:\WINDOWS\system32\jmedxv.dll
(Removed)
F:\WINDOWS\system32\sqskuqe
(Could not find)

The computer is definitely running faster and a lot less pop ups. Here is the new log:
Logfile of HijackThis v1.99.1
Scan saved at 2:48:46 PM, on 8/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\ewido anti-spyware 4.0\guard.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.processclaims.com
O16 - DPF: CabDeployment - http://qa-shopflow.pclaims.com/ShopFlowWeb/cab/UDCClientAccess.CAB
O16 - DPF: DownloadClientAccessCab - http://www.processclaims.com/web/cab/DownloadClientAccess.CAB
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155519605250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155519594875
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe

pskelley
2006-09-01, 00:11
OK, good job, that's a clean log. Tell me, these items are all valid, right?
O15 - Trusted Zone: *.processclaims.com
O16 - DPF: CabDeployment - http://qa-shopflow.pclaims.com/ShopF...ientAccess.CAB
O16 - DPF: DownloadClientAccessCab - http://www.processclaims.com/web/cab...ientAccess.CAB

Where are these popups coming from? Do they occur when you are offline? Or are they normal popups from surfing? I see no popup blocker in this log? Do you need one?

I also see no antivirus program, it is suicide going online anymore without one. Download this one:
http://free.grisoft.com/freeweb.php do not fool with paid version or trial version, stay with the FREE version. As soon as you have it, update it and do a complete system scan. Remove anything it locates and let me know about anything (complete name and pathway) of anything that could not be removed.

Your Security Center must be screaming about no antivirus program? Once it is functioning, open the Control Panel and then the Security Center. Make sure the AV, Firewall and Auto-Updates are all on go. Once you have followed these instructions, report back with the information I requested.

Thanks.

tfarmer12
2006-09-01, 01:29
Thanks again for the help--you are a Godsend!!
Yes, those three are valid. By the way, I am no longer getting pop ups, I was getting them before when I was offline, so I believe we are really close to fixing the problem. I use the IE SP2 popup blocker now, so I don't need another one. I downloaded the antivirus software and ran a scan. It found 8 items and deleted six. Here are the remaining two items (one on each of my two XP profiles):
AVG calls it downloader.obfuskated

1.) 7a7a902.exe location: F:\Documents and Settings\New Tim\Local Settings\Application Data\7a7a902.exe

2.)7a7a902.exe location: F:\Documents and Settings\Tim\Local Settings\Application Data\7a7a902.exe

I also turned on all the settings in my Security Center as you instructed me to.

pskelley
2006-09-01, 01:42
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=downloader%2Eobfuskated
These antiviruses all call the stuff something different, this might be what AVG calls it. These two items are bad:

F:\Documents and Settings\New Tim\Local Settings\Application Data\7a7a902.exe <<< delete the file
F:\Documents and Settings\Tim\Local Settings\Application Data\7a7a902.exe <<< delete the file

Do you have multiple users? I see a Tim and a new Tim?

You have the tools to scan them so you don't need me, once you know they are bad (and they are), delete them. I don't have a HJT log so I don't know if they are running in the log, but I doubt it. You can boot to safe mode, use the HJT tool you used earlier, or use the Killbox, delete those files and then run AVG again and it should be clean. Then post a last HJT log for a final look.

Thanks:bigthumb:

tfarmer12
2006-09-01, 02:22
So, I was able to navigate directly to those locations and delete the files manually. I rebooted and they did not come back. I ran HJT again and here is my log. I think we may have this licked!!

Logfile of HijackThis v1.99.1
Scan saved at 5:17:31 PM, on 8/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\Program Files\ewido anti-spyware 4.0\guard.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: *.processclaims.com
O16 - DPF: CabDeployment - http://qa-shopflow.pclaims.com/ShopFlowWeb/cab/UDCClientAccess.CAB
O16 - DPF: DownloadClientAccessCab - http://www.processclaims.com/web/cab/DownloadClientAccess.CAB
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155519605250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155519594875
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe

pskelley
2006-09-01, 03:35
Looks good:bigthumb: still need to update that Java program, and allow Windows to update the criticals automatically.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Safe surfing...tashi:) will close your topic in a day or so.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

tfarmer12
2006-09-01, 04:52
Great!!! Thanks again for the advice, I can't begin to thank you enough. You did a great job and deserve a pat on the back!!!:bigthumb:

tashi
2006-09-03, 05:24
As the problem appears to be resolved this topic has been archived. :)

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Cheers