Q: Removing Malware, Spyware ( Answered,   2 Comments )
Question  
Subject: Removing Malware, Spyware
Category: Computers > Internet
Asked by: mule-ga
List Price: $15.00
Posted: 11 May 2005 12:06 PDT
Expires: 10 Jun 2005 12:06 PDT
Question ID: 520536
I have several malware buggers running on my system that I can't seem
to get rid of.  The pop-ups I receive on my computer are from 
yupsearch, rotator.adjuggler and e.rn11.com.  My computer is very
slow, too.  I have a HijackThis log that I just ran....should I post
it for you?

Request for Question Clarification by sublime1-ga on 11 May 2005 12:56 PDT
Posting the hijackthis log would be very helpful.

Clarification of Question by mule-ga on 11 May 2005 13:07 PDT
Here ya go...thanks for the assistance!!

Logfile of HijackThis v1.99.1
Scan saved at 1:43:29 PM, on 5/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iISystem Wiper\SystemWiper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper -
{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitejtg32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common
Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media
Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch
Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event
Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP
Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program
Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program
Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO
Printer A920\dlbkbmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN
Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program
Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe"
/STARTMONITOR
O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program
Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program
Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program
Files\Kodak\KODAK Software
Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
- C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX
Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC}
(MessengerStatsClient Class) -
http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan
Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune
Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) -
http://fdl.msn.com/public/investor/v13/ticker.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o.
- C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology
Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman
Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -
C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

Request for Question Clarification by sublime1-ga on 11 May 2005 15:00 PDT
mule...

About the only entry I see that is bad is igfxtray.exe
It's a WIN32.startpage virus, with a registry entry to
launch the file at Windows startup:
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitejtg32.exe

Since the file is activated at startup, you may not be
able to delete it without either rebooting into Safe Mode,
which will prevent the registry entry from activating, 
and let you delete the file, or, using msconfig to uncheck
the entry in your startup files before rebooting.

Start -> Run -> type: msconfig -> hit Enter -> go to the
Startup tab and find the entry, and uncheck it. Then
reboot and delete the file.


Then make use of the following, as needed.

Free online & downloadable virus scans:

AntiVir:
http://www.free-av.com/

BitDefender:
http://www.bitdefender.com/scan/licence.php

Computer Associates:
http://www3.ca.com/virusinfo/virusscan.aspx

McAfee:
http://us.mcafee.com/virusInfo/default.asp?

Panda:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Trend Micro:
http://housecall.trendmicro.com/housecall/start_corp.asp

Trend Micro and AntiVir are known to pick up on things which
are sometimes missed by Norton. I use AntiVir.

You might also download, install and run the following:

Lavasoft AdAware:
http://www.lavasoft.de/

SpyBot Search and Destroy:
http://www.safer-networking.org
[Looks like you might already have this, but you need
to get the latest updates, and run it regularly]


And, as preventive measures, download and install:

Spyware Blaster
http://www.javacoolsoftware.com/spywareblaster.html

WinPatrol
http://www.winpatrol.com/ 
WinPatrol has a tab where you can look at, and disable
or delete, startup entries, in a much more user-friendly
way than with msconfig, as discussed above.


Let me know where this takes you...

sublime1-ga

Request for Question Clarification by livioflores-ga on 11 May 2005 21:04 PDT
Hi!!

If the sublime-ga method fails try the following one:

* Download LQfix.zip 
Unzip it and save it to your desktop, don't use it yet.
http://users.pandora.be/bluepatchy/LQfix.zip 

* Reboot into Safe Mode: !! really important !! 

In safe mode.. 
Double-click LQfix.bat that you saved on your desktop before. 
A DOS window will open and close again, this is normal. 

Reboot back to normal mode and post a new HJT log.

Good luck!!

Clarification of Question by mule-ga on 16 May 2005 07:52 PDT
Your help and assistance have cleared up my PC.  Thanks for the assistance!!

Request for Question Clarification by livioflores-ga on 16 May 2005 08:38 PDT
Please can you tell us which researcher deserves the prize?

Thank you.

Request for Question Clarification by sublime1-ga on 16 May 2005 15:50 PDT
What livioflores-ga means is that, up to this point, neither
of us has posted a formal answer, which is something we do
with some computer problems, to make sure the problem is one
that can be properly solved before the fee is claimed.

So it would help if you could tell us which set of instructions
you used to resolve your malware problem. Otherwise I will make
the assumption that it was the first set of instructions, which
was mine, and repost it as an answer. Of course, I'd rather not
do this, if you used the second set of instructions to fix the
problem. So do let us know.

sublime1-ga
Answer  
Subject: Re: Removing Malware, Spyware
Answered By: sublime1-ga on 31 May 2005 00:40 PDT
 
mule...

Given your silence since both livioflores-ga and I posted
Requests for Clarification on May 16th, not to mention
myoarin-ga's comment on May 26th, I am posting my original
input as an official answer, as noted.

If I have erred in claiming to have been the one deserving
of the fee, again, do let me know by way of a clarification.
I'll reproduce the information I provided here, for the sake
of future readers:


About the only entry I see that is bad is elitejtg32.exe
It's a WIN32.startpage virus, with a registry entry to
launch the file at Windows startup:
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitejtg32.exe

Since the file is activated at startup, you may not be
able to delete it without either rebooting into Safe Mode,
which will prevent the registry entry from activating, 
and let you delete the file, or, using msconfig to uncheck
the entry in your startup files before rebooting.

Start -> Run -> type: msconfig -> hit Enter -> go to the
Startup tab and find the entry, and uncheck it. Then
reboot and delete the file.


Then make use of the following, as needed.

Free online & downloadable virus scans:

AntiVir:
http://www.free-av.com/

BitDefender:
http://www.bitdefender.com/scan/licence.php

Computer Associates:
http://www3.ca.com/virusinfo/virusscan.aspx

McAfee:
http://us.mcafee.com/virusInfo/default.asp?

Panda:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Trend Micro:
http://housecall.trendmicro.com/housecall/start_corp.asp

Trend Micro and AntiVir are known to pick up on things which
are sometimes missed by Norton. I use AntiVir.

You might also download, install and run the following:

Lavasoft AdAware:
http://www.lavasoft.de/

SpyBot Search and Destroy:
http://www.safer-networking.org
[Looks like you might already have this, but you need
to get the latest updates, and run it regularly]


And, as preventive measures, download and install:

Spyware Blaster
http://www.javacoolsoftware.com/spywareblaster.html

WinPatrol
http://www.winpatrol.com/ 
WinPatrol has a tab where you can look at, and disable
or delete, startup entries, in a much more user-friendly
way than with msconfig, as discussed above.


Please do not rate this answer until you are satisfied that  
the answer cannot be improved upon by way of a dialog  
established through the "Request for Clarification" process. 
 
sublime1-ga
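The answer above finds the bad entry by reading the O4 (autostart) lines of the HijackThis log by eye and spotting an unfamiliar executable dropped into system32. The script below is an added example, written for this page and not code from HijackThis or from either researcher: it parses O4 lines into structured records (registry Run values and startup-folder shortcuts), extracts the image path from each command line, and applies two review heuristics. The sample input is a constructed subset of the log posted in the question; the %systemroot% mapping, the PROGRA~1 short-name expansion and the small allowlist of OS binaries expected to autostart from the Windows directory are assumptions of the example. A hit means "look at this", not "this is malware".

```python
"""Triage the O4 (autostart) entries of a HijackThis log.

Added example: parses 'O4 - ...' lines into records and flags the ones that
deserve a manual look. The allowlist, variable mapping and heuristics are
assumptions of this example, not part of HijackThis or the answer above.
"""
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the O4 lines from the log posted in
# the question, plus one O2 line to show non-O4 lines are ignored.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"',
    r'O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitejtg32.exe',
    r'O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP',
    r'O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u',
    r'O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE',
    r'O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll',
]

# Registry Run-key form:   O4 - HKLM\..\Run: [ValueName] command line
REG_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# Startup-folder form:     O4 - Global Startup: Shortcut.lnk = target
DIR_RE = re.compile(r'^O4 - (?P<where>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# First image extension in an unquoted command line; HJT prints paths with
# spaces unquoted, so splitting on whitespace would truncate them.
EXT_RE = re.compile(r'\.(exe|dll|com|bat|cmd|scr|pif|vbs|js)\b', re.IGNORECASE)

# Assumptions of this example: variable/short-name expansion for an XP SP2
# box, and the OS binaries one expects to autostart from the Windows directory.
ENV_MAP = {'%systemroot%': 'c:\\windows', '%windir%': 'c:\\windows',
           'c:\\progra~1': 'c:\\program files'}
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\')
KNOWN_OS_AUTOSTARTS = {'ctfmon.exe', 'dumprep', 'igfxtray.exe', 'hkcmd.exe'}
SCRIPT_EXTS = {'bat', 'cmd', 'scr', 'pif', 'vbs', 'js'}


@dataclass
class AutoStart:
    source: str    # e.g. 'HKLM\Run' or 'Global Startup'
    name: str      # registry value name or shortcut name
    command: str   # raw command line as logged
    image: str     # normalised path of the executable image


def image_path(cmd: str) -> str:
    """Pull the executable path out of a command line, arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path: take up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.search(cmd)                  # unquoted: cut after the first image extension
    if m:
        return cmd[:m.end()]
    parts = cmd.split()                     # no extension at all (e.g. 'dumprep 0 -u')
    return parts[0] if parts else cmd


def normalize(path: str) -> str:
    """Lower-case and expand the few variables/short names seen in HJT logs."""
    p = path.lower()
    for var, value in ENV_MAP.items():
        p = p.replace(var, value)
    return p


def parse_o4(lines):
    """Return an AutoStart record for every O4 line; other HJT sections are skipped."""
    entries = []
    for line in lines:
        m = REG_RE.match(line)
        if m:
            entries.append(AutoStart(f"{m['hive']}\\{m['key']}", m['name'], m['cmd'],
                                     normalize(image_path(m['cmd']))))
            continue
        m = DIR_RE.match(line)
        if m:
            entries.append(AutoStart(m['where'], m['name'], m['cmd'],
                                     normalize(image_path(m['cmd']))))
    return entries


def review_reasons(entry: AutoStart) -> list:
    """Heuristics that mark an entry 'look at this'; a hit is not proof of malware."""
    base = entry.image.rsplit('\\', 1)[-1]
    directory = entry.image[:len(entry.image) - len(base)]
    reasons = []
    if directory in SYSTEM_DIRS and base not in KNOWN_OS_AUTOSTARTS:
        reasons.append('unrecognised image in the Windows system directory')
    ext = base.rsplit('.', 1)[-1] if '.' in base else ''
    if ext in SCRIPT_EXTS:
        reasons.append('script or unusual image type')
    return reasons


def triage(lines) -> dict:
    """Map value/shortcut name -> reasons, for the entries that need review."""
    flagged = {}
    for entry in parse_o4(lines):
        reasons = review_reasons(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f'REVIEW {name}: {"; ".join(reasons)}')
```

Run against the sample, the only entry flagged is the `checkrun` value pointing at `C:\windows\system32\elitejtg32.exe`, the same one the answer singles out; the vendor entries under Program Files and the known OS autostarts (ctfmon.exe, dumprep) pass. The flagged record's `source` tells you which Run key the value lives in, which is the entry msconfig unticks and the one you delete after removing the file from Safe Mode.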
Comments  
Subject: Re: Removing Malware, Spyware
From: rsantos12184-ga on 26 May 2005 08:54 PDT
 
You want an easy solution? First of all, that stuff looked legit... so
just download Ad-Aware, Spybot, Spy Sweeper and Spy Doctor in Safe
Mode. After that, run
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
to search for any other spyware or viruses... and download AVG if
need be. That should take care of it.
Subject: Re: Removing Malware, Spyware
From: myoarin-ga on 26 May 2005 10:47 PDT
 
Hello Mule-ga,
Back on 16 May, you were delighted that something recommended by
either Sublime-ga or Livioflores-ga solved your problem.
I am sure that they are pleased that they could help you, but their
time and expertise were surely worth at least the $15 price you put on
your question.
As you can see from their last postings, they are each being very fair
about wanting the one whose clarification helped you to receive your
recognition - that you ask that one to post the information as an
"answer" so that the price can be booked.

I expect that in your pleasure at being "up and running" again you may
have overlooked their last postings.

Waiting to see stars,
Myoarin
