Here is my story. After a mate installed Msn messenger plus 3 addon to my pc, ive got adware problem. finally i figured its from lop.com scum and uninstalled it with http://www.mysearchnow.com/help.html 's uninstaller. after some time my antivir popped with an alert containing a "Downloader.Swizzor.8.BK" in an exe in my mydocs/pcuser/localset/TEMP. i deleted that exe from quarantina and after some hours again ive recieved another alert. the exe names totally random such as 284kdfx34.exe last ones name was 7d9334.exe. the point is this exe is created continuously and i dont know what is causing this. ive scanned my pc with lavasofts adaware and grisofts free antivir but they cant find anything. ive checked my task manager but everything seems ok. so i appriciate any help and tnx in adv.

Download HJTsetup.exe from this link http://www.thespykiller.co.uk/files... to your desktop. Doubleclick on the HJTsetup.exe icon on your desktop. By default it will install to C:\Program Files\Hijack This.Please install it there. Continue to click "next" in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue. Put a check by "Create a desktop icon" then click "Next" again. Continue to follow the rest of the prompts from there. At the final dialogue box click "Finish" and it will launch Hijack This. Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread.

Logfile of HijackThis v1.99.1 Scan saved at 16:54:58, on 13.10.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\SOUNDMAN.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\WINDOWS\sm56hlpr.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\MessengerPlus! 3\MsgPlus.exe C:\Program Files\Nero\Nero 7\InCD\InCD.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe c:\progra~1\intern~1\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O4 - HKLM\..\Run: [High Definition Audio Properties Shorthcut] HDAShCut.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.exe O4 - HKLM\..\Run: [Alcmtr] ALCMTR.exe O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe O4 - HKLM\..\Run: [InstantOn] "C:\Program Files\CyberLink\PowerCinema Linux\ion_install.exe" /c O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Zoom\Adsl\dslagent.exe O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" O4 - HKLM\..\Run: [InCD] "C:\Program Files\Nero\Nero 7\InCD\InCD.exe" O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h O4 - HKCU\..\Run: [nurb blue] C:\DOCUME~1\Fscomp\APPLIC~1\KNOBCO~1\HideModeAdmin.exe O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe the only thing i suspect is the O4 - HKCU\..\Run: [nurb blue] C:\DOCUME~1\Fscomp\APPLIC~1\KNOBCO~1\HideModeAdmin.exe knob cool directory with containing 4 exes which i dont know what are they. ill try deleteting the key from reg. and the directory. then wait and see :D Tnx alot for everything.

http://img177.imageshack.us/img177/... this is the picture of knob cool directory contents. Oh btw. my os is in diffrent language so i've translated the things to English in the log file. so dont bother with them and sorry for the typos. :D

Go to ADD/REMOVE Programs and uninstall the following. MessengerPlus3 FlashGet Ares All versions of 'Java' Then go to C/Program Files and delete those folders if still present. Next, proceed here - http://java.sun.com/javase/download... and install 'Java Runtime Environment (JRE) 5.0 Update 9' Go to 'Control Panel/folder options/view' and check 'show hidden files and folders'.While there, UNCHECK 'hide protected operating system files(recommended)'. Click Apply and Okay. Download Download Ewido(AVG Antispyware) http://www.ewido.net/en/download/ then set it up this way http://rstones12.geekstogo.com/ewid... You will need this later in safe mode Make sure to update this program. Download ATF-Cleaner to your desktop from this link http://www.atribune.org/content/vie... You will need it later in safe mode. Download, install and update this excellent freebie- Superantispyware here http://www.superantispyware.com/dow... Run HijackThis. Select 'Misc.Tools/Delete a File on Reboot" Navigate to - C:\DOCUME~1\Fscomp\APPLIC~1\KNOBCO~1\HideModeAdmin.exe Click open.Okay. Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now. Click Yes/ok Your system must reboot now. Once back in windows, reboot into safemode by doing the following. After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account. Disable all security programs- AVG, Ewido, etc until they are needed. From safemode, run HijackThis and put a check by the following entries if still present, close all open windows and browsers except HijackThis and click 'Fix Checked' R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.exe O4 - HKLM\..\Run: [Alcmtr] ALCMTR.exe O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h O4 - HKCU\..\Run: [nurb blue] C:\DOCUME~1\Fscomp\APPLIC~1\KNOBCO~1\HideModeAdmin.exe O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe Exit Hijack This but remain in safe mode. Run Ewido - make sure of the following settings. Select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" Save this scan log. Run Superantispyware Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use firefox also, select at top of ATF cleaner-tick Select all and run again. Reboot into normal windows, run ATF cleaner again and post a fresh 'HJT' log along with the safemode scan log from Ewido.

lol if i delete O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.exe O4 - HKLM\..\Run: [Alcmtr] ALCMTR.exe entries my hardware wont be happy :D and i didnt get why to uninstall flashget or the other programs in first place?. even if i uninstall ill install it back and the keys will be there again afterwards :D anyway i deleted the "knob" key and the "knob" directory and now everything seems fine. nothing appearing after restart or so. Tnx again.

Any entries i listed were either not necessary to run at startup or in the case of Flashget- installs Adware, Ares- installs Adware/Spyware, ALCMTR.EXE- is Spyware. But suit yourself!.