I somehow manage to run the HijackThis.exe and log the processes and suddenly the windows automatically shut down. And then, after re-login back, I must attach it to my email because windows again automatically shutdown when i try to open the .log file. Anyway, this is the log captured by HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 7:56:22 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Documents and Settings\hassim_gso\Local Settings\Application Data\csrss.exe
C:\Documents and Settings\hassim_gso\Local Settings\Application Data\csrss.exe
C:\Documents and Settings\hassim_gso\Local Settings\Application Data\svchost.exe
C:\Documents and Settings\hassim_gso\Desktop\HJT\HijackThis.exe
C:\WINDOWS\system32\logonui.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\KesenjanganSosial.exe"
O1 - Hosts: 127.4.7.4 mcafee.com
O1 - Hosts: 127.4.7.4 www.mcafee.com
O1 - Hosts: 127.4.7.4 mcafeesecurity.com
O1 - Hosts: 127.4.7.4 www.mcafeesecurity.com
O1 - Hosts: 127.4.7.4 mcafeeb2b.com
O1 - Hosts: 127.4.7.4 www.mcafeeb2b.com
O1 - Hosts: 127.4.7.4 nai.com
O1 - Hosts: 127.4.7.4 www.nai.com
O1 - Hosts: 127.4.7.4 vil.nai.com
O1 - Hosts: 127.4.7.4 grisoft.com
O1 - Hosts: 127.4.7.4 www.grisoft.com
O1 - Hosts: 127.4.7.4 kaspersky-labs.com
O1 - Hosts: 127.4.7.4 www.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 kaspersky.com
O1 - Hosts: 127.4.7.4 www.kaspersky.com
O1 - Hosts: 127.4.7.4 downloads1.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads2.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads3.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads4.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 download.mcafee.com
O1 - Hosts: 127.4.7.4 grisoft.cz
O1 - Hosts: 127.4.7.4 www.grisoft.cz
O1 - Hosts: 127.4.7.4 norton.com
O1 - Hosts: 127.4.7.4 www.norton.com
O1 - Hosts: 127.4.7.4 symantec.com
O1 - Hosts: 127.4.7.4 www.symantec.com
O1 - Hosts: 127.4.7.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.4.7.4 liveupdate.symantec.com
O1 - Hosts: 127.4.7.4 update.symantec.com
O1 - Hosts: 127.4.7.4 securityresponse.symantec.com
O1 - Hosts: 127.4.7.4 sarc.com
O1 - Hosts: 127.4.7.4 www.sarc.com
O1 - Hosts: 127.4.7.4 vaksin.com
O1 - Hosts: 127.4.7.4 www.vaksin.com
O1 - Hosts: 127.4.7.4 forum.vaksin.com
O1 - Hosts: 127.4.7.4 norman.com
O1 - Hosts: 127.4.7.4 www.norman.com
O1 - Hosts: 127.4.7.4 trendmicro.com
O1 - Hosts: 127.4.7.4 www.trendmicro.com
O1 - Hosts: 127.4.7.4 trendmicro.co.jp
O1 - Hosts: 127.4.7.4 www.trendmicro.co.jp
O1 - Hosts: 127.4.7.4 trendmicro-europe.com
O1 - Hosts: 127.4.7.4 www.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 ae.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 it.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 secunia.com
O1 - Hosts: 127.4.7.4 www.secunia.com
O1 - Hosts: 127.4.7.4 winantivirus.com
O1 - Hosts: 127.4.7.4 www.winantivirus.com
O1 - Hosts: 127.4.7.4 pandasoftware.com
O1 - Hosts: 127.4.7.4 www.pandasoftware.com
O1 - Hosts: 127.4.7.4 esafe.com
O1 - Hosts: 127.4.7.4 www.esafe.com
O1 - Hosts: 127.4.7.4 f-secure.com
O1 - Hosts: 127.4.7.4 www.f-secure.com
O1 - Hosts: 127.4.7.4 europe.f-secure.com
O1 - Hosts: 127.4.7.4 bhs.com
O1 - Hosts: 127.4.7.4 www.bhs.com
O1 - Hosts: 127.4.7.4 datafellows.com
O1 - Hosts: 127.4.7.4 www.datafellows.com
O1 - Hosts: 127.4.7.4 cheyenne.com
O1 - Hosts: 127.4.7.4 www.cheyenne.com
O1 - Hosts: 127.4.7.4 ontrack.com
O1 - Hosts: 127.4.7.4 www.ontrack.com
O1 - Hosts: 127.4.7.4 sands.com
O1 - Hosts: 127.4.7.4 www.sands.com
O1 - Hosts: 127.4.7.4 sophos.com
O1 - Hosts: 127.4.7.4 www.sophos.com
O1 - Hosts: 127.4.7.4 icubed.com
O1 - Hosts: 127.4.7.4 www.icubed.com
O1 - Hosts: 127.4.7.4 perantivirus.com
O1 - Hosts: 127.4.7.4 www.perantivirus.com
O1 - Hosts: 127.4.7.4 virusalert.nl
O1 - Hosts: 127.4.7.4 www.virusalert.nl
O1 - Hosts: 127.4.7.4 pagina.nl
O1 - Hosts: 127.4.7.4 www.pagina.nl
O1 - Hosts: 127.4.7.4 antivirus.pagina.nl
O1 - Hosts: 127.4.7.4 castlecops.com
O1 - Hosts: 127.4.7.4 www.castlecops.com
O1 - Hosts: 127.4.7.4 virustotal.com
O1 - Hosts: 127.4.7.4 www.virustotal.com
O1 - Hosts: 127.4.7.4 www.ca.com
O1 - Hosts: 127.4.7.4 ca.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\RakyatKelaparan.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus-3081] "C:\Documents and Settings\hassim_gso\Local Settings\Application Data\br7185on.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Empty.pif = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://www.putra.upm.edu.my/iNotes.cab
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\j44o0eh3eh4.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: OracleOracle9iDSClientCache - Unknown owner - C:\oracle9ids\BIN\ONRSD.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

You are infected with a variant of the Brontok worm, which I don't think AVG can deal with yet.
Also, speaking of AVG: you mentioned "other staff's pc". The version of AVG that you are running (AVG Free) is only for personal use; you are violating AVG's terms of use by deploying the program in a business environment.

Sophos indicates that their AV products can deal with the worm; I've also read that the NOD and Avast! antivirus programs can do the same.

Dear DMR,

Thank you for giving me the information. About the violation, I have no intention at all to violate at any purpose, I just don't read the terms and condition. I will register if nessecary or uninstall the software if it is still violating. Thank you for reminding me about the violation.

No worries- I'm not the Software Police or anything like that :mrgreen:
I just like to see a company that puts out a good product get paid for that product when/where applicable.

Were you able to use NOD or Avast! to remove the Brontok infection? I'd be curious to know if either of those utilities actually worked.

The Brontok worm is very confusing. I can't understand the infections. Sometimes the computer shutdown itself, sometimes the computer is very slow as a result of a process B**something.exe running using 50% and above of the CPU process, and when I kill the process, another critical such as crss and smss(I don't know what is it) automatically ran and used mostly of the CPU process.
Norton 2005 detected the worm as well as Avast. But the recommendation of both software is move to chest or quarantine. But, unfortunately, the bad worm :evil: has made the registry corrupt and can't be repaired by just moving the infected file/registry to chest or quarantine. I've tried the Microsoft Windows System restore and restored the infected computer back to where it was without infection, successfully.
As I told you, the worm is still wandering about in the network, but most of the computer didn't have data of system restore before. Therefore, It can't be restored or repair. The worst case, it also can't be repaired by booting the computer using XP bootable CD. The only way is to format the computer. .But I didn't started yet the format process because it is such an unpleasing thing to do. HELP ME!!.

Thank you,

Post a new HijackThis log and we'll see if we can remove the infection(s) manually from there.

Finally, After trying several times and days :

Logfile of HijackThis v1.99.1
Scan saved at 1:37:12 PM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\services.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\lsass.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Visicom Media\AceFTP 3 freeware\aceftp3free.exe
C:\9idvs\bin\rwbuilder.exe
C:\Program Files\HTTP-Tunnel\HTTP-TunnelClient.exe
C:\Program Files\Quest Software\TOAD\TOAD.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\csrss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\9idvs\discoverer902\bin\dis51usr.exe
C:\Program Files\Magneto Software\MegaPing\MegaPing.exe
C:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe
C:\WINDOWS\system32\logonui.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=localhost:1080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\sembako-cfzjlmg.exe"
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\pxvlcg6x.slt\prefs.js)
O1 - Hosts: 127.4.7.4 mcafee.com
O1 - Hosts: 127.4.7.4 www.mcafee.com
O1 - Hosts: 127.4.7.4 mcafeesecurity.com
O1 - Hosts: 127.4.7.4 www.mcafeesecurity.com
O1 - Hosts: 127.4.7.4 mcafeeb2b.com
O1 - Hosts: 127.4.7.4 www.mcafeeb2b.com
O1 - Hosts: 127.4.7.4 nai.com
O1 - Hosts: 127.4.7.4 www.nai.com
O1 - Hosts: 127.4.7.4 vil.nai.com
O1 - Hosts: 127.4.7.4 grisoft.com
O1 - Hosts: 127.4.7.4 www.grisoft.com
O1 - Hosts: 127.4.7.4 kaspersky-labs.com
O1 - Hosts: 127.4.7.4 www.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 kaspersky.com
O1 - Hosts: 127.4.7.4 www.kaspersky.com
O1 - Hosts: 127.4.7.4 downloads1.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads2.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads3.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads4.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 download.mcafee.com
O1 - Hosts: 127.4.7.4 grisoft.cz
O1 - Hosts: 127.4.7.4 www.grisoft.cz
O1 - Hosts: 127.4.7.4 norton.com
O1 - Hosts: 127.4.7.4 www.norton.com
O1 - Hosts: 127.4.7.4 symantec.com
O1 - Hosts: 127.4.7.4 www.symantec.com
O1 - Hosts: 127.4.7.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.4.7.4 liveupdate.symantec.com
O1 - Hosts: 127.4.7.4 update.symantec.com
O1 - Hosts: 127.4.7.4 securityresponse.symantec.com
O1 - Hosts: 127.4.7.4 sarc.com
O1 - Hosts: 127.4.7.4 www.sarc.com
O1 - Hosts: 127.4.7.4 vaksin.com
O1 - Hosts: 127.4.7.4 www.vaksin.com
O1 - Hosts: 127.4.7.4 forum.vaksin.com
O1 - Hosts: 127.4.7.4 norman.com
O1 - Hosts: 127.4.7.4 www.norman.com
O1 - Hosts: 127.4.7.4 trendmicro.com
O1 - Hosts: 127.4.7.4 www.trendmicro.com
O1 - Hosts: 127.4.7.4 trendmicro.co.jp
O1 - Hosts: 127.4.7.4 www.trendmicro.co.jp
O1 - Hosts: 127.4.7.4 trendmicro-europe.com
O1 - Hosts: 127.4.7.4 www.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 ae.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 it.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 secunia.com
O1 - Hosts: 127.4.7.4 www.secunia.com
O1 - Hosts: 127.4.7.4 winantivirus.com
O1 - Hosts: 127.4.7.4 www.winantivirus.com
O1 - Hosts: 127.4.7.4 pandasoftware.com
O1 - Hosts: 127.4.7.4 www.pandasoftware.com
O1 - Hosts: 127.4.7.4 esafe.com
O1 - Hosts: 127.4.7.4 www.esafe.com
O1 - Hosts: 127.4.7.4 f-secure.com
O1 - Hosts: 127.4.7.4 www.f-secure.com
O1 - Hosts: 127.4.7.4 europe.f-secure.com
O1 - Hosts: 127.4.7.4 bhs.com
O1 - Hosts: 127.4.7.4 www.bhs.com
O1 - Hosts: 127.4.7.4 datafellows.com
O1 - Hosts: 127.4.7.4 www.datafellows.com
O1 - Hosts: 127.4.7.4 cheyenne.com
O1 - Hosts: 127.4.7.4 www.cheyenne.com
O1 - Hosts: 127.4.7.4 ontrack.com
O1 - Hosts: 127.4.7.4 www.ontrack.com
O1 - Hosts: 127.4.7.4 sands.com
O1 - Hosts: 127.4.7.4 www.sands.com
O1 - Hosts: 127.4.7.4 sophos.com
O1 - Hosts: 127.4.7.4 www.sophos.com
O1 - Hosts: 127.4.7.4 icubed.com
O1 - Hosts: 127.4.7.4 www.icubed.com
O1 - Hosts: 127.4.7.4 perantivirus.com
O1 - Hosts: 127.4.7.4 www.perantivirus.com
O1 - Hosts: 127.4.7.4 virusalert.nl
O1 - Hosts: 127.4.7.4 www.virusalert.nl
O1 - Hosts: 127.4.7.4 pagina.nl
O1 - Hosts: 127.4.7.4 www.pagina.nl
O1 - Hosts: 127.4.7.4 antivirus.pagina.nl
O1 - Hosts: 127.4.7.4 castlecops.com
O1 - Hosts: 127.4.7.4 www.castlecops.com
O1 - Hosts: 127.4.7.4 virustotal.com
O1 - Hosts: 127.4.7.4 www.virustotal.com
O1 - Hosts: 127.4.7.4 www.ca.com
O1 - Hosts: 127.4.7.4 ca.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_14.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [Bron-Spizaetus-cfgmlnry] "C:\WINDOWS\ShellNew\bbm-yrnlmgfc.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus-3444] "C:\Documents and Settings\Administrator\Local Settings\Application Data\br7911on.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Empty.pif = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download with FreeDAccelerator! - C:\Program Files\Free Download Accelerator 2\FreeDAccelerator.htm
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {CAFECAFE-0013-0001-0008-ABCDEFABCDEF} (JInitiator 1.3.1.8) - http://sgs.upm.edu.my:7777/discovere.../jinit1318.exe
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77EDD71A-5EDF-42D4-8B14-95D1316B2A2C}: NameServer = 172.16.240.250,172.16.240.251
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: hplun.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Oracle9iDSAgent - Oracle Corporation - C:\9idvs\bin\agntsrvc.exe
O23 - Service: Oracle9iDSClientCache - Unknown owner - C:\9idvs\BIN\ONRSD.EXE

Thanks in advance.

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Can you tell us anything about the proxy server setting in this log entry:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=localhost:1080

and the DNS server IP addresses in this entry:
O17 - HKLM\System\CCS\Services\Tcpip\..\{77EDD71A-5EDF-42D4-8B14-95D1316B2A2C}: NameServer = 172.16.240.250,172.16.240.251


2. Download and install the following utilities:

CCleaner - www.ccleaner.com
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart...4011&vcode=DT02
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
ewido Anti-malware - http://www.ewido.net/en/download/

- Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run a scan yet; just close the program once the update completes.

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Avast! and make sure that it has the most current virus definitions installed. Again- don't scan yet, just close the program once it's updated.


3. Run HijackTHis again, put a check mark next to the following entries, and then click the "Fix checked" button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\sembako-cfzjlmg.exe"
O1 - Hosts: 127.4.7.4 mcafee.com
O1 - Hosts: 127.4.7.4 www.mcafee.com
O1 - Hosts: 127.4.7.4 mcafeesecurity.com
O1 - Hosts: 127.4.7.4 www.mcafeesecurity.com
O1 - Hosts: 127.4.7.4 mcafeeb2b.com
O1 - Hosts: 127.4.7.4 www.mcafeeb2b.com
O1 - Hosts: 127.4.7.4 nai.com
O1 - Hosts: 127.4.7.4 www.nai.com
O1 - Hosts: 127.4.7.4 vil.nai.com
O1 - Hosts: 127.4.7.4 grisoft.com
O1 - Hosts: 127.4.7.4 www.grisoft.com
O1 - Hosts: 127.4.7.4 kaspersky-labs.com
O1 - Hosts: 127.4.7.4 www.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 kaspersky.com
O1 - Hosts: 127.4.7.4 www.kaspersky.com
O1 - Hosts: 127.4.7.4 downloads1.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads2.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads3.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads4.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 download.mcafee.com
O1 - Hosts: 127.4.7.4 grisoft.cz
O1 - Hosts: 127.4.7.4 www.grisoft.cz
O1 - Hosts: 127.4.7.4 norton.com
O1 - Hosts: 127.4.7.4 www.norton.com
O1 - Hosts: 127.4.7.4 symantec.com
O1 - Hosts: 127.4.7.4 www.symantec.com
O1 - Hosts: 127.4.7.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.4.7.4 liveupdate.symantec.com
O1 - Hosts: 127.4.7.4 update.symantec.com
O1 - Hosts: 127.4.7.4 securityresponse.symantec.com
O1 - Hosts: 127.4.7.4 sarc.com
O1 - Hosts: 127.4.7.4 www.sarc.com
O1 - Hosts: 127.4.7.4 vaksin.com
O1 - Hosts: 127.4.7.4 www.vaksin.com
O1 - Hosts: 127.4.7.4 forum.vaksin.com
O1 - Hosts: 127.4.7.4 norman.com
O1 - Hosts: 127.4.7.4 www.norman.com
O1 - Hosts: 127.4.7.4 trendmicro.com
O1 - Hosts: 127.4.7.4 www.trendmicro.com
O1 - Hosts: 127.4.7.4 trendmicro.co.jp
O1 - Hosts: 127.4.7.4 www.trendmicro.co.jp
O1 - Hosts: 127.4.7.4 trendmicro-europe.com
O1 - Hosts: 127.4.7.4 www.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 ae.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 it.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 secunia.com
O1 - Hosts: 127.4.7.4 www.secunia.com
O1 - Hosts: 127.4.7.4 winantivirus.com
O1 - Hosts: 127.4.7.4 www.winantivirus.com
O1 - Hosts: 127.4.7.4 pandasoftware.com
O1 - Hosts: 127.4.7.4 www.pandasoftware.com
O1 - Hosts: 127.4.7.4 esafe.com
O1 - Hosts: 127.4.7.4 www.esafe.com
O1 - Hosts: 127.4.7.4 f-secure.com
O1 - Hosts: 127.4.7.4 www.f-secure.com
O1 - Hosts: 127.4.7.4 europe.f-secure.com
O1 - Hosts: 127.4.7.4 bhs.com
O1 - Hosts: 127.4.7.4 www.bhs.com
O1 - Hosts: 127.4.7.4 datafellows.com
O1 - Hosts: 127.4.7.4 www.datafellows.com
O1 - Hosts: 127.4.7.4 cheyenne.com
O1 - Hosts: 127.4.7.4 www.cheyenne.com
O1 - Hosts: 127.4.7.4 ontrack.com
O1 - Hosts: 127.4.7.4 www.ontrack.com
O1 - Hosts: 127.4.7.4 sands.com
O1 - Hosts: 127.4.7.4 www.sands.com
O1 - Hosts: 127.4.7.4 sophos.com
O1 - Hosts: 127.4.7.4 www.sophos.com
O1 - Hosts: 127.4.7.4 icubed.com
O1 - Hosts: 127.4.7.4 www.icubed.com
O1 - Hosts: 127.4.7.4 perantivirus.com
O1 - Hosts: 127.4.7.4 www.perantivirus.com
O1 - Hosts: 127.4.7.4 virusalert.nl
O1 - Hosts: 127.4.7.4 www.virusalert.nl
O1 - Hosts: 127.4.7.4 pagina.nl
O1 - Hosts: 127.4.7.4 www.pagina.nl
O1 - Hosts: 127.4.7.4 antivirus.pagina.nl
O1 - Hosts: 127.4.7.4 castlecops.com
O1 - Hosts: 127.4.7.4 www.castlecops.com
O1 - Hosts: 127.4.7.4 virustotal.com
O1 - Hosts: 127.4.7.4 www.virustotal.com
O1 - Hosts: 127.4.7.4 www.ca.com
O1 - Hosts: 127.4.7.4 ca.com
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_14.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O4 - HKLM\..\Run: [Bron-Spizaetus-cfgmlnry] "C:\WINDOWS\ShellNew\bbm-yrnlmgfc.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKCU\..\Run: [Tok-Cirrhatus-3444] "C:\Documents and Settings\Administrator\Local Settings\Application Data\br7911on.exe"
O4 - Startup: Empty.pif = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {CAFECAFE-0013-0001-0008-ABCDEFABCDEF} (JInitiator 1.3.1.8) - http://sgs.upm.edu.my:7777/discover...n/jinit1318.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: hplun.dll

4. Reboot into Safe Mode and:

Open CCleaner.
- Go to Options-> Advanced: Uncheck "Only delete files in Windows Temp folders older than 48 hours"
- Go to Options>CustomFolders>Add Folder>Navigate to these folders (click on bold file once and hit OK) :
* C:\Windows\Temp
* C:\Windows\Prefetch
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ (This will delete all your cached internet content including cookies.)
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp
* C:\Documents and Settings\<any other user's Profile>\Local Settings\Temporary Internet Files
* C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temp
* C:\Documents and Settings\<Your Profile>\Cookies
* C:\Documents and Settings\<Any other users Profile>\Cookies
Hit OK

- In left pane, scroll down to "Advanced, Custom Folders", put a check in Custom Folders

- Click on Run Cleaner

It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.


- Run Avast!, MS Antispyware, and ewido; have the programs fix all malicious items they find.

When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.

- Run Spy Sweeper.
* Under the Sweep Options tab, select ALL options under 'What to Sweep'.
* Click the "Sweep" icon and then "Start" to begin scanning.
*When the scan completes, click Next to automatically quarantine all detected items.
*Click the Results icon, select Session Log, and then click Save to File. Save the scan results to your desktop and close Spy Sweeper.


5. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Search for the following files and delete them if found:

C:\WINDOWS\sembako-cfzjlmg.exe
C:\WINDOWS\ShellNew\bbm-yrnlmgfc.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\br7911on.exe
hplun.dll

- Delete the following folders entirely:

C:\Program Files\NewDotNet
C:\Program Files\Need2Find

6. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the logs that ewido and Spy Sweeper generated.

Thanks DMR,

I explain two settings above.

[1] That is HTTP tunnel. I used and opened the port 1080 for tunneling the trillian basic for accessing the yahoo messenger and MSN messenger.

[2] I set the TCP/IP manually, so 172.16.240.250/x.x.x.251 are DNS gateway prefer and alternative.

*Is there any trouble with that?

But unfortunately I can't run Hijackthis.exe and any kind of exe (execute application). That's one thing. Another thing is I can't open any hidden files(s)/folder(s). The worst case, I even can't open this website through my computer or open DaniWebIT email via my email, the computer will reboot automatically. So, I can't do whatever you are told to do. So, I don't know what to do. :-|