Hi, thank you for your reply. I've followed exactly your instructions but the virus is still there, it seems that there is some file that continue to generate it. When i run MalwareByte, it finds a virus which i delete; the computer seems to run smooth while i'm not online and the antivirus find nothing. When i connect to the internet, it work only a few minutes and this things happen: Internet explorer does not work or crash. Chrome give blank page with cannot load problem In Firefox happen something strange: if i leave the standard settings it does not work, and in Tools -> Options -> Advanced -> Network -> Connections -> settings i have "use the proxy of the system" (traduction from italian) and it does not work; but IF I set it on "No proxy" or "auto-detect proxy settings for this network" the browser works for a few minutes, then it start to go crazy, i can't deactivate the connection, the computer goes slow, i have no control of it and i must reboot. After that i find a new virus... Here the logs, i'm not attaching it like you asked: The last MalwareBytes log, run from administrator in windows xp provisory mod: Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 5623 Windows 5.1.2600 Service Pack 3 (Safe Mode) Internet Explorer 8.0.6001.18702 28/01/2011 3.31.44 mbam-log-2011-01-28 (03-31-44).txt Scan type: Full scan (C:\|) Objects scanned: 483634 Time elapsed: 2 hour(s), 33 minute(s), 38 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: c:\programmi\mozilla firefox\test.exe (Trojan.Downloader) -> Quarantined and deleted successfully. c:\system volume information\_restore{73b9b787-50d3-4cf4-b158-25e90160905d}\RP596\A0161960.exe (Trojan.Downloader) -> Quarantined and deleted successfully. c:\system volume information\_restore{73b9b787-50d3-4cf4-b158-25e90160905d}\RP596\A0161961.exe (Trojan.Downloader) -> Quarantined and deleted successfully. _______________________________________________________ The last hijackthislog after deleting the virus in the standard mode of windows in my account: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7.00.48, on 28/01/2011 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe C:\WINDOWS\system32\spoolsv.exe c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe C:\Programmi\Avira\AntiVir Desktop\sched.exe C:\Programmi\Avira\AntiVir Desktop\avguard.exe C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe C:\Programmi\Bonjour\mDNSResponder.exe C:\Programmi\Avira\AntiVir Desktop\avshadow.exe C:\Programmi\DCPFLICS\dcpflics.exe C:\Programmi\Google\Update\1.2.183.39\GoogleCrashHandler.exe C:\Programmi\Java\jre6\bin\jqs.exe C:\Programmi\CDBurnerXP\NMSAccessU.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\svchost.exe C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\WINDOWS\Explorer.EXE C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Programmi\Avira\AntiVir Desktop\avgnt.exe C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe C:\WINDOWS\RTHDCPL.EXE C:\Programmi\File comuni\Logitech\LComMgr\Communications_Helper.exe C:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exe C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exe C:\WINDOWS\system32\rundll32.exe C:\Programmi\AirPort\APAgent.exe C:\Programmi\Java\jre6\bin\jusched.exe C:\Programmi\Logitech\SetPointP\SetPoint.exe C:\WINDOWS\system32\ctfmon.exe C:\Programmi\Messenger\msmsgs.exe C:\WINDOWS\system32\mapiicon.exe C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wscntfy.exe C:\Programmi\File comuni\LogiShrd\KHAL3\KHALMNPR.EXE C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Programmi\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ADSL_A2] A2Installed O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Programmi\File comuni\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programmi\File comuni\Logitech\LComMgr\Communications_Helper.exe" O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programmi\Logitech\QuickCam10\QuickCam10.exe" /hide O4 - HKLM\..\Run: [LVCOMSX] "C:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exe" O4 - HKLM\..\Run: [Ad-Watch] C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exe O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Programmi\AirPort\APAgent.exe" O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Programmi\File comuni\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" O4 - HKLM\..\Run: [switchBoard] C:\Programmi\File comuni\Adobe\SwitchBoard\SwitchBoard.exe O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Programmi\File comuni\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin O4 - HKLM\..\Run: [EvtMgr6] C:\Programmi\Logitech\SetPointP\SetPoint.exe /launchGaming O4 - HKLM\..\Run: [amd_dc_opt] C:\Programmi\AMD\Dual-Core Optimizer\amd_dc_opt.exe O4 - HKLM\..\Run: [startCCC] "C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKLM\..\Run: [ATICustomerCare] "C:\Programmi\ATI\ATICustomerCare\ATICustomerCare.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Daniele\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" /c O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [{33F866F4-0E91-4EAB-55BF-3464463241F4}] "C:\Documents and Settings\Daniele\Dati applicazioni\Agkiab\ovad.exe" O4 - HKCU\..\RunOnce: [WiseStubReboot] MSIEXEC /quiet SKIP_PPU_DRIVER_INSTALL=1 /I "C:\Programmi\File comuni\Wise Installation Wizard\WISDD1865F0AD7340FBB23E1822E02396FF_9_09_0203.MSI" TRANSFORMS="C:\Programmi\File comuni\Wise Installation Wizard\WISDD1865F0AD7340FBB23E1822E02396FF_9_09_0203.MST" WISE_SETUP_EXE_PATH="c:\nvidia\winxp\182.50\is\PhysX_9.09.0203_SystemSoftware.exe" O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - .DEFAULT User Startup: elyfa.exe (User 'Default user') O4 - .DEFAULT User Startup: esofy.exe (User 'Default user') O4 - .DEFAULT User Startup: ilogn.exe (User 'Default user') O4 - .DEFAULT User Startup: luukeh.exe (User 'Default user') O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programmi\Bonjour\ExplorerPlugin.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe O23 - Service: DCPFLICS service (DCPFLICS) - Unknown owner - C:\Programmi\DCPFLICS\dcpflics.exe O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Servizio di Google Update (gupdate1c9cf2766eee058) (gupdate1c9cf2766eee058) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programmi\File comuni\LogiShrd\Bluetooth\lbtserv.exe O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmi\File comuni\Logitech\SrvLnch\SrvLnch.exe O23 - Service: M-Audio ProKeysSono Installer (MAudioProKeysSonoService) - Unknown owner - C:\Programmi\M-Audio\ProKeysSono\MAUSBPSInst.exe (file missing) O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Programmi\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe O23 - Service: NMSAccessU - Unknown owner - C:\Programmi\CDBurnerXP\NMSAccessU.exe O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Programmi\File comuni\Adobe\SwitchBoard\SwitchBoard.exe -- End of file - 11001 bytes ______________________________________________________________________ The last piece of the log of Ad-Aware which found another trojan. ******************************** Scan results: ********************************* Scan profile name: Scansione intelligente (ID: smart) Objects scanned: 71767 Objects detected: 4 Type Detected ========================== Processes.......: 0 Registry entries: 0 Hostfile entries: 0 Files...........: 1 Folders.........: 0 LSPs............: 0 Cookies.........: 3 Browser hijacks.: 0 MRU objects.....: 0 Removed items: Description: c:\documents and settings\daniele\dati applicazioni\ogud\ybol.exe Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: 556bd90ca6145741f85be521fa593c27 Description: *adserv* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408921 Family ID: 0 Description: *bs.serving-sys* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408902 Family ID: 0 Description: *serving-sys* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409130 Family ID: 0 __________________________________________________________ Every time i run the internet, the virus return and the antivirus find a new .exe with different name and in a different location than the previous virus. If i can't find a method to resolve this problem, i think i will save the important files and format the computer, i need to use the internet in the weekend Thank you again and sorry for my english