Please help - Collected.5.L Trojan

[misterblonde]

Please help me

I am running Windows XP / SP1

I have recently aquired a trojan horse that AVG, Ad-Aware and the rest recognise, but cannot remove. It pops up every 30 seconds.

Here is my HijackThis logfile

Thanks in advance

Mister Blonde

Logfile of HijackThis v1.99.1
Scan saved at 11:08:13, on 12/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\xpjava.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\wuamkop32.exe
C:\WINDOWS\System32\msng.exe
C:\WINDOWS\System32\mouse.exe
C:\WINDOWS\System32\java32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\STEH~1\LOCALS~1\Temp\Rar$EX00.141\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Update] wuamkop32.exe
O4 - HKLM\..\Run: [data] msng.exe
O4 - HKLM\..\Run: [Windows System32] winsys32.exe
O4 - HKLM\..\Run: [mouse] mouse.exe
O4 - HKLM\..\Run: [MicroSun Java] java32.exe
O4 - HKLM\..\RunServices: [WinConfig9324] wincfgkop9.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamkop32.exe
O4 - HKLM\..\RunServices: [data] msng.exe
O4 - HKLM\..\RunServices: [Windows System32] winsys32.exe
O4 - HKLM\..\RunServices: [mouse] mouse.exe
O4 - HKLM\..\RunServices: [MicroSun Java] java32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Pop up Blocker Pro] "C:\Program Files\Pop up Blocker Pro\pdie.exe" Minimize
O4 - HKCU\..\Run: [data] msng.exe
O4 - HKCU\..\Run: [Windows System32] winsys32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [data] msng.exe
O4 - HKCU\..\RunServices: [Windows System32] winsys32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Pop up Blocker Pro - {4308A22D-41CE-4360-99AD-D9F9DB5983FD} - C:\Program Files\Pop up Blocker Pro\pdie.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0264709A-936E-42CE-9461-7CDA8F151BE8}: NameServer = 62.241.163.200 158.43.240.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{0264709A-936E-42CE-9461-7CDA8F151BE8}: NameServer = 62.241.163.200 158.43.240.4
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Mouse Click Monitor (mousecm) - Unknown owner - C:\WINDOWS\System32\mousecm.exe
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

 

[tj416]

Hi misterblonde,

I suggest that you run one of these Online virus scanners:

• Housecall
• Panda
• RAV Anti-virus Online
• eTrust Anti-virus Scanner

Then, reboot and post a fresh HijackThis log.

 

[khazars]

hi, welcome to TSG.

you need to turn off spybot's teatimer until we clean these pests off.

Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php

download ccleaner

http://www.ccleaner.com/


* Install CCleaner
* Launch CCleaner and look in the upper right corner and click on the "Options" button.
* Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
* Click OK
* Do not run CCleaner yet. You will run it later in safe mode.





go to this site and download these tools and once you get both
adaware Se 1.6 and spybot, update both of them.

Set adaware to do a full system scan and deselect, "search for neglible risk
entries". Click next to start the scan. Delete everything adaware finds.

reboot and now run spybot

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the
immunize button.

reboot again


With CWshredder close all browsers and programmes and select the FIX button.



Go here and download Microsoft Antispyware Beta. First in the top menu click
File then Check for updates to download the definitons updates.

After updating look in the right side of the main window under "Run Quick
Scan Now" and click Spyware scan options. In that window put a tick by Run a
full system scan and then put a check by all three options below that then
click Run Scan now.

When the scan is finished, let it fix anything that it finds (have it
quarantine the items that have that option rather than delete just in case.
It is a beta program and there may be false positives)

Restart your computer.


All tools can be downloaded at the link below and found on that page!


. Microsoft® Windows AntiSpyware
. SpyBot search and destroy
. AdAware SE



http://www.majorgeeks.com/downloads31.html


. CWShredder


http://www.soft32.com/download_19014.html





have hijack this fix these entries. close all browsers and programmes before
clicking FIX.

F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamkop32.exe
O4 - HKLM\..\Run: [data] msng.exe
O4 - HKLM\..\Run: [Windows System32] winsys32.exe
O4 - HKLM\..\Run: [mouse] mouse.exe
O4 - HKLM\..\Run: [MicroSun Java] java32.exe
O4 - HKLM\..\RunServices: [WinConfig9324] wincfgkop9.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamkop32.exe
O4 - HKLM\..\RunServices: [data] msng.exe
O4 - HKLM\..\RunServices: [Windows System32] winsys32.exe
O4 - HKLM\..\RunServices: [mouse] mouse.exe
O4 - HKLM\..\RunServices: [MicroSun Java] java32.exe
O4 - HKCU\..\Run: [data] msng.exe
O4 - HKCU\..\Run: [Windows System32] winsys32.exe

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.


C:\WINDOWS\System32\xpjava.exe
C:\WINDOWS\System32\wuamkop32.exe
C:\WINDOWS\System32\msng.exe
C:\WINDOWS\System32\mouse.exe
C:\WINDOWS\System32\java32.exe


Now reboot to safe mode find and delete these files and folders if there?



How to boot to safe mode

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam


How to show hidden files in Windows

http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=


Because XP will not always show you hidden files and folders by default,
Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden
files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View
tab and make sure that "Show hidden files and folders" is checked. Also
uncheck "Hide protected operating system files" and "Hide extensions for
known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"


wincfgkop9.exe
msng.exe
winsys32.exe


Run ActiveScan online virus scan here

http://www.pandasoftware.com/activescan/

When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!




Now run ccleaner.



post another hijack this log, the ewido and active scan logs

 

[misterblonde]

Thanks a LOT for that bud.

Only prob is that the pandasoftware cleaner will not work as I am running Mozilla not IE

Here is the logfile from Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 15:12:30, on 13/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\dhcp32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUME~1\STEH~1\LOCALS~1\Temp\Rar$EX00.000\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Win64 configuration] win64.exe
O4 - HKLM\..\Run: [REGRUN32] C:\dhcp32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [Win64 configuration] win64.exe
O4 - HKLM\..\RunServices: [mouse] mouse.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Pop up Blocker Pro] "C:\Program Files\Pop up Blocker Pro\pdie.exe" Minimize
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [data] msng.exe
O4 - HKCU\..\RunServices: [Windows System32] winsys32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Pop up Blocker Pro - {4308A22D-41CE-4360-99AD-D9F9DB5983FD} - C:\Program Files\Pop up Blocker Pro\pdie.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121165647108
O17 - HKLM\System\CCS\Services\Tcpip\..\{0264709A-936E-42CE-9461-7CDA8F151BE8}: NameServer = 62.241.163.200 158.43.240.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{0264709A-936E-42CE-9461-7CDA8F151BE8}: NameServer = 62.241.163.200 158.43.240.4
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Mouse Click Monitor (mousecm) - Unknown owner - C:\WINDOWS\System32\mousecm.exe
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

 

[khazars]

did you turn off spybot's teatimer, it must be disabled to run these fixes.


You need to get Xp SP1 asap and all other patches, you are open to
multiple threats!

http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx



if you didn't install partypoker uninstall it and remove all those entries for it iwith hijack this.


O9 - Extra button: Pop up Blocker Pro - {4308A22D-41CE-4360-99AD-D9F9DB5983FD} - C:\Program Files\Pop up Blocker Pro\pdie.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe



well, you'll need to run IE just to do the scans, Panda is very good at finding the viruses, not at removing them but then we can do so with the killbox! If you don't want to use IE then download Mwav and post its log, not thwe whole log just the part where it finds viruses etc.


do a ctr/alt/del and in taskmanager stop these processes if running.



win64.exe
dhcp32.exe


have hijack this fix these entries. close all browsers and programmes before
clicking FIX.

O4 - HKLM\..\Run: [Win64 configuration] win64.exe
O4 - HKLM\..\Run: [REGRUN32] C:\dhcp32.exe
O4 - HKLM\..\RunServices: [mouse] mouse.exe
O4 - HKCU\..\RunServices: [data] msng.exe
O4 - HKCU\..\RunServices: [Windows System32] winsys32.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...b?1121165647108


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.

C:\WINDOWS\System32\msng.exe
C:\WINDOWS\System32\mouse.exe
C:\dhcp32.exe


boot to safe mode and find and delete this file.


win64.exe
winsys32.exe



* Download the trial version of Ewido Security Suite here


http://www.ewido.net/en/

* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update click the OK button and it will go to the main screen
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.



* Click here for info on how to boot to safe mode if you don't already know
how.


How to boot to safe mode

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam


* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:



* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop


Note: this is a stand alone, it doesn't install to start/programmes.

Download Mwav, double click on it and it will extract to C:\kaspersky. Click
on the kaspersky folder and click on Kavupd, a black dos window will open
and it will update the programme for you, be patient it will take 5-10
minutes to download the new definitions. Once it's updated, click on mwavscan
to launch the programme.

Use the defaults of:

Memory
startup folders
Registry
system folders
services

Choose drive , all drives and, click scan all files
and then click scan/clean. After it finishes scanning and cleaning post
the log here with a new hijack this log.

Note: this is a very thorough scanner, it might take anything up to an hour
or more, depending on how many drives you have and how badly infected your
pc is.

http://www.spywareinfo.dk/download/mwav.exe



post the ewido log and one of the other two and a hijack this log