Weird Pop-up!

Status
Not open for further replies.
I did not find the "C:\WP?OWS" file that you specified.

I got this when using the tool you recommended:
 
While you've been away I've found some info that may help. Follow these instructions exactly.

Download Advanced process termination programme from HERE. Don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore. (XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O4 - HKLM\..\Run: [I}\WINDOWS\ga$o?uexC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [aXatFLi/pWINDOWS\o?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [aXaiL{o/a$INDO\\o?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [aXaiL{o/a?aa???C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [s*aiL{o/a?aa??,C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [s*aii{{oa?o???,C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [s=Mii{{a$?aa???C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [Is*WINDOWS\g{oo?uexC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [Is*WINDOWS\g???_C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [s=Mii{{aF??a???C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [s=Miia$aF??a?·??C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [C:\WP?OWS\mgjwie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [I}\W>?OWS\mga$o?;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [C:\WP?OWS\ma$wie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [I}\W>?OWS\,a\?;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [C>?P?OWS\ma$wie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [I}\W>?OWS\,a?aa?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [I}\WINDOWS\mga$o?.exC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [I}\WINDOWS\ma$?aa?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [C>?P?OWS\mgjwie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [I}i{opWINDO\,,#?nC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [I}i{oiINDO\,,#?nC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [C:\WINDOW1<m·?a?aC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [>?WP?OWS\o?jwie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [>?WP?OWS\o?jwi?yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [>?WP?OWS\o?o?ia?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [>?WP?OWS\o?o?ia?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [^??? ?9??*?M·?a?:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [I}?>?OWS\mga$o?;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [I}?>?OWS\,a\?;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe

O4 - HKLM\..\Run: [iyvfvown] C:\pedhmefb.bat

O11 - Options group: [INTERNATIONAL] International*

Click on the fix checked button.

Close HJT.

Run the advanced termination programme.

C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\mgjwie.exe

kill the above processes....select and then press "ALL" button in PROCESS CONTROL OPTIONS

Locate and delete the following bold files and/or directories (if there).

C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\mgjwie.exe

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log.

Regards Howard :)
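
One way to triage the O4 autorun entries listed in the post above, as an added example that is not part of the original thread and not HijackThis's own logic. The three flagging rules and the `ExampleTray` line are assumptions made for illustration; the other sample lines are copied from the log in the post.

```python
import re
from collections import defaultdict

# Shape of a HijackThis O4 line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>.*)\] (?P<cmd>.+)$")

SAMPLE = [  # first three lines are from the post; the last one is constructed
    r"O4 - HKLM\..\Run: [C:\WP?OWS\mgjwie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe",
    r"O4 - HKLM\..\Run: [I}\WINDOWS\mga$o?.exC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe",
    r"O4 - HKLM\..\Run: [iyvfvown] C:\pedhmefb.bat",
    r"O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe",
]

def parse_o4(line):
    """Return (hive, key, value_name, command) for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    return (m["hive"], m["key"], m["name"], m["cmd"]) if m else None

def triage(lines, max_names_per_cmd=1):
    """Group Run entries by command and flag patterns worth a closer look.

    The rules are assumed heuristics, not proof of infection:
      - several different value names launching one command,
      - a value name that itself contains a file path,
      - an autorun target that is a batch script.
    """
    by_cmd = defaultdict(list)
    for line in lines:
        parsed = parse_o4(line)
        if parsed:
            by_cmd[parsed[3].lower()].append(parsed[2])
    findings = {}
    for cmd, names in by_cmd.items():
        reasons = []
        if len(set(names)) > max_names_per_cmd:
            reasons.append(f"{len(set(names))} value names launch the same command")
        if any(re.search(r"[A-Za-z]:\\|\.exe", n, re.I) for n in names):
            reasons.append("value name embeds a file path")
        if cmd.endswith((".bat", ".cmd")):
            reasons.append("autorun target is a batch script")
        if reasons:
            findings[cmd] = reasons
    return findings

if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE).items():
        print(cmd, "->", "; ".join(reasons))
```

Grouping by command is what makes the repeated `mgjwie.exe` entries stand out: the value names differ on every line, but they all resolve to one target.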
 
Try running the programme from normal mode.

Then run HJT from normal mode and fix the entries I suggested. Then, try and delete the entries I suggested.

Let me know the outcome.

Regards Howard :)
 
I don't get what you mean by: "kill the above processes....select and then press "ALL" button in PROCESS CONTROL OPTIONS." I don't see an "ALL" button.

Back to the point: There's still no "C:\Program Files\ISTsvc\istsvc.exe
and C:\WINDOWS\mgjwie.exe" showing up in the apt.exe program.

And I still can't find either of these:
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\mgjwie.exe

:(
 
I'm really sorry, but I don't think there's any more I can do with this. I've tried everything I can think of and still the infection is there. I've never come across this infection before and info is thin on the ground.

I hate having to say this, as I don't like being beaten, but I think it's time you backed up your important data and reformatted.

Regards Howard :(
 
You need to do the following.

1 Restart your computer and go to setup, usually by pressing the F2 or Delete key.

2 Once you get into setup, look for the boot menu and make sure you set it to boot from CD first, followed by your hard drive.

3 Put the Windows XP disk into your CD drive.

4 Now save your settings and exit setup.

5 While your computer is booting you will see a message that says "press any key to boot from cd". Press any key.

6 When the welcome to setup screen appears, press Enter and then press F8 to accept the Microsoft licence agreement.

7 You will be prompted to repair an installation. Press the Escape key.

8 Now select the partition that you want to reformat and press the D key to delete it. You will be asked to confirm that you want to delete the partition.

9 Now press C to create a brand new partition. You will be asked what size you want the partition to be in megabytes. If you just press Enter then the partition will be the maximum size that you can have. This is perfectly OK if you don't want to create multiple partitions.

10 You will now be asked to format the partition. Select the NTFS file system and do a full format.

11 Once the format is complete setup will continue.

Your computer will restart during the remaining setup. Again you will be asked to press any key to boot from CD. DO NOT PRESS ANYTHING, and setup will continue. Once the setup is complete and you are back in Windows, remove the Windows CD from your CD drive.

Regards Howard :)
 
Do I need to save any of my important files/folders? And which partition do I choose?

Lastly, what if I can't find my Windows CD? <_<
 
Yes, you need to save your important data, preferably to CD or DVD disks.

If you can't find your Windows CD, you're screwed I'm afraid.

Unless you can find a way of getting rid of that infection.

You might want to go HERE and post your problem and see if they can sort it out for you.

Please let me know the outcome. Thanks.

Regards Howard :)
 
Rofl, thanks for putting it so lightly. I'll try that website.

Thank you for all of your great help and support. :)
 
Sake said:
Rofl, thanks for putting it so lightly. I'll try that website.

Thank you for all of your great help and support. :)

No problem mate.

I'm just sorry I wasn't able to get rid of that damned infection.

I'd be really grateful, if you'd let me know how you get on with this.

Good luck.

Regards Howard :)
 
That infection is pretty nasty if it stays on and can't be deleted. I am a programmer (computer programmer, not virus programmer) and if you tell me what the infection does I bet I can make a removal tool and put it up for download.
 
sw123 said:
That infection is pretty nasty if it stays on and can't be deleted. I am a programmer (computer programmer, not virus programmer) and if you tell me what the infection does I bet I can make a removal tool and put it up for download.
Well, I'm not great at computers, but there are a few things that are pretty obvious. There'll be a pop-up right before the Windows login screen with some foreign text (I'm guessing Korean) inside, and it changes every time. There's probably more, but that's the most obvious one I noticed. :/
 