Spyware keeps coming back!!!

[batman321]

the only programs I have installed are spyware/virus programs from http://www.download.com/. I have downloaded heaps of program before this and have had no trouble with viruses/spyware.

[sUBs]

O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe

Are you familiar with the program - PrintView? Is it something you installed?

[batman321]

I am not familiar with printview. I deleted the folder and all the files inside. here is the latest combofix report:

--------------------------------------------------------------------------

simon - 06-09-23 15:28:25.76 Service Pack 2
ComboFix 06.09.20 - Running from: "C:\Documents and Settings\simon\Desktop\Net Help"
Command switches used ::

((((((((((((((((((((((((((((((( Files Created from 2006-08-23 to 2006-09-23 ))))))))))))))))))))))))))))))))))


2006-09-23 12:21 633,822 ---hs---- C:\WINDOWS\system32\jmllm.bak1
2006-09-23 12:19 577,588 ---hs---- C:\WINDOWS\system32\mllmj.dll
2006-09-23 12:10 39,465 --a------ C:\WINDOWS\system32\jkhhe.dll
2006-09-23 12:03 40,973 ---hs---- C:\WINDOWS\system32\qomlihg.dll
2006-09-23 12:02 18,944 --a------ C:\WINDOWS\system32\winrge32.dll
2006-09-22 17:11 0 --a------ C:\WINDOWS\system32\sys_dll.dll
2006-09-11 21:23 122,880 --a------ C:\WINDOWS\system32\cddvdint.dll
2006-09-11 18:09 77,824 --a------ C:\WINDOWS\system32\ctdvda32.dll
2006-09-09 14:03 278,528 --a------ C:\WINDOWS\system32\livesnth.dll
2006-09-09 14:03 203,776 --a------ C:\WINDOWS\system32\clrviddc.dll
2006-09-08 16:34 109,568 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-09-08 16:34 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2006-09-06 17:38 4,239,360 --a------ C:\WINDOWS\system32\qtp-mt334.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-23 15:22 0 --a--c--- C:\Documents and Settings\simon\Application Data\.googlewebacchosts
2006-09-22 18:09 -------- d-------- C:\Program Files\Microsoft Bootvis
2006-09-21 16:28 -------- d-------- C:\Program Files\Common Files
2006-09-21 16:16 -------- d-------- C:\Documents and Settings\simon\Application Data\AVG7
2006-09-21 16:15 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-21 16:15 4992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-09-21 16:15 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-09-21 16:15 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-09-21 16:15 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-09-21 16:15 -------- d-------- C:\Program Files\Grisoft
2006-09-21 16:14 -------- d---s---- C:\Documents and Settings\simon\Application Data\Microsoft
2006-09-20 17:34 -------- d-------- C:\Documents and Settings\simon\Application Data\Lavasoft
2006-09-12 17:48 -------- d-------- C:\Program Files\Simon Clarke's CV and Cover Letter
2006-09-11 21:23 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-11 18:10 -------- d-------- C:\Program Files\Common Files\InterVideo
2006-09-11 18:10 -------- d-------- C:\Documents and Settings\simon\Application Data\InterVideo
2006-09-11 18:09 -------- d-------- C:\Program Files\InterActual
2006-09-11 18:09 -------- d-------- C:\Program Files\Creative
2006-09-01 23:47 11973 --a--c--- C:\WINDOWS\system32\drivers\secdrv.sys
2006-08-25 20:26 -------- d-------- C:\Documents and Settings\simon\Application Data\PC Tools
2006-08-22 00:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 21:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 21:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-12 11:26 -------- d-------- C:\Program Files\Internet Explorer
2006-08-09 18:38 -------- d-------- C:\Program Files\Boinc
2006-08-08 15:06 -------- d-------- C:\Documents and Settings\simon\Application Data\SolidDocuments
2006-08-08 14:57 -------- d-------- C:\Documents and Settings\simon\Application Data\CTdeveloping
2006-08-05 12:50 34308 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-08-05 11:56 -------- d-------- C:\Documents and Settings\simon\Application Data\com.codeode
2006-08-02 14:35 -------- d-------- C:\Program Files\Google
2006-07-29 19:38 -------- d-------- C:\Program Files\Common Files\Services
2006-07-28 01:24 679424 --a--c--- C:\WINDOWS\system32\inetcomm.dll
2006-07-24 15:14 -------- d-------- C:\Program Files\Online Services
2006-07-21 20:24 72704 --a--c--- C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="\"C:\\Applications\\FreeRAM XP Pro 1.51\\FreeRAM XP Pro.exe\" -win"
"RoboForm"="\"C:\\Applications\\Roboform\\RoboTaskBarIcon.exe\""
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"PCTAVApp"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"=""
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"=""
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{D3B3C51E-8D11-4667-85B9-0930F519BED7}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"NoDispCPL"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoCDBurning"=dword:00000000
"NoActiveDesktop"=dword:00000000
"NoViewContextMenu"=dword:00000000
"NoWinKeys"=dword:00000000
"NoShellSearchButton"=dword:00000000
"NoFileAssociate"=dword:00000000
"NoFileMenu"=dword:00000000
"NoFolderOptions"=dword:00000000
"NoFind"=dword:00000000
"NoRun"=dword:00000000
"NoClose"=dword:00000000
"NoCommonGroups"=dword:00000000
"NoRecentDocsHistory"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000000
"NoSimpleStartMenu"=dword:00000000
"HideClock"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000
"NoTrayItemsDisplay"=dword:00000000
"StartMenuLogoff"=dword:00000000
"NoSMHelp"=dword:00000000
"NoTrayContextMenu"=dword:00000000
"NoControlPanel"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\APPLIC~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MI1933~1\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\APPLIC~1\\WINZIP~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\EPSON Stylus Photo R210 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="E_S4I3H2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I3H2.EXE /P30 \"EPSON Stylus Photo R210 Series\" /O6 \"USB001\" /M \"Stylus Photo R210\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ImInstaller_IncrediMail]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="incredimail_install[1]"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDLL32"
"hkey"="HKLM"
"command"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NVRTCLK]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NVRTClk"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NVRTCLK\\NVRTClk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PCTAVApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCTAV"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Spam Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpamMonitor"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UnlockerAssistant]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UnlockerAssistant"
"hkey"="HKLM"
"command"="\"C:\\Applications\\Unlocker\\UnlockerAssistant.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"Avg7UpdSvc"=dword:00000002
"Avg7Alrt"=dword:00000002
"AVGEMS"=dword:00000002
"Macromedia Licensing Service"=dword:00000003
"Adobe LM Service"=dword:00000003

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmj
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomlihg
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrge32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

Completion time: 06-09-23 15:30:17.56
ComboFix.txt
ComboFix2.txt

[sUBs]

We have a reinfection. Please post a fresh HJT log.

[batman321]

Logfile of HijackThis v1.99.1
Scan saved at 19:40, on 06-09-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Applications\Spyware Doctor 4\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Applications\FreeRAM XP Pro 1.51\FreeRAM XP Pro.exe
C:\Applications\Roboform\RoboTaskBarIcon.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Applications\Mozilla Firefox\firefox.exe
C:\Applications\Hijack This\HJT.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Applications\Spybot\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\APPLIC~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Applications\Roboform\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9D14EE27-049C-461B-9203-F52D4CDC6D76} - C:\WINDOWS\system32\mllmj.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\APPLIC~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\qomlihg.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - blank (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Applications\FreeRAM XP Pro 1.51\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [RoboForm] "C:\Applications\Roboform\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: Customize Menu - file://C:\Applications\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Applications\MPEG Joiner\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Applications\MPEG Joiner\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Applications\MPEG Joiner\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Applications\MPEG Joiner\dllink.htm
O8 - Extra context menu item: Fill Forms - file://C:\Applications\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Applications\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Applications\Roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\APPLIC~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Applications\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Applications\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Applications\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Applications\Roboform\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Applications\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Applications\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll
O20 - Winlogon Notify: qomlihg - C:\WINDOWS\SYSTEM32\qomlihg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrge32 - C:\WINDOWS\SYSTEM32\winrge32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Applications\Spyware Doctor 4\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[sUBs]

Have Hijackthis fix this:

O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - blank (file missing)


Then, run combofix with this command:

"%userprofile%\desktop\combofix.exe" /v mllmj qomlihg winrge32 jkhhe sys_dll

I shall require the combofix log & a fresh HJT log in your next reply

[batman321]

simon - 06-09-24 13:01:53.56 Service Pack 2
ComboFix 06.09.20 - Running from: "C:\Documents and Settings\simon\desktop"
Command switches used :: /v mllmj qomlihg winrge32 jkhhe sys_dll

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\qomlihg.dll
C:\WINDOWS\system32\winrge32.dll
C:\WINDOWS\system32\jkhhe.dll
C:\WINDOWS\system32\sys_dll.dll
C:\WINDOWS\system32\jmllm.bak1
C:\WINDOWS\system32\jmllm.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((( Files Created from 2006-08-24 to 2006-09-24 ))))))))))))))))))))))))))))))))))


2006-09-11 21:23 122,880 --a------ C:\WINDOWS\system32\cddvdint.dll
2006-09-11 18:09 77,824 --a------ C:\WINDOWS\system32\ctdvda32.dll
2006-09-09 14:03 278,528 --a------ C:\WINDOWS\system32\livesnth.dll
2006-09-09 14:03 203,776 --a------ C:\WINDOWS\system32\clrviddc.dll
2006-09-08 16:34 109,568 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-09-08 16:34 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2006-09-06 17:38 4,239,360 --a------ C:\WINDOWS\system32\qtp-mt334.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-23 21:08 0 --a--c--- C:\Documents and Settings\simon\Application Data\.googlewebacchosts
2006-09-22 18:09 -------- d-------- C:\Program Files\Microsoft Bootvis
2006-09-21 16:28 -------- d-------- C:\Program Files\Common Files
2006-09-21 16:16 -------- d-------- C:\Documents and Settings\simon\Application Data\AVG7
2006-09-21 16:15 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-21 16:15 4992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-09-21 16:15 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-09-21 16:15 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-09-21 16:15 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-09-21 16:15 -------- d-------- C:\Program Files\Grisoft
2006-09-21 16:14 -------- d---s---- C:\Documents and Settings\simon\Application Data\Microsoft
2006-09-20 17:34 -------- d-------- C:\Documents and Settings\simon\Application Data\Lavasoft
2006-09-12 17:48 -------- d-------- C:\Program Files\Simon Clarke's CV and Cover Letter
2006-09-11 21:23 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-11 18:10 -------- d-------- C:\Program Files\Common Files\InterVideo
2006-09-11 18:10 -------- d-------- C:\Documents and Settings\simon\Application Data\InterVideo
2006-09-11 18:09 -------- d-------- C:\Program Files\InterActual
2006-09-11 18:09 -------- d-------- C:\Program Files\Creative
2006-09-01 23:47 11973 --a--c--- C:\WINDOWS\system32\drivers\secdrv.sys
2006-08-25 20:26 -------- d-------- C:\Documents and Settings\simon\Application Data\PC Tools
2006-08-22 00:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 21:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 21:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-12 11:26 -------- d-------- C:\Program Files\Internet Explorer
2006-08-09 18:38 -------- d-------- C:\Program Files\Boinc
2006-08-08 15:06 -------- d-------- C:\Documents and Settings\simon\Application Data\SolidDocuments
2006-08-08 14:57 -------- d-------- C:\Documents and Settings\simon\Application Data\CTdeveloping
2006-08-05 12:50 34308 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-08-05 11:56 -------- d-------- C:\Documents and Settings\simon\Application Data\com.codeode
2006-08-02 14:35 -------- d-------- C:\Program Files\Google
2006-07-29 19:38 -------- d-------- C:\Program Files\Common Files\Services
2006-07-28 01:24 679424 --a--c--- C:\WINDOWS\system32\inetcomm.dll
2006-07-24 15:14 -------- d-------- C:\Program Files\Online Services
2006-07-21 20:24 72704 --a--c--- C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="\"C:\\Applications\\FreeRAM XP Pro 1.51\\FreeRAM XP Pro.exe\" -win"
"RoboForm"="\"C:\\Applications\\Roboform\\RoboTaskBarIcon.exe\""
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"PCTAVApp"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"=""
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"=""
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"NoDispCPL"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoCDBurning"=dword:00000000
"NoActiveDesktop"=dword:00000000
"NoViewContextMenu"=dword:00000000
"NoWinKeys"=dword:00000000
"NoShellSearchButton"=dword:00000000
"NoFileAssociate"=dword:00000000
"NoFileMenu"=dword:00000000
"NoFolderOptions"=dword:00000000
"NoFind"=dword:00000000
"NoRun"=dword:00000000
"NoClose"=dword:00000000
"NoCommonGroups"=dword:00000000
"NoRecentDocsHistory"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000000
"NoSimpleStartMenu"=dword:00000000
"HideClock"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000
"NoTrayItemsDisplay"=dword:00000000
"StartMenuLogoff"=dword:00000000
"NoSMHelp"=dword:00000000
"NoTrayContextMenu"=dword:00000000
"NoControlPanel"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\APPLIC~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MI1933~1\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\APPLIC~1\\WINZIP~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\EPSON Stylus Photo R210 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="E_S4I3H2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I3H2.EXE /P30 \"EPSON Stylus Photo R210 Series\" /O6 \"USB001\" /M \"Stylus Photo R210\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ImInstaller_IncrediMail]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="incredimail_install[1]"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDLL32"
"hkey"="HKLM"
"command"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NVRTCLK]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NVRTClk"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NVRTCLK\\NVRTClk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PCTAVApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCTAV"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Spam Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpamMonitor"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UnlockerAssistant]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UnlockerAssistant"
"hkey"="HKLM"
"command"="\"C:\\Applications\\Unlocker\\UnlockerAssistant.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"Avg7UpdSvc"=dword:00000002
"Avg7Alrt"=dword:00000002
"AVGEMS"=dword:00000002
"Macromedia Licensing Service"=dword:00000003
"Adobe LM Service"=dword:00000003


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

Completion time: 06-09-24 13:04:22.59
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

[batman321]

Logfile of HijackThis v1.99.1
Scan saved at 13:09, on 06-09-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Applications\Spyware Doctor 4\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Applications\FreeRAM XP Pro 1.51\FreeRAM XP Pro.exe
C:\Applications\Roboform\RoboTaskBarIcon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Applications\Mozilla Firefox\firefox.exe
C:\Applications\Hijack This\HJT.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Applications\Spybot\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\APPLIC~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Applications\Roboform\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\APPLIC~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Applications\FreeRAM XP Pro 1.51\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [RoboForm] "C:\Applications\Roboform\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: Customize Menu - file://C:\Applications\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Applications\MPEG Joiner\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Applications\MPEG Joiner\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Applications\MPEG Joiner\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Applications\MPEG Joiner\dllink.htm
O8 - Extra context menu item: Fill Forms - file://C:\Applications\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Applications\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Applications\Roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\APPLIC~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Applications\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Applications\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Applications\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Applications\Roboform\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Applications\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Applications\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Applications\Spyware Doctor 4\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[sUBs]

That's good. It's gone. Let's get rid of some orphaned reg entries


Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

Quote:

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTAVApp"=-

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"=-

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"=-

Save this as fix.reg Choose to "Save type as - All Files"
It should look like this:
Double click on fix.reg & allow it to merge into the registry


* * * * *


Considering that you just had a reinfection, please use your machine as you normally would for the next 2 days. Then, come back & post a fresh HJT log so that I may verify if you're clean

[batman321]

Thanks, I have added the entries to the registry and will post a fresh HJT log in the next few days!

[batman321]

Logfile of HijackThis v1.99.1
Scan saved at 20:01, on 06-09-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Applications\Spyware Doctor 4\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Applications\FreeRAM XP Pro 1.51\FreeRAM XP Pro.exe
C:\Applications\Roboform\RoboTaskBarIcon.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Applications\Spyware Doctor 4\swdoctor.exe
C:\Applications\Mozilla Firefox\firefox.exe
C:\Applications\Hijack This\HJT.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Applications\Spybot\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\APPLIC~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Applications\Roboform\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\APPLIC~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Applications\Zone Alarm\zlclient.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Applications\FreeRAM XP Pro 1.51\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [RoboForm] "C:\Applications\Roboform\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: Customize Menu - file://C:\Applications\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Applications\MPEG Joiner\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Applications\MPEG Joiner\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Applications\MPEG Joiner\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Applications\MPEG Joiner\dllink.htm
O8 - Extra context menu item: Fill Forms - file://C:\Applications\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Applications\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Applications\Roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\APPLIC~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Applications\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Applications\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Applications\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Applications\Roboform\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Applications\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Applications\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Applications\Spyware Doctor 4\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[sUBs]

Quote:

The infections are back to stay...I might have to format my harddrive, (worst case)

Mind explaining this? Apart from installing a rogue scanner (Acceleration Software\Anti-Virus) I don't really see anything wrong in your log.

You can read up on Acceleration Software\Anti-Virus here: http://www.spywarewarrior.com/rogue_...re.htm#ss_note

[batman321]

Each time spyware doctor does a full-system scan, it always finds a number of spyware (always less than 30). AVG does not detect any viruses, so it must only be spyware.

[sUBs]

Show me what Spyware Doctor says. Is it just cookies & orphaned registry entries? Or even entries from System Volume Information folder?

[batman321]

I have included the spyware doctor report as an attachment. The infections are cookies (TXT files). The threat level is low rendering them harmless. Does this mean my spyware problem is solved?

[sUBs]

Learn about cookies by reading this - http://www.cookiecentral.com/faq/ I don't classify them as malicious. More a nuisance but sometimes a necessity. Even TSF places a cookie on your machine. If you're gonna reformat your machine over cookies, might as well reformat everytime you connect to the internet.

Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:

1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
   Go to Start → Run → type control sysdm.cpl,,4 & press Enter
   • Tick on the checkbox - Turn off System Restore on all drives
   • Click Apply
   Turn it back 'On' by unticking the same checkbox & click OK
   
   
   
2. DISABLE THE VIEWING OF SYSTEM FILES
   From Windows Explorer, go to Tools>Folder Options> View tab.
   • Untick - Show hidden files and folder
   • Tick - Hide file extensions for known types
   • Tick - Hide protected operating system files
   Click Yes to confirm & then click OK
   
   
   
3. SECURING INTERNET EXPLORER
   From within Internet Explorer click on the Tools menu and then click on Internet Options.
   • Select the Security tab
     • Click once on the Internet icon so it becomes highlighted.
     • Select Custom Level .
       • Change 'Download signed ActiveX controls' to Prompt
       • Change 'Download unsigned ActiveX controls' to Disable
       • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
       • Change 'Installation of desktop items' to Prompt
       • Change 'Launching programs and files in an IFRAME' to Prompt
       • Change 'Navigate sub-frames across different domains' to Prompt
       • When all these changes have been made, click on the OK button.
     • If it prompts you as to whether or not you want to save the settings, press the Yes button.
   • Select OK to exit the Internet Properties page.
   
   
   
4. ANTIVIRUS SOFTWARE
   It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and Removal Resources → http://www.bleepingcomputer.com/forums/topict405.html
   
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
5. FIREWALL
   Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html
   
   
   
6. Microsoft Windows Update → http://www.windowsupdate.com
   Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
   
7. SPYBOT - SEARCH & DESTROY
   Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial43.html
   
   
8. AD-AWARE
   Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial48.html
   
   
   
9. SPYWAREBLASTER
   SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.
   
   Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html
   
   
   
10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• http://toolbar.google.com/ - Google Toolbar - Get the free google toolbar to help stop pop up windows.
  
  
• http://cleanup.stevengould.org/ - CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
  
  
• http://www.winpatrol.com/ -Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here: http://www.winpatrol.com/features.html

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

[batman321]

I will endeavour to complete all the steps you mentioned.

Thank you for your unselfish time and help! You have really made a difference! Keep up the great work at Tech Support Forum!!!