Reaching A Better Future

Buddhism , PC Advise and related info. Subscribe to Buddhism Youtube Channel : http://www.youtube.com/user/leesaiman88

Archive for the ‘PC Advise’ Category

antivirus,pc,computer,virus,trojan horses,etc.

Trojan-Spy.Win32.Ardamax.e

Posted by leesaiman88 on April 5, 2009

Recently, my PC was hit by Trojan-Spy.Win32.Ardamax.e.

I used HijackThis and saved a log file, but it was no use. Luckily, Kaspersky Internet Security 2009 saved the day. KIS 2009 somehow detected and deleted the files. But this Trojan was rather SMART. When KIS 2009 deleted the infected files, it started to multiply again.

It all started when I downloaded LimeWirePro.rar from the Rapidshare website. KIS 2009 had given me a warning, but I just ignored it. Later I extracted setup.exe and installed it on my PC. Then the PC's performance started to slow down. When I started browsing, KIS 2009 alerted me with an alarm: “C:\WINDOWS\SYSTEM32SOGK.EXE denied the link.” It was so annoying for me.

This time when KIS 2009 alerted me, I took the chance to find the trojan's source. On the main KIS 2009 window, there were two buttons below: Detected and Report. Click the Report button. Another window will appear; highlight and right-click to open the located file:

C:\WINDOWS\SYSTEM32SOGK.EXE

C:\WINDOWS\SYSTEM32SOGK2.EXE

C:\WINDOWS\SYSTEM32SOGK3.EXE

C:\WINDOWS\SYSTEM32SOGK4.EXE

C:\WINDOWS\system32AKV.EXE

Delete all these files in the Windows system files folder (C:\WINDOWS\…).

My advice is to download at least two antispyware applications, such as SuperAntispyware and Windows Defender.

First I ran SuperAntispyware; the complete scan results were not satisfactory, so I gave up.

Second, I ran Windows Defender: Complete Scan.

1 item detected: MonitoringTool:Win32/Ardamax, Alert Level: Medium.

Windows Defender Scan Results: Trojan-Spy.Win32.Ardamax.e is a monitoring software: monitors user activity, such as keystrokes typed. Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.

Resources:

file: D:\System Volume Information\_restore{4OB2AAEO-EFEO-452F-9643-A66ECDC1C7C8}\RP206\A0050326.exe

file: D:\Downloads\Compressed\LimeWirePro.rar->LimeWirePro.exe

file: C:\WINDOWS\system32AKV.exe

container file: D:\Downloads\Compressed\LimeWirePro.rar

Just click Remove All, all infected files will be deleted.

Ardamax Keylogger is a type of keylogger.

Keyloggers record every keystroke you make on your PC, possibly with the intent of capturing usernames and passwords, credit card numbers, bank account numbers, etc. Some keyloggers also take screenshots of your computer activity, monitor emails and online chatting, and, when installed by someone authorized to do so, are often used to monitor child or employee computer activity. Even in cases such as these, keyloggers usually work secretly.

Ardamax Keylogger Prevention Rules

 

Protect your computer from Ardamax Keylogger and other spyware by following these four easy prevention rules.

Rule #1: Keep your Windows Security up-to-date

Microsoft provides updates weekly and can always be downloaded manually from the Microsoft website.
Tip: Regularly visit Windows Update and set your computer to receive security & critical updates automatically.

To get Microsoft Update, go to IE > Tools > Windows Update > Product Updates, and select “ALL High-Priority Security Updates” from the list.

Then open IE and go to Internet Options > Security > Internet, then press “Default Level”, then OK. Now press “Custom Level.”

Rule #2: Download and install a reliable anti-spyware software

Good anti-spyware software that recognizes the current Ardamax Keylogger spyware as well as other forms of spyware can be the answer to all your security issues. Listed below is an anti-spyware program that can effectively reverse the damage to your computer and detect Ardamax Keylogger automatically.

If anyone is using the IE browser, I recommend downloading Key Scrambler from www.freewarefiles.com or http://www.qfxsoftware.com/AboutQFX.htm to prevent Ardamax Keylogger from detecting keystrokes typed. Key Scrambler protects you or anyone with an encryption formula.

Hooray to KIS 2009 and Windows Defender !!!

 

 


Are you using the pirated copy? Read then..

Posted by leesaiman88 on September 19, 2008

26Aug Windows XP Professional operating system (OS) – Are you using the pirated copy? Read then..

 

PETALING JAYA: Starting Wednesday, users with pirated copies of Microsoft Corp’s Windows XP Professional operating system (OS) on machines that are Internet-capable could find their computer displays going black and with no screen icons visible.

There are 8.6 million users of Win XP Pro in Malaysia and about three million are expected to suffer the “blackouts,” according to Microsoft Malaysia.

To continue working, the user would need to reset the machine’s desktop background. Everything will return to normal. But when 60 minutes are up, the black screen will reappear and the user must go through the whole process again.

This will keep happening until the user licenses the copy of Win XP Pro on the machine by going to a Microsoft reseller or getting a licence online at www.microsoft.com/malaysia/genuine. Each licence costs RM580.


How to enable regedit when infected by virus?

Posted by leesaiman88 on September 17, 2008

 

How to enable the registry editor when infected by a virus

The registry editor can be disabled for two reasons:

First, the administrator may have disabled it for restriction purposes.

Second, due to a virus. Most viruses disable regedit so that you are unable to stop the execution of their programs.

Here are the solutions for enabling the regedit again.

  • Use gpedit.msc to enable the registry editor.

Step 1: Press the Windows key or click the Start button, then press “r” or simply click Run.

Step 2: Type gpedit.msc.

Step 3: Click on Administrative Templates.

Step 4: Click System, locate “Prevent access to registry editing tools”, and double-click on it.

Step 5: Select the Enabled option button, then click Apply.

This creates a policy that prevents access to the registry editing tools; the computer applies the policy automatically.

Step 6: After clicking Apply, select the Disabled option button, click Apply again, then click the OK button when finished.

The Disabled option returns the policy to its default. The computer configures it automatically, and the default configuration is that the registry editor can be accessed by the user.

And that’s it… Try running regedit.exe… Have fun!!!!

 

 


Worm.Brontok Description

Posted by leesaiman88 on September 17, 2008


Worm.Brontok is a worm that spreads by e-mailing itself to addresses found on the infected machine. It arrives as an attachment named Photo.zip. The message itself may contain the following text:

Hi, 
I want to share my photo with you. 
Wishing you all the best. 
Regards, 

Once Photo.zip is launched for the first time, a Windows Explorer window pops up with an open ‘My Pictures’ folder. This is the first indication that your computer is infected with this malevolent parasite. Worm.Brontok installs itself into registry and then disables anti-virus applications that can be found in the compromised machine. It also disables system registry tools and the command line (cmd.exe) in order to avoid detection and to aggravate manual removal. Worm.Brontok is a malicious parasite that should be removed from your computer system immediately.

How can I get rid of Worm.Brontok?

The most common spyware removal tactic is to uninstall Worm.Brontok by using the “Add/Remove Programs” utility. However, as there may still be hidden Worm.Brontok files, it’s possible that Worm.Brontok will reappear after reboot. Follow the Worm.Brontok detection and removal methods below.

Worm.Brontok Automatic Detection (Recommended)

Is your PC infected with Worm.Brontok? To safely & quickly detect Worm.Brontok, we highly recommend you…

Download SpyHunter’s FREE Worm.Brontok Scanner.

SpyHunter’s free version is only for spyware detection. If SpyHunter’s spyware scanner detects Worm.Brontok on your PC, you have the option of purchasing SpyHunter’s spyware removal tool to remove Worm.Brontok and other spyware threats.

Worm.Brontok Manual Removal Instructions

Below is a list of Worm.Brontok manual removal instructions and Worm.Brontok components listed to help you remove SpyCrush from your PC. Backup Reminder: Always be sure to back up your PC before making any changes.

Note: This manual removal process may be difficult and you run the risk of destroying your computer. We recommend that you use SpyHunter’s spyware detection tool to check for Worm.Brontok.

Step 1 : Use Windows File Search Tool to Find Worm.Brontok Path

  1. Go to Start > Search > All Files or Folders.
  2. In the “All or part of the file name” section, type in “Worm.Brontok” file name(s).
  3. To get better results, select “Look in: Local Hard Drives” or “Look in: My Computer” and then click “Search” button.
  4. When Windows finishes your search, hover over the “In Folder” of “Worm.Brontok”, highlight the file and copy/paste the path into the address bar. Save the file’s path on your clipboard because you’ll need the file path to delete Worm.Brontok in the following manual removal steps.

Step 2 : Use Windows Task Manager to Remove Worm.Brontok Processes

  1. To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
  2. Click on the “Image Name” button to search for “Worm.Brontok” process by name.
  3. Select the “Worm.Brontok” process and click on the “End Process” button to kill it.
  4. Remove the “Worm.Brontok” processes files:

EKSPLORASI.EXE

BRONSTAB.EXE

Step 3 : Use Registry Editor to Remove Worm.Brontok Registry Values

  1. To open the Registry Editor, go to Start > Run > type regedit and then press the “OK” button.
  2. Locate and delete the entry or entries whose data value (in the rightmost column) is the spyware file(s) detected earlier.
  3. To delete “Worm.Brontok” value, right-click on it and select the “Delete” option.
  4. Locate and delete “Worm.Brontok” registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tok-cirrhatus

Step 4 : Detect and Delete Other Worm.Brontok Files

  1. To open the Windows Command Prompt, go to Start > Run > type cmd and then press the “OK” button.
  2. Type in “dir /A name_of_the_folder” (for example, C:\Spyware-folder), which will display the folder’s contents, including hidden files.
  3. To change directory, type in “cd name_of_the_folder”.
  4. Once you have the file you’re looking for type in “del name_of_the_file”.
  5. To delete a file in folder, type in “del name_of_the_file”.
  6. To delete the entire folder, type in “rmdir /S name_of_the_folder”.
  7. Select the “Worm.Brontok” process and click on the “End Process” button to kill it.
  8. Remove the “Worm.Brontok” processes files:
\Documents and Settings\{User Name}\Local Settings\Application Data\winlogon.exe
\Documents and Settings\{User Name}\Local Settings\Application Data\smss.exe
\Documents and Settings\{User Name}\Local Settings\Application Data\services.exe
\Documents and Settings\{User Name}\Local Settings\Application Data\lsass.exe
\Documents and Settings\{User Name}\Local Settings\Application Data\inetinfo.exe
\Documents and Settings\{User Name}\Local Settings\Application Data\csrss.exe
\Documents and Settings\{User Name}\Templates\WowTumpeh.com
\Documents and Settings\{User Name}\Start Menu\Programs\Startup\EMPTY.PIF
EKSPLORASI.EXE
BRONSTAB.EXE
Tok-Cirrhatus
Tok-Cirrhatus-1761
Tok-Cirrhatus-1860
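
The pattern in the file list above is that the worm's copies borrow the names of core Windows processes but sit inside a user profile, and that executables appear in folders meant for shortcuts and templates. The following is an added example (not part of the original post or of any vendor tool) that flags both patterns in a file listing. The sample paths are constructed from the list above with a placeholder user name "alice", and the set of trusted directories is an assumption for a default Windows XP layout.

```python
import ntpath

# Core Windows process names that the dropped copies listed above imitate.
SYSTEM_NAMES = {"winlogon.exe", "smss.exe", "services.exe",
                "lsass.exe", "csrss.exe", "inetinfo.exe"}
# Extensions Windows will execute when double-clicked or auto-started.
EXEC_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd"}
# Profile folders that normally hold only shortcuts or document templates.
NON_EXEC_FOLDERS = ("\\start menu\\programs\\startup", "\\templates")

MASQUERADE = "system process name outside System32"
MISPLACED = "executable in a shortcut/template folder"


def trusted_dirs(system_root):
    """Directories where the genuine binaries live (assumed default layout)."""
    root = ntpath.normcase(ntpath.normpath(system_root))
    return {root + "\\system32",
            root + "\\system32\\inetsrv",    # inetinfo.exe (IIS)
            root + "\\system32\\dllcache"}   # Windows File Protection cache


def classify(path, system_root=r"C:\WINDOWS"):
    """Return the list of reasons a single path looks suspicious."""
    # ntpath gives Windows path semantics on any OS: case-insensitive
    # comparison and both slash styles treated as separators.
    norm = ntpath.normcase(ntpath.normpath(path))
    folder, name = ntpath.split(norm)
    ext = ntpath.splitext(name)[1]
    reasons = []
    if name in SYSTEM_NAMES and folder not in trusted_dirs(system_root):
        reasons.append(MASQUERADE)
    if ext in EXEC_EXTS and folder.endswith(NON_EXEC_FOLDERS):
        reasons.append(MISPLACED)
    return reasons


def find_masquerades(paths, system_root=r"C:\WINDOWS"):
    """Map each suspicious path to its reasons; clean paths are omitted."""
    hits = {}
    for p in paths:
        reasons = classify(p, system_root)
        if reasons:
            hits[p] = reasons
    return hits


# Constructed sample listing: genuine system files plus the locations
# named in the removal list above ("alice" is a placeholder user).
PROFILE = r"C:\Documents and Settings\alice"
SAMPLE = [
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\inetsrv\inetinfo.exe",
    PROFILE + r"\Local Settings\Application Data\lsass.exe",
    PROFILE + r"\Local Settings\Application Data\WINLOGON.EXE",
    PROFILE + r"\Templates\WowTumpeh.com",
    PROFILE + r"\Start Menu\Programs\Startup\EMPTY.PIF",
    PROFILE + r"\Start Menu\Programs\Startup\Office.lnk",
    PROFILE + r"\Templates\winword.doc",
]

if __name__ == "__main__":
    for path, reasons in find_masquerades(SAMPLE).items():
        print(path, "->", "; ".join(reasons))
```

Feeding it the output of a recursive directory listing ("dir /S /B /A") gives a quick list of candidates to inspect before deleting anything by hand.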


Streamyx Email

Posted by leesaiman88 on September 17, 2008

Following are two ways to access your Streamyx mail.

Webmail

  • Go to webmail.tm.net.my site
  • Type in your username
  • Select the appropriate domain (streamyx.com)
  • Type in your password
  • Click ‘sign-in’

Pop Email Services

You can obtain your streamyx email through various email programs available such as Microsoft Outlook, Inbox, Netscape Communicator, Outlook Express, etc. To do this, you are required to include your email configuration with the following settings :

Incoming mail server : pop.streamyx.com

Outgoing mail server : smtp.streamyx.com

Do not forget to save these settings. And whenever you login in the future, remember to type in your full username with the domain (e.g. beeqee@streamyx.com) to gain access into your account.


Antivirus 2009

Posted by leesaiman88 on September 16, 2008

Antivirus 2009 Description

Antivirus 2009, also known as Antivirus2009, is a rogue anti-spyware program that uses false spyware results to lure you to purchase its full version. Antivirus2009 is an updated version of Antivirus 2008. Other Antivirus 2009 aliases that have recently appeared on the Web are: XP Antivirus 2008, Vista Antivirus 2008, Ultimate Antivirus 2008 and System Antivirus 2008.

Antivirus 2009 is usually promoted via a ZLOB/MediaAccess Codec installer found on adult websites. Zlob has been the trojan of choice to infect users with pop ups disguised as system notifications that lead to websites with rogue anti-spyware programs. You can also install Antivirus 2009 manually on the rogue website antivirus-scanner.com. Antivirus 2009 may use its system scanner to display false positives which work as an incentive to make unsuspecting users purchase Antivirus 2009’s commercial version.

Do not click on any link provided by Antivirus 2009. Once you click on the link provided, you’ll be redirected to Antivirus 2009’s website (antivirus2009.com) to download and purchase Antivirus 2009’s rogue anti-spyware program. Antivirus 2009 has the ability to recreate itself after reboot and its “System scan” messages may continue to pop up on your task manager. It is advised to run a scan with a reliable anti-spyware program to check for the presence of Antivirus 2009 on your computer.

How can I get rid of Antivirus 2009?
The most common spyware removal tactic is to uninstall Antivirus 2009 by using the “Add/Remove Programs” utility. However, as there may still be hidden Antivirus 2009 files, it’s possible that Antivirus 2009 will reappear after reboot. Follow the Antivirus 2009 detection and removal methods below.

Antivirus 2009 or Antivirus2009 Automatic Detection (Recommended)
Is your PC infected with Antivirus 2009? To safely & quickly detect Antivirus 2009, we highly recommend you…

Download SpyHunter’s FREE Antivirus 2009 Scanner.

SpyHunter’s free version is only for spyware detection. If SpyHunter’s spyware scanner detects Antivirus 2009 on your PC, you have the option of purchasing SpyHunter’s spyware removal tool to remove Antivirus 2009 and other spyware threats.


Antivirus 2009 Manual Removal Instructions
Below is a list of Antivirus 2009 manual removal instructions and Antivirus 2009 components listed to help you remove SpyCrush from your PC. Backup Reminder: Always be sure to back up your PC before making any changes.

Note: This manual removal process may be difficult and you run the risk of destroying your computer. We recommend that you use SpyHunter’s spyware detection tool to check for Antivirus 2009.

Step 1 : Use Windows File Search Tool to Find Antivirus 2009 Path

  1. Go to Start > Search > All Files or Folders.
  2. In the “All or part of the file name” section, type in “Antivirus 2009” file name(s).
  3. To get better results, select “Look in: Local Hard Drives” or “Look in: My Computer” and then click “Search” button.
  4. When Windows finishes your search, hover over the “In Folder” of “Antivirus 2009”, highlight the file and copy/paste the path into the address bar. Save the file’s path on your clipboard because you’ll need the file path to delete Antivirus 2009 in the following manual removal steps.
  5. “Antivirus 2009” files can be found in the directory path(s):

%ProgramFiles%\AV9
%ProgramFiles%\Power-Antivirus-2009
%UserProfile%\Start Menu\Antivirus 2009
%ProgramFiles%\Antivirus 2009

Step 2 : Use Windows Task Manager to Remove Antivirus 2009 Processes

  1. To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
  2. Click on the “Image Name” button to search for “Antivirus 2009” process by name.
  3. Select the “Antivirus 2009” process and click on the “End Process” button to kill it.
  4. Remove the “Antivirus 2009” processes files:
AV2009Install[1].exe
Power-Antivirus-2009.exe
c:\WINDOWS\system32\ieupdates.exe
c:\Program Files\Antivirus 2009\av2009.exe
AV2009Install_880405[2].exe
AV2009Install_880405[1].exe
av2009[1].exe
AV2009Install.exe
Antivirus2009.exe
av2009.exe

Step 3 : Use Registry Editor to Remove Antivirus 2009 Registry Values

  1. To open the Registry Editor, go to Start > Run > type regedit and then press the “OK” button.
  2. Locate and delete the entry or entries whose data value (in the rightmost column) is the spyware file(s) detected earlier.
  3. To delete “Antivirus 2009” value, right-click on it and select the “Delete” option.
  4. Locate and delete “Antivirus 2009” registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “75319611769193918898704537500611”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “ieupdate”
HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}
HKEY_CURRENT_USER\Software\75319611769193918898704537500611
Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Antivirus 2009

Step 4 : Use Windows Command Prompt to Unregister Antivirus 2009 DLL Files

  1. To open the Windows Command Prompt, go to Start > Run > type cmd and then click the “OK” button.
  2. Type “cd” in order to change the current directory, press the “space” button, enter the full path to where you believe the Antivirus 2009 DLL file is located and press the “Enter” button on your keyboard. If you don’t know where Antivirus 2009 DLL file is located, use the “dir” command to display the directory’s contents.
  3. To unregister “Antivirus 2009” DLL file, type in the exact directory path + “regsvr32 /u” + [DLL_NAME] (for example, C:\Spyware-folder\> regsvr32 /u Antivirus 2009.dll) and press the “Enter” button. A message will pop up that says you successfully unregistered the file.
  4. Search and unregister “Antivirus 2009” DLL files:

%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll
c:\WINDOWS\system32\winsrc.dll

Step 5 : Detect and Delete Other Antivirus 2009 Files

  1. To open the Windows Command Prompt, go to Start > Run > type cmd and then press the “OK” button.
  2. Type in “dir /A name_of_the_folder” (for example, C:\Spyware-folder), which will display the folder’s content even the hidden files.
  3. To change directory, type in “cd name_of_the_folder”.
  4. Once you have the file you’re looking for type in “del name_of_the_file”.
  5. To delete a file in folder, type in “del name_of_the_file”.
  6. To delete the entire folder, type in “rmdir /S name_of_the_folder”.
  7. Select the “Antivirus 2009” process and click on the “End Process” button to kill it.
  8. Remove the “Antivirus 2009” processes files:

AV2009Install[1].exe
Power-Antivirus-2009.exe
%UserProfile%\Start Menu\Antivirus 2009\Antivirus 2009.lnk
%UserProfile%\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk
%UserProfile%\Start Menu\Antivirus 2009
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll
%UserProfile%\Desktop\Antivirus 2009.lnk
c:\WINDOWS\system32\scui.cpl
c:\WINDOWS\system32\winsrc.dll
c:\WINDOWS\system32\ieupdates.exe
c:\Program Files\Antivirus 2009\av2009.exe
c:\Program Files\Antivirus 2009
AV2009Install_880405[2].exe
AV2009Install_880405[1].exe
Uninstall Antivirus 2009.lnk
Antivirus 2009.lnk
av2009[1].exe
AV2009Install.exe
Antivirus2009.exe
av2009.exe

Antivirus 2009 Recommendation
RECOMMENDED: To avoid the unnecessary risk of damaging your computer, we highly recommend you use a good spyware cleaner/remover to track Antivirus 2009 and automatically remove Antivirus 2009 as well as other spyware, adware, trojans, and virus threats in your PC.

If you believe you have Antivirus 2009 installed on your computer, check for Antivirus 2009 with SpyHunter’s Free Spyware Scanner.


SpyHunter’s free version is only for spyware detection. To remove Antivirus 2009 and other spyware threats you can purchase SpyHunter’s spyware removal tool. Since new Antivirus 2009 files are constantly being released, it is normally advised to run SpyHunter’s scanner weekly to get the latest updates on Antivirus 2009 and other spyware threats.


How to remove Antivirus XP 2008 (www.av_xp2008.com).

Posted by leesaiman88 on September 16, 2008

Antivirus XP 2008 is back, unfortunately. It’s not an antivirus app, but a cleverly disguised rogue security application that tries to get you to buy the non-existent “security” it’s selling. Advertised using the common tricks of Trojans and faux security alerts, this nasty piece of malware can take over your desktop settings to mimic safe mode, display fake virus detections, and open a faux Internet Explorer window stating that Google has detected a malware infection.

Yeah, Google.
Apparently, though, the virus is now being spread in more insidious ways, and numerous people who claim safe browsing habits and up-to-date security definitions are being infected–including two of my friends.
In helping them remove it, I discovered an excellent post on the CNET Forums that explained a detailed and accurate method of removal. I’ve retyped it below with more detail in case you’re not able to get to the forums. It’s not particularly complicated, but if you’re not comfortable with advanced settings, I’d recommend proceeding cautiously or get a friend to help.

A warning before we begin: do not boot your computer into safe mode. Leave it running as you normally would. I tried restarting into safe mode, and the malware was prepared for that–its folders and files became undetectable.
First, in the Start menu, click on Run. If you can’t find the Run option, hit WIN+R. (That’s the key with the Windows icon on it.)
Type in msconfig, and go to the Startup tab. You’re looking for two files. One begins with the string of letters “lph,” and the second begins with “rhc”. The examples provided are longer strings, “lphc35dj0e1an” and “rhc75dj0e1an”, but after the first three letters, the strings are known to change on different computers. Uncheck the boxes next to both of them, then click on Apply and OK or Close at the bottom of the window.

Restart your computer normally. You’ll notice that the background hasn’t changed. To restore your desktop settings, you’ll need to go to Start > Run again, or Win+R. This time, type in Gpedit.msc. On the left nav, look for User Configuration near the middle. Navigate through Administrative Templates, then Control Panel, and finally Display. When you click on display, you’ll see a list of options open in the central pane. Right click on “Remove Display in Control Panel,” and click “Properties.” Then choose “Disabled.”
Repeat those same steps for the following attributes: Hide Desktop, Prevent changing wallpaper, Hide Appearance and Themes, Hide Settings, and Hide Screen Saver. Change all to “Disabled,” then hit Apply, OK, and restart your computer.
You will still see the Antivirus XP 2008 desktop “theme”, but now you can change it. Anywhere on your desktop, right-click and select properties. The first tab that opens should allow you to change your theme. If you also suffer from massive icons, use the last tab on the right, Settings. In the middle of that tab’s window you’ll see a Screen Resolution option, most likely set to 800×600. Move the slider to the left to choose a more aesthetically appealing resolution.


How to remove rvhost.exe aka Trojan Horse?

Posted by leesaiman88 on July 16, 2008

You have a nasty worm on your computer, so called W32/SillyFDC-G.
Let’s start cleaning your computer, shall we?
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Make a new folder for HijackThis! Like this: C:/Hjt/Hijackthis.exe IMPORTANT FOR THE BACKUPS!
I don’t see any firewall running on your computer? (Stop using Windows Defender, because it’s too weak.) Please download some other firewall from here
After downloading & installing the new firewall:
===============
* Click Start
* Click Control Panel
* Double-click Add or Remove Program
* Find and remove this program if found:
Yahoo Messengger
===============
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder. http://www.ewido.net/en/download/
* Install AVG Anti-Spyware by double clicking the installer.
* Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
* On the main screen under Your Computer’s security.
* Click on Change state next to Resident shield. It should now change to inactive.
* Click on Change state next to Automatic updates. It should now change to inactive.
* Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
* Wait until you see the Update successful message.
* Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
* Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido. AVG Anti-Spyware manual updates. Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
===============
Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present)
F2 – REG:system.ini: Shell=Explorer.exe RVHOST.exe
O2 – BHO: (no name) – {140BD8E3-C167-11D4-B4A3-080000180323} – (no file)
O2 – BHO: (no name) – {7E853D72-626A-48EC-A868-BA8D5E23E045} – (no file)
O4 – HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exe
O7 – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 – Extra button: Sky – {08E730A4-FB02-45BD-A900-01E4AD8016F6} – http://www.skybroadband.com (file missing) (If you don’t need)
Then close all windows except HijackThis and click Fix Checked
===============
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. This program is for XP and Windows 2000 only!
Double-click ATF Cleaner.exe to open it.
Under Main select the following:
* Windows Temp
* Current User Temp
* All Users Temp
* Temporary Internet Files
* Prefetch
* Java Cache
*The other boxes are optional* Then click the Empty Selected button.
If you use Firefox:
* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
* NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
* NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
===============
* Go to Start > My Computer
* Go to Tools > Folder Options
* Click on the View tab
* Untick the following:
  * Hide extensions for known file types
  * Hide protected operating system files (Recommended)
* You will get a message warning you about showing protected operating system files, click Yes
* Make sure this option is selected:
  * Show hidden files and folders
* Click Apply and then click OK

Restart your computer to Safe Mode.
1. If the computer is running, shut down Windows, and then turn off the power.
2. Wait 30 seconds, and then turn the computer on.
3. Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a “keyboard error” message. To resolve this, restart the computer and try again.
4. Ensure that the Safe Mode option is selected.
5. Press Enter. The computer then begins to start in Safe Mode.
6. Login on your usual account.
===============
When in Safemode, please find and remove this:
C:\WINDOWS\system32\RVHOST.exe
===============
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
* Click on Scanner on the toolbar.
* Click on the Settings tab.
* Under How to act?
  * Click on Recommended Action and choose Quarantine from the popup menu.
* Under How to scan?
  * All checkboxes should be ticked.
* Under Possibly unwanted software:
  * All checkboxes should be ticked.
* Under Reports:
  * Select Automatically generate report after every scan and uncheck Only if threats were found.
* Under What to scan?
  * Select Scan every file.
* Click on the Scan tab.
* Click on Complete System Scan to start the scan process.
* Let the program scan the machine.
* When the scan has finished, follow the instructions below.
IMPORTANT : Don’t click on the “Save Scan Report” button before you did hit the “Apply all Actions” button.
* Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
* At the bottom of the window click on the Apply all Actions button. (3)
* When done, click the Save Scan Report button. (4)
* Click the Save Report as button.
* Save the report to your Desktop.
* Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
Please post fresh HijackThis log and AVG report.
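
The HijackThis lines picked out in this post show three things worth checking in any such log: a second program chained onto the Winlogon shell, the same binary registered under a Run key as well, and the policy that locks the registry editor (the condition the gpedit.msc post earlier on this page reverses). The following is an added example, not part of the original post or of HijackThis itself, that triages those line types. The first five sample lines are the ones quoted above, the last one is constructed, and the finding names are made up for the example.

```python
import re
from collections import defaultdict

# "<code> - <body>", e.g. "O4 - HKCU\..\Run: [name] command"
LINE_RE = re.compile(r"^([A-Z]\d{1,2})\s+-\s+(.*)$")
# File name of an executable inside a command string. Names containing
# spaces are cut to their last word, which is enough for correlation here.
EXE_RE = re.compile(r"[^\\/\"\s]+\.(?:exe|com|pif|scr|bat)\b", re.I)


def parse(log_text):
    """Yield (code, body) for every HijackThis entry line in the text."""
    for raw in log_text.splitlines():
        # Blog software often turns " - " into an en or em dash.
        line = raw.replace("\u2013", "-").replace("\u2014", "-").strip()
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return a list of (finding, detail) tuples for suspicious entries."""
    findings = []
    autostart = defaultdict(set)   # exe name -> autostart mechanisms using it
    for code, body in parse(log_text):
        low = body.lower()
        if code == "F2" and "shell=" in low:
            # The shell value should name explorer.exe and nothing else.
            for exe in EXE_RE.findall(body.split("=", 1)[1]):
                if exe.lower() != "explorer.exe":
                    findings.append(("shell-hijack", exe))
                    autostart[exe.lower()].add("shell")
        elif code == "O4":
            m = re.search(r"\[(.+?)\]\s*(.+)$", body)
            exe = EXE_RE.search(m.group(2)) if m else None
            if exe:
                autostart[exe.group(0).lower()].add("run")
        elif code == "O7" and "disableregedit=1" in low:
            findings.append(("regedit-disabled", body))
        elif code in ("O2", "O9") and ("(no file)" in low
                                        or "(file missing)" in low):
            # Registration left behind after its file was removed.
            findings.append(("orphaned-entry", body))
    # One binary started through several mechanisms is a strong indicator.
    for exe in sorted(autostart):
        if len(autostart[exe]) > 1:
            findings.append(("multi-persistence", exe))
    return findings


# Sample input: lines quoted in the post, plus one constructed benign entry.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe RVHOST.exe
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\Example AV\exav.exe" /min
"""

if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LOG):
        print(finding, "|", detail)
```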
