On 4 Feb I foolishly opened something on MSN Messenger that I thought was from my daughter - it was not. So I joined this forum, which I have found very useful with lots of information. Warnings from the Avast log are: sign of Win32:IRCBot-CHZ; Win32:TratBHO; Win32:Trojan-gen; Win32:Winfixer-F; PS/MPC-gen5; and Win32:Renos-AE. In the Avast log there is nothing above warning level.
Since the infection I have been plagued with pop-up warnings about how unsafe my computer is, and that I have dozens of viruses, many of them critical. Most run scans, some of which are hard to delete. Following advice in the forum, I downloaded and ran RogueRemover and siri.geeks and both said nothing detected. I have run Spybot and “fixed” problems. I have also run Windows Defender, which found no harmful software and said the computer is running normally - I am surprised, as I now get “program not responding” many times a day. I have now installed and run Zone Alarm.
I am sorry that this message is so long, but I am new to the forum and have not had a virus problem for a number of years. I would appreciate your advice please.
I attach the HijackThis logfile.
Hi there. First off, you will need to disable TeaTimer, as that will interfere with the fix.
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
- Open Spybot Search & Destroy.
- In the Mode menu click “Advanced mode” if not already selected.
- Choose “Yes” at the Warning prompt.
- Expand the “Tools” menu.
- Click “Resident”.
- Uncheck the “Resident “TeaTimer” (Protection of overall system settings) active.” box.
- In the File menu click “Exit” to exit Spybot Search & Destroy.
NEXT
Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Cruz PC User\Local Settings\Temporary Internet Files\Content.IE5\7CEUKDGV\install_sbd_en[1].exe
O4 - HKLM\..\Run: [0f6a117c] rundll32.exe "C:\WINDOWS\system32\txjsmacs.dll",b
Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.
THEN
Please download OTMoveIt2 by OldTimer.
- Save it to your desktop.
- Double-click OTMoveIt2.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
C:\Documents and Settings\Cruz PC User\Local Settings\Temporary Internet Files\Content.IE5\7CEUKDGV
C:\WINDOWS\system32\txjsmacs.dll
- Return to OTMoveIt2, right-click in the “Paste List of Files/Folders to be Moved” window (under the light blue bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
- Close OTMoveIt2.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
FINALLY FOR NOW
Download ComboFix from Here or Here to your Desktop.
- Double-click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Many thanks Essex Boy for your prompt reply. I have re-opened HijackThis but cannot find O4 - HKLM\..\Run: [0f6a117c] rundll32.exe "C:\WINDOWS\system32\txjsmacs.dll",b.
There is an entry that is almost the same, but it ends \system32\ummjwrqa.dll",b
Help
Fix that one, as it is changing its name, then run ComboFix.
Thanks. Logs attached
HijackThis log attached
OK, a lot was killed there. Let's try and get the rest.
Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.
O2 - BHO: (no name) - {5DCB11A3-08BB-42AC-B501-33E0D36918EE} - C:\WINDOWS\system32\ssttt.dll (file missing)
O2 - BHO: (no name) - {69F5C7F3-AAAA-4E31-9673-9FF2629FF9E3} - C:\WINDOWS\system32\mljge.dll (file missing)
O4 - HKLM\..\Run: [Windows Video Input] viwsvc.exe
Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.
THEN
Please open Notepad:
- Click Start, then Run.
- Type notepad.exe in the Run box.
Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::
File::
C:\WINDOWS\system32\viwsvc.exe
C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\mljge.dll
Registry::
[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5DCB11A3-08BB-42AC-B501-33E0D36918EE}]
[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69F5C7F3-AAAA-4E31-9673-9FF2629FF9E3}]
Then in Notepad go to File > Save As and in the Save as type dropdown select All Files.
Save the above as CFScript.txt
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
- ComboFix.txt
- A new HijackThis log.
New logs attached
Looking good - how is your computer now ?
A big improvement, thank you. A lot quicker, no more antivirus pop-up ads so far, and no “program not responding” messages in the last hour. So I will keep my fingers crossed.
Assuming all is still OK after a couple of days, should I remove some of the software I installed (i.e. RogueRemover, Smitfraud, SuperAntiSpyware) in an effort to solve the problem before I posted this?
Now the best part of the day: your log now appears clean.
Double-click OTMoveIt once again and you should see a CleanUp! button; press that button. You may get prompted by your firewall that OTMoveIt wants to contact the internet; allow this. A cleanup.txt will be downloaded and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded, plus itself.
Now, to get you off to a good start, we will reset your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point, but this is my method:
- Select Start > All Programs > Accessories > System tools > System Restore.
- On the dialogue box that appears select Create a Restore Point
- Click NEXT
- Enter a name e.g. Clean
- Click CREATE
You now have a clean restore point, to get rid of the bad ones:
- Select Start > All Programs > Accessories > System tools > Disk Cleanup.
- In the Drop down box that appears select your main drive e.g. C
- Click OK
- The system will do some calculation and then display a dialogue box with TABS
- Select the More Options Tab.
- At the bottom will be a System Restore box with a CLEANUP button; click this
- Accept the Warning and select OK again, the program will close and you are done
Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
- SpywareBlaster, to help prevent spyware from installing in the first place.
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To keep your operating system up to date visit
- Microsoft Windows Update
To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?
Keep safe
Have done everything you said.
With regard to your recommendations, I have the following installed:
Firewall - Zone Alarm (recommended by Which - the UK consumer organisation)
Anti Virus - Avast (recommended by Which)
Anti-spyware - Spybot (recommended by Which) and Windows Defender
Which recommend installing more than one anti-spyware programme as no single program will detect everything (they do say that you need to make sure that real-time protection is activated on only one as they could conflict with each other). Any problems if I delete Win Defender and install your recommendation Spywareblaster?
Microsoft Windows updates are done automatically.
SpywareBlaster is a passive blocking programme; it does not and cannot delete malware, it just blocks it from installing to the registry.
Spybot is now a bit old in the tooth, and a worthy replacement would be SuperAntiSpyware.
Hello Essex Boy. One last problem (I hope). Every time I start my computer I now get the message :
RUNDLL
Error loading c:\Windows\system32\ummjwrqa.dll
The specified module could not be found
This was one of the items removed - see my reply 2 and your reply 3 - both on 16 Feb.
How can I stop this message please.
That will just need to be deleted in HijackThis. Except I did not see any of that in your log?
Post a new Hijackthis and I will show you the one to delete
Thanks. Hijackthis log attached
Is this a different machine? If not, you are now re-infected with something totally different.
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
- Open Spybot Search & Destroy.
- In the Mode menu click “Advanced mode” if not already selected.
- Choose “Yes” at the Warning prompt.
- Expand the “Tools” menu.
- Click “Resident”.
- Uncheck the “Resident “TeaTimer” (Protection of overall system settings) active.” box.
- In the File menu click “Exit” to exit Spybot Search & Destroy.
Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.
O2 - BHO: (no name) - {0869846C-26E8-4C4A-B289-32123824E7D2} - (no file)
O2 - BHO: (no name) - {2f95c417-b228-4a73-87d4-4e93f21c743a} - (no file)
O2 - BHO: (no name) - {3CD9C38E-0BC5-4EE7-80AE-D45DA3CFC245} - (no file)
O2 - BHO: (no name) - {4F0B1E54-D6F3-4615-8DF1-2D145F730445} - (no file)
O2 - BHO: (no name) - {599E0596-7738-41FE-9BC7-5E0D0ABA2E6E} - (no file)
O2 - BHO: (no name) - {5DCB11A3-08BB-42AC-B501-33E0D36918EE} - (no file)
O2 - BHO: (no name) - {69F5C7F3-AAAA-4E31-9673-9FF2629FF9E3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {856705D8-E740-4C8F-8FBD-4C0A2B218163} - (no file)
O2 - BHO: (no name) - {9AA57522-2ECD-47DF-BD38-20E7E577A464} - (no file)
O2 - BHO: (no name) - {A8FF89B1-419A-4AB7-A3D3-FBF84D8DBC07} - (no file)
O2 - BHO: (no name) - {C57E113B-AC3B-4A18-AEEF-17422F4D86EF} - (no file)
O2 - BHO: (no name) - {D31267DD-1752-48B9-9655-3B6F642CF644} - (no file)
O2 - BHO: (no name) - {E3DA8869-19CF-491F-B37B-E8EE93405A86} - (no file)
O4 - HKLM\..\Run: [Windows Video Input] viwsvc.exe
O4 - HKLM\..\Run: [0f6a117c] rundll32.exe "C:\WINDOWS\system32\ummjwrqa.dll",b
O20 - Winlogon Notify: rqrsrom - C:\WINDOWS\
Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.
THEN
Please download ComboFix from Here or Here to your Desktop.
Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.
- Please never rename ComboFix unless instructed.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- Very important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause “unpredictable results”.
- Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
- WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
- Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
- If there is no internet connection after running ComboFix, then restart your computer to restore your connection.
- Double-click on combofix.exe and follow the prompts.
- When finished, it will produce a report for you.
- Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
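The entries picked out across this thread follow a few repeatable patterns: O2 BHO registrations whose DLL is already gone ("(no file)" / "(file missing)"), O4 Run values with a hex-looking name that call rundll32 on a random-named DLL in system32 with a one-letter export (the one whose name changed from txjsmacs.dll to ummjwrqa.dll between posts), a Run value that launches a bare filename dressed up as a Windows component, an O20 Winlogon Notify package pointing at a bare directory, and, once the DLL has been deleted, the leftover Run value that produces the RUNDLL "specified module could not be found" message at logon reported earlier. The script below is an added example and is not from the thread or from HijackThis/ComboFix: it triages constructed HijackThis-style lines (the thread's entries plus two benign ones I added for contrast) against a constructed set of files assumed to exist on disk, and emits a CFScript in the same File::/Registry:: form used above. The "random name" checks are my own heuristics, not a published rule.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed sample log (not a real full HijackThis log): the O2/O4/O20 lines
# quoted in this thread, plus two benign entries (Adobe's BHO and avast's tray
# icon) for contrast. HijackThis writes Run entries as "HKLM\..\Run".
SAMPLE_LOG = """\
O2 - BHO: (no name) - {5DCB11A3-08BB-42AC-B501-33E0D36918EE} - C:\\WINDOWS\\system32\\ssttt.dll (file missing)
O2 - BHO: (no name) - {0869846C-26E8-4C4A-B289-32123824E7D2} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [0f6a117c] rundll32.exe "C:\\WINDOWS\\system32\\ummjwrqa.dll",b
O4 - HKLM\\..\\Run: [Windows Video Input] viwsvc.exe
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O20 - Winlogon Notify: rqrsrom - C:\\WINDOWS\\
"""

# Constructed stand-in for the disk (lower-case paths that exist). On the real
# machine you would call os.path.exists() instead. ummjwrqa.dll is deliberately
# absent: that is the state that produces the RUNDLL dialog at logon.
PRESENT_FILES: Set[str] = {
    r"c:\program files\adobe\acrobat\activex\acroiehelper.dll",
    r"c:\progra~1\alwils~1\avast4\ashdisp.exe",
    r"c:\windows\system32\viwsvc.exe",
}

SYSTEM32 = r"C:\WINDOWS\system32"
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<value>\S+) - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)$', re.I)
HEX_VALUE_RE = re.compile(r"^[0-9a-f]{8}$")        # value names like 0f6a117c (heuristic)
RANDOM_DLL_RE = re.compile(r"^[a-z]{6,8}\.dll$")   # names like txjsmacs.dll, ummjwrqa.dll (heuristic)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)
    clsid: str = ""       # O2 entries: CLSID to remove under BHO_KEY
    kill_path: str = ""   # flagged file still on disk (goes under File::)


def _target(cmd: str) -> Tuple[str, bool]:
    """File a Run command launches, and whether the value gave only a bare
    filename (Windows resolves those via its search path; system32 assumed)."""
    m = RUNDLL_RE.match(cmd)
    if m:
        raw = m.group("dll")
    elif cmd.startswith('"'):
        raw = cmd.split('"')[1]
    else:
        raw = cmd.split()[0]
    bare = "\\" not in raw
    return (SYSTEM32 + "\\" + raw if bare else raw), bare


def triage(log: str, present: Set[str]) -> List[Finding]:
    """Flag the entry patterns this thread dealt with; benign entries yield nothing."""
    findings: List[Finding] = []
    for line in log.splitlines():
        f = Finding(line.strip())
        if m := O2_RE.match(f.line):
            f.clsid = m.group("clsid")
            path = m.group("path")
            if "(no file)" in path or "(file missing)" in path:
                f.reasons.append("BHO registration whose DLL is gone: orphaned CLSID")
            elif path.lower() not in present:
                f.reasons.append("BHO DLL not found on disk")
            else:
                f.clsid = ""  # present and named: nothing to remove
        elif m := O4_RE.match(f.line):
            cmd = m.group("cmd")
            target, bare = _target(cmd)
            r = RUNDLL_RE.match(cmd)
            exists = target.lower() in present
            if (r and HEX_VALUE_RE.match(m.group("value"))
                    and RANDOM_DLL_RE.match(target.rsplit("\\", 1)[-1])
                    and target.lower().startswith(SYSTEM32.lower())):
                f.reasons.append("rundll32 loader: hex value name, random-named system32 DLL, "
                                 f"export '{r.group('export')}' (name changes after each fix)")
            elif bare:
                f.reasons.append("bare filename resolved from system32, no vendor path: review manually")
            if not exists:
                f.reasons.append("target missing on disk: orphaned Run value, which is what shows "
                                 "the RUNDLL 'specified module could not be found' dialog at logon")
            elif f.reasons:
                f.kill_path = target
        elif m := O20_RE.match(f.line):
            if m.group("path").endswith("\\") or not m.group("path").lower().endswith(".dll"):
                f.reasons.append("Winlogon Notify package with no DLL path")
        if f.reasons:
            findings.append(f)
    return findings


def cfscript(findings: List[Finding]) -> str:
    """CFScript in the form used in this thread: File:: for flagged files still on
    disk, Registry:: [-key] for orphaned BHO CLSIDs. Orphaned Run values have no
    file to delete and are left to HijackThis's Fix Checked."""
    files = [f.kill_path for f in findings if f.kill_path]
    keys = [f"[-{BHO_KEY}\\{f.clsid}]" for f in findings if f.clsid]
    out = ["KillAll::"]
    if files:
        out += ["File::"] + files
    if keys:
        out += ["Registry::"] + keys
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, PRESENT_FILES)
    for h in hits:
        print(h.line)
        for why in h.reasons:
            print("   ->", why)
    print("\n" + cfscript(hits))
```

Run as-is it prints the five flagged lines with the reason for each and a CFScript listing viwsvc.exe under File:: and the two orphaned CLSIDs under Registry::, while the Adobe and avast entries pass untouched. The "target missing" reason on the 0f6a117c value is the condition behind the RUNDLL message at logon: the DLL was removed but the Run value that loads it was not.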
It is the same machine!
combofix.txt and new HijackThis log attached
Spooky, it is clean again. Do you have multiple users on your system?
Many thanks. Yes - 2 users - Me (Cruz user) and my wife (Karin).