My daughter's laptop. Vista Home Premium. She is using it with admin rights, but is not normally a high-risk user. She showed me the pop-up for Vista Antispy. I showed her how to stop the process via Ctrl/Alt/Del. I downloaded MBAM and it appeared to remove the rogue and av files. About three days later, she got the pop-ups again. So I bought and registered MBAM, ran it, removed again, and enabled the Protection Module. I tried to run a full scan, and the full scans do fail - I have been unable to complete a full scan. Another 3 days, and she "says" she has not used the system on the Internet at all, but antispy is back. I ran MBAM again, and found that the Protection Module was turned off. I turned Protection back on and removed antispy with a quick scan. Upon reboot my Norton Antivirus blocked installation of a downloader trojan. I then let Norton delete the downloader. I opened MBAM again, and found the Protection Module was turned off again. I have used defogger and DDS, and have run GMER as suggested elsewhere in this forum. I include as follows:

1. the log of my last run of MBAM that said it "removed" antispy
2. my hijackthis log
3. my GMER log
4. my attach and dds log

I have no illusions that my system is clean, so all suggestions are appreciated.

============================================
dirty MBAM log

Malwarebytes' Anti-Malware 1.44
Database version: 3807
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

3/4/2010 9:17:07 PM
mbam-log-2010-03-04 (21-17-07).txt

Scan type: Quick Scan
Objects scanned: 106857
Time elapsed: 7 minute(s), 7 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\Users\Heimerl\AppData\Local\av.exe (Rogue.MultipleAV) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnfo32 (Trojan.Inject) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nah_shell (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uishf9wuifwuh387fh3wufinhjfdwefe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\RECYCLER\S-1-5-21-3604952309-0607771783-554017545-7923\msimfo32.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Heimerl\AppData\Local\Temp\msnfo32.exe (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Users\Heimerl\nah_ojbb.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3604952309-0607771783-554017545-7923\msimfo32.exe (Trojan.Inject) -> Delete on reboot.
C:\Windows\Temp\clk1005.nls (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Users\Heimerl\AppData\Local\Temp\lwue.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Heimerl\AppData\Local\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Users\Heimerl\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.
C:\Users\Heimerl\AppData\Local\Temp\iexplore.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Heimerl\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

===================================================
HIJACKTHIS log

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:28:33 AM, on 3/5/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Program Files\Norton 360 Premier Edition\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WTablet\Wacom_TabletUser.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Home Server\WHSTrayApp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
F2 - REG:system.ini: UserInit=C:\Windows\system32\Userinit.exe
O1 - Hosts:
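The MBAM log in this post shows the three places the rogue was re-establishing itself: the .exe file association redirected from exefile to a "secfile" class, a per-user Winlogon Shell value chained to an executable under C:\RECYCLER, and Run values with random-looking names pointing into Temp and AppData\Local. The following PowerShell audit is an added example, not part of the original post or of any tool mentioned in it; it reads those locations and reports anything that deviates from the documented Windows defaults, so a run after cleanup (or on a freshly rebooted machine three days later) shows whether the persistence came back. The name-length and path patterns are assumptions derived from the entries in this log, not a general rule.

```powershell
# Added example: read-only audit of the persistence points seen in the MBAM log.
# Changes nothing; run from an elevated prompt. Expected defaults are the
# documented Windows values; the "suspicious" patterns are assumptions taken
# from the entries in the log above.

$findings = @()
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# 1. .exe file association: the default data of HKCR\.exe should be 'exefile'
#    (the log shows it redirected to 'secfile'), and exefile's open command
#    should be "%1" %* so every executable launches directly.
$exeAssoc = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue).'(default)'
if ($exeAssoc -ne 'exefile') {
    $findings += "HKCR\.exe default is '$exeAssoc' (expected 'exefile')"
}
$openCmd = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
if ($openCmd -ne '"%1" %*') {
    $findings += "exefile open command is $openCmd (expected ""%1"" %*)"
}

# 2. Winlogon Shell: HKLM should be 'explorer.exe'. A per-user Shell value in
#    HKCU is not present on a default install; the log shows one pointing into
#    C:\RECYCLER. Taskman is also absent by default.
$hklmWinlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($hklmWinlogon.Shell -ne 'explorer.exe') {
    $findings += "HKLM Winlogon Shell is '$($hklmWinlogon.Shell)' (expected 'explorer.exe')"
}
if ($hklmWinlogon.Taskman) {
    $findings += "HKLM Winlogon Taskman is set: '$($hklmWinlogon.Taskman)'"
}
$hkcuWinlogonPath = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if (Test-Path $hkcuWinlogonPath) {
    $hkcuShell = (Get-ItemProperty -Path $hkcuWinlogonPath).Shell
    if ($hkcuShell) { $findings += "HKCU Winlogon Shell is set: '$hkcuShell'" }
}

# 3. Run keys: flag value names that are long random strings (assumption based
#    on the asg984... and uishf9... entries) and commands that point into Temp,
#    a RECYCLER folder, or an .exe sitting directly under AppData\Local.
$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }   # skip PowerShell's own metadata
        $suspiciousName = $p.Name -match '^[a-z0-9_]{16,}$'
        $suspiciousPath = [string]$p.Value -match '\\Temp\\|\\RECYCLER\\|\\AppData\\Local\\[^\\]+\.exe'
        if ($suspiciousName -or $suspiciousPath) {
            $findings += "$key\$($p.Name) = $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) {
    'No deviations found at the audited persistence points.'
} else {
    $findings | ForEach-Object { "SUSPECT: $_" }
}
```

Two caveats apply to reading its output. The same log also flagged C:\Windows\Temp\clk1005.nls as Rootkit.Agent, and a kernel-level component can hide or misreport registry data to user-mode tools, so a clean result from this script (or from a quick scan) is not proof the machine is clean; that is exactly why the forum workflow asks for GMER and DDS output. And a Run entry such as the log's nah_ojbb.exe, dropped directly in the user profile, matches neither pattern here, so the script is a regression check for the specific mechanisms in this log rather than a substitute for a full scan.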