[Cheeseball81]

First I would uninstall eAcceleration StopSign Software. It isn't very good, you can read about it here: http://www.spywarewarrior.com/rogue_...re.htm#ss_note

Get the LSP Fix: http://www.cexx.org/lspfix.htm

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of rlls.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish.

Boot into Safe Mode (start tapping the F8 key at Startup, before the Windows logo screen)

Find and delete this file: c:\windows\system32\rlls.dll

Reboot to Normal Mode.

Click here to download the trial version of Ewido Security Suite:
http://www.ewido.net/en/download/

· Install Ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido.
· It will prompt you to update click the OK button and it will go to the main screen.
· On the left side of the main screen click update.
· Click on Start and let it update.
· DO NOT run a scan yet.

Restart your computer into Safe Mode now.
(Start tapping the F8 key at Startup, before the Windows logo screen).
Perform the following steps in Safe Mode:

* Run Ewido:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK.
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your desktop.

Reboot.

Post a new Hijack This log and the results of the Ewido scan.

[navyjax2]

Figured I'd help out. Remove the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchalot.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchalot.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchalot.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchalot.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchalot.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchalot.com/search.htm
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

Unless you use a proxy server for an internet connection (Start, Run, type inetcpl.cpl, Connections tab, LAN Settings, check name in proxy text box to find out - if it has some text there, see if it matches something like r21.mchsi.com with a port of 8000 - if not, then ->), remove these:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;localhost

To remove eAcceleration StopSign Antivirus, remove the program from Add/Remove Programs (Start, Run, type appwiz.cpl), then these HJT entries, and then the appropriate folders left over, in that order:

O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra 'Tools' menuitem: Block This Page - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon1.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\sginst.exe /upd
O4 - HKLM\..\Run: [dguard] C:\PROGRA~1\ACCELE~1\DOWNLO~1\dguard.exe
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe" /Startup
O4 - HKLM\..\Run: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\Acceleration Software\StopSignProducts\Firewall\ssfwmon.dll",VerifyStatus
O4 - HKLM\..\Run: [eMailEncryption] C:\PROGRA~1\ACCELE~1\VELOZD~1\velozsys.exe runstart
O23 - Service: FWService - eAcceleration Corp. - C:\Program Files\Acceleration Software\StopSignProducts\Firewall\fwservice.exe

Remove the following. Note that any program claiming to remove spam, unless it's backed by Norton/Symantec, or McAfee, is likely just adware and garbage, and probably doesn't remove any spam. If it's working for you, then I'll stand corrected, but it's probably just taking up space and not really effective. Look in Add/Remove Programs (Start, Run, type appwiz.cpl) and remove it there first, then these HJT entries:

O4 - HKLM\..\Run: [SpamNukeWeb] C:\Program Files\SpamNuker\spamnuker.exe /auto
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spamnuker.com/product/camp/clickbank/WebSpamNukerInstaller.exe

Remove all these:

O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\accele~1\velozd~1\asiclayer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\accele~1\velozd~1\asiclayer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\accele~1\velozd~1\asiclayer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\accele~1\velozd~1\asiclayer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\accele~1\velozd~1\asiclayer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\accele~1\velozd~1\asiclayer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=http://www.searchalot.com/search.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.searchalot.com
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab

Unless you know what this is and did this on purpose, remove this -

O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab

You should go to http://www.microsoft.com/downloads and get their Anti-Spyware program, download, install it, and run it. HJT is alright, but we really need to stop living in the dark ages when we've got stuff like Ad-aware, Spybot S&D, Microsoft Anti-Spyware, Webroot's SpySweeper and Pest Patrol all out there that can scan and allow you to get rid of this stuff without the need of help online to figure out what you can remove. Just remove everything those programs find, except questionable stuff - just quarantine that; if you find it changed something you needed, you can go into the Quarantine sections of the programs and have it put the stuff back where it was, from the items you quarantined (obviously, if you just deleted/removed it with the utility instead of quarantining, it is gone, so be careful, but luckily not a lot of stuff out there will give a false positive with those programs, contrary to HJT).

Good luck.

[Cheeseball81]

I'd rather those directions were not followed. Especially fixing the 010's like that.
You are not supposed to fix those like that.

[navyjax2]

I was assuming he had already followed the directions in deleting that c:\windows\system32\rlls.dll file before getting rid of it from HJT. Really, those entries really shouldn't be there. If it really is a valid WinSock entry, he could go to http://compnetworking.about.com/gi/d...sockxpfix.html, download the free WinSock fix utility, then delete the HJT entries. If he loses internet, the tool can be ran then and WinSock will be fixed.

[brendandonhu]

I don't know where you get your info from, but these are perfectly legit:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;localhost