I've run Ad-Aware, Spybot S&D, Norton AV and HJT! on it several times now. It's showing some improvement, and I haven't seen M$ Internet Exploder randomly open up for awhile, but I want to make sure. (IE doesn't ask ZoneAlarm if it can access the 'Net, it just spits out a couple of popups while I'm using Firefox. I installed Firefox on that machine to have something safe to get all the anti-crapware utilities and updates with.)
Now HJT! keeps finding 3 suspicious BHOs, and I can't seem to kill them off. I'm on my own (clean and much faster) computer, so I can't post the HJT! log from the other one, but the problems are {00000000-0000-0000-0000-000000000221}, {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}, (ClearSearch/SideSearch, etc.) and {0199DF25-9820-4bd5-9FEE-5A765AB4371E} AKA "IncrediFind."
I keep seeing a file called [AMCW4] AMCW4.EXE showing up in HKLM\..\Run. It's in the Windows Temp folder. Right-clicking for Properties=>Version shows no info, where most files list the company name, etc. I'm suspicious of it, but can't find any info via Google.
Another one that doesn't quite look right to me is called [qn5T36V] DSE_CI32.EXE, also in HKLM\..\Run. While the Windows "Find" will say that AMCW4 is in the Temp folder, it can't seem to locate DSE_CI32.
Also suspicious to me is [bCu3RWZnV] FINBLE3.EXE, another HJT! O4, and another HKLM\..\Run. Windows doesn't "Find" that one, either.
It makes me wonder if one or more of those might be reinstalling the barfware. Google doesn't return anything on any of those filenames, and there are only two hits on the {0199DF25-etc} number. I found some removal instructions by Googling on "IncrediFind," but none of the numbers match up. I've tried "IncFind" and "Incfin" as Windows files/folders, but no joy. I've trashed them several times with HJT! in Safe mode, but when I restart, they're baaaaaaack.
Any guidance would be appreciated.
--
Doug