Browser problem!
leejj
11-27-2003, 08:34 PM
Please, please help!
Here’s a problem I’m finding quite baffling. I was on this website the other day and was clicking around when I clicked on a link that tried to open up another window inside my Internet explorer… you might know the kind, not to another sub page of the particular site but a completely different window. Now here’s the crux! The window begins to open up but stops just short of actually having anything inside it. There is nothing. All I see is a smaller window attempting to open up alongside the page I’m already on… it’s completely empty, I can still see the contents of the page beneath it. The narrow blue bar is at the top with Internet Explorer on it and the thin grey lines of a box and that’s all. It will stay there forever until I close it down! What is going on there?
Here’s hoping you can help me! Thanks in advance!
Budfred
11-28-2003, 12:24 AM
Sounds like a hijack or driveby trojan....
You probably need to run a full set of security software starting with your antivirus.... Then run Spybot Search & Destroy and/or AdAware to check for spyware and a few common hijackers and trojans. Reboot and run HijackThis and then copy/paste the log here for the experts to check out. If you don't have these programs you can find links to them in mjc's security thread... (http://www.pcguide.com/vb/showthread.php?s=&threadid=15179)
PrntRhd
11-28-2003, 09:22 AM
I agree,
the clear frames may be transparent gifs, code with no displays.
Or simply frames that did not load properly. Better to be safe and scan.
leejj
11-28-2003, 12:04 PM
Thanks guys!
The transparent gifs thing sounds promising and I'll give my system a thorough check thru with my antivirus program. Thanks for the link budfred, but it's exactly the kind of link that the problem is occurring on!
I downloaded HijackThis and am about to run it, tho I'm a little concerned as it recommends it for advanced users and I'm not sure if I'm advanced enough... there's a joke in there somewhere! I'll post back soon with how things have gone.
Cheers!
Budfred
11-28-2003, 12:43 PM
The link is just to a thread in the Applications and Security forum. If you can't get there through the link, just navigate there. It is the AV/anti-trojan apps thread.
HijackThis is for advanced users to interpret, but anyone can run it and some of the advanced users around here can then interpret it for you.
Make sure you run a spyware scanner too. This kind of thing will often show up in spyware scans....
leejj
11-28-2003, 12:49 PM
Ok! I updated my virus checker and ran a full system sweep… nothing!
Ran Spybot and all it found were four tracking cookies, which I removed!
Ran Adaware and it found 1 file called a Dataminer category, which I removed!
Ran HijackThis and here is the log… recommended to show it to you guys before I do any deleting!
Logfile of HijackThis v1.97.7
Scan saved at 5:38:25 PM, on 11/28/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\WINMX\WINMX.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Internat Conf] C:\WINDOWS\SYSTEM\bootconf.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [WinMX] C:\PROGRAM FILES\WINMX\WINMX.EXE -m
O4 - HKCU\..\Run: [FreeRAM XP] "C:\WINDOWS\TEMP\FREERAM XP PRO 1.40.EXE" -win
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4291/mcfscan.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37927.3274305556
O19 - User stylesheet: C:\WINDOWS\default.css (HKLM)
Hope this helps!
P.S This happened a few months back and I got rid of it by reformatting my hard drive! I don’t want to have to go thru that again. Thing is I have Zone Alarm as a firewall and AVG virus checker which are running constantly so how do these darn things get in to my pc?
"I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We've created life in our own image."
Stephen Hawking (1942 - )
Budfred
11-28-2003, 12:58 PM
The firewall and antivirus only protect against certain kinds of things. These transparent gifs and similar nasties get implied consent to install themselves on your computer and are not usually blocked by either security program.
Did you reboot after running the spyware scans and before running HijackThis?? If you didn't, please do so and post again. Otherwise, hang on and the experts in this will be along to give you feedback...
leejj
11-28-2003, 01:23 PM
Ok! I didn't reboot after running Spyware and before running HijackThis but I have now! Here is the new log!
Cheers!
Logfile of HijackThis v1.97.7
Scan saved at 6:21:19 PM, on 11/28/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\WINMX\WINMX.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Internat Conf] C:\WINDOWS\SYSTEM\bootconf.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [WinMX] C:\PROGRAM FILES\WINMX\WINMX.EXE -m
O4 - HKCU\..\Run: [FreeRAM XP] "C:\WINDOWS\TEMP\FREERAM XP PRO 1.40.EXE" -win
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4291/mcfscan.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37927.3274305556
O19 - User stylesheet: C:\WINDOWS\default.css (HKLM)
shanmuga
11-28-2003, 01:29 PM
Just to elaborate on what Budfred had said,
There are other nasty things in the web like Dataminers, Parasites, Scumware, Keyloggers, Trojans, Dialers, Malware, Browser hijackers, and tracking components which are mostly outside the purview of traditional firewalls and antivirus software. You need to run specialised software like adaware, spybot etc. regularly to avoid getting infected.
I see that you are running WinMx. Is it something like Kazaa? If yes, you need to run full-time spyware protection software like spyware guard (a freeware) or enable adwatch in adware. It's better to be immunised also through spyware blaster or spybot.
From your log, definitely the following should go,
O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
Please wait for few more opinions.
leejj
11-28-2003, 01:49 PM
Thanks Shanmuga! I'm downloading Spyware Guard as I type this reply!
WinMx is similar to Kazaa but I hear it has less spyware bundled with it.
I'll run Spyware Guard as soon as I can.
When you say enable adwatch in adware I assume you mean Adaware! Also did you mean I can constantly immunize thru Spybot?
Cheers!
shanmuga
11-28-2003, 02:33 PM
Yes, it's adaware. There is an immunisation function in spybot which can be accessed by clicking on the 'immunize' button, which "allows you to tweak some internal Internet Explorer settings to block the installation of known spyware (and similar threats) installers. Spybot-S&D is able to set all entries for those that are in its database to be blocked". Note to go through the help file on the immunize screen for full details.
I suggest that you also install spywareblaster, which is similar to spybot immunize function, but more thorough and also a freeware. You need to run them only once and also when the protections are updated.
Budfred
11-28-2003, 04:55 PM
I could be wrong about this, but I would run only one of those options. If you have 2 or 3 running at the same time, they are likely to clash and cause more problems than they solve. One spyware protector is probably enough. Another option is to simply use a scan whenever you are done using a file sharing program...
david eaton
11-28-2003, 06:54 PM
A bit late, but your Hijack this log is clean. Whatever it was didn't install, or has been removed.
leejj
11-28-2003, 08:07 PM
Thanks guys so much for all your input!
I have SpywareGuard running constantly now so hopefully no more nasty Trojans or whatever will get in again!
The Adwatch option in my version of Adaware is non-functional; I have to purchase the version that has it enabled. Also, when I click on the immunize button in my Adaware program it tells me that all known bad products are already blocked... this has been the case since I installed it some 4 or 5 weeks ago so I can't see how this thing has gotten in!
Thanks Shanmuga for the advice to delete those two files you mentioned. The O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm is interesting in so much as when I tried to uninstall everything to do with this program earlier in the day I got the message "Error Number 0x80070725, Description: Incompatible version of the RPC stub. Setup will now terminate."
Thanks too David Eaton. As the HijackThis log was clean this time around I'm assuming the offending little blighter is no longer with me, but alas the problem doth persist!
Cheers guys! keep the advice coming!!
"I'll be back!"
Budfred
11-28-2003, 10:22 PM
I think LimeShop may be the problem. It apparently is part of LimeWire and here is a link (http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=LimeShop&btnG=Google+Search) that will tell you a little bit about it.
Were you able to get rid of it with HijackThis???
shanmuga
11-29-2003, 12:15 AM
@leejj,
Have you updated your adaware definitions file before running, because adaware should have detected and removed limewire. Detailed description on manual removal of limewire is available here (http://www.safersite.com/PestInfo/L/Limewire.asp).
@Budfred,
"If you have 2 or 3 running at the same time, they are likely to clash and cause more problems than they solve."
I am sorry if I was not clear. I didn't suggest running two spyware programs concurrently; spyware blaster is a run-once program like the immunize function of spybot. Ideally,
1. Run the immunize function of spybot when you first install it and also after applying updates to its detection.
2. If you have installed spywareblaster, the spybot itself finds it and suggests you to run it also for more thorough protection. A shortcut is provided to the spywareblaster within spybot's GUI. So, run it.
3. Use adaware and spybot scans at least once a week (in my case) for those spyware which escape the immunize function. Here my suggestion is to run them one after the other, because once or twice I have seen spybot catch what adaware misses and vice-versa.
4. If you are into Kazaa, or any such nasty peer to peer networks, the strong suggestion is to run a full time spyware protection like either spyware guard or adwatch of adaware.
Budfred
11-29-2003, 12:25 AM
shanmuga,
I didn't think you were suggesting to use all three together, I was worried that leejj was thinking of doing it though and wanted to point out that it wouldn't be good to do so. I was not aware that the spybot immunize only ran once since there was a thread earlier about it causing some problems on an ongoing basis...
shanmuga
11-29-2003, 01:32 AM
The immunize function is run once only as per my understanding, unless you install an optional browser helper (BHO) to prevent future bad downloads. In the menu at the bottom of the window under "Permanently running bad download blocker for Internet Explorer," select Ask for blocking confirmation. Then click Install. This will install the download blocker, which needs to run constantly. There was some concern that the download blocker may interfere with the use of some webpages.
leejj
11-29-2003, 11:30 AM
Thanks guys!
I'll take all the latest advice on board and act accordingly... it may take me a good few hours to assimilate but I'll get back to you here!
Shanmuga... I deleted the two files you mentioned and tried again to get rid of anything associated with Limewire. I still can't uninstall it completely because it won't let me via the usual route, you know, through Start - settings - Control panel - Add Remove, I just get the same old error message. I looked for anything associated with Limewire through the find files option but am not sure if I should simply delete everything I find to do with Limewire. Perhaps I could simply delete the Limewire folders from my C drive... would that be wise? I don't know! There is just so much happening now, so much data and advice for me to digest and I'm not the best with computer problem solving but I'm sure I will crack it eventually.
Cheers.
leejj
11-29-2003, 06:02 PM
Hey guys!
I don't know if this is related to my problem in any way but I have something called ShowBehind on my computer. I found some info on it and apparently it has something to do with opening pop up windows in my web browser.
Budfred
11-29-2003, 08:10 PM
Here is some INFO (http://www.pestpatrol.com/PestInfo/s/showbehind.asp) on removing it... I didn't see any reference to it in your HijackThis log, so it may be hiding under another name or only getting booted when you open your browser or something....
leejj
11-30-2003, 07:13 PM
Well thanks guys, I've tried everything you have suggested. I've gotten myself extra protection with the SpywareGuard, I've tried the HijackThis program, deleted the things you recommended, ran this check and that check, virus checked until I was blue in the face, used Adaware to root out any unwanted items, but alas, I still have the problem with the browser. Could it be a problem with my Internet Explorer settings at all?
I have no trace of ShowBehind on my system any more apart from the fact that in the add remove programs box the name is still there along with Limewire and Limeshop, I think I may have uninstalled them incorrectly which is why the reference to them persists.
PrntRhd
11-30-2003, 07:33 PM
You will need to repair the Registry to fix those if they were in fact uninstalled. (Limewire)
You can try going to Add/Remove programs, click IE 6 and ok, then select repair option for IE6. This should at least attempt to repair IE.
Budfred
11-30-2003, 07:34 PM
Someone recently mentioned that TweakUI can remove programs from the Add/Remove list when they don't go away the way they are supposed to.
I can think of a couple of ways to check for the browser possibly being the problem. (I don't think it is)... One is that you could run the IE Repair program that is in IE and the second is you could try a different browser like Mozilla, Opera and/or Netscape 7.2 to see if the problem is still there. If it persists, it is probably still something messing with your system.
leejj
12-01-2003, 08:45 AM
Guess what? I downloaded and installed another IE browser and lo and behold, the problem was no longer with me. I used the fix option in Microsoft IE 6 from the add/remove programs but it didn't do any good, the same thing is still happening. Do you think that totally uninstalling and reinstalling Microsoft IE 6 might cure the problem?
shanmuga
12-01-2003, 09:13 AM
"LimeWire: On average, 146 objects detected in each machine".
I know how you are feeling leejj, it's frustrating. Are you running the latest versions of Adaware and Spybot? If not, update them with the latest protections and run them one after the other. Restart. Run HijackThis and post the log here. BTW did you follow the steps for manual removal of limewire available in the link (http://www.safersite.com/PestInfo/L/Limewire.asp) I have given you earlier?
What IE browser have you downloaded? Even if you reinstall IE, I think you will be facing the same problem again.
leejj
12-01-2003, 12:02 PM
Shanmuga! I followed your advice for the removal of all the limewire files from my computer and it did something though I'm not sure exactly what! There is however no trace of any Limewire or any related files on my computer any more. I'll update Spybot and Adaware as you say and run them consecutively and then run HijackThis and I will post the log here.
I downloaded MyIE2. It seems fine and I don't have the problem that I have with my Microsoft IE, but I would like to have my original IE browser back eventually.
leejj
12-01-2003, 12:56 PM
Ok guys! here's the latest log you requested. Thanks!
Logfile of HijackThis v1.97.7
Scan saved at 5:49:27 PM, on 12/1/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\WINMX\WINMX.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: UCmore - The Search Accelerator Toolbar - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\PROGRAM FILES\THESEARCHACCELERATOR\UCMTSAIE.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Internat Conf] C:\WINDOWS\SYSTEM\bootconf.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [WinMX] C:\PROGRAM FILES\WINMX\WINMX.EXE -m
O4 - HKCU\..\Run: [FreeRAM XP] "C:\WINDOWS\TEMP\FREERAM XP PRO 1.40.EXE" -win
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: UCmore XP - The Search Accelerator.lnk = C:\WINDOWS\SYSTEM\rundll32.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4291/mcfscan.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37927.3274305556
O16 - DPF: {607DF741-7D0A-11D4-9EDC-005004189684} - http://www.ucmore.com/download/UCmoreIEx.cab
O19 - User stylesheet: C:\WINDOWS\default.css (HKLM)
shanmuga
12-01-2003, 02:10 PM
O4 - HKLM\..\Run: [Internat Conf] C:\WINDOWS\SYSTEM\bootconf.exe
That's your main culprit. You need to download CWShredder from here (http://www.spywareinfo.com/~merijn/files/cwshredder.zip) and run it. After running that utility, restart, again post a HJT log. But before you do that, a couple of suggestions:
If you have anything disabled by MSConfig or any other startup manager, please re-enable it before scanning to post. If you have run and fixed anything with Spybot Search and Destroy or AdAware, please reboot before scanning. Also, make sure that you actually extract HijackThis to its own folder. DO NOT run it from within a zip manager (Winzip), as no backups will be saved.
Mjc's quick start guide (http://mjc1.com/mirror/hjt/)
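A way to compare successive HijackThis logs like the ones posted in this thread, as an added example that is not part of the original thread or of HijackThis itself: the Python below parses the entry lines, reports what appeared, disappeared or persisted between two scans, and lists entries marked `(no file)`. The two sample logs are constructed excerpts of the 11/28 and 12/1 logs above, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# An entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [Name] path".
# Header lines and the "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Constructed excerpts of the logs posted in the thread (11/28 and 12/1), shortened.
SCAN_NOV28 = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
O4 - HKLM\..\Run: [Internat Conf] C:\WINDOWS\SYSTEM\bootconf.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
"""

SCAN_DEC01 = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: UCmore - The Search Accelerator Toolbar - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\PROGRAM FILES\THESEARCHACCELERATOR\UCMTSAIE.DLL
O4 - HKLM\..\Run: [Internat Conf] C:\WINDOWS\SYSTEM\bootconf.exe
O16 - DPF: {607DF741-7D0A-11D4-9EDC-005004189684} - http://www.ucmore.com/download/UCmoreIEx.cab
"""


def parse_entries(log_text):
    """Return {section code: set of entry bodies} for every entry line in a log."""
    entries = defaultdict(set)
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries[match.group("code")].add(match.group("body").strip())
    return entries


def section_key(code):
    """Sort 'O2' before 'O16' by comparing the numeric part as a number."""
    return (code[0], int(code[1:]))


def diff_scans(before, after):
    """Compare two logs and list entries that were added, removed or kept."""
    old, new = parse_entries(before), parse_entries(after)
    report = {"added": [], "removed": [], "persisted": []}
    for code in sorted(set(old) | set(new), key=section_key):
        report["added"] += [(code, b) for b in sorted(new[code] - old[code])]
        report["removed"] += [(code, b) for b in sorted(old[code] - new[code])]
        report["persisted"] += [(code, b) for b in sorted(old[code] & new[code])]
    return report


def orphaned(log_text):
    """Entries whose registry key remains but whose file is gone: '(no file)'."""
    entries = parse_entries(log_text)
    return [(code, body)
            for code in sorted(entries, key=section_key)
            for body in sorted(entries[code])
            if body.endswith("(no file)")]


if __name__ == "__main__":
    report = diff_scans(SCAN_NOV28, SCAN_DEC01)
    for change in ("added", "removed", "persisted"):
        print(change.upper())
        for code, body in report[change]:
            print(f"  {code} - {body}")
    print("ORPHANED IN FIRST SCAN")
    for code, body in orphaned(SCAN_NOV28):
        print(f"  {code} - {body}")
```

An entry that survives several cleanup passes, such as the `[Internat Conf]` autorun singled out in the last post, shows up under `persisted`, which makes it easy to separate from entries introduced by newly installed tools.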