Tom's Guide | Tom's Hardware | Tom's Games
OK guys, here is the problem.
Scans by Ad-Aware, Spybot S&D, HijackThis, CWShredder, and anti-virus yield zip at this time. (Earlier in the month, AVG Free Edition found Java/ByteVerify and quarantined it at my request.) McAfee anti-virus has not detected anything. I am getting porn registry keys in HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\P3P\HISTORY as well as in the CURRENT_USER and USERS sections of the Registry. These entries keep returning after being deleted several times now.
What's more: immunizations under Spybot are becoming unblocked and protections under JavaCool SpywareBlaster are becoming unblocked.
Something is afoot. Anyone got any ideas?
P.S. Also, has anyone else experienced less than adequate help from McAfee? They used to be rather responsive. Now I think they've outgrown their resources.

P3P is a privacy setting and may be used by Explorer to keep these sites out. Check your Control Panel > Internet Options > settings for Security, Privacy and Content, and also any of your firewalls that may be using these same addresses to block out. If spy-aware scans don't detect them, they're ignored on purpose. :)

Have you tried copy/pasting your HJT into any auto analyzers?
If not I suggest this one first because it quickly pinpoints known nasties under heading of "Malicious" at top in red:
HJT DETECTIVE

Get HJT to remove all Malicious items (if any). When you are happy with that one you could re-run HJT and post your NEW log in here:

HJT ANALYZER

The second one is more thorough but creates a long analysis including both good and bad stuff that is running (one good reason for running the other one first). The green ticks are usually safe.
For any questionable items, search Google using -hijackthis after the search string (otherwise you get a stack of other folks' logs). Try the Google Groups tab too.
"Once you've done all that" I'm happy that you post the log on here and I'll see if I can see any stragglers.
Derek.W
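The auto-analyzers Derek mentions work from the structure of a HijackThis log: each line is a section code (R0/R1 for IE start and search pages, O2 for browser helper objects, O3 for toolbars, O4 for autostart entries) followed by a location, a name and a target. The parser below is an added example, not HijackThis code or any analyzer's code; it splits those lines into records, pulls the file path out of each target, and lists autostart entries whose file sits somewhere an installer would not normally put it (a temp directory, or outside the Windows and Program Files trees). The sample lines follow the shape of the log posted in this thread; the last one is constructed so the heuristic has something to flag. It is a triage filter only: the analyzers compare names against known-good lists, which this does not.

```python
"""Parse HijackThis log lines into structured records (added example, not HJT's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines in the shape of the log posted in this thread. The last line is
# constructed (not from the poster's log) to show what the location heuristic flags.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.korrnet.org/kcd/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.exe" /checktask
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [example-unknown] C:\WINDOWS\TEMP\example-unknown.exe
"""


@dataclass
class HjtEntry:
    section: str          # R0, R1, O2, O3, O4, ...
    location: str         # registry key, or the BHO/toolbar display name
    name: str             # value name, Run entry name, or CLSID
    target: str           # URL, DLL path, or full command line
    path: Optional[str]   # file path pulled out of target, if any


# One regex per line shape; group 1 is always the section code.
_PATTERNS = [
    re.compile(r"^(R[0-3]) - (?P<location>.+?),(?P<name>.+?) = (?P<target>.*)$"),
    re.compile(r"^(O2) - BHO: (?P<location>.+?) - (?P<name>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$"),
    re.compile(r"^(O3) - Toolbar: (?P<location>.+?) - (?P<name>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$"),
    re.compile(r"^(O4) - (?P<location>.+?): \[(?P<name>.+?)\] (?P<target>.*)$"),
]

# Drive-letter path ending in an executable extension, optionally quoted; the
# lookahead stops "MCAFEE.COM\..." from being cut off at ".COM".
_EXE = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|com|scr|bat|pif))(?=["\s]|$)',
    re.IGNORECASE,
)


def _file_path(target: str) -> Optional[str]:
    m = _EXE.match(target)
    return m.group("path") if m else None


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Turn recognised log lines into HjtEntry records; unknown lines are skipped."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        for pat in _PATTERNS:
            m = pat.match(line)
            if m:
                target = m.group("target")
                entries.append(HjtEntry(m.group(1), m.group("location"),
                                        m.group("name"), target, _file_path(target)))
                break
    return entries


EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def autostart_entries_to_review(entries: List[HjtEntry]) -> List[HjtEntry]:
    """O4 autostarts whose file is in a temp directory, outside the usual roots,
    or whose path could not be parsed at all. A pointer for where to look, not a verdict."""
    flagged = []
    for e in entries:
        if e.section != "O4":
            continue
        p = (e.path or "").lower()
        if not p or "\\temp\\" in p or not p.startswith(EXPECTED_ROOTS):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    for e in parsed:
        print(f"{e.section:3} {e.name!r:28} -> {e.path or e.target}")
    print("autostarts to review:", [e.name for e in autostart_entries_to_review(parsed)])
```

The entry fields map directly onto what the analyzers search on (the Run entry name and the executable path), so the same records can be used to build the "<name> -hijackthis" Google queries Derek describes.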

Hi guys. I followed the feedback from responses 1 and 2 without change. HijackThis log to follow below. Perhaps I am missing something (maybe printer?).
New info: porn registry keys are also in Domains under ZoneMap in both CURRENT_USER and USERS.
Scans have been run in safe mode. Keys have been deleted in safe mode and have come back while still in the same safe mode session.
Deletion of keys in normal mode appears to be causally related to JavaCool SpywareBlaster protections coming undone.
Help!
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe
c:\windows\SYSTEM\KB891711\KB891711.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.exe
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.exe
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.exe
C:\WINDOWS\SYSTEM\HPZTSB05.exe
C:\WINDOWS\SYSTEM\HPHMON04.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.exe
C:\PROGRAM FILES\PC MIGHTYMAX\PCMM.exe
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\HPHIPM11.exe
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\DESKTOP\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.korrnet.org/kcd/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.korrnet.org/kcd/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.korrnet.org/kcd/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.stopthebombs.org/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9irczv1w.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9irczv1w.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.exe" /checktask
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
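The two locations named in this thread are where Internet Explorer keeps per-site cookie decisions (Internet Options > Privacy > Sites, stored as one value per domain under ...\Internet Settings\P3P\History) and per-site zone assignments (one subkey per domain under ...\Internet Settings\ZoneMap\Domains, with dword 4 meaning the Restricted sites zone). Those are exactly the places protection tools such as SpywareBlaster and Spybot's immunization write their block-lists, which fits the observation that deleting the keys and seeing the protections come undone go together. A way to tell "something keeps re-creating these" apart from "my tools re-apply their list" is to export the keys with regedit before the manual deletion, again right after, and again later, and diff the three. The script below is an added example (not part of any post here, and not a tool the thread mentions) that parses REGEDIT4-format exports and reports which domains disappeared and came back; the sample exports are constructed, not from the poster's machine, and the domain names in them are placeholders.

```python
"""Diff regedit exports of the IE P3P\\History and ZoneMap\\Domains keys (added example).

Assumes text exports of the shape produced by "regedit /e <file> <key>"; the
three snapshots below are constructed samples, not data from the thread.
"""
from typing import Dict, Set

ValueMap = Dict[str, Dict[str, str]]   # key path -> {value name: raw data}

P3P_HISTORY = r"internet settings\p3p\history"
ZONEMAP_DOMAINS = r"internet settings\zonemap\domains"


def parse_reg_export(text: str) -> ValueMap:
    """Parse a REGEDIT4 (or REGEDIT5) text export into {key: {value_name: data}}.
    Multi-line hex: data is not reassembled; for these two keys the data is dword."""
    keys: ValueMap = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-")      # "[-key]" is a delete marker; keep the path
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip()
            if name.startswith('"'):
                name = name[1:-1]                  # '@' (unquoted) is the default value
            keys[current][name] = data.strip()
    return keys


def extract_domains(keys: ValueMap) -> Dict[str, Set[str]]:
    """Domains from both locations, all hives (HKLM, HKCU, HKEY_USERS\\<id>) folded together.

    P3P\\History: one *value* per domain under the History key itself.
    ZoneMap\\Domains: one *subkey* per domain, possibly with host subkeys (...\\domain\\www).
    """
    found: Dict[str, Set[str]] = {"p3p_history": set(), "zonemap_domains": set()}
    for path, values in keys.items():
        low = path.lower()
        if low.endswith(P3P_HISTORY):
            found["p3p_history"].update(v.lower() for v in values if v != "@")
        idx = low.find(ZONEMAP_DOMAINS)
        if idx != -1:
            rest = path[idx + len(ZONEMAP_DOMAINS):].strip("\\")
            if rest:
                found["zonemap_domains"].add(rest.split("\\")[0].lower())
    return found


def returned_entries(before_delete: str, after_delete: str, later: str) -> Dict[str, Set[str]]:
    """Domains present before the manual deletion, absent right after it, and back later.
    This names what is being re-created; which program writes it is the next question."""
    a = extract_domains(parse_reg_export(before_delete))
    b = extract_domains(parse_reg_export(after_delete))
    c = extract_domains(parse_reg_export(later))
    return {loc: (a[loc] - b[loc]) & c[loc] for loc in a}


# Constructed snapshots. Domain names are placeholders.
_HIST = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"
_ZONE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

SNAPSHOT_BEFORE = f"""REGEDIT4

[{_HIST}]
"blocked-one.test"=dword:00000005
"blocked-two.test"=dword:00000005

[{_ZONE}\\blocked-one.test]
"*"=dword:00000004

[{_ZONE}\\blocked-one.test\\www]
"http"=dword:00000004
"""

# Right after the user deleted everything: History key exists but is empty, no domain subkeys.
SNAPSHOT_AFTER_DELETE = f"""REGEDIT4

[{_HIST}]
"""

# Later in the same session: one domain is back in both places, the other stays gone.
SNAPSHOT_LATER = f"""REGEDIT4

[{_HIST}]
"blocked-one.test"=dword:00000005

[{_ZONE}\\blocked-one.test]
"*"=dword:00000004
"""


if __name__ == "__main__":
    for loc, names in returned_entries(SNAPSHOT_BEFORE, SNAPSHOT_AFTER_DELETE, SNAPSHOT_LATER).items():
        print(f"{loc}: re-created -> {sorted(names)}")
```

If the list that comes back matches the block-list of an installed protection tool, the entries are the protection doing its job; if it does not, the re-creating process is what the later replies' scans and the HijackThis autostart entries should be checked against.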

Well that looks pretty good to me.
That "PC Max" bothers me a tad, though. Anything from crack/key generator websites can contain something thrown in that you might not have wanted. If you want to remove it, see this:
I see the analyzer was bleating about HPHmon04 because there was some doubt about where it was located. There is always the chance that a virus will use the name of a known safe file, but I came away feeling it was probably OK.
The registry entries you mentioned are a bit questionable, but it is just possible that it is something your anti-spyware programs are/were blocking.
Try downloading CWShredder V2.13 (I think that's the latest) and running it. It's a single file that fixes a particular known nasty if present.
You could also try this freebie Trojan finder:
A2FREE - JUST DOWN PAGE

If you are still in trouble after that lot then it looks like you need more specialised help. You could revamp the post and put it on the Security & Virus forum here (top left).
Derek.W
