I am having some spyware/trojan problems with this computer. It started with a fake anti-virus window popping up. I ran malwarebytes anti-malware, superanti-spyware, spybot search & destroy, and AVG antivirus. They found and removed some items. But I still cannot update Malwarebytes or SuperAnti-Spyware. They say they can't connect to the internet. Also IE8 won't connect to the internet, but Firefox works fine. Here is my HijackThis log. Please help.

Logfile of HijackThis v1.99.1
Scan saved at 1:37:31 PM, on 2/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Cyberlink\Shared files\brs.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Weather Watcher Live\ww.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Documents and Settings\Brian\My Documents\Downloads2\Antivirus-Spyware-Adware-Firewalls\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [RemoteControl9] "C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared files\brs.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [WeatherWatcherLive] "C:\Program Files\Weather Watcher Live\ww.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265676467343
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265676459593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\NLSSRV32.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Hi klassic,

This line in your log:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

shows that you are infected with Antivirus Soft, which is a fake anti-malware application. MalwareBytes will remove it, but you must do a little “hokus pokus” in order to fool it so that MalwareBytes can do the full un-install. Go here and follow the instructions: http://forums.malwarebytes.org/index.php?showtopic=39312

That should take care of your problem....

2oG
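The check applied to the log in the reply above, written out as an added example (not part of the original thread and not HijackThis code): it splits a HijackThis log into entries, whether they are one per line or run together, parses the `ProxyServer` value, and reports any proxy that points at a loopback address. The function names and the sample log are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: three entries in the form HijackThis writes them, run
# together on one line as happens when a log is pasted into a forum.
SAMPLE_LOG = (
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = "
    r"http://go.microsoft.com/fwlink/?LinkId=69157 "
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,"
    r"ProxyServer = http=127.0.0.1:5555 "
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe"
)

# An entry begins with a section code (R, F, N or O plus a number) and " - ".
ENTRY_START = re.compile(r"(?:^|(?<=\s))(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
# Registry-value entries read "<code> - <key>,<value name> = <data>".
REG_ENTRY = re.compile(
    r"^(?P<code>R[0-3]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$", re.S
)


def split_entries(log_text):
    """Split a HijackThis log into entries, one per line or run together."""
    starts = [m.start() for m in ENTRY_START.finditer(log_text)]
    ends = starts[1:] + [len(log_text)]
    return [log_text[a:b].strip() for a, b in zip(starts, ends)]


def parse_proxy_server(data):
    """Parse a WinINET ProxyServer string into {protocol: (host, port)}.

    Two forms exist: "host:port" for every protocol, or a semicolon-separated
    list of "protocol=host:port" pairs such as "http=127.0.0.1:5555".
    """
    proxies = {}
    for part in (p.strip() for p in data.split(";")):
        if not part:
            continue
        proto, sep, addr = part.partition("=")
        if not sep:                          # bare "host:port" covers everything
            proto, addr = "all", part
        addr = addr.split("://", 1)[-1]      # tolerate "http://host:port"
        host, colon, port = addr.rpartition(":")
        if not colon:                        # no port given
            host, port = addr, ""
        proxies[proto.strip().lower()] = (host, int(port) if port.isdigit() else None)
    return proxies


def is_loopback(host):
    """True for localhost and for any address in 127.0.0.0/8 or ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False                         # a hostname other than localhost


def find_loopback_proxies(log_text):
    """Return one finding per ProxyServer protocol that points at loopback."""
    findings = []
    for entry in split_entries(log_text):
        m = REG_ENTRY.match(entry)
        if not m or m.group("name").strip().lower() != "proxyserver":
            continue
        for proto, (host, port) in parse_proxy_server(m.group("data")).items():
            if is_loopback(host):
                findings.append({"code": m.group("code"), "key": m.group("key"),
                                 "protocol": proto, "host": host, "port": port})
    return findings


if __name__ == "__main__":
    for f in find_loopback_proxies(SAMPLE_LOG):
        print("{code}: {protocol} traffic is proxied to {host}:{port} ({key})".format(**f))
```

A loopback proxy is also how some local filtering tools work, so a finding is a prompt to identify which process is listening on that port, not a verdict on its own.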
I ran the scan that way and it found a few things and removed them. I also updated SuperAntiSpyware and it found some other related items and removed them. I am still having issues. When I try to log on to webmail.aim.com, it redirects me to a page that asks for my credit card number and pin number. I know this is not right. Also, about 10 minutes after I log on to Windows and every time I log in to a website, I get a pop-up from Microsoft Outlook: "Either there is no default mail client or the current mail client cannot fulfill the messaging request. Please run Microsoft Outlook and set it as the default mail client." I assume this is some sort of malware trying to send emails through my address book. I don't have any accounts set up in Outlook so that is why this error is popping up.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:44 PM, on 2/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Cyberlink\Shared files\brs.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Weather Watcher Live\ww.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [RemoteControl9] "C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared files\brs.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [WeatherWatcherLive] "C:\Program Files\Weather Watcher Live\ww.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265676467343
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265676459593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\NLSSRV32.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 6553 bytes
Evidently MalwareBytes and SuperAntiSpyware didn't get it all..... It's still showing up, so do this:

Fix entries using HiJackThis
• Launch HiJackThis
• Click the Do a system scan only button
• Put a check next to the entries listed below (if they still remain)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
• Click the Fix checked button and close HiJackThis

Reboot, check it out and let me know what's up...

2oG
Here is the most recent HJT log. It took a few times to get rid of it. Ran scans with Malwarebytes and SAS and found nothing. But I am still getting the Outlook pop-up message.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:56 PM, on 2/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Cyberlink\Shared files\brs.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Weather Watcher Live\ww.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [RemoteControl9] "C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared files\brs.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [WeatherWatcherLive] "C:\Program Files\Weather Watcher Live\ww.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265676467343
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265676459593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\NLSSRV32.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 6520 bytes
There is nothing in your Log now that indicates a problem. The malware has dug in really deep and will take a “Big Gun” to drive it out... I never recommend reformatting unless all other avenues have failed. ComboFix can dig out the most stubborn malware and it’s what I would use to dislodge it from my own machine. Follow these instructions to the letter, I must get some sleep and will get back as soon as possible after you have posted a Log from ComboFix......

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.

1. Download Combo fix from one of these locations. * IMPORTANT !!! Place combofix.exe on your Desktop and DO NOT RUN IT!
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
2. Click start > run and Copy and Paste this in exactly, using the picture below for reference, then click OK.
3. Combo will begin to run. DO NOTHING while this is happening.
• It will kill a few processes and disconnect you from the internet.
• If by chance it stops prematurely you can re-establish your internet connection by restarting your computer.
• This needs to be done so the program can work most efficiently for you. Do not attempt to use the internet or anything else while it's doing its job for you.

**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later. If when it's completed you can not get on the internet just reboot the computer.

Post the log from comboFix for me located in c:\comboFix.txt

2oG
ComboFix 10-02-25.02 - Brian 02/26/2010 7:31.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1578 [GMT -6:00]
Running from: c:\documents and settings\Brian\desktop\combofix.exe
Command switches used :: /killall
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINDOWS: deleted 128 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\srchasst\nls302en.lex
.
2007-06-05 11:30 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-02-16 17:17 . 2007-06-05 11:29 505128 ----a-w- c:\windows\system32\msvcp71.dll 2010-02-13 23:35 . 2007-12-08 02:36 -------- d-----w- c:\program files\Viewpoint 2010-02-13 22:18 . 2007-07-11 22:18 34 ----a-w- c:\windows\popcinfo.dat 2010-02-11 04:10 . 2007-06-05 11:51 -------- d-----w- c:\program files\Common Files\Adobe 2010-02-09 03:36 . 2007-06-05 11:50 -------- d-----w- c:\program files\Weather Watcher 2010-02-09 02:21 . 2007-06-05 11:44 23216 ----a-w- c:\documents and settings\Brian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-02-09 01:15 . 2007-06-05 11:14 86327 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat 2010-02-08 22:51 . 2007-06-05 11:49 -------- d-----w- c:\program files\Spybot - Search & Destroy 2010-02-08 20:38 . 2007-06-05 11:49 -------- d-----w- c:\program files\QuickTime Alternative 2010-02-08 20:38 . 2007-06-05 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer 2010-02-08 20:36 . 2007-06-05 11:29 -------- d-----w- c:\documents and settings\Brian\Application Data\AVG7 2010-02-08 20:36 . 2007-06-05 11:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft 2010-02-08 20:36 . 2007-06-05 11:29 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7 2010-02-08 20:35 . 2007-06-06 23:11 -------- d-----w- c:\documents and settings\Brian\Application Data\Lavasoft 2010-01-15 11:54 . 2010-01-15 11:54 89256 ----a-w- c:\windows\system32\ElbyCDIO.dll 2010-01-12 04:17 . 2010-01-12 04:17 278120 ----a-w- c:\windows\system32\nvmccs.dll 2010-01-12 04:17 . 2010-01-12 04:17 154216 ----a-w- c:\windows\system32\nvsvc32.exe 2010-01-12 04:17 . 2010-01-12 04:17 145000 ----a-w- c:\windows\system32\nvcolor.exe 2010-01-12 04:17 . 2010-01-12 04:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll 2010-01-12 04:17 . 
2010-01-12 04:17 110696 ----a-w- c:\windows\system32\nvmctray.dll 2010-01-12 04:17 . 2010-01-12 04:17 81920 ----a-w- c:\windows\system32\nvwddi.dll 2010-01-12 04:03 . 2007-06-06 03:04 592488 ----a-w- c:\windows\system32\nvudisp.exe 2010-01-12 04:03 . 2007-06-05 11:39 10276768 ----a-w- c:\windows\system32\drivers\nv4_mini.sys 2010-01-12 04:03 . 2007-06-05 11:39 6359168 ----a-w- c:\windows\system32\nv4_disp.dll 2010-01-12 04:03 . 2007-04-20 11:05 182888 ----a-w- c:\windows\system32\nvcodins.dll 2010-01-12 04:03 . 2007-04-20 11:05 182888 ----a-w- c:\windows\system32\nvcod.dll 2010-01-12 04:03 . 2007-04-20 11:05 14458880 ----a-w- c:\windows\system32\nvoglnt.dll 2010-01-12 04:03 . 2007-04-20 11:05 1081344 ----a-w- c:\windows\system32\nvapi.dll 2010-01-01 17:20 . 2010-01-01 17:20 26024 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys 2009-12-31 16:50 . 2003-03-31 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys 2009-12-22 05:20 . 2009-12-22 05:20 81920 ------w- c:\windows\system32\ieencode.dll 2009-12-21 19:14 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2009-12-16 18:43 . 2007-06-05 11:12 343040 ----a-w- c:\windows\system32\mspaint.exe 2009-12-16 16:11 . 2009-12-16 16:11 65856 ----a-w- c:\windows\system32\NLSSRV32.EXE 2009-12-14 07:08 . 2003-03-31 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll 2009-12-08 19:26 . 2003-03-31 12:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe 2009-12-08 18:43 . 2002-08-29 01:04 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe 2009-12-04 18:22 . 2003-03-31 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL 1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL 1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL 1998-12-09 02:53 . 
1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL 1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL 1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL 2007-08-09 19:08 . 2007-09-14 00:41 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll 2007-08-09 19:10 . 2007-09-14 00:41 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll 2007-09-11 02:34 . 2007-09-11 02:34 0 --sh--w- c:\windows\SE63B2247.tmp . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2010-02-22 3312576] "WeatherWatcherLive"="c:\program files\Weather Watcher Live\ww.exe" [2009-07-18 1208320] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776] "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160] "NVRaidService"="c:\windows\system32\nvraidservice.exe" [2006-07-11 137216] "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-07-15 176128] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe [2007-6-5 1056864] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows 
nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2010-02-08 21:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoStart IR.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk backup=c:\windows\pss\AutoStart IR.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Brian^Start Menu^Programs^Startup^TitanTV Remote Scheduler.lnk] path=c:\documents and settings\Brian\Start Menu\Programs\Startup\TitanTV Remote Scheduler.lnk backup=c:\windows\pss\TitanTV Remote Scheduler.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2009-12-11 21:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] 2007-03-09 16:09 63712 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2009-12-18 14:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM] 2004-09-01 16:26 66672 ----a-w- c:\program files\AIM\aim.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion] 2010-01-28 23:48 75048 ------w- c:\program files\CyberLink\Shared files\brs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray] 2001-12-07 07:31 49152 ----a-w- c:\program files\Elaborate Bytes\CloneCD\CloneCDTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ElbyCheckElbyCDFL] 2001-12-06 18:09 45056 ----a-w- c:\program files\Elaborate Bytes\CloneCD\ElbyCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser] 2009-12-15 14:46 976784 ----a-w- c:\progra~1\Eraser\Eraser.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility] 2006-01-13 06:46 196608 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03] 2006-01-13 06:46 311296 ----a-w- c:\windows\system32\hphmon03.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] 2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl9] 2009-07-06 20:22 87336 ------w- c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant] 2006-09-07 17:19 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= 
"c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD9.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "65533:TCP"= 65533:TCP:Services "52344:TCP"= 52344:TCP:Services "3246:TCP"= 3246:TCP:Services "2479:TCP"= 2479:TCP:Services "3389:TCP"= 3389:TCP:Remote Desktop "8176:TCP"= 8176:TCP:Services R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [2/16/2006 4:21 PM 35200] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/8/2010 3:28 PM 333192] R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/8/2010 3:28 PM 360584] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/23/2009 8:43 AM 12872] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 66632] R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/02/16 11:18];c:\program files\CyberLink\PowerDVD9\NavFilter\000.fcl [1/28/2010 5:48 PM 87536] R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/8/2010 3:28 PM 285392] R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2/8/2010 11:17 PM 12672] R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [12/16/2009 10:11 AM 65856] S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [8/12/2007 2:21 PM 18864] S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [9/25/2007 6:08 PM 815104] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 12872] --- Other Services/Drivers In Memory --- *NewlyCreated* - PCANDIS5 . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\tqriz7z5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\tqriz7z5.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\tqriz7z5.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-nwiz - nwiz.exe
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
MSConfigStartUp-!AVG Anti-Spyware - c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
MSConfigStartUp-WeatherWatcher - c:\program files\Weather Watcher\ww.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-26 07:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A3229B0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7f7fcb8
\Driver\atapi -> atapi.sys @ 0xb7efb852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\NavFilter\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(756)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(3272)
c:\windows\system32\WININET.dll
c:\program files\SlySoft\AnyDVD\ADvdDiscHlp1.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\HPZipm12.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\System32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-02-26 07:40:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-26 13:39
Pre-Run: 486,022,402,048 bytes free
Post-Run: 486,024,130,560 bytes free
- - End Of File - - E4BDBF96C09875718CA158AEDB57F3BB
CF tried to set up the Microsoft Recovery Console but it said it could not connect to the internet. It also set IE as my default web browser.
Klassic,
Well, CF dug out SRCHASST parasite hijacker. The attacker puts the executable .exe into an alternate data stream.
ADS - WINDOWS: deleted 128 bytes in 1 streams.
Also Deleted:
c:\windows\srchasst\nls302en.lex
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
I see nothing else in the Log that might be a problem. Yes, CF tries to load the Recovery Console but I don’t recommend it unless you have knowledge and experience using DOS commands. That’s for oldGeeks like me, that were around before windows. lol
Just set your Firefox as the default browser and everything else should be OK. Let me know if that cleared up the problem and how is your computer doing now?
2oG
Well yesterday (after cf scan) the Outlook popup was still there, but it seems to be gone today. Didn't use the computer all day. But the computer still seems to be freezing if FF is open for more than 10-15 minutes. Mouse still moves when it freezes, but everything else on screen stops. Time even stops.
Sounds like something has screwed up Outlook. Since you are not using it as your mail client, you can uninstall Microsoft Outlook. To uninstall, open the Control Panel (click Start, Settings, and Control Panel; in Windows XP, click Start, Control Panel) and double-click the Add/Remove Programs icon (Add Or Remove Programs in WinXP). In the dialog box, review the list of installed programs and highlight the entry for Microsoft Office. Click the corresponding Change (in WinXP) button to access a Microsoft Office setup and maintenance utility. The utility will ask how you want to proceed; respond by selecting the option for adding or removing features. On the next screen, you will see a list of applications, including an entry for Microsoft Outlook For Windows. Click this entry, select Not Available from the pop-up menu, and click the Update Now button to remove Outlook from your system. 2oG
So I just uninstalled Office as I have a newer version I am gonna load. The Outlook error is gone, but the computer is still freezing when I am in Firefox or Internet Explorer. It doesn't freeze if I am not using those programs. This is so confusing. I have never had this many issues with a computer that I couldn't figure out.