Email Hijack??

It is a bad idea to have more than one full feature virus application running on your PC. Choose which one you want. Norton or AVG? Uninstall the other.

What do you mean by,
"when I use IE for just a short period I will inevitabley find returned emails again."

IE does not send email. Did you mean that if you run IE you have problems with Outlook Express emails being returned? What if IE is not running, do you still have problems? How about an OS?

Did you run ALL of the steps here: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

 

Download HijackThis from the link in the tutorial. And shutdown all applications especially browsers and run a HijackThis scan save it to hjtlog1.txt. Now open up 1 Internet Explorer browser session and do another scan with HijackThis. Save this it to hjtlog2.txt. Now post both logs back here as .txt file attachments.

 

Okay first problem! If you followed the tutorial properly, you would not be using an old version of HijackThis and you would not be running it from the Desktop. Get the current version of HJT and put it into its own folder as recommended here: < Hijack This Tutorial And How To Post Your Log File >

Also you should not have any browsers open when running HJT. In your first log you had
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE

In your second log, you had:
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

And why be inconsistent. Use one or the other when trying to resolve issues like this. What I was looking for were differences between safe mode and normal mode.

In fact you are ask to shut down lots of other stuff too but at least the browsers should always be shutdown. They will affect the ability of HJT to fix problems later too.

You need to stop playing all these online games too. You have way too many O16 lines with gaming stuff. While some may not be problems, online gaming typically does lead to issues.

As a start to fixing you problems you need to get the proper version of HijackThis and follow my directions (shut down browsers and unnecessary applications first). Then fix these lines with HJT:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/14b826dac9861a0dbb01/netzip/RdxIE601.cab

Now look at the other O16 lines a give below, and if you do not recognize them and/or know you do not need them fix them too:

O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v40/sol/sol.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1250/ftp.coupons.com/v6/brix6ie.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {63C4C187-E23F-4A20-898C-62CAF22335F8} (WatchOCX.WatchX) - https://www.watchsatellite.tv/members/WatchOCX.CAB
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: Turbo 21 TM by pogo.com - http://turbo02.pogo.com/applet/turbo21/turbo21-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo.com - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Squelchies by pogo.com - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/CursorManiaInitialSetup1.0.0.5.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab

After that post a new HJT log attachment and let me know if your problems have changed.

 

I will jump in as Chaslang is not on. It looks good now. FYI, when he said if you dont recognize something, remove it. Case in point: O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/gr...k-ob-assets.cab and similar are games installed by Pogo, if you play there, they could have been left. If you no longer play there, no biggies or they will be re-downloaded anyhow. I also see MSN games, Uproar and Yahoo games to name some others.

Again, this is not a big deal, just want to teach you or others reading how to recognize lines that are safe. These games that load on most gaming sites end up in 016.

 

I agree MA! The HJT log look good now.

Dabearslady,
Let us know about the email problem.

 

That's great news! MA & I are happy we could help. Even happier to have another problem off the in progress list.