Freezing Browser !

If you do not like or trust Norton then why don't you uninstall it instead of having to install AVG. First you must only use one AV. They can cause conflicts with each other and make it difficult or impossible to remove problems. Also they each require loads of valuable system resources.

Until you uninstall one of them now, we are going nowhere.

 

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\System32\prfsic.exe
C:\WINDOWS\System32\plurinit.exe
C:\Program Files\CxtPls\CxtPls.exe

After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0124A648-E06F-FC8C-4E3B-1B14764D71E9} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: (no name) - {9FE13CF7-8771-9253-28A5-B4B05238AA13} - (no file)
O4 - HKLM\..\Run: [sFsV35P] prfsic.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [do39RRjpj] plurinit.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\System32\prfsic.exe
C:\WINDOWS\System32\plurinit.exe
C:\Program Files\CxtPls <--- the whole folder
C:\Program Files\Spyware Doctor <--- the whole folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file. Tell me if you do not find any of these or cannot delete them.

Now run Ccleaner (installed while running the READ ME FIRST).

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

I just realize you never updated your HJT version to the one I gave you. Please do that and post a new HJT log.

Why are you having your firewall block IE? Also ndisuio.sys is okay too.

 

You're welcome Gene! Happy to hear it all worked out.

Other than the two O2 BHO lines:

O2 - BHO: (no name) - {0124A648-E06F-FC8C-4E3B-1B14764D71E9} - (no file)
O2 - BHO: (no name) - {9FE13CF7-8771-9253-28A5-B4B05238AA13} - (no file)

Your log is clean. Don't worry about those lines! The file is gone and they can do no harm. There are a bunch of problems like this around where we cannot get HJT of even manual registry editing to remove those registry keys.

You should now make sure you have complete the equivalent of all the steps in the below link (many you have already done):

How to Protect yourself from malware!

 

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: (no name) - {0124A648-E06F-FC8C-4E3B-1B14764D71E9} - (no file)
O2 - BHO: IE SP2 AddOn - {16857A1C-5574-4CC2-AE1B-6B1CFBF0CEB7} - C:\WINDOWS\System32\sphla.dll
O2 - BHO: (no name) - {9FE13CF7-8771-9253-28A5-B4B05238AA13} - (no file)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.82/users/zoom/web/axe/x.chm::/update.exe

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\System32\sphla.dll
C:\WINDOWS\System32\ie2cltr.dll

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

The below items were not in your HJT log last time. I'm wondering why they now appear?
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CEB616F-B856-4E52-A26A-CABBEF05DF0B}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8EF95B9-0564-46B0-879E-1CC30B2E48D5}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB9D1BAF-E855-466F-9A1B-6D79AEE34BC8}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDF84D10-08AD-40AD-B7A1-909923425F86}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1CDC6EB-2D30-401F-997E-B45A6F54070B}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CEB616F-B856-4E52-A26A-CABBEF05DF0B}: NameServer = 69.50.176.156,195.225.176.31

 

Is this your ISP:

If so, the IP address are OK.

Where did this WareOut.exe program come from all of a sudden? Do yourself a favor and do not download anything unless you get it from Majorgeeks. This is malware!

First look in Add/Remove programs for an uninstall to WareOut and uninstall it if found.
If that does not work, follow the steps below.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
WareOut.exe

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\WareOut <--- the whole folder

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now reboot in normal mode and post a new HJT log. And tell us how things are working.

Personally I would fix the below two items but they are up to you. They are for auto updates for HP and Logitech products. I do not want anyone given permission to automatically install or change anything on my PCs.
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

 

I would still double check with the University network admins to see if that is where they get their service from. They should be able to tell you if that is a valid address.

So is everything from my last message fixed now?
How are things working?

 

You're welcome! Typically what is found in the O17 lines is the address of your Domain Name Server (DNS) or the name of a domain (if you are part of a domain - which you are not).
If there is a address in there that is not part of your network, you could be suffer from a DNS hijack, or you could also have an old address in there from another network. The latter happens quite often when people move PCs (like laptops) around from office to home or to different networks (like your house then to a friends house).

 

I don't know! That is why I questioned when they all of a sudden appeared. You can have HijackThis fix those entries and see what happens. They can always be restored in necessary from the Backups HJT makes.

 

Have HJT fix those O17 lines. Then reboot and see if they stay fixed. Also see how things work afterwards. If you run into a problem like the O17 lines were needed, you can also restore them from the Backups that HJT creates.