My Scan Results

Discussion in 'Malware Help (A Specialist Will Reply)' started by UGA1020, Jan 29, 2006.

  1. UGA1020

    UGA1020 Private E-2

    I did everything in the Malware section and my computer is still running slow. Most of my problems couldn't fix themselves. I don't really know if my computer is screwed beyond repair or what. The scan results are attached.

    Also, my parents are still using AOL, and I personally think it is slowing the computer down. Almost every time it tries to open, the computer freezes. Is AOL worth having at all? It is just the only thing they have ever used and is the only thing they know how to use.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs!

    Let's get an installed programs list from HijackThis.
    Run HijackThis, click Open the Misc Tools section
    Click "Open Uninstall Manager"
    Click "Save List" (generates uninstall_list.txt)
    Click Save, to save it to a file where you can find it.
    Upload this file as an attachment too.
     
  3. UGA1020

    UGA1020 Private E-2

    Ok, well, me being the idiot I am, I tried to download a full version of Flash MX off of LimeWire and it happened to be a trojan, which is IRC/BackDoor.SdBot.Dsx.
    The scan isn't complete so I don't know if it will delete it properly.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your version of Firefox is way out of date. You should update.

    You should uninstall: Viewpoint Media Player

    You should never install valid software (iRiver in your case) into the root folder of your system like this. It makes it look too much like malware and also it is too easy to delete the file by mistake. The best practice is to install software in its normal recommended default folder, which is almost always a subfolder of C:\Program Files. Here is what I'm referring to:
    C:\Updater.exe
    O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe

    Both of the below P2P programs are good ways to give yourself malware headaches, especially if they are older versions which contain malware themselves. But downloading from any P2P server is simply asking for trouble (as your last message proves too).
    O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [fko8gr4s] C:\WINDOWS\system32\fko8gr4s.exe
    O4 - HKLM\..\Run: [mhupyn] C:\WINDOWS\mhupyn.exe
    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\PartyPoker <--- the whole folder
    C:\Program Files\EmpirePoker <--- the whole folder
    C:\Program Files\AWS <--- the whole folder
    C:\WINDOWS\system32\fko8gr4s.exe
    C:\WINDOWS\mhupyn.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
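An added example, not code from the thread or from HijackThis: a small Python triage of HJT O4/O9/O20 lines like the ones chaslang lists above. It flags the two things he points out (entries whose target is marked "(file missing)" and executables launched from a drive root) plus a random-looking-name check that is this example's own assumption; the sample log is constructed from the lines quoted in the post.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample built from the HijackThis lines quoted in the thread above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [fko8gr4s] C:\WINDOWS\system32\fko8gr4s.exe
O4 - HKLM\..\Run: [mhupyn] C:\WINDOWS\mhupyn.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""
# Full or root-relative path ending in .exe/.dll; ':' and '[' are excluded so
# registry text such as HKLM\..\Run: can never be mistaken for the path.
PATH_RE = re.compile(r'((?:[A-Za-z]:)?\\[^"\[\]:]*?\.(?:exe|dll))\b', re.I)
# Fallback for entries that name a file with no path at all (the O20 line).
FILE_RE = re.compile(r'\b([\w-]+\.(?:exe|dll))\b', re.I)

def looks_random(stem):
    """Heuristic (my assumption, not an HJT rule): lowercase, digit-mixed or vowel-poor."""
    if not (stem.isalnum() and stem.islower()):
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in stem) / len(stem)
    return any(ch.isdigit() for ch in stem) or vowel_ratio < 0.25

def triage_line(line):
    """Return (target, findings) for one HJT line, or None if it names no file."""
    m = PATH_RE.search(line) or FILE_RE.search(line)
    if not m:
        return None
    target, findings = m.group(1), []
    if "(file missing)" in line:
        findings.append("stale: target no longer exists, entry is leftover")
    if "\\" in target:
        path = PureWindowsPath(target)
        if len(path.parts) <= 2:  # e.g. C:\Updater.exe or \Updater.exe
            findings.append("runs from drive root, not a normal install location")
        if looks_random(path.stem) and "windows" in target.lower():
            findings.append("random-looking name under the Windows folder")
    return target, findings

def triage_log(text):
    """Map each O4/O9/O20 target to its findings; clean entries are omitted."""
    report = {}
    for line in text.splitlines():
        if line.startswith(("O4 ", "O9 ", "O20 ")):
            result = triage_line(line)
            if result and result[1]:
                report[result[0]] = result[1]
    return report
```

Running `triage_log(SAMPLE_LOG)` leaves the Ares Lite entry out (it has no findings) and reports the other five targets; the LimeWire and poker entries chaslang objects to on other grounds still need a human reading the log.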
  5. UGA1020

    UGA1020 Private E-2

    Ok, I did it all except I couldn't find the file C:\WINDOWS\mhupyn.exe. Also, what is your opinion on AOL? I personally find it useless and have been trying to get them to cancel it.
     

    Attached Files:

  6. UGA1020

    UGA1020 Private E-2

    Ok, I forgot to run Ccleaner. Here's the results after it.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    AOL is junk! If you don't need it to connect to the Internet then dump it. They make it difficult for you to cancel. You always get forwarded to someone in another country who keeps trying to offer you deals for a few months' free service. Don't tolerate it. Immediately tell them to either cancel your subscription now or to connect you to a supervisor who understands what "I want to cancel" means.

    I see you are still running LimeWire and Ares Lite Edition.
    Bad idea! But that's your decision. If you are going to keep them, make sure it is the most recent version and stop loading them at startup. Just run them when you want to connect to their service. Also when you are done downloading, make sure you kill the processes. They will remain running in your tray.

    At the current time you are running AOL's Firewall plugin and McAfee Firewall. Uninstall or disable this plugin from AOL.

    Did you forget to fix these next two lines? Fix them now.
    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)

    You forgot to answer my previous question:
     
  8. UGA1020

    UGA1020 Private E-2

    Ok, I did remove the Empire Poker tool and button. Everything is running faster. I don't use Ares, I didn't even know it was on the computer. I'm going to uninstall and delete all of it. How do I keep LimeWire from running all the time? I will post a new log once I get rid of Ares and AOL firewall.
     
  9. UGA1020

    UGA1020 Private E-2

    Ok, I deleted all the Ares files I could find and turned AOL's firewall off. Here's the log.
     

    Attached Files:

    • HJT.log (8.9 KB)
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You were not supposed to delete Ares files. You should have uninstalled it. The program is still trying to load when you start up. We will fix it below.

    Empire Poker is still there. This time before doing any of the below fixes make sure you have shut down all spyware protection (shut down MS Antispyware and also AOL's antispyware and any others providing real time protection).


    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe <--- this should stop Limewire from loading at startup.
    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Ares Lite Edition <--- the whole folder
    C:\Program Files\EmpirePoker <--- the whole folder

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Let's also get an installed programs list from HijackThis.
    Run HijackThis, click Open the Misc Tools section
    Click "Open Uninstall Manager"
    Click "Save List" (generates uninstall_list.txt)
    Click Save, to save it to a file where you can find it.
    Upload this file as an attachment too.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  11. UGA1020

    UGA1020 Private E-2

    Ok, I fixed the files in HJT. I tried to uninstall the Ares files but I couldn't find them. The files did not exist in Windows Explorer. I made sure I am viewing hidden files.

    The computer is running a lot better!
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I still see Viewpoint Media Player in your install list. Did you try to uninstall?

    I also see a bunch of AOL stuff installed. Do you use AOL?
    I still see the firewall plugin:
    O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1127540474\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
  13. UGA1020

    UGA1020 Private E-2

    Ok, I will delete Viewpoint Media. I can't delete AOL just yet, because it is the only browser my parents know how to use. I will delete the AOL spyware and firewall. Thank you for all the help. My dad was planning on wiping the computer out and starting over. Once again, thank you for the help.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    In the How to Protect thread, you will see a suggestion to use Firefox. You should try to get them to use it. It will probably be faster than AOL's browser, but to each his own. Note that you do not need all of the other AOL baggage or even a monthly AOL access charge. I believe you can just uninstall ALL of it and just download and use their browser. See: AOL Explorer (I'm not saying I recommend using this, but I do know some people who like it. Personally I still would not use anything from AOL).
     
