Why Do I Keep Seeing This?? / It's still happening!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Gurlinthemoon, Jul 27, 2005.

  1. Gurlinthemoon

    Gurlinthemoon Private E-2

    Why Do I Keep Seeing This??

    I have run Spybot, Adware, Spyware Nuker, and Microsoft AntiSpyware (Yesterday AND Today!!!), yet I keep getting a balloon in my tray saying that my computer may be infected with spyware, and a popup on my screen saying that Windows has detected activity within my firewall of spyware....etc. I guess I should have copied it down....Anyway, I have Microsoft AntiSpyware running in my tray AND I have a popup blocker running...so WHY DO I KEEP SEEING THIS???? Please help!! My computer is wicked slow, and I cannot think of what I DIDN'T do.

    Thanks!!!
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Re: Why Do I Keep Seeing This??

    Please follow standard cleanup procedures as given below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps below:



    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed.)

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. Gurlinthemoon

    Gurlinthemoon Private E-2

    Re: Why Do I Keep Seeing This??

    Ok I have done every single step in that list you provided. When I finally got to the adware and spybot scans, adware found only one issue, and spyware found nothing....BUT, I am still getting these messages. I wrote them down....

    The first one comes from the right hand side of my tray....it is a bubble with a Yellow Shield with an exclamation point and says "Your computer might be at risk. Virsu proction status is bad. Spyware activity detected. Find out how to protect yourself here"

    The other is a Windows Security Center notice that appears in the middle of the screen and says "Windows Firewall detected suspicious network activity on your computer. Malicioussoftware codes try to steal your privacy information, such as credit cards numbers, email passwords (etc. you get the point....)."

    Does anyone know why this is happening?
     
  4. Gurlinthemoon

    Gurlinthemoon Private E-2

    It's still happening!!!

    Ok I have done every single step in that list you provided. When I finally got to the adware and spybot scans, adware found only one issue, and spyware found nothing....BUT, I am still getting these messages. I wrote them down....

    The first one comes from the right hand side of my tray....it is a bubble with a Yellow Shield with an exclamation point and says "Your computer might be at risk. Virsu proction status is bad. Spyware activity detected. Find out how to protect yourself here"

    The other is a Windows Security Center notice that appears in the middle of the screen and says "Windows Firewall detected suspicious network activity on your computer. Malicioussoftware codes try to steal your privacy information, such as credit cards numbers, email passwords (etc. you get the point....)."

    Does anyone know why this is happening?
     
  5. PhilliePhan

    PhilliePhan Guest

    Re: It's still happening!!!

    You have a Trojan (and maybe more).

    More Info: Trojan - SpyDldr-A

    I merged your threads so that BJ doesn't lose track of you. He has requested a HijackThis log, so go ahead and do that.

    I also suggest you Download and Install Ewido Security Suite

    DoubleClick the Ewido Icon on your desktop and allow it to update to the latest malware definitions (Click Update > Start). Then, exit Ewido and boot to Safe Mode.
    When in Safe Mode, open Ewido and click Scanner. Be sure the following boxes are checked (Binder - Crypter – Archives) and then Start Scan.

    Allow Ewido to fix what it finds and click on Save Report. Save the log to where it can be easily found and attach it along with your HijackThis log as per BJ's instructions in post #2.

    Best Luck :)
    PP
     
    Last edited by a moderator: Jul 28, 2005
  6. Gurlinthemoon

    Gurlinthemoon Private E-2

    I have my log file, however, I cannot find any go advanced button, and each time I click manage attachments I get a red circle with a line through it and nothing happens. What am I doing wrong?
     
  7. PhilliePhan

    PhilliePhan Guest

    Just copy and paste it into your post and we'll deal with it. :cool:

    Did you try the EWIDO?

    PP :)
     
  8. Gurlinthemoon

    Gurlinthemoon Private E-2

    Ok I used the EWIDO, here is that log:

    Inline logs attached!

    PLEASE HELP!!!!
     
    Last edited by a moderator: Jul 30, 2005
  9. PhilliePhan

    PhilliePhan Guest

    I do not see that Trojan in your logs. It may be quite difficult to track down due to the randomly generated name. The below will clean your HJT log a bit, but likely won't flush out the trojan.

    Let's try this:

    -- First, disable SpyBotSD's TeaTimer as it will interfere with these steps.

    Please print out or save these instructions locally so that you can Disconnect from the Internet and operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled.

    Now scan with HijackThis and Check the Boxes for the following, if they remain:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

    O4 - Startup: DLHelperEXE.exe

    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4B9FFD6F-C5F3-4E10-809B-A49F4EB08DF6}: NameServer = 195.95.218.1,85.255.112.7
    O17 - HKLM\System\CCS\Services\Tcpip\..\{68A1CB40-DFEE-4234-8FA6-38126146C3E6}: NameServer = 195.95.218.1,85.255.112.7
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B21654AA-638D-4529-81D6-8B9B90C45A4D}: NameServer = 195.95.218.1,85.255.112.7

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if it should remain:

    DLHelperEXE.exe --> You'll need to look for this with Windows Explorer

    NEXT:
    Run CCleaner and Spybot S&D (from the READ ME FIRST Sticky Post ) and have Spybot fix what it finds.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.



    Let's also try this:
    Please Download RKFiles.zip and extract it to its own folder - C:\Program Files\RKTOOL.

    Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt .

    Please attach that Log along with the Fresh HijackThis Log and we'll go from there . . . .


    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
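An added defender-side example, not part of this thread or of any tool it mentions: a small Python triage script that parses O17 NameServer lines from a HijackThis-format log and flags resolvers that are neither on an allowlist nor private LAN addresses, plus a check for the kind of hosts-file overrides a Qhost-style trojan adds. The log text, hosts file and allowlist are constructed for the example (the O17 lines mirror the ones quoted above, with a third interface changed to a private router address for contrast), and the script generalizes to any HJT log, not just these three lines.

```python
import ipaddress
import re

# Constructed sample in HijackThis log format. The first two O17 lines follow the
# ones quoted in post #9; the last interface is given a private router address
# so the script has a clean entry to contrast with the hijacked ones.
SAMPLE_HJT_LOG = r"""
O4 - Startup: DLHelperEXE.exe
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B9FFD6F-C5F3-4E10-809B-A49F4EB08DF6}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{68A1CB40-DFEE-4234-8FA6-38126146C3E6}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{B21654AA-638D-4529-81D6-8B9B90C45A4D}: NameServer = 192.168.1.1
"""

# Hypothetical allowlist: the ISP resolvers you know the machine should be using.
# Private (LAN) addresses such as a home router are accepted automatically.
EXPECTED_RESOLVERS = {"198.51.100.53"}

# Constructed hosts file. The last two lines are the kind of overrides a Qhost-style
# trojan adds: blackholing a vendor site, and redirecting a site to a remote address
# (one of the addresses from the O17 lines above is reused as the constructed target).
SAMPLE_HOSTS = """\
# standard entries
127.0.0.1       localhost
::1             localhost
# added by malware (constructed)
127.0.0.1       update.antivirus-vendor.example
85.255.112.7    www.bank.example
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Matches an O17 line and captures the interface GUID and the NameServer value.
O17_RE = re.compile(
    r"^O17 - .*?(\{[0-9A-Fa-f-]{36}\}): NameServer = (.+?)\s*$", re.MULTILINE
)


def parse_o17(log_text):
    """Return {interface_guid: [resolver, ...]} for every O17 line in the log."""
    entries = {}
    for guid, servers in O17_RE.findall(log_text):
        entries[guid] = [s.strip() for s in servers.split(",") if s.strip()]
    return entries


def is_expected_resolver(server, expected):
    """A resolver is fine if it is allowlisted or is a private (LAN) address."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return False  # not even a valid address: worth a look
    return server in expected or ip.is_private


def unexpected_resolvers(log_text, expected=EXPECTED_RESOLVERS):
    """Map each interface GUID to the resolvers on it that are not expected."""
    findings = {}
    for guid, servers in parse_o17(log_text).items():
        bad = [s for s in servers if not is_expected_resolver(s, expected)]
        if bad:
            findings[guid] = bad
    return findings


def suspicious_hosts_entries(hosts_text):
    """Return (ip, name) pairs mapping a non-local name to loopback or a public address.

    Loopback mappings blackhole update/vendor sites; public mappings redirect a
    site to a machine someone else controls. Ordinary LAN overrides are skipped.
    """
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip_str, *names = line.split()
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue
            if ip.is_loopback or not ip.is_private:
                findings.append((ip_str, name))
    return findings


if __name__ == "__main__":
    for guid, bad in unexpected_resolvers(SAMPLE_HJT_LOG).items():
        print(f"interface {guid}: unexpected DNS {', '.join(bad)}")
    for ip_str, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip_str}")
```

On a real machine you would feed it the saved HJT log and C:\WINDOWS\system32\drivers\etc\hosts instead of the constructed samples.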
     
  10. Gurlinthemoon

    Gurlinthemoon Private E-2

    Hey! Ok I did what you said, and am attaching both my logs.



    I downloaded a new popup blocker from your site (Smart Popup Blocker), and am no longer seeing those two Virus messages, but I am concerned that that is only because this popup blocker isn't letting me, and not because the Virus is gone. Should I disable the blocker, or assume that my computer is now clean? The only thing is, my computer is running REALLLLLYYYY slow, and I have broadband so there is no reason for such a huge lag. It even runs slow when I do not have an IE browser open. What now?

    ~Dawn
     
    Last edited by a moderator: Jul 30, 2005
  11. PhilliePhan

    PhilliePhan Guest

    Hi Dawn,

    You can fix these entries with HJT:
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} -


    Be sure to disable SpyBot so these fixes take . . .


    You do not have a virus - It is a trojan that causes the popups and, if you click the popup, it tries to sell you some crap anti-spyware app. Uggh. . . .

    The thing is, I do not see the trojan in your logs, so removing it may prove difficult unless we can pin it down.

    -- How many different User Accounts are on your machine?

    -- Do you get the popups when you disconnect from the internet?


    Try this Panda ActiveScan - Let it fix what it finds and then save and attach the log it produces. Let's see if it catches the Trojan.

    I'll check back Sunday evening.

    ** I should add, before I forget, that your Windows XP is Waaay out of date! AFTER we sort this Trojan mess out, you really need to visit Windows Updates and get updated!

    PP :)
     
    Last edited by a moderator: Jul 30, 2005
  12. Gurlinthemoon

    Gurlinthemoon Private E-2

    Hey PP,


    Ok I deleted the entries you mentioned in HJT, and I ran the Panda ActiveScan...here is that log:

    Incident Status Location
    Virus:Trj/Qhost.BP Disinfected Operating system
    Spyware:spyware/wareout No disinfected C:\DOCUMENTS AND SETTINGS\DAWN NICHOLLS\APPLICATION DATA\wo.tmp
    Adware:adware/exactsearch No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}

    I only have one user account on my computer. I don't get any popups except for the two you already know about. I haven't really had any problems with my computer in the last year, and it has always run nice and fast. Now I get those two popups and it lagsssss badly. UGH!!!

    Thanks so much for trying so hard to help me....I really appreciate it.

    Let me know what's next.

    ~Dawn
     
  13. PhilliePhan

    PhilliePhan Guest

    Happy to try to help! :)

    This particular trojan is proving to be a real pain in the ass to track down! I imagine that eventually the good anti-spy tools like EWIDO will catch up to it. Until that happens, all we can do is try various things to flush it into the open.
    At the moment, I do not see it in your Logs.


    First, let's deal with those two items you noted in last post:
    -- You'll need to navigate to this one and delete it manually: C:\DOCUMENTS AND SETTINGS\DAWN NICHOLLS\APPLICATION DATA\wo.tmp

    -- Copy and paste the information in bold below to notepad. Save it to your Desktop as type "all files" and name it fixbaddie.reg


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY]
    "{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}"=-



    Now, DoubleClick on the fixbaddie.reg file you made and follow the prompts to allow it to merge into the registry.


    Now, let's try to find that Trojan responsible for the popups . . . .

    Please download Silent Runners and save it to your Desktop.
    DoubleClick on Silent Runners and allow it to run. If your AV prevents the script from being run, you will have to allow it.

    It will create a log - Please attach that for me and let's see what it has to tell us. I'll check back as time permits.

    PP :)
     
  14. Gurlinthemoon

    Gurlinthemoon Private E-2

    Windows Script Host access is disabled on this machine. Contact your administrator for details.....this is what it says when I try to open Silent Runners....want to tell me how to allow it? :eek:
     
  15. PhilliePhan

    PhilliePhan Guest

    That's not a bad thing, to disable the WSH - It prevents malicious scripts from being run on your machine!

    There are a number of ways we can try to get the script to run - some are more complex than others.

    We can try the easy way first . . . . Note that you will likely need to have Administrator Privileges.

    -- Locate Silent Runners and RightClick on it. Select Open With > Choose Program > Browse > My Computer > Local Disc C: > Windows > System32 and then choose either Wscript.exe or Cscript.exe and run SilentRunners

    Hopefully, you will be able to run it that way . . .. And hopefully, after all the hassle, it will have something to help us!!!

    Best luck :)
    PP
     
  16. Gurlinthemoon

    Gurlinthemoon Private E-2

    Ok I followed the directions you gave me and still nada. Trying to run it with WScript gives me the same error message, and the CScript opens and closes (VERY VERY QUICKLY!!!) a black box...exactly the same kind you would use to ping an IP address. So much for the easy way....guess we are going to need to try things the hard way....what would that be?

    ~Dawn
     
  17. PhilliePhan

    PhilliePhan Guest

    I am not sure if we can get the script to run from a command prompt. The restrictions may override it. And, at this point, I don't know how productive it would be to hack the registry to change permissions. Silent Runners may have nothing to tell us.

    Let's take a different tack and try a full Ad-aware scan. Make sure it is Internet Updated to the latest definitions when you run the scan.
    Then, please attach the full log.

    Also, can you give me any more info about the popups? Can you tell where they are from?

    Hang in there! I know this can get quite annoying . . . :cool:
    If the Ad-aware log has nothing to say, I have a few more tricks up my sleeve....

    PP :)
     
  18. Gurlinthemoon

    Gurlinthemoon Private E-2

    Ok so when all is said and done I realize I'm going to owe you my first born!!

    I clicked on the balloon popup that comes from the right hand side of my tray and I tried to print the screen to this box, but that didn't work. It doesn't have a URL that I can copy and paste either. It actually LOOKS like it might be legitimate, even though I know it isn't. I pasted the screen print into a word pad document, but I can't figure out how to attach it. The other pop up...the one that says Windows Security Center takes me to this URL
    http://microsoftspywareremoval.com/search.php?q=spyware

    Here is my adware log:





    So Houdini....what's your next trick? :)

    ~Dawn
     
    Last edited by a moderator: Aug 2, 2005
  19. PhilliePhan

    PhilliePhan Guest

    I am not seeing anything of use there . . . .Crap! The next trick is going to be considerably more difficult.

    I need to get a look at certain registry keys - Rather than try to run a script, let’s try this:

    *Note: Don’t do anything other than what I ask in the registry – Serious computer borking can occur!!


    FIRST:
    Go Start > Run > type regedit > Enter

    Now, navigate first to HKEY_CLASSES_ROOT/CLSID and RightClick on the CLSID folder icon. Select Export and save to your Desktop as type .txt (text file) and name it clsid

    Next, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    RightClick on the Run folder icon and select Export. Save to your desktop as type .txt (text file) and name it Run

    Now, exit out of the registry.

    Now, please UPLOAD those two files as ATTACHMENTS with your next post using the manage attachments tool in the “Additional Options” section when you post back.

    You will have to ZIP the clsid.txt as it will probably be about 12-15 megs. The run.txt will be much smaller and easily attachable.

    Again, be careful in the registry.
    I'll see if I can pinpoint the popups - Should this fail, I would suggest waiting for the Anti-Spy tools like EWIDO to catch up to this. Right now, though, my curiosity has the better of me. . . . LOL!

    PP :)
     
  20. Gurlinthemoon

    Gurlinthemoon Private E-2

    Because with me nothing is EVER easy, I do not have the first registry you asked me for...I have TONS of things that start with "C" but none that go CLSID.....why?!?!?!? :confused:


    I did attached the Run.txt though.

    So here are my two questions....

    1.) Ummm how come I don't have that first registry key you were looking for?

    2.) Our IT guy at work said that the only way to solve this issue I am having is to go buy Norton's and that I shouldn't be messing with my comp myself. Is it worth the cost I am going to pay to purchase this software?

    Ok Houdini...you're up!!!

    ~Dawn
     
  21. Gurlinthemoon

    Gurlinthemoon Private E-2

    Ok so I'm a little slow...I found the CLSID BUT it is 511 KB, and the attachment thing will only let me upload 97.7KB....I believe I am officially frustrated. :eek:
     
  22. PhilliePhan

    PhilliePhan Guest

    Did you ZIP it?

    I didn't see anything under the run key. I, too, am frustrated! :mad:

    As for the suggestion to buy Norton . . . . I'm surprised to hear that coming from an "IT guy," LOL! Sure, Norton is decent, but it is quite bloated and there are many better options available.

    Also, a tool like EWIDO will be more effective against this type of crap. And, I also prefer Online Scans like Panda because you are much more likely to have the latest malware definitions.


    I must admit, though . . . I am a bit stymied!! Without being able to run some of the generic tools like Silent Runners, it makes things a bit difficult. I suppose we could change the permissions . . .

    PP :)
     
  23. Gurlinthemoon

    Gurlinthemoon Private E-2

    Yes I did zip it. Unzipped it's 10.1 MB....zipped it's 511 KB, but I guess that is too big....Do I just give up now, and deal with the popups? I hate to suck you into the hell that is my computer!!!

    ~Dawn
     
  24. PhilliePhan

    PhilliePhan Guest

    Hi Dawn,

    Go to my other home iamnotageek.com and start a thread in the Spyware Forum titled @PP and upload the Zipped file for me there. I think we can handle ZIPs up to 590KB at IANAG.

    Anyhoo, try that and I'll look at it and post back what I find (if anything) here in this thread.

    PP :)
     
  25. PhilliePhan

    PhilliePhan Guest

    Hi Dawn,

    I'm still looking at the file (a lot to go through ;)) but my initial searches showed no sign of the signature of the family of Trojan associated with this particular popup. I will double-check some of the more recent items.

    Also, it may be worthwhile for you to run TrendMicro Housecall - Maybe it will find this guy . . . Try their new Spyware Scan as well and let me know how you fare.

    You should probably disable SpyBot's Tea Timer beforehand.

    PP :)
     
  26. Gurlinthemoon

    Gurlinthemoon Private E-2

    Hey Houdini! I disabled the tea timer and ran the program you suggested. It found 2 files...one was adware, and I forget what the other was. Doesn't really matter though because it was not the thing we were looking for. I got the pop up a few times before I left for work this morning. Anyway, DRASTIC as I know it may be....would doing a complete system restore solve it? I pretty much have everything I need backed up on disk, and while it would be a pain in the butt to reinstall a lot of my software, it might be easier than dealing with this stupid thing!!!!!


    ~Dawn
     
  27. PhilliePhan

    PhilliePhan Guest

    Yeah - A reformat would solve the problem, but there is always the possibility of it coming back. If your popup blockers block it, you may want to leave it alone for a while and see if any anti-spy tools catch up to it and are able to remove it.

    I did find a suspicious entry in the clsid file - I do not know what it is. It is on another computer and I'll post it next chance I get.

    I'm still rather surprised none of the scans could catch it . . ..


    PP :)
     
  28. Gurlinthemoon

    Gurlinthemoon Private E-2

    Yeah the popup blocker isn't catching it anymore, and it is coming with more and more frequency. This will teach me to look at sites I'm not supposed to! I'll wait for your next post about the CLSID file and then I'll go from there.

    ~Dawn
     
  29. PhilliePhan

    PhilliePhan Guest

    Hi Dawn,

    This is the key I am unsure about:


    HKEY_CLASSES_ROOT\CLSID\{700016CF-23E4-16CB-9F2E-730A000091E1}

    Try navigating to it via regedit as you did before and RightClick and export the key and save it where you can find it. ( This way, if it turns out to be needed, you can put it back ;) )

    Then, RightClick and DELETE that key from the registry and let's see if that helps.

    As I said, I'm not too certain about this one. That's why you should play it safe with the exported backup.

    Best luck :)
    PP
     
  30. Gurlinthemoon

    Gurlinthemoon Private E-2

    Hey Houdini,

    Ok I put it on my desktop and then deleted it. Here is my question though....technically it is still on my computer right? Because it is on my desktop. So how does deleting it from that list really do anything? Also, how was I supposed to save it? As a .reg file or a .txt one?
     
  31. PhilliePhan

    PhilliePhan Guest

    It takes it out of the registry (your compy's "brain") so that it cannot be called. If it turns out to be the culprit, you can delete that backup.

    Just save it as a .reg file - If you want to put it back into the registry, just DoubleClick on it and follow the prompts to do so.


    Did you reboot and see if that darn popup came back? I have a feeling we missed it again! If that is the case, I may be out of tricks . . . :(

    PP :)
     
  32. Gurlinthemoon

    Gurlinthemoon Private E-2

    Hey Houdini....

    This is my latest Ewido scan....I just ran it and I haven't given the pop ups time to come back yet...BUT...I think MAYBE I got it this time....what says you?!?!

    ~Dawn
     
  33. PhilliePhan

    PhilliePhan Guest

    I says that it looks promising!

    It could be these guys here:


    C:\WINDOWS\system32\hgqhp.exe -> TrojanDropper.Agent.qb
    C:\WINDOWS\system32\hclean32.exe -> Trojan.Qhost.qr


    I'll keep my fingers crossed ;)

    BTW - You should hang on to EWIDO. It is a relative newcomer to the world of anti-malware tools, but it does a damn fine job!

    PP :)
     
  34. Gurlinthemoon

    Gurlinthemoon Private E-2

    HOUDINI!!


    (with fingers crossed) I haven't had a popup yet!!! I think it's gone!! I'll miss posting to you, but thanks for all your help! You certainly earned the nic I gave you!

    ~Dawn
     
  35. PhilliePhan

    PhilliePhan Guest

    Cool! Glad I could help you get it sorted out :)

    You don't need an ill compy to visit MajorGeeks . . . Heck, I learn something new here every day!

    Happy Computing :)
    PP
     
  36. Gurlinthemoon

    Gurlinthemoon Private E-2

    So I will just leave this here for you to figure out.... :(

    Want to take a guess?

    ~Dawn
     
  37. PhilliePhan

    PhilliePhan Guest

    It can't be good . . . ;)

    If the popups are back, please attach a fresh HJT log from Normal Windows boot for me - maybe it will show something this time.

    Also, if they have indeed returned, how long were they gone between the time we killed them the first time and when they returned? Did you reboot in that time?

    I want to figure out if this is a reinfection or if the trojan remained on your machine after the first attempt to clean it . . . .

    I am tied up for the next few days, but will try to keep an eye on this thread.

    PP :)
     
  38. Gurlinthemoon

    Gurlinthemoon Private E-2

    Hey glad you found me. I'm attaching both my HJ log, and a second Ewido log. Again it found hijack spyware.

    Ok so after we found that stuff my comp was FINE!!! This stuff started again 2 days ago. I'm thinking that MAYBE it's because I turned my system restore back on?? Is that possible? I know for SURE that it isn't because I've been to any "bad" sites which is where I know I got it from.

    You should ask whoever tied ya up to make sure the ropes are comfy and not too tight!! :)

    ~Dawn

  39. PhilliePhan

    PhilliePhan Guest

    That would just take the fun right out of it, wouldn't it? ;)

    It looks like the same crew of trojans from the last time. Interesting, though - This type usually has randomly named .exes and these are the same, which kinda leads me to believe that they were not cleaned before.

    - - Also, it could be that the Spybot Tea Timer has gotten in the way of cleaning, so keep that off for a while.


    With the viewing of hidden files enabled, try to navigate to the following and, if they are still hanging around, kill 'em:

    C:\WINDOWS\system32\hclean32.exe
    C:\WINDOWS\system32\hgqhp.exe
    C:\WINDOWS\system32\ntfsnlpa.exe
    C:\WINDOWS\system32\rdsndin.exe

    Let me know what you find - Will check back when I can.

    PP :)
     
  40. Gurlinthemoon

    Gurlinthemoon Private E-2

    Very true on the ropes...well I at least hope they are the fuzzy kind!!


    None of those files were there for me to kill...and I thought I had closed the tea-timer. Ok so here is the $1,000,000.00 question...how do I stop this crap from coming back? I thought that Ewido had gotten rid of it.

    Hope you have a couple more tricks Houdini, cause this sucks!

    ~Dawn
     
  41. PhilliePhan

    PhilliePhan Guest

    Yeah, this thing is a real pain in the ass!

    Can you find this on your machine?

    WINDOWS\APPLOG\HCLEAN32.LGC

    If so, attach it for me.

    PP :)
     
  42. Gurlinthemoon

    Gurlinthemoon Private E-2

    Is there more to the file than that? I tried to do a search on my comp and it said "Windows/APPLOG is not a valid file"

    I know you are loving this!

    ~Dawn
     
  43. PhilliePhan

    PhilliePhan Guest

    Use Windows Explorer to try to find this.

    Also, look in Windows for Balloon.wav and Baloon.wav and see if they turn up . . .


    I've still got a few more ideas, but gotta fix dinner and then out the door I go . . . Hey, it is Saturday Night! Also, we may need to change those script permissions after all, if some of the ideas don't work . . .

    I'll try to check back on Sunday.

    PP :)
     
  44. Gurlinthemoon

    Gurlinthemoon Private E-2

    Ok I don't have that Windows/APPLOG on my comp at all as far as I can tell. I did find the balloon.wav though. Am I not supposed to have that?

    Have you been untied yet?

    ~Dawn
     
  45. PhilliePhan

    PhilliePhan Guest

    We'll get rid of it once we pin down the others.

    Sunday through Wednesday are my really busy days of the week, so I will be hitting and running a lot during that time.

    - - I'd like to see a fresh HijackThis log from Normal Windows boot.


    -- Use regedit as you did before to see if the following keys are present on your machine:

    HKEY_LOCAL_MACHINE\Software\CLASSES\HCLEAN32.EXE

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ruins

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls
    --> note the s (urls)

    HKEY_LOCAL_MACHINE\SOFTWARE\WareOut


    Let me know what you find. At this point, I just need to know if they exist.


    -- Also, look for these:
    C:\WINDOWS\SYSTEM32\NTFSNLPA.EXE
    C:\WINDOWS\SYSTEM32\RDSNDIN.EXE
    C:\WINDOWS\RDT.INI

    Again let me know what you find.



    I will try to see if there is an easy way to get scripts to run on your machine so that we can try a few generic locators. Or, perhaps we can just KillBox the known baddies and remove the reg keys manually . . . .

    I'll check back when time permits - It may be Tuesday, so hang in there!

    PP :)
     
    Last edited by a moderator: Aug 7, 2005
  46. Gurlinthemoon

    Gurlinthemoon Private E-2

    Hey Houdini...ok I checked for the things you asked about, and the only one I have is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls, and Yup I noted the "S".

    What's next?

    ~Dawn :p
     
  47. PhilliePhan

    PhilliePhan Guest


    Good question, lol! I really expected you to find more . . . .

    Let's try this:


    Please download the attached REGLK TOOL by IMM and extract it to its own folder.
    Open the folder and run REGLK.EXE. Give it a little time and then run VIEWME.BAT. When the text file opens, please attach it.

    If that doesn't shed any new light on the issue, we'll try a "blanket" type fix for this baddie.

    Still tied up ;), so hang in there!


    PP :)
     
    Last edited by a moderator: Aug 10, 2005
  48. Gurlinthemoon

    Gurlinthemoon Private E-2

    Ok Houdini here is that log you were looking for. I hope you know what it means, because it makes no sense to me!! :)

    So is this the most stubborn trojan you've ever dealt with, or is there still hope for me?

    ~Dawn
     
  49. PhilliePhan

    PhilliePhan Guest

    Yeah . . .This thing hides itself pretty well. I think we'll try the "blanket fix" approach - we'll throw a bunch of darts and hope some of them hit the target, lol! :cool:

    But first, I'd like two final logs:

    1 - Please download Generic Detection Tool - NT/2000/XP
    THEN:
    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that Log for me.

    2 - I'd like to see a fresh HijackThis log as well.

    I'll take a look at those and see if I can formulate some decent "darts" and get back to you with a possible fix as time permits.

    PP :)
     
  50. Gurlinthemoon

    Gurlinthemoon Private E-2

    Ok here are the logs you asked for. I feel like I should be paying you for all of this time you are putting into me and my comp problems.
     