Suspicious activity - advice please

fatboy
 
Reply Sun 27 Mar, 2005 11:05 pm
My antivirus isn't starting and I've noticed some suspicious programs running in my msconfig startup folder (ctupdclt.exe, nwiz32.exe).

Some opinion on this would be most helpful. Thanks.

Here's my hijackthis file:

Logfile of HijackThis v1.99.1
Scan saved at 2:01:09 PM, on 3/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\nwiz32.exe
C:\WINDOWS\system32\ctupdclt.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Owner\Desktop\Antivirus Tools\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvUpdater] nwiz32.exe
O4 - HKLM\..\Run: [CTUpdate] ctupdclt.exe
O4 - HKLM\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKLM\..\RunServices: [CTUpdate] ctupdclt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvUpdater] nwiz32.exe
O4 - HKCU\..\Run: [CTUpdate] ctupdclt.exe
O4 - HKCU\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKCU\..\RunServices: [CTUpdate] ctupdclt.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109750565800
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
Type: Discussion • Score: 1 • Views: 1,315 • Replies: 14
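The two entries fatboy singled out share the traits a log reviewer looks for first: a bare filename with no path, registered under both HKLM and HKCU in both Run and RunServices. The following triage script is an added example, not part of the original thread or of HijackThis; it parses the O4 and O23 sections of a HijackThis log, resolves bare filenames against the "Running processes" list, and reports entries registered in several autorun locations and services whose file is missing. The sample log embedded below is constructed from a subset of the lines posted above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\nwiz32.exe
C:\WINDOWS\system32\ctupdclt.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvUpdater] nwiz32.exe
O4 - HKLM\..\Run: [CTUpdate] ctupdclt.exe
O4 - HKLM\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKLM\..\RunServices: [CTUpdate] ctupdclt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvUpdater] nwiz32.exe
O4 - HKCU\..\Run: [CTUpdate] ctupdclt.exe
O4 - HKCU\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKCU\..\RunServices: [CTUpdate] ctupdclt.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
"""

# O4 lines look like: O4 - HKLM\..\Run: [Name] command
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
# O23 lines look like: O23 - Service: name - owner - path
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")
FULL_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def image_of(command):
    """Return the executable part of an O4 command line (strips a quoted path's arguments)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command


def parse_hjt(text):
    """Split a HijackThis log into running processes, O4 autoruns and O23 services."""
    processes, autoruns, services = [], [], []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line:
                in_procs = False      # blank line ends the process list
            else:
                processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            autoruns.append({"hive": hive, "key": key, "name": name,
                             "image": image_of(command)})
            continue
        m = O23_RE.match(line)
        if m:
            services.append({"name": m.group(1), "owner": m.group(2),
                             "path": m.group(3)})
    return processes, autoruns, services


def triage(text):
    """Flag bare-filename autoruns, multiply-registered images and missing service files."""
    processes, autoruns, services = parse_hjt(text)
    # Map basename -> full path from the process list, to resolve bare autorun names.
    by_basename = {p.rsplit("\\", 1)[-1].lower(): p for p in processes}
    locations = defaultdict(set)
    bare = {}
    for a in autoruns:
        img = a["image"]
        base = img.rsplit("\\", 1)[-1].lower()
        locations[base].add(f'{a["hive"]}\\{a["key"]}')
        if not FULL_PATH_RE.match(img):
            # A bare filename is resolved through the search path at logon, so the
            # log alone does not say which file runs; the process list gives a hint.
            bare[base] = by_basename.get(base)
    multi = {b: sorted(locs) for b, locs in locations.items() if len(locs) > 1}
    missing = [s["name"] for s in services if "(file missing)" in s["path"]]
    return {"bare": bare, "multi": multi, "missing_services": missing}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for base, path in result["bare"].items():
        print(f"bare autorun {base}: running as {path or 'not in process list'}")
    for base, locs in result["multi"].items():
        print(f"{base} registered in {len(locs)} autorun locations: {', '.join(locs)}")
    for name in result["missing_services"]:
        print(f"service with missing file: {name}")
```

On the sample, nwiz32.exe and ctupdclt.exe are the only bare-filename autoruns and each is registered in four locations, while the avast! Mail Scanner service is reported with its file missing, which matches the antivirus failing to start.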

 
fatboy
 
Reply Mon 28 Mar, 2005 08:53 am
I found these from some virus scans:


Incident Status Location

Virus:JS/Coolnow No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\_AS115.tmp\motor.cab[pavoe.dll]


C:\WINDOWS\system32\ActiveScan\imscan.dll
 
timberlandko
 
Reply Mon 28 Mar, 2005 01:46 pm
You have a CWS infection, and possibly a couple other problems. Please see Please perform the following prior to posting a HJT log and take the steps outlined there. Pay particular attention to placin' and runnin' HJT ... it should be in a folder of its own on your root drive, and should be run with no other browsers, windows, chat/messagin', or email clients open. Use Ctrl+Alt+Delete to shut everything else down before runnin' HJT.

When done, post a fresh HJT log back here, and we'll take it from there.
 
fatboy
 
Reply Tue 29 Mar, 2005 04:34 am
Followed all the steps. Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:32:34 PM, on 3/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\nwiz32.exe
C:\WINDOWS\system32\ctupdclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvUpdater] nwiz32.exe
O4 - HKLM\..\Run: [CTUpdate] ctupdclt.exe
O4 - HKLM\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKLM\..\RunServices: [CTUpdate] ctupdclt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvUpdater] nwiz32.exe
O4 - HKCU\..\Run: [CTUpdate] ctupdclt.exe
O4 - HKCU\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKCU\..\RunServices: [CTUpdate] ctupdclt.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109750565800
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
 
fatboy
 
Reply Thu 31 Mar, 2005 11:17 pm
Can someone respond please?
Thank you.
 
timberlandko
 
Reply Thu 31 Mar, 2005 11:23 pm
Patience, partner. You'll soon be gettin' the attention somebody else is gettin' at the moment.
 
timberlandko
 
Reply Fri 1 Apr, 2005 03:40 am
OK - sorry to keep ya waitin.

Here's what I'd suggest to start with.

Print out these instructions and get all the suggested downloads before starting with this, as you will have to disconnect from the internet durin' the cleanup.

Make sure your Windows is operatin' properly apart from your browser issues. Turn off System Restore. Right-click the "My Computer" icon on your desktop and click "Properties". Click the "System Restore" tab, select "Turn off System Restore", click Apply > Yes > OK. Doing this will remove your saved restore points, so be sure Windows itself is operatin' satisfactorily. When the cleanup has been completed, re-enable System Restore by followin' the same procedure. Then, set a fresh restore point and reboot. DO NOT RE-ENABLE SYSTEM RESTORE UNTIL THE ENTIRE CLEANUP PROCESS HAS BEEN COMPLETED!

Enable Explorer to view all files. Open "My Computer", click "Tools", select "Folder Options", and click the "View" tab. Place a check mark in the following boxes:

"Display the contents of system folders"
"Display full path in address bar"

Under "Hidden Files and folders" select the "Show hidden files and folders" button

Uncheck the following boxes:

"Hide extensions for known file types"
"Hide protected operating system files (Recommended)"
Click "Yes" to confirm, click "Apply", then click "OK". Close the folder.


Download LSP-Fix. Just download it to a folder you will be able to find easily later. It may or may not be needed, but if it is necessary, you'll have it. Removal of some yuckware can prevent you from accessing the internet. In the event this happens, you will need to run LSP-Fix to repair things.

Download Cleanup. Again, just save it to an easily findable folder. We will use this, but not just yet.

Open AdAware and have it check for updates by clicking the blue-ish globe icon at the upper right of the page and following the onscreen prompts. When the update process has been completed, click the grey-ish "Gear" icon to open AdAware's Configuration and Settings utility.

On the first tab, "General", be sure all 3 buttons in the top panel, "Safety", are green and checkmarked. Next, from the lefthand column, select "Scanning". Be sure the 1st 2 buttons in the top panel, "Drives, folders, & files", are green and checkmarked. The 3rd button, "Skip files larger than ... ", should be red and display an "x". If any button is not as it should be, click to change its setting.

Under "Select drives and folders to scan", be certain AdAware is configured to scan your entire root drive (the drive on which Windows resides, usually "C").

In the bottom panel, "Memory & Registry", all buttons should be green and checked.

From the lefthand column, select "Advanced". In the first 2 panels, all buttons should be green and checked. In the bottom panel, "Alternate Data Streams", both buttons should be red and display an "x".

From the lefthand panel, select the last option, "Tweak". In the righthand panel, select the 1st option, "Scanning Engine" to open its tree. The 3rd button, "Run scan as background ... etc", should be red and display an "x", all other buttons should be green and checked.

Click "Cleaning Engine" to open its tree. The first 5 buttons should be green and checked, the last 3 should be red and display an "x".

Click "Proceed" to save the settings, but do not run an AdAware scan yet, just close the application.

Next, go to LavaSoft and download AdAware VX2Cleaner Plugin. Read, understand, and follow the directions on that page to install the plugin. Don't run it yet, but be sure you know how to.

Download and install Microsoft Windows Antispyware. Before runnin' it, click its "Advanced Options" icon, then click the "Browser Hijack Restore" icon. At the bottom of the page that will open, click "Select All", then click "Restore". Go back up to the top of the page, click "File", and click "Check for updates". When that's been done, disconnect from the internet, then click "Spyware Scan". Click "Scan options", and see to it that "Full system scan" is selected, and that all 3 boxes underneath it are checked: "Scan Memory", "Scan drives/folders", and "Deep scan folders". Also check to be sure that "Scan drives/folders" is configured to scan your entire root drive (click the little folder icon; your root drive - (C) - should be selected). Now, click "Run Scan Now" and let it run to completion, followin' whatever prompts or instructions - if any - it might pop up.

Create a folder on your root drive and name it "Sysclean". Download Trend Micro's Sysclean Package to that folder. Into the same folder, download the Latest Pattern File. This will be a compressed folder; extract the contents. When you have done so, the Sysclean folder should contain 3 items: a folder named "lpt528", a compressed folder named "lpt.528.zip", and the application "sysclean.com". Move sysclean.com into the lpt528 folder.

Reboot into safe mode, find and open the lpt528 folder, then click sysclean.com to run the application. When it has completed, note the full path and name of all files it says it could not clean or delete, if any.

Still in safe mode, open AdAware, and run the VX2 Cleanup plugin, followed by an AdAware system scan, being sure the "Use custom scanning options" button is checked, and have AdAware fix whatever, if anything, it finds. Reboot normally, but do not connect to the internet, and run another full AdAware scan, again fixing whatever, if anything, it finds.

Now, run Cleanup, and reboot normally when it prompts you to. Run a new HJT scan immediately followin' bootup, connect to the internet, and post the fresh log to this thread.
 
fatboy
 
Reply Sat 9 Apr, 2005 01:44 am
I followed all of the above steps, except one. The sysclean.com file wouldn't work when I extracted it. It wasn't readable. There was no lpt.528.zip, instead it was lsp532.zip.

Here's my updated HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 4:39:42 PM, on 4/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\nwiz32.exe
C:\WINDOWS\system32\ctupdclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvUpdater] nwiz32.exe
O4 - HKLM\..\Run: [CTUpdate] ctupdclt.exe
O4 - HKLM\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKLM\..\RunServices: [CTUpdate] ctupdclt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvUpdater] nwiz32.exe
O4 - HKCU\..\Run: [CTUpdate] ctupdclt.exe
O4 - HKCU\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKCU\..\RunServices: [CTUpdate] ctupdclt.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109750565800
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
 
timberlandko
 
Reply Sat 9 Apr, 2005 08:41 am
Prolly not your fault; I think mebbe I screwed ya up some there - looks like I goofed the link to the pattern file. My bad, sorry 'bout that.

Let's try Sysclean again, usin' these links:

Sysclean

Pattern File

Note: the application sysclean.com and the pattern file MUST be in the same folder! It doesn't matter whether sysclean.com is placed in the extracted pattern file folder, or if the extracted pattern file is moved into the Sysclean folder, but sysclean.com and the extracted pattern file must be together with one another in one folder.
 
fatboy
 
Reply Sun 10 Apr, 2005 06:16 am
I tried the same thing again, yet I'm not able to run the sysclean.com file. As well the extracted pattern file shows up as an unreadable file. They are in the same folder on the desktop.

I'm pretty sure the infection is still there. I'm really at a loss as to what to do next.
 
timberlandko
 
Reply Sun 10 Apr, 2005 07:57 am
Odd ... well, let's try to get to the bottom of this.

You mentioned Sysclean was in a desktop folder - You don't want it on your desktop, you want it on your root drive. Create a folder on your "C" drive:

Press the Windows Key and the "E" key simultaneously. When Explorer opens, locate your "C" drive, double-click to open it. When it has opened, go to the toolbar, select "File", select "New", select "Folder", name the folder "Sysclean", then close all folders.

Now, right-click this link and select "Save As", and direct the download into the "Sysclean" folder you just created: Sysclean

Now, left-click this link to bring you to the pattern file download page: Pattern File. On that page, you will find

Quote:
Virus Pattern Files



Official Pattern Release 2.552.00


As of Apr 09, 2005, the latest pattern file number is 2.552.00.

The Official Pattern Release or OPR is Trend Micro's latest compilation of patterns for identified viruses. It is guaranteed to have passed a series of critical tests to ensure that customers get optimum protection from the latest virus threats.

lpt552.zip (AS/400, S/390, Windows) 6.8MB
MD5 checksum: ebc70c4b84a61b62e5e1d6e93f52d630


"lpt552.zip" is the zip file you want. Right-click on it, select "Save As", and direct it into the Sysclean folder. When the download has completed, open the Sysclean folder, locate the lpt552.zip folder, right-click on it, and select "Extract All". When the Extract Wizard opens, the dialog box under "Files will be extracted to this directory:" should be highlighted and read "C:\Sysclean\lpt552". I suggest you click in the dialog box to remove the highlight, then delete just the portion that reads "\lpt552", leavin' only "C:\Sysclean" in the dialog box, then click "Next" to extract the files. When the extraction has completed, close the Extract Wizard, navigate to and open the Sysclean folder. It should contain 4 items: the zipped folder "lpt552.zip", the Sysclean.com MS-DOS application, a file named "lpt$vpn.552", and a file named "WHATSNEW.TXT". If that's what you see, close all other browsers or windows, disconnect from the internet, disable your own antivirus and/or antispyware applications, exit all other applications (use Ctrl-Alt-Delete to bring up Task Manager to make sure), then, with no other browsers or windows open or applications runnin', click Sysclean.com to launch the application. An MS-DOS box will pop up, a buncha new files will appear in the folder, then the Sysclean scanner itself will open and the scan will begin. It should take a pretty fair while to run; a half hour or more, sometimes much more, dependin' on your processor, memory, and how large and full your drive is.


If you follow the create-folder, download, and extract process I laid out, and the results are not as expected, please give me details of what you did, what happened, and the exact name of the files in the Sysclean folder.
 
fatboy
 
Reply Mon 11 Apr, 2005 09:15 pm
I've closely followed everything up until running sysclean.com. The files are in the same folder in my root drive, yet the extracted sysclean.com file is just a 'file' and it won't let me execute it. This is the same thing I had last time. I'll try to run it but it only asks me what program to execute it with. I tried to execute it with the default.pif ms-dos file in the windows folder but nothing happened.
I'm wondering if I should check if my antivirus has a restore point and restore my computer to an earlier point. Sorry for the difficulties, but this is where I'm stuck.
 
timberlandko
 
Reply Mon 11 Apr, 2005 10:10 pm
Sorry you're stuck, too. sysclean.com is not an extractable file, it's an executable, a 2.75MB MS-DOS application; clickin' on it oughtta cause it to execute. When it executes, it should pop up a black-and-white MS-DOS box on your desktop, begin unpackin' its necessary files, then open and run the Trend Sysclean scan engine, usin' the pattern, or .dat, files of lpt$vpn.552. Not real sure what's goin' on there; I gotta figure I'm not explainin' somethin' to you quite clearly enough. Not too surprisin' if that's the case; really, I'm a lousy teacher.

Oh, well, let's skip Sysclean for now. With your own AV disabled, go here: BitDefender Scan Online
Run a scan with BitDefender. Be sure to check "Auto Clean". Make a note of anything it can't remove. Don't reboot unless it tells you to. If It tells you to reboot to finish its cleanup, reboot, revisit the website, and run it again. Don't reboot the second time, even if it tells you to.

Without havin' rebooted, go here: Trend Micro - Free online virus Scan
Be sure you check "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the full file name and location so we can deal with it later.

Run Cleanup again, reboot, revisit Trend, and run the scan one more time, then reboot into safemode, and run CWShredder twice-in-a-row while in safemode.

While still in safemode, run the Ad-Aware VX2 Cleaner plugin once more, then a full Ad-Aware scan, bein' sure the scan options are set as I advised you earlier. Fix anything found.

When the Ad-Aware scan has finished, and while still in safe mode, run Microsoft Antispyware once more, again with its settin's as advised earlier. When it has finished, and while still in safe mode, run it one more time.

Run Cleanup one more time, then reboot normally, run a fresh-after-boot HJT scan, and post the log, if you would, please. I may not get to it tonight, but I'll get to it soon as I can, or mebbe Don77, Craven de Kere, or Monger will be along - anyhow, you won't be ignored.
 
fatboy
 
Reply Fri 15 Apr, 2005 07:05 am
The Trend-Micro scan found one malware yet everything else turned up clean. I'm still seeing some suspicious things in the HJT log though (i.e. nwiz32):

Logfile of HijackThis v1.99.1
Scan saved at 10:00:54 PM, on 4/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\nwiz32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvUpdater] nwiz32.exe
O4 - HKLM\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvUpdater] nwiz32.exe
O4 - HKCU\..\RunServices: [NvUpdater] nwiz32.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109750565800
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
 
timberlandko
 
Reply Fri 15 Apr, 2005 12:45 pm
That log actually looks pretty clean now; nwiz32.exe is a component of nVidia video adapter software, and while not critical to the operation of your nVidia based device, it offers little to users who do not employ the advanced features of nVidia hardware. You could have HJT fix it if you wish, user choice. To set your mind at ease, navigate to C:\WINDOWS\system32\nwiz32.exe, right-click on the file, select "Properties", select the "Version" tab, and verify it is indeed from nVidia Corp.

Another one you have there that gets folks upset once in a while is C:\WINDOWS\system32\ctfmon.exe; this one is what amounts to a usually unnecessary component of Microsoft Office applications. Again, verify it if you wish; disabling it through HJT will have little or no effect on your machine's functionin' in most cases. That one, actually, I'd just live with; it doesn't do much for most folks, but gettin' rid of it hardly is worth the hassle compared to any benefit derived. (Gee, thanks, Microsoft.)

However, I suggest you run Microsoft Antispyware again, click its "Advanced Options" icon, then click the "Browser Hijack Restore" icon. At the bottom of the page that will open, click "Select All", then click "Restore", confirm if prompted, and then click "Scan Now", followed by one more run of Cleanup and a normal reboot. Once that's been done, you should be able to reset your home page to whatever you want via Internet Options, or through Spybot S&D's advanced browser/search reset utilities (consult Spybot's documentation). Give that a shot, and lemme know what happens. I think we're close to done here, but I'd like to know if you're still experiencin' any suspicious symptoms before we sign off on this one.