dhamblet, if you have to attach logs in the future, it is best to attach each separately: not in a separate reply, but as a separate attachment. It makes it easier to work with.
In the HJ log, when I request either of the URLs below for your homepage, I get
http://hp-desktop.aol.com/
Checking hpwis.com brings up another site:
http://www.insiderinfo.com/
This redirect usually displays like this:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
But it is still a redirect and should be checked for removal:
Please open HijackThis, and select
Do a system scan only.
Place a checkmark next to the following entries in BOLD (if present). Do not click on FixChecked until you have checked all the entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R3 - URLSearchHook: (no name) - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - (no file)
O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - (no file)
O4 - HKCU\..\Policies\Explorer\Run: [SunJavaUpdater] C:\WINDOWS\system32\0.exe
(0.exe is a process which is registered as a Trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.)
O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe" >> scans the Windows registry for orphan file/folder references
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe >> monitors Registry changes in Real Time
(You are running 2 Registry programs in Real Time. This can cause a conflict. Suggest disabling one of them and uninstalling, or, since AdWatch goes with the paid version of AdAware, suggest just disabling AdWatch.)
O21 - SSODL: TFEXpjP - {5C283C24-F682-968E-6A91-9D8877AA20E4} - (no file)
(ShellServiceObjectDelayLoad is an undocumented autorun method, normally used by a few Windows system components. Items under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad are loaded by Explorer when Windows starts. HijackThis uses a whitelist of several very common SSODL items, so whenever an item is displayed in the log it is unknown and possibly malicious.)
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
(MarketBrowser is Personal Finance Software. If you have downloaded this and are using it without problem. If not, please check for removal. Currently MKBrowser only provides viewing, but a future version will also provide editing and searching.)
Then, close all other open windows, leaving only HijackThis open, and select
Fix checked.
Please download ComboFix HERE.
With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.
• Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)
Do not click on the ComboFix window, as it may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Please run a full system scan with your antivirus program. If anything is found, please attach the log. Include a new log from a HijackThis rescan and the ComboFix report in your next reply.
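As an added example (not part of the original post): a small Python triage pass over HijackThis log lines, using three signals the reply above relies on: entries whose target is "(no file)", any O21 SSODL entry that HijackThis displays, and autoruns under Policies\Explorer\Run. The function name, the reason labels and the choice of exactly these three checks are assumptions; the sample entries are copied from the post.

```python
import re

# A HijackThis entry has the shape "<section> - <description>",
# e.g. "O21 - SSODL: name - {CLSID} - (no file)".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2})\s+-\s+(?P<body>.+)$")

def triage(log_text):
    """Return (section, body, reasons) for entries that deserve a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank line or helper annotation
        section, body = m.group("section"), m.group("body").rstrip()
        reasons = []
        # Registration points at a file that no longer exists on disk.
        if body.endswith("(no file)"):
            reasons.append("orphaned: target file missing")
        # Per the post: common SSODL items are whitelisted, so a listed one is unknown.
        if section == "O21":
            reasons.append("SSODL item not on HijackThis whitelist")
        # Autorun through the policy Run key rather than the usual Run key.
        if section == "O4" and r"\Policies\Explorer\Run" in body:
            reasons.append("autorun via Policies\\Explorer\\Run")
        if reasons:
            findings.append((section, body, reasons))
    return findings

# Sample entries taken from the log lines quoted in the post above.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R3 - URLSearchHook: (no name) - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - (no file)
O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - (no file)
O4 - HKCU\..\Policies\Explorer\Run: [SunJavaUpdater] C:\WINDOWS\system32\0.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O21 - SSODL: TFEXpjP - {5C283C24-F682-968E-6A91-9D8877AA20E4} - (no file)
"""

if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE):
        print(f"{section:<4}{'; '.join(reasons)}\n    {body}")
```

A flagged line is a prompt for manual review, not a verdict; entries such as the hpwis.com start-page redirects are not covered by these three checks.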