possible browser hijack G-Connect

Started by Brynn, July 21, 2006, 04:04:44 AM


Brynn

Hi Folks,
I'm not sure what to make of this, but hopefully some of you tech-types can shed some light.

Something less than a week ago, when I logged on to the internet it looked like my browser had been hijacked.  I immediately killed my connection (dialup) and ran all my security scans.  Nothing!  Log back on, everything is fine.  Working and surfing for hours -- something like 6 hours later, looks like the same hijack.

In the titlebar, it says G-Connect, and in the address field, it's really, really long -- 1st an IP address, then a bunch of characters, then "myaccount.earthlink.net", then more characters, then my email address (EarthLink account), then a bunch more characters, which at this point are almost all "-"s.  The browser window contains nothing, completely blank.  No matter what address I try to browse to, no matter how many refreshes, this is all I see -- the same G-Connect in the titlebar, the same address in the address field, and the same blank browser window.  I log off, run all my scans again, all clean.  Log back on, everything's fine.  Everything fine for a couple of days.  But then again, when I log on to the internet, G-Connect in titlebar again, same address, same blank window.  I go through the same routine, log off, scan, all scans clean, log back on, everything works fine. Everything was fine for a few hours, then it happened AGAIN.

Because of the "myaccount.earthlink.net", and my email address (EarthLink account) in the address field, and because all my scans came up clean, and because the problem is random, it doesn't happen all the time, I wondered if it was more of a problem with my connection.  So I contacted EarthLink tech support, explained the problem, answered their questions, and performed all the troubleshooting steps they recommended.  Well, because of the language barrier with EL tech support....ok not exactly a language barrier, but in my experience most EL (Dell too) techs can barely speak English.  For those who just want to be walked through the troubleshooting and resolution, step by step, this doesn't seem to affect the quality of support.  But for those who want or need to understand the problem and/or solution, or otherwise want to learn from the experience, it's nearly impossible.  I typically have to make 4 or 5 calls before I feel confident that the problem was correctly identified, that the solution was appropriate, and have at least a general understanding of what went wrong and how it was fixed.

I guess I'll save the details of the fiasco that became several hours long, for their "How did we do?" survey.  But briefly, the 2nd one told me if his solution didn't work, I'd have to reinstall OS.  The 3rd said I'd have to reinstall IE.  The 4th said my TCP/IP protocols were corrupted.  And the 5th told me I had to contact my computer manufacturer for help reinstalling the TCP/IP protocol.  Interestingly, on my 2nd call to Dell tech support (finally someone with a lighter accent, who did not mind answering my questions) I learned that the steps which the EL techs had walked me through actually are the steps to reinstall the TCP/IP protocols.  So basically, EL just wanted to get rid of me!  ....oops, sorry -- guess I really need to  :soapboax:  about the language thing.

Anyway, Dell took me through a longer version of reinstalling those protocols, more or less "manually" (starting with deleting something out of the registry).  She was very nice and very helpful, and very patient with me!  She said if this did not solve the problem, we would have to try System Restore, and if that didn't fix it, we'd have to reinstall OS (which I call "playing the OS card" -- if you can't fix it, just give up...another  :soapboax: of mine).  But the problem was not solved.  And because 7 different technicians all thought this G-Connect problem was corrupted TCP/IP protocols, and because of my many clean scans, I wasn't too worried about a possible security issue.  And since it's occurring randomly, the last couple of days, and since I don't think System Restore should be taken as lightly as it seems to be, I've done nothing.  I mean, if System Restore turns out to be my best option, I'll be grateful for it.  I'm just not sure the problem has even been identified correctly yet!  When I get G-Connect, I just log off, wait a few minutes, and log back on.  And basically I've been hoping it will just go away ( :oops:  .....well, at least we know I'm human!  Yes?!)

So, just now, it occurred to me that I didn't necessarily need to rely entirely on tech support.  I decided to Google on "G-Connect".  Lo and behold, there is actually an ISP by that name (www.g-connect.com)!  Although I did not follow any of the many links from Google (goodness knows what they might do if I actually visit their site!), there are enough search results that I do believe it's a legitimate....albeit unscrupulous...ISP.

Sorry for that long explanation, but here are my questions:
Is this truly a browser hijack?  Why aren't my scans picking it up?  Why aren't my blockers blocking it?  How can I get rid of it?

I only just now Googled, and in a mild panic, dashed here to post!  But while waiting for a reply, I will update all my definitions, run all my scans AGAIN! and I've even thought of searching some larger and busier security forums, to see if it's been discussed, but not picked up by Google yet.  So as I learn more (if I learn more), I will post (to this thread) with my progress.

Thanks, as always, for any and all help and support on this problem  :flowers:
"To sin by silence when they should protest makes cowards of men." - Abraham Lincoln

Corrine

Brynn, please post a HJT log.  Let's see what that shows us. 

For the sake of completeness:

Please download HijackThis© from:  http://www.thespykiller.co.uk/files/HJTsetup.exe

Note:  This is a complete installer that installs HijackThis to your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut.

At the download prompt, choose "Save".  After the download is complete, navigate to the C:\Program Files\HijackThis folder and double-click it.  When the installation is complete, double-click the HijackThis icon on your desktop.  Select "Do a system scan and save logfile".  Select a name for this first logfile and a text file will be produced.  Please have word wrap turned ON in Notepad. Copy the text file and paste it here as a reply.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Brynn

Hi Corrine,
Ok, I can do that  :thumbsup:   Thanks for your reply  :)
I guess these days, it's always better safe than sorry, but I hate to take up yours and LzD's valuable time on something that's not really a problem.  So if there's some reasonable explanation for this "hijack-like" behavior, I'm really fine with that, and wouldn't need a big troubleshooting process.   So please feel free to tell me not to worry my pretty little head, lol!

But for now, I already have HijackThis, and ran a scan earlier today.
The only thing I see that's different from usual, is one line that's missing.  Here I've copied it from an earlier logfile:

"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://groups.msn.com/SupportforChronicPain"

It used to be the 2nd line in the 2nd section of the logfile, right after...beneath, the R0 entry.  I'll type *x* where it used to be.  However, I first noticed it missing a month ago, and this G-Connect problem started just a week ago.

Ok then, I'll stop babbling  :smash:   For whatever it's worth, the log:

Logfile of HijackThis v1.99.1
Scan saved at 2:53:11 AM, on 7/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Restore Desktop\RestoreDesktop.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\GlidePoint\glidesvc.exe
C:\Program Files\Javacool\SpywareGuard\sgmain.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\ewido\ewido anti-malware\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido\ewido anti-malware\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Hijack This\HT v1.99.1\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/SupportforChronicPain
*x*
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido\ewido anti-malware\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Restore Desktop] "C:\Program Files\Restore Desktop\Restore Desktop.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RestoreDesktop] C:\Program Files\Restore Desktop\RestoreDesktop.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Javacool\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Shortcut to glidesvc.exe.lnk = C:\Program Files\GlidePoint\glidesvc.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.alteviltech.com
O15 - Trusted Zone: http://www.arthritis.org
O15 - Trusted Zone: http://www.ashp.org
O15 - Trusted Zone: http://www.auafoundation.org
O15 - Trusted Zone: http://www.bbusa.net
O15 - Trusted Zone: http://*.beermespix.com
O15 - Trusted Zone: http://www.callwave.com
O15 - Trusted Zone: http://www.ccfa.org
O15 - Trusted Zone: http://www.cirque.com
O15 - Trusted Zone: http://www.colorschemer.com
O15 - Trusted Zone: http://www.computerhaven.com
O15 - Trusted Zone: http://*.computerhaven.com
O15 - Trusted Zone: http://www.computerhaven.info
O15 - Trusted Zone: http://*.computerhaven.info
O15 - Trusted Zone: http://live-symantec.custhelp.com
O15 - Trusted Zone: http://forums.us.dell.com
O15 - Trusted Zone: http://www.support.dell.com
O15 - Trusted Zone: http://www.dingbatpages.com
O15 - Trusted Zone: http://kb.earthlink.net
O15 - Trusted Zone: http://myaccount.earthlink.net
O15 - Trusted Zone: http://securitycenterkb.earthlink.net
O15 - Trusted Zone: http://support.earthlink.net
O15 - Trusted Zone: http://tr.earthlink.net
O15 - Trusted Zone: http://webmail.earthlink.net
O15 - Trusted Zone: http://webmail.pas.earthlink.net
O15 - Trusted Zone: www.earthlink.net
O15 - Trusted Zone: http://www.echoecho.com
O15 - Trusted Zone: http://forum.echoechoplus.com
O15 - Trusted Zone: http://www.endometriosisassn.org
O15 - Trusted Zone: http://images.fws.gov
O15 - Trusted Zone: http://www.gimptalk.com
O15 - Trusted Zone: http://www.hepc-connection.org
O15 - Trusted Zone: http://www.homestead.com
O15 - Trusted Zone: http://*.imageshack.us
O15 - Trusted Zone: http://downloadfinder.intel.com
O15 - Trusted Zone: http://*.intel.com
O15 - Trusted Zone: http://bbs.keyhole.com
O15 - Trusted Zone: http://www.keyhole.com
O15 - Trusted Zone: http://*.keyhole.com
O15 - Trusted Zone: http://www.landzdown.com
O15 - Trusted Zone: http://login.live.com
O15 - Trusted Zone: http://www.lupus.org
O15 - Trusted Zone: http://www.lupuscolorado.org
O15 - Trusted Zone: http://www.m-w.com
O15 - Trusted Zone: http://www.medicare.gov
O15 - Trusted Zone: http://www.medscape.com
O15 - Trusted Zone: http://*.medscape.com
O15 - Trusted Zone: http://www.msisurvey.com
O15 - Trusted Zone: http://g.msn.com
O15 - Trusted Zone: http://groups.msn.com
O15 - Trusted Zone: www.msnusers.com
O15 - Trusted Zone: http://forum.worldwind.arc.nasa.gov
O15 - Trusted Zone: http://www.painfoundation.org
O15 - Trusted Zone: http://login.passport.com
O15 - Trusted Zone: http://login.passport.net
O15 - Trusted Zone: http://service.symantec.com
O15 - Trusted Zone: http://www.symantec.com
O15 - Trusted Zone: http://www.tessellations.org
O15 - Trusted Zone: http://www.theacpa.org
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102567996858
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido\ewido anti-malware\ewido anti-spyware 4.0\guard.exe
O23 - Service: GlidePoint Touchpad Client (GlidePoint) - Cirque Corporation - C:\Program Files\GlidePoint\glidesvc.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

THANKS AGAIN !!
"To sin by silence when they should protest makes cowards of men." - Abraham Lincoln
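
An added example, not part of the original posts and not HijackThis's own code: the entry-by-entry comparison against an earlier logfile that Brynn describes doing by eye, scripted. The two sample logs are constructed from lines quoted in this thread; the changed start-page URL and all function names are assumptions made for illustration.

```python
import re

# An entry line is a section code (R0, O4, O23, ...), " - ", then free text.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Map (code, name) -> (code, name, value) for each entry line.

    Header lines and the "Running processes" list do not match ENTRY_RE
    and are skipped. Names are case-folded for matching because Windows
    paths and registry names are case-insensitive.
    """
    entries = {}
    for raw in log_text.splitlines():
        line = " ".join(raw.split())  # trim and collapse whitespace
        match = ENTRY_RE.match(line)
        if not match:
            continue
        code, body = match.groups()
        # "name = data" entries (R0/R1, O4 Startup) are keyed on the name;
        # every other entry is identified by its whole body.
        name, sep, value = body.partition(" = ")
        entries[(code, name.casefold())] = (code, name, value if sep else None)
    return entries


def render(entry):
    """Turn a parsed entry back into a log-style line."""
    code, name, value = entry
    return f"{code} - {name}" + (f" = {value}" if value is not None else "")


def diff_logs(old_text, new_text):
    """Return entries removed, added, or changed in value between two logs."""
    old, new = parse_entries(old_text), parse_entries(new_text)
    result = {"removed": [], "added": [], "changed": []}
    for key, entry in old.items():
        if key not in new:
            result["removed"].append(render(entry))
        elif (entry[2] or "").casefold() != (new[key][2] or "").casefold():
            result["changed"].append((render(entry), render(new[key])))
    result["added"] = [render(e) for k, e in new.items() if k not in old]
    return result


# Constructed sample: an earlier log that still has the R1 ShellNext line.
OLD_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/SupportforChronicPain
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://groups.msn.com/SupportforChronicPain
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O15 - Trusted Zone: http://myaccount.earthlink.net
"""

# Constructed sample: R1 is gone, an autorun was added, and (purely to show
# the "changed" case; this did not happen in the thread) the start page
# points at a placeholder URL. The key's case differs on purpose.
NEW_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.example.invalid/
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido\ewido anti-malware\ewido anti-spyware 4.0\ewido.exe" /minimized
O15 - Trusted Zone: http://myaccount.earthlink.net
"""

if __name__ == "__main__":
    report = diff_logs(OLD_LOG, NEW_LOG)
    for line in report["removed"]:
        print("REMOVED:", line)
    for line in report["added"]:
        print("ADDED:  ", line)
    for before, after in report["changed"]:
        print("CHANGED:", before)
        print("     to:", after)
```

A changed R0/R1 value or a new O4 autorun is what deserves a closer look; a line that simply disappears, like the R1 entry here, is reported too so it can be ruled in or out.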

Corrine

Quote: I hate to take up yours and LzD's valuable time on something that's not really a problem
Fiddlesticks!  You are a LzD member and contributor to the site.  Of course we will do what we can to help.  :rose:


Yes, the difference between the R0 and R1 is that the R0 is a start page:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/SupportforChronicPain

(OT:  I see you have your Cirque touch pad.  :) )



Brynn

 :thumbsup:  Ok, I'll try not to feel so bad then....in the future.  :hug:

As for now, unfortunately, I'm pretty sure I've got some malware.
Symptoms:

  • While I have not seen the hijack-looking page since posting this thread, I have been having intermittent slow downs -- slow-WAY-downs -- well, actually it's more like freeze-ups :(.  I'll be working along just fine, and then suddenly, nothing will work.  It's like I have too many large programs running, and the cpu gets max'd out.  Except when I check the Task Manager, the cpu is NOT max'd, not even close (2%, 5%, 10%).  And when the freeze is over, it does NOT execute any clicks I might have made during the freeze, like it does when the cpu gets overloaded.  Also, it shows all programs and processes are responding and running.  The freeze-up lasts for, well, I haven't actually timed it, but I would say up to 5 or 10 minutes.
  • Then once the system is responding to clicks once again, it is very slow, like it takes 30 seconds, or maybe up to a minute, to respond to one click (one which usually takes up to 5 secs).  This slow down phase might last for something like 5 or 10 minutes.
  • Then sometimes the system freezes up again, although the 2nd freeze is not as long as the 1st.  Then everything goes back to normal, as far as speed.  I haven't timed the interval between episodes, but I'll try and remember to.  However I have noticed that the longer I'm logged on to the computer, the more frequently it happens.
  • It doesn't just happen when I'm online.  It happens sometimes when I'm offline too.
  • During restarts, a blank window opens which says....hhm, either Open Connection or Close Connection in the titlebar (don't remember exactly which one, but pretty sure it's Close).  Sometimes it happens right after I click restart but before it shuts down, and sometimes it happens after it starts back up and the desktop is once again displayed.  And it's a blank Windows Explorer window, not a browser window.
  • Restarts take for-EVER.

Let's see, specs.....

  • Windows XP SP2 Home
  • IE6 SP2
  • CWShredder
  • Ad-Aware SE personal (free)
  • Spybot S&D
  • SpywareBlaster
  • ewido free
  • Norton Internet Security 2005 (which I'm seriously considering replacing with other programs, before next renewal) and which includes, firewall, av, spam blocker, ad and pop-up blockers
  • IE-SpyAd
  • HijackThis
  • CCleaner
  • very old versions of Sysclean and Silent Runners

Everything fully updated as of yesterday.

What have I done for troubleshooting?

  • I've run scans with ALL my programs with current definitions -- not even a tracking cookie has turned up.
  • I've looked at the Task Manager during episodes, and I've already mentioned the results.
  • I've checked to make sure I don't have anything set for automatic updates.  This is the very reason I avoid automatic updates -- so that I don't get mysterious and frustrating slow-downs!
 
I just got the brand new version of ewido, not set for automatic update.  Just haven't had it long enough to know if it "calls home" for some other reason.  I can't think of anything else that's new or changed significantly.

So, are there any other scanners which might pick up particularly well-hidden malware?  Does my HT logfile look ok?  I don't notice any changes beyond what I already mentioned.  Well, I'm thinking I should probably stay offline until we figure something out.  Even though the problem happens when I'm not online, I'm thinking if I stay offline, at least the malware can't call home.  Right?  Ok then, I'll check back from time to time, rather than wait here for replies.  Thanks again for any help or ideas anyone can come up with.
All best  :hug:

PS -- yes, new mouse, will post to ergonomics thread when this problem is resolved :)

Corrine

My only comment about Norton -- NAV is a resource hog.

How about if we take a look at a startup list:

Open Hijackthis, click "Open the Misc Tools section"
Next to "Generate StartupList log", place a check next to "List also minor sections" (full) and "List empty sections" (complete).
Then click "Generate StartupList log"
Click "Yes" to the box that pops-up.
Then copy and paste the notepad text that appears to this topic.



Brynn

Wow, I sure can't make heads or tails of that!
If it contains any personal info, such as email address, I'll let you either delete or disguise it.  Does it give us any clues?

StartupList report, 7/22/2006, 8:32:44 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Hijack This\HT v1.99.1\Hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido\ewido anti-malware\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\ewido\ewido anti-malware\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Restore Desktop\RestoreDesktop.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\GlidePoint\glidesvc.exe
C:\Program Files\Javacool\SpywareGuard\sgmain.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HT v1.99.1\Hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
SpywareGuard.lnk = C:\Program Files\Javacool\SpywareGuard\sgmain.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
CallWave.lnk = C:\Program Files\CallWave\IAM.exe
HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Microsoft Works Calendar Reminders.lnk = ?
Shortcut to glidesvc.exe.lnk = C:\Program Files\GlidePoint\glidesvc.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
MMTray = "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
WorksFUD = C:\Program Files\Microsoft Works\wkfud.exe
Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
mmtask = "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
LTWinModem1 = ltmsg.exe 9
!ewido = "C:\Program Files\ewido\ewido anti-malware\ewido anti-spyware 4.0\ewido.exe" /minimized

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Restore Desktop = "C:\Program Files\Restore Desktop\Restore Desktop.exe"
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
RestoreDesktop = C:\Program Files\Restore Desktop\RestoreDesktop.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ss3dfo.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
Norton Internet Security - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll - {9ECB9560-04F9-4bbc-943D-298DDF1699E1}
NAV Helper - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer - Owner.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102567996858

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[MSN File Upload Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MsnUpld.dll
CODEBASE = http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38490.7334375

[ActiveDataInfo Class]
InProcServer32 = C:\PROGRA~1\COMMON~1\SYMANT~1\SymAData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/asa/SymAData.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Automatic LiveUpdate Scheduler: "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Network Proxy: "C:\Program Files\Common Files\Symantec Shared\ccProxy.exe" (autostart)
Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
MS IEEE-1284.4 Driver: System32\DRIVERS\Dot4.sys (manual start)
Print Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Prt.sys (manual start)
Scan Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Scan.sys (manual start)
Dot4USB Filter Dot4USB Filter: System32\DRIVERS\dot4usb.sys (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido anti-spyware 4.0 driver: \??\C:\Program Files\ewido\ewido anti-malware\ewido anti-spyware 4.0\guard.sys (system)
ewido anti-spyware 4.0 guard: C:\Program Files\ewido\ewido anti-malware\ewido anti-spyware 4.0\guard.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GlidePoint Touchpad Client: "C:\Program Files\GlidePoint\glidesvc.exe" (autostart)
GlidePoint USB Touchpad Filter: system32\DRIVERS\glideusb.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
ISSvc: "C:\Program Files\Norton Internet Security\ISSVC.exe" (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
LiveUpdate: "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" (manual start)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Lucent Modem Driver: system32\DRIVERS\ltmdmxp.sys (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoftvirus: "C:\WINDOWS\System32\sysoverload.exe" -netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Norton AntiVirus Auto-Protect Service: "C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060719.024\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060719.024\NavEx15.Sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI: \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRT.SYS (system)
SAVRTPEL: \??\C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRTPEL.SYS (system)
SAVScan: "C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe" (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
smwdm: system32\drivers\smwdm.sys (manual start)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (autostart)
SPBBCDrv: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (system)
Symantec SPBBCSvc: "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{49CB0F61-979F-42B1-A26C-A07EA6D768C4} (manual start)
Symantec Core LC: "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" (autostart)
SYMDNS: \SystemRoot\System32\Drivers\SYMDNS.SYS (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMFW: \SystemRoot\System32\Drivers\SYMFW.SYS (manual start)
SYMIDS: \SystemRoot\System32\Drivers\SYMIDS.SYS (manual start)
SYMIDSCO: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20060710.095\symidsco.sys (manual start)
symlcbrd: \??\C:\WINDOWS\system32\drivers\symlcbrd.sys (autostart)
SYMNDIS: \SystemRoot\System32\Drivers\SYMNDIS.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB Root Hub (usbport): System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Intel(R) Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (system)
Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 36,347 bytes
Report generated in 1.265 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only
"To sin by silence when they should protest makes cowards of men." - Abraham Lincoln

Corrine

No, nothing personal shown and also nothing appears out of the ordinary.

Have you removed R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/SupportforChronicPain and has it made a difference?


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Brynn

Oh, I didn't realize I was supposed to remove it!
I thought it was a problem that the R1 item had disappeared, not a good thing.
But do you understand that I actually want that to be my home/start page?

Brynn

Are you saying that removing it would solve some of my problems?
But it's been there, my start page, since, well, for a long time.  Long before these problems started.

Corrine

I misunderstood and thought it had become your start page and hadn't been previously.



Brynn

So it sounds like everything is probably ok, then?
Is there any other reasonable explanation for the little freeze-ups I've been having?  Like for example, some program doing routine maintenance on itself, or something like that?

I installed The GIMP graphics program not too long ago, which frequently maxes out my cpu and/or crashes.  And while the symptoms I've described are happening when it's NOT open, I still wonder if The GIMP is somehow behind this problem.  What's keeping me from just uninstalling/deleting it, just to be very safe, is that I really love it!!  It is incredibly versatile, especially for a free program!

Well, meanwhile, some quick searches in Google and several large security sites have not turned up any possible explanations for the G-Connect.  Although I doubt I've covered every possible resource yet.  Can you recommend maybe some key forums where new malware is often identified?  Not that I want to post about this, because I trust that you and LzD are well-connected.  But I would like to keep an eye out for other possible similar reports.

As long as I keep having these little freeze-ups, I'll keep an eye on this thread, as well.  If they ever go away, I'll post to close the thread.  Otherwise, I'll keep looking for info and hoping it doesn't get worse, lol!  Thanks very much for your help, Corrine, and everyone else who has worked on this weird little problem  :flowers:

Hoping for the best   :thanks:

Brynn

AH-HA!!!

Doesn't happen often, but it CAN be helpful to read threads whose topics I don't understand.  Because look at this:

Quote: "If your PC is running too hot then yes it will do things a lot slower..."
(by GR@PH;<'S in this thread
http://www.landzdown.com/index.php?topic=9423.0)

I have recently changed the location of my computer, temporarily, to avoid water getting into it via a leak in the ceiling/roof......LONG story, LOL!!  But don't worry, no water got to it, thanks to  :mrgreen: 
Just kidding, really I just moved it out from under the leak.  Whew!!  Anyway, no doubt circulation is reduced ;)  Even though I just moved it maybe 8 to 12 inches, it was directly in the path of cool air from the air conditioner.  Now it is tucked in behind a wall which partially divides the room.

Hhhmmm, doesn't explain the G-Connect part of the problem though.  Well, I'll still "keep my eyes peeled,"  but relieved about the freeze-ups/slow-downs.  Thanks again for listening   :hug:

Brynn

Hi again Folks
:mitch:
I think I've found the real reason for my brief freeze-ups.  This does not explain the G-Connect thing either.  But between the heat and the following, at least I have solved the freeze-ups.

Reference this thread in the Wilder's Ewido Forum:
http://www.wilderssecurity.com/showthread.php?t=140800

Even though I had previously checked in the Task Manager for cpu being max'd, I had not looked closely at individual programs' use.  By keeping the Task Mgr open, I could look at it quickly during a freeze, and after 3 freezes in a row in which I caught ewido.exe using cpu, I decided to look more closely.

What I see is ewido.exe using cpu almost constantly, values in Task Mgr fluctuating 00 up to 08, although only when I'm online.  Wilder's folks are blaming it on my low RAM, but my RAM isn't causing ewido.exe to use cpu.  Ewido.exe would be using cpu, even if I had a thousand MB of RAM.  Ewido.exe is using more cpu than any other, maybe even all other programs I have (although only when I'm logged on to the internet).  So the freezes happen when I perform some other task which normally uses a lot of cpu (save a page, post a message, upload a doc, etc.), and ewido spikes at the exact same time.

Anyway, easy fix -- uninstall ewido v 4!  I suppose I could reinstall the previous version, although don't know that it's available any more.  Anyway, they'll eventually stop supporting it.  If I ever need ewido, all I have to do is reinstall it, update it, and set to go!

Even though the G-Connect is still a mystery, I think we can call the freeze-up problem solved.   :Yahoo: