
Windows default programs hijacked?

Discussion in 'Malware and Virus Removal Archive' started by klrdad, 2004/10/18.

  1. 2004/10/18
    klrdad

    klrdad Inactive Thread Starter

    Joined:
    2004/10/18
    Messages:
    2
    Likes Received:
    0
    Greetings all,

    Been having an interesting problem for a while now. Every time I try launching IE it asks me if I want IE to be the default program, even though it's already been set in Windows as the default.

    Also when I click on a mailto: hyperlink it launches like 50 little windows instead of bringing up Outlook, which is set as my Windows default.

    I've gone in and tried to change them back to IE and Outlook but it doesn't matter.

    I've got all updates for Windows, IE, security etc...

    I've already run Ad-Aware, Spybot, and CWShredder. Below is a copy of the HijackThis log.

    Thanks in advance for the help! :)

    Logfile of HijackThis v1.98.2
    Scan saved at 9:02:48 AM, on 10/18/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\csrss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    F:\WINDOWS\system32\brsvc01a.exe
    F:\WINDOWS\system32\brss01a.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    F:\WINDOWS\system32\Brmfrmps.exe
    F:\WINDOWS\System32\drivers\CDAC11BA.EXE
    F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    F:\Program Files\Norton AntiVirus\navapsvc.exe
    F:\WINDOWS\system32\nvsvc32.exe
    F:\Program Files\Norton AntiVirus\SAVScan.exe
    F:\WINDOWS\System32\svchost.exe
    F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    F:\WINDOWS\wanmpsvc.exe
    F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    F:\WINDOWS\System32\alg.exe
    F:\WINDOWS\Explorer.EXE
    F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    F:\WINDOWS\system32\RUNDLL32.EXE
    F:\WINDOWS\system32\sstray.exe
    F:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    F:\Program Files\Common Files\Symantec Shared\ccApp.exe
    F:\WINDOWS\system32\ctfmon.exe
    F:\Documents and Settings\Fletch\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe F:\WINDOWS\System32\crazytalk.dll,DllServeMediaFile
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PaperPort PTD] F:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] F:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] F:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe
    O8 - Extra context menu item: &Download with &DAP - F:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - F:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://F:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - F:\Program Files\VisualRoute\vrie.dll
    O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - F:\Program Files\VisualRoute\vrie.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
    O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) - http://plug-in.reallusion.com/CrazyTalk.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/01f5afb7a46cff7e1c02/netzip/RdxIE601.cab
    O16 - DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} (SyScan2 Control) - http://www.evga.com/Support/SyScan/SyScan.cab
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs2b.instantservice.com/jars/customerxsigned35.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://www.lifescan.com/otdms/isetup.cab
    O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://eq2beta.station.sony.com/beta_reg/soesysinfo.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://upload.smugmug.com/photos/activex/XUpload.ocx
     
  2. 2004/10/18
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Hi klrdad and welcome to the forum.

    When you say you use Outlook, is that Outlook Express or the Microsoft Outlook that is part of the MS Office package?

    I didn't see any items that I would expect to cause the exact problem you asked about. OTOH, I did not look as closely at the entire HJT log file as I might have so could have missed something.

    Several comments though.

    F:\Documents and Settings\Fletch\Desktop\HijackThis.exe
    Bad place to have HijackThis. It needs to be in a regular folder of its own. F:\HJT or similar.

    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    You don't want this one. See Adware.dap from the Symantec site for details.

    O8 - Extra context menu item: LimeShop Preferences - file://F:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    Mixed reviews on this one. It is automatically loaded and set to launch at start-up when you get the LimeWire download accelerator. It does some tracking of your shopping habits. You can remove it via control panel and add/remove if you wish.

    The O3 - Toolbar item should go away if you run HJT, scan, and check the box to remove it then let HJT clean things. Don't do this until you've moved the HJT app though.
     
    Newt,
    #2


  4. 2004/10/18
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I believe an attempt to repair IE can be made. Go to Start\Run and type in sfc /scannow and press Enter.
     
  5. 2004/10/19
    klrdad

    klrdad Inactive Thread Starter

    Joined:
    2004/10/18
    Messages:
    2
    Likes Received:
    0
    It's Outlook and not Outlook Express. I've tried using the repair functions to no avail...

    Hmm, in trying to do the scan, for some reason the system can't seem to find the files it's looking for on the original install CD-ROM. The CD is in good shape/clean and I'm certain it's the original install CD...

    My Windows is fully updated with all updates and security patches...

    Thanks for the input all!
     
    Last edited: 2004/10/19
  6. 2004/10/19
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Did you move Hijackthis and use it to remove the entries?

    I'm a little suspicious of other 'download helper' things you have loaded. Not positive that any are bad but you do have some unusual ones.

    With the odd behavior you are seeing, I think a shotgun approach may be in order at this point.

    From IE, dump all your temporary internet files, cookies, and history. Close IE.

    Run a drive cleanup of all your hard drives. Get rid of everything - although you can skip the "compress old files" piece to save time if you wish.

    Run HJT and get rid of all the entries I listed in the first reply plus several others.

    O8 - Extra context menu item: &Download with &DAP - F:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - F:\PROGRA~1\DAP\dapextie2.htm


    Also get rid of all the O16 items. Any you need will be reloaded on your next visit to a site that needs them.

    From a command prompt, start => run => cmd and OK, do
    Code:
    chkdsk x: /r
    where x: indicates to do it for all your partitions. Answer prompts to have it run at next boot for any drives that won't allow it now. The system drive won't and possibly others.

    Boot to safe mode and uninstall DAP if possible. Otherwise, delete the folder.

    Try the sfc /scannow again.
     
    Newt,
    #5
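As an added example (not from the thread, and not part of HijackThis itself), the three removal suggestions Newt makes in his two replies above, applied to lines excerpted from klrdad's posted log: O2/O3 entries whose backing file is gone, the DAP O8 context-menu items, and every O16 DPF download. The bare-IP check on O16 download hosts is an extra triage heuristic of mine, not something the thread states.

```python
import re
from urllib.parse import urlparse

# Lines excerpted from the HijackThis log posted above (not a complete log).
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O8 - Extra context menu item: &Download with &DAP - F:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/01f5afb7a46cff7e1c02/netzip/RdxIE601.cab
"""

# Every HJT entry line starts with a section tag (R0, R1, O2, O3, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_entries(log_text):
    """Return (section, body) pairs for every line that looks like an HJT entry."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(log_text):
    """Collect the entries the thread says to remove, plus one extra heuristic.
    no_file: O2/O3 entries whose backing file is gone (dead toolbar/BHO).
    dap_menu_items: the O8 DAP context-menu items.  dpf: every O16 download.
    dpf_ip_hosts: added heuristic, not from the thread - an O16 control
    fetched from a bare IP address rather than a vendor hostname.
    """
    findings = {"no_file": [], "dap_menu_items": [], "dpf": [], "dpf_ip_hosts": []}
    for section, body in parse_entries(log_text):
        if section in ("O2", "O3") and body.endswith("(no file)"):
            findings["no_file"].append(body)
        elif section == "O8" and "\\DAP\\" in body:
            findings["dap_menu_items"].append(body)
        elif section == "O16":
            findings["dpf"].append(body)
            # The download URL is the last " - " separated field of an O16 line.
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if IP_HOST_RE.match(host):
                findings["dpf_ip_hosts"].append(host)
    return findings
```

Run `triage(SAMPLE_LOG)` on the excerpt and the dead O3 toolbar, the single DAP menu item, both O16 downloads, and the one control fetched from a raw IP come back in their respective lists; feed it the full pasted log to get the complete O16 set Newt suggests removing.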