TechSpot

Gostats and crosspixel interfering with Firefox

By dbreed53
Mar 3, 2011
  1. I have been having redirect problems in Firefox and yesterday I thought I had cured part of it. I dl'd Malwarebytes, scanned and it found entries in the registry that it removed and quarantined.

    These are as follows:
    MBW LOG EXCERPTS
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_XMLLookup (Hijacker.XMLLookup) -> Value: bak_XMLLookup -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_intl (Hijacker.intl) -> Value: bak_intl -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\XMLLookup (Hijacker.XMLLookup) -> Bad: (http://www.helpmeopen.com/?n=app&l=x&ext=%s) Good: (http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&l=x&ext=%s) Good: (http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\intl (Hijacker.intl) -> Bad: (http://www.helpmeopen.com/?n=app&l=x&ext=%s) Good: (http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s) -> Quarantined and deleted successfully.

    END OF LOG EXCERPTS.

    Then I tested to see if Google search results would behave properly, i.e., click a results link and get to the right page. For the most part, yes, but not all, and darn few after the first error. So, following another tip, I began disabling Add-ons and Extensions.
    The one I found that caused problems without fail is as follows:

    Add-On/Plug-In
    Java (TM) Platform SE 6 U24 6.0.240.7
    Next Generation Java Platform 1.6.0_24 for Mozilla Browsers

    Disabling this seems to help with most of the search results re-directs, but not all.

    Today, trying to further trace down what causes my problems, I have found that gostats.com, mostly, is causing a real annoyance.

    If I click on, for instance, an embedded link in an HTML-format Glenn Beck newsletter in Outlook, it opens a new tab in my browser, then just as it begins to display the page, redirects to gostats.com and just sits there forever displaying a blank screen. However, if I click the Stop icon (red X), then click the back button, the page will display.

    So it annoyed me, and I returned here, where I found valuable information yesterday, to do more research, and LO! And Behold!!!! As I am trying to register here, I experience the EXACT SAME ISSUE! When I submitted my user data to register, both gostats.com and something called crosspixelwhatever got in the way and behaved exactly the same.

    So, I hit the X and the back arrow, and there was the next page in the process. This also occurs when trying to get search results within your site, and when selecting threads from the results of the search.

    So, what do I need to run on my system to provide the logs you require to investigate this issue?

    BTW, I want to thank my geek brethren for their efforts here to make the world a safer place to compute. ;-)

    David Reed
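
    An added, read-only check (example code, not from the thread or from Malwarebytes) that audits the same Explorer\Associations values the log above flagged, comparing them with the "Good" defaults the log reports; the key path and expected values are taken from that log:

```powershell
# Added example (not from the thread or from Malwarebytes): audit the
# Explorer\Associations values that the log above flagged as hijacked.
# Read-only: it reports, it does not change the registry.

$AssocKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations'

# Expected defaults, copied from the "Good:" column of the Malwarebytes log.
$Expected = @{
    'XMLLookup'   = 'http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s'
    'Application' = 'http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s'
    'intl'        = 'http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s'
}

function Test-ExplorerAssociations {
    param([string]$KeyPath = $AssocKey)

    # An absent key means Windows uses its built-in defaults: nothing to report.
    if (-not (Test-Path -Path $KeyPath)) { return @() }

    $item = Get-ItemProperty -Path $KeyPath
    $results = @()

    foreach ($name in $Expected.Keys) {
        $actual = $item.$name
        if ($null -eq $actual) {
            $status = 'ok (unset, default behaviour)'
        } elseif ($actual -eq $Expected[$name]) {
            $status = 'ok'
        } else {
            $status = 'SUSPECT: differs from Microsoft default'
        }
        $results += New-Object PSObject -Property @{
            Value = $name; Data = $actual; Status = $status
        }
    }

    # The log also listed 'bak_*' copies next to the hijacked values; any that
    # remain are leftovers of the same modification and are worth reporting.
    $leftovers = $item.PSObject.Properties | Where-Object { $_.Name -like 'bak_*' }
    foreach ($p in $leftovers) {
        $results += New-Object PSObject -Property @{
            Value = $p.Name; Data = $p.Value; Status = 'SUSPECT: leftover backup value'
        }
    }
    return $results
}

Test-ExplorerAssociations | Format-Table Value, Status, Data -AutoSize
```

    Run it before and after cleaning: a clean system shows only "ok" rows, and any "SUSPECT" row points at a value that still differs from the defaults the log lists.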
     
  2. Bobbye


    Welcome to TechSpot, David. I'll be glad to help with the redirecting. But please understand:

    1. I need the entire logs for the programs you will run.
    2. You should not take any action while I am helping you unless I instruct you to.

    Having said those things, I refer you to this: If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    I will look over your description and the entries, but will not take any action until I see the full logs.
     
  3. Bobbye


    The following does not take the place of the scans in the thread, but is only directed at the immediate problem. This does not take the place of malware cleaning, so it is important you follow the steps on the thread.

    1. You do not need to put a Java plugin on Firefox. The update and current Java you have for the operating system will also apply to Java.
    2. The redirects you mentioned are for targeted ads and web stats. Please do the following:

    Reset Cookies
    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)

    You can run Superantispyware, check the line to remove what is found and remove the Tracking Cookies you have now:
    SuperAntiSpyware Home Edition Free Version
    • Please download SuperAntiSpyware from HERE
    • Launch SuperAntiSpyware and click on 'Check for updates'.
    • Wait for the updates to be installed
    • On the main screen click on 'Scan your computer'.
    • Check 'Perform Complete Scan', then click 'Next' to start the scan.
    • SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
    • Make sure everything found has a checkmark next to it, then press 'Next'.
    • Click on 'Finish' when you're done.
    It's possible that the program will ask you to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    • Click on 'Preferences'.
    • Click on the 'Statistics/Logs' tab.
    • Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
    It will then open in your default text editor, such as Notepad. Paste the Notepad file here in your reply.
     
  4. dbreed53


    Directions

    Bobbye,

    I will follow your first reply, first.
    I will follow your second reply, next.
    I will do neither until Friday late afternoon, or evening.

    Thanks!

    David
     
  5. Bobbye


    Take your time, David. Post when ready.
     
  6. dbreed53


    reply with logs

    I ran my Webroot Scan today, it found no errors.
    However, although I don't know the date, it did find a problem recently.
    It found:
    Troj/JavaDI-BC
    It quarantined it.

    Today I ran Avira free and it found nothing.
    I also ran TFC, it ran, cleaned and ordered a reboot, I did.

    I ran Malwarebytes days ago and it did find a problem in the registry and corrected it.
    Step 1
    I ran it again today and it found nothing. Here is the log for each day:


    From 03/01/2011
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5916

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    3/1/2011 10:27:09 AM
    mbam-log-2011-03-01 (10-26-54).txt

    Scan type: Quick scan
    Objects scanned: 141898
    Time elapsed: 3 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 3
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_XMLLookup (Hijacker.XMLLookup) -> Value: bak_XMLLookup -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_intl (Hijacker.intl) -> Value: bak_intl -> No action taken.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\XMLLookup (Hijacker.XMLLookup) -> Bad: (http://www.helpmeopen.com/?n=app&l=x&ext=%s) Good: (http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&l=x&ext=%s) Good: (http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\intl (Hijacker.intl) -> Bad: (http://www.helpmeopen.com/?n=app&l=x&ext=%s) Good: (http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    From 03/05/2011

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5968

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    3/5/2011 3:42:24 PM
    mbam-log-2011-03-05 (15-42-24).txt

    Scan type: Quick scan
    Objects scanned: 142096
    Time elapsed: 2 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)


    Then there is the log from GMER:

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-03-05 15:54:15
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17 SAMSUNG_HD080HJ/P rev.ZH100-46
    Running: yp3jjjun.exe; Driver: C:\DOCUME~1\David\LOCALS~1\Temp\awdiipog.sys


    ---- Devices - GMER 1.0.15 ----

    Device \Driver\Tcpip \Device\Ip 8A5DB0D0
    Device \Driver\Tcpip \Device\Ip 8A6CF020
    Device \Driver\Tcpip \Device\Ip 8A467B50
    Device \Driver\Tcpip \Device\Ip 8A3D08F8

    AttachedDevice \Driver\Tcpip \Device\Ip pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

    Device \Driver\Tcpip \Device\Tcp 8A5DB0D0
    Device \Driver\Tcpip \Device\Tcp 8A6CF020
    Device \Driver\Tcpip \Device\Tcp 8A467B50
    Device \Driver\Tcpip \Device\Tcp 8A3D08F8

    AttachedDevice \Driver\Tcpip \Device\Tcp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

    Device \Driver\Tcpip \Device\Udp 8A5DB0D0
    Device \Driver\Tcpip \Device\Udp 8A6CF020
    Device \Driver\Tcpip \Device\Udp 8A467B50
    Device \Driver\Tcpip \Device\Udp 8A3D08F8

    AttachedDevice \Driver\Tcpip \Device\Udp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

    Device \Driver\Tcpip \Device\RawIp 8A5DB0D0
    Device \Driver\Tcpip \Device\RawIp 8A6CF020
    Device \Driver\Tcpip \Device\RawIp 8A467B50
    Device \Driver\Tcpip \Device\RawIp 8A3D08F8

    AttachedDevice \Driver\Tcpip \Device\RawIp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

    ---- EOF - GMER 1.0.15 ----


    Then there are the logs from DDS:

    from DDS.txt


    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by David at 16:14:17.04 on Sat 03/05/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1438 [GMT -6:00]
    .
    AV: Webroot Internet Security Complete *Enabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
    FW: Webroot Internet Security Complete *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    svchost.exe
    C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Webroot\Security\Current\plugins\antispam\wrhkisvc.exe
    C:\Documents and Settings\David\My Documents\Downloads\DDS\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.msn.com
    uSearch Page = hxxp://www.google.com
    uDefault_Search_URL = hxxp://www.google.com/ie
    uWindow Title = Internet Explorer, optimized for Bing and MSN
    uDefault_Page_URL = hxxp://www.msn.com
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Webroot Browser Helper Object: {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - c:\program files\webroot\security\current\products\wisc\toolbar\LPBar.dll
    BHO: WebrootBHO Class: {d93ec24d-8741-4d41-b83d-a5793b998416} - c:\program files\webroot\security\current\plugins\browserextension\WebrootBHO.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
    TB: Webroot Toolbar: {97ab88ef-346b-4179-a0b1-7445896547a5} - c:\program files\webroot\security\current\products\wisc\toolbar\LPBar.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [WebrootTrayApp] "c:\program files\webroot\security\current\framework\WRTray.exe"
    mRun: [smapp] "c:\program files\analog devices\soundmax\SMTray.exe"
    dRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
    StartupFolder: c:\docume~1\david\startm~1\programs\startup\vzacce~1.lnk - c:\program files\verizon wireless\vzaccess manager\VZAccess Manager.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    mPolicies-system: DisableStatusMessages = 1 (0x1)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    DPF: DirectAnimation Java Classes
    DPF: Microsoft XML Parser for Java
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1289649019863
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1289649186457
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\5spsnxg0.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Webroot malicious URL filtering: {3DF533F5-FB3C-4c4c-A1D7-99717F8C3038} - c:\program files\webroot\security\current\plugins\browserextension\ff_ptc
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: capability.policy.policynames - allowclipboard
    FF - user.js: capability.policy.allowclipboard.sites - hxxp://wsm.ezsitedesigner.com
    FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
    FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
    ============= SERVICES / DRIVERS ===============
    .
    R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2010-11-15 122184]
    R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
    R2 MotoHelper;MotoHelper Service;c:\program files\motorola\motohelper\MotoHelperService.exe [2010-9-7 202048]
    R2 SSFMONM;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [2010-11-15 45072]
    R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\security\current\plugins\antimalware\AEI.exe [2010-11-15 3897984]
    R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\security\current\framework\WRConsumerService.exe [2011-3-5 3251928]
    R3 ZTEusbgps;ZTE GPS Port;c:\windows\system32\drivers\ZTEusbgps.sys [2010-12-4 105856]
    R3 ZTEusbnmeaext;ZTE NMEAExt Port;c:\windows\system32\drivers\ZTEusbnmeaext.sys [2010-12-4 105856]
    S2 AHDDC2;Ashampoo HDD Control 2 Service; [x]
    S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
    S3 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-29 136176]
    S3 massfilter;MBB Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-12-4 9216]
    S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [2011-1-2 3567]
    S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2010-12-31 16472]
    S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2010-12-31 11104]
    S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2010-4-14 32408]
    .
    =============== Created Last 30 ================
    .
    2011-03-05 22:06:00 685056 -c--a-w- c:\windows\isRS-000.tmp
    2011-03-01 16:02:06 -------- dc----w- c:\docume~1\david\applic~1\Malwarebytes
    2011-03-01 16:01:00 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-01 16:00:59 -------- dc----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-03-01 16:00:56 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-01 16:00:56 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-28 01:54:48 -------- dc-h--w- c:\windows\ie8
    2011-02-27 21:07:03 -------- dc----w- c:\docume~1\david\locals~1\applic~1\Mozilla
    2011-02-27 21:04:56 -------- dc----w- c:\program files\Bing Bar Installer
    2011-02-26 07:24:37 -------- dc----w- c:\docume~1\david\applic~1\Avery
    2011-02-23 15:34:45 -------- dc----w- c:\docume~1\david\applic~1\Auslogics
    2011-02-20 18:11:18 -------- dc----w- c:\docume~1\alluse~1\applic~1\V CAST Media Manager
    2011-02-20 18:01:07 -------- dc----w- c:\docume~1\alluse~1\applic~1\Verizon
    2011-02-20 18:01:02 -------- dc----w- c:\docume~1\david\locals~1\applic~1\V CAST Media Manager
    2011-02-20 17:51:31 -------- dc----w- c:\program files\Verizon V CAST Media Manager
    2011-02-20 17:47:45 221184 -c--a-w- c:\windows\system32\wmpns.dll
    2011-02-20 17:47:32 -------- dc----w- c:\program files\Windows Media Connect 2
    2011-02-20 17:44:40 -------- dc----w- c:\windows\system32\LogFiles
    2011-02-20 17:19:10 -------- dc----w- c:\program files\common files\Motorola Shared
    2011-02-20 17:19:00 -------- dc----w- c:\program files\Motorola
    2011-02-17 15:48:05 -------- dc----w- c:\program files\Avery Dennison
    2011-02-07 12:51:27 -------- dc----w- c:\documents and settings\david\bookmarkbackups
    2011-02-05 06:57:26 73728 -c--a-w- c:\windows\system32\javacpl.cpl
    .
    ==================== Find3M ====================
    .
    2011-02-03 03:40:23 472808 -c--a-w- c:\windows\system32\deployJava1.dll
    2011-01-23 16:29:35 44 -c--a-w- c:\windows\system32\msssc.dll
    2011-01-21 14:44:37 439296 -c--a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 -c--a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10:33 1854976 -c--a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34:28 301568 -c--a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59:20 916480 -c--a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59:19 43520 -c--a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59:19 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26:00 730112 -c--a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55:26 385024 -c--a-w- c:\windows\system32\html.iec
    2010-12-19 21:54:00 79872 -csha-r- c:\windows\system32\streamcil.dll
    2010-12-09 15:15:09 718336 -c--a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30:22 33280 -c--a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42:26 2148864 -c--a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07:07 2027008 -c--a-w- c:\windows\system32\ntkrnlpa.exe
    .
    ============= FINISH: 16:17:10.59 ===============

    Then from DDS attach.txt:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/13/2010 3:56:08 AM
    System Uptime: 3/5/2011 4:08:53 PM (0 hours ago)
    .
    Motherboard: Hewlett-Packard | | 09E0h
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | XU1 PROCESSOR | 2791/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 75 GiB total, 53.406 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    V: is CDROM (CDFS)
    Z: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Broadcom NetXtreme Gigabit Ethernet
    Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_3005103C&REV_01\4&1886B119&0&00E1
    Manufacturer: Broadcom
    Name: Broadcom NetXtreme Gigabit Ethernet
    PNP Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_3005103C&REV_01\4&1886B119&0&00E1
    Service: b57w2k
    .
    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: PS/2 Compatible Mouse
    Device ID: ACPI\PNP0F13\4&1117367&0
    Manufacturer: Microsoft
    Name: PS/2 Compatible Mouse
    PNP Device ID: ACPI\PNP0F13\4&1117367&0
    Service: i8042prt
    .
    Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
    Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
    Device ID: ACPI\PNP0303\4&1117367&0
    Manufacturer: (Standard keyboards)
    Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
    PNP Device ID: ACPI\PNP0303\4&1117367&0
    Service: i8042prt
    .
    ==== System Restore Points ===================
    .
    RP1: 12/19/2010 7:11:43 PM - System Checkpoint
    RP2: 12/21/2010 10:14:59 AM - System Checkpoint
    RP3: 12/23/2010 1:13:55 AM - System Checkpoint
    RP4: 12/24/2010 1:23:05 AM - System Checkpoint
    RP5: 12/24/2010 10:23:07 AM - Installed Verizon Wireless AC30 Firmware Updates.
    RP6: 12/24/2010 10:24:28 AM - Removed VZAccess Manager.
    RP7: 12/24/2010 10:25:40 AM - Installed VZAccess Manager.
    RP8: 12/26/2010 12:48:08 AM - System Checkpoint
    RP9: 12/27/2010 3:52:24 AM - System Checkpoint
    RP10: 12/28/2010 4:14:30 AM - System Checkpoint
    RP11: 12/29/2010 12:52:44 AM - Software Distribution Service 3.0
    RP12: 12/29/2010 9:28:31 AM - Installed Windows XP KB915800-v4.
    RP13: 12/29/2010 9:28:46 AM - Installed Windows XP Windows Search 4.0.
    RP14: 12/30/2010 9:58:30 AM - System Checkpoint
    RP15: 1/1/2011 10:18:24 AM - Installed Active@ Hard Disk Monitor
    RP16: 1/2/2011 11:49:35 AM - System Checkpoint
    RP17: 1/2/2011 7:40:05 PM - Removed WinZip 14.0
    RP18: 1/2/2011 10:21:32 PM - Removed Active@ Hard Disk Monitor
    RP19: 1/3/2011 11:23:49 PM - Auslogics Regisry Defrag - before defragmentation
    RP20: 1/5/2011 9:38:57 AM - System Checkpoint
    RP21: 1/7/2011 2:14:56 AM - System Checkpoint
    RP22: 1/8/2011 2:18:38 AM - System Checkpoint
    RP23: 1/9/2011 6:40:37 AM - System Checkpoint
    RP24: 1/10/2011 7:28:02 AM - System Checkpoint
    RP25: 1/12/2011 12:52:39 AM - System Checkpoint
    RP26: 1/13/2011 12:12:57 AM - Software Distribution Service 3.0
    RP27: 1/14/2011 2:26:49 AM - System Checkpoint
    RP28: 1/16/2011 11:57:54 AM - System Checkpoint
    RP29: 1/17/2011 12:24:41 PM - System Checkpoint
    RP30: 1/20/2011 10:57:12 AM - System Checkpoint
    RP31: 1/22/2011 12:52:50 AM - System Checkpoint
    RP32: 1/23/2011 9:50:19 AM - Removed Realtek High Definition Audio Driver
    RP33: 1/23/2011 10:02:08 AM - Installed Realtek AC'97 Audio
    RP34: 1/23/2011 12:15:01 PM - Auslogics Regisry Defrag - before defragmentation
    RP35: 1/24/2011 3:13:39 PM - System Checkpoint
    RP36: 1/26/2011 1:34:28 AM - System Checkpoint
    RP37: 1/27/2011 7:00:58 AM - System Checkpoint
    RP38: 1/30/2011 3:13:46 PM - System Checkpoint
    RP39: 1/31/2011 3:16:11 PM - System Checkpoint
    RP40: 2/1/2011 9:08:33 PM - System Checkpoint
    RP41: 2/4/2011 2:38:14 AM - System Checkpoint
    RP42: 2/5/2011 12:53:39 AM - Removed Java(TM) 6 Update 22
    RP43: 2/5/2011 12:56:41 AM - Installed Java(TM) 6 Update 23
    RP44: 2/6/2011 1:59:20 AM - System Checkpoint
    RP45: 2/7/2011 10:59:41 PM - Installed Microsoft Visual C++ 2005 Redistributable
    RP46: 2/9/2011 12:57:23 AM - System Checkpoint
    RP47: 2/10/2011 12:04:02 AM - Software Distribution Service 3.0
    RP48: 2/11/2011 1:43:44 AM - System Checkpoint
    RP49: 2/12/2011 2:42:37 AM - System Checkpoint
    RP50: 2/13/2011 2:48:25 AM - System Checkpoint
    RP51: 2/14/2011 9:00:37 AM - System Checkpoint
    RP52: 2/14/2011 10:37:51 AM - Installed Windows XP -- Software Updates KB952011.
    RP53: 2/16/2011 12:17:02 AM - Installed Java(TM) 6 Update 24
    RP54: 2/17/2011 1:02:54 AM - System Checkpoint
    RP55: 2/17/2011 9:47:39 AM - Installed DesignPro 5
    RP56: 2/18/2011 10:07:43 AM - System Checkpoint
    RP57: 2/19/2011 11:23:13 AM - System Checkpoint
    RP58: 2/20/2011 11:43:35 AM - Installed Windows Media Player 11
    RP59: 2/20/2011 11:44:36 AM - Installed Windows XP Wudf01000.
    RP60: 2/20/2011 11:48:30 AM - Installed Windows XP MSCompPackV1.
    RP61: 2/21/2011 3:00:15 AM - Software Distribution Service 3.0
    RP62: 2/22/2011 3:00:14 AM - Software Distribution Service 3.0
    RP63: 2/23/2011 3:00:15 AM - Software Distribution Service 3.0
    RP64: 2/23/2011 9:26:14 AM - Software Distribution Service 3.0
    RP65: 2/25/2011 7:36:46 AM - System Checkpoint
    RP66: 2/26/2011 2:52:53 AM - Software Distribution Service 3.0
    RP67: 2/26/2011 2:54:08 AM - Software Distribution Service 3.0
    RP68: 2/26/2011 10:11:10 AM - Software Distribution Service 3.0
    RP69: 2/27/2011 1:19:43 PM - Auslogics Regisry Defrag - before defragmentation
    RP70: 2/27/2011 7:56:27 PM - Installed Windows Internet Explorer 8.
    RP71: 2/27/2011 9:56:30 PM - Software Distribution Service 3.0
    RP72: 3/1/2011 1:42:45 AM - System Checkpoint
    RP73: 3/2/2011 1:44:50 AM - System Checkpoint
    RP74: 3/3/2011 1:55:18 AM - System Checkpoint
    RP75: 3/4/2011 2:41:02 AM - System Checkpoint
    RP76: 3/5/2011 3:48:49 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    1600
    1600_Help
    1600Trb
    7-Zip 9.20
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Shockwave Player 11.5
    Advertising Center
    AiO_Scan
    AiOSoftware
    AnswerWorks 5.0 English Runtime
    Apple Application Support
    Apple Software Update
    Auslogics BoostSpeed
    Broadcom Management Programs
    Broadcom NetXtreme Ethernet Controller
    BufferChm
    Capture-A-ScreenShot
    DeepBurner v1.9.0.228
    DeLorme Street Atlas USA 2009
    DesignPro 5
    Destinations
    Director
    DolbyFiles
    DVDFab 8.0.6.1 (18/12/2010)
    Fax
    FinalTorrent 2010
    Foxit Reader
    Google Earth
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Image Zone 4.7
    HP Image Zone Express
    HP Product Assistant
    HP Product Detection
    HP PSC & OfficeJet 4.7
    HP Software Update
    HPSystemDiagnostics
    ImagXpress
    Intel(R) Graphics Media Accelerator Driver
    Java Auto Updater
    Java(TM) 6 Update 24
    Juniper Networks Cache Cleaner 6.5.0
    Juniper Networks Setup Client
    Malwarebytes' Anti-Malware
    Menu Templates - Pack 1
    Menu Templates - Starter Kit
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Ultimate 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    MotoHelper 2.0.24 Driver 4.7.1
    MotoHelper MergeModules
    Motorola Mobile Drivers Installation 4.7.1
    Movie Templates - Starter Kit
    Mozilla Firefox (3.6.14)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MV RegClean 5.9 English
    Nero 6 Demo
    Nero 9 Essentials
    Nero BurnRights
    Nero BurnRights Help
    Nero ControlCenter
    Nero CoverDesigner
    Nero CoverDesigner Help
    Nero DiscSpeed
    Nero DiscSpeed Help
    Nero DriveSpeed
    Nero DriveSpeed Help
    Nero Express Help
    Nero InfoTool
    Nero InfoTool Help
    Nero Installer
    Nero Online Upgrade
    Nero ShowTime
    Nero StartSmart
    Nero StartSmart Help
    Nero StartSmart OEM
    Nero Vision
    Nero Vision Help
    NeroExpress
    neroxml
    OGA Notifier 2.0.0048.0
    Picasa 3
    ProductContext
    QFolder
    Quicken 2010
    QuickTime
    Readme
    Scan
    ScannerCopy
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows XP (KB923789)
    SoundMAX
    System Requirements Lab for Intel
    The Weather Channel Toolbar
    TrayApp
    Unload
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office Outlook 2007 (KB2412171)
    Update for Outlook 2007 Junk Email Filter (KB2492475)
    Update for Windows Internet Explorer 8 (KB976662)
    Verizon V CAST Media Manager
    Verizon Wireless AC30 Firmware Updates
    VZAccess Manager
    WebFldrs XP
    WebReg
    Webroot Software
    Windows Essentials Media Codec Pack 2.2c
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player Firefox Plugin
    Windows XP Service Pack 3
    ZTE USB Drivers
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/5/2011 3:51:20 PM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
    3/5/2011 3:51:05 PM, error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 3 time(s).
    3/5/2011 3:50:00 PM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    3/5/2011 3:47:55 PM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    3/5/2011 3:22:52 PM, error: Service Control Manager [7034] - The SoundMAX Agent Service service terminated unexpectedly. It has done this 1 time(s).
    3/5/2011 3:22:52 PM, error: Service Control Manager [7034] - The SNMP Service service terminated unexpectedly. It has done this 1 time(s).
    3/5/2011 3:22:52 PM, error: Service Control Manager [7034] - The Simple TCP/IP Services service terminated unexpectedly. It has done this 1 time(s).
    3/5/2011 3:22:52 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
    3/5/2011 3:22:52 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    3/5/2011 3:22:52 PM, error: Service Control Manager [7031] - The MotoHelper Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
    3/3/2011 12:23:39 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
    2/28/2011 5:47:46 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
    2/28/2011 5:47:46 AM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    2/28/2011 5:47:45 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    2/28/2011 10:54:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
    2/27/2011 1:25:54 PM, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
    2/27/2011 1:13:07 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\wabmig.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
    2/27/2011 1:13:07 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\wabimp.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
    2/27/2011 1:13:07 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\wabfind.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
    2/27/2011 1:13:07 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\wab.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.6040.
    2/27/2011 1:13:07 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\setup50.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
    2/27/2011 1:13:07 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\oemiglib.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
    2/27/2011 1:13:07 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\oemig50.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
    2/27/2011 1:13:07 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\msimn.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
    2/27/2011 1:11:43 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\isignup.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2600.0.
    2/27/2011 1:11:43 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\inetwiz.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
    2/27/2011 1:11:43 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwutil.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
    2/27/2011 1:11:43 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwtutor.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2600.0.
    2/27/2011 1:11:43 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwrmind.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
    2/27/2011 1:11:43 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwres.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2600.0.
    2/27/2011 1:11:43 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwhelp.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
    2/27/2011 1:11:43 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwdl.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
    2/27/2011 1:11:43 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwconn2.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
    2/27/2011 1:11:43 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwconn1.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
    2/27/2011 1:11:43 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwconn.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
    2/27/2011 1:11:42 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\trialoc.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2600.0.
    2/27/2011 1:11:33 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\iexplore.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.
    2/27/2011 1:11:33 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\iedw.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
    2/27/2011 1:11:33 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\hmmapi.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.
    .
    ==== End Of File ===========================

    So, there we are.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, I see a few entries to remove. Please go ahead and run the following:


    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
9. Click on "Copy to Clipboard" (you won't see the 'clipboard')
10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
11. Re-enable your Antivirus software.
  NOTE: If you forget to copy to the clipboard, you can find the log here:
  C:\Program Files\EsetOnlineScanner\log.txt. Please include this in your post.
    ========================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
• As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
• Click on Yes, to continue scanning for malware
• If Combofix asks you to update the program, allow
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Close any open browsers.
• Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =========================================
Can you please tell me which of these Webroot Software programs you have?
    Antivirus with Spy Sweeper
    Internet Security Essentials
    Internet Security Complete


    Please keep this in mind:
     
  8. dbreed53

    dbreed53 TS Rookie Topic Starter Posts: 17

    My Webroot Program

    I have the
    WISC
    Webroot Internet Security Complete program.

    I am running the Eset NOD32 program now.
    It has found 1 threat, so far.

    Win32/Registry Booster Program.

Oops! Make that 4 threats and counting...
     
  9. dbreed53

    dbreed53 TS Rookie Topic Starter Posts: 17

    Eset NOD32 Log

    Here is the log from the online Eset NOD32 scan;

    C:\Documents and Settings\David\Application Data\Uniblue\RegistryBooster\_temp\ub.exe Win32/RegistryBooster application
    C:\Documents and Settings\David\My Documents\Downloads\MV_Registry_Cleaner\setup.exe probably a variant of Win32/PSW.OnLineGames.FLWMCES trojan
    C:\Documents and Settings\David\My Documents\Downloads\Uniblue\registrybooster.exe Win32/RegistryBooster application
    C:\Documents and Settings\David\My Documents\Downloads\Uniblue\speedupmypc.exe Win32/SpeedUpMyPC application
    C:\Documents and Settings\David\My Documents\Downloads\WinZip\rb10_4_6_1_19.exe Win32/RegistryBooster application
     
  10. dbreed53

    dbreed53 TS Rookie Topic Starter Posts: 17

    The ComboFix Log

ComboFix did not behave as expected in your post.
A) It insisted on closing my VZAccess Manager connection, then when it asked to set up the Recovery Console (which is already installed AND active) I would reconnect to the Internet and it (ComboFix) reported that I did not have an active connection, which in fact I did.

So, I said no to the prompt to set up the Recovery Console and it finally ran and produced the following log;

    ComboFix 11-03-05.01 - David 03/07/2011 13:23:03.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1365 [GMT -6:00]
    Running from: c:\documents and settings\David\My Documents\Downloads\ComboFix\ComboFix2.exe
    AV: Webroot Internet Security Complete *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
    FW: Webroot Internet Security Complete *Enabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\David\Application Data\inst.exe
    c:\windows\system32\msssc.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-07 to 2011-03-07 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-07 19:15 . 2011-03-07 19:18 -------- dc----w- C:\32788R22FWJFW.7.tmp
    2011-03-07 19:07 . 2011-03-07 19:15 -------- dc----w- C:\32788R22FWJFW.6.tmp
    2011-03-07 18:59 . 2011-03-07 19:00 -------- dc----w- C:\32788R22FWJFW.5.tmp
    2011-03-07 18:58 . 2011-03-07 18:59 -------- dc----w- C:\32788R22FWJFW.4.tmp
    2011-03-07 18:56 . 2011-03-07 18:58 -------- dc----w- C:\32788R22FWJFW.3.tmp
    2011-03-07 18:55 . 2011-03-07 18:56 -------- dc----w- C:\32788R22FWJFW.2.tmp
    2011-03-07 18:54 . 2011-03-07 18:55 -------- dc----w- C:\32788R22FWJFW.1.tmp
    2011-03-07 18:51 . 2011-03-07 19:19 -------- dc----w- C:\ComboFix
    2011-03-07 17:19 . 2011-03-07 17:19 -------- dc----w- c:\program files\ESET
    2011-03-07 02:12 . 2011-03-07 02:12 -------- dc----w- c:\program files\Microsoft Games
    2011-03-06 14:50 . 2011-03-06 14:53 -------- dc----w- c:\program files\Verizon Wireless
    2011-03-06 14:50 . 2009-11-03 02:47 95248 -c--a-w- c:\windows\system32\PTDMWmcp64.dll
    2011-03-06 14:50 . 2009-11-03 02:47 88592 -c--a-w- c:\windows\system32\PTDMWmcp.dll
    2011-03-06 14:50 . 2011-03-06 14:50 -------- dc----w- c:\program files\PANTECH
    2011-03-06 12:57 . 2011-03-06 12:57 -------- dc----w- c:\program files\Analog Devices
    2011-03-01 16:02 . 2011-03-01 16:02 -------- dc----w- c:\documents and settings\David\Application Data\Malwarebytes
    2011-03-01 16:01 . 2010-12-21 00:09 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-01 16:00 . 2011-03-01 16:00 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-01 16:00 . 2011-03-01 16:01 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-01 16:00 . 2010-12-21 00:08 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-28 01:54 . 2011-02-28 01:57 -------- dc-h--w- c:\windows\ie8
    2011-02-27 21:07 . 2011-02-27 21:07 -------- dc----w- c:\documents and settings\David\Local Settings\Application Data\Mozilla
    2011-02-27 21:04 . 2011-02-27 21:06 -------- dc----w- c:\program files\Bing Bar Installer
    2011-02-26 07:24 . 2011-02-26 07:24 -------- dc----w- c:\documents and settings\David\Application Data\Avery
    2011-02-20 19:21 . 2011-02-20 19:21 -------- dc----w- c:\documents and settings\David\Application Data\Apple Computer
    2011-02-20 18:11 . 2011-02-20 18:11 -------- dc----w- c:\documents and settings\All Users\Application Data\V CAST Media Manager
    2011-02-20 18:01 . 2011-02-20 20:07 -------- dc----w- c:\documents and settings\David\Application Data\vlc
    2011-02-20 18:01 . 2011-02-20 18:01 -------- dc----w- c:\documents and settings\All Users\Application Data\Verizon
    2011-02-20 18:01 . 2011-02-23 18:00 -------- dc----w- c:\documents and settings\David\Local Settings\Application Data\V CAST Media Manager
    2011-02-20 17:47 . 2008-04-14 11:42 221184 -c--a-w- c:\windows\system32\wmpns.dll
    2011-02-20 17:47 . 2011-02-20 17:47 -------- dc----w- c:\program files\Windows Media Connect 2
    2011-02-20 17:44 . 2011-02-20 17:45 -------- dc----w- c:\windows\system32\drivers\UMDF
    2011-02-20 17:44 . 2011-02-20 17:44 -------- dc----w- c:\windows\system32\LogFiles
    2011-02-20 17:19 . 2011-02-20 17:19 -------- dc----w- c:\program files\Common Files\Motorola Shared
    2011-02-20 17:19 . 2011-02-20 17:19 -------- dc----w- c:\program files\Motorola
    2011-02-17 15:48 . 2011-02-17 15:48 -------- dc----w- c:\program files\Avery Dennison
    2011-02-17 15:48 . 2011-02-17 15:48 -------- dc----w- c:\documents and settings\All Users\Application Data\Avery
    2011-02-16 06:19 . 2011-02-16 06:19 -------- dc----w- c:\program files\Common Files\Java
    2011-02-07 12:51 . 2011-02-07 12:51 -------- dc----w- c:\documents and settings\David\bookmarkbackups
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-16 10:11 . 2010-11-15 08:24 122184 -c--a-w- c:\windows\system32\drivers\pwipf6.sys
    2011-02-03 03:40 . 2010-11-29 05:43 472808 -c--a-w- c:\windows\system32\deployJava1.dll
    2011-02-03 01:19 . 2011-02-05 06:57 73728 -c--a-w- c:\windows\system32\javacpl.cpl
    2011-01-21 14:44 . 2002-08-29 10:41 439296 -c--a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2001-08-23 12:00 290048 -c--a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2002-08-29 09:14 1854976 -c--a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2002-08-29 10:41 301568 -c--a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2002-08-29 10:41 916480 -c--a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2002-08-29 10:41 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
    2010-12-20 23:59 . 2002-08-29 10:41 43520 -c--a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 17:26 . 2002-08-29 10:41 730112 -c--a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2010-11-13 10:09 385024 -c--a-w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2002-08-29 10:40 718336 -c--a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2002-08-29 10:40 33280 -c--a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2002-08-29 08:04 2148864 -c--a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2002-08-29 01:04 2027008 -c--a-w- c:\windows\system32\ntkrnlpa.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
    @="{6B78A880-15CA-468f-8422-A7960AD6FBB9}"
    [HKEY_CLASSES_ROOT\CLSID\{6B78A880-15CA-468f-8422-A7960AD6FBB9}]
    2011-02-16 10:55 326928 -c--a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
    @="{4EE7A346-5845-471e-9FAB-002EAF83F8B0}"
    [HKEY_CLASSES_ROOT\CLSID\{4EE7A346-5845-471e-9FAB-002EAF83F8B0}]
    2011-02-16 10:55 326928 -c--a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
    @="{53DABC15-4F29-44ad-B09A-E0D0F9A3D075}"
    [HKEY_CLASSES_ROOT\CLSID\{53DABC15-4F29-44ad-B09A-E0D0F9A3D075}]
    2011-02-16 10:55 326928 -c--a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
    @="{493FC96E-B938-4924-9B38-C4088E9B8AC2}"
    [HKEY_CLASSES_ROOT\CLSID\{493FC96E-B938-4924-9B38-C4088E9B8AC2}]
    2011-02-16 10:55 326928 -c--a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2011-03-05 1372696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    c:\documents and settings\David\Start Menu\Programs\Startup\
    VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2010-10-22 3826968]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableStatusMessages"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk /r \??\D:\0autocheck autochk *
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\FinalTorrent\\FinalTorrent.EXE"=
    .
    R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [11/15/2010 2:24 AM 122184]
    R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/23/2001 6:00 AM 14336]
    R2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [9/7/2010 10:47 AM 202048]
    R2 SSFMONM;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [11/15/2010 1:36 AM 45072]
    R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [3/5/2011 4:04 PM 3251928]
    R3 ZTEusbgps;ZTE GPS Port;c:\windows\system32\drivers\ZTEusbgps.sys [12/4/2010 10:14 AM 105856]
    R3 ZTEusbnmeaext;ZTE NMEAExt Port;c:\windows\system32\drivers\ZTEusbnmeaext.sys [12/4/2010 10:14 AM 105856]
    S2 AHDDC2;Ashampoo HDD Control 2 Service; [x]
    S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
    S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/29/2010 9:02 AM 136176]
    S3 massfilter;MBB Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [12/4/2010 10:14 AM 9216]
    S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [1/2/2011 11:42 PM 3567]
    S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [12/31/2010 1:21 AM 16472]
    S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [12/31/2010 1:21 AM 11104]
    S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [4/14/2010 8:29 PM 32408]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-07 c:\windows\Tasks\Backup C Drive.job
    - c:\documents and settings\David\My Documents\Data\Backup.bat [2010-11-15 14:18]
    .
    2011-02-20 c:\windows\Tasks\MotoHelper MUM.job
    - c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-09-07 16:47]
    .
    2011-03-07 c:\windows\Tasks\MotoHelper Routing.job
    - c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-09-07 16:47]
    .
    2011-02-20 c:\windows\Tasks\MotoHelper Update.job
    - c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-09-07 16:47]
    .
    2011-03-07 c:\windows\Tasks\WECPUpdate.job
    - c:\program files\Essentials Codec Pack\WECPUpdate.exe [2009-02-25 14:28]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    DPF: DirectAnimation Java Classes
    DPF: Microsoft XML Parser for Java
    FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\5spsnxg0.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Webroot malicious URL filtering: {3DF533F5-FB3C-4c4c-A1D7-99717F8C3038} - c:\program files\Webroot\Security\current\plugins\browserextension\ff_ptc
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Webroot: {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} - %profile%\extensions\{8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda}
    FF - user.js: capability.policy.policynames - allowclipboard
    FF - user.js: capability.policy.allowclipboard.sites - hxxp://wsm.ezsitedesigner.com
    FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
    FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-07 13:29
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1715567821-1390067357-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D0CE4D85-C555-1540-7150-1CC97E4806B2}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_USERS\S-1-5-21-1715567821-1390067357-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EC95D26E-155E-D3C6-2F87-B5A5F288F569}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-03-07 13:32:03
    ComboFix-quarantined-files.txt 2011-03-07 19:32
    .
    Pre-Run: 58,803,847,168 bytes free
    Post-Run: 58,776,719,360 bytes free
    .
    - - End Of File - - D24BB1C665C38A742C558F794B3D11F9


    I hope my choices and efforts were appropriate.

    David
     
  11. dbreed53

    dbreed53 TS Rookie Topic Starter Posts: 17

    another thing

    I noticed, months ago, that my right-click context menu no longer had the option to "send" "to desktop".

    About this time, I updated my subscription to AuslogicsSpeedUpMyPC/Boost Registry. It now seems, based on the scan logs, this is the source of my issues.

    I first thought I might have changed an option in the registry that caused this, but now I am not so sure.


    For a tweaker, I am not real disciplined about record keeping or checking things out before doing more things. 'Heads up' to the "tweakers" out there!!
     
  12. dbreed53

    dbreed53 TS Rookie Topic Starter Posts: 17

    WinZip

    That bugs me. I have used it forever, and I bought a subscription a few years ago, but felt it was overpriced for the standard unzipping I do. I don't package files to zip for upload but maybe once a year.

    So, when the subscription ran out last year, I ignored it and just recently got 7-zip as a free alternative.
     
  13. dbreed53

    dbreed53 TS Rookie Topic Starter Posts: 17

    My browsers

    are behaving normally when clicking results in search windows of Google.

    Thanks.

    But, I don't know what we did, or why.
    I still don't have the "send to" option of desktop, so something is still amiss.
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you know that I get an email feedback for every reply you make? Perhaps you would consider using the Edit feature instead.
    ==========================================
    How to Restore Missing “Desktop (create shortcut)” Item in Send To Menu in Windows XP, Vista and 7
    For Windows XP:
    1. Click on Start> Run> type the following command in RUN dialog box:
    2. It'll re-create the missing "Desktop (create shortcut)" option in "Send To" menu.
    Enter, then Exit.
    =========================================
    For the Eset entries:
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files
      C:\Documents and Settings\David\Application Data\Uniblue\RegistryBooster\_temp\ub.exe
      C:\Documents and Settings\David\My Documents\Downloads\MV_Registry_Cleaner\setup.exe
      C:\Documents and Settings\David\My Documents\Downloads\Uniblue\registrybooster.exe
      C:\Documents and Settings\David\My Documents\Downloads\Uniblue\speedupmypc.exe
      C:\Documents and Settings\David\My Documents\Downloads\WinZip\rb10_4_6_1_19.exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =======================================
    Heads up: Found on MV_Registry_Cleaner. This is your biggest concern:
    The Trojan-PSW:W32/OnlineGames family is quite large. Variants are designed to steal confidential information from players of popular online games, such as World of Warcraft.

    Source & additional information can be found at http://www.f-secure.com/v-descs/trojan-psw_w32_onlinegames.shtml

    I recommend that you uninstall all of the following:
    Uniblue RegistryBooster
    Uniblue SpeedUpMyPC
    MV RegClean

    We don't recommend registry cleaners for anyone- you have 2!

    I'll be back after dinner to finish up.
     
  15. dbreed53

    dbreed53 TS Rookie Topic Starter Posts: 17

    Sorry about the

    multiple emails.
    I ran OTM; here is the log:

    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\David\Application Data\Uniblue\RegistryBooster\_temp\ub.exe moved successfully.
    File/Folder C:\Documents and Settings\David\My Documents\Downloads\MV_Registry_Cleaner\setup.exe C:\Documents and Settings\David\My Documents\Downloads\Uniblue\registrybooster.exe not found.
    C:\Documents and Settings\David\My Documents\Downloads\Uniblue\speedupmypc.exe moved successfully.
    C:\Documents and Settings\David\My Documents\Downloads\WinZip\rb10_4_6_1_19.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: David
    ->Temp folder emptied: 133394 bytes
    ->Temporary Internet Files folder emptied: 1315573 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 50475302 bytes
    ->Flash cache emptied: 1472 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 49635 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 43164792 bytes

    Total Files Cleaned = 91.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 03072011_201214

    Files moved on Reboot...
    C:\WINDOWS\temp\Perflib_Perfdata_698.dat moved successfully.

    Registry entries deleted on Reboot...

    I am uninstalling the apps listed after this and awaiting notification from you.

    I removed MV RegClean and Registry booster, but Speed up my PC is not in my installed programs list, or in my Programs folders.
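    As an added example for the OTM step above (this is not code from the thread, from OTM or from OldTimer), a small Python triage script for an OTM log of the kind just posted. It collects what was moved, what was reported "not found" and how many bytes were emptied, and it flags a "not found" entry that itself contains more than one drive-letter path: that is what the log shows when two file paths were pasted on a single line of the :Files script, because OTM then looks for one file whose name is the whole line and neither real file is moved. The names parse_otm_log, OtmSummary, unresolved_paths and split_joined_paths, and the sample log, are constructed for this example.

```python
"""Triage an OTM (OTMoveIt) log: what moved, what was not found, bytes emptied.

Added example for this thread; it is not code from OTM, OldTimer or TechSpot.
The sample log at the bottom is constructed from the format of the log posted above.
"""
import re
from dataclasses import dataclass, field
from typing import List

# OTM reads one path per line in the ":Files" section, so a "not found" entry
# that itself contains two drive-letter paths almost certainly came from a line
# break lost in the pasted script: OTM looked for one file with that whole
# string as its name, and neither of the two real files was touched.
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\")

MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
NOT_FOUND_RE = re.compile(r"^File/Folder (?P<path>.+?) not found\.$")
EMPTIED_RE = re.compile(r"^(?:->)?(?P<what>.+?) (?:emptied|removed): (?P<bytes>\d+) bytes$")


@dataclass
class OtmSummary:
    moved: List[str] = field(default_factory=list)
    not_found: List[str] = field(default_factory=list)
    # "not found" entries that hold more than one path, already split apart
    joined_paths: List[List[str]] = field(default_factory=list)
    bytes_cleaned: int = 0


def split_joined_paths(entry: str) -> List[str]:
    """Split a string holding one or more drive-letter paths into single paths."""
    starts = [m.start() for m in DRIVE_PATH_RE.finditer(entry)]
    if not starts:
        return [entry.strip()]
    ends = starts[1:] + [len(entry)]
    return [entry[a:b].strip() for a, b in zip(starts, ends)]


def parse_otm_log(text: str) -> OtmSummary:
    """Walk the log line by line and collect the results worth a second look."""
    summary = OtmSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if m := MOVED_RE.match(line):
            summary.moved.append(m.group("path"))
        elif m := NOT_FOUND_RE.match(line):
            path = m.group("path")
            summary.not_found.append(path)
            parts = split_joined_paths(path)
            if len(parts) > 1:
                summary.joined_paths.append(parts)
        elif m := EMPTIED_RE.match(line):
            summary.bytes_cleaned += int(m.group("bytes"))
    return summary


def unresolved_paths(summary: OtmSummary) -> List[str]:
    """Individual paths still unaccounted for: every not-found entry, split apart."""
    out: List[str] = []
    for entry in summary.not_found:
        out.extend(split_joined_paths(entry))
    return out


# Constructed sample, modelled on the OTM log posted in this thread.
SAMPLE_LOG = r"""
All processes killed
========== FILES ==========
C:\Documents and Settings\David\Application Data\Uniblue\RegistryBooster\_temp\ub.exe moved successfully.
File/Folder C:\Documents and Settings\David\My Documents\Downloads\MV_Registry_Cleaner\setup.exe C:\Documents and Settings\David\My Documents\Downloads\Uniblue\registrybooster.exe not found.
C:\Documents and Settings\David\My Documents\Downloads\Uniblue\speedupmypc.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: David
->Temp folder emptied: 133394 bytes
->FireFox cache emptied: 50475302 bytes
%systemdrive% .tmp files removed: 0 bytes
RecycleBin emptied: 43164792 bytes

Total Files Cleaned = 91.00 mb
"""

if __name__ == "__main__":
    s = parse_otm_log(SAMPLE_LOG)
    print(f"moved: {len(s.moved)}, not found: {len(s.not_found)}, bytes emptied: {s.bytes_cleaned}")
    for parts in s.joined_paths:
        print("joined entry, re-submit these one per line:")
        for p in parts:
            print("  " + p)
```

    Run against the sample it reports two files moved, one "not found" entry, and splits that entry into the two paths that still need to be dealt with; unresolved_paths gives the list to re-submit one per line.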
     
  16. dbreed53

    dbreed53 TS Rookie Topic Starter Posts: 17

    Starting over

    Since ComboFix has left my system in a state where it seems to be booting from other than my normal system files, i.e., boot.ini with the following line:
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons, and has left two new directories: c:\cmdcons and c:\Qoobox, I have to assume we are not done.

    I have added AdBlock to FireFox and subscribed to Easy List. I downloaded SuperASW, but have not installed it yet.
    I can say that my browsers are not only functioning correctly, but also seem to be a bit faster than in the past.

    So, to confirm all the steps, I have started over, beginning with Malwarebytes, then Gmer, then DDS, then Eset, then Combofix and finally OTM.

    The following logs are from the most recent of each process. Note that this time, OTM was NOT able to move the suspect entries found by Eset.

    Malwarebytes log:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5968

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    3/7/2011 10:44:28 PM
    mbam-log-2011-03-07 (22-44-28).txt

    Scan type: Quick scan
    Objects scanned: 141983
    Time elapsed: 2 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Gmer log:

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-03-07 22:46:41
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17 SAMSUNG_HD080HJ/P rev.ZH100-46
    Running: yp3jjjun.exe; Driver: C:\DOCUME~1\David\LOCALS~1\Temp\awdiipog.sys


    ---- Devices - GMER 1.0.15 ----

    Device \Driver\Tcpip \Device\Ip 8A3AFEB8

    AttachedDevice \Driver\Tcpip \Device\Ip pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

    Device \Driver\Tcpip \Device\Tcp 8A3AFEB8

    AttachedDevice \Driver\Tcpip \Device\Tcp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

    Device \Driver\Tcpip \Device\Udp 8A3AFEB8

    AttachedDevice \Driver\Tcpip \Device\Udp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

    Device \Driver\Tcpip \Device\RawIp 8A3AFEB8

    AttachedDevice \Driver\Tcpip \Device\RawIp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

    ---- EOF - GMER 1.0.15 ----

    DDS Logs

    DDS .txt
    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by David at 22:47:24.54 on Mon 03/07/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1349 [GMT -6:00]
    .
    AV: Webroot Internet Security Complete *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
    FW: Webroot Internet Security Complete *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
    C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
    C:\Program Files\Webroot\Security\Current\plugins\antispam\wrhkisvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe
    C:\Program Files\Webroot\Security\current\plugins\sync\WRSyncManager.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\David\My Documents\Downloads\DDS\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Webroot Browser Helper Object: {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - c:\program files\webroot\security\current\products\wisc\toolbar\LPBar.dll
    BHO: WebrootBHO Class: {d93ec24d-8741-4d41-b83d-a5793b998416} - c:\program files\webroot\security\current\plugins\browserextension\WebrootBHO.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
    TB: Webroot Toolbar: {97ab88ef-346b-4179-a0b1-7445896547a5} - c:\program files\webroot\security\current\products\wisc\toolbar\LPBar.dll
    uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
    dRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
    StartupFolder: c:\docume~1\david\startm~1\programs\startup\vzacce~1.lnk - c:\program files\verizon wireless\vzaccess manager\VZAccess Manager.exe
    mPolicies-system: DisableStatusMessages = 1 (0x1)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    DPF: DirectAnimation Java Classes
    DPF: Microsoft XML Parser for Java
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1289649019863
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1289649186457
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    TCP: {FA3EACCC-A53F-41E2-8AD6-E2A499C11E17} = 69.78.96.14 66.174.92.14
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\5spsnxg0.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - component: c:\documents and settings\david\application data\mozilla\firefox\profiles\5spsnxg0.default\extensions\{8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda}\platform\winnt_x86-msvc\components\wrxpcom.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Webroot malicious URL filtering: {3DF533F5-FB3C-4c4c-A1D7-99717F8C3038} - c:\program files\webroot\security\current\plugins\browserextension\ff_ptc
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Webroot: {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} - %profile%\extensions\{8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: capability.policy.policynames - allowclipboard
    FF - user.js: capability.policy.allowclipboard.sites - hxxp://wsm.ezsitedesigner.com
    FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
    FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2010-11-15 122184]
    R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
    R2 MotoHelper;MotoHelper Service;c:\program files\motorola\motohelper\MotoHelperService.exe [2010-9-7 202048]
    R2 SSFMONM;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [2010-11-15 45072]
    R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\security\current\plugins\antimalware\AEI.exe [2010-11-15 3897984]
    R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\security\current\framework\WRConsumerService.exe [2011-3-5 3251928]
    R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2010-4-14 32408]
    R3 ZTEusbgps;ZTE GPS Port;c:\windows\system32\drivers\ZTEusbgps.sys [2010-12-4 105856]
    R3 ZTEusbnmeaext;ZTE NMEAExt Port;c:\windows\system32\drivers\ZTEusbnmeaext.sys [2010-12-4 105856]
    S2 AHDDC2;Ashampoo HDD Control 2 Service; [x]
    S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
    S3 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-29 136176]
    S3 massfilter;MBB Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-12-4 9216]
    S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [2011-1-2 3567]
    S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2010-12-31 16472]
    S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2010-12-31 11104]
    .
    =============== Created Last 30 ================
    .
    2011-03-08 04:45:00 -------- dc----w- C:\NewLogs
    2011-03-08 03:45:52 -------- dcsha-r- C:\cmdcons
    2011-03-07 18:39:58 98816 -c--a-w- c:\windows\sed.exe
    2011-03-07 18:39:58 89088 -c--a-w- c:\windows\MBR.exe
    2011-03-07 18:39:58 256512 -c--a-w- c:\windows\PEV.exe
    2011-03-07 18:39:58 161792 -c--a-w- c:\windows\SWREG.exe
    2011-03-07 17:19:31 -------- dc----w- c:\program files\ESET
    2011-03-07 02:12:10 -------- dc----w- c:\program files\Microsoft Games
    2011-03-06 14:50:53 -------- dc----w- c:\program files\Verizon Wireless
    2011-03-06 14:50:44 95248 -c--a-w- c:\windows\system32\PTDMWmcp64.dll
    2011-03-06 14:50:44 88592 -c--a-w- c:\windows\system32\PTDMWmcp.dll
    2011-03-06 14:50:40 -------- dc----w- c:\program files\PANTECH
    2011-03-06 12:57:44 -------- dc----w- c:\program files\Analog Devices
    2011-03-01 16:02:06 -------- dc----w- c:\docume~1\david\applic~1\Malwarebytes
    2011-03-01 16:01:00 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-01 16:00:59 -------- dc----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-03-01 16:00:56 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-01 16:00:56 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-28 01:54:48 -------- dc-h--w- c:\windows\ie8
    2011-02-27 21:07:03 -------- dc----w- c:\docume~1\david\locals~1\applic~1\Mozilla
    2011-02-27 21:04:56 -------- dc----w- c:\program files\Bing Bar Installer
    2011-02-26 07:24:37 -------- dc----w- c:\docume~1\david\applic~1\Avery
    2011-02-20 18:11:18 -------- dc----w- c:\docume~1\alluse~1\applic~1\V CAST Media Manager
    2011-02-20 18:01:07 -------- dc----w- c:\docume~1\alluse~1\applic~1\Verizon
    2011-02-20 18:01:02 -------- dc----w- c:\docume~1\david\locals~1\applic~1\V CAST Media Manager
    2011-02-20 17:47:45 221184 -c--a-w- c:\windows\system32\wmpns.dll
    2011-02-20 17:47:32 -------- dc----w- c:\program files\Windows Media Connect 2
    2011-02-20 17:44:40 -------- dc----w- c:\windows\system32\LogFiles
    2011-02-20 17:19:10 -------- dc----w- c:\program files\common files\Motorola Shared
    2011-02-20 17:19:00 -------- dc----w- c:\program files\Motorola
    2011-02-17 15:48:05 -------- dc----w- c:\program files\Avery Dennison
    2011-02-07 12:51:27 -------- dc----w- c:\documents and settings\david\bookmarkbackups
    .
    ==================== Find3M ====================
    .
    2011-02-03 03:40:23 472808 -c--a-w- c:\windows\system32\deployJava1.dll
    2011-02-03 01:19:39 73728 -c--a-w- c:\windows\system32\javacpl.cpl
    2011-01-21 14:44:37 439296 -c--a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 -c--a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10:33 1854976 -c--a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34:28 301568 -c--a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59:20 916480 -c--a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59:19 43520 -c--a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59:19 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26:00 730112 -c--a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55:26 385024 -c--a-w- c:\windows\system32\html.iec
    2010-12-19 21:54:00 79872 -csha-r- c:\windows\system32\streamcil.dll
    2010-12-09 15:15:09 718336 -c--a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30:22 33280 -c--a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42:26 2148864 -c--a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07:07 2027008 -c--a-w- c:\windows\system32\ntkrnlpa.exe
    .
    ============= FINISH: 22:48:16.98 ===============

    DDS Attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/13/2010 3:56:08 AM
    System Uptime: 3/7/2011 10:29:19 PM (0 hours ago)
    .
    Motherboard: Hewlett-Packard | | 09E0h
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | XU1 PROCESSOR | 2791/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 75 GiB total, 54.732 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    Z: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Broadcom NetXtreme Gigabit Ethernet
    Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_3005103C&REV_01\4&1886B119&0&00E1
    Manufacturer: Broadcom
    Name: Broadcom NetXtreme Gigabit Ethernet
    PNP Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_3005103C&REV_01\4&1886B119&0&00E1
    Service: b57w2k
    .
    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: PS/2 Compatible Mouse
    Device ID: ACPI\PNP0F13\4&1117367&0
    Manufacturer: Microsoft
    Name: PS/2 Compatible Mouse

    Eset Log

    C:\System Volume Information\_restore{2A8C64FC-B234-45DA-8413-ADEAF52EB0C3}\RP85\A0021524.exe Win32/RegistryBooster application
    C:\System Volume Information\_restore{2A8C64FC-B234-45DA-8413-ADEAF52EB0C3}\RP85\A0021525.exe Win32/SpeedUpMyPC application
    C:\System Volume Information\_restore{2A8C64FC-B234-45DA-8413-ADEAF52EB0C3}\RP85\A0021526.exe Win32/RegistryBooster application

    ComboFix log

    ComboFix 11-03-06.06 - David 03/07/2011 23:41:41.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1292 [GMT -6:00]
    Running from: c:\documents and settings\David\My Documents\Downloads\ComboFix\ComboFix.exe
    AV: Webroot Internet Security Complete *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
    FW: Webroot Internet Security Complete *Enabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\LogFiles
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-08 04:45 . 2011-03-08 05:36 -------- dc----w- C:\NewLogs
    2011-03-07 17:19 . 2011-03-07 17:19 -------- dc----w- c:\program files\ESET
    2011-03-07 02:12 . 2011-03-07 02:12 -------- dc----w- c:\program files\Microsoft Games
    2011-03-06 14:50 . 2011-03-06 14:53 -------- dc----w- c:\program files\Verizon Wireless
    2011-03-06 14:50 . 2009-11-03 02:47 95248 -c--a-w- c:\windows\system32\PTDMWmcp64.dll
    2011-03-06 14:50 . 2009-11-03 02:47 88592 -c--a-w- c:\windows\system32\PTDMWmcp.dll
    2011-03-06 14:50 . 2011-03-06 14:50 -------- dc----w- c:\program files\PANTECH
    2011-03-06 12:57 . 2011-03-06 12:57 -------- dc----w- c:\program files\Analog Devices
    2011-03-01 16:02 . 2011-03-01 16:02 -------- dc----w- c:\documents and settings\David\Application Data\Malwarebytes
    2011-03-01 16:01 . 2010-12-21 00:09 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-01 16:00 . 2011-03-01 16:00 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-01 16:00 . 2011-03-01 16:01 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-01 16:00 . 2010-12-21 00:08 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-28 01:54 . 2011-02-28 01:57 -------- dc-h--w- c:\windows\ie8
    2011-02-27 21:07 . 2011-02-27 21:07 -------- dc----w- c:\documents and settings\David\Local Settings\Application Data\Mozilla
    2011-02-27 21:04 . 2011-02-27 21:06 -------- dc----w- c:\program files\Bing Bar Installer
    2011-02-26 07:24 . 2011-02-26 07:24 -------- dc----w- c:\documents and settings\David\Application Data\Avery
    2011-02-20 19:21 . 2011-02-20 19:21 -------- dc----w- c:\documents and settings\David\Application Data\Apple Computer
    2011-02-20 18:11 . 2011-02-20 18:11 -------- dc----w- c:\documents and settings\All Users\Application Data\V CAST Media Manager
    2011-02-20 18:01 . 2011-02-20 20:07 -------- dc----w- c:\documents and settings\David\Application Data\vlc
    2011-02-20 18:01 . 2011-02-20 18:01 -------- dc----w- c:\documents and settings\All Users\Application Data\Verizon
    2011-02-20 18:01 . 2011-02-23 18:00 -------- dc----w- c:\documents and settings\David\Local Settings\Application Data\V CAST Media Manager
    2011-02-20 17:47 . 2008-04-14 11:42 221184 -c--a-w- c:\windows\system32\wmpns.dll
    2011-02-20 17:47 . 2011-02-20 17:47 -------- dc----w- c:\program files\Windows Media Connect 2
    2011-02-20 17:44 . 2011-02-20 17:45 -------- dc----w- c:\windows\system32\drivers\UMDF
    2011-02-20 17:19 . 2011-02-20 17:19 -------- dc----w- c:\program files\Common Files\Motorola Shared
    2011-02-20 17:19 . 2011-02-20 17:19 -------- dc----w- c:\program files\Motorola
    2011-02-17 15:48 . 2011-02-17 15:48 -------- dc----w- c:\program files\Avery Dennison
    2011-02-17 15:48 . 2011-02-17 15:48 -------- dc----w- c:\documents and settings\All Users\Application Data\Avery
    2011-02-16 06:19 . 2011-02-16 06:19 -------- dc----w- c:\program files\Common Files\Java
    2011-02-07 12:51 . 2011-02-07 12:51 -------- dc----w- c:\documents and settings\David\bookmarkbackups
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-16 10:11 . 2010-11-15 08:24 122184 -c--a-w- c:\windows\system32\drivers\pwipf6.sys
    2011-02-03 03:40 . 2010-11-29 05:43 472808 -c--a-w- c:\windows\system32\deployJava1.dll
    2011-02-03 01:19 . 2011-02-05 06:57 73728 -c--a-w- c:\windows\system32\javacpl.cpl
    2011-01-21 14:44 . 2002-08-29 10:41 439296 -c--a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2001-08-23 12:00 290048 -c--a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2002-08-29 09:14 1854976 -c--a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2002-08-29 10:41 301568 -c--a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2002-08-29 10:41 916480 -c--a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2002-08-29 10:41 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
    2010-12-20 23:59 . 2002-08-29 10:41 43520 -c--a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 17:26 . 2002-08-29 10:41 730112 -c--a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2010-11-13 10:09 385024 -c--a-w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2002-08-29 10:40 718336 -c--a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2002-08-29 10:40 33280 -c--a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2002-08-29 08:04 2148864 -c--a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2002-08-29 01:04 2027008 -c--a-w- c:\windows\system32\ntkrnlpa.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
    @="{6B78A880-15CA-468f-8422-A7960AD6FBB9}"
    [HKEY_CLASSES_ROOT\CLSID\{6B78A880-15CA-468f-8422-A7960AD6FBB9}]
    2011-02-16 10:55 326928 -c--a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
    @="{4EE7A346-5845-471e-9FAB-002EAF83F8B0}"
    [HKEY_CLASSES_ROOT\CLSID\{4EE7A346-5845-471e-9FAB-002EAF83F8B0}]
    2011-02-16 10:55 326928 -c--a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
    @="{53DABC15-4F29-44ad-B09A-E0D0F9A3D075}"
    [HKEY_CLASSES_ROOT\CLSID\{53DABC15-4F29-44ad-B09A-E0D0F9A3D075}]
    2011-02-16 10:55 326928 -c--a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
    @="{493FC96E-B938-4924-9B38-C4088E9B8AC2}"
    [HKEY_CLASSES_ROOT\CLSID\{493FC96E-B938-4924-9B38-C4088E9B8AC2}]
    2011-02-16 10:55 326928 -c--a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    c:\documents and settings\David\Start Menu\Programs\Startup\
    VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2010-10-22 3826968]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableStatusMessages"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk /r \??\D:\0autocheck autochk *
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\FinalTorrent\\FinalTorrent.EXE"=
    .
    R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [11/15/2010 2:24 AM 122184]
    R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/23/2001 6:00 AM 14336]
    R2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [9/7/2010 10:47 AM 202048]
    R2 SSFMONM;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [11/15/2010 1:36 AM 45072]
    R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [3/5/2011 4:04 PM 3251928]
    R3 ZTEusbgps;ZTE GPS Port;c:\windows\system32\drivers\ZTEusbgps.sys [12/4/2010 10:14 AM 105856]
    R3 ZTEusbnmeaext;ZTE NMEAExt Port;c:\windows\system32\drivers\ZTEusbnmeaext.sys [12/4/2010 10:14 AM 105856]
    S2 AHDDC2;Ashampoo HDD Control 2 Service; [x]
    S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
    S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/29/2010 9:02 AM 136176]
    S3 massfilter;MBB Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [12/4/2010 10:14 AM 9216]
    S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [1/2/2011 11:42 PM 3567]
    S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [12/31/2010 1:21 AM 16472]
    S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [12/31/2010 1:21 AM 11104]
    S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [4/14/2010 8:29 PM 32408]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - awdiipog
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-07 c:\windows\Tasks\Backup C Drive.job
    - c:\documents and settings\David\My Documents\Data\Backup.bat [2010-11-15 14:18]
    .
    2011-02-20 c:\windows\Tasks\MotoHelper MUM.job
    - c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-09-07 16:47]
    .
    2011-03-07 c:\windows\Tasks\MotoHelper Routing.job
    - c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-09-07 16:47]
    .
    2011-02-20 c:\windows\Tasks\MotoHelper Update.job
    - c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-09-07 16:47]
    .
    2011-03-08 c:\windows\Tasks\WECPUpdate.job
    - c:\program files\Essentials Codec Pack\WECPUpdate.exe [2009-02-25 14:28]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    DPF: DirectAnimation Java Classes
    DPF: Microsoft XML Parser for Java
    FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\5spsnxg0.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Webroot malicious URL filtering: {3DF533F5-FB3C-4c4c-A1D7-99717F8C3038} - c:\program files\Webroot\Security\current\plugins\browserextension\ff_ptc
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Webroot: {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} - %profile%\extensions\{8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - user.js: capability.policy.policynames - allowclipboard
    FF - user.js: capability.policy.allowclipboard.sites - hxxp://wsm.ezsitedesigner.com
    FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
    FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-07 23:47
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1715567821-1390067357-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D0CE4D85-C555-1540-7150-1CC97E4806B2}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_USERS\S-1-5-21-1715567821-1390067357-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EC95D26E-155E-D3C6-2F87-B5A5F288F569}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(1164)
    c:\windows\system32\WININET.dll
    c:\program files\Webroot\Security\Current\plugins\antispam\WRASHooks.dll
    c:\program files\Webroot\Security\Current\plugins\antispam\AntiSpamInterface.dll
    c:\program files\Webroot\Security\Current\plugins\antispam\WINSPAMCATCHER.dll
    c:\program files\Webroot\Security\current\plugins\sync\WebRootShellExt.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\IME\SPGRMR.DLL
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-03-07 23:50:56
    ComboFix-quarantined-files.txt 2011-03-08 05:50
    .
    Pre-Run: 62,712,119,296 bytes free
    Post-Run: 62,704,185,344 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    .
    - - End Of File - - 49933DB86EF84B9E005FACC56A22265C

    OTM Log

    Error: Unable to interpret <C:\System Volume Information\_restore{2A8C64FC-B234-45DA-8413-ADEAF52EB0C3}\RP85\A0021524.exe Win32/RegistryBooster application> in the current context!
    Error: Unable to interpret <C:\System Volume Information\_restore{2A8C64FC-B234-45DA-8413-ADEAF52EB0C3}\RP85\A0021525.exe Win32/SpeedUpMyPC application> in the current context!
    Error: Unable to interpret <C:\System Volume Information\_restore{2A8C64FC-B234-45DA-8413-ADEAF52EB0C3}\RP85\A0021526.exe Win32/RegistryBooster application> in the current context!

    OTM by OldTimer - Version 3.1.17.2 log created on 03072011_235523
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please sit back and let me do the work. Ask me questions if you need to, but don't "assume." You can't just randomly "start over" in the middle of a cleaning!


    ===================================
    • c:\Qoobox is where Combofix puts the quarantined files.
    • System Volume is the System Restore points. This is a protected Windows System file. The entry has already been removed from being active in the system by OTM and I will have you create a new restore point and drop the old ones when we're through.
    • c:\cmdcons
    More on that here: http://support.microsoft.com/kb/233979
    And there are also many other sites with information on it.

    And this is something you ask me about if you're concerned instead of deciding to go into panic mode:
    When something doesn't go as expected, you let the helper know:
    See reference to C:\Cmdcons
    ====================================
    David, if you ever ask for help in the future on one of the internet computer forums, please note that all or most will have a thread detailing scans for you to run and instructions on how to do it. When you ask for help, it's the helper's job to review the entire log and decide which entries need to go or be investigated.

    Your helper will guide you through what to do and no action should be taken during a cleaning unless you have been instructed to take it.
    ========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
    • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    Folder::
    C:\cmdcons
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\FinalTorrent\\FinalTorrent.EXE"=-
    
    RegNull::
    [HKEY_USERS\S-1-5-21-1715567821-1390067357-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D0CE4D85-C555-1540-7150-1CC97E4806B2}*]
    [HKEY_USERS\S-1-5-21-1715567821-1390067357-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EC95D26E-155E-D3C6-2F87-B5A5F288F569}*]
    Driver::
    AHDDC2
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Have you set this? FF - prefs.js: browser.startup.homepage - about:blank
     
  18. dbreed53

    dbreed53 TS Rookie Topic Starter Posts: 17

    Sitting back, relaxing, recalling some Moody Blues.......

    You are right. I was hasty, and presumptuous, and should not make ASSumptions.
    Otherwise, why would I be here asking for help, if I know so much, right?

    Ok, I have just arrived home, had a long day on little sleep, and am going to retire for the night, for I must arise early to attend to matters not of my choosing, earlier than I would if I had my 'druthers.

    I have reviewed your entire post, and have a few questions I will post, before I act.
    Which will not be tonight, much to my chagrin.
    Patience is a virtue I am still practicing, and practicing, and practicing, ad infinitum.

    Thanks, Bobbye.

    David
     
  19. dbreed53

    dbreed53 TS Rookie Topic Starter Posts: 17

    got it.

    ========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
    • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    Folder::
    C:\cmdcons
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\FinalTorrent\\FinalTorrent.EXE"=-
    
    RegNull::
    [HKEY_USERS\S-1-5-21-1715567821-1390067357-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D0CE4D85-C555-1540-7150-1CC97E4806B2}*]
    [HKEY_USERS\S-1-5-21-1715567821-1390067357-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EC95D26E-155E-D3C6-2F87-B5A5F288F569}*]
    Driver::
    AHDDC2
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================


    If I understand the above correctly, in order to "run this script" I place it in the ComboFix folder, then run ComboFix and it utilizes that script for commands. I can't actually "run" a .txt file, right?

    Yes, I created the user.js file to have FF set my home page to a blank page at startup, per instructions from Mozilla.org.
     
  20. dbreed53

    dbreed53 TS Rookie Topic Starter Posts: 17

    New Results 03/10/2011 10:55am

    Bobbye,

    Here is the log from running ComboFix with the script. I did figure out I had to have combofix.exe and the script saved on the Desktop to drag and drop, ;-)

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    ComboFix 11-03-06.06 - David 03/10/2011 10:33:50.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1359 [GMT -6:00]
    Running from: c:\documents and settings\David\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\David\Desktop\CFScript.txt
    AV: Webroot Internet Security Complete *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
    FW: Webroot Internet Security Complete *Disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\cmdcons
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    -------\Legacy_AHDDC2
    -------\Service_AHDDC2
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-10 to 2011-03-10 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-08 07:30 . 2011-03-08 07:30 -------- dc----w- c:\program files\jv16 PowerTools
    2011-03-08 05:55 . 2011-03-08 05:55 -------- dc----w- C:\_OTM
    2011-03-08 04:45 . 2011-03-08 06:32 -------- dc----w- C:\NewLogs
    2011-03-07 17:19 . 2011-03-07 17:19 -------- dc----w- c:\program files\ESET
    2011-03-06 14:50 . 2011-03-06 14:53 -------- dc----w- c:\program files\Verizon Wireless
    2011-03-06 14:50 . 2009-11-03 02:47 95248 -c--a-w- c:\windows\system32\PTDMWmcp64.dll
    2011-03-06 14:50 . 2009-11-03 02:47 88592 -c--a-w- c:\windows\system32\PTDMWmcp.dll
    2011-03-06 14:50 . 2011-03-06 14:50 -------- dc----w- c:\program files\PANTECH
    2011-03-06 12:57 . 2011-03-06 12:57 -------- dc----w- c:\program files\Analog Devices
    2011-03-01 16:02 . 2011-03-01 16:02 -------- dc----w- c:\documents and settings\David\Application Data\Malwarebytes
    2011-03-01 16:01 . 2010-12-21 00:09 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-01 16:00 . 2011-03-01 16:00 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-01 16:00 . 2011-03-01 16:01 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-01 16:00 . 2010-12-21 00:08 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-28 01:54 . 2011-02-28 01:57 -------- dc-h--w- c:\windows\ie8
    2011-02-27 21:07 . 2011-02-27 21:07 -------- dc----w- c:\documents and settings\David\Local Settings\Application Data\Mozilla
    2011-02-27 21:04 . 2011-02-27 21:06 -------- dc----w- c:\program files\Bing Bar Installer
    2011-02-26 07:24 . 2011-02-26 07:24 -------- dc----w- c:\documents and settings\David\Application Data\Avery
    2011-02-20 19:21 . 2011-02-20 19:21 -------- dc----w- c:\documents and settings\David\Application Data\Apple Computer
    2011-02-20 18:11 . 2011-02-20 18:11 -------- dc----w- c:\documents and settings\All Users\Application Data\V CAST Media Manager
    2011-02-20 18:01 . 2011-02-20 20:07 -------- dc----w- c:\documents and settings\David\Application Data\vlc
    2011-02-20 18:01 . 2011-02-20 18:01 -------- dc----w- c:\documents and settings\All Users\Application Data\Verizon
    2011-02-20 18:01 . 2011-02-23 18:00 -------- dc----w- c:\documents and settings\David\Local Settings\Application Data\V CAST Media Manager
    2011-02-20 17:47 . 2008-04-14 11:42 221184 -c--a-w- c:\windows\system32\wmpns.dll
    2011-02-20 17:47 . 2011-02-20 17:47 -------- dc----w- c:\program files\Windows Media Connect 2
    2011-02-20 17:44 . 2011-02-20 17:45 -------- dc----w- c:\windows\system32\drivers\UMDF
    2011-02-20 17:19 . 2011-02-20 17:19 -------- dc----w- c:\program files\Common Files\Motorola Shared
    2011-02-20 17:19 . 2011-02-20 17:19 -------- dc----w- c:\program files\Motorola
    2011-02-17 15:48 . 2011-02-17 15:48 -------- dc----w- c:\program files\Avery Dennison
    2011-02-17 15:48 . 2011-02-17 15:48 -------- dc----w- c:\documents and settings\All Users\Application Data\Avery
    2011-02-16 06:19 . 2011-02-16 06:19 -------- dc----w- c:\program files\Common Files\Java
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-16 10:11 . 2010-11-15 08:24 122184 -c--a-w- c:\windows\system32\drivers\pwipf6.sys
    2011-02-09 13:53 . 2002-08-29 10:41 270848 -c--a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2002-08-29 10:40 186880 -c--a-w- c:\windows\system32\encdec.dll
    2011-02-03 03:40 . 2010-11-29 05:43 472808 -c--a-w- c:\windows\system32\deployJava1.dll
    2011-02-03 01:19 . 2011-02-05 06:57 73728 -c--a-w- c:\windows\system32\javacpl.cpl
    2011-02-02 07:58 . 2010-11-13 09:50 2067456 -c--a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2010-11-13 09:50 677888 -c--a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2002-08-29 10:41 439296 -c--a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2001-08-23 12:00 290048 -c--a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2002-08-29 09:14 1854976 -c--a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2002-08-29 10:41 301568 -c--a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2002-08-29 10:41 916480 -c--a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2002-08-29 10:41 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
    2010-12-20 23:59 . 2002-08-29 10:41 43520 -c--a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 17:26 . 2002-08-29 10:41 730112 -c--a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2010-11-13 10:09 385024 -c--a-w- c:\windows\system32\html.iec
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
    @="{6B78A880-15CA-468f-8422-A7960AD6FBB9}"
    [HKEY_CLASSES_ROOT\CLSID\{6B78A880-15CA-468f-8422-A7960AD6FBB9}]
    2011-02-16 10:55 326928 -c--a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
    @="{4EE7A346-5845-471e-9FAB-002EAF83F8B0}"
    [HKEY_CLASSES_ROOT\CLSID\{4EE7A346-5845-471e-9FAB-002EAF83F8B0}]
    2011-02-16 10:55 326928 -c--a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
    @="{53DABC15-4F29-44ad-B09A-E0D0F9A3D075}"
    [HKEY_CLASSES_ROOT\CLSID\{53DABC15-4F29-44ad-B09A-E0D0F9A3D075}]
    2011-02-16 10:55 326928 -c--a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
    @="{493FC96E-B938-4924-9B38-C4088E9B8AC2}"
    [HKEY_CLASSES_ROOT\CLSID\{493FC96E-B938-4924-9B38-C4088E9B8AC2}]
    2011-02-16 10:55 326928 -c--a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2011-03-05 1372696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    c:\documents and settings\David\Start Menu\Programs\Startup\
    VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2010-10-22 3826968]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableStatusMessages"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk /r \??\D:\0autocheck autochk *
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\FinalTorrent\\FinalTorrent.EXE"=
    .
    R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [11/15/2010 2:24 AM 122184]
    R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/23/2001 6:00 AM 14336]
    R2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [9/7/2010 10:47 AM 202048]
    R2 SSFMONM;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [11/15/2010 1:36 AM 45072]
    R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [3/5/2011 4:04 PM 3251928]
    R3 ZTEusbgps;ZTE GPS Port;c:\windows\system32\drivers\ZTEusbgps.sys [12/4/2010 10:14 AM 105856]
    R3 ZTEusbnmeaext;ZTE NMEAExt Port;c:\windows\system32\drivers\ZTEusbnmeaext.sys [12/4/2010 10:14 AM 105856]
    S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
    S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/29/2010 9:02 AM 136176]
    S3 massfilter;MBB Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [12/4/2010 10:14 AM 9216]
    S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [1/2/2011 11:42 PM 3567]
    S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [12/31/2010 1:21 AM 16472]
    S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [12/31/2010 1:21 AM 11104]
    S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [4/14/2010 8:29 PM 32408]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-10 c:\windows\Tasks\Backup C Drive.job
    - c:\documents and settings\David\My Documents\Data\Backup.bat [2010-11-15 14:18]
    .
    2011-02-20 c:\windows\Tasks\MotoHelper MUM.job
    - c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-09-07 16:47]
    .
    2011-03-07 c:\windows\Tasks\MotoHelper Routing.job
    - c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-09-07 16:47]
    .
    2011-02-20 c:\windows\Tasks\MotoHelper Update.job
    - c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-09-07 16:47]
    .
    2011-03-10 c:\windows\Tasks\WECPUpdate.job
    - c:\program files\Essentials Codec Pack\WECPUpdate.exe [2009-02-25 14:28]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    DPF: DirectAnimation Java Classes
    DPF: Microsoft XML Parser for Java
    FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\5spsnxg0.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Webroot malicious URL filtering: {3DF533F5-FB3C-4c4c-A1D7-99717F8C3038} - c:\program files\Webroot\Security\current\plugins\browserextension\ff_ptc
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Webroot: {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} - %profile%\extensions\{8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - user.js: capability.policy.policynames - allowclipboard
    FF - user.js: capability.policy.allowclipboard.sites - hxxp://wsm.ezsitedesigner.com
    FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
    FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-10 10:44
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3596)
    c:\windows\system32\WININET.dll
    c:\program files\Webroot\Security\Current\plugins\antispam\WRASHooks.dll
    c:\program files\Webroot\Security\Current\plugins\antispam\AntiSpamInterface.dll
    c:\program files\Webroot\Security\Current\plugins\antispam\WINSPAMCATCHER.dll
    c:\program files\Webroot\Security\current\plugins\sync\WebRootShellExt.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\IME\SPGRMR.DLL
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\System32\tcpsvcs.exe
    c:\windows\System32\snmp.exe
    c:\program files\Webroot\Security\current\plugins\antimalware\AEI.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\Motorola\MotoHelper\MotoHelperAgent.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Webroot\Security\Current\plugins\antispam\wrhkisvc.exe
    c:\progra~1\Webroot\Security\Current\plugins\cleanup\WRCLEA~1.EXE
    c:\program files\Webroot\Security\current\plugins\sync\WRSyncManager.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-10 10:48:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-10 16:48
    .
    Pre-Run: 63,199,821,824 bytes free
    Post-Run: 63,243,583,488 bytes free
    .
    - - End Of File - - 1FD88ECB0A92D788323C749BF3C48DB0
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    One more scan to make sure there are no bad entries left:

    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Has the redirecting improved?
     
  22. dbreed53

    dbreed53 TS Rookie Topic Starter Posts: 17

    HijackThis log

    Here is the log from HijackThis;

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:18:22 PM, on 3/12/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
    C:\Program Files\Webroot\Security\Current\plugins\antispam\wrhkisvc.exe
    C:\Program Files\Webroot\Security\current\plugins\sync\WRSyncManager.exe
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Webroot Browser Helper Object - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - C:\Program Files\Webroot\Security\current\products\WISC\toolbar\LPBar.dll
    O2 - BHO: WRCommonBHO - {D93EC24D-8741-4D41-B83D-A5793B998416} - C:\Program Files\Webroot\Security\current\plugins\browserextension\WebrootBHO.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
    O3 - Toolbar: Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\Program Files\Webroot\Security\current\products\WISC\toolbar\LPBar.dll
    O4 - HKLM\..\Run: [WebrootTrayApp] "C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe" (User 'Default user')
    O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1289649019863
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1289649186457
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FA3EACCC-A53F-41E2-8AD6-E2A499C11E17}: NameServer = 69.78.96.14 66.174.92.14
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MotoHelper Service (MotoHelper) - Unknown owner - C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
    O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
    O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe

    --
    End of file - 6548 bytes


    Yes, the redirecting seems to have been fixed altogether.
    Thanks very much for your help, and your patience.

    Now, the only issue I have is that the VZAccess Manager and the Volume Control icons keep disappearing from the SysTray, no matter how many times I check the box to make them appear there.

    For instance, if I open the properties of either, the box is checked, but the icon does not appear. But, if I uncheck the box, apply the change, then recheck the box and apply the change, they appear. Until I reboot.
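    A helper reading the HijackThis log above does the same first pass every time: pull the R0/R1 search and start-page values, the O2/O3 browser add-ons, the O9 buttons whose file is gone, the O17 per-interface DNS servers (a foreign resolver redirects every browser on the box, which is why it is the first thing to check on a redirect complaint) and any O23 service with "Unknown owner". The script below is an added example that automates that triage; it is not part of this thread and not a feature of HijackThis. The sample log it parses is constructed for the example (the hijacked search URL and the two DNS addresses are documentation-range placeholders, not anything from David's machine), and the allow-list of known hosts is an assumption you would tune for your own environment. The real log's O17 servers are consistent with the Verizon wireless adapter installed here, but the script surfaces them anyway so a human can confirm.

```python
"""Triage helper for a Trend Micro HijackThis v2 log.

Added example, not part of the TechSpot thread or of HijackThis itself.
Parses the "Rn - ..." / "Onn - ..." entry lines and groups the ones a
helper looks at first on a browser-redirect complaint.
"""
import re
from urllib.parse import urlparse

# "O17 - HKLM\...: NameServer = 1.2.3.4 5.6.7.8"  ->  cat="O17", body=rest
ENTRY_RE = re.compile(r"^(?P<cat>[RO]\d{1,2}) - (?P<body>.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Hosts a stock IE install legitimately points at. ASSUMPTION for this
# example, not a HijackThis feature; extend for your own environment.
KNOWN_HOSTS = {"go.microsoft.com", "www.google.com", "www.bing.com"}

# Constructed sample log. The search.example-hijack.test entry and the
# 192.0.2.x / 198.51.100.x resolvers are placeholders (RFC 5737 ranges).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Boot mode: Normal

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example-hijack.test/?q=%s
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA3EACCC-A53F-41E2-8AD6-E2A499C11E17}: NameServer = 192.0.2.53 198.51.100.53
O23 - Service: MotoHelper Service (MotoHelper) - Unknown owner - C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""


def parse_entries(log_text):
    """Return [(category, body)] for every R/O entry line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("cat"), m.group("body")))
    return entries


def triage(log_text, known_hosts=KNOWN_HOSTS):
    """Group entries into review buckets; returns a dict of lists."""
    findings = {
        "search_hijack": [],   # R0/R1 values pointing at a host not in known_hosts
        "browser_addons": [],  # every O2 BHO / O3 toolbar, to be vetted by name
        "orphaned": [],        # O9 buttons whose backing file is "(no file)"
        "dns_servers": [],     # O17 resolvers, in log order
        "unknown_owner": [],   # O23 services without a vendor string
    }
    for cat, body in parse_entries(log_text):
        if cat in ("R0", "R1"):
            # body: "HKCU\...\Main,Search Page = http://host/path"
            _, _, value = body.partition(" = ")
            value = value.strip()
            if value.startswith("about:"):
                continue  # about:blank is the safe default
            host = urlparse(value).hostname or ""
            if host not in known_hosts:
                findings["search_hijack"].append(value)
        elif cat in ("O2", "O3"):
            findings["browser_addons"].append(body)
        elif cat == "O9" and body.endswith("(no file)"):
            findings["orphaned"].append(body)
        elif cat == "O17":
            findings["dns_servers"].extend(IP_RE.findall(body))
        elif cat == "O23" and "Unknown owner" in body:
            findings["unknown_owner"].append(body)
    return findings


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket} ({len(items)}):")
        for item in items:
            print("   ", item)
```

    Run against a saved hijackthis.log by reading the file into `triage()` instead of `SAMPLE_LOG`. The buckets are a reading aid, not a verdict: the real log's O2/O3 entries are all Webroot, Java and a weather toolbar, and its O23 "Unknown owner" is the Motorola helper, which is why the helper above signed off on it.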
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    David, are you making the icon changes through the Taskbar Properties?

    Right click on the Taskbar> Properties> Check 'Hide Inactive Icons'> then click on Customize (you don't get the Customize option if you don't click that 'hide' first)> Find the 2 icons for the processes you mentioned> Highlight each and set the dialog box to Always show> Click OK> Apply> OK

    If these are on startup, they should both appear. The Volume Control icon usually doesn't disappear unless your sound does. Keep in mind also that the Notification Area has limited space. If you see << on the left side, it means there are more icons but they can't fit. Just click the << to see them.

    Are you no longer using Windows Messenger? There are 2 O9 entries in the HJT log that say 'no file'.

    The HJT log is fine. You have some background processes running, probably from the Startup Menu, that you don't need unless you're actually using it. Example: HP Digital Imaging and all other HP processes.
     
  24. dbreed53

    dbreed53 TS Rookie Topic Starter Posts: 17

    Systray Icons

    No. I am doing the Volume control in the Control Panel, Sounds Settings.
    Likewise with the VZAccess Manager, in the Properties page of the application.
    I have the 'Hide Inactive Icons' UNchecked.
    Have done this before. Does not change the behavior, oddly enough.
    VZAccess manager does load at startup, but no icon, and when minimized, no icon, as per settings in the app.
    Although the Sound icon does not appear, all sound functions, function.
    I have the toolbar 'unlocked' so I can manage the rows in Quick Launch. I manage the width of it by increasing the number of rows in the Taskbar, I currently have three, to fit my whim. The SysTray expands as necessary for apps that use it. Currently, it has one column, Outlook, Search Indexer, and Webroot are the occupants, next to the Time/Date.
    Yes, I NEVER use it. I am over 40 and have a cellphone. :)
    Would it help to clean that up?
    I VERY INFREQUENTLY use the scanner feature nowadays. I used to use daily to fax documents when I was trucking.
    What do you recommend?
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    David, I'm getting ready to shut down for the night. Drat for this time change- gets me all confused about when it's time to go to bed!

    Follow my path through the Taskbar properties for the icons. I explained to you that the Customize feature is greyed out unless you CHECK 'hide inactive icons'. Once you click on Customize and get in the icon area, you can change to 'always show', 'always hide' or 'never show'. But you can't get in there unless you check the 'hide inactive' first! Some dumb software writer thought that one up!

    Keep the Toolbar locked! It can wander around if you don't. Just put the cursor on the top of the Taskbar until you see the double arrow and move it up to widen. Then lock the taskbar back.

    Will finish in the AM.
     