Hi; I think something's got me. I'm running WinXP Home SP3 with Spyware Doctor, ESET NOD32 and Zone Alarm Pro. I use CCleaner pretty regular and sometimes ToniArts Easy Cleaner and Empty Temp Folders 283. I use Mozilla Firefox 3.5.4, IE8 just for Update and Secunia PSI to stay current.
I boot sometimes and get the background screen only. I also have to wait for Firefox to load like my computer is busy when I want to use it. I tried to shut down a couple of times and got hung up where I got a frozen screen and had to force power off. Sometimes Task Manager worked and sometimes it didn't. I saw some posts for rebooting the explore.exe file but haven't tried that yet. I ran Hijack This and saw a number of BHO's with no name and no file. I'm wondering about these since I recognize most of the other filenames.
Canon printer,NVidia GeForce 6800 graphics card, COX internet, Nikon camera, MS Office 2003

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:38 PM, on 10/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Garmin\gStart.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.ie7pro.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - Startup: PictureProject In Touch.lnk = C:\Program Files\Nikon\PictureProject In Touch\PictureProjectInTouch.exe
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183737383453
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe

--
End of file - 11837 bytes

Hi,

Please do the following:

• Open HiJackThis
• Click on Do a system scan only
• Check the boxes next to ONLY the entries listed below (if still present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)

• Close all windows except Hijackthis and click Fix Checked
• Click Yes when prompted
• Close HijackThis.

NEXT


Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

• Disable any script blocking protection
• Double click dds.pif to run the tool.
• When done, two DDS.txt's will open.
• Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT



Download GMER Rootkit Scanner from here or here.

• Extract the contents of the zipped file to desktop.
• Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  
  
  Click the image to enlarge it
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Thanks, CatByte;
Here are the logs:
DDS (Ver_09-10-26.01) - NTFSx86
Run by Fred at 13:23:20.78 on Sun 11/01/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.919 [GMT -8:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\LTMSG.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Garmin\gStart.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Fred\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.ie7pro.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - c:\program files\iepro\iepro.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - &Yahoo! Messenger
EB: {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - No File
uRun: [Yahoo! Pager] 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [gStart] c:\garmin\gStart.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [LTMSG] LTMSG.exe 7
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Everything] "c:\program files\everything\Everything.exe" -startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\fred\startm~1\programs\startup\pictur~1.lnk - c:\program files\nikon\pictureproject in touch\PictureProjectInTouch.exe
StartupFolder: c:\docume~1\fred\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
uPolicies-explorer: HideClock = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 0 (0x0)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\iepro\iepro.dll
IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://support.cox.com/sdccommon/download/tgctlcm.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/d/c/8/dc8362b3-f410-4e7d-b672-209d6bd8fcea/OGAControl.cab
DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183737383453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = :\windows\syste scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fred\applic~1\mozilla\firefox\profiles\67bv014j.default\
FF - prefs.js: browser.startup.homepage - hxxp://sandiego.cox.net/cci/home
FF - component: c:\documents and settings\fred\application data\mozilla\firefox\profiles\67bv014j.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\fred\application data\mozilla\firefox\profiles\67bv014j.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\fred\application data\mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-24 206256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-2-20 33800]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2008-2-24 218504]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-2-20 472320]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-9-23 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-9-23 439664]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-1-21 348752]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
S2 XobniService;XobniService;c:\program files\xobni\XobniService.exe [2009-7-14 44776]
S3 S3chipid;S3chipid;\??\c:\docume~1\fred\locals~1\temp\{2b43252c-a1e3-4c47-927c-9f2c276d3515}\s3chipid.sys --> c:\docume~1\fred\locals~1\temp\{2b43252c-a1e3-4c47-927c-9f2c276d3515}\S3chipid.sys [?]

=============== Created Last 30 ================

2009-10-28 05:19:58 0 d-----w- c:\program files\iPod
2009-10-28 05:19:53 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2009-11-01 21:05:09 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-24 03:04:56 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 02:47:58 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2009-09-08 02:47:58 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 05:08:39 20857148 ----a-w- c:\documents and settings\fred\jre-6u15-linux-i586.bin
2009-08-07 04:57:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-07 02:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:44:46 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-05 02:52:22 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 14:20:08 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2008-08-18 02:39:36 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081720080818\index.dat

============= FINISH: 13:25:01.51 ===============

Any success with the GMER scan?

Hi; here's the rootkit scan.

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Hi, CatByte;
Finally finished, Trojan.Generic exposed, removed with spyware doctor. Log enclosed.

Hi,

Please do the following:



Please download Malwarebytes' Anti-Malware

• Double Click mbam-setup.exe to install the application.
• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected. <-- very important
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.

• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

In your next reply please include

• MBAM Log
• Kaspersky report

Hi, CatByte;
I ran Spyware Doctor and had many hits- some info points, cookies and the trojan.generic previously mentioned. I ran NOD32 scan before I saw your last post- clean.

Hi,

Your logs are clean,

Just some housekeeping to do now.

Please do the following:


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  
• Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 16. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
• Click the "Download" button to the right.
• Select the Windows platform from the dropdown menu.
• Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
• Click on the link to download Windows Offline Installation and save the file to your desktop.
• Close any programs you may have running - especially your web browser.

• Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    Applications and AppletsTrace and Log Files
  • Click OK on Delete Temporary Files Window
    
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

NEXT

Follow these steps to uninstall Combofix

• Click START then RUN
• Now type Combofix /uninstall in the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

NEXT

Now to remove the rest of the tools that we have used in fixing your machine:

• Make sure you have an Internet Connection.
• Download OTC to your desktop and run it
• A list of tool components used in the Cleanup of malware will be downloaded.
• If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
• Click Yes to begin the Cleanup process and remove these components, including this application.
• You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Note: If there are any other logs/tools left on your desktop after running this tool, > right click and delete, but keep MalwareBytes, it is a good program to have. Update and run it occasionally.


NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.

• It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
  Strong passwords: How to create and use them
  Then consider a password keeper, to keep all your passwords safe.
  
• Keep Windows updated by regularly checking their website at :
  http://windowsupdate.microsoft.com/
  This will ensure your computer has always the latest security updates available installed on your computer.
  
  
• SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
  
  
• SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
  
  
• Make Internet Explorer more secure
  
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  
  
• ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
  
  WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
  WOT has an addon available for both Firefox, IE and chrome.
  
  
• For Firefox, I highly recommend this add-on to keep your PC even more secure.
  
  • NoScript - for blocking ads and other potential website attacks
  
  
• Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  
• ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  
• In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
  Think Prevention.
  PC Safety and Security--What Do I Need?.

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Hi, CatByte;
Big thanks for the help; I couldn't have figured this out without your help.
FCS

You are more than welcome

stay safe

~CB

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.