
Trojan.dnschanger-codec Google Redirect [Solved]



#1
tfelcone

Hello,

Ran into this last week.
Symptoms - on the 2nd or 3rd click, Google search results seem to get pointed to 209.85.171.9 (FWIW).

Checked the 'Read this before posting' section.
Ran ATF Cleaner (IE and Firefox).
Malwarebytes - came up clean.
SuperAntiSpyware - which found and removed the Reg entry for trojan.dnschanger-codec.
Ran NOD32 in safe mode, which found another virus - quarantined then deleted.
I found this interesting: I could rename cmd.exe to cmd.1exe and, while I'm watching, another cmd.exe would pop up in the windows\system32 folder. This behavior stopped after I ran NOD32 in safe mode; the phony cmd.exe has not reappeared.
Also - currently no command window, no regedit (no access to ipconfig), cmd.exe is missing.

Downloaded and ran HJT, and saved log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:38 PM, on 3/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [HSTURL] "C:\PROGRA~1\Verizon\content\app\McciBrowser.exe" -APPKEY=verizon_portal -URL=file://C:\PROGRA~1\Verizon\content\startFrame.html?launchType=normal
O4 - HKLM\..\Policies\Explorer\Run: [OVdEmZfvwO] C:\Documents and Settings\All Users\Application Data\itmvozkh\cninqnwt.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} (Cisco AnyConnect VPN Client Web Control) - https://bluesky.dewb...ries/vpnweb.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1168025685250
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {AD58C149-8AE2-4878-99DC-3A164E32F814} (SAXFileEE FileDownload ActiveX Control) - http://appsnet.bentl...d/SAXFileEE.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer....l/installer.exe
O16 - DPF: {D6D5ACA4-4C57-4C75-8D68-BC185E924B4C} (PWFileTransfer Control) - http://portals.jacob...eTransferEN.cab
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystan...acheManager.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8671 bytes


Any help appreciated,

Thanks,

Tom F.

Edited by tfelcone, 02 March 2009 - 03:24 PM.

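The HijackThis log above is what a helper reads by eye. As an added example (not part of this thread and not HijackThis' own code), here is a small Python triage script that parses the Rx/Oxx lines and flags the entries a helper would single out: the "(file missing)" stale entries, the autostart under Policies\Explorer\Run whose target sits in All Users\Application Data, and any O17 DNS NameServer line, since the DNS server setting is what a DNSChanger-class infection rewrites. The sample lines are copied from the log in post #1, except the O17 line, which is constructed with RFC 5737 documentation addresses because this log contains no O17 entry. The names `Entry`, `triage`, `triage_log` and the heuristics themselves are the example's own.

```python
"""Triage helper for HijackThis v2 log lines.

Added example for this thread; it is not part of the forum post and not
HijackThis' own code.  It parses the 'Rx'/'Oxx' lines into records and
applies a few defender-side heuristics so the entries worth a second look
(the ones a helper would quote back) surface automatically.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Log lines copied from the HijackThis log in post #1, plus one CONSTRUCTED
# O17 line (the page's log has no O17 entry): the NameServer value is the
# setting a DNSChanger-class infection rewrites, so it must be checked.
# 192.0.2.x are RFC 5737 documentation addresses, not real resolvers.
SAMPLE_LOG = r"""
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [OVdEmZfvwO] C:\Documents and Settings\All Users\Application Data\itmvozkh\cninqnwt.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-GUID}: NameServer = 192.0.2.53,192.0.2.54
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# "O4 - HKLM\..\Run: ..." -> section "O4", body "HKLM\..\Run: ..."
SECTION_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# First Windows path ending in a binary extension; a closing quote ends it.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)

# Directory markers that ordinary users can write to without admin rights.
# Droppers favour them, but some legitimate updaters (GoogleUpdate, for one)
# live there too, so a hit means "review", not "malicious".
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Entry:
    section: str
    raw: str
    path: Optional[str]
    findings: List[str] = field(default_factory=list)


def triage(line: str) -> Optional[Entry]:
    """Parse one HJT line; return None for headers, blanks and process lists."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    path_m = PATH_RE.search(body)
    entry = Entry(section, line.strip(), path_m.group(0) if path_m else None)
    lowered = body.lower()

    if "(file missing)" in lowered:
        entry.findings.append("file missing: stale entry, worth cleaning but not the live infection")
    if section == "O4" and "policies\\explorer\\run" in lowered:
        entry.findings.append("autostart under Policies\\Explorer\\Run: rare for consumer software")
    if entry.path and any(mark in entry.path.lower() for mark in USER_WRITABLE):
        entry.findings.append("executable lives in a user-writable data directory")
    if section == "O17":
        entry.findings.append("DNS/domain setting: compare NameServer with the ISP's resolvers")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Return only the entries that triggered at least one finding."""
    flagged = []
    for line in text.splitlines():
        entry = triage(line)
        if entry and entry.findings:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.section}: {e.raw}")
        for finding in e.findings:
            print(f"    - {finding}")
```

Run it as-is to print the flagged entries, or pass a whole saved log to `triage_log`. A hit is a prompt to look closer, not a verdict: the Policies\Explorer\Run line earns two findings (unusual autostart location plus a target under Application Data), which is the combination a helper would ask about first, while a legitimate updater running from Local Settings\Application Data would earn only one.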



#2
handhfan

Hello, tfelcone, and welcome to GeeksToGo!

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3
tfelcone

Hi handhfan,

I downloaded ComboFix to the desktop and ran it.
However, I didn't get any of the dialog boxes, just a small progress bar, then it seemed to stall?
I rebooted and my startup programs started up (ZA, NOD32 etc.) and the Google hijack -seems- to have stopped; I can also access the command window.

For good measure I'd still like to send you the ComboFix log, will running it again cause any problems?

Thanks,

Tom F.

#4
handhfan

Not sure if it ran fully, but if it did, the log would be at C:\ComboFix.txt.

If you can't find it, run this instead for now. :) (If you do find the log, this next step will be unnecessary; just post that log instead.)

  • Download OTListIt2 to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

The log for OTListIt2 will be very long and may not fit in one post, since there is a character limit on posts. Please make sure that it didn't get cut off, and feel free to post the rest of it in a separate reply. :)

#5
tfelcone

Handhfan,

No ComboFix log - so here's the OTListIt log.


OTListIt logfile created on: 3/5/2009 8:39:53 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.3.4 Folder = C:\Documents and Settings\home\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 208.50 Mb Available Physical Memory | 40.88% Memory free
1.22 Gb Paging File | 0.88 Gb Available in Paging File | 72.24% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 6.19 Gb Free Space | 16.64% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOMEPC
Current User Name: home
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe (Cisco Systems, Inc.)
PRC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (Zone Labs, LLC)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Eset\nod32krn.exe (Eset )
PRC - C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
PRC - C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
PRC - C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
PRC - C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe (Verizon)
PRC - C:\Program Files\Verizon\SmartBridge\MotiveSB.exe (Motive Communications, Inc.)
PRC - C:\Program Files\Eset\nod32kui.exe (Eset )
PRC - C:\Program Files\Winamp\winampa.exe ()
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe (HP)
PRC - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
PRC - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Documents and Settings\home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
PRC - C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\Documents and Settings\home\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (CCALib8 [Auto | Running]) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (NOD32krn [Auto | Running]) -- C:\Program Files\Eset\nod32krn.exe (Eset )
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (UMWdf [Auto | Running]) -- C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)
SRV - (vpnagent [Auto | Running]) -- C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe (Cisco Systems, Inc.)
SRV - (vsmon [Auto | Running]) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe (Zone Labs, LLC)

========== Driver Services (SafeList) ==========

DRV - (aeaudio [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\aeaudio.sys (Andrea Electronics Corporation)
DRV - (AMON [Auto | Running]) -- C:\WINDOWS\system32\drivers\amon.sys (Eset )
DRV - (cercsr6 [Boot | Stopped]) -- C:\WINDOWS\System32\drivers\cercsr6.sys (Adaptec, Inc.)
DRV - (E1000 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\e1000325.sys (Intel Corporation)
DRV - (hamachi_oem [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\gan_adapter.sys (Applied Networking Inc.)
DRV - (ialm [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys (Intel Corporation)
DRV - (KLIF [System | Running]) -- C:\WINDOWS\system32\DRIVERS\klif.sys (Kaspersky Lab)
DRV - (MREMPR5 [On_Demand | Stopped]) -- C:\Program Files\Common Files\Motive\MREMPR5.sys (Motive, Inc.)
DRV - (MRENDIS5 [On_Demand | Stopped]) -- C:\Program Files\Common Files\Motive\MRENDIS5.sys (Motive, Inc.)
DRV - (nod32drv [System | Running]) -- C:\WINDOWS\system32\drivers\nod32drv.sys ()
DRV - (pavboot [Boot | Running]) -- C:\WINDOWS\system32\drivers\pavboot.sys (Panda Security, S.L.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (SASDIFSV [System | Running]) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASENUM [On_Demand | Running]) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL [System | Running]) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (smwdm [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\smwdm.sys (Analog Devices, Inc.)
DRV - (srescan [Boot | Running]) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys (Zone Labs, LLC)
DRV - (tmcomm [Auto | Running]) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)
DRV - (vcdrom [System | Running]) -- C:\WINDOWS\system32\drivers\VCdRom.sys (Microsoft Corporation)
DRV - (vpnva [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\vpnva.sys (Cisco Systems, Inc.)
DRV - (vsdatant [System | Running]) -- C:\WINDOWS\System32\vsdatant.sys (Zone Labs, LLC)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - prefs.js..browser.startup.homepage: "http://en-us.start.m...en-US:official"
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.6
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758} -> %ProgramFiles%\REAL\REALPLAYER\BROWSERRECORD [C:\PROGRAM FILES\REAL\REALPLAYER\BROWSERRECORD] -> [2008/04/15 02:52:14 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Components -> %ProgramFiles%\MOZILLA FIREFOX\COMPONENTS [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2009/03/01 19:21:16 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Plugins -> %ProgramFiles%\MOZILLA FIREFOX\PLUGINS [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2009/02/12 04:39:51 00,000,000 | ---D | M]
FF - C:\Documents and Settings\home\Application Data\mozilla\Extensions [2009/02/12 04:40:18 00,000,000 | ---D | M]
FF - C:\Documents and Settings\home\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} [2009/02/12 04:40:18 00,000,000 | ---D | M]
FF - C:\Documents and Settings\home\Application Data\mozilla\Firefox\Profiles\gbee9uyi.default\extensions [2007/02/01 20:30:42 00,000,000 | ---D | M]
FF - C:\Program Files\mozilla firefox\extensions [2009/02/12 04:40:20 00,000,000 | ---D | M]
FF - C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2009/02/12 04:39:51 00,000,000 | ---D | M]

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll (BitComet)
O2 - BHO: (Verizon Broadband Toolbar) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll File not found
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (ZoneAlarm Spy Blocker BHO) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL (ZoneAlarm)
O3 - HKLM\..\Toolbar: (Verizon Broadband Toolbar) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll File not found
O3 - HKLM\..\Toolbar: (Veoh Browser Plug-in) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (Veoh Networks Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (ZoneAlarm Spy Blocker) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL (ZoneAlarm)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL (ZoneAlarm)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe (HP)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe (Motive Communications, Inc.)
O4 - HKLM..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE (Eset )
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
O4 - HKLM..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe (Verizon)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKLM..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Zone Labs, LLC)
O4 - HKCU..\Run: [] File not found
O4 - HKCU..\Run: [Google Update] "C:\Documents and Settings\home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (Google Inc.)
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableregistrytools = 0
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\imon.dll (Eset )
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: dewberry.com ([bluesky] https in Trusted sites)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} https://activatemyds...DSL/tgctlcm.cab (Support.com Configuration Class)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.t...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} http://acs.pandasoft...s/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} http://h20264.www2.h...nosticsxp2k.cab (Reg Error: Key error.)
O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} https://bluesky.dewb...ries/vpnweb.cab (Cisco AnyConnect VPN Client Web Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1168025685250 (WUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2....re/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} http://web1.shutterf...ds/Uploader.cab (Shutterfly Picture Upload Plugin)
O16 - DPF: {AD58C149-8AE2-4878-99DC-3A164E32F814} http://appsnet.bentl...d/SAXFileEE.cab (SAXFileEE FileDownload ActiveX Control)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://3dlifeplayer....l/installer.exe (Virtools WebPlayer Class)
O16 - DPF: {D6D5ACA4-4C57-4C75-8D68-BC185E924B4C} http://portals.jacob...eTransferEN.cab (PWFileTransfer Control)
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} http://www.candystan...acheManager.CAB (CacheManager.CacheManagerCtrl)
O18 - Protocol\Handler\ipp Reg Error: Value error. - Reg Error: Key error. File not found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp Reg Error: Value error. - Reg Error: Key error. File not found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[1 C:\Documents and Settings\home\My Documents\*.tmp files]
[2009/03/05 20:36:34 | 00,498,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\home\Desktop\OTListIt2.exe
[2009/03/03 20:48:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\home\My Documents\Downloads
[2009/03/03 20:48:14 | 00,002,237 | ---- | C] () -- C:\Documents and Settings\home\Desktop\Google Chrome.lnk
[2009/03/03 20:47:14 | 00,000,922 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-1326574676-839522115-1003.job
[2009/03/03 20:43:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\home\Local Settings\Application Data\Deployment
[2009/03/03 20:27:08 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/03/03 20:27:05 | 00,388,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.execf
[2009/03/03 20:26:53 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2009/03/03 20:23:10 | 00,388,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cmd.exe
[2009/03/03 20:23:10 | 00,388,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.exe
[2009/03/03 20:22:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\home\Desktop\cmddgi
[2009/03/03 20:16:40 | 00,106,645 | ---- | C] () -- C:\Documents and Settings\home\Desktop\cmddgi.zip
[2009/03/02 19:47:32 | 00,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2009/03/02 12:27:32 | 02,933,037 | R--- | C] () -- C:\Documents and Settings\home\Desktop\ComboFix.exe
[2009/03/02 09:36:21 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\home\Desktop\HijackThis.lnk
[2009/03/02 09:36:19 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/03/02 09:35:48 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\home\Desktop\HJTInstall.exe
[2009/03/02 08:50:20 | 00,133,120 | ---- | C] () -- C:\Documents and Settings\home\My Documents\topo-temp-04606102-Dewberry[2].dgn
[2009/03/01 20:23:41 | 03,863,808 | ---- | C] (ESET) -- C:\Documents and Settings\home\Desktop\SysInspector.exe
[2009/03/01 19:43:31 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/03/01 19:42:49 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\home\Desktop\NTREGOPT.lnk
[2009/03/01 19:42:49 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\home\Desktop\ERUNT.lnk
[2009/03/01 19:42:44 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/03/01 19:40:01 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\home\Desktop\erunt_setup.exe
[2009/03/01 19:30:02 | 00,000,000 | ---D | C] -- C:\Program Files\SystemRestore
[2009/03/01 16:07:40 | 00,102,664 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/03/01 11:21:00 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2009/03/01 11:20:07 | 00,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2009/02/28 07:24:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\home\Application Data\U3
[2009/02/28 07:24:30 | 00,026,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\USBSTOR.SYS
[2009/02/28 07:24:30 | 00,026,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbstor.sys
[2009/02/26 04:19:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/02/26 04:19:19 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/02/26 04:19:15 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/02/26 04:19:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\home\Application Data\SUPERAntiSpyware.com
[2009/02/26 04:18:33 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/02/26 04:17:57 | 06,043,680 | ---- | C] () -- C:\Documents and Settings\home\Desktop\SUPERAntiSpyware.exe
[2009/02/25 22:26:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\home\Application Data\Malwarebytes
[2009/02/25 22:26:34 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/02/25 22:26:34 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/02/25 22:26:31 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/02/25 22:26:29 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/02/25 22:26:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/02/25 22:25:11 | 02,876,720 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\home\Desktop\mbam-setup.exe
[2009/02/24 21:30:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Cisco
[2009/02/24 21:30:38 | 00,000,000 | ---D | C] -- C:\Program Files\Cisco
[2009/02/21 14:51:50 | 00,034,816 | ---- | C] () -- C:\Documents and Settings\home\My Documents\infomercial.doc
[2009/02/20 07:29:12 | 00,003,936 | ---- | C] () -- C:\Documents and Settings\home\My Documents\questions for dr_ fuhrman.eml
[2009/02/16 08:50:02 | 01,602,637 | ---- | C] () -- C:\Documents and Settings\home\Desktop\hr1_engrossed.pdf
[2009/02/11 04:49:13 | 03,252,692 | ---- | C] () -- C:\Documents and Settings\home\Desktop\Dental_Claim_Form.pdf
[2009/02/10 20:11:37 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\home\My Documents\writingideas.doc

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[1 C:\Documents and Settings\home\My Documents\*.tmp files]
[2009/03/05 20:36:57 | 42,594,336 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2009/03/05 20:36:42 | 00,498,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\home\Desktop\OTListIt2.exe
[2009/03/05 20:30:23 | 00,352,917 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2009/03/05 20:30:23 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/05 20:30:13 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/05 19:28:46 | 00,499,892 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2009/03/05 17:49:14 | 00,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-1326574676-839522115-1003.job
[2009/03/04 21:07:53 | 00,001,152 | -H-- | M] () -- C:\Documents and Settings\home\My Documents\Default.rdp
[2009/03/03 20:48:14 | 00,002,237 | ---- | M] () -- C:\Documents and Settings\home\Desktop\Google Chrome.lnk
[2009/03/03 20:27:05 | 00,388,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.execf
[2009/03/03 20:16:40 | 00,106,645 | ---- | M] () -- C:\Documents and Settings\home\Desktop\cmddgi.zip
[2009/03/02 12:29:00 | 02,933,037 | R--- | M] () -- C:\Documents and Settings\home\Desktop\ComboFix.exe
[2009/03/02 09:36:21 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\home\Desktop\HijackThis.lnk
[2009/03/02 09:35:50 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\home\Desktop\HJTInstall.exe
[2009/03/02 08:47:56 | 00,133,120 | ---- | M] () -- C:\Documents and Settings\home\My Documents\topo-temp-04606102-Dewberry[2].dgn
[2009/03/01 20:23:48 | 03,863,808 | ---- | M] (ESET) -- C:\Documents and Settings\home\Desktop\SysInspector.exe
[2009/03/01 19:42:49 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\home\Desktop\NTREGOPT.lnk
[2009/03/01 19:42:49 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\home\Desktop\ERUNT.lnk
[2009/03/01 19:40:24 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\home\Desktop\erunt_setup.exe
[2009/03/01 11:26:54 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/02/26 20:55:35 | 01,656,336 | -H-- | M] () -- C:\Documents and Settings\home\Local Settings\Application Data\IconCache.db
[2009/02/26 04:19:19 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/02/26 04:17:59 | 06,043,680 | ---- | M] () -- C:\Documents and Settings\home\Desktop\SUPERAntiSpyware.exe
[2009/02/25 22:26:34 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/02/25 22:25:31 | 02,876,720 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\home\Desktop\mbam-setup.exe
[2009/02/22 07:32:27 | 00,034,816 | ---- | M] () -- C:\Documents and Settings\home\My Documents\infomercial.doc
[2009/02/20 07:34:44 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\home\My Documents\writingideas.doc
[2009/02/20 07:29:14 | 00,003,936 | ---- | M] () -- C:\Documents and Settings\home\My Documents\questions for dr_ fuhrman.eml
[2009/02/16 16:50:22 | 00,141,824 | ---- | M] () -- C:\Documents and Settings\home\Desktop\polliwogplaceexpenses.xls
[2009/02/16 16:50:05 | 00,141,824 | ---- | M] () -- C:\Documents and Settings\home\My Documents\polliwogplaceexpenses.xls
[2009/02/16 08:50:02 | 01,602,637 | ---- | M] () -- C:\Documents and Settings\home\Desktop\hr1_engrossed.pdf
[2009/02/15 16:22:02 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/02/11 10:19:42 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/02/11 10:19:34 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/02/11 04:49:13 | 03,252,692 | ---- | M] () -- C:\Documents and Settings\home\Desktop\Dental_Claim_Form.pdf
[2009/02/10 10:38:15 | 00,002,495 | ---- | M] () -- C:\Documents and Settings\home\Desktop\Microsoft Office Excel 2003.lnk

========== LOP Check ==========

[2009/02/26 04:19:33 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/03/01 07:51:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2007/04/07 09:08:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Bentley
[2008/02/06 19:22:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Bentley-08.11.00.50-WIP
[2009/02/24 21:30:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cisco
[2008/09/21 07:59:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2007/12/25 20:53:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2008/10/21 05:50:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\itmvozkh
[2008/08/26 03:54:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
[2009/02/25 22:26:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/02/24 21:30:42 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2007/01/29 19:39:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Motive
[2008/08/23 07:44:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NOS
[2008/02/25 20:38:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Quark
[2009/02/26 04:19:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2008/10/12 09:35:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/01/05 14:40:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2007/11/01 15:16:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2009/02/28 08:38:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
[2009/02/28 07:24:46 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\home\Application Data
[2009/03/01 07:53:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\Adobe
[2007/04/07 09:08:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\Bentley
[2009/02/28 08:53:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\CameraWindowDC
[2008/04/25 20:44:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\CANON INC
[2008/08/23 18:58:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2007/02/11 19:27:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\DivX
[2008/02/18 09:07:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\Google
[2007/01/05 14:33:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\Identities
[2008/11/26 12:14:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\Luxology
[2007/07/05 06:22:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\Macromedia
[2009/02/25 22:26:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\Malwarebytes
[2008/04/29 19:06:43 | 00,000,000 | --SD | M] -- C:\Documents and Settings\home\Application Data\Microsoft
[2007/02/05 08:16:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\Motive
[2008/10/22 06:04:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\Move Networks
[2009/02/12 04:40:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\Mozilla
[2007/11/29 21:41:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\ProjectWise
[2008/02/25 20:41:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\Quark
[2008/01/30 07:48:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\Real
[2007/02/03 21:28:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\SecondLife
[2007/01/29 19:46:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\Sun
[2009/02/26 04:19:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\SUPERAntiSpyware.com
[2009/02/28 07:27:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\U3
[2007/01/29 19:36:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\Verizon
[2007/06/12 21:01:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\vlc
[2007/11/01 15:16:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\Yahoo!
[2009/02/28 08:59:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\home\Application Data\ZoomBrowser EX
[2004/08/04 07:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/03/05 17:49:14 | 00,000,922 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-1326574676-839522115-1003.job
[2009/03/05 20:30:23 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========


========== Alternate Data Streams ==========

@Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D455373F
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5DAABF18
@Alternate Data Stream - 0 bytes -> C:\Documents and Settings\home\Desktop\Thumbs.db:encryptable
< End of report>

############################################################
Here's extras.txt

OTListIt Extras logfile created on: 3/5/2009 8:39:53 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.3.4 Folder = C:\Documents and Settings\home\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 208.50 Mb Available Physical Memory | 40.88% Memory free
1.22 Gb Paging File | 0.88 Gb Available in Paging File | 72.24% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 6.19 Gb Free Space | 16.64% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOMEPC
Current User Name: home
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.scr [@ = MicroStation Resource] -- Reg Error: Key error. File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- C:\Documents and Settings\home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (Google Inc.)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour File not found

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{0405E51E-9582-4207-8F38-AC44201D3808}" = VeohTV BETA
"{0DF34F71-6182-474F-B6FE-0B2AF069E6FD}" = VBA (2627.01)
"{17E1BC18-8B8C-4160-B759-C47294B5A9C2}" = Cisco AnyConnect VPN Client
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth
"{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}" = Rhapsody Player Engine
"{2472DD00-D197-4310-A8ED-0171119A84C9}" = Bentley MicroStation V8 Athens Edition 08.11.00.50-WIP
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA5E4CC-58ED-4ED0-AC9E-ED0759E9166E}" = RedistSysFiles
"{5AD315BE-2E3E-446D-8FF9-75A73445DC47}" = Bentley MicroStation V8i 08.11.05.17
"{624D19C3-D55D-4368-BC10-9B53036D8358}" = HP Driver Diagnostics
"{6C902450-3EEB-4A9D-9B34-A42248B8C30F}" = Bentley MicroStation V8 XM Edition 08.09.03.65
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8C167BA1-A880-45DE-AC2D-5B9201BF4040}" = Bentley InRoads Group XM Edition (V8.9)
"{90F50409-6000-11D3-8CFE-0150048383C9}" = Visual Basic for Applications ® Core
"{90F60409-6000-11D3-8CFE-0150048383C9}" = Visual Basic for Applications ® Core - English
"{91E30409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9CCE527D-356F-41A8-9718-77A68AC065FB}" = PlayLinc
"{9FDA98CF-9B2E-439C-95D9-BCD7D5713D60}" = MicroStation
"{9FDA98CF-9B2E-439C-95D9-BCD7D5713D60}_0" = Bentley MicroStation (V 08.05.02.55) - 1
"{A13D16C5-38A9-4D96-9647-59FCCAB12A85}" = Visual Basic for Applications ® Core - English
"{A38048C6-89D1-44EC-BC95-E95DD4A19B5E}" = QuarkXPress 7.31
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0}" = RemoteCapture 2.7.0
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{E7E254C0-94AA-4B33-AF6D-5276A169A680}" = TONKA Search & Rescue 2
"{EF0DD8B7-471C-463B-A298-6066C2FABAF5}" = File Viewer Utility 1.2
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{FB97C283-1F3C-42D4-AE01-ADC1DC12F774}" = Visual Basic for Applications ® Core
"7-Zip" = 7-Zip 4.57
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Bentley MicroStation (V 07.01.05.03)" = Bentley MicroStation (V 07.01.05.03)
"BitComet" = BitComet 0.83
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CSCLIB" = Canon Camera Support Core Library
"Diego's Wolfpup Rescue" = Diego's Wolfpup Rescue
"Dig'nRigs" = Dig'nRigs
"DivX Content Uploader" = DivX Content Uploader
"Dr. Seuss Kindergarten 1.0" = Dr. Seuss Kindergarten
"EOS Utility" = Canon Utilities EOS Utility
"ERUNT_is1" = ERUNT 1.1j
"FLVPlayer" = FLV Player 1.3.3
"HijackThis" = HijackThis 2.0.2
"hp deskjet 960c series" = hp deskjet 960c series (Remove only)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{0405E51E-9582-4207-8F38-AC44201D3808}" = VeohTV BETA
"InstallShield_{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0}" = Canon Utilities RemoteCapture 2.7
"InstallShield_{EF0DD8B7-471C-463B-A298-6066C2FABAF5}" = Canon Utilities File Viewer Utility 1.2
"JSKR_1.2" = JumpStart Reading for Kindergartners v1.2
"JSMUSIC_1.0" = JumpStart Music v1.0
"KG98_2.5" = JumpStart Kindergarten 98 v2.5
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"mbjr32" = Math Blaster Ages 4-6
"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5
"Millie and Bailey Preschool" = Millie and Bailey Preschool
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.0.6)" = Mozilla Firefox (3.0.6)
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NOD32" = NOD32 Antivirus System
"PhotoRecord" = Canon PhotoRecord
"PhotoStitch" = Canon Utilities PhotoStitch
"PROSet" = Intel® PRO Network Connections Drivers
"QuickTime 3.0" = QuickTime 3.0
"RadialpointClientGateway_is1" = Verizon Servicepoint 1.3.21
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RealPlayer 6.0" = RealPlayer
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Verizon Online Help and Support" = Verizon Online Help and Support
"Virtools3DLifePlayer" = Virtools 3D Life Player
"VLC media player" = VideoLAN VLC media player 0.8.6b
"VZBB" = Verizon Broadband Toolbar
"WIC" = Windows Imaging Component
"Winamp" = Winamp (remove only)
"Windows Media Format Runtime" = Windows Media Format Runtime
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar
"ZoneAlarm" = ZoneAlarm
"ZoneAlarmSB Uninstall" = ZoneAlarm Spy Blocker
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
  • 0

#6
tfelcone

    New Member

  • Topic Starter
  • Member
  • 8 posts
....and the rest of extras.txt

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/7/2008 7:00:19 AM | Computer Name = HOMEPC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16608, faulting
module unknown, version 0.0.0.0, fault address 0x02db93c5.

Error - 5/12/2008 9:38:25 AM | Computer Name = HOMEPC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16608, faulting
module unknown, version 0.0.0.0, fault address 0x02d74319.

Error - 5/14/2008 7:20:46 PM | Computer Name = HOMEPC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16608, faulting
module unknown, version 0.0.0.0, fault address 0x02d55c18.

Error - 5/31/2008 8:56:38 AM | Computer Name = HOMEPC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16608, faulting
module unknown, version 0.0.0.0, fault address 0x05d56d5a.

Error - 6/5/2008 3:38:15 PM | Computer Name = HOMEPC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16608, faulting
module imon.dll, version 2.70.32.0, fault address 0x0002472a.

Error - 6/6/2008 4:39:23 AM | Computer Name = HOMEPC | Source = Application Error | ID = 1000
Description = Faulting application vlc.exe, version 0.8.6.0, faulting module libffmpeg_plugin.dll,
version 0.0.0.0, fault address 0x0019cad8.

Error - 7/3/2008 8:24:08 AM | Computer Name = HOMEPC | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16608, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/18/2008 9:26:07 AM | Computer Name = HOMEPC | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/22/2008 1:00:01 PM | Computer Name = HOMEPC | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/29/2008 6:42:34 PM | Computer Name = HOMEPC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16608, faulting
module unknown, version 0.0.0.0, fault address 0x001a9710.

[ Cisco AnyConnect VPN Client Events ]
Error - 2/24/2009 10:40:30 PM | Computer Name = HOMEPC | Source = vpnagent | ID = 50331649
Description = Function: CCstpProtocol::sendCloseMessage Return code: 0xFE1C000B File:
C:\temp\build\thehoff\release0.662121392113-Mon-23-Apr-2007-10-08-48\release\Agent\CstpProtocol.cpp
Line:
652 Description: TLSPROTOCOL_ERROR_CONNECTION_PENDING

Error - 2/24/2009 10:40:30 PM | Computer Name = HOMEPC | Source = vpnagent | ID = 50331649
Description = Function: initiateTunnel Return code: 0xFE1F0018 File: C:\temp\build\thehoff\release0.662121392113-Mon-23-Apr-2007-10-08-48\release\Agent\CstpProtocol.cpp
Line:
1113 Description: SOCKETTRANSPORT_ERROR_TRANSPORT_SHUTDOWN_BY_USER

Error - 2/24/2009 10:40:30 PM | Computer Name = HOMEPC | Source = vpnagent | ID = 50331649
Description = Function: ITunnelProtocol::initiateTunnel Return code: 0xFE1F0018 File:
C:\temp\build\thehoff\release0.662121392113-Mon-23-Apr-2007-10-08-48\release\Agent\TunnelStateMgr.cpp
Line:
806 Description: SOCKETTRANSPORT_ERROR_TRANSPORT_SHUTDOWN_BY_USER

Error - 2/24/2009 10:40:30 PM | Computer Name = HOMEPC | Source = vpnagent | ID = 50331649
Description = Function: CTunnelStateMgr::initiateComplete Return code: 0xFE1F0018
File:
C:\temp\build\thehoff\release0.662121392113-Mon-23-Apr-2007-10-08-48\release\Agent\TunnelMgr.cpp
Line:
636 Description: SOCKETTRANSPORT_ERROR_TRANSPORT_SHUTDOWN_BY_USER

Error - 2/24/2009 10:40:30 PM | Computer Name = HOMEPC | Source = vpnagent | ID = 50331649
Description = Function: CTlsTunnelMgr::initiateTunnel Return code: 0xFE1F0018 File:
C:\temp\build\thehoff\release0.662121392113-Mon-23-Apr-2007-10-08-48\release\Agent\VpnMgr.cpp
Line:
2565 Description: SOCKETTRANSPORT_ERROR_TRANSPORT_SHUTDOWN_BY_USER

Error - 2/24/2009 10:40:30 PM | Computer Name = HOMEPC | Source = vpnagent | ID = 50331649
Description = Function: ITunnelProtocol::terminateTunnel Return code: 0xFE1C000B File:
C:\temp\build\thehoff\release0.662121392113-Mon-23-Apr-2007-10-08-48\release\Agent\TunnelStateMgr.cpp
Line:
253 Description: TLSPROTOCOL_ERROR_CONNECTION_PENDING

Error - 2/24/2009 10:40:30 PM | Computer Name = HOMEPC | Source = vpnagent | ID = 50331649
Description = Function: CTunnelStateMgr::terminateTunnel Return code: 0xFE1C000B File:
C:\temp\build\thehoff\release0.662121392113-Mon-23-Apr-2007-10-08-48\release\Agent\TunnelMgr.cpp
Line:
289 Description: TLSPROTOCOL_ERROR_CONNECTION_PENDING

Error - 2/24/2009 10:43:47 PM | Computer Name = HOMEPC | Source = vpndownloader | ID = 50659329
Description = Function: stat Return code: 2 File: C:\temp\build\thehoff\release0.662121392113-Mon-23-Apr-2007-10-08-48\release\Downloader\ManifestInfo.cpp
Line:
1203 Description: The system cannot find the file specified.

Error - 2/24/2009 10:43:47 PM | Computer Name = HOMEPC | Source = vpndownloader | ID = 50659329
Description = Function: FileCbSize Return code: 0xFE000002 File: C:\temp\build\thehoff\release0.662121392113-Mon-23-Apr-2007-10-08-48\release\Downloader\ManifestInfo.cpp
Line:
171 Description: unknown

Error - 2/24/2009 10:43:48 PM | Computer Name = HOMEPC | Source = vpndownloader | ID = 50659329
Description = Function: CIPAddr::setIPAddress Return code: 0xFE24000A File: C:\temp\build\thehoff\release0.662121392113-Mon-23-Apr-2007-10-08-48\release\Common\Utility\ipaddr.cpp
Line:
100 Description: unknown

[ System Events ]
Error - 2/25/2009 5:50:15 AM | Computer Name = HOMEPC | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 2/25/2009 5:50:15 AM | Computer Name = HOMEPC | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.


< End of report >
  • 0

#7
handhfan

handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware that it is NOT supported for use on 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 12.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u12-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on the jre-6u12-windows-i586-p.exe and select "Run as an Administrator.")

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11


Please do an online scan with Kaspersky WebScanner

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following are checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply, along with a new HijackThis log.

  • 0

#8
tfelcone

tfelcone

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Handhfan,

Updated Java, will run kaspersky and HJT when I get home tonight.

Thx,

Tom F.
  • 0

#9
handhfan

handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
Okay. :)
  • 0

#10
tfelcone

tfelcone

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Handhfan,

Here's the Kaspersky OL scan log and the HJT log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, March 6, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, March 07, 2009 00:26:53
Records in database: 1875644
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 73971
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:35:58

No malware has been detected. The scan area is clean.

The selected area was scanned.

-------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:35 PM, on 3/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKLM\..\Policies\Explorer\Run: [OVdEmZfvwO] C:\Documents and Settings\All Users\Application Data\itmvozkh\cninqnwt.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} (Cisco AnyConnect VPN Client Web Control) - https://bluesky.dewb...ries/vpnweb.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1168025685250
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {AD58C149-8AE2-4878-99DC-3A164E32F814} (SAXFileEE FileDownload ActiveX Control) - http://appsnet.bentl...d/SAXFileEE.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer....l/installer.exe
O16 - DPF: {D6D5ACA4-4C57-4C75-8D68-BC185E924B4C} (PWFileTransfer Control) - http://portals.jacob...eTransferEN.cab
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystan...acheManager.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9157 bytes

Let me know if you need anything else.

Tom F.
  • 0

#11
handhfan

handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
Is your computer running better now?
  • 0

#12
tfelcone

tfelcone

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Let's see...
No irritating Google redirects.
DOS Window opens again
Regedit works again
Can use my company's VPN
Yes much better.
Thanks.
Anything else I should do?

Tom F.
  • 0

#13
handhfan

handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
Your logs look clean. There is only a bit of cleanup that we will deal with in this post, as well as prevention from future infections. If you have any questions or other problems, please let me know. Other than that, and the steps below, you should be all set. :)

  • Make sure you have an Internet Connection.
  • Download OTCleanIt to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTCleanUp to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Please update Adobe Reader, by downloading and installing Adobe Reader 9.

Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard gives you realtime protection from spyware.
  • Super Antispyware OR Malwarebytes' Anti-Malware to help remove any spyware that may have gotten on your computer.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed.
  • Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see this article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

To keep your operating system up to date visit Microsoft Windows Update monthly. Remember to be aware of what emails you open and websites you visit.

Have a safe and happy computing day!
  • 0

#14
tfelcone

tfelcone

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Handhfan,

Ran OTCleanIT
Updated to Acrobat 9
Set new System Restore Point.
Have ERUNT, Malwarebytes.
Have SpywareGuard.
Have SpywareBlaster.
Updated HOSTS File.
Recovery console is installed.

Thanks for all your help and security tips.

Tom F.
  • 0

#15
handhfan

handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0