WiredWX Christian Hobby Weather Tools
here is my "HijackThis" Tell me if anything looks suspicious-updated

For my peace of mind, I would like to know if anything looks suspicious in any of the information that is included in this HijackThis log. Not too long ago I had some virus issues; I want to make sure they have been resolved. And as you probably already know, I helped my friend with some infections of his own, and when I opened some files that were transported from his system to my system using a USB, I got some of his nasties. LOL. Luckily my antivirus program picked up on it immediately and quarantined them.

So, to make a long story short, I just want to make sure that I am completely clean. 😉

Thanks for all the help guyz

----------------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:20 PM, on 2/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MailFrontier\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Installations\HIJACKTHIS\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - F:\PROGRAMS Files\SnagIt 9.1.0.206\SnagitBHO.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - F:\PROGRAMS Files\SnagIt 9.1.0.206\SnagitIEAddin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINNT\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINNT\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://Download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O20 - Winlogon Notify: vtsqp - C:\WINNT\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Owner\Desktop\ToDo.html

--
End of file - 6322 bytes

Last edited by Zorx on 28th February 2009, 2:03 am; edited 2 times in total

Re: here is my "HijackThis" Tell me if anything looks suspicious

Here is a more recent log file from HijackThis. I cleaned a few things recently with Malwarebytes, so there might be fewer things wrong with my comp. Here it is.


----------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:43 PM, on 2/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MailFrontier\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\NOTEPAD.EXE
H:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - F:\PROGRAMS Files\SnagIt 9.1.0.206\SnagitBHO.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - F:\PROGRAMS Files\SnagIt 9.1.0.206\SnagitIEAddin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINNT\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINNT\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://Download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O20 - Winlogon Notify: vtsqp - C:\WINNT\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Owner\Desktop\ToDo.html

--
End of file - 6327 bytes
-------------------

Re: here is my "HijackThis" Tell me if anything looks suspicious

Hello.
This log looks okay.
There is one leftover and Java needs updating, but I don't class this as 'infected' and not really an emergency, so let's work on the other machine before I work on this; I don't want to get confused.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: here is my "HijackThis" Tell me if anything looks suspicious

Sorry, I don't want that either.

Please as you were. :whistle:

Re: here is my "HijackThis" Tell me if anything looks suspicious

Here is my updated HijackThis log.
-----------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:08 PM, on 2/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MailFrontier\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Installations\HIJACKTHIS\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINNT\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINNT\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - Global Startup: Logitech SetPoint.lnk = ?
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://Download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O20 - Winlogon Notify: vtsqp - C:\WINNT\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Owner\Desktop\ToDo.html

--
End of file - 6140 bytes

Re: here is my "HijackThis" Tell me if anything looks suspicious

Also, I see a few entries in the above log as 'no name'; what does that mean?

Re: here is my "HijackThis" Tell me if anything looks suspicious

Hello.
I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this; otherwise this fix will fail.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: http://Download.windowsupdate.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
    O20 - Winlogon Notify: vtsqp - C:\WINNT\

    This line, do you know what it is?
    O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Owner\Desktop\ToDo.html <<< if you haven't set this yourself, fix it along with the rest of the above lines.


  • Press "Fix Checked"
  • Close Hijack This.


Re: here is my "HijackThis" Tell me if anything looks suspicious

Yes, that is a file on my Active Desktop that I created; it is a to-do list. I'm gonna work on those steps; I'll get back to you as soon as I'm done.

Re: here is my "HijackThis" Tell me if anything looks suspicious

I understand these files I'm deleting are not threats per se, but can you give me the reasoning behind deleting the Windows Update and Java plugins?

Re: here is my "HijackThis" Tell me if anything looks suspicious

Hello.

I'm not deleting the Windows updates in general; I'm deleting the trusted zone entries. Using the trusted zone is a bad idea: setting a domain in the trusted zone allows that domain to send anything to your machine WITHOUT it being questioned. It's just a security measure.

The Java items are ActiveX, not plugins. They are empty items; there's no .cab file for the Java ActiveX to launch, and malware can abuse this.

The last Winlogon Notify looks like a leftover Vundo key.

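The triage the admin walks through above (tick the O15 Trusted Zone lines, the O16 Java DPF entries with no .cab target and the O20 Winlogon Notify key, and confirm the O24 Active Desktop item with the user) plus the reasoning given for each, as an added example that is not part of the original thread or of HijackThis itself. It is a small Python script over constructed lines in HijackThis v2.0.2 log format, modelled on the entries posted rather than copied from the full log; the verdicts and wording are this example's own.

```python
"""Triage HijackThis v2.0.2 log lines for the entry classes discussed in the thread."""
import re

# Constructed sample (not the poster's full log), covering the entry types under discussion.
SAMPLE_LOG = """\
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://Download.windowsupdate.com
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O20 - Winlogon Notify: vtsqp - C:\\WINNT\\
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\\Program Files\\Sandboxie\\SbieSvc.exe
O24 - Desktop Component 1: (no name) - C:\\Documents and Settings\\Owner\\Desktop\\ToDo.html
"""

# "O16 - DPF: {CLSID} (optional name) - target"; an empty target is an orphaned ActiveX entry.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>[^)]*)\))? -\s*(?P<target>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")

# Verdicts: FIX = tick the line before "Fix Checked"; ASK = confirm with the user first.
FIX, ASK = "fix", "ask"


def classify(line):
    """Return (verdict, reason) for one HijackThis line, or None if there is nothing to flag."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    if section == "O15":
        # A Trusted Zone domain is exempt from the usual IE zone restrictions.
        return FIX, "Trusted Zone entry: content from this domain bypasses the normal checks"

    if section == "O16":
        d = DPF_RE.match(body)
        if d and not d.group("target"):
            # Registered ActiveX download with no .cab to load: an empty, abusable registration.
            return FIX, "DPF entry with no download target (orphaned ActiveX registration)"
        return None

    if section == "O20":
        n = NOTIFY_RE.match(body)
        if n and not n.group("target").lower().endswith(".dll"):
            # A Winlogon Notify handler must be a DLL; a bare directory is a leftover key.
            return FIX, "Winlogon Notify handler '%s' points to a directory, not a DLL" % n.group("name")
        return None

    if section in ("O2", "O3", "O9") and body.endswith("(no file)"):
        # "(no file)" means the referenced file is missing. "(no name)" only means the
        # entry has no display name and is not by itself suspicious.
        return FIX, "entry whose file is missing (dead registration)"

    if section == "O24":
        # Active Desktop components are user-configurable; confirm before removing.
        return ASK, "Active Desktop component: confirm the user created it"

    return None


def review(log_text):
    """Return [(verdict, reason, line)] for every flagged line in a log."""
    findings = []
    for raw in log_text.splitlines():
        result = classify(raw)
        if result:
            findings.append((result[0], result[1], raw.strip()))
    return findings


def lines_to_fix(log_text):
    """The lines a helper would tell the user to tick before pressing 'Fix Checked'."""
    return [line for verdict, _, line in review(log_text) if verdict == FIX]


if __name__ == "__main__":
    for verdict, reason, line in review(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (verdict.upper(), reason, line))
```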

Re: here is my "HijackThis" Tell me if anything looks suspicious

That trusted zone was created through ZoneAlarm, I think.

Do you think I should modify ZoneAlarm in some way to change the trusted zone configuration, or find myself a different firewall program? The thing is, I don't want this problem again in the future, and I've been thinking of switching programs for a while. ZoneAlarm has too many program prompts in my opinion.

Re: here is my "HijackThis" Tell me if anything looks suspicious

There are a few different choices for firewalls I can provide, but I want to see a DDS log first to make sure everything looks okay.


Re: here is my "HijackThis" Tell me if anything looks suspicious

Sure, I'll run DDS now.

Re: here is my "HijackThis" Tell me if anything looks suspicious

OK, here is the DDS log file.

-----------------


DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 21:34:49.12 on Fri 02/27/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.382 [GMT -5:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *enabled*

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\svchost.exe -k HPZ12
C:\WINNT\System32\svchost.exe -k HPZ12
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINNT\System32\svchost.exe -k imgsvc
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MailFrontier\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
H:\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = www.google.com
uSearch Bar =
mWindow Title = internet explorer
uSearchAssistant = www.msn.com
uCustomizeSearch = www.msn.com
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [IMJPMIG8.1] c:\winnt\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\winnt\ime\imkr6_1\IMEKRMIG.EXE
mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
mRun: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: &AOL Toolbar search
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\v4.Windowsupdate
Trusted Zone: microsoft.com\Windowsupdate
DPF: Microsoft XML Parser for Java
DPF: {1D0D9077-3798-49BB-9058-393499174D5D}
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\zreqny3k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.getrichslowly.org/blog/2008/07/02/how-to-open-multiple-accounts-at-ing-direct/|http://lifehacker.com
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\zreqny3k.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\zreqny3k.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\zreqny3k.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\progra~1\mozill~1\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\winnt\system32\drivers\klif.sys [2008-12-2 148496]
R1 vsdatant;vsdatant;c:\winnt\system32\vsdatant.sys [2007-7-31 353680]
R2 vsmon;TrueVector Internet Monitor;c:\winnt\system32\zonelabs\vsmon.exe -service --> c:\winnt\system32\zonelabs\vsmon.exe -service [?]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-1-5 103936]
R3 scrcap;scrcap;c:\winnt\system32\drivers\scrcap.sys [2006-9-27 9006]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\winnt\system32\drivers\usbscan.sys [2007-2-11 15104]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-9-8 33752]
S3 iscFlash;iscFlash;\??\c:\winnt\system32\drivers\iscflash.sys --> c:\winnt\system32\drivers\iscflash.sys [?]

=============== Created Last 30 ================

2009-02-26 22:23 54,156 a---h--- c:\winnt\QTFont.qfn
2009-02-26 22:23 1,409 a------- c:\winnt\QTFont.for
2009-02-21 14:17 -cd----- C:\Sandbox
2009-02-21 14:15 1,670 a------- c:\winnt\Sandboxie.ini
2009-02-21 14:14 --d----- c:\program files\Sandboxie
2009-02-20 19:44 361,600 a------- c:\winnt\system32\drivers\TCPIP.SYS.ORIGINAL
2009-02-20 18:39 --d----- c:\program files\GRETECH
2009-02-20 09:15 --d----- c:\program files\Uniblue
2009-02-20 09:15 --d----- c:\docume~1\alluse~1\applic~1\DriverScanner
2009-02-20 09:12 -cd-h--- c:\docume~1\alluse~1\applic~1\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-02-17 21:25 410,984 a------- c:\winnt\system32\deploytk.dll
2009-02-16 23:07 --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-02-16 23:07 15,504 a------- c:\winnt\system32\drivers\mbam.sys
2009-02-16 23:07 38,496 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-02-16 23:07 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-16 23:07 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-10 18:42 1,642,496 a------- c:\winnt\system32\ChilkatMail_v7_9.dll
2009-02-10 18:42 1,085,440 a------- c:\winnt\system32\ChilkatSocket.dll
2009-02-10 18:42 659,456 a------- c:\winnt\system32\ChilkatCharset.dll
2009-02-10 18:42 569,344 a------- c:\winnt\system32\CkString.dll
2009-02-10 18:42 1,294,336 a------- c:\winnt\system32\ChilkatXml.dll
2009-02-10 18:42 1,122,304 a------- c:\winnt\system32\ChilkatHttp.dll
2009-02-08 21:50 --d----- c:\program files\TubeSpinner.com
2009-02-08 20:10 --d----- c:\docume~1\alluse~1\applic~1\GlobalSCAPE
2009-02-08 20:07 --d----- c:\program files\GlobalSCAPE
2009-02-06 18:00 --d----- c:\documents and settings\all users\Micro Niche Finder
2009-02-06 18:00 --d----- c:\docume~1\alluse~1\applic~1\Micro Niche Finder
2009-02-06 17:59 --d----- c:\program files\Micro Niche Finder
2009-02-06 00:03 685,056 a------- c:\winnt\is-7V1E1.exe
2009-02-06 00:03 10,498 a------- c:\winnt\is-7V1E1.msg
2009-02-06 00:03 804 a------- c:\winnt\is-7V1E1.lst
2009-02-05 22:10 765,736 a------- c:\winnt\system32\MSWORD.OLB
2009-02-05 22:10 --d----- c:\program files\SENuke
2009-02-05 21:59 64,000 a------- c:\winnt\system32\wiaaut.oca
2009-02-05 21:59 547,840 a------- c:\winnt\system32\wiaaut.dll
2009-02-05 21:59 102,400 a------- c:\winnt\system32\DinkITXPUIMenus.ocx
2009-02-05 21:59 65,536 a------- c:\winnt\system32\EnhSliderOcx.ocx
2009-01-30 21:19 --d-h--- c:\winnt\PIF
2009-01-28 21:59 389,120 -------- c:\winnt\system32\fpres632.dll
2009-01-28 21:59 385,024 -------- c:\winnt\system32\fpmon6.dll

==================== Find3M ====================

2009-02-27 21:35 220,589,856 a--sh--- c:\winnt\system32\drivers\fidbox.dat
2009-02-27 00:28 2,945,768 a--sh--- c:\winnt\system32\drivers\fidbox.idx
2009-02-21 20:27 361,600 a------- c:\winnt\system32\drivers\TCPIP.SYS
2009-02-06 00:36 147,728 a------- c:\winnt\system32\asycfilt.dll.tmp
2008-12-25 16:24 4,212 a---hr-- c:\winnt\system32\zllictbl.dat
2008-12-14 23:14 82,312 ac------ c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2003-03-28 15:00 30,573 ac------ c:\program files\servers-original.ini
2001-06-20 15:19 40,960 ac------ c:\program files\ACMonitor_X83.exe
2001-01-07 21:49 2,012 ac------ c:\program files\readme multiproxy.txt
2004-10-08 18:01 56 -c-shr-- c:\winnt\system32\D159613D6A.sys
2006-05-03 04:06 163,328 -c-shr-- c:\winnt\system32\flvDX.dll
2007-02-21 05:47 31,232 -c-shr-- c:\winnt\system32\msfDX.dll
2007-04-17 14:59 1,392,628 -c-sh--- c:\winnt\system32\pqstv.bak2
2007-04-27 21:12 1,419,309 -c-sh--- c:\winnt\system32\pqstv.ini2
2009-02-27 21:36 220,593,440 a--sh--- c:\winnt\system32\drivers\fidbox.dat

============= FINISH: 21:39:08.92 ===============

Re: here is my "HijackThis" Tell me if anything looks suspicious

Hello.
Guess I was right about the vundo, two leftover files from it.
Run this quick bat file, other than this, the log looks fine.

Now open a new notepad file.
Input this into the notepad file:

@echo off
rem clear the hidden and system attributes on each file first; del refuses such files
attrib -h -s c:\winnt\system32\pqstv.bak2
del c:\winnt\system32\pqstv.bak2
attrib -h -s c:\winnt\system32\pqstv.ini2
del c:\winnt\system32\pqstv.ini2
rem delete this batch file itself
del "%~f0"
exit


Save this as fix.bat, save it to your desktop.
Double click fix.bat and the black cmd window will open and close, this is normal.

Finally, some good free firewalls are Kerio or Outpost.
A tutorial on understanding and using firewalls may be found here.

Remember, if you switch firewalls, uninstall ZoneAlarm, otherwise it will conflict with whichever firewall you have chosen.
===

I'm off to bed now, cya soon.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
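The reasoning behind that post, as an added example that is not part of the original thread or of the DDS tool: read the eight-character attribute column of DDS file entries (a plain file in system32 carrying both the system and hidden attributes is what marks the two pqstv leftovers in the log above) and then generate the cleanup batch with an explicit path on every attrib line. The attribute positions (a, c, d, s, h, r) are an assumption inferred from the entries in the log; the known_good allowlist is constructed for the demonstration, not a verdict from the thread.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# A DDS file entry: "2007-04-17 14:59 1,392,628 -c-sh--- c:\winnt\system32\pqstv.bak2"
# (directories have no size). The attribute column is read positionally, an assumption
# inferred from the log: a=archive c=compressed d=directory s=system h=hidden r=read-only.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+) )?(?P<flags>[a-z-]{8}) (?P<path>\S.*)$"
)

@dataclass
class Entry:
    date: str
    size: Optional[int]      # None for directories
    directory: bool
    system: bool
    hidden: bool
    readonly: bool
    path: str

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one DDS file line; headers, blanks and other text give None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    f = m.group("flags")
    size = int(m.group("size").replace(",", "")) if m.group("size") else None
    return Entry(date=m.group("date"), size=size, directory=f[2] == "d",
                 system=f[3] == "s", hidden=f[4] == "h", readonly=f[5] == "r",
                 path=m.group("path"))

def hidden_system_files(lines: Iterable[str], folder: str = "\\system32\\",
                        known_good: Iterable[str] = ()) -> List[str]:
    """Plain files under `folder` carrying both system and hidden attributes,
    the combination that a bare `del` refuses to remove. Basenames listed in
    `known_good` (case-insensitive) are skipped; paths come back in log order."""
    skip = {n.lower() for n in known_good}
    out = []
    for line in lines:
        e = parse_entry(line)
        if e is None or e.directory or not (e.system and e.hidden):
            continue
        if folder not in e.path.lower():
            continue
        if e.path.rsplit("\\", 1)[-1].lower() in skip:
            continue
        out.append(e.path)
    return out

def build_fix_bat(paths: Iterable[str]) -> str:
    """Batch text that clears the blocking attributes on each file and then
    deletes it. attrib with no path acts on the current directory, so every
    attrib line names its target explicitly."""
    lines = ["@echo off"]
    for p in paths:
        lines.append(f'attrib -h -s -r "{p}"')
        lines.append(f'del "{p}"')
    lines.append('del "%~f0"')   # the batch file removes itself last
    return "\r\n".join(lines) + "\r\n"

# Constructed sample: lines copied from the Find3M / Created Last 30 sections
# of the log above, with a hidden-only file and a directory as controls.
SAMPLE_LOG = """\
2009-02-26 22:23 54,156 a---h--- c:\\winnt\\QTFont.qfn
2009-02-21 14:17 -cd----- C:\\Sandbox
2009-02-27 21:35 220,589,856 a--sh--- c:\\winnt\\system32\\drivers\\fidbox.dat
2007-04-17 14:59 1,392,628 -c-sh--- c:\\winnt\\system32\\pqstv.bak2
2007-04-27 21:12 1,419,309 -c-sh--- c:\\winnt\\system32\\pqstv.ini2
2009-02-21 20:27 361,600 a------- c:\\winnt\\system32\\drivers\\TCPIP.SYS
"""

if __name__ == "__main__":
    # fidbox.dat excluded as an already-reviewed file (constructed allowlist, an assumption)
    targets = hidden_system_files(SAMPLE_LOG.splitlines(), known_good={"fidbox.dat"})
    print(targets)
    print(build_fix_bat(targets))
```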

Re: here is my "HijackThis" Tell me if anything looks suspicious

I'll take a look at those shortly.

As for my friend's computer, to be on the safe side should I do a DDS log after I run that fix.reg file? You didn't mention it in your last post in that thread.

thanks

Re: here is my "HijackThis" Tell me if anything looks suspicious

Here is the DDS again, I believe the files still exist.

I also noticed as I was running the fix.bat file, I almost didn't catch it, but it said "could not find.." or something like that. Anyway, here is the log


-----------------\\

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 21:52:07.08 on Fri 02/27/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.413 [GMT -5:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *enabled*

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\svchost.exe -k HPZ12
C:\WINNT\System32\svchost.exe -k HPZ12
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINNT\System32\svchost.exe -k imgsvc
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MailFrontier\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
H:\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = www.google.com
uSearch Bar =
mWindow Title = internet explorer
uSearchAssistant = www.msn.com
uCustomizeSearch = www.msn.com
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [IMJPMIG8.1] c:\winnt\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\winnt\ime\imkr6_1\IMEKRMIG.EXE
mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
mRun: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: &AOL Toolbar search
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\v4.Windowsupdate
Trusted Zone: microsoft.com\Windowsupdate
DPF: Microsoft XML Parser for Java
DPF: {1D0D9077-3798-49BB-9058-393499174D5D}
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\zreqny3k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.getrichslowly.org/blog/2008/07/02/how-to-open-multiple-accounts-at-ing-direct/|http://lifehacker.com
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\zreqny3k.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\zreqny3k.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\zreqny3k.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\progra~1\mozill~1\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\winnt\system32\drivers\klif.sys [2008-12-2 148496]
R1 vsdatant;vsdatant;c:\winnt\system32\vsdatant.sys [2007-7-31 353680]
R2 vsmon;TrueVector Internet Monitor;c:\winnt\system32\zonelabs\vsmon.exe -service --> c:\winnt\system32\zonelabs\vsmon.exe -service [?]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-1-5 103936]
R3 scrcap;scrcap;c:\winnt\system32\drivers\scrcap.sys [2006-9-27 9006]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\winnt\system32\drivers\usbscan.sys [2007-2-11 15104]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-9-8 33752]
S3 iscFlash;iscFlash;\??\c:\winnt\system32\drivers\iscflash.sys --> c:\winnt\system32\drivers\iscflash.sys [?]

=============== Created Last 30 ================

2009-02-26 22:23 54,156 a---h--- c:\winnt\QTFont.qfn
2009-02-26 22:23 1,409 a------- c:\winnt\QTFont.for
2009-02-21 14:17 -cd----- C:\Sandbox
2009-02-21 14:15 1,670 a------- c:\winnt\Sandboxie.ini
2009-02-21 14:14 --d----- c:\program files\Sandboxie
2009-02-20 19:44 361,600 a------- c:\winnt\system32\drivers\TCPIP.SYS.ORIGINAL
2009-02-20 18:39 --d----- c:\program files\GRETECH
2009-02-20 09:15 --d----- c:\program files\Uniblue
2009-02-20 09:15 --d----- c:\docume~1\alluse~1\applic~1\DriverScanner
2009-02-20 09:12 -cd-h--- c:\docume~1\alluse~1\applic~1\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-02-17 21:25 410,984 a------- c:\winnt\system32\deploytk.dll
2009-02-16 23:07 --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-02-16 23:07 15,504 a------- c:\winnt\system32\drivers\mbam.sys
2009-02-16 23:07 38,496 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-02-16 23:07 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-16 23:07 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-10 18:42 1,642,496 a------- c:\winnt\system32\ChilkatMail_v7_9.dll
2009-02-10 18:42 1,085,440 a------- c:\winnt\system32\ChilkatSocket.dll
2009-02-10 18:42 659,456 a------- c:\winnt\system32\ChilkatCharset.dll
2009-02-10 18:42 569,344 a------- c:\winnt\system32\CkString.dll
2009-02-10 18:42 1,294,336 a------- c:\winnt\system32\ChilkatXml.dll
2009-02-10 18:42 1,122,304 a------- c:\winnt\system32\ChilkatHttp.dll
2009-02-08 21:50 --d----- c:\program files\TubeSpinner.com
2009-02-08 20:10 --d----- c:\docume~1\alluse~1\applic~1\GlobalSCAPE
2009-02-08 20:07 --d----- c:\program files\GlobalSCAPE
2009-02-06 18:00 --d----- c:\documents and settings\all users\Micro Niche Finder
2009-02-06 18:00 --d----- c:\docume~1\alluse~1\applic~1\Micro Niche Finder
2009-02-06 17:59 --d----- c:\program files\Micro Niche Finder
2009-02-06 00:03 685,056 a------- c:\winnt\is-7V1E1.exe
2009-02-06 00:03 10,498 a------- c:\winnt\is-7V1E1.msg
2009-02-06 00:03 804 a------- c:\winnt\is-7V1E1.lst
2009-02-05 22:10 765,736 a------- c:\winnt\system32\MSWORD.OLB
2009-02-05 22:10 --d----- c:\program files\SENuke
2009-02-05 21:59 64,000 a------- c:\winnt\system32\wiaaut.oca
2009-02-05 21:59 547,840 a------- c:\winnt\system32\wiaaut.dll
2009-02-05 21:59 102,400 a------- c:\winnt\system32\DinkITXPUIMenus.ocx
2009-02-05 21:59 65,536 a------- c:\winnt\system32\EnhSliderOcx.ocx
2009-01-30 21:19 --d-h--- c:\winnt\PIF
2009-01-28 21:59 389,120 -------- c:\winnt\system32\fpres632.dll
2009-01-28 21:59 385,024 -------- c:\winnt\system32\fpmon6.dll

==================== Find3M ====================

2009-02-27 21:52 220,622,112 a--sh--- c:\winnt\system32\drivers\fidbox.dat
2009-02-27 00:28 2,945,768 a--sh--- c:\winnt\system32\drivers\fidbox.idx
2009-02-21 20:27 361,600 a------- c:\winnt\system32\drivers\TCPIP.SYS
2009-02-06 00:36 147,728 a------- c:\winnt\system32\asycfilt.dll.tmp
2008-12-25 16:24 4,212 a---hr-- c:\winnt\system32\zllictbl.dat
2008-12-14 23:14 82,312 ac------ c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2003-03-28 15:00 30,573 ac------ c:\program files\servers-original.ini
2001-06-20 15:19 40,960 ac------ c:\program files\ACMonitor_X83.exe
2001-01-07 21:49 2,012 ac------ c:\program files\readme multiproxy.txt
2004-10-08 18:01 56 -c-shr-- c:\winnt\system32\D159613D6A.sys
2006-05-03 04:06 163,328 -c-shr-- c:\winnt\system32\flvDX.dll
2007-02-21 05:47 31,232 -c-shr-- c:\winnt\system32\msfDX.dll
2007-04-17 14:59 1,392,628 -c-sh--- c:\winnt\system32\pqstv.bak2
2007-04-27 21:12 1,419,309 -c-sh--- c:\winnt\system32\pqstv.ini2

============= FINISH: 21:54:50.42 ===============

Re: here is my "HijackThis" Tell me if anything looks suspicious

Maybe ZoneAlarm is interfering?

Re: here is my "HijackThis" Tell me if anything looks suspicious

Hello.
Maybe it is, maybe it's my scripting.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    c:\winnt\system32\pqstv.bak2
    c:\winnt\system32\pqstv.ini2


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Re: here is my "HijackThis" Tell me if anything looks suspicious

I will try OTMoveIt, I'll let you know the results soon.

Here is the OTMoveIt log

Here is the OTMoveIt log.

Looks like it's fine.
It says move; where are they moved to?
-----------------

========== FILES ==========
c:\winnt\system32\pqstv.bak2 moved successfully.
c:\winnt\system32\pqstv.ini2 moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02282009_212826

Re: here is my "HijackThis" Tell me if anything looks suspicious

Yep.
How's the machine running now?


Re: here is my "HijackThis" Tell me if anything looks suspicious

Looks good. There are a few things I want to mention though:

All of the below I noticed happened while the virus was on the computer; whether or not it was due to the virus I don't know. I haven't shut down my computer after the virus was cleaned though.

1. When I shut down, sometimes it hangs at the "Windows is shutting down" screen forever, like for 10 minutes and up.

2. When I log on to my computer, even though I uninstalled RegCure there is still a reminder dialog screen, and also whenever the computer starts ZoneAlarm asks me if I want to let a program access the internet. Of course I always say Deny. But I don't know what's causing that.

3. Also, sometimes out of the blue, like today, there is a sound like when I connect my USB device to my computer. But my USB was not connected and I was not downloading anything, so I don't know where that sound is coming from. Maybe something is downloading without my knowledge?

Thank you, I would appreciate it if you have any answers to the above questions.

Re: here is my "HijackThis" Tell me if anything looks suspicious

1. Could just be general lag.
2. The regcure could be a leftover something, maybe it's a job file, maybe a leftover run value.
3. See if the sound happens more than once, if it happens just the once today, ignore it.

I get random problems too, for example today: Windows Update changed my keyboard language from UK to US.


Re: here is my "HijackThis" Tell me if anything looks suspicious

Yes to #3, that has happened before, not just today. Maybe 3 or 4 times before today.


Although I've never had Windows Update do that to me before, I can see that happening. Ahahaha

Re: here is my "HijackThis" Tell me if anything looks suspicious

Yeah, stupid thing. Sometimes M$ just don't think things through.

Anyway, off to bed.


Re: here is my "HijackThis" Tell me if anything looks suspicious

Yeah, later, thanks again!
