SpywareBlaster, SpywareGuard, & BHO's

So here's the story...

A while back, I think on 5/14/04, I installed a program on my computer called SurfFastNow. I got it from CNet. It was supposed to increase my internet speed (I have 56K, so I can use all the extra speed I can get.) SurfFastNow is a piece of crap, do not put it on your computer!!! Realizing that it didn't do anything and was nothing more than a nuisance, I uninstalled it. After I had gotten rid of it, SpywareGuard kept giving me alerts that some BHO was trying to change some settings on my computer. It gave me the option to keep the BHO or reject it. I kept telling it to reject it, but new alerts kept popping up. Eventually I got it to stop, I forget exactly how, but the next day I could not get onto the internet (I have AOL). AOL Help couldn't fix it, I tried everything I could think of but I couldn't fix it, so eventually I had to call Microsoft and they got it working. The problem was that although my computer was able to access IP addresses for websites, somehow the IP addresses for the websites that I wanted to visit got changed. My computer was trying to access the wrong IP addresses, and thus nothing would happen when I tried to go to various websites. I think this had something to do with Browser Helper Objects (BHO's), but I'm not certain about that. I uninstalled SpywareGuard because I figured that it didn't actually protect me so there was no point to keeping it.

Yesterday I put on a Spiderman theme that I also got from CNet. It put some spyware and (I think) a couple Trojans on my computer, and it also made my computer freeze, so I got rid of it. But the same thing happened as before: the internet would not work! I was able to fix it today by restoring the spyware I had removed with Ad-Aware and the viruses I had found with AVG. (Note: I had Ad-Aware long before the first time the internet stopped working, and I installed AVG after I got the internet working again, with Microsoft's help.) After restoring these files I was able to get online again. I then re-deleted the spyware and viruses, and I am still able to go online. Could someone please explain to me what is going on?

And now for my idea...

Today I re-installed SpywareGuard because if this happens again it will alert me of any BHO’s. If I remember correctly, when it asks you if you want to keep the BHO or remove it, it tells you the CLSID. My thought is that I could copy this CLSID and put it into SpywareBlaster as a custom block, and that would prevent the problem from reoccurring and also prevent the BHO alerts from popping up one after another, since I think the same ones kept popping up over and over again. Would this work?

Aside from me not downloading crap, which I have sworn to stop doing, does anyone have any ideas on how I can fix this problem for good?

 

"able to access IP addresses for websites, somehow the IP addresses for the websites that I wanted to visit got changed."

That sounds similar to what happens if you have been given an unwanted Hosts file.

"My thought is that I could copy this CLSID and put it into SpywareBlaster as a custom block"

If you indeed do that and it is not already part of SpywareBlasters database....would you mind posting it. If found to be legit as far as malware....Javacool and others might want to check it out.

"Aside from me not downloading crap, which I have sworn to stop doing, does anyone have any ideas on how I can fix this problem for good?"

Sure....stop downloading crap

Seriously....from the looks of what symtoms your describing....I suggest you follow the below link, have your system looked at further and post a HighJackThis log.

Please read before posting your log!


Also....take a look at the below Sticky of how best to tighten your Security settings.

Why did I get infected in the first place

Good luck,
Bubba

 

Thanks for the reply, Bubba. I looked at both of the links you gave me. I didn't mention this in my previous post, but I also use Spybot Search & Destroy in addition to Ad-Aware. I update them both frequently. I also downloaded HijackThis after the first time I got the internet fixed, but I'm not confident enough with it to make any changes on my own.

That sounds similar to what happens if you have been given an unwanted Hosts file.

I downloaded both IE-SpyAd and an IE hosts file as recommended in "Why did I get infected in the first place." If the problem is an unwanted Hosts file, will this fix it? Or at least enable me to fix it on my own should I get another unwanted Hosts file?

If you indeed do that and it is not already part of SpywareBlasters database....would you mind posting it. If found to be legit as far as malware....Javacool and others might want to check it out.

Well, I'm hoping it doesn't happen again! But if it does, I will be sure to.

I had another thought: when the internet was down, I could log onto AOL (on the third dialing attempt, so not exactly ideal) but I could not access any sites. I could not get to any sites with Internet Explorer either. On some site I read that the AOL browser is just a fancy front-end for Internet Explorer. I downloaded 3 browsers (Netscape, NetCaptor, and Avant) in the hope that if the internet should get messed up again and I couldn't fix it, I could still browse the web using one of these.

Here is my HijackThis log file:

Logfile of HijackThis v1.97.7
Scan saved at 8:47:21 PM, on 5/28/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\fxredir.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Documents and Settings\Jeff\Desktop\Jeff\Entertainment\Programs\aiepk.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\shellmon.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Jeff\Desktop\Jeff\Entertainment\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - (no file)
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NavErrRedir Class - {5d60ff48-95be-4956-b4c6-6bb168a70310} - (no file)
O2 - BHO: Core Library - {6CDF3C49-20E6-48d7-811B-9F5DD17F1D90} - C:\WINDOWS\System32\sfg0c36.dll
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O2 - BHO: (no name) - {8EDAF4D8-D20F-4454-BDB9-681AA6F45449} - C:\WINDOWS\btdpsjyi.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O2 - BHO: (no name) - {C538F3C0-BE56-4C54-A9E7-1BD88CDEBEB0} - (no file)
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [aiepk] C:\Documents and Settings\Jeff\Desktop\Jeff\Entertainment\Programs\aiepk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SafeGuard Popup Blocker Updater (required)] regsvr32 /s C:\WINDOWS\System32\sfg0c36.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpywareGuard.lnk.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38133.0447222222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B477225-42EF-4B15-B085-CE7B64D60A8E}: NameServer = 198.81.17.4

 

Hi computerkiller,
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - (no file)
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)

O2 - BHO: NavErrRedir Class - {5d60ff48-95be-4956-b4c6-6bb168a70310} - (no file)
O2 - BHO: Core Library - {6CDF3C49-20E6-48d7-811B-9F5DD17F1D90} - C:\WINDOWS\System32\sfg0c36.dll
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O2 - BHO: (no name) - {8EDAF4D8-D20F-4454-BDB9-681AA6F45449} - C:\WINDOWS\btdpsjyi.dll

O2 - BHO: (no name) - {C538F3C0-BE56-4C54-A9E7-1BD88CDEBEB0} - (no file)
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)

O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - (no file)

O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll

O4 - HKLM\..\Run: [SafeGuard Popup Blocker Updater (required)] regsvr32 /s C:\WINDOWS\System32\sfg0c36.dll

O10 - Hijacked Internet access by New.Net

Then reboot and delete:
C:\Program Files\QuickSearch <= entire folder
C:\WINDOWS\System32\sfg0c36.dll

Regards,

Pieter

 

Thanks for the help, Pieter. I did what you said. However, "C:\WINDOWS\System32\sfg0c36.dll" did not exist in the first place. Everything seems to be working well, which means that I didn't mess anything up! I'm not sure what exactly you had me do, though. Will this prevent my computer from getting messed up again in the future? Or will it always be in danger as long as I'm around?

Bubba, I did add one custom block to SpywareBlaster.

Name: NewDotNet SearchBar
CLSID: {82315A18-6CFB-44A7-BDFD-90E36537C252}

I'm not sure if this is a legitimate block or not. I used BHO Demon (which I downloaded a couple hours ago) to scan for BHO's and I know that NewDotNet is bad so I blocked it with BHO Demon and then added a custom block to SpywareBlaster, in case it should return.

Thank you both for all the help.

Just for kicks, here's my new HijackThis log file:

Logfile of HijackThis v1.97.7
Scan saved at 3:24:34 AM, on 5/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\fxredir.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Documents and Settings\Jeff\Desktop\Jeff\Entertainment\Programs\aiepk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\shellmon.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Jeff\Desktop\Jeff\Entertainment\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [aiepk] C:\Documents and Settings\Jeff\Desktop\Jeff\Entertainment\Programs\aiepk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpywareGuard.lnk.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38133.0447222222
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B477225-42EF-4B15-B085-CE7B64D60A8E}: NameServer = 198.81.18.4