aboutblank

Thread: aboutblank

  1. #1
    Registered User
    Join Date
    May 2004
    Location
    Dunedin/Clearwater FLA
    Posts
    158

    aboutblank

    As a neophyte, can someone give me a heads up on Hijack this and protocol?
    Working against AboutBlank.

    Need a solution.



    Let me guess...no quick fix.

  2. #2
    Registered User pugs's Avatar
    Join Date
    Aug 2004
    Location
    Near Chicago
    Posts
    19
    Hello,

    Actually there's a few versions of About Blank. Download Hijack This from www.tomcoyote.com/hjt or, if that doesn't work, from here: http://tools.zerosrealm.com/hjt.zip. Save it to its own folder, not on the desktop or temp folder, close all other programs and select scan. When finished, the scan button changes to save log. It opens Notepad with the log. Copy and paste the entire log here in this thread.

  3. #3
    Registered User
    Join Date
    May 2004
    Location
    Dunedin/Clearwater FLA
    Posts
    158

    log file-thing is deteriorating fast

    Logfile of HijackThis v1.98.2
    Scan saved at 11:34:05 AM, on 8/28/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\CCHELPER.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O9 - Extra button: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file)
    O9 - Extra button: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
    O9 - Extra button: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file) (HKCU)
    O9 - Extra button: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file) (HKCU)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
    O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.63.236.109.79.downloads.est...21330OneCC.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwebsearch.net/wins...searchie32.exe
    (SIC) "Courage is not the abscence of fear....it is the mastery of fear."
    Samuel Clemmons/Mark Twain.
    "It's just a short ride"...(Dad-rip) Life/Death.
    "This too will pass away" ....(Dad) When things s***

  4. #4
    Registered User pugs's Avatar
    Join Date
    Aug 2004
    Location
    Near Chicago
    Posts
    19
    Hello,

    Well, you don't have About Blank, but you do have a different Coolweb infection. Download CWShredder from here: http://tools.zerosrealm.com/CWShredder.zip
    Make sure when you run shredder you update it first and then select fix, not only scan. Then post a new Hijack This log.

  5. #5
    Registered User
    Join Date
    May 2004
    Location
    Dunedin/Clearwater FLA
    Posts
    158
    Yes..This is the log after I started slogging through.
    PC is less buggy, but I want to make sure I'm hitting more than the "Symptom".

    I went ahead and wiped the "jump in your face" guys, and am at the point of tuning up.

    I'll post the log....Thanks pugs.

  6. #6
    Registered User
    Join Date
    May 2004
    Location
    Dunedin/Clearwater FLA
    Posts
    158

    rework

    Quote Originally Posted by jstut
    Yes..This is the log after I started slogging through.
    PC is less buggy, but I want to make sure I'm hitting more than the "Symptom".

    I went ahead and wiped the "jump in your face" guys, and am at the point of tuning up.

    I'll post the log....Thanks pugs.
    stut


    ........

  7. #7
    Registered User InTheWayBoy's Avatar
    Join Date
    Feb 2000
    Location
    Jacksonville, FL USA
    Posts
    435
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwebsearch.net/win...nsearchie32.exe

    Those all look suspicious enough to be removed...I would also download CWShredder and Spybot and run those if you haven't already. Plus, clean out your temp folders too!

  8. #8
    Registered User
    Join Date
    May 2004
    Location
    Dunedin/Clearwater FLA
    Posts
    158
    Yes, pulled the temps as well.

    You got a couple i had missed!!! Thanks....I'll be back.

    Think this grabbed the solutions.

  9. #9
    Registered User pugs's Avatar
    Join Date
    Aug 2004
    Location
    Near Chicago
    Posts
    19
    Well, actually CWShredder should have removed just about all the nasties in that log, as this is a very old CWS infection that is well known. The reason you got infected is because of an unpatched system. Be sure to keep up with Windows updates, they really make a difference.

  10. #10
    Registered User
    Join Date
    May 2004
    Location
    Dunedin/Clearwater FLA
    Posts
    158
    Thanks Pugs!

    I was walking Richard through the update, and realize my machine is no longer "Autoupdating". Where do I go to reset this to happen auto?
    Also (probably a new thread). I got locked in a loop.....I'll be back.

  11. #11
    Registered User
    Join Date
    May 2004
    Location
    Dunedin/Clearwater FLA
    Posts
    158
    Quote Originally Posted by InTheWayBoy
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwebsearch.net/win...nsearchie32.exe

    Those all look suspicious enough to be removed...I would also download CWShredder and Spybot and run those if you haven't already. Plus, clean out your temp folders too!
    No go. Still getting a home page reset.

  12. #12
    Registered User
    Join Date
    May 2004
    Location
    Dunedin/Clearwater FLA
    Posts
    158
    Thanks. I shot another one below...
    Thought we had this!
    Home page is still getting reset. Have Rich downloading updates.

    We did a HJT fix, but immediately got the deleted files back.

    I must be doing something asinine to be missing this.

  13. #13
    Registered User pugs's Avatar
    Join Date
    Aug 2004
    Location
    Near Chicago
    Posts
    19
    Fix the entries while in safe mode. Also delete any files or folders related to it while still in safe mode. Then run Hijack This in safe mode still. Reboot normally and run Hijack This again. What you want to do is look at both logs and see if the infection came back after you rebooted. If so, there may be a hidden dll there. If so, I have some ideas for you. I will also talk to Merijn, a good friend of mine. He made Hijack This and CWShredder and will know if something isn't working right.
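
The two-log comparison described in post #13, as an added example that is not part of the original thread: it parses HijackThis entry lines and reports which fixed entries were restored after a normal boot. The function names and the extra "entries selected for fixing" input are assumptions, and the sample logs are constructed from entries that appear in the thread's logs.

```python
import re

# HijackThis entry lines start with a section code (R0, O4, O13, ...) and " - ".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_entries(log_text):
    """Return the set of (section, detail) entries in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            # Registry names and Win9x paths are case-insensitive: normalise.
            detail = re.sub(r"\s+", " ", m.group(2)).lower()
            entries.add((m.group(1).upper(), detail))
    return entries

def compare_after_reboot(fixed_text, safe_mode_text, normal_boot_text):
    """Classify fixed entries by whether they survived the fix and the reboot."""
    fixed = parse_entries(fixed_text)
    safe = parse_entries(safe_mode_text)
    normal = parse_entries(normal_boot_text)
    return {
        # Still listed right after the fix, before any reboot.
        "never_removed": sorted(fixed & safe),
        # Gone in safe mode, back after a normal boot: something that loads
        # at startup rewrote them (the "hidden dll" case from the post).
        "restored_on_reboot": sorted((fixed - safe) & normal),
        "stayed_removed": sorted(fixed - safe - normal),
        # Entries that were not fixed and only show up after the normal boot.
        "new_after_reboot": sorted(normal - safe - fixed),
    }

# Constructed sample input: excerpts assembled from entries in the thread's logs.
FIXED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
"""
SAFE_MODE = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\EXPLORER.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
"""
NORMAL_BOOT = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = rr.com
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
"""

if __name__ == "__main__":
    report = compare_after_reboot(FIXED, SAFE_MODE, NORMAL_BOOT)
    for bucket, items in report.items():
        print(f"{bucket}: {len(items)}")
        for section, detail in items:
            print(f"  {section} - {detail}")
```

Only the registry-backed R/O/F/N lines are compared, because the running-process list legitimately differs between safe mode and a normal boot.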

  14. #14
    Registered User
    Join Date
    May 2004
    Location
    Dunedin/Clearwater FLA
    Posts
    158

    not there yet

    Still no Bingo.
    Richard has run everything he can get his hands on with no success. I ran into a guy today who mentioned a "Host.JSP" ??? file?
    Does that make sense?

  15. #15
    Registered User
    Join Date
    May 2004
    Location
    Dunedin/Clearwater FLA
    Posts
    158

    richards new logfile

    Ran all suggested programs in safe mode, updated all, deleted temp files/cookies.

    Logfile of HijackThis v1.98.2
    Scan saved at 8:31:05 PM, on 8/31/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHERO.EXE
    C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHERO.EXE
    C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\TEMP\NEGD.DAT
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = rr.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = rr.com
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\CCHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: GeekSuperheroBHO Class - {1FEA39D6-46B3-4F66-BC38-4839CFE198EA} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROSLAPDOWN.DLL
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
    O4 - HKCU\..\RunServices: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O9 - Extra button: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file)
    O9 - Extra button: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file)
    O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROSLAPDOWN.DLL
    O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROBUGSWAT.DLL (file missing)
    O9 - Extra button: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file) (HKCU)
    O9 - Extra button: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file) (HKCU)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab

    .. keeps coming back. Attached hjt log
