
Pos.tmp Virus (not Sure Of Name)


9 replies to this topic

#1 bmreid


Posted 22 February 2008 - 02:40 PM

Hi,

I found a large number of pos.tmp files in the My Documents folder as well as a large red X on my C drive icon.

Also getting the typical warnings associated with this virus (A Critical error could occur, etc.)



The computer has been used by someone else for about 6 months and I'm pretty sure a few viruses and some adware have found their way onto my hard disk. I've tried to fix what I could but I'm running into a variety of troubles.
I've used Symantec, McAfee Avert Stinger, Spybot S&D, Ad-Aware, and Housecall as well as deleting temporary internet files.


I am grateful for any help.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:15 PM, on 2/22/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\WSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\windows
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\FNTS~1\logonui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\s?stem32\n?tdde.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\TASKMAN.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.Begin2Search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iub.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.Begin2Search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\System32\winb2s32.dll
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [Macafee] LSAS.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe>');
O4 - HKLM\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer>');
O4 - HKLM\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System32\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe></noscript>
O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKLM\..\Run: [var strP] c:\WINDOWS\System32\var strPort;
O4 - HKLM\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
O4 - HKLM\..\Run: [} el] c:\WINDOWS\System32\} else {
O4 - HKLM\..\Run: [}] c:\WINDOWS\System32\}
O4 - HKLM\..\Run: [window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ver4 = (NS4 || IE4plus) ? true : fa] c:\WINDOWS\System32\ver4 = (NS4 || IE4plus) ? true : false;
O4 - HKLM\..\Run: [var today = new Dat] c:\WINDOWS\System32\var today = new Date();
O4 - HKLM\..\Run: [var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of sc] c:\WINDOWS\System32\var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of screen
O4 - HKLM\..\Run: [var pos_left = (screen.width / 2) -125; // window horizontally centered, rou] c:\WINDOWS\System32\var pos_left = (screen.width / 2) -125; // window horizontally centered, roughly
O4 - HKLM\..\Run: [var NN4=d.layers?] c:\WINDOWS\System32\var NN4=d.layers?1:0;
O4 - HKLM\..\Run: [var gSafeOnload = new Arra] c:\WINDOWS\System32\var gSafeOnload = new Array();
O4 - HKLM\..\Run: [var expire = new Dat] c:\WINDOWS\System32\var expire = new Date();
O4 - HKLM\..\Run: [var d=docum] c:\WINDOWS\System32\var d=document;
O4 - HKLM\..\Run: [var cookieExist = getCookie(strCookieNa] c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);
O4 - HKLM\..\Run: [SafeAddOnload(PUWSta] c:\WINDOWS\System32\SafeAddOnload(PUWStart);
O4 - HKLM\..\Run: [s=screen.width;v=navigator.app] c:\WINDOWS\System32\s=screen.width;v=navigator.appName
O4 - HKLM\..\Run: [return unescape(document.cookie.substring(offset, end)) ] c:\WINDOWS\System32\return unescape(document.cookie.substring(offset, end))
O4 - HKLM\..\Run: [OSS] C:\WINDOWS\System32\ossproxy.exe -boot
O4 - HKLM\..\Run: [offset = document.cookie.indexOf(search) ] c:\WINDOWS\System32\offset = document.cookie.indexOf(search)
O4 - HKLM\..\Run: [offset += search.leng] c:\WINDOWS\System32\offset += search.length;
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\zmixjb.exe
O4 - HKLM\..\Run: [NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:fa] c:\WINDOWS\System32\NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:false;
O4 - HKLM\..\Run: [NS4 = (document.layers) ? true : fa] c:\WINDOWS\System32\NS4 = (document.layers) ? true : false;
O4 - HKLM\..\Run: [NS2] c:\WINDOWS\System32\NS2Ch=0
O4 - HKLM\..\Run: [mhppop(); //makeusyourhomepage] c:\WINDOWS\System32\mhppop(); //makeusyourhomepage pop
O4 - HKLM\..\Run: [j=navigator.javaEnabl] c:\WINDOWS\System32\j=navigator.javaEnabled()
O4 - HKLM\..\Run: [if(!NN] c:\WINDOWS\System32\if(!NN4) {
O4 - HKLM\..\Run: [if (offset != -1) { // if cookie exists ] c:\WINDOWS\System32\if (offset != -1) { // if cookie exists
O4 - HKLM\..\Run: [if (NS2Ch == ] c:\WINDOWS\System32\if (NS2Ch == 0) {
O4 - HKLM\..\Run: [if (IE4p] c:\WINDOWS\System32\if (IE4plus)
O4 - HKLM\..\Run: [if (end == -1) ] c:\WINDOWS\System32\if (end == -1)
O4 - HKLM\..\Run: [if ((flag ==] c:\WINDOWS\System32\if ((flag == 1))
O4 - HKLM\..\Run: [IEMajor ] c:\WINDOWS\System32\IEMajor = 0;
O4 - HKLM\..\Run: [IEmac = ((document.all)&&(isMac)) ? true : fa] c:\WINDOWS\System32\IEmac = ((document.all)&&(isMac)) ? true : false;
O4 - HKLM\..\Run: [IE5plus = IE5 || ] c:\WINDOWS\System32\IE5plus = IE5 || IE6;
O4 - HKLM\..\Run: [IE4plus = (document.all) ? true : fa] c:\WINDOWS\System32\IE4plus = (document.all) ? true : false;
O4 - HKLM\..\Run: [function setCookie(name, value) ] c:\WINDOWS\System32\function setCookie(name, value) {
O4 - HKLM\..\Run: [function SafeOnlo] c:\WINDOWS\System32\function SafeOnload()
O4 - HKLM\..\Run: [function SafeAddOnloa] c:\WINDOWS\System32\function SafeAddOnload(f)
O4 - HKLM\..\Run: [function PUW_In] c:\WINDOWS\System32\function PUW_Init()
O4 - HKLM\..\Run: [function PUW_CheckFrequen] c:\WINDOWS\System32\function PUW_CheckFrequency()
O4 - HKLM\..\Run: [function PUWSta] c:\WINDOWS\System32\function PUWStart()
O4 - HKLM\..\Run: [function mhppo] c:\WINDOWS\System32\function mhppop(){
O4 - HKLM\..\Run: [function isInt(nu] c:\WINDOWS\System32\function isInt(numIn)
O4 - HKLM\..\Run: [function getCookie(Name) ] c:\WINDOWS\System32\function getCookie(Name) {
O4 - HKLM\..\Run: [function FormFocu] c:\WINDOWS\System32\function FormFocus(){
O4 - HKLM\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()
O4 - HKLM\..\Run: [flag] c:\WINDOWS\System32\flag = 1
O4 - HKLM\..\Run: [expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3] c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 365);
O4 - HKLM\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length
O4 - HKLM\..\Run: [else {c=screen.pixelDe] c:\WINDOWS\System32\else {c=screen.pixelDepth}
O4 - HKLM\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();
O4 - HKLM\..\Run: [com_dmi3] C:\WINDOWS\System32\com_dmi3.exe
O4 - HKLM\..\Run: [A:hover {background: #FFCC00; color: bla] c:\WINDOWS\System32\A:hover {background: #FFCC00; color: black;}
O4 - HKLM\..\Run: [<script language="javascript" type="text/javascri] c:\WINDOWS\System32\<script language="javascript" type="text/javascript">
O4 - HKLM\..\Run: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\WINDOWS\System32\<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffff] c:\WINDOWS\System32\<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffffff">
O4 - HKLM\..\Run: [</scr] c:\WINDOWS\System32\</SCRIPT>
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKLM\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKLM\..\Run: [// set index of end of cookie value ] c:\WINDOWS\System32\// set index of end of cookie value
O4 - HKLM\..\Run: [// set index of beginning of value ] c:\WINDOWS\System32\// set index of beginning of value
O4 - HKLM\..\Run: [// Browser Detec] c:\WINDOWS\System32\// Browser Detection
O4 - HKLM\..\Run: [// Body onload utility (supports multiple onload functi] c:\WINDOWS\System32\// Body onload utility (supports multiple onload functions)
O4 - HKLM\..\Run: [ var shouldShow = this.frequency !] c:\WINDOWS\System32\ var shouldShow = this.frequency != 0;
O4 - HKLM\..\Run: [ var newWin = window.open(this.url,this.name,settin] c:\WINDOWS\System32\ var newWin = window.open(this.url,this.name,settings);
O4 - HKLM\..\Run: [ var checknum = parseInt(num] c:\WINDOWS\System32\ var checknum = parseInt(numIn);
O4 - HKLM\..\Run: [ this.width = wi] c:\WINDOWS\System32\ this.width = width;
O4 - HKLM\..\Run: [ this.url = ] c:\WINDOWS\System32\ this.url = url;
O4 - HKLM\..\Run: [ this.top = screen.availHeight/2 - height/2; // ce] c:\WINDOWS\System32\ this.top = screen.availHeight/2 - height/2; // center
O4 - HKLM\..\Run: [ this.toolbar= fa] c:\WINDOWS\System32\ this.toolbar= false;
O4 - HKLM\..\Run: [ this.statusbar= fa] c:\WINDOWS\System32\ this.statusbar= false;
O4 - HKLM\..\Run: [ this.showDelay = 2] c:\WINDOWS\System32\ this.showDelay = 2000;
O4 - HKLM\..\Run: [ this.Show = PUW_S] c:\WINDOWS\System32\ this.Show = PUW_Show;
O4 - HKLM\..\Run: [ this.scrollbars= fa] c:\WINDOWS\System32\ this.scrollbars= false;
O4 - HKLM\..\Run: [ this.resizable = fa] c:\WINDOWS\System32\ this.resizable = false;
O4 - HKLM\..\Run: [ this.renew = 1; // renew showing every x h] c:\WINDOWS\System32\ this.renew = 1; // renew showing every x hours
O4 - HKLM\..\Run: [ this.ontop = fa] c:\WINDOWS\System32\ this.ontop = false;
O4 - HKLM\..\Run: [ this.menubar = fa] c:\WINDOWS\System32\ this.menubar = false;
O4 - HKLM\..\Run: [ this.locationbar = fa] c:\WINDOWS\System32\ this.locationbar = false;
O4 - HKLM\..\Run: [ this.left = screen.availWidth/2 - width/2; // ce] c:\WINDOWS\System32\ this.left = screen.availWidth/2 - width/2; // center
O4 - HKLM\..\Run: [ this.Init = PUW_I] c:\WINDOWS\System32\ this.Init = PUW_Init;
O4 - HKLM\..\Run: [ this.height = hei] c:\WINDOWS\System32\ this.height = height;
O4 - HKLM\..\Run: [ this.frequency = 1; // how many times show per renewal time pe] c:\WINDOWS\System32\ this.frequency = 1; // how many times show per renewal time period
O4 - HKLM\..\Run: [ this.CheckFrequency = PUW_CheckFreque] c:\WINDOWS\System32\ this.CheckFrequency = PUW_CheckFrequency;
O4 - HKLM\..\Run: [ return shouldS] c:\WINDOWS\System32\ return shouldShow;
O4 - HKLM\..\Run: [ return !isNaN(checkn] c:\WINDOWS\System32\ return !isNaN(checknum);
O4 - HKLM\..\Run: [ if (IEmac && IE4) // IE 4.5 blows out on testing window.on] c:\WINDOWS\System32\ if (IEmac && IE4) // IE 4.5 blows out on testing window.onload
O4 - HKLM\..\Run: [ if (! this.on] c:\WINDOWS\System32\ if (! this.ontop)
O4 - HKLM\..\Run: [ IEMajor = parseInt(navigator.appVersion.substring(start+5,en] c:\WINDOWS\System32\ IEMajor = parseInt(navigator.appVersion.substring(start+5,end));
O4 - HKLM\..\Run: [ else if (window.onl] c:\WINDOWS\System32\ else if (window.onload)
O4 - HKLM\..\Run: [ window.onload = SafeOnl] c:\WINDOWS\System32\ window.onload = SafeOnload;
O4 - HKLM\..\Run: [ window.onload ] c:\WINDOWS\System32\ window.onload = f;
O4 - HKLM\..\Run: [ window.focu] c:\WINDOWS\System32\ window.focus();
O4 - HKLM\..\Run: [ var exp = new Dat] c:\WINDOWS\System32\ var exp = new Date();
O4 - HKLM\..\Run: [ var allCookies = document.coo] c:\WINDOWS\System32\ var allCookies = document.cookie;
O4 - HKLM\..\Run: [ if (window.onload != SafeOnl] c:\WINDOWS\System32\ if (window.onload != SafeOnload)
O4 - HKLM\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ exp.setTime(exp.getTime()+this.renew*60*60] c:\WINDOWS\System32\ exp.setTime(exp.getTime()+this.renew*60*6000);
O4 - HKLM\..\Run: [ window.onload = SafeOnl] c:\WINDOWS\System32\ window.onload = SafeOnload;
O4 - HKLM\..\Run: [ var freqStr = allCookies.substring(start+9,e] c:\WINDOWS\System32\ var freqStr = allCookies.substring(start+9,end);
O4 - HKLM\..\Run: [ this.frequenc] c:\WINDOWS\System32\ this.frequency--;
O4 - HKLM\..\Run: [ shouldShow = fa] c:\WINDOWS\System32\ shouldShow = false;
O4 - HKLM\..\Run: [ if (isInt(freqS] c:\WINDOWS\System32\ if (isInt(freqStr))
O4 - HKLM\..\Run: [ gSafeOnload[0] = window.onl] c:\WINDOWS\System32\ gSafeOnload[0] = window.onload;
O4 - HKLM\..\Run: [ this.frequency = parseInt(freqS] c:\WINDOWS\System32\ this.frequency = parseInt(freqStr);
O4 - HKLM\..\Run: [ end = allCookies.len] c:\WINDOWS\System32\ end = allCookies.length;
O4 - HKLM\..\Run: [ Sea] c:\WINDOWS\System32\ Search:
O4 - HKLM\..\Run: [ s=screen.width;v=navigator.app] c:\WINDOWS\System32\ s=screen.width;v=navigator.appName
O4 - HKLM\..\Run: [ NS2] c:\WINDOWS\System32\ NS2Ch=0
O4 - HKLM\..\Run: [ j=navigator.javaEnabl] c:\WINDOWS\System32\ j=navigator.javaEnabled()
O4 - HKLM\..\Run: [ if (NS2Ch == ] c:\WINDOWS\System32\ if (NS2Ch == 0) {
O4 - HKLM\..\Run: [ else {c=screen.pixelDe] c:\WINDOWS\System32\ else {c=screen.pixelDepth}
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ }
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ -->
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [gPopupWindow.toolbar = fa] c:\WINDOWS\System32\gPopupWindow.toolbar = false;
O4 - HKLM\..\Run: [gPopupWindow.statusbar = fa] c:\WINDOWS\System32\gPopupWindow.statusbar = false;
O4 - HKLM\..\Run: [gPopupWindow.resizable = fa] c:\WINDOWS\System32\gPopupWindow.resizable = false;
O4 - HKLM\..\Run: [gPopupWindow.ontop = fa] c:\WINDOWS\System32\gPopupWindow.ontop = false;
O4 - HKLM\..\Run: [function PUW_Sh] c:\WINDOWS\System32\function PUW_Show()
O4 - HKLM\..\Run: [function PopupWindow(url,width,hei] c:\WINDOWS\System32\function PopupWindow(url,width,height)
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [<title>advertisement</ti] c:\WINDOWS\System32\<title>advertisement</title>
O4 - HKLM\..\Run: [ if (gPopupWindow.CheckFrequenc] c:\WINDOWS\System32\ if (gPopupWindow.CheckFrequency())
O4 - HKLM\..\Run: [ gPopupWindow.Ini] c:\WINDOWS\System32\ gPopupWindow.Init();
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [yxkzef] C:\WINDOWS\yxkzef.exe
O4 - HKLM\..\Run: [Fqfeu] C:\Program Files\Avllun\Owdl.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [<frame src="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?cid=XCTR5165&s=beneditutti.c] c:\WINDOWS\System32\<frame src="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?cid=XCTR5165&s=beneditutti.com">
O4 - HKLM\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKLM\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKLM\..\Run: [<body bgcolor="#ffffff" text="#0000] c:\WINDOWS\System32\<body bgcolor="#ffffff" text="#000000">
O4 - HKLM\..\Run: [<a href="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?cid=XCTR5165&s=beneditutti.com">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?cid=XCTR5165&s=beneditutti.com">Click here to go to beneditutti.com</a>.
O4 - HKLM\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKLM\..\Run: [agynfba] C:\WINDOWS\agynfba.EXE
O4 - HKLM\..\Run: [<frame src="http://searchportal.information.com/?a_id=761&domainname=beneditutti.com&adultfilter=o] c:\WINDOWS\System32\<frame src="http://searchportal.information.com/?a_id=761&domainname=beneditutti.com&adultfilter=off">
O4 - HKLM\..\Run: [<a href="http://searchportal.information.com/?a_id=761&domainname=beneditutti.com&adultfilter=off">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://searchportal.information.com/?a_id=761&domainname=beneditutti.com&adultfilter=off">Click here to go to beneditutti.com</a>.
O4 - HKLM\..\Run: [laikecj] C:\WINDOWS\laikecj.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [vshlsin] C:\WINDOWS\vshlsin.exe
O4 - HKLM\..\Run: [pofkteo] C:\WINDOWS\pofkteo.exe
O4 - HKLM\..\Run: [eivvfbq] C:\WINDOWS\eivvfbq.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mqltarr] C:\WINDOWS\mqltarr.exe
O4 - HKLM\..\Run: [kodwzne] C:\WINDOWS\kodwzne.exe
O4 - HKLM\..\Run: [ddjzhvh] C:\WINDOWS\ddjzhvh.exe
O4 - HKLM\..\Run: [<title> Welcome to beneditutti.com</ti] c:\WINDOWS\System32\<title> Welcome to beneditutti.com</title>
O4 - HKLM\..\Run: [<meta NAME="description" CONTENT="beneditutti.c] c:\WINDOWS\System32\<meta NAME="description" CONTENT="beneditutti.com">
O4 - HKLM\..\Run: [<meta NAME="keywords" CONTENT="beneditutti.c] c:\WINDOWS\System32\<meta NAME="keywords" CONTENT="beneditutti.com">
O4 - HKLM\..\Run: [<META HTTP-EQUIV="Expires" CONTENT="] c:\WINDOWS\System32\<META HTTP-EQUIV="Expires" CONTENT="-1">
O4 - HKLM\..\Run: [<frame src="http://searchportal.information.com/?a_id=6640&domainname=beneditutti.c] c:\WINDOWS\System32\<frame src="http://searchportal.information.com/?a_id=6640&domainname=beneditutti.com">
O4 - HKLM\..\Run: [<a href="http://searchportal.information.com/?a_id=6640&domainname=beneditutti.com">Click here to enter<] c:\WINDOWS\System32\<a href="http://searchportal.information.com/?a_id=6640&domainname=beneditutti.com">Click here to enter</a>.
O4 - HKLM\..\Run: [<!-- trafficclub.com] c:\WINDOWS\System32\<!-- trafficclub.com -->
O4 - HKLM\..\Run: [<!-- exec: 0.0452699661255] c:\WINDOWS\System32\<!-- exec: 0.0452699661255 -->
O4 - HKLM\..\Run: [<!-- domain: beneditutti.com] c:\WINDOWS\System32\<!-- domain: beneditutti.com -->
O4 - HKLM\..\Run: [<!-- ip: 65.151.55.61] c:\WINDOWS\System32\<!-- ip: 65.151.55.61 -->
O4 - HKLM\..\Run: [<!-- fingerprint: ] c:\WINDOWS\System32\<!-- fingerprint: -->
O4 - HKLM\..\Run: [<!-- country: US] c:\WINDOWS\System32\<!-- country: US -->
O4 - HKLM\..\Run: [<!-- service: 1] c:\WINDOWS\System32\<!-- service: 1 -->
O4 - HKLM\..\Run: [<!-- rand: 13/100] c:\WINDOWS\System32\<!-- rand: 13/100 -->
O4 - HKLM\..\Run: [<!-- count: 1/0] c:\WINDOWS\System32\<!-- count: 1/0 -->
O4 - HKLM\..\Run: [<!-- COOKIE OVERRIDE : 1] c:\WINDOWS\System32\<!-- COOKIE OVERRIDE : 1 -->
O4 - HKLM\..\Run: [<frame src="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=74.128.245.214&hl=] c:\WINDOWS\System32\<frame src="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=74.128.245.214&hl=en">
O4 - HKLM\..\Run: [<!-- exec: 0.10525894165039] c:\WINDOWS\System32\<!-- exec: 0.10525894165039 -->
O4 - HKLM\..\Run: [<!-- ip: 74.128.245.214] c:\WINDOWS\System32\<!-- ip: 74.128.245.214 -->
O4 - HKLM\..\Run: [<!-- fingerprint: eab03eddd290aacdd1f44eeeb41270e3] c:\WINDOWS\System32\<!-- fingerprint: eab03eddd290aacdd1f44eeeb41270e3 -->
O4 - HKLM\..\Run: [<!-- rand: 27/100] c:\WINDOWS\System32\<!-- rand: 27/100 -->
O4 - HKLM\..\Run: [<!-- ] c:\WINDOWS\System32\<!-- -->
O4 - HKLM\..\Run: [<!-- OK] c:\WINDOWS\System32\<!-- OK -->
O4 - HKLM\..\Run: [<a href="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=74.128.245.214&hl=en">Click here to enter<] c:\WINDOWS\System32\<a href="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=74.128.245.214&hl=en">Click here to enter</a>.
O4 - HKLM\..\Run: [<!-- exec: 0.10721898078918] c:\WINDOWS\System32\<!-- exec: 0.10721898078918 -->
O4 - HKLM\..\Run: [<!-- service: 2] c:\WINDOWS\System32\<!-- service: 2 -->
O4 - HKLM\..\Run: [<!-- rand: 67/100] c:\WINDOWS\System32\<!-- rand: 67/100 -->
O4 - HKLM\..\Run: [ItalU] C:\WINDOWS\System32\italfds.exe
O4 - HKLM\..\Run: [<frame src="http://searchportal.information.com/?a_id=6710&domainname=beneditutti.c] c:\WINDOWS\System32\<frame src="http://searchportal.information.com/?a_id=6710&domainname=beneditutti.com">
O4 - HKLM\..\Run: [<a href="http://searchportal.information.com/?a_id=6710&domainname=beneditutti.com">Click here to enter<] c:\WINDOWS\System32\<a href="http://searchportal.information.com/?a_id=6710&domainname=beneditutti.com">Click here to enter</a>.
O4 - HKLM\..\Run: [<!-- exec: 0.10528993606567] c:\WINDOWS\System32\<!-- exec: 0.10528993606567 -->
O4 - HKLM\..\Run: [<!-- ip: 74.130.4.25] c:\WINDOWS\System32\<!-- ip: 74.130.4.25 -->
O4 - HKLM\..\Run: [<!-- fingerprint: f7801570d59ce51a933b90d42a7a3fbc] c:\WINDOWS\System32\<!-- fingerprint: f7801570d59ce51a933b90d42a7a3fbc -->
O4 - HKLM\..\Run: [<!-- service: 6] c:\WINDOWS\System32\<!-- service: 6 -->
O4 - HKLM\..\Run: [<!-- rand: 82/100] c:\WINDOWS\System32\<!-- rand: 82/100 -->
O4 - HKLM\..\Run: [<frame src="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=74.130.4.25&hl=] c:\WINDOWS\System32\<frame src="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=74.130.4.25&hl=en">
O4 - HKLM\..\Run: [<a href="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=74.130.4.25&hl=en">Click here to enter<] c:\WINDOWS\System32\<a href="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=74.130.4.25&hl=en">Click here to enter</a>.
O4 - HKLM\..\Run: [<frame src="http://www.bnmq.com/?dn=beneditutti.com&cid=6484d099] c:\WINDOWS\System32\<frame src="http://www.bnmq.com/?dn=beneditutti.com&cid=6484d09957">
O4 - HKLM\..\Run: [<a href="http://www.bnmq.com/?dn=beneditutti.com&cid=6484d09957">Click here to enter<] c:\WINDOWS\System32\<a href="http://www.bnmq.com/?dn=beneditutti.com&cid=6484d09957">Click here to enter</a>.
O4 - HKLM\..\Run: [<TITLE>tool4ame.com</TI] c:\WINDOWS\System32\<TITLE>tool4ame.com</TITLE>
O4 - HKLM\..\Run: [<META NAME="Keywords" CONTENT] c:\WINDOWS\System32\<meta name="keywords" content="">
O4 - HKLM\..\Run: [<META NAME="Description" CONTENT] c:\WINDOWS\System32\<META NAME="Description" CONTENT="">
O4 - HKLM\..\Run: [<st] c:\WINDOWS\System32\<style>
O4 - HKLM\..\Run: [html,] c:\WINDOWS\System32\html,body
O4 - HKLM\..\Run: [margin:] c:\WINDOWS\System32\margin:0px;
O4 - HKLM\..\Run: [padding:] c:\WINDOWS\System32\padding:0px;
O4 - HKLM\..\Run: [</st] c:\WINDOWS\System32\</style>
O4 - HKLM\..\Run: [<b] c:\WINDOWS\System32\<body>
O4 - HKLM\..\Run: [body,td,div,.p,a{font-family:arial,sans-seri] c:\WINDOWS\System32\body,td,div,.p,a{font-family:arial,sans-serif; }
O4 - HKLM\..\Run: [<html><head><title>nobrainnewbie.com</title><meta name="keywords" content=""><meta name="description" content] c:\WINDOWS\System32\<html><head><title>nobrainnewbie.com</title><meta name="keywords" content=""><meta name="description" content="">
O4 - HKLM\..\Run: [div,td{color:#0] c:\WINDOWS\System32\div,td{color:#000;}
O4 - HKLM\..\Run: [function exittraffic() { if (flag == 1) { mhppop();] c:\WINDOWS\System32\function exittraffic() { if (flag == 1) { mhppop(); } }
O4 - HKLM\..\Run: [var rm_section_id = 174] c:\WINDOWS\System32\var rm_section_id = 174688;
O4 - HKLM\..\Run: [var rm_banned_pop_types =] c:\WINDOWS\System32\var rm_banned_pop_types = 29;
O4 - HKLM\..\Run: [var rm_pop_times = ] c:\WINDOWS\System32\var rm_pop_times = 100;
O4 - HKLM\..\Run: [var rm_pop_frequency = 86] c:\WINDOWS\System32\var rm_pop_frequency = 86400;
O4 - HKLM\..\Run: [rmShowPo] c:\WINDOWS\System32\rmShowPop();
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe"
O4 - HKLM\..\Run: [family: arial; text-decoration: underline; color: blue;" onclick="flag=0" target="_top" onMouseOver="return changelink('http://www.kids-law.com')" onMouseOut="returnlink()"><span style="color: blue; text-decoration: underline">Personal Injury Lawyer</span></a>] c:\WINDOWS\System32\family: arial; text-decoration: underline; color: blue;" onclick="flag=0" target="_top" onMouseOver="return changelink('http://www.kids-law.com')" onMouseOut="returnlink()"><span style="color: blue; text-decoration: underline">Personal Injury Lawyer</span></a><br>
O4 - HKLM\..\Run: [ <a href="/click/nUE0pQbiY3OuM2IuMQVhM29iM2kyp3yhMTywLKEco24hL29gY3OuM2IuMP9cL2keC3AuCJjzLJx9DwVmZ01uI2guHaEkqRV2LJqbDIOVAGIUD0AnpaImHyAGpT9yIHSmD050q0qOAzcOHHS4M0EWGKMsqISAo0AdDHSCDHWEBJI2EQuaIzq5MJSgnIOGnaqPD2qOJKcCZy8jEUAaEIWvoGycL21TpTWgAJkxZxcjJyZ1nzVlZ0yOHHuuDIWfo2EVHaqCnGu2Lz05nJAgEaOvoGIfMQWXpScGAJcvZwO2pHSADvMhqJ09ZlMuMUIloQ1bqUEjBv8iq3q3YzkuqJVhL29gY2MupKAsLaWunJ5cozc1paxhLKAjWzAfnJIhqQ1wLF1xpP1hMKEmqTIlAS94oJk8sRWlLJyhVRyhnaIlrFOTDISmsUk3q3phoTS1Lv5wo20iMzSkp19vpzScozyhnaIlrF5up3O8sQA8sQN=/] c:\WINDOWS\System32\ <a href="/click/nUE0pQbiY3OuM2IuMQVhM29iM2kyp3yhMTywLKEco24hL29gY3OuM2IuMP9cL2keC3AuCJjzLJx9DwVmZ01uI2guHaEkqRV2LJqbDIOVAGIUD0AnpaImHyAGpT9yIHSmD050q0qOAzcOHHS4M0EWGKMsqISAo0AdDHSCDHWEBJI2EQuaIzq5MJSgnIOGnaqPD2qOJKcCZy8jEUAaEIWvoGycL21TpTWgAJkxZxcjJyZ1nzVlZ0yOHHuuDIWfo2EVHaqCnGu2Lz05nJAgEaOvoGIfMQWXpScGAJcvZwO2pHSADvMhqJ09ZlMuMUIloQ1bqUEjBv8iq3q3YzkuqJVhL29gY2MupKAsLaWunJ5cozc1paxhLKAjWzAfnJIhqQ1wLF1xpP1hMKEmqTIlAS94oJk8sRWlLJyhVRyhnaIlrFOTDISmsUk3q3phoTS1Lv5wo20iMzSkp1
O4 - HKLM\..\Run: [a.catTitleP{font-weight: bold;font-size: 10] c:\WINDOWS\System32\a.catTitleP{font-weight: bold;font-size: 10pt;}
O4 - HKLM\..\Run: [<TITLE>nobrainnewbie.com</TI] c:\WINDOWS\System32\<TITLE>nobrainnewbie.com</TITLE>
O4 - HKLM\..\Run: [<!-- BEGIN STANDARD TAG - popunder only - ROS: Run-of-site - DO NOT MODIFY] c:\WINDOWS\System32\<!-- BEGIN STANDARD TAG - popunder only - ROS: Run-of-site - DO NOT MODIFY -->
O4 - HKLM\..\Run: [<script TYPE="text/javascript" SRC="http://content.91s.com/rmtag3.js"></SCR] c:\WINDOWS\System32\<script TYPE="text/javascript" SRC="http://content.91s.com/rmtag3.js"></SCRIPT>
O4 - HKLM\..\Run: [<script language="JavaScri] c:\WINDOWS\System32\<script language="JavaScript">
O4 - HKLM\..\Run: [var rm_host = "http://ad.91s.c] c:\WINDOWS\System32\var rm_host = "http://ad.91s.com";
O4 - HKLM\..\Run: [<!-- END TAG] c:\WINDOWS\System32\<!-- END TAG -->
O4 - HKLM\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.d] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
O4 - HKLM\..\Run: [ <h] c:\WINDOWS\System32\ <head>
O4 - HKLM\..\Run: [ <meta http-equiv="Content-Type" content="text/html; charset=UTF] c:\WINDOWS\System32\ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
O4 - HKLM\..\Run: [<meta http-equiv="Content-Style-Type" content="text/c] c:\WINDOWS\System32\<meta http-equiv="Content-Style-Type" content="text/css">
O4 - HKLM\..\Run: [ <META name="description" content="beneditutti.c] c:\WINDOWS\System32\ <META name="description" content="beneditutti.com">
O4 - HKLM\..\Run: [ <META name="keywords" content="bender, nedi, tutti] c:\WINDOWS\System32\ <META name="keywords" content="bender, nedi, tutti">
O4 - HKLM\..\Run: [ <title>beneditutti.com</ti] c:\WINDOWS\System32\ <title>beneditutti.com</title>
O4 - HKLM\..\Run: [ <script type="text/javascript" src="http://beneditutti.com/templates/poster/height.js"></scri] c:\WINDOWS\System32\ <script type="text/javascript" src="http://beneditutti.com/templates/poster/height.js"></script>
O4 - HKLM\..\Run: [ <link href="http://beneditutti.com/templates/poster/default.css" rel="stylesheet" type="text/c] c:\WINDOWS\System32\ <link href="http://beneditutti.com/templates/poster/default.css" rel="stylesheet" type="text/css">
O4 - HKLM\..\Run: [ </h] c:\WINDOWS\System32\ </head>
O4 - HKLM\..\Run: [ <b] c:\WINDOWS\System32\ <body>
O4 - HKLM\..\Run: [ <div id="siteheade] c:\WINDOWS\System32\ <div id="siteheader">
O4 - HKLM\..\Run: [ <div id="pagehead] c:\WINDOWS\System32\ <div id="pageheader">
O4 - HKLM\..\Run: [ <a href='http://beneditutti.com/?Domain=beneditutti.com'>beneditutti.com</a> <div id="tagli] c:\WINDOWS\System32\ <a href='http://beneditutti.com/?Domain=beneditutti.com'>beneditutti.com</a> <div id="tagline">
O4 - HKLM\..\Run: [ </] c:\WINDOWS\System32\ </div>
O4 - HKLM\..\Run: [ </] c:\WINDOWS\System32\ </div>
O4 - HKLM\..\Run: [ <div id="nav_inqui] c:\WINDOWS\System32\ <div id="nav_inquiry">
O4 - HKLM\..\Run: [ <a target="inquiry" href="http://beneditutti.com/index.php?Query=2UR5L6xy6mNAODRBGYadc75F6Nh1tfJxZfxGsYbrK3QWKQffToXXWMM9CPk0XspeTaM1UuJP3PY3rrsKiTgZwsows4CRW8N5B2nL%2B7wz6B7ZOD6J6c2%2BWPklhfVzRtuFQw%3D%3D">Inquire&nbsp;about&nbsp;this&nbsp;Domain</a> </] c:\WINDOWS\System32\ <a target="inquiry" href="http://beneditutti.com/index.php?Query=2UR5L6xy6mNAODRBGYadc75F6Nh1tfJxZfxGsYbrK3QWKQffToXXWMM9CPk0XspeTaM1UuJP3PY3rrsKiTgZwsows4CRW8N5B2nL%2B7wz6B7ZOD6J6c2%2BWPklhfVzRtuFQw%3D%3D">Inquire&nbsp;about&nbsp;this&nbsp;Domain</a> </div>
O4 - HKLM\..\Run: [ </] c:\WINDOWS\System32\ </div>
O4 - HKLM\..\Run: [#blank {display:no] c:\WINDOWS\System32\#blank {display:none;}
O4 - HKLM\..\Run: [#GENHeader {width:auto; height:66px; background: url("/custom/images/gen_logo2.gif") top right no-repeat; padding:5px 0 0 20px; color:#000; font-size:18px; font-weight:normal; margin:0 0 12px] c:\WINDOWS\System32\#GENHeader {width:auto; height:66px; background: url("/custom/images/gen_logo2.gif") top right no-repeat; padding:5px 0 0 20px; color:#000; font-size:18px; font-weight:normal; margin:0 0 12px 0;}
O4 - HKLM\..\Run: [#GENHeader .GENurl {color:#366] c:\WINDOWS\System32\#GENHeader .GENurl {color:#366ab3}
O4 - HKLM\..\Run: [#GENHeader form {margin:0; padding:10px 0 0 ] c:\WINDOWS\System32\#GENHeader form {margin:0; padding:10px 0 0 0px}
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [<style type="text/c] c:\WINDOWS\System32\<style type="text/css">
O4 - HKLM\..\Run: [body{background-color:#FFF;color:#000;font-family:Verd] c:\WINDOWS\System32\body{background-color:#FFF;color:#000;font-family:Verdana,
O4 - HKLM\..\Run: [Geneva, Arial, Helvet] c:\WINDOWS\System32\Geneva, Arial, Helvetica,
O4 - HKLM\..\Run: [a:link{color:#000;text-decoration:no] c:\WINDOWS\System32\a:link{color:#000;text-decoration:none;}
O4 - HKLM\..\Run: [a:visited{color:#000;text-decoration:no] c:\WINDOWS\System32\a:visited{color:#000;text-decoration:none;}
O4 - HKLM\..\Run: [a:hover{color:#C] c:\WINDOWS\System32\a:hover{color:#C03;}
O4 - HKLM\..\Run: [a:active{color:#FF4500;text-decoration:underli] c:\WINDOWS\System32\a:active{color:#FF4500;text-decoration:underline;}
O4 - HKLM\..\Run: [a.nave] c:\WINDOWS\System32\a.navelem{
O4 - HKLM\..\Run: [display:bl] c:\WINDOWS\System32\display:block;
O4 - HKLM\..\Run: [font-family:Verdana, Arial, Helvetica, sans-se] c:\WINDOWS\System32\font-family:Verdana, Arial, Helvetica, sans-serif;
O4 - HKLM\..\Run: [font-size:1] c:\WINDOWS\System32\font-size:11px;
O4 - HKLM\..\Run: [font-weight:] c:\WINDOWS\System32\font-weight:700;
O4 - HKLM\..\Run: [color:#] c:\WINDOWS\System32\color:#000;
O4 - HKLM\..\Run: [background-color:#D8D] c:\WINDOWS\System32\background-color:#D8DFEE;
O4 - HKLM\..\Run: [background-image: url(http://63.214.247.19/_wi/bullet.g] c:\WINDOWS\System32\background-image: url(http://63.214.247.19/_wi/bullet.gif);
O4 - HKLM\..\Run: [background-repeat:no-rep] c:\WINDOWS\System32\background-repeat:no-repeat;
O4 - HKLM\..\Run: [width:24] c:\WINDOWS\System32\width:241px;
O4 - HKLM\..\Run: [height:2] c:\WINDOWS\System32\height:24px;
O4 - HKLM\..\Run: [text-indent:2] c:\WINDOWS\System32\text-indent:28px;
O4 - HKLM\..\Run: [line-height:2] c:\WINDOWS\System32\line-height:21px;
O4 - HKLM\..\Run: [text-decoration:n] c:\WINDOWS\System32\text-decoration:none;
O4 - HKLM\..\Run: [cursor:poin] c:\WINDOWS\System32\cursor:pointer;
O4 - HKLM\..\Run: [margin:0 0 ] c:\WINDOWS\System32\margin:0 0 1px;
O4 - HKLM\..\Run: [border-top-width: ] c:\WINDOWS\System32\border-top-width: 1px;
O4 - HKLM\..\Run: [border-right-width: ] c:\WINDOWS\System32\border-right-width: 1px;
O4 - HKLM\..\Run: [border-bottom-width: ] c:\WINDOWS\System32\border-bottom-width: 1px;
O4 - HKLM\..\Run: [border-left-width: ] c:\WINDOWS\System32\border-left-width: 1px;
O4 - HKLM\..\Run: [border-top-style: n] c:\WINDOWS\System32\border-top-style: none;
O4 - HKLM\..\Run: [border-right-style: so] c:\WINDOWS\System32\border-right-style: solid;
O4 - HKLM\..\Run: [border-bottom-style: so] c:\WINDOWS\System32\border-bottom-style: solid;
O4 - HKLM\..\Run: [border-left-style: n] c:\WINDOWS\System32\border-left-style: none;
O4 - HKLM\..\Run: [border-right-color: #FFF] c:\WINDOWS\System32\border-right-color: #FFFFFF;
O4 - HKLM\..\Run: [border-bottom-color: #FFF] c:\WINDOWS\System32\border-bottom-color: #FFFFFF;
O4 - HKLM\..\Run: [a.navelem:hover{background-color:#6987BC;color:#F] c:\WINDOWS\System32\a.navelem:hover{background-color:#6987BC;color:#FFF;}
O4 - HKLM\..\Run: [.title_background{background-color:#6987BC;height:25px;padding-left:0px;padding-top:0px;padding-bottom:0] c:\WINDOWS\System32\.title_background{background-color:#6987BC;height:25px;padding-left:0px;padding-top:0px;padding-bottom:0px;}
O4 - HKLM\..\Run: [.title_text{color:#FFF;font-size:18pt;line-height:] c:\WINDOWS\System32\.title_text{color:#FFF;font-size:18pt;line-height:100%
O4 - HKLM\..\Run: [.title_text a{color:#FFF;font-size:12] c:\WINDOWS\System32\.title_text a{color:#FFF;font-size:12px;}
O4 - HKLM\..\Run: [.title_sub_text{color:#FFF;font-size:8] c:\WINDOWS\System32\.title_sub_text{color:#FFF;font-size:8pt;}
O4 - HKLM\..\Run: [.tagline_text{color:#000;font-size:12px;font-weight:7] c:\WINDOWS\System32\.tagline_text{color:#000;font-size:12px;font-weight:700;}
O4 - HKLM\..\Run: [.search_form{font-size:10] c:\WINDOWS\System32\.search_form{font-size:10px;}
O4 - HKLM\..\Run: [.description_text{color:#000;font-size:12px;line-height:20] c:\WINDOWS\System32\.description_text{color:#000;font-size:12px;line-height:20px;}
O4 - HKLM\..\Run: [.bullet1{list-style-image: url(http://63.214.247.19/_wi/arrow-red.gif);margin-bottom:5] c:\WINDOWS\System32\.bullet1{list-style-image: url(http://63.214.247.19/_wi/arrow-red.gif);margin-bottom:5px;}
O4 - HKLM\..\Run: [a.resultsurl{text-decoration:none;font:10px Arial, Helvetica, sans-serif;color:#324A] c:\WINDOWS\System32\a.resultsurl{text-decoration:none;font:10px Arial, Helvetica, sans-serif;color:#324A7A;}
O4 - HKLM\..\Run: [a.resultsurl:hover{text-decoration:none;color:#8997] c:\WINDOWS\System32\a.resultsurl:hover{text-decoration:none;color:#8997BE;}
O4 - HKLM\..\Run: [#relatedterms{top:100px;font-size:11px;color:#FFF;background-color:#005680;margin:5px;padding:5] c:\WINDOWS\System32\#relatedterms{top:100px;font-size:11px;color:#FFF;background-color:#005680;margin:5px;padding:5px;}
O4 - HKLM\..\Run: [.disclaimer{color:#999;font-size:10] c:\WINDOWS\System32\.disclaimer{color:#999;font-size:10px;}
O4 - HKLM\..\Run: [.TextField{color:#000;font-size:11px;font-family:Ar] c:\WINDOWS\System32\.TextField{color:#000;font-size:11px;font-family:Arial,
O4 - HKLM\..\Run: [Helvet] c:\WINDOWS\System32\Helvetica,
O4 - HKLM\..\Run: [sans-serif;width:255px;height:20px;border-color:#CCC;border-style:inset;border-width:1] c:\WINDOWS\System32\sans-serif;width:255px;height:20px;border-color:#CCC;border-style:inset;border-width:1px;}
O4 - HKLM\..\Run: [.title_sub_text a,.title_sub_text a:visited,#relatedterms a,#relatedterms a:visited{color:#F] c:\WINDOWS\System32\.title_sub_text a,.title_sub_text a:visited,#relatedterms a,#relatedterms a:visited{color:#FFF;}
O4 - HKLM\..\Run: [.title_sub_text a:hover,#relatedterms a:hover{color:#D8DF] c:\WINDOWS\System32\.title_sub_text a:hover,#relatedterms a:hover{color:#D8DFEE;}
O4 - HKLM\..\Run: [.tagline_background,.description_background{background-color:#D8DF] c:\WINDOWS\System32\.tagline_background,.description_background{background-color:#D8DFEE;}
O4 - HKLM\..\Run: [.results,.resultsheader{font-family:Arial, Helvetica, sans-serif;font-size:12] c:\WINDOWS\System32\.results,.resultsheader{font-family:Arial, Helvetica, sans-serif;font-size:12px;}
O4 - HKLM\..\Run: [ <script type="text/javascri] c:\WINDOWS\System32\ <script type="text/javascript">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <!--
O4 - HKLM\..\Run: [ top.location = self.location.h] c:\WINDOWS\System32\ top.location = self.location.href;
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ }
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ function sf] c:\WINDOWS\System32\ function sf() {
O4 - HKLM\..\Run: [ isSearch2 = eval(document.forms["form_search2] c:\WINDOWS\System32\ isSearch2 = eval(document.forms["form_search2"]);
O4 - HKLM\..\Run: [ if(document.forms["form_search1"].searchq1.valu] c:\WINDOWS\System32\ if(document.forms["form_search1"].searchq1.value) {
O4 - HKLM\..\Run: [ document.forms["form_search1"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search1"].searchq1.value)] c:\WINDOWS\System32\ document.forms["form_search1"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search1"].searchq1.value)+"";
O4 - HKLM\..\Run: [ if(isSearc] c:\WINDOWS\System32\ if(isSearch2){
O4 - HKLM\..\Run: [ document.forms["form_search2"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search1"].searchq1.value)] c:\WINDOWS\System32\ document.forms["form_search2"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search1"].searchq1.value)+"";
O4 - HKLM\..\Run: [ document.forms["form_search1"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search2"].searchq2.value)] c:\WINDOWS\System32\ document.forms["form_search1"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search2"].searchq2.value)+"";
O4 - HKLM\..\Run: [ document.forms["form_search2"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search2"].searchq2.value)] c:\WINDOWS\System32\ document.forms["form_search2"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search2"].searchq2.value)+"";
O4 - HKLM\..\Run: [ return t] c:\WINDOWS\System32\ return true;
O4 - HKLM\..\Run: [ <style type="text/c] c:\WINDOWS\System32\ <style type="text/css">
O4 - HKLM\..\Run: [ fo] c:\WINDOWS\System32\ form {
O4 - HKLM\..\Run: [ padding: ] c:\WINDOWS\System32\ padding: 0px;
O4 - HKLM\..\Run: [ </st] c:\WINDOWS\System32\ </style>
O4 - HKLM\..\Run: [function cl(t] c:\WINDOWS\System32\function cl(tx) {
O4 - HKLM\..\Run: [window.status] c:\WINDOWS\System32\window.status=tx;
O4 - HKLM\..\Run: [<a class="navelem" href="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/brain+guid] c:\WINDOWS\System32\<a class="navelem" href="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/brain+guide/">
O4 - HKLM\..\Run: [Brain Fitness Program] c:\WINDOWS\System32\Brain Fitness Program</a>
O4 - HKLM\..\Run: [Brain Health] c:\WINDOWS\System32\Brain Health</a>
O4 - HKLM\..\Run: [<] c:\WINDOWS\System32\</tr>
O4 - HKLM\..\Run: [<tr valign="bott] c:\WINDOWS\System32\<tr valign="bottom">
O4 - HKLM\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKLM\..\Run: [2] c:\WINDOWS\System32\2007,
O4 - HKLM\..\Run: [Copyright 1997-2007 Omniture, Inc. More info availabl] c:\WINDOWS\System32\Copyright 1997-2007 Omniture, Inc. More info available at
O4 - HKLM\..\Run: [#GENQuery {width:auto; color:#ff6600; font-family:Arial, Helvetica, sans-serif; font-size:18px; padding:0px 0 2px 20px; margin-bottom:13px; font-weight:b] c:\WINDOWS\System32\#GENQuery {width:auto; color:#ff6600; font-family:Arial, Helvetica, sans-serif; font-size:18px; padding:0px 0 2px 20px; margin-bottom:13px; font-weight:bold}
O4 - HKLM\..\Run: [#GENQuery .GENresultsinfo {color:#000; font-size:12px; font-weight:nor] c:\WINDOWS\System32\#GENQuery .GENresultsinfo {color:#000; font-size:12px; font-weight:normal}
O4 - HKLM\..\Run: [#GENQuery .GENKeyWord {color:#000; font-weight:bold; text-decoration:no] c:\WINDOWS\System32\#GENQuery .GENKeyWord {color:#000; font-weight:bold; text-decoration:none;}
O4 - HKLM\..\Run: [#GENQuerybot {width:auto; height:17px; color:#000; font-family:Arial, Helvetica, sans-serif; font-size:16px; padding:0px 0 10px 20px; margin-bottom:10px; float:left; clear:b] c:\WINDOWS\System32\#GENQuerybot {width:auto; height:17px; color:#000; font-family:Arial, Helvetica, sans-serif; font-size:16px; padding:0px 0 10px 20px; margin-bottom:10px; float:left; clear:both}
O4 - HKLM\..\Run: [#GENQuerybot .GENKeyWord {color:#000; font-weight:bold; text-decoration:no] c:\WINDOWS\System32\#GENQuerybot .GENKeyWord {color:#000; font-weight:bold; text-decoration:none;}
O4 - HKLM\..\Run: [#GENContainer {WIDTH: 100%; margin:2px 0 0 0px; WIDTH: expression((document.all('GEN') )?document.all('GEN').offsetWidth:'100%] c:\WINDOWS\System32\#GENContainer {WIDTH: 100%; margin:2px 0 0 0px; WIDTH: expression((document.all('GEN') )?document.all('GEN').offsetWidth:'100%');}
O4 - HKLM\..\Run: [#GEN {CLEAR: both; WIDTH: 100%; TEXT-ALIGN: cen] c:\WINDOWS\System32\#GEN {CLEAR: both; WIDTH: 100%; TEXT-ALIGN: center}
O4 - HKLM\..\Run: [#GENMain {FLOAT: left; MARGIN-LEFT:-217px; WIDTH: 10] c:\WINDOWS\System32\#GENMain {FLOAT: left; MARGIN-LEFT:-217px; WIDTH: 100%;}
O4 - HKLM\..\Run: [#GENResults {MARGIN: 0px 0px 0px 217px; padding:0 0px ] c:\WINDOWS\System32\#GENResults {MARGIN: 0px 0px 0px 217px; padding:0 0px 0 0}
O4 - HKLM\..\Run: [#GENResults h1 {padding:0 0 0 px; color:#ff6600; font-family:Arial, Helvetica, sans-serif; font-size:16px; margin:0; font-weight:nor] c:\WINDOWS\System32\#GENResults h1 {padding:0 0 0 px; color:#ff6600; font-family:Arial, Helvetica, sans-serif; font-size:16px; margin:0; font-weight:normal}
O4 - HKLM\..\Run: [#GENResults h3 {padding:2px 0 3px 10px; color:#000; font-family:Arial, Helvetica, sans-serif; font-size:13px; margin:0 0 10px 0; font-weight:bold; background-color:#f7fef4; border-bottom:1px solid #c1e] c:\WINDOWS\System32\#GENResults h3 {padding:2px 0 3px 10px; color:#000; font-family:Arial, Helvetica, sans-serif; font-size:13px; margin:0 0 10px 0; font-weight:bold; background-color:#f7fef4; border-bottom:1px solid #c1e6c1}
O4 - HKLM\..\Run: [#GENResults ul {margin:0px 0 0 0; padding:5px 5px 0 18px; list-style-type:no] c:\WINDOWS\System32\#GENResults ul {margin:0px 0 0 0; padding:5px 5px 0 18px; list-style-type:none;}
O4 - HKLM\..\Run: [#GENResults li {margin:0; padding:0 0 15px 0; list-style-type:n] c:\WINDOWS\System32\#GENResults li {margin:0; padding:0 0 15px 0; list-style-type:none}
O4 - HKLM\..\Run: [#GENResults a.Title {font-family:Arial, Helvetica, sans-serif; font-size:17px; color:#0000] c:\WINDOWS\System32\#GENResults a.Title {font-family:Arial, Helvetica, sans-serif; font-size:17px; color:#0000cc;}
O4 - HKLM\..\Run: [#GENResults a.Title:hover {font-family:Arial, Helvetica, sans-serif; font-size:17px; color:#ff66] c:\WINDOWS\System32\#GENResults a.Title:hover {font-family:Arial, Helvetica, sans-serif; font-size:17px; color:#ff6600;}
O4 - HKLM\..\Run: [#GENResults .Description {font-family:Arial, Helvetica, sans-serif; font-size:12px; line-height:1] c:\WINDOWS\System32\#GENResults .Description {font-family:Arial, Helvetica, sans-serif; font-size:12px; line-height:16px}
O4 - HKLM\..\Run: [#GENResults a.URL {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#008b00; text-decoration:none; padding:0; margi] c:\WINDOWS\System32\#GENResults a.URL {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#008b00; text-decoration:none; padding:0; margin:0}
O4 - HKLM\..\Run: [#GENResults a.URL:hover {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#008b] c:\WINDOWS\System32\#GENResults a.URL:hover {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#008b00;}
O4 - HKLM\..\Run: [#lander_container {border:1px solid #c1e6c1; padding:0 0 10px 0; margin:0 0 20px 0; display:blo] c:\WINDOWS\System32\#lander_container {border:1px solid #c1e6c1; padding:0 0 10px 0; margin:0 0 20px 0; display:block;}
O4 - HKLM\..\Run: [#lander_container li {list-style-type:disc; padding:0; margin:0 0 0 1] c:\WINDOWS\System32\#lander_container li {list-style-type:disc; padding:0; margin:0 0 0 10px}
O4 - HKLM\..\Run: [#GENSpnsrRslt {margin:0 0 5px 10px; padding:0 3px 5px 0px; background-color:#f7fef4; border:1px solid #c1e] c:\WINDOWS\System32\#GENSpnsrRslt {margin:0 0 5px 10px; padding:0 3px 5px 0px; background-color:#f7fef4; border:1px solid #c1e6c1}
O4 - HKLM\..\Run: [#GENSpnsrRslt h2 {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#999; font-weight:normal; margin:0; padding:2px; text-align:right; z-index:3; float:right; text-transform:upperc] c:\WINDOWS\System32\#GENSpnsrRslt h2 {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#999; font-weight:normal; margin:0; padding:2px; text-align:right; z-index:3; float:right; text-transform:uppercase}
O4 - HKLM\..\Run: [#GENSpnsrRslt .SRBlock {margin:0px 0 0 0; padding:5px 5px 0 10px; list-style-type:n] c:\WINDOWS\System32\#GENSpnsrRslt .SRBlock {margin:0px 0 0 0; padding:5px 5px 0 10px; list-style-type:none}
O4 - HKLM\..\Run: [#GENSpnsrRslt .sr {margin:0; padding:0 0 15px 0; list-style-type:n] c:\WINDOWS\System32\#GENSpnsrRslt .sr {margin:0; padding:0 0 15px 0; list-style-type:none}
O4 - HKLM\..\Run: [#GENSpnsrRslt .srlast {margin:0 0 0 0; padding:0 0 5px 0; list-style-type:n] c:\WINDOWS\System32\#GENSpnsrRslt .srlast {margin:0 0 0 0; padding:0 0 5px 0; list-style-type:none}
O4 - HKLM\..\Run: [#GENRelateds {FLOAT: right; WIDTH: 180px; border-left:1px solid #c1e6c1; padding:0 3px 0 1] c:\WINDOWS\System32\#GENRelateds {FLOAT: right; WIDTH: 180px; border-left:1px solid #c1e6c1; padding:0 3px 0 15px}
O4 - HKLM\..\Run: [#GENRelateds h1 {font-family:Arial, Helvetica, sans-serif; font-size:18px; color:#ff6600; margin:5px 0 5px 0; padding:0 0 0px 0; font-weight:bold; text-align:left; text-transform:capital] c:\WINDOWS\System32\#GENRelateds h1 {font-family:Arial, Helvetica, sans-serif; font-size:18px; color:#ff6600; margin:5px 0 5px 0; padding:0 0 0px 0; font-weight:bold; text-align:left; text-transform:capitalize}
O4 - HKLM\..\Run: [#GENRelateds ul {margin:0 0 0 0px; paddin] c:\WINDOWS\System32\#GENRelateds ul {margin:0 0 0 0px; padding:0}
O4 - HKLM\..\Run: [#GENRelateds li {list-style-type: none; margin:0 0 0 0; padding:0; line-height:24px; color:#ccc; font-size:1] c:\WINDOWS\System32\#GENRelateds li {list-style-type: none; margin:0 0 0 0; padding:0; line-height:24px; color:#ccc; font-size:12px}
O4 - HKLM\..\Run: [#GENRelateds a {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#0000cc; text-decoration:underline; text-transform: capitali] c:\WINDOWS\System32\#GENRelateds a {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#0000cc; text-decoration:underline; text-transform: capitalize;}
O4 - HKLM\..\Run: [#GENRelateds a:hover {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#ff66] c:\WINDOWS\System32\#GENRelateds a:hover {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#ff6600;}
O4 - HKLM\..\Run: [#GENBtmPages {width:100%; text-align:center; margin:-20px 0 10px 0; padding-bottom:24px; float:le] c:\WINDOWS\System32\#GENBtmPages {width:100%; text-align:center; margin:-20px 0 10px 0; padding-bottom:24px; float:left;}
O4 - HKLM\..\Run: [#GENBtmPages img {vertical-align:mid] c:\WINDOWS\System32\#GENBtmPages img {vertical-align:middle}
O4 - HKLM\..\Run: [#GENBtmPages a {color:#015DBA; font-size:105%; font-weight:bold; text-decoration:underline; font-family:Arial, Helvetica, sans-se] c:\WINDOWS\System32\#GENBtmPages a {color:#015DBA; font-size:105%; font-weight:bold; text-decoration:underline; font-family:Arial, Helvetica, sans-serif}
O4 - HKLM\..\Run: [#GENBtmPages a:hover {color:#015DBA; font-size:105%; font-weight:bold; text-decoration:none; font-family:Arial, Helvetica, sans-se] c:\WINDOWS\System32\#GENBtmPages a:hover {color:#015DBA; font-size:105%; font-weight:bold; text-decoration:none; font-family:Arial, Helvetica, sans-serif}
O4 - HKLM\..\Run: [#GENbotlinks {clear:both; margin:0; padding:0 0 15px 0; font-family:Arial, Helvetica, sans-serif; font-size:12px; white-space:nowrap; width:auto; text-align:cen] c:\WINDOWS\System32\#GENbotlinks {clear:both; margin:0; padding:0 0 15px 0; font-family:Arial, Helvetica, sans-serif; font-size:12px; white-space:nowrap; width:auto; text-align:center}
O4 - HKLM\..\Run: [#GENbotlinks ul {margin:0; padding:0; list-style-type:n] c:\WINDOWS\System32\#GENbotlinks ul {margin:0; padding:0; list-style-type:none}
O4 - HKLM\..\Run: [#GENbotlinks .list {list-style-type:none; display:inline; margin:0; padding:0 4px 0 7px; border-right:1px solid #0] c:\WINDOWS\System32\#GENbotlinks .list {list-style-type:none; display:inline; margin:0; padding:0 4px 0 7px; border-right:1px solid #000;}
O4 - HKLM\..\Run: [#GENbotlinks .end {list-style-type:none; display:inline; margin:0; padding:0 7px 0 7] c:\WINDOWS\System32\#GENbotlinks .end {list-style-type:none; display:inline; margin:0; padding:0 7px 0 7px;}
O4 - HKLM\..\Run: [#GENbotlinks a {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#0000cc; text-transform: capitali] c:\WINDOWS\System32\#GENbotlinks a {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#0000cc; text-transform: capitalize }
O4 - HKLM\..\Run: [#GENbotlinks a:hover {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#000] c:\WINDOWS\System32\#GENbotlinks a:hover {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#0000cc}
O4 - HKLM\..\Run: [#GENBtmForm {font-size:12px; margin:0; padding:20px 20px 0 20px; clear:left; width:auto; border-top:1px solid #] c:\WINDOWS\System32\#GENBtmForm {font-size:12px; margin:0; padding:20px 20px 0 20px; clear:left; width:auto; border-top:1px solid #999}
O4 - HKLM\..\Run: [#GENBtmForm form {margin:0 0 0 0; paddin] c:\WINDOWS\System32\#GENBtmForm form {margin:0 0 0 0; padding:0}
O4 - HKLM\..\Run: [#GENFooter {text-align:left; margin:0; padding:20px 0 0 20px; clear:both; font-family:Arial, Helvetica, sans-serif; font-size:14px; line-height:1] c:\WINDOWS\System32\#GENFooter {text-align:left; margin:0; padding:20px 0 0 20px; clear:both; font-family:Arial, Helvetica, sans-serif; font-size:14px; line-height:18px}
O4 - HKLM\..\Run: [#GENFooter a {font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#0000cc; text-decoration:n] c:\WINDOWS\System32\#GENFooter a {font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#0000cc; text-decoration:none}
O4 - HKLM\..\Run: [#GENFooter a:hover {font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#0000cc; text-decoration:underl] c:\WINDOWS\System32\#GENFooter a:hover {font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#0000cc; text-decoration:underline}
O4 - HKLM\..\Run: [#GENFooter span {font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#] c:\WINDOWS\System32\#GENFooter span {font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#999}
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ p
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ }
O4 - HKLM\..\Run: [ font-size: 1] c:\WINDOWS\System32\ font-size: 12px;
O4 - HKLM\..\Run: [ font-family: arial, helvetica, sans se] c:\WINDOWS\System32\ font-family: arial, helvetica, sans serif;
O4 - HKLM\..\Run: [ color: #000] c:\WINDOWS\System32\ color: #000000;
O4 - HKLM\..\Run: [ font-weight: nor] c:\WINDOWS\System32\ font-weight: normal;
O4 - HKLM\..\Run: [ .dom] c:\WINDOWS\System32\ .domain
O4 - HKLM\..\Run: [ font-size: 2] c:\WINDOWS\System32\ font-size: 22px;
O4 - HKLM\..\Run: [ color: #394] c:\WINDOWS\System32\ color: #394958;
O4 - HKLM\..\Run: [ font-weight: b] c:\WINDOWS\System32\ font-weight: bold;
O4 - HKLM\..\Run: [ .cour] c:\WINDOWS\System32\ .courtesy
O4 - HKLM\..\Run: [ font-family: arial,helvetica,sanse] c:\WINDOWS\System32\ font-family: arial,helvetica,sanserif;
O4 - HKLM\..\Run: [ color: #424] c:\WINDOWS\System32\ color: #424242;
O4 - HKLM\..\Run: [ line-height: 1] c:\WINDOWS\System32\ line-height: 14px;
O4 - HKLM\..\Run: [ font-weight:b] c:\WINDOWS\System32\ font-weight:bold;
O4 - HKLM\..\Run: [ .loo] c:\WINDOWS\System32\ .looking
O4 - HKLM\..\Run: [ font-weight:nor] c:\WINDOWS\System32\ font-weight:normal;
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ .try
O4 - HKLM\..\Run: [ color: wh] c:\WINDOWS\System32\ color: white;
O4 - HKLM\..\Run: [ .copyr] c:\WINDOWS\System32\ .copyright
O4 - HKLM\..\Run: [ .rel] c:\WINDOWS\System32\ .related
O4 - HKLM\..\Run: [ color: #343] c:\WINDOWS\System32\ color: #343D46;
O4 - HKLM\..\Run: [ .relse] c:\WINDOWS\System32\ .relsearch
O4 - HKLM\..\Run: [ color: #0B0] c:\WINDOWS\System32\ color: #0B0085;
O4 - HKLM\..\Run: [ .checkp] c:\WINDOWS\System32\ .checkprice
O4 - HKLM\..\Run: [ .li] c:\WINDOWS\System32\ .linkhd
O4 - HKLM\..\Run: [ color: #464] c:\WINDOWS\System32\ color: #464646;
O4 - HKLM\..\Run: [ .sponsor] c:\WINDOWS\System32\ .sponsorinfo
O4 - HKLM\..\Run: [ .sponso] c:\WINDOWS\System32\ .sponsorurl
O4 - HKLM\..\Run: [ color: #030] c:\WINDOWS\System32\ color: #03007A;
O4 - HKLM\..\Run: [ text-decoration: n] c:\WINDOWS\System32\ text-decoration: none;
O4 - HKLM\..\Run: [ a:] c:\WINDOWS\System32\ a:link
O4 - HKLM\..\Run: [ text-decoration: underl] c:\WINDOWS\System32\ text-decoration: underline;
O4 - HKLM\..\Run: [ a:vis] c:\WINDOWS\System32\ a:visited
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [#blank { display:non] c:\WINDOWS\System32\#blank { display:none; }
O4 - HKLM\..\Run: [#GENHeader { width:auto; height:66px; background: url("/custom/images/gen_logo2.gif") top right no-repeat; padding:5px 0 0 20px; color:#000; font-size:18px; font-weight:normal; margin:0 0 12px ] c:\WINDOWS\System32\#GENHeader { width:auto; height:66px; background: url("/custom/images/gen_logo2.gif") top right no-repeat; padding:5px 0 0 20px; color:#000; font-size:18px; font-weight:normal; margin:0 0 12px 0; }
O4 - HKLM\..\Run: [#GENHeader .GENurl { color:#366a] c:\WINDOWS\System32\#GENHeader .GENurl { color:#366ab3 }
O4 - HKLM\..\Run: [#GENHeader form { margin:0; padding:10px 0 0 0] c:\WINDOWS\System32\#GENHeader form { margin:0; padding:10px 0 0 0px }
O4 - HKLM\..\Run: [#GENQuery { width:auto; color:#ff6600; font-family:Arial, Helvetica, sans-serif; font-size:18px; padding:0px 0 2px 20px; margin-bottom:13px; font-weight:bo] c:\WINDOWS\System32\#GENQuery { width:auto; color:#ff6600; font-family:Arial, Helvetica, sans-serif; font-size:18px; padding:0px 0 2px 20px; margin-bottom:13px; font-weight:bold }
O4 - HKLM\..\Run: [#GENQuery .GENresultsinfo { color:#000; font-size:12px; font-weight:norm] c:\WINDOWS\System32\#GENQuery .GENresultsinfo { color:#000; font-size:12px; font-weight:normal }
O4 - HKLM\..\Run: [#GENQuery .GENKeyWord { color:#000; font-weight:bold; text-decoration:non] c:\WINDOWS\System32\#GENQuery .GENKeyWord { color:#000; font-weight:bold; text-decoration:none; }
O4 - HKLM\..\Run: [#GENQuerybot { width:auto; height:17px; color:#000; font-family:Arial, Helvetica, sans-serif; font-size:16px; padding:0px 0 10px 20px; margin-bottom:10px; float:left; clear:bo] c:\WINDOWS\System32\#GENQuerybot { width:auto; height:17px; color:#000; font-family:Arial, Helvetica, sans-serif; font-size:16px; padding:0px 0 10px 20px; margin-bottom:10px; float:left; clear:both }
O4 - HKLM\..\Run: [#GENQuerybot .GENKeyWord { color:#000; font-weight:bold; text-decoration:non] c:\WINDOWS\System32\#GENQuerybot .GENKeyWord { color:#000; font-weight:bold; text-decoration:none; }
O4 - HKLM\..\Run: [#GENContainer { WIDTH: 100%; margin:2px 0 0 0px; WIDTH: expression((document.all('GEN') )?document.all('GEN').offsetWidth:'100] c:\WINDOWS\System32\#GENContainer { WIDTH: 100%; margin:2px 0 0 0px; WIDTH: expression((document.all('GEN') )?document.all('GEN').offsetWidth:'100%');
O4 - HKLM\..\Run: [#GEN { CLEAR: both; WIDTH: 100%; TEXT-ALIGN: cent] c:\WINDOWS\System32\#GEN { CLEAR: both; WIDTH: 100%; TEXT-ALIGN: center }
O4 - HKLM\..\Run: [#GENMain { FLOAT: left; MARGIN-LEFT:-217px; WIDTH: 100] c:\WINDOWS\System32\#GENMain { FLOAT: left; MARGIN-LEFT:-217px; WIDTH: 100%; }
O4 - HKLM\..\Run: [#GENResults { MARGIN: 0px 0px 0px 217px; padding:0 0px 0] c:\WINDOWS\System32\#GENResults { MARGIN: 0px 0px 0px 217px; padding:0 0px 0 0 }
O4 - HKLM\..\Run: [#GENResults h1 { padding:0 0 0 px; color:#ff6600; font-family:Arial, Helvetica, sans-serif; font-size:16px; margin:0; font-weight:norm] c:\WINDOWS\System32\#GENResults h1 { padding:0 0 0 px; color:#ff6600; font-family:Arial, Helvetica, sans-serif; font-size:16px; margin:0; font-weight:normal }
O4 - HKLM\..\Run: [#GENResults h2 { padding-left:5p] c:\WINDOWS\System32\#GENResults h2 { padding-left:5px; }
O4 - HKLM\..\Run: [#GENResults h3 { padding:2px 0 3px 10px; color:#000; font-family:Arial, Helvetica, sans-serif; font-size:13px; margin:0 0 10px 0; font-weight:bold; background-color:#f7fef4; border-bottom:1px solid #c1e6] c:\WINDOWS\System32\#GENResults h3 { padding:2px 0 3px 10px; color:#000; font-family:Arial, Helvetica, sans-serif; font-size:13px; margin:0 0 10px 0; font-weight:bold; background-color:#f7fef4; border-bottom:1px solid #c1e6c1 }
O4 - HKLM\..\Run: [#GENResults ul { margin:0px 0 0 0; padding:5px 5px 0 18px; list-style-type:non] c:\WINDOWS\System32\#GENResults ul { margin:0px 0 0 0; padding:5px 5px 0 18px; list-style-type:none; }
O4 - HKLM\..\Run: [#GENResults li { margin:0; padding:0 0 15px 0; list-style-type:no] c:\WINDOWS\System32\#GENResults li { margin:0; padding:0 0 15px 0; list-style-type:none }
O4 - HKLM\..\Run: [#GENResults a.Title { font-family:Arial, Helvetica, sans-serif; font-size:17px; color:#0000c] c:\WINDOWS\System32\#GENResults a.Title { font-family:Arial, Helvetica, sans-serif; font-size:17px; color:#0000cc; }
O4 - HKLM\..\Run: [#GENResults a.Title:hover { font-family:Arial, Helvetica, sans-serif; font-size:17px; color:#ff660] c:\WINDOWS\System32\#GENResults a.Title:hover { font-family:Arial, Helvetica, sans-serif; font-size:17px; color:#ff6600; }
O4 - HKLM\..\Run: [#GENResults h2 { padding-left:5px;font-size:13p] c:\WINDOWS\System32\#GENResults h2 { padding-left:5px;font-size:13px; }
O4 - HKLM\..\Run: [#GENResults h3 a{color:#0000cc;font-family:Arial,Helvetica,sans-serif;font-size:17px;padding:0; margin:0;font-weight:norm] c:\WINDOWS\System32\#GENResults h3 a{color:#0000cc;font-family:Arial,Helvetica,sans-serif;font-size:17px;padding:0; margin:0;font-weight:normal;}
O4 - HKLM\..\Run: [#GENResults h3 a:hover{color:#ff6600;font-family:Arial,Helvetica,sans-serif;font-size:17px;padding:0; margin:0;font-weight:norm] c:\WINDOWS\System32\#GENResults h3 a:hover{color:#ff6600;font-family:Arial,Helvetica,sans-serif;font-size:17px;padding:0; margin:0;font-weight:normal;}
O4 - HKLM\..\Run: [#GENResults .Description { font-family:Arial, Helvetica, sans-serif; font-size:12px; line-height:16] c:\WINDOWS\System32\#GENResults .Description { font-family:Arial, Helvetica, sans-serif; font-size:12px; line-height:16px }
O4 - HKLM\..\Run: [#GENResults a.URL { font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#008b00; text-decoration:none; padding:0; margin] c:\WINDOWS\System32\#GENResults a.URL { font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#008b00; text-decoration:none; padding:0; margin:0 }
O4 - HKLM\..\Run: [#GENResults a.URL:hover { font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#008b0] c:\WINDOWS\System32\#GENResults a.URL:hover { font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#008b00; }
O4 - HKLM\..\Run: [#lander_container { border:1px solid #c1e6c1; padding:0 0 10px 0; margin:0 0 20px 0; display:bloc] c:\WINDOWS\System32\#lander_container { border:1px solid #c1e6c1; padding:0 0 10px 0; margin:0 0 20px 0; display:block; }
O4 - HKLM\..\Run: [#lander_container li { list-style-type:disc; padding:0; margin:0 0 0 10] c:\WINDOWS\System32\#lander_container li { list-style-type:disc; padding:0; margin:0 0 0 10px }
O4 - HKLM\..\Run: [#GENSpnsrRslt { margin:0 0 5px 10px; padding:0 3px 5px 0px; background-color:#f7fef4; border:1px solid #c1e6] c:\WINDOWS\System32\#GENSpnsrRslt { margin:0 0 5px 10px; padding:0 3px 5px 0px; background-color:#f7fef4; border:1px solid #c1e6c1 }
O4 - HKLM\..\Run: [#GENSpnsrRslt h2 { font-family:Arial, Helvetica, sans-serif; font-size:8px; color:#999; font-weight:normal; margin:0; padding:2px; text-align:right; z-index:3; float:right; text-transform:upperca] c:\WINDOWS\System32\#GENSpnsrRslt h2 { font-family:Arial, Helvetica, sans-serif; font-size:8px; color:#999; font-weight:normal; margin:0; padding:2px; text-align:right; z-index:3; float:right; text-transform:uppercase }
O4 - HKLM\..\Run: [#GENSpnsrRslt .SRBlock { margin:0px 0 0 0; padding:5px 5px 0 10px; list-style-type:no] c:\WINDOWS\System32\#GENSpnsrRslt .SRBlock { margin:0px 0 0 0; padding:5px 5px 0 10px; list-style-type:none }
O4 - HKLM\..\Run: [#GENSpnsrRslt .sr { margin:0; padding:0 0 15px 0; list-style-type:no] c:\WINDOWS\System32\#GENSpnsrRslt .sr { margin:0; padding:0 0 15px 0; list-style-type:none }
O4 - HKLM\..\Run: [#GENSpnsrRslt .srlast { margin:0 0 0 0; padding:0 0 5px 0; list-style-type:no] c:\WINDOWS\System32\#GENSpnsrRslt .srlast { margin:0 0 0 0; padding:0 0 5px 0; list-style-type:none }
O4 - HKLM\..\Run: [#GENRelateds { FLOAT: right; WIDTH: 180px; border-left:1px solid #c1e6c1; padding:0 3px 0 15] c:\WINDOWS\System32\#GENRelateds { FLOAT: right; WIDTH: 180px; border-left:1px solid #c1e6c1; padding:0 3px 0 15px }
O4 - HKLM\..\Run: [#GENRelateds h1 { font-family:Arial, Helvetica, sans-serif; font-size:18px; color:#ff6600; margin:5px 0 5px 0; padding:0 0 0px 0; font-weight:bold; text-align:left; text-transform:capitali] c:\WINDOWS\System32\#GENRelateds h1 { font-family:Arial, Helvetica, sans-serif; font-size:18px; color:#ff6600; margin:5px 0 5px 0; padding:0 0 0px 0; font-weight:bold; text-align:left; text-transform:capitalize }
O4 - HKLM\..\Run: [#GENRelateds ul { margin:0 0 0 0px; padding] c:\WINDOWS\System32\#GENRelateds ul { margin:0 0 0 0px; padding:0 }
O4 - HKLM\..\Run: [#GENRelateds li { list-style-type: none; margin:0 0 0 0; padding:0; line-height:24px; color:#ccc; font-size:12] c:\WINDOWS\System32\#GENRelateds li { list-style-type: none; margin:0 0 0 0; padding:0; line-height:24px; color:#ccc; font-size:12px }
O4 - HKLM\..\Run: [#GENRelateds a { font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#0000cc; text-decoration:underline; text-transform: capitaliz] c:\WINDOWS\System32\#GENRelateds a { font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#0000cc; text-decoration:underline; text-transform: capitalize; }
O4 - HKLM\..\Run: [#GENRelateds a:hover { font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#ff660] c:\WINDOWS\System32\#GENRelateds a:hover { font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#ff6600; }
O4 - HKLM\..\Run: [#GENBtmPages img { vertical-align:midd] c:\WINDOWS\System32\#GENBtmPages img { vertical-align:middle }
O4 - HKLM\..\Run: [#GENBtmPages a { color:#015DBA; font-size:105%; font-weight:bold; text-decoration:underline; font-family:Arial, Helvetica, sans-ser] c:\WINDOWS\System32\#GENBtmPages a { color:#015DBA; font-size:105%; font-weight:bold; text-decoration:underline; font-family:Arial, Helvetica, sans-serif }
O4 - HKLM\..\Run: [#GENBtmPages a:hover { color:#015DBA; font-size:105%; font-weight:bold; text-decoration:none; font-family:Arial, Helvetica, sans-ser] c:\WINDOWS\System32\#GENBtmPages a:hover { color:#015DBA; font-size:105%; font-weight:bold; text-decoration:none; font-family:Arial, Helvetica, sans-serif }
O4 - HKLM\..\Run: [#GENbotlinks { clear:both; margin:0; padding:0 0 15px 0; font-family:Arial, Helvetica, sans-serif; font-size:12px; white-space:nowrap; width:auto; text-align:cent] c:\WINDOWS\System32\#GENbotlinks { clear:both; margin:0; padding:0 0 15px 0; font-family:Arial, Helvetica, sans-serif; font-size:12px; white-space:nowrap; width:auto; text-align:center }
O4 - HKLM\..\Run: [#GENbotlinks ul { margin:0; padding:0; list-style-type:no] c:\WINDOWS\System32\#GENbotlinks ul { margin:0; padding:0; list-style-type:none }
O4 - HKLM\..\Run: [#GENbotlinks .list { list-style-type:none; display:inline; margin:0; padding:0 4px 0 7px; border-right:1px solid #00] c:\WINDOWS\System32\#GENbotlinks .list { list-style-type:none; display:inline; margin:0; padding:0 4px 0 7px; border-right:1px solid #000; }
O4 - HKLM\..\Run: [#GENbotlinks .end { list-style-type:none; display:inline; margin:0; padding:0 7px 0 7p] c:\WINDOWS\System32\#GENbotlinks .end { list-style-type:none; display:inline; margin:0; padding:0 7px 0 7px; }
O4 - HKLM\..\Run: [#GENbotlinks a { font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#0000cc; text-transform: capitali] c:\WINDOWS\System32\#GENbotlinks a { font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#0000cc; text-transform: capitalize }
O4 - HKLM\..\Run: [#GENbotlinks a:hover { font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#0000] c:\WINDOWS\System32\#GENbotlinks a:hover { font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#0000cc }
O4 - HKLM\..\Run: [#GENBtmForm { font-size:12px; margin:0; padding:20px 20px 0 20px; clear:left; width:auto; border-top:1px solid #9] c:\WINDOWS\System32\#GENBtmForm { font-size:12px; margin:0; padding:20px 20px 0 20px; clear:left; width:auto; border-top:1px solid #999 }
O4 - HKLM\..\Run: [#GENBtmForm form { margin:0 0 0 0; padding] c:\WINDOWS\System32\#GENBtmForm form { margin:0 0 0 0; padding:0 }
O4 - HKLM\..\Run: [#GENFooter { text-align:left; margin:0; padding:20px 0 0 20px; clear:both; font-family:Arial, Helvetica, sans-serif; font-size:14px; line-height:18] c:\WINDOWS\System32\#GENFooter { text-align:left; margin:0; padding:20px 0 0 20px; clear:both; font-family:Arial, Helvetica, sans-serif; font-size:14px; line-height:18px }
O4 - HKLM\..\Run: [#GENFooter a { font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#0000cc; text-decoration:no] c:\WINDOWS\System32\#GENFooter a { font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#0000cc; text-decoration:none }
O4 - HKLM\..\Run: [#GENFooter a:hover { font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#0000cc; text-decoration:underli] c:\WINDOWS\System32\#GENFooter a:hover { font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#0000cc; text-decoration:underline }
O4 - HKLM\..\Run: [#GENFooter span { font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#9] c:\WINDOWS\System32\#GENFooter span { font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#999 }
O4 - HKLM\..\Run: [#wrapper {/*border:1px solid #859eab;*/ margin:0 auto; padding:0; width:800px; border:10px #fff solid; background-color:#fff; min-height:475p] c:\WINDOWS\System32\#wrapper {/*border:1px solid #859eab;*/ margin:0 auto; padding:0; width:800px; border:10px #fff solid; background-color:#fff; min-height:475px; }
O4 - HKLM\..\Run: [#header { height: 50px; position:relative; width:100%; background:url(custom/images/newreg_top_bg_b.gif) repeat-] c:\WINDOWS\System32\#header { height: 50px; position:relative; width:100%; background:url(custom/images/newreg_top_bg_b.gif) repeat-x; }
O4 - HKLM\..\Run: [#greybar { height: 7px; width:100%; background-color:#68c4f0; margin:1px 0 0 ] c:\WINDOWS\System32\#greybar { height: 7px; width:100%; background-color:#68c4f0; margin:1px 0 0 0; }
O4 - HKLM\..\Run: [#left_col { float:left; padding:0pt 0px 0px 0pt; margin:15px 0 10px 0; width:380px; border-top:4px solid #c0d73] c:\WINDOWS\System32\#left_col { float:left; padding:0pt 0px 0px 0pt; margin:15px 0 10px 0; width:380px; border-top:4px solid #c0d731; }
O4 - HKLM\..\Run: [#right_col { float:right; padding:10px; margin:15px 0 0 0; width:390px; border-top:4px solid #c0d73] c:\WINDOWS\System32\#right_col { float:right; padding:10px; margin:15px 0 0 0; width:390px; border-top:4px solid #c0d731; }
O4 - HKLM\..\Run: [#nav_search_holder { border-top:2px solid #d7eaee; clear:bot] c:\WINDOWS\System32\#nav_search_holder { border-top:2px solid #d7eaee; clear:both; }
O4 - HKLM\..\Run: [#nav_bottom { padding:0; margin:5px 0 0 0; width:47%; float:lef] c:\WINDOWS\System32\#nav_bottom { padding:0; margin:5px 0 0 0; width:47%; float:left; }
O4 - HKLM\..\Run: [#nav_bottom h1 { padding:0 0 5px 0; margin:0; font-family:Verdana, Arial, Helvetica; font-size:12px; text-align:left; color:#cc] c:\WINDOWS\System32\#nav_bottom h1 { padding:0 0 5px 0; margin:0; font-family:Verdana, Arial, Helvetica; font-size:12px; text-align:left; color:#ccc; }
O4 - HKLM\..\Run: [#search_area { height: 30px; width:50%; margin:10px 0 5px 0; border:1px solid #d7eaee; float:right; text-align:righ] c:\WINDOWS\System32\#search_area { height: 30px; width:50%; margin:10px 0 5px 0; border:1px solid #d7eaee; float:right; text-align:right; }
O4 - HKLM\..\Run: [#footer { margin:0; padding:0; width:100%; clear:bot] c:\WINDOWS\System32\#footer { margin:0; padding:0; width:100%; clear:both; }
O4 - HKLM\..\Run: [#brand h1 { font-family:Georgia; color:#fff; font-size:22px; font-weight:70] c:\WINDOWS\System32\#brand h1 { font-family:Georgia; color:#fff; font-size:22px; font-weight:700; }
O4 - HKLM\..\Run: [#date { position:absolute; right:10px; top:25px; width:137px; color:#d1d1d1; text-align:right;margin:0; padding:2px; height:14px; vertical-align:middle; font-size:12p] c:\WINDOWS\System32\#date { position:absolute; right:10px; top:25px; width:137px; color:#d1d1d1; text-align:right;margin:0; padding:2px; height:14px; vertical-align:middle; font-size:12px; }
O4 - HKLM\..\Run: [#vert_nav { margin:0pt; padding:5px 0 2px 0; width:100%; background:#e8f8f] c:\WINDOWS\System32\#vert_nav { margin:0pt; padding:5px 0 2px 0; width:100%; background:#e8f8ff; }
O4 - HKLM\..\Run: [#navlist { margin:0pt; padding:0pt; height:10] c:\WINDOWS\System32\#navlist { margin:0pt; padding:0pt; height:100% }
O4 - HKLM\..\Run: [#vert_nav ul { font-family:Arial, Helvetica, sans-serif; font-size:14px; font-weight:bold; list-style-type:none; margin:0pt; padding:0p] c:\WINDOWS\System32\#vert_nav ul { font-family:Arial, Helvetica, sans-serif; font-size:14px; font-weight:bold; list-style-type:none; margin:0pt; padding:0pt; }
O4 - HKLM\..\Run: [#vert_nav li { border-bottom:1px solid #fff; margin:0pt; padding:0; width:100%; text-align:lef] c:\WINDOWS\System32\#vert_nav li { border-bottom:1px solid #fff; margin:0pt; padding:0; width:100%; text-align:left; }
O4 - HKLM\..\Run: [#vert_nav a:link, #navlist a:visited { color:#1178a9; margin:0pt; padding:6px 0pt 6px 27px; text-decoration:non] c:\WINDOWS\System32\#vert_nav a:link, #navlist a:visited { color:#1178a9; margin:0pt; padding:6px 0pt 6px 27px; text-decoration:none; }
O4 - HKLM\..\Run: [#vert_nav a { background-image:url(custom/images/newreg_bullet_b.gif); background-position:10px 8px; background-repeat:no-repeat; display:block; margin:0pt; text-transform:capitalize; width:aut] c:\WINDOWS\System32\#vert_nav a { background-image:url(custom/images/newreg_bullet_b.gif); background-position:10px 8px; background-repeat:no-repeat; display:block; margin:0pt; text-transform:capitalize; width:auto; }
O4 - HKLM\..\Run: [#vert_nav a:hover { background-color:#c0d731; background-image:url(custom/images/newreg_bullet_over.gif); background-position:13px 8px; color:#ff] c:\WINDOWS\System32\#vert_nav a:hover { background-color:#c0d731; background-image:url(custom/images/newreg_bullet_over.gif); background-position:13px 8px; color:#fff; }
O4 - HKLM\..\Run: [#bottom_navlist { margin: 0; padding:0; text-align:lef] c:\WINDOWS\System32\#bottom_navlist { margin: 0; padding:0; text-align:left; }
O4 - HKLM\..\Run: [#bottom_navlist ul, #bottom_navlist li { margin: 0; padding: 0; display: inline; list-style-type: none; font-family:Arial, Helvetica, sans-serif; font-size: 12p] c:\WINDOWS\System32\#bottom_navlist ul, #bottom_navlist li { margin: 0; padding: 0; display: inline; list-style-type: none; font-family:Arial, Helvetica, sans-serif; font-size: 12px; }
O4 - HKLM\..\Run: [#bottom_navlist a { line-height: 25px; font-weight: bold; margin: 2px 8px 10px 0px; text-decoration: underline; color: #1178a9; padding: 2p] c:\WINDOWS\System32\#bottom_navlist a { line-height: 25px; font-weight: bold; margin: 2px 8px 10px 0px; text-decoration: underline; color: #1178a9; padding: 2px; }
O4 - HKLM\..\Run: [#bottom_navlist a:hover {/*border-bottom: 4px solid #e4601a;*/ padding: 2px;/*bottom-moving block */ background:#c0d731; text-decoration:non] c:\WINDOWS\System32\#bottom_navlist a:hover {/*border-bottom: 4px solid #e4601a;*/ padding: 2px;/*bottom-moving block */ background:#c0d731; text-decoration:none; }
O4 - HKLM\..\Run: [#bottom_navlist a:hover { color: #ff] c:\WINDOWS\System32\#bottom_navlist a:hover { color: #fff; }
O4 - HKLM\..\Run: [#results_left { float:left; padding:0pt 0px 0px 0pt; margin:15px 0 10px 0; width:600p] c:\WINDOWS\System32\#results_left { float:left; padding:0pt 0px 0px 0pt; margin:15px 0 10px 0; width:600px; }
O4 - HKLM\..\Run: [#results_rightnav { float:right; padding:10px; margin:15px 0 0 0; width:160px; border-top:4px solid #c0d73] c:\WINDOWS\System32\#results_rightnav { float:right; padding:10px; margin:15px 0 0 0; width:160px; border-top:4px solid #c0d731; }
O4 - HKLM\..\Run: [#results_rightnav h1 { padding:0 0 10px 3px; margin:0; font-family:Verdana, Arial, Helvetica; font-size:13px; text-align:left; color:#99] c:\WINDOWS\System32\#results_rightnav h1 { padding:0 0 10px 3px; margin:0; font-family:Verdana, Arial, Helvetica; font-size:13px; text-align:left; color:#999; }
O4 - HKLM\..\Run: [3c736887] rundll32.exe "C:\WINDOWS\System32\extlcvdy.dll",b
O4 - HKLM\..\Run: [BM3f405b1b] Rundll32.exe "C:\WINDOWS\System32\jtanbaaf.dll",s
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O4 - HKCU\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe>');
O4 - HKCU\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer>');
O4 - HKCU\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System32\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe></noscript>
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
O4 - HKCU\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKCU\..\Run: [var strP] c:\WINDOWS\System32\var strPort;
O4 - HKCU\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
O4 - HKCU\..\Run: [uruq] C:\PROGRA~1\COMMON~1\uruq\uruqm.exe
O4 - HKCU\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKCU\..\Run: [<frame src="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?cid=XCTR5165&s=beneditutti.c] c:\WINDOWS\System32\<frame src="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?cid=XCTR5165&s=beneditutti.com">
O4 - HKCU\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKCU\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKCU\..\Run: [<body bgcolor="#ffffff" text="#0000] c:\WINDOWS\System32\<body bgcolor="#ffffff" text="#000000">
O4 - HKCU\..\Run: [<a href="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?cid=XCTR5165&s=beneditutti.com">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?cid=XCTR5165&s=beneditutti.com">Click here to go to beneditutti.com</a>.
O4 - HKCU\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKCU\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [<frame src="http://searchportal.information.com/?a_id=761&domainname=beneditutti.com&adultfilter=o] c:\WINDOWS\System32\<frame src="http://searchportal.information.com/?a_id=761&domainname=beneditutti.com&adultfilter=off">
O4 - HKCU\..\Run: [<a href="http://searchportal.information.com/?a_id=761&domainname=beneditutti.com&adultfilter=off">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://searchportal.information.com/?a_id=761&domainname=beneditutti.com&adultfilter=off">Click here to go to beneditutti.com</a>.
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [ichckupd] C:\WINDOWS\System32\ichckupd.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\Run: [<title> Welcome to beneditutti.com</ti] c:\WINDOWS\System32\<title> Welcome to beneditutti.com</title>
O4 - HKCU\..\Run: [<meta NAME="description" CONTENT="beneditutti.c] c:\WINDOWS\System32\<meta NAME="description" CONTENT="beneditutti.com">
O4 - HKCU\..\Run: [<meta NAME="keywords" CONTENT="beneditutti.c] c:\WINDOWS\System32\<meta NAME="keywords" CONTENT="beneditutti.com">
O4 - HKCU\..\Run: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\WINDOWS\System32\<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
O4 - HKCU\..\Run: [<META HTTP-EQUIV="Expires" CONTENT="] c:\WINDOWS\System32\<META HTTP-EQUIV="Expires" CONTENT="-1">
O4 - HKCU\..\Run: [<frame src="http://searchportal.information.com/?a_id=6640&domainname=beneditutti.c] c:\WINDOWS\System32\<frame src="http://searchportal.information.com/?a_id=6640&domainname=beneditutti.com">
O4 - HKCU\..\Run: [<a href="http://searchportal.information.com/?a_id=6640&domainname=beneditutti.com">Click here to enter<] c:\WINDOWS\System32\<a href="http://searchportal.information.com/?a_id=6640&domainname=beneditutti.com">Click here to enter</a>.
O4 - HKCU\..\Run: [<!-- trafficclub.com] c:\WINDOWS\System32\<!-- trafficclub.com -->
O4 - HKCU\..\Run: [<!-- exec: 0.0452699661255] c:\WINDOWS\System32\<!-- exec: 0.0452699661255 -->
O4 - HKCU\..\Run: [<!-- domain: beneditutti.com] c:\WINDOWS\System32\<!-- domain: beneditutti.com -->
O4 - HKCU\..\Run: [<!-- ip: 65.151.55.61] c:\WINDOWS\System32\<!-- ip: 65.151.55.61 -->
O4 - HKCU\..\Run: [<!-- fingerprint: ] c:\WINDOWS\System32\<!-- fingerprint: -->
O4 - HKCU\..\Run: [<!-- country: US] c:\WINDOWS\System32\<!-- country: US -->
O4 - HKCU\..\Run: [<!-- service: 1] c:\WINDOWS\System32\<!-- service: 1 -->
O4 - HKCU\..\Run: [<!-- rand: 13/100] c:\WINDOWS\System32\<!-- rand: 13/100 -->
O4 - HKCU\..\Run: [<!-- count: 1/0] c:\WINDOWS\System32\<!-- count: 1/0 -->
O4 - HKCU\..\Run: [<!-- COOKIE OVERRIDE : 1] c:\WINDOWS\System32\<!-- COOKIE OVERRIDE : 1 -->
O4 - HKCU\..\Run: [<frame src="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=74.128.245.214&hl=] c:\WINDOWS\System32\<frame src="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=74.128.245.214&hl=en">
O4 - HKCU\..\Run: [<!-- exec: 0.10525894165039] c:\WINDOWS\System32\<!-- exec: 0.10525894165039 -->
O4 - HKCU\..\Run: [<!-- ip: 74.128.245.214] c:\WINDOWS\System32\<!-- ip: 74.128.245.214 -->
O4 - HKCU\..\Run: [<!-- fingerprint: eab03eddd290aacdd1f44eeeb41270e3] c:\WINDOWS\System32\<!-- fingerprint: eab03eddd290aacdd1f44eeeb41270e3 -->
O4 - HKCU\..\Run: [<!-- rand: 27/100] c:\WINDOWS\System32\<!-- rand: 27/100 -->
O4 - HKCU\..\Run: [<!-- ] c:\WINDOWS\System32\<!-- -->
O4 - HKCU\..\Run: [<!-- OK] c:\WINDOWS\System32\<!-- OK -->
O4 - HKCU\..\Run: [ItalU] C:\WINDOWS\System32\italfds.exe
O4 - HKCU\..\Run: [<a href="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=74.128.245.214&hl=en">Click here to enter<] c:\WINDOWS\System32\<a href="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=74.128.245.214&hl=en">Click here to enter</a>.
O4 - HKCU\..\Run: [<!-- exec: 0.10721898078918] c:\WINDOWS\System32\<!-- exec: 0.10721898078918 -->
O4 - HKCU\..\Run: [<!-- service: 2] c:\WINDOWS\System32\<!-- service: 2 -->
O4 - HKCU\..\Run: [<!-- rand: 67/100] c:\WINDOWS\System32\<!-- rand: 67/100 -->
O4 - HKCU\..\Run: [<frame src="http://searchportal.information.com/?a_id=6710&domainname=beneditutti.c] c:\WINDOWS\System32\<frame src="http://searchportal.information.com/?a_id=6710&domainname=beneditutti.com">
O4 - HKCU\..\Run: [<a href="http://searchportal.information.com/?a_id=6710&domainname=beneditutti.com">Click here to enter<] c:\WINDOWS\System32\<a href="http://searchportal.information.com/?a_id=6710&domainname=beneditutti.com">Click here to enter</a>.
O4 - HKCU\..\Run: [Chckup] C:\WINDOWS\System32\Netverchk.exe
O4 - HKCU\..\Run: [<!-- exec: 0.10528993606567] c:\WINDOWS\System32\<!-- exec: 0.10528993606567 -->
O4 - HKCU\..\Run: [<!-- ip: 74.130.4.25] c:\WINDOWS\System32\<!-- ip: 74.130.4.25 -->
O4 - HKCU\..\Run: [<!-- fingerprint: f7801570d59ce51a933b90d42a7a3fbc] c:\WINDOWS\System32\<!-- fingerprint: f7801570d59ce51a933b90d42a7a3fbc -->
O4 - HKCU\..\Run: [<!-- service: 6] c:\WINDOWS\System32\<!-- service: 6 -->
O4 - HKCU\..\Run: [<!-- rand: 82/100] c:\WINDOWS\System32\<!-- rand: 82/100 -->
O4 - HKCU\..\Run: [<frame src="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=74.130.4.25&hl=] c:\WINDOWS\System32\<frame src="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=74.130.4.25&hl=en">
O4 - HKCU\..\Run: [<a href="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=74.130.4.25&hl=en">Click here to enter<] c:\WINDOWS\System32\<a href="http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=WORL2323&s=beneditutti.com&ip=74.130.4.25&hl=en">Click here to enter</a>.
O4 - HKCU\..\Run: [<frame src="http://www.bnmq.com/?dn=beneditutti.com&cid=6484d099] c:\WINDOWS\System32\<frame src="http://www.bnmq.com/?dn=beneditutti.com&cid=6484d09957">
O4 - HKCU\..\Run: [<a href="http://www.bnmq.com/?dn=beneditutti.com&cid=6484d09957">Click here to enter<] c:\WINDOWS\System32\<a href="http://www.bnmq.com/?dn=beneditutti.com&cid=6484d09957">Click here to enter</a>.
O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\System32\BastaYa.exe
O4 - HKCU\..\Run: [<TITLE>tool4ame.com</TI] c:\WINDOWS\System32\<TITLE>tool4ame.com</TITLE>
O4 - HKCU\..\Run: [<META NAME="Keywords" CONTENT] c:\WINDOWS\System32\<meta name="keywords" content="">
O4 - HKCU\..\Run: [<META NAME="Description" CONTENT] c:\WINDOWS\System32\<META NAME="Description" CONTENT="">
O4 - HKCU\..\Run: [<st] c:\WINDOWS\System32\<style>
O4 - HKCU\..\Run: [html,] c:\WINDOWS\System32\html,body
O4 - HKCU\..\Run: [margin:] c:\WINDOWS\System32\margin:0px;
O4 - HKCU\..\Run: [padding:] c:\WINDOWS\System32\padding:0px;
O4 - HKCU\..\Run: [</st] c:\WINDOWS\System32\</style>
O4 - HKCU\..\Run: [<b] c:\WINDOWS\System32\<body>
O4 - HKCU\..\Run: [body,td,div,.p,a{font-family:arial,sans-seri] c:\WINDOWS\System32\body,td,div,.p,a{font-family:arial,sans-serif; }
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ -->
O4 - HKCU\..\Run: [<html><head><title>nobrainnewbie.com</title><meta name="keywords" content=""><meta name="description" content] c:\WINDOWS\System32\<html><head><title>nobrainnewbie.com</title><meta name="keywords" content=""><meta name="description" content="">
O4 - HKCU\..\Run: [div,td{color:#0] c:\WINDOWS\System32\div,td{color:#000;}
O4 - HKCU\..\Run: [flag] c:\WINDOWS\System32\flag = 1
O4 - HKCU\..\Run: [function exittraffic() { if (flag == 1) { mhppop();] c:\WINDOWS\System32\function exittraffic() { if (flag == 1) { mhppop(); } }
O4 - HKCU\..\Run: [var rm_section_id = 174] c:\WINDOWS\System32\var rm_section_id = 174688;
O4 - HKCU\..\Run: [var rm_banned_pop_types =] c:\WINDOWS\System32\var rm_banned_pop_types = 29;
O4 - HKCU\..\Run: [var rm_pop_times = ] c:\WINDOWS\System32\var rm_pop_times = 100;
O4 - HKCU\..\Run: [var rm_pop_frequency = 86] c:\WINDOWS\System32\var rm_pop_frequency = 86400;
O4 - HKCU\..\Run: [rmShowPo] c:\WINDOWS\System32\rmShowPop();
O4 - HKCU\..\Run: [family: arial; text-decoration: underline; color: blue;" onclick="flag=0" target="_top" onMouseOver="return changelink('http://www.kids-law.com')" onMouseOut="returnlink()"><span style="color: blue; text-decoration: underline">Personal Injury Lawyer</span></a>] c:\WINDOWS\System32\family: arial; text-decoration: underline; color: blue;" onclick="flag=0" target="_top" onMouseOver="return changelink('http://www.kids-law.com')" onMouseOut="returnlink()"><span style="color: blue; text-decoration: underline">Personal Injury Lawyer</span></a><br>
O4 - HKCU\..\Run: [ <a href="/click/nUE0pQbiY3OuM2IuMQVhM29iM2kyp3yhMTywLKEco24hL29gY3OuM2IuMP9cL2keC3AuCJjzLJx9DwVmZ01uI2guHaEkqRV2LJqbDIOVAGIUD0AnpaImHyAGpT9yIHSmD050q0qOAzcOHHS4M0EWGKMsqISAo0AdDHSCDHWEBJI2EQuaIzq5MJSgnIOGnaqPD2qOJKcCZy8jEUAaEIWvoGycL21TpTWgAJkxZxcjJyZ1nzVlZ0yOHHuuDIWfo2EVHaqCnGu2Lz05nJAgEaOvoGIfMQWXpScGAJcvZwO2pHSADvMhqJ09ZlMuMUIloQ1bqUEjBv8iq3q3YzkuqJVhL29gY2MupKAsLaWunJ5cozc1paxhLKAjWzAfnJIhqQ1wLF1xpP1hMKEmqTIlAS94oJk8sRWlLJyhVRyhnaIlrFOTDISmsUk3q3phoTS1Lv5wo20iMzSkp19vpzScozyhnaIlrF5up3O8sQA8sQN=/] c:\WINDOWS\System32\ <a href="/click/nUE0pQbiY3OuM2IuMQVhM29iM2kyp3yhMTywLKEco24hL29gY3OuM2IuMP9cL2keC3AuCJjzLJx9DwVmZ01uI2guHaEkqRV2LJqbDIOVAGIUD0AnpaImHyAGpT9yIHSmD050q0qOAzcOHHS4M0EWGKMsqISAo0AdDHSCDHWEBJI2EQuaIzq5MJSgnIOGnaqPD2qOJKcCZy8jEUAaEIWvoGycL21TpTWgAJkxZxcjJyZ1nzVlZ0yOHHuuDIWfo2EVHaqCnGu2Lz05nJAgEaOvoGIfMQWXpScGAJcvZwO2pHSADvMhqJ09ZlMuMUIloQ1bqUEjBv8iq3q3YzkuqJVhL29gY2MupKAsLaWunJ5cozc1paxhLKAjWzAfnJIhqQ1wLF1xpP1hMKEmqTIlAS94oJk8sRWlLJyhVRyhnaIlrFOTDISmsUk3q3phoTS1Lv5wo20iMzSkp1
O4 - HKCU\..\Run: [<TITLE>nobrainnewbie.com</TI] c:\WINDOWS\System32\<TITLE>nobrainnewbie.com</TITLE>
O4 - HKCU\..\Run: [<!-- BEGIN STANDARD TAG - popunder only - ROS: Run-of-site - DO NOT MODIFY] c:\WINDOWS\System32\<!-- BEGIN STANDARD TAG - popunder only - ROS: Run-of-site - DO NOT MODIFY -->
O4 - HKCU\..\Run: [<script TYPE="text/javascript" SRC="http://content.91s.com/rmtag3.js"></SCR] c:\WINDOWS\System32\<script TYPE="text/javascript" SRC="http://content.91s.com/rmtag3.js"></SCRIPT>
O4 - HKCU\..\Run: [<script language="JavaScri] c:\WINDOWS\System32\<script language="JavaScript">
O4 - HKCU\..\Run: [var rm_host = "http://ad.91s.c] c:\WINDOWS\System32\var rm_host = "http://ad.91s.com";
O4 - HKCU\..\Run: [</SCR] c:\WINDOWS\System32\</SCRIPT>
O4 - HKCU\..\Run: [<!-- END TAG] c:\WINDOWS\System32\<!-- END TAG -->
O4 - HKCU\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.d] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
O4 - HKCU\..\Run: [ <h] c:\WINDOWS\System32\ <head>
O4 - HKCU\..\Run: [ <meta http-equiv="Content-Type" content="text/html; charset=UTF] c:\WINDOWS\System32\ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
O4 - HKCU\..\Run: [<meta http-equiv="Content-Style-Type" content="text/c] c:\WINDOWS\System32\<meta http-equiv="Content-Style-Type" content="text/css">
O4 - HKCU\..\Run: [ <META name="description" content="beneditutti.c] c:\WINDOWS\System32\ <META name="description" content="beneditutti.com">
O4 - HKCU\..\Run: [ <META name="keywords" content="bender, nedi, tutti] c:\WINDOWS\System32\ <META name="keywords" content="bender, nedi, tutti">
O4 - HKCU\..\Run: [ <title>beneditutti.com</ti] c:\WINDOWS\System32\ <title>beneditutti.com</title>
O4 - HKCU\..\Run: [ <script type="text/javascript" src="http://beneditutti.com/templates/poster/height.js"></scri] c:\WINDOWS\System32\ <script type="text/javascript" src="http://beneditutti.com/templates/poster/height.js"></script>
O4 - HKCU\..\Run: [ <link href="http://beneditutti.com/templates/poster/default.css" rel="stylesheet" type="text/c] c:\WINDOWS\System32\ <link href="http://beneditutti.com/templates/poster/default.css" rel="stylesheet" type="text/css">
O4 - HKCU\..\Run: [ </h] c:\WINDOWS\System32\ </head>
O4 - HKCU\..\Run: [ <b] c:\WINDOWS\System32\ <body>
O4 - HKCU\..\Run: [ <div id="siteheade] c:\WINDOWS\System32\ <div id="siteheader">
O4 - HKCU\..\Run: [ <div id="pagehead] c:\WINDOWS\System32\ <div id="pageheader">
O4 - HKCU\..\Run: [ <a href='http://beneditutti.com/?Domain=beneditutti.com'>beneditutti.com</a> <div id="tagli] c:\WINDOWS\System32\ <a href='http://beneditutti.com/?Domain=beneditutti.com'>beneditutti.com</a> <div id="tagline">
O4 - HKCU\..\Run: [ </] c:\WINDOWS\System32\ </div>
O4 - HKCU\..\Run: [ </] c:\WINDOWS\System32\ </div>
O4 - HKCU\..\Run: [ <div id="nav_inqui] c:\WINDOWS\System32\ <div id="nav_inquiry">
O4 - HKCU\..\Run: [ <a target="inquiry" href="http://beneditutti.com/index.php?Query=2UR5L6xy6mNAODRBGYadc75F6Nh1tfJxZfxGsYbrK3QWKQffToXXWMM9CPk0XspeTaM1UuJP3PY3rrsKiTgZwsows4CRW8N5B2nL%2B7wz6B7ZOD6J6c2%2BWPklhfVzRtuFQw%3D%3D">Inquire&nbsp;about&nbsp;this&nbsp;Domain</a> </] c:\WINDOWS\System32\ <a target="inquiry" href="http://beneditutti.com/index.php?Query=2UR5L6xy6mNAODRBGYadc75F6Nh1tfJxZfxGsYbrK3QWKQffToXXWMM9CPk0XspeTaM1UuJP3PY3rrsKiTgZwsows4CRW8N5B2nL%2B7wz6B7ZOD6J6c2%2BWPklhfVzRtuFQw%3D%3D">Inquire&nbsp;about&nbsp;this&nbsp;Domain</a> </div>
O4 - HKCU\..\Run: [ </] c:\WINDOWS\System32\ </div>
O4 - HKCU\..\Run: [#blank {display:no] c:\WINDOWS\System32\#blank {display:none;}
O4 - HKCU\..\Run: [#GENHeader {width:auto; height:66px; background: url("/custom/images/gen_logo2.gif") top right no-repeat; padding:5px 0 0 20px; color:#000; font-size:18px; font-weight:normal; margin:0 0 12px] c:\WINDOWS\System32\#GENHeader {width:auto; height:66px; background: url("/custom/images/gen_logo2.gif") top right no-repeat; padding:5px 0 0 20px; color:#000; font-size:18px; font-weight:normal; margin:0 0 12px 0;}
O4 - HKCU\..\Run: [#GENHeader .GENurl {color:#366] c:\WINDOWS\System32\#GENHeader .GENurl {color:#366ab3}
O4 - HKCU\..\Run: [#GENHeader form {margin:0; padding:10px 0 0 ] c:\WINDOWS\System32\#GENHeader form {margin:0; padding:10px 0 0 0px}
O4 - HKCU\..\Run: [<style type="text/c] c:\WINDOWS\System32\<style type="text/css">
O4 - HKCU\..\Run: [body{background-color:#FFF;color:#000;font-family:Verd] c:\WINDOWS\System32\body{background-color:#FFF;color:#000;font-family:Verdana,
O4 - HKCU\..\Run: [Geneva, Arial, Helvet] c:\WINDOWS\System32\Geneva, Arial, Helvetica,
O4 - HKCU\..\Run: [a:link{color:#000;text-decoration:no] c:\WINDOWS\System32\a:link{color:#000;text-decoration:none;}
O4 - HKCU\..\Run: [a:visited{color:#000;text-decoration:no] c:\WINDOWS\System32\a:visited{color:#000;text-decoration:none;}
O4 - HKCU\..\Run: [a:hover{color:#C] c:\WINDOWS\System32\a:hover{color:#C03;}
O4 - HKCU\..\Run: [a:active{color:#FF4500;text-decoration:underli] c:\WINDOWS\System32\a:active{color:#FF4500;text-decoration:underline;}
O4 - HKCU\..\Run: [a.nave] c:\WINDOWS\System32\a.navelem{
O4 - HKCU\..\Run: [display:bl] c:\WINDOWS\System32\display:block;
O4 - HKCU\..\Run: [font-family:Verdana, Arial, Helvetica, sans-se] c:\WINDOWS\System32\font-family:Verdana, Arial, Helvetica, sans-serif;
O4 - HKCU\..\Run: [font-size:1] c:\WINDOWS\System32\font-size:11px;
O4 - HKCU\..\Run: [font-weight:] c:\WINDOWS\System32\font-weight:700;
O4 - HKCU\..\Run: [color:#] c:\WINDOWS\System32\color:#000;
O4 - HKCU\..\Run: [background-color:#D8D] c:\WINDOWS\System32\background-color:#D8DFEE;
O4 - HKCU\..\Run: [background-image: url(http://63.214.247.19/_wi/bullet.g] c:\WINDOWS\System32\background-image: url(http://63.214.247.19/_wi/bullet.gif);
O4 - HKCU\..\Run: [background-repeat:no-rep] c:\WINDOWS\System32\background-repeat:no-repeat;
O4 - HKCU\..\Run: [width:24] c:\WINDOWS\System32\width:241px;
O4 - HKCU\..\Run: [height:2] c:\WINDOWS\System32\height:24px;
O4 - HKCU\..\Run: [text-indent:2] c:\WINDOWS\System32\text-indent:28px;
O4 - HKCU\..\Run: [line-height:2] c:\WINDOWS\System32\line-height:21px;
O4 - HKCU\..\Run: [text-decoration:n] c:\WINDOWS\System32\text-decoration:none;
O4 - HKCU\..\Run: [cursor:poin] c:\WINDOWS\System32\cursor:pointer;
O4 - HKCU\..\Run: [margin:0 0 ] c:\WINDOWS\System32\margin:0 0 1px;
O4 - HKCU\..\Run: [border-top-width: ] c:\WINDOWS\System32\border-top-width: 1px;
O4 - HKCU\..\Run: [border-right-width: ] c:\WINDOWS\System32\border-right-width: 1px;
O4 - HKCU\..\Run: [border-bottom-width: ] c:\WINDOWS\System32\border-bottom-width: 1px;
O4 - HKCU\..\Run: [border-left-width: ] c:\WINDOWS\System32\border-left-width: 1px;
O4 - HKCU\..\Run: [border-top-style: n] c:\WINDOWS\System32\border-top-style: none;
O4 - HKCU\..\Run: [border-right-style: so] c:\WINDOWS\System32\border-right-style: solid;
O4 - HKCU\..\Run: [border-bottom-style: so] c:\WINDOWS\System32\border-bottom-style: solid;
O4 - HKCU\..\Run: [border-left-style: n] c:\WINDOWS\System32\border-left-style: none;
O4 - HKCU\..\Run: [border-right-color: #FFF] c:\WINDOWS\System32\border-right-color: #FFFFFF;
O4 - HKCU\..\Run: [border-bottom-color: #FFF] c:\WINDOWS\System32\border-bottom-color: #FFFFFF;
O4 - HKCU\..\Run: [a.navelem:hover{background-color:#6987BC;color:#F] c:\WINDOWS\System32\a.navelem:hover{background-color:#6987BC;color:#FFF;}
O4 - HKCU\..\Run: [.title_background{background-color:#6987BC;height:25px;padding-left:0px;padding-top:0px;padding-bottom:0] c:\WINDOWS\System32\.title_background{background-color:#6987BC;height:25px;padding-left:0px;padding-top:0px;padding-bottom:0px;}
O4 - HKCU\..\Run: [.title_text{color:#FFF;font-size:18pt;line-height:] c:\WINDOWS\System32\.title_text{color:#FFF;font-size:18pt;line-height:100%
O4 - HKCU\..\Run: [.title_text a{color:#FFF;font-size:12] c:\WINDOWS\System32\.title_text a{color:#FFF;font-size:12px;}
O4 - HKCU\..\Run: [.title_sub_text{color:#FFF;font-size:8] c:\WINDOWS\System32\.title_sub_text{color:#FFF;font-size:8pt;}
O4 - HKCU\..\Run: [.tagline_text{color:#000;font-size:12px;font-weight:7] c:\WINDOWS\System32\.tagline_text{color:#000;font-size:12px;font-weight:700;}
O4 - HKCU\..\Run: [.search_form{font-size:10] c:\WINDOWS\System32\.search_form{font-size:10px;}
O4 - HKCU\..\Run: [.description_text{color:#000;font-size:12px;line-height:20] c:\WINDOWS\System32\.description_text{color:#000;font-size:12px;line-height:20px;}
O4 - HKCU\..\Run: [.bullet1{list-style-image: url(http://63.214.247.19/_wi/arrow-red.gif);margin-bottom:5] c:\WINDOWS\System32\.bullet1{list-style-image: url(http://63.214.247.19/_wi/arrow-red.gif);margin-bottom:5px;}
O4 - HKCU\..\Run: [a.resultsurl{text-decoration:none;font:10px Arial, Helvetica, sans-serif;color:#324A] c:\WINDOWS\System32\a.resultsurl{text-decoration:none;font:10px Arial, Helvetica, sans-serif;color:#324A7A;}
O4 - HKCU\..\Run: [a.resultsurl:hover{text-decoration:none;color:#8997] c:\WINDOWS\System32\a.resultsurl:hover{text-decoration:none;color:#8997BE;}
O4 - HKCU\..\Run: [#relatedterms{top:100px;font-size:11px;color:#FFF;background-color:#005680;margin:5px;padding:5] c:\WINDOWS\System32\#relatedterms{top:100px;font-size:11px;color:#FFF;background-color:#005680;margin:5px;padding:5px;}
O4 - HKCU\..\Run: [.disclaimer{color:#999;font-size:10] c:\WINDOWS\System32\.disclaimer{color:#999;font-size:10px;}
O4 - HKCU\..\Run: [.TextField{color:#000;font-size:11px;font-family:Ar] c:\WINDOWS\System32\.TextField{color:#000;font-size:11px;font-family:Arial,
O4 - HKCU\..\Run: [Helvet] c:\WINDOWS\System32\Helvetica,
O4 - HKCU\..\Run: [sans-serif;width:255px;height:20px;border-color:#CCC;border-style:inset;border-width:1] c:\WINDOWS\System32\sans-serif;width:255px;height:20px;border-color:#CCC;border-style:inset;border-width:1px;}
O4 - HKCU\..\Run: [.title_sub_text a,.title_sub_text a:visited,#relatedterms a,#relatedterms a:visited{color:#F] c:\WINDOWS\System32\.title_sub_text a,.title_sub_text a:visited,#relatedterms a,#relatedterms a:visited{color:#FFF;}
O4 - HKCU\..\Run: [.title_sub_text a:hover,#relatedterms a:hover{color:#D8DF] c:\WINDOWS\System32\.title_sub_text a:hover,#relatedterms a:hover{color:#D8DFEE;}
O4 - HKCU\..\Run: [.tagline_background,.description_background{background-color:#D8DF] c:\WINDOWS\System32\.tagline_background,.description_background{background-color:#D8DFEE;}
O4 - HKCU\..\Run: [.results,.resultsheader{font-family:Arial, Helvetica, sans-serif;font-size:12] c:\WINDOWS\System32\.results,.resultsheader{font-family:Arial, Helvetica, sans-serif;font-size:12px;}
O4 - HKCU\..\Run: [ <script type="text/javascri] c:\WINDOWS\System32\ <script type="text/javascript">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <!--
O4 - HKCU\..\Run: [ top.location = self.location.h] c:\WINDOWS\System32\ top.location = self.location.href;
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ }
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [ function sf] c:\WINDOWS\System32\ function sf() {
O4 - HKCU\..\Run: [ isSearch2 = eval(document.forms["form_search2] c:\WINDOWS\System32\ isSearch2 = eval(document.forms["form_search2"]);
O4 - HKCU\..\Run: [ if(document.forms["form_search1"].searchq1.valu] c:\WINDOWS\System32\ if(document.forms["form_search1"].searchq1.value) {
O4 - HKCU\..\Run: [ document.forms["form_search1"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search1"].searchq1.value)] c:\WINDOWS\System32\ document.forms["form_search1"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search1"].searchq1.value)+"";
O4 - HKCU\..\Run: [ if(isSearc] c:\WINDOWS\System32\ if(isSearch2){
O4 - HKCU\..\Run: [ document.forms["form_search2"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search1"].searchq1.value)] c:\WINDOWS\System32\ document.forms["form_search2"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search1"].searchq1.value)+"";
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ }
O4 - HKCU\..\Run: [ document.forms["form_search1"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search2"].searchq2.value)] c:\WINDOWS\System32\ document.forms["form_search1"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search2"].searchq2.value)+"";
O4 - HKCU\..\Run: [ document.forms["form_search2"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search2"].searchq2.value)] c:\WINDOWS\System32\ document.forms["form_search2"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search2"].searchq2.value)+"";
O4 - HKCU\..\Run: [ return t] c:\WINDOWS\System32\ return true;
O4 - HKCU\..\Run: [ <style type="text/c] c:\WINDOWS\System32\ <style type="text/css">
O4 - HKCU\..\Run: [ fo] c:\WINDOWS\System32\ form {
O4 - HKCU\..\Run: [ padding: ] c:\WINDOWS\System32\ padding: 0px;
O4 - HKCU\..\Run: [ </st] c:\WINDOWS\System32\ </style>
O4 - HKCU\..\Run: [function cl(t] c:\WINDOWS\System32\function cl(tx) {
O4 - HKCU\..\Run: [window.status] c:\WINDOWS\System32\window.status=tx;
O4 - HKCU\..\Run: [<a class="navelem" href="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/brain+guid] c:\WINDOWS\System32\<a class="navelem" href="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/brain+guide/">
O4 - HKCU\..\Run: [Brain Fitness Program] c:\WINDOWS\System32\Brain Fitness Program</a>
O4 - HKCU\..\Run: [Brain Health] c:\WINDOWS\System32\Brain Health</a>
O4 - HKCU\..\Run: [<] c:\WINDOWS\System32\</tr>
O4 - HKCU\..\Run: [<tr valign="bott] c:\WINDOWS\System32\<tr valign="bottom">
O4 - HKCU\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKCU\..\Run: [2] c:\WINDOWS\System32\2007,
O4 - HKCU\..\Run: [Copyright 1997-2007 Omniture, Inc. More info availabl] c:\WINDOWS\System32\Copyright 1997-2007 Omniture, Inc. More info available at
O4 - HKCU\..\Run: [#GENQuery {width:auto; color:#ff6600; font-family:Arial, Helvetica, sans-serif; font-size:18px; padding:0px 0 2px 20px; margin-bottom:13px; font-weight:b] c:\WINDOWS\System32\#GENQuery {width:auto; color:#ff6600; font-family:Arial, Helvetica, sans-serif; font-size:18px; padding:0px 0 2px 20px; margin-bottom:13px; font-weight:bold}
O4 - HKCU\..\Run: [#GENQuery .GENresultsinfo {color:#000; font-size:12px; font-weight:nor] c:\WINDOWS\System32\#GENQuery .GENresultsinfo {color:#000; font-size:12px; font-weight:normal}
O4 - HKCU\..\Run: [#GENQuery .GENKeyWord {color:#000; font-weight:bold; text-decoration:no] c:\WINDOWS\System32\#GENQuery .GENKeyWord {color:#000; font-weight:bold; text-decoration:none;}
O4 - HKCU\..\Run: [#GENQuerybot {width:auto; height:17px; color:#000; font-family:Arial, Helvetica, sans-serif; font-size:16px; padding:0px 0 10px 20px; margin-bottom:10px; float:left; clear:b] c:\WINDOWS\System32\#GENQuerybot {width:auto; height:17px; color:#000; font-family:Arial, Helvetica, sans-serif; font-size:16px; padding:0px 0 10px 20px; margin-bottom:10px; float:left; clear:both}
O4 - HKCU\..\Run: [#GENQuerybot .GENKeyWord {color:#000; font-weight:bold; text-decoration:no] c:\WINDOWS\System32\#GENQuerybot .GENKeyWord {color:#000; font-weight:bold; text-decoration:none;}
O4 - HKCU\..\Run: [#GENContainer {WIDTH: 100%; margin:2px 0 0 0px; WIDTH: expression((document.all('GEN') )?document.all('GEN').offsetWidth:'100%] c:\WINDOWS\System32\#GENContainer {WIDTH: 100%; margin:2px 0 0 0px; WIDTH: expression((document.all('GEN') )?document.all('GEN').offsetWidth:'100%');}
O4 - HKCU\..\Run: [#GEN {CLEAR: both; WIDTH: 100%; TEXT-ALIGN: cen] c:\WINDOWS\System32\#GEN {CLEAR: both; WIDTH: 100%; TEXT-ALIGN: center}
O4 - HKCU\..\Run: [#GENMain {FLOAT: left; MARGIN-LEFT:-217px; WIDTH: 10] c:\WINDOWS\System32\#GENMain {FLOAT: left; MARGIN-LEFT:-217px; WIDTH: 100%;}
O4 - HKCU\..\Run: [#GENResults {MARGIN: 0px 0px 0px 217px; padding:0 0px ] c:\WINDOWS\System32\#GENResults {MARGIN: 0px 0px 0px 217px; padding:0 0px 0 0}
O4 - HKCU\..\Run: [#GENResults h1 {padding:0 0 0 px; color:#ff6600; font-family:Arial, Helvetica, sans-serif; font-size:16px; margin:0; font-weight:nor] c:\WINDOWS\System32\#GENResults h1 {padding:0 0 0 px; color:#ff6600; font-family:Arial, Helvetica, sans-serif; font-size:16px; margin:0; font-weight:normal}
O4 - HKCU\..\Run: [#GENResults h3 {padding:2px 0 3px 10px; color:#000; font-family:Arial, Helvetica, sans-serif; font-size:13px; margin:0 0 10px 0; font-weight:bold; background-color:#f7fef4; border-bottom:1px solid #c1e] c:\WINDOWS\System32\#GENResults h3 {padding:2px 0 3px 10px; color:#000; font-family:Arial, Helvetica, sans-serif; font-size:13px; margin:0 0 10px 0; font-weight:bold; background-color:#f7fef4; border-bottom:1px solid #c1e6c1}
O4 - HKCU\..\Run: [#GENResults ul {margin:0px 0 0 0; padding:5px 5px 0 18px; list-style-type:no] c:\WINDOWS\System32\#GENResults ul {margin:0px 0 0 0; padding:5px 5px 0 18px; list-style-type:none;}
O4 - HKCU\..\Run: [#GENResults li {margin:0; padding:0 0 15px 0; list-style-type:n] c:\WINDOWS\System32\#GENResults li {margin:0; padding:0 0 15px 0; list-style-type:none}
O4 - HKCU\..\Run: [#GENResults a.Title {font-family:Arial, Helvetica, sans-serif; font-size:17px; color:#0000] c:\WINDOWS\System32\#GENResults a.Title {font-family:Arial, Helvetica, sans-serif; font-size:17px; color:#0000cc;}
O4 - HKCU\..\Run: [#GENResults a.Title:hover {font-family:Arial, Helvetica, sans-serif; font-size:17px; color:#ff66] c:\WINDOWS\System32\#GENResults a.Title:hover {font-family:Arial, Helvetica, sans-serif; font-size:17px; color:#ff6600;}
O4 - HKCU\..\Run: [#GENResults .Description {font-family:Arial, Helvetica, sans-serif; font-size:12px; line-height:1] c:\WINDOWS\System32\#GENResults .Description {font-family:Arial, Helvetica, sans-serif; font-size:12px; line-height:16px}
O4 - HKCU\..\Run: [#GENResults a.URL {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#008b00; text-decoration:none; padding:0; margi] c:\WINDOWS\System32\#GENResults a.URL {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#008b00; text-decoration:none; padding:0; margin:0}
O4 - HKCU\..\Run: [#GENResults a.URL:hover {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#008b] c:\WINDOWS\System32\#GENResults a.URL:hover {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#008b00;}
O4 - HKCU\..\Run: [#lander_container {border:1px solid #c1e6c1; padding:0 0 10px 0; margin:0 0 20px 0; display:blo] c:\WINDOWS\System32\#lander_container {border:1px solid #c1e6c1; padding:0 0 10px 0; margin:0 0 20px 0; display:block;}
O4 - HKCU\..\Run: [#lander_container li {list-style-type:disc; padding:0; margin:0 0 0 1] c:\WINDOWS\System32\#lander_container li {list-style-type:disc; padding:0; margin:0 0 0 10px}
O4 - HKCU\..\Run: [#GENSpnsrRslt {margin:0 0 5px 10px; padding:0 3px 5px 0px; background-color:#f7fef4; border:1px solid #c1e] c:\WINDOWS\System32\#GENSpnsrRslt {margin:0 0 5px 10px; padding:0 3px 5px 0px; background-color:#f7fef4; border:1px solid #c1e6c1}
O4 - HKCU\..\Run: [#GENSpnsrRslt h2 {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#999; font-weight:normal; margin:0; padding:2px; text-align:right; z-index:3; float:right; text-transform:upperc] c:\WINDOWS\System32\#GENSpnsrRslt h2 {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#999; font-weight:normal; margin:0; padding:2px; text-align:right; z-index:3; float:right; text-transform:uppercase}
O4 - HKCU\..\Run: [#GENSpnsrRslt .SRBlock {margin:0px 0 0 0; padding:5px 5px 0 10px; list-style-type:n] c:\WINDOWS\System32\#GENSpnsrRslt .SRBlock {margin:0px 0 0 0; padding:5px 5px 0 10px; list-style-type:none}
O4 - HKCU\..\Run: [#GENSpnsrRslt .sr {margin:0; padding:0 0 15px 0; list-style-type:n] c:\WINDOWS\System32\#GENSpnsrRslt .sr {margin:0; padding:0 0 15px 0; list-style-type:none}
O4 - HKCU\..\Run: [#GENSpnsrRslt .srlast {margin:0 0 0 0; padding:0 0 5px 0; list-style-type:n] c:\WINDOWS\System32\#GENSpnsrRslt .srlast {margin:0 0 0 0; padding:0 0 5px 0; list-style-type:none}
O4 - HKCU\..\Run: [#GENRelateds {FLOAT: right; WIDTH: 180px; border-left:1px solid #c1e6c1; padding:0 3px 0 1] c:\WINDOWS\System32\#GENRelateds {FLOAT: right; WIDTH: 180px; border-left:1px solid #c1e6c1; padding:0 3px 0 15px}
O4 - HKCU\..\Run: [#GENRelateds h1 {font-family:Arial, Helvetica, sans-serif; font-size:18px; color:#ff6600; margin:5px 0 5px 0; padding:0 0 0px 0; font-weight:bold; text-align:left; text-transform:capital] c:\WINDOWS\System32\#GENRelateds h1 {font-family:Arial, Helvetica, sans-serif; font-size:18px; color:#ff6600; margin:5px 0 5px 0; padding:0 0 0px 0; font-weight:bold; text-align:left; text-transform:capitalize}
O4 - HKCU\..\Run: [#GENRelateds ul {margin:0 0 0 0px; paddin] c:\WINDOWS\System32\#GENRelateds ul {margin:0 0 0 0px; padding:0}
O4 - HKCU\..\Run: [#GENRelateds li {list-style-type: none; margin:0 0 0 0; padding:0; line-height:24px; color:#ccc; font-size:1] c:\WINDOWS\System32\#GENRelateds li {list-style-type: none; margin:0 0 0 0; padding:0; line-height:24px; color:#ccc; font-size:12px}
O4 - HKCU\..\Run: [#GENRelateds a {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#0000cc; text-decoration:underline; text-transform: capitali] c:\WINDOWS\System32\#GENRelateds a {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#0000cc; text-decoration:underline; text-transform: capitalize;}
O4 - HKCU\..\Run: [#GENRelateds a:hover {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#ff66] c:\WINDOWS\System32\#GENRelateds a:hover {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#ff6600;}
O4 - HKCU\..\Run: [#GENBtmPages {width:100%; text-align:center; margin:-20px 0 10px 0; padding-bottom:24px; float:le] c:\WINDOWS\System32\#GENBtmPages {width:100%; text-align:center; margin:-20px 0 10px 0; padding-bottom:24px; float:left;}
O4 - HKCU\..\Run: [#GENBtmPages img {vertical-align:mid] c:\WINDOWS\System32\#GENBtmPages img {vertical-align:middle}
O4 - HKCU\..\Run: [#GENBtmPages a {color:#015DBA; font-size:105%; font-weight:bold; text-decoration:underline; font-family:Arial, Helvetica, sans-se] c:\WINDOWS\System32\#GENBtmPages a {color:#015DBA; font-size:105%; font-weight:bold; text-decoration:underline; font-family:Arial, Helvetica, sans-serif}
O4 - HKCU\..\Run: [#GENBtmPages a:hover {color:#015DBA; font-size:105%; font-weight:bold; text-decoration:none; font-family:Arial, Helvetica, sans-se] c:\WINDOWS\System32\#GENBtmPages a:hover {color:#015DBA; font-size:105%; font-weight:bold; text-decoration:none; font-family:Arial, Helvetica, sans-serif}
O4 - HKCU\..\Run: [#GENbotlinks {clear:both; margin:0; padding:0 0 15px 0; font-family:Arial, Helvetica, sans-serif; font-size:12px; white-space:nowrap; width:auto; text-align:cen] c:\WINDOWS\System32\#GENbotlinks {clear:both; margin:0; padding:0 0 15px 0; font-family:Arial, Helvetica, sans-serif; font-size:12px; white-space:nowrap; width:auto; text-align:center}
O4 - HKCU\..\Run: [#GENbotlinks ul {margin:0; padding:0; list-style-type:n] c:\WINDOWS\System32\#GENbotlinks ul {margin:0; padding:0; list-style-type:none}
O4 - HKCU\..\Run: [#GENbotlinks .list {list-style-type:none; display:inline; margin:0; padding:0 4px 0 7px; border-right:1px solid #0] c:\WINDOWS\System32\#GENbotlinks .list {list-style-type:none; display:inline; margin:0; padding:0 4px 0 7px; border-right:1px solid #000;}
O4 - HKCU\..\Run: [#GENbotlinks .end {list-style-type:none; display:inline; margin:0; padding:0 7px 0 7] c:\WINDOWS\System32\#GENbotlinks .end {list-style-type:none; display:inline; margin:0; padding:0 7px 0 7px;}
O4 - HKCU\..\Run: [#GENbotlinks a {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#0000cc; text-transform: capitali] c:\WINDOWS\System32\#GENbotlinks a {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#0000cc; text-transform: capitalize }
O4 - HKCU\..\Run: [#GENbotlinks a:hover {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#000] c:\WINDOWS\System32\#GENbotlinks a:hover {font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#0000cc}
O4 - HKCU\..\Run: [#GENBtmForm {font-size:12px; margin:0; padding:20px 20px 0 20px; clear:left; width:auto; border-top:1px solid #] c:\WINDOWS\System32\#GENBtmForm {font-size:12px; margin:0; padding:20px 20px 0 20px; clear:left; width:auto; border-top:1px solid #999}
O4 - HKCU\..\Run: [#GENBtmForm form {margin:0 0 0 0; paddin] c:\WINDOWS\System32\#GENBtmForm form {margin:0 0 0 0; padding:0}
O4 - HKCU\..\Run: [#GENFooter {text-align:left; margin:0; padding:20px 0 0 20px; clear:both; font-family:Arial, Helvetica, sans-serif; font-size:14px; line-height:1] c:\WINDOWS\System32\#GENFooter {text-align:left; margin:0; padding:20px 0 0 20px; clear:both; font-family:Arial, Helvetica, sans-serif; font-size:14px; line-height:18px}
O4 - HKCU\..\Run: [#GENFooter a {font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#0000cc; text-decoration:n] c:\WINDOWS\System32\#GENFooter a {font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#0000cc; text-decoration:none}
O4 - HKCU\..\Run: [#GENFooter a:hover {font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#0000cc; text-decoration:underl] c:\WINDOWS\System32\#GENFooter a:hover {font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#0000cc; text-decoration:underline}
O4 - HKCU\..\Run: [#GENFooter span {font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#] c:\WINDOWS\System32\#GENFooter span {font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#999}
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ p
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ }
O4 - HKCU\..\Run: [ font-size: 1] c:\WINDOWS\System32\ font-size: 12px;
O4 - HKCU\..\Run: [ font-family: arial, helvetica, sans se] c:\WINDOWS\System32\ font-family: arial, helvetica, sans serif;
O4 - HKCU\..\Run: [ color: #000] c:\WINDOWS\System32\ color: #000000;
O4 - HKCU\..\Run: [ font-weight: nor] c:\WINDOWS\System32\ font-weight: normal;
O4 - HKCU\..\Run: [ .dom] c:\WINDOWS\System32\ .domain
O4 - HKCU\..\Run: [ font-size: 2] c:\WINDOWS\System32\ font-size: 22px;
O4 - HKCU\..\Run: [ color: #394] c:\WINDOWS\System32\ color: #394958;
O4 - HKCU\..\Run: [ font-weight: b] c:\WINDOWS\System32\ font-weight: bold;
O4 - HKCU\..\Run: [ .cour] c:\WINDOWS\System32\ .courtesy
O4 - HKCU\..\Run: [ font-family: arial,helvetica,sanse] c:\WINDOWS\System32\ font-family: arial,helvetica,sanserif;
O4 - HKCU\..\Run: [ color: #424] c:\WINDOWS\System32\ color: #424242;
O4 - HKCU\..\Run: [ line-height: 1] c:\WINDOWS\System32\ line-height: 14px;
O4 - HKCU\..\Run: [ font-weight:b] c:\WINDOWS\System32\ font-weight:bold;
O4 - HKCU\..\Run: [ .loo] c:\WINDOWS\System32\ .looking
O4 - HKCU\..\Run: [ font-weight:nor] c:\WINDOWS\System32\ font-weight:normal;
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ .try
O4 - HKCU\..\Run: [ color: wh] c:\WINDOWS\System32\ color: white;
O4 - HKCU\..\Run: [ .copyr] c:\WINDOWS\System32\ .copyright
O4 - HKCU\..\Run: [ .rel] c:\WINDOWS\System32\ .related
O4 - HKCU\..\Run: [ color: #343] c:\WINDOWS\System32\ color: #343D46;
O4 - HKCU\..\Run: [ .relse] c:\WINDOWS\System32\ .relsearch
O4 - HKCU\..\Run: [ color: #0B0] c:\WINDOWS\System32\ color: #0B0085;
O4 - HKCU\..\Run: [ .checkp] c:\WINDOWS\System32\ .checkprice
O4 - HKCU\..\Run: [ .li] c:\WINDOWS\System32\ .linkhd
O4 - HKCU\..\Run: [ color: #464] c:\WINDOWS\System32\ color: #464646;
O4 - HKCU\..\Run: [ .sponsor] c:\WINDOWS\System32\ .sponsorinfo
O4 - HKCU\..\Run: [ .sponso] c:\WINDOWS\System32\ .sponsorurl
O4 - HKCU\..\Run: [ color: #030] c:\WINDOWS\System32\ color: #03007A;
O4 - HKCU\..\Run: [ text-decoration: n] c:\WINDOWS\System32\ text-decoration: none;
O4 - HKCU\..\Run: [ a:] c:\WINDOWS\System32\ a:link
O4 - HKCU\..\Run: [ text-decoration: underl] c:\WINDOWS\System32\ text-decoration: underline;
O4 - HKCU\..\Run: [ a:vis] c:\WINDOWS\System32\ a:visited
O4 - HKCU\..\Run: [Cuto] "C:\WINDOWS\FNTS~1\logonui.exe" -vt yazb
O4 - HKCU\..\Run: [Ardfv] C:\WINDOWS\system32\s?stem32\n?tdde.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [#blank { display:non] c:\WINDOWS\System32\#blank { display:none; }
O4 - HKCU\..\Run: [#GENHeader { width:auto; height:66px; background: url("/custom/images/gen_logo2.gif") top right no-repeat; padding:5px 0 0 20px; color:#000; font-size:18px; font-weight:normal; margin:0 0 12px ] c:\WINDOWS\System32\#GENHeader { width:auto; height:66px; background: url("/custom/images/gen_logo2.gif") top right no-repeat; padding:5px 0 0 20px; color:#000; font-size:18px; font-weight:normal; margin:0 0 12px 0; }
O4 - HKCU\..\Run: [#GENHeader .GENurl { color:#366a] c:\WINDOWS\System32\#GENHeader .GENurl { color:#366ab3 }
O4 - HKCU\..\Run: [#GENHeader form { margin:0; padding:10px 0 0 0] c:\WINDOWS\System32\#GENHeader form { margin:0; padding:10px 0 0 0px }
O4 - HKCU\..\Run: [#GENQuery { width:auto; color:#ff6600; font-family:Arial, Helvetica, sans-serif; font-size:18px; padding:0px 0 2px 20px; margin-bottom:13px; font-weight:bo] c:\WINDOWS\System32\#GENQuery { width:auto; color:#ff6600; font-family:Arial, Helvetica, sans-serif; font-size:18px; padding:0px 0 2px 20px; margin-bottom:13px; font-weight:bold }
O4 - HKCU\..\Run: [#GENQuery .GENresultsinfo { color:#000; font-size:12px; font-weight:norm] c:\WINDOWS\System32\#GENQuery .GENresultsinfo { color:#000; font-size:12px; font-weight:normal }
O4 - HKCU\..\Run: [#GENQuery .GENKeyWord { color:#000; font-weight:bold; text-decoration:non] c:\WINDOWS\System32\#GENQuery .GENKeyWord { color:#000; font-weight:bold; text-decoration:none; }
O4 - HKCU\..\Run: [#GENQuerybot { width:auto; height:17px; color:#000; font-family:Arial, Helvetica, sans-serif; font-size:16px; padding:0px 0 10px 20px; margin-bottom:10px; float:left; clear:bo] c:\WINDOWS\System32\#GENQuerybot { width:auto; height:17px; color:#000; font-family:Arial, Helvetica, sans-serif; font-size:16px; padding:0px 0 10px 20px; margin-bottom:10px; float:left; clear:both }
O4 - HKCU\..\Run: [#GENQuerybot .GENKeyWord { color:#000; font-weight:bold; text-decoration:non] c:\WINDOWS\System32\#GENQuerybot .GENKeyWord { color:#000; font-weight:bold; text-decoration:none; }
O4 - HKCU\..\Run: [#GENContainer { WIDTH: 100%; margin:2px 0 0 0px; WIDTH: expression((document.all('GEN') )?document.all('GEN').offsetWidth:'100] c:\WINDOWS\System32\#GENContainer { WIDTH: 100%; margin:2px 0 0 0px; WIDTH: expression((document.all('GEN') )?document.all('GEN').offsetWidth:'100%');
O4 - HKCU\..\Run: [#GEN { CLEAR: both; WIDTH: 100%; TEXT-ALIGN: cent] c:\WINDOWS\System32\#GEN { CLEAR: both; WIDTH: 100%; TEXT-ALIGN: center }
O4 - HKCU\..\Run: [#GENMain { FLOAT: left; MARGIN-LEFT:-217px; WIDTH: 100] c:\WINDOWS\System32\#GENMain { FLOAT: left; MARGIN-LEFT:-217px; WIDTH: 100%; }
O4 - HKCU\..\Run: [#GENResults { MARGIN: 0px 0px 0px 217px; padding:0 0px 0] c:\WINDOWS\System32\#GENResults { MARGIN: 0px 0px 0px 217px; padding:0 0px 0 0 }
O4 - HKCU\..\Run: [#GENResults h1 { padding:0 0 0 px; color:#ff6600; font-family:Arial, Helvetica, sans-serif; font-size:16px; margin:0; font-weight:norm] c:\WINDOWS\System32\#GENResults h1 { padding:0 0 0 px; color:#ff6600; font-family:Arial, Helvetica, sans-serif; font-size:16px; margin:0; font-weight:normal }
O4 - HKCU\..\Run: [#GENResults h2 { padding-left:5p] c:\WINDOWS\System32\#GENResults h2 { padding-left:5px; }
O4 - HKCU\..\Run: [#GENResults h3 { padding:2px 0 3px 10px; color:#000; font-family:Arial, Helvetica, sans-serif; font-size:13px; margin:0 0 10px 0; font-weight:bold; background-color:#f7fef4; border-bottom:1px solid #c1e6] c:\WINDOWS\System32\#GENResults h3 { padding:2px 0 3px 10px; color:#000; font-family:Arial, Helvetica, sans-serif; font-size:13px; margin:0 0 10px 0; font-weight:bold; background-color:#f7fef4; border-bottom:1px solid #c1e6c1 }
O4 - HKCU\..\Run: [#GENResults ul { margin:0px 0 0 0; padding:5px 5px 0 18px; list-style-type:non] c:\WINDOWS\System32\#GENResults ul { margin:0px 0 0 0; padding:5px 5px 0 18px; list-style-type:none; }
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\brooks\Application Data\DownloadPlus.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O18 - Filter hijack: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMSystem\plugin.dll
O20 - AppInit_DLLs:
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\System32\windows
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\japjbbs.exe (file missing)
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

--
End of file - 145914 bytes

Edited by bmreid, 22 February 2008 - 06:21 PM.



#2 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:12 PM

Posted 24 February 2008 - 02:17 PM

Hi Bmreid!

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible. I'm in Hijackthis school and Teachers will check my posts.

#3 Baabiouz


Posted 28 February 2008 - 01:02 AM

Hi Bmreid!

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
It's highly recommended to format your computer.

#4 bmreid


Posted 28 February 2008 - 09:03 AM

Hi,

OK. That was worse news than I had imagined.

I've had this computer for about 5 years and basically only use it for music and internet. I don't use it for online banking and haven't purchased anything online for about 6 months, because I feared something like this.

Because of its limited use, would the best strategy still be to reinstall and reformat the OS? I only plan to keep this computer for about one more year, so if I can just clean the computer the best that I can and refrain from doing any online banking or purchasing in the future, that would be ideal.

Knowing how I use this computer, do you still make the same recommendation? Let me know.


Thanks,

bmreid

#5 Baabiouz


Posted 28 February 2008 - 01:22 PM

Hi!

That's ok if you use your computer for playing music and using internet. ;) Let's start cleaning:

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


#6 bmreid


Posted 28 February 2008 - 03:27 PM

Hi,


Here is my Combo Fix info followed by my HijackThis Log


ComboFix 08-02-25.3 - brooks 2008-02-28 14:15:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.16 [GMT -5:00]
Running from: C:\Documents and Settings\brooks\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\brooks\Application Data\ICROSO~1
C:\Documents and Settings\brooks\Application Data\macromedia\Flash Player\#SharedObjects\WUJWWCJT\www.broadcaster.com
C:\Documents and Settings\brooks\Application Data\macromedia\Flash Player\#SharedObjects\WUJWWCJT\www.broadcaster.com\played_list.sol
C:\Documents and Settings\brooks\Application Data\macromedia\Flash Player\#SharedObjects\WUJWWCJT\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\brooks\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\brooks\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\brooks\Application Data\Sskknwrd.dll
C:\Documents and Settings\brooks\My Documents\CURITY~1
C:\Documents and Settings\brooks\My Documents\SMANTE~1
C:\Documents and Settings\brooks\Start Menu\Programs\Outerinfo
C:\Documents and Settings\brooks\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\brooks\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\cmapp
C:\Program Files\cmapp\Client\cmappmf.dll
C:\Program Files\cmapp\Client\Uninstall.exe
C:\Program Files\cmsystem
C:\Program Files\cmsystem\Uninstall.exe
C:\Program Files\Common Files\icroso~1
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\inetget2
C:\Program Files\internet optimizer
C:\Program Files\internet optimizer\bak\optimize.exe
C:\Program Files\internet optimizer\install.exe
C:\Program Files\internet optimizer\update\install.exe
C:\Program Files\internet optimizer\update\optimize.exe
C:\Program Files\internet optimizer\update\optimize304.exe
C:\Program Files\internet optimizer\update\optimize310.exe
C:\Program Files\internet optimizer\update\optimize313.exe
C:\Program Files\internet optimizer\update\optimize314.exe
C:\Program Files\internet optimizer\update\rogue.exe
C:\Program Files\Messenger\guhake89104.dll
C:\Program Files\MyWay
C:\Program Files\MyWay\myBar\History\search
C:\Program Files\MyWay\myBar\Settings\prevcfg.htm
C:\Program Files\MyWay\myBar\Settings\settings.dat
C:\Program Files\MyWay\myBar\Settings\settings.dat.bak
C:\Program Files\MyWay\myBar\Settings\settings.htm
C:\Program Files\MyWay\myBar\Settings\settings.htm.bak
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\surfsidekick 3
C:\Program Files\surfsidekick 3\bak\Ssk.exe
C:\Program Files\surfsidekick 3\SskBho.dll
C:\Program Files\surfsidekick 3\SskCore.dll
C:\Program Files\TBONAS
C:\Program Files\TBONAS\bestoffers_icon_01.ico
C:\Program Files\TBONAS\grb12.rtk
C:\Program Files\TBONAS\TBONcomp.dll
C:\Program Files\TBONAS\TBONlchr.dll
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERInst.exe
C:\Program Files\Temporary\kernInst.exe
C:\Program Files\wincmapp
C:\Program Files\wincmapp\Uninstall.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\WINDOWS\b122.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\b153.exe
C:\WINDOWS\bar.exe
C:\WINDOWS\biprep.exe
C:\WINDOWS\fnts~1
C:\WINDOWS\fnts~1\logonui.exe
C:\WINDOWS\fnts~1\s?mbols\
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\NDNuninstall5_48.exe
C:\WINDOWS\NDNuninstall5_64.exe
C:\WINDOWS\NDNuninstall6_10.exe
C:\WINDOWS\NDNuninstall6_22.exe
C:\WINDOWS\NDNuninstall6_30.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\pf78.exe
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\a1\tliamdll2.exe
C:\WINDOWS\system32\aqtkvoot.ini
C:\WINDOWS\system32\bho.dll
C:\WINDOWS\system32\bjenaaye.ini
C:\WINDOWS\system32\bk.exe
C:\WINDOWS\system32\bridge.dll
C:\WINDOWS\system32\cdjfwmvt.ini
C:\WINDOWS\system32\cdrnsnql.ini
C:\WINDOWS\system32\coewaysa.ini
C:\WINDOWS\system32\crgramwy.ini
C:\WINDOWS\system32\dqzqrsrg.dllbox
C:\WINDOWS\system32\ecibuoac.dll
C:\WINDOWS\system32\ehkgmamh.dll
C:\WINDOWS\system32\extlcvdy.dll
C:\WINDOWS\system32\fjliykmv.dll
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\foeqsmni.dll
C:\WINDOWS\system32\fqdnvprj.ini
C:\WINDOWS\system32\fxaeuwjy.ini
C:\WINDOWS\system32\gfcuwaeh.ini
C:\WINDOWS\system32\ggjlm.ini
C:\WINDOWS\system32\ggjlm.ini2
C:\WINDOWS\system32\hcgadjru.dll
C:\WINDOWS\system32\hcshjmgj.ini
C:\WINDOWS\system32\hmamgkhe.ini
C:\WINDOWS\system32\instsrv.exe
C:\WINDOWS\system32\jao.dll
C:\WINDOWS\system32\jdfypxrb.dll
C:\WINDOWS\system32\jjucsuab.ini
C:\WINDOWS\system32\jrpvndqf.dll
C:\WINDOWS\system32\jtanbaaf.dll
C:\WINDOWS\system32\k5
C:\WINDOWS\system32\k5\thgd2241dll.exe
C:\WINDOWS\system32\kbxgwpfs.dll
C:\WINDOWS\system32\kemgvmaf.dll
C:\WINDOWS\system32\kencvxii.dll
C:\WINDOWS\system32\kgylsdax.ini
C:\WINDOWS\system32\kivpclks.dll
C:\WINDOWS\system32\kvknugje.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\mpmlxnsm.dll
C:\WINDOWS\system32\ncase.ini
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\nidsxuvc.ini
C:\WINDOWS\system32\nmcqdymc.ini
C:\WINDOWS\system32\nnnlmlk.dll
C:\WINDOWS\system32\nwxhoaye.dll
C:\WINDOWS\system32\omobtsny.dll
C:\WINDOWS\system32\osmim.dll
C:\WINDOWS\system32\p9
C:\WINDOWS\system32\p9\liopud89104.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\pqwlmeig.ini
C:\WINDOWS\system32\pstyhrkk.dll
C:\WINDOWS\system32\qjqwjilx.ini
C:\WINDOWS\system32\qnybywpw.ini
C:\WINDOWS\system32\qpxmqyof.ini
C:\WINDOWS\system32\rdjadxbw.dll
C:\WINDOWS\system32\sstem3~1
C:\WINDOWS\system32\sstem3~1\n?tdde.exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\urjdagch.ini
C:\WINDOWS\system32\vcbhhowu.dll
C:\WINDOWS\system32\vedpinxk.ini
C:\WINDOWS\system32\vlqeqgev.ini
C:\WINDOWS\system32\vojhtqnl.ini
C:\WINDOWS\system32\w11
C:\WINDOWS\system32\w11\hiba3133.exe
C:\WINDOWS\system32\ydvcltxe.ini
C:\WINDOWS\system32\yuigicgl.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\Windows Overlay Components


((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-28 )))))))))))))))))))))))))))))))
.

2008-02-28 13:32 . 2008-02-28 13:32 <DIR> d-------- C:\Program Files\JavaCore
2008-02-26 14:19 . 2008-02-26 14:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-26 14:19 . 2008-02-26 14:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-22 14:25 . 2008-02-22 14:25 0 --a------ C:\WINDOWS\kwv2.dat
2008-02-22 14:22 . 2008-02-22 14:22 52 --a------ C:\WINDOWS\lu.dat
2008-02-22 13:07 . 2008-02-22 13:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-22 12:35 . 2008-02-22 12:35 <DIR> d-------- C:\WINDOWS\F34D9A5F484A4E31A9D3908CB265B289.TMP
2008-02-22 10:47 . 2008-02-27 11:09 70,838 --a------ C:\WINDOWS\BM3f405b1b.xml
2008-02-22 10:46 . 2008-02-28 11:43 22 --a------ C:\WINDOWS\pskt.ini
2008-02-22 10:31 . 2008-02-22 10:31 47 --a------ C:\hWaitEventRetryInstall
2008-02-21 21:50 . 2008-02-21 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-21 10:58 . 2008-02-28 13:27 14,260 --a------ C:\WINDOWS\system32\MSFXDB32.SRG
2008-02-20 23:21 . 2008-02-20 23:21 <DIR> d--hs---- C:\WINDOWS\YnJvb2tzIG1pY2hhZWwgcmVpZA
2008-02-13 12:58 . 2008-02-13 12:58 294 --ahs---- C:\WINDOWS\system32\tjvaqbql.ini
2008-01-31 21:05 . 2008-01-31 21:05 163,904 --------- C:\WINDOWS\system32\dqzqrsrg.dll
2008-01-29 19:18 . 2008-01-29 19:18 2,238 --a------ C:\WINDOWS\system32\GClogo_32x32.ico
2008-01-29 19:08 . 2008-02-18 12:27 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-29 19:01 . 2008-01-29 19:01 <DIR> d-------- C:\temp\cXzz9
2008-01-28 22:04 . 2008-01-28 22:05 <DIR> d-------- C:\Program Files\iTunes
2008-01-28 20:08 . 2008-01-28 20:58 <DIR> d-------- C:\WINDOWS\LastGood(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-28 19:44 --------- d-----w C:\Program Files\Toolbar
2008-02-28 19:44 --------- d-----w C:\Program Files\Common Files\WinTools
2008-02-28 15:10 --------- d-----w C:\Documents and Settings\brooks\Application Data\uTorrent
2008-02-23 01:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-22 17:38 --------- d-----w C:\Program Files\DivX
2008-02-22 15:26 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-22 15:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-22 15:23 --------- d-----w C:\Program Files\AIM Toolbar
2008-02-02 22:04 --------- d-----w C:\Program Files\BearShare
2008-02-02 22:02 --------- d-----w C:\Documents and Settings\brooks\Application Data\Aim
2008-01-29 03:04 --------- d-----w C:\Program Files\iPod
2005-04-29 05:49 48,212 -c--a-w C:\Documents and Settings\brooks\windns.exe
2005-04-21 06:48 144,666 -c--a-w C:\Documents and Settings\brooks\cpdef3.exe
2005-04-06 00:40 81,399 -c--a-w C:\Documents and Settings\brooks\idInst5020.exe
2005-04-06 00:40 127,033 -c--a-w C:\Documents and Settings\brooks\cpdef2.exe
2005-03-01 03:41 17,144 -c--a-w C:\Documents and Settings\brooks\Application Data\GDIPFONTCACHEV1.DAT
2005-02-05 00:59 81,444 -c--a-w C:\Documents and Settings\brooks\idInst.exe
2005-01-26 01:48 406,249 -c--a-w C:\Documents and Settings\brooks\pcscan3inst.exe
2004-12-13 18:04 27 -c--a-w C:\Documents and Settings\brooks\Application Data\tvmcwrd.dll
2004-03-30 03:48 252,650 -c--a-w C:\Program Files\pup.exe
2003-12-05 06:11 169,984 ----a-w C:\Documents and Settings\brooks\Application Data\DownloadPlus.exe
2004-07-23 22:13 57,344 --sha-w C:\WINDOWS\lbbho.dll
1989-12-12 14:10 580,000 -csh--r C:\WINDOWS\mnxeruc.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00F1D395-4744-40f0-A611-980F61AE2C59}]
2005-07-05 10:58 286720 --a------ C:\WINDOWS\dsr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07129488-cd45-4510-970a-07cad2fa0264}]
C:\WINDOWS\System32\rdjadxbw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0AD4BDCA-A01D-A328-E289-CDC5EB400EA9}]
2001-08-23 07:00 106496 --a------ C:\WINDOWS\system32\libgycyt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B6899B6-1564-43e0-BD93-F7CF930A5E5C}]
2007-08-06 05:35 77824 --a------ C:\WINDOWS\System32\nsj234F.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D9BE4F6-3F55-454B-9615-AE908FF0DAE8}]
2004-07-23 17:13 57344 --ahs---- C:\WINDOWS\lbbho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}]
C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{302A3240-4805-4a34-97D7-1645A0B08410}]
2000-07-01 12:27 172032 --a------ C:\WINDOWS\Bolger.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3660BFC6-5C2C-23A1-0215-5D00BECD8DCF}]
C:\WINDOWS\System32\hka.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4865F155-CE00-4E93-A414-147844D7C81A}]
2006-10-17 22:27 409600 --a------ C:\WINDOWS\System32\tcblmoma.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D568F0F-8AC9-40AB-88B7-415134C78777}]
2004-08-13 12:35 135168 --a------ C:\WINDOWS\System32\winb2s32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59F4F380-01A0-4083-9FA4-E3B827319F7E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]
C:\WINDOWS\isrvs\sysupd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D60FF48-95BE-4956-B4C6-6BB168A70310}]
C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6333BCC1-5A2D-22FB-0615-5D00BECDD8C8}]
C:\WINDOWS\System32\kiu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70230839-555C-4862-8D42-BB1E2352502C}]
2005-10-09 20:46 229376 --a------ C:\WINDOWS\System32\italaxsj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70F6A776-579A-4C95-BA88-134253907752}]
2006-08-27 15:27 405504 --a------ C:\WINDOWS\System32\irsmqymf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71ED4FBA-4024-4bbe-91DC-9704C93F453E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83DC91DB-7896-43E3-B34D-A7D043F16BB1}]
2004-08-16 14:44 59904 --a------ C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}]
2005-02-06 17:38 218182 --a------ C:\WINDOWS\2_0_1browserhelper2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87766247-311C-43B4-8499-3D5FEC94A183}]
2005-03-07 04:06 191488 --a------ C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8952A998-1E7E-4716-B23D-3DBE03910972}]
2005-07-26 06:22 623616 --a------ C:\PROGRA~1\Toolbar\toolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}]
2005-01-30 22:37 63232 --a------ C:\WINDOWS\wsem303.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12}]
2005-11-08 14:48 151552 --a------ C:\WINDOWS\System32\nsw145.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}]
C:\WINDOWS\System32\bridge.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2008-01-31 21:05 163904 --------- C:\WINDOWS\system32\dqzqrsrg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C07F60AC-688D-4F3E-89EC-30B281BDD2CC}]
2007-01-07 13:56 421888 --a------ C:\WINDOWS\System32\asclkynx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC}]
2004-12-08 16:59 151552 -rah----- C:\Program Files\NavExcel\NavHelper\v2.0.4d\NHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01}]
2005-01-12 11:22 147456 --a------ C:\WINDOWS\System32\dsktrf1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE7EF827-47CC-48EB-B570-C367F1E1277E}]
2004-08-12 14:13 38400 --a------ C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D591234F-AD4B-4152-A7BF-37FD4D026503}]
C:\WINDOWS\System32\mljgg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D80C4E21-C346-4E21-8E64-20746AA20AEB}]
2005-02-07 02:04 331776 --a------ C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED120D76-BF31-412C-A99B-783C6676E128}]
C:\WINDOWS\System32\nnnlmlk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5DE8ADB-4A69-4e56-96AB-823171C8E9D8}]
C:\Program Files\TBONAS\TBONlchr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7F808F0-6F7D-442C-93E3-4A4827C2E4C8}]
2004-06-04 21:11 34560 --a------ C:\WINDOWS\nem218.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{52FE5233-367C-4EFB-BDD7-0BE4D212C107}
{5AA06644-BC46-4220-A460-47A6EB47C96D}
{2CDE1A7D-A478-4291-BF31-E1B4C16F92EB}
{339BB23F-A864-48C0-A59F-29EA915965EC}
{8E718888-423F-11D2-876E-00A0C9082467}
{7FD44536-9DF0-4034-939F-5BD4D98E3187}

[HKEY_CLASSES_ROOT\clsid\{52fe5233-367c-4efb-bdd7-0be4d212c107}]
[HKEY_CLASSES_ROOT\winb2s.dbi.1]
[HKEY_CLASSES_ROOT\TypeLib\{081DE2F6-927B-4AA9-88C1-F531C9387383}]
[HKEY_CLASSES_ROOT\winb2s.dbi]

[HKEY_CLASSES_ROOT\clsid\{5aa06644-bc46-4220-a460-47a6eb47c96d}]
[HKEY_CLASSES_ROOT\NavExcelBar.NavExcelBarObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{5297E905-1DFB-4A9C-9871-A4F95FD58945}]
[HKEY_CLASSES_ROOT\NavExcelBar.NavExcelBarObj]

[HKEY_CLASSES_ROOT\clsid\{339bb23f-a864-48c0-a59f-29ea915965ec}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{339BB23F-A864-48C0-A59F-29EA915965EC}"= C:\PROGRA~1\Toolbar\toolbar.dll [2005-07-26 06:22 623616]
"{5AA06644-BC46-4220-A460-47A6EB47C96D}"= C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll [2005-02-07 02:04 331776]

[HKEY_CLASSES_ROOT\clsid\{339bb23f-a864-48c0-a59f-29ea915965ec}]

[HKEY_CLASSES_ROOT\clsid\{5aa06644-bc46-4220-a460-47a6eb47c96d}]
[HKEY_CLASSES_ROOT\NavExcelBar.NavExcelBarObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{5297E905-1DFB-4A9C-9871-A4F95FD58945}]
[HKEY_CLASSES_ROOT\NavExcelBar.NavExcelBarObj]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"ClockSync"="C:\Program Files\ClockSync\Sync.exe" [ ]
"@"="c:\WINDOWS\System32\" [2008-02-28 14:35 0]
"function redirec"="c:\WINDOWS\System32\function redirect(){" [2001-08-23 07:00 331]
"var strT"="c:\WINDOWS\System32\var strTemp;" [2001-08-23 07:00 268]
"var strP"="c:\WINDOWS\System32\var strPort;" [2001-08-23 07:00 331]
"top.location.replace(strTemp);"="" []
"uruq"="C:\PROGRA~1\COMMON~1\uruq\uruqm.exe" [ ]
"top.location.replace(strTe"="c:\WINDOWS\System32\top.location.replace(strTemp);" [ ]
"<h"="c:\WINDOWS\System32\<head>" [ ]
"</h"="c:\WINDOWS\System32\</head>" [ ]
"</frame"="c:\WINDOWS\System32\</frameset>" [ ]
"<nofra"="c:\WINDOWS\System32\<noframes>" [ ]
"<body bgcolor=#ffffff text=#0000"="c:\WINDOWS\System32\<body bgcolor=#ffffff text=#000000>" [ ]
"</b"="c:\WINDOWS\System32\</body>" [ ]
"</nofra"="c:\WINDOWS\System32\</noframes>" [ ]
"CMAPP"="C:\Program Files\CMAPP\Client\cmappclient.exe" [ ]
"wincmap"="C:\Program Files\winCMAPP\wincmapp.exe" [ ]
"pshower"="C:\WINDOWS\System32\pshwr.exe" [ ]
"CMSystem"="C:\Program Files\CMSystem\CMSystem.exe" [ ]
"ichckupd"="C:\WINDOWS\System32\ichckupd.exe" [ ]
"SurfSideKick 3"="C:\Program Files\SurfSideKick 3\Ssk.exe" [ ]
"irssyncd"="C:\WINDOWS\System32\irssyncd.exe" [ ]
"<title> Welcome to beneditutti.com</ti"="c:\WINDOWS\System32\<title> Welcome to beneditutti.com</title>" [ ]
"<meta NAME=description CONTENT=beneditutti.c"="c:\WINDOWS\System32\<meta NAME=description CONTENT=beneditutti.com>" [ ]
"<meta NAME=keywords CONTENT=beneditutti.c"="c:\WINDOWS\System32\<meta NAME=keywords CONTENT=beneditutti.com>" [ ]
"<META HTTP-EQUIV=Pragma CONTENT=no-cac"="c:\WINDOWS\System32\<META HTTP-EQUIV=Pragma CONTENT=no-cache>" [ ]
"<META HTTP-EQUIV=Expires CONTENT="="c:\WINDOWS\System32\<META HTTP-EQUIV=Expires CONTENT=-1>" [ ]
"<!-- trafficclub.com"="c:\WINDOWS\System32\<!-- trafficclub.com -->" [ ]
"<!-- exec: 0.0452699661255"="c:\WINDOWS\System32\<!-- exec: 0.0452699661255 -->" [ ]
"<!-- domain: beneditutti.com"="c:\WINDOWS\System32\<!-- domain: beneditutti.com -->" [ ]
"<!-- ip: 65.151.55.61"="c:\WINDOWS\System32\<!-- ip: 65.151.55.61 -->" [ ]
"<!-- fingerprint: "="c:\WINDOWS\System32\<!-- fingerprint: -->" [ ]
"<!-- country: US"="c:\WINDOWS\System32\<!-- country: US -->" [ ]
"<!-- service: 1"="c:\WINDOWS\System32\<!-- service: 1 -->" [ ]
"<!-- rand: 13/100"="c:\WINDOWS\System32\<!-- rand: 13/100 -->" [ ]
"<!-- count: 1/0"="c:\WINDOWS\System32\<!-- count: 1/0 -->" [ ]
"<!-- COOKIE OVERRIDE : 1"="c:\WINDOWS\System32\<!-- COOKIE OVERRIDE : 1 -->" [ ]
"<!-- exec: 0.10525894165039"="c:\WINDOWS\System32\<!-- exec: 0.10525894165039 -->" [ ]
"<!-- ip: 74.128.245.214"="c:\WINDOWS\System32\<!-- ip: 74.128.245.214 -->" [ ]
"<!-- fingerprint: eab03eddd290aacdd1f44eeeb41270e3"="c:\WINDOWS\System32\<!-- fingerprint: eab03eddd290aacdd1f44eeeb41270e3 -->" [ ]
"<!-- rand: 27/100"="c:\WINDOWS\System32\<!-- rand: 27/100 -->" [ ]
"<!-- "="c:\WINDOWS\System32\<!-- -->" [ ]
"<!-- OK"="c:\WINDOWS\System32\<!-- OK -->" [ ]
"ItalU"="C:\WINDOWS\System32\italfds.exe" [ ]
"<!-- exec: 0.10721898078918"="c:\WINDOWS\System32\<!-- exec: 0.10721898078918 -->" [ ]
"<!-- service: 2"="c:\WINDOWS\System32\<!-- service: 2 -->" [ ]
"<!-- rand: 67/100"="c:\WINDOWS\System32\<!-- rand: 67/100 -->" [ ]
"Chckup"="C:\WINDOWS\System32\Netverchk.exe" [ ]
"<!-- exec: 0.10528993606567"="c:\WINDOWS\System32\<!-- exec: 0.10528993606567 -->" [ ]
"<!-- ip: 74.130.4.25"="c:\WINDOWS\System32\<!-- ip: 74.130.4.25 -->" [ ]
"<!-- fingerprint: f7801570d59ce51a933b90d42a7a3fbc"="c:\WINDOWS\System32\<!-- fingerprint: f7801570d59ce51a933b90d42a7a3fbc -->" [ ]
"<!-- service: 6"="c:\WINDOWS\System32\<!-- service: 6 -->" [ ]
"<!-- rand: 82/100"="c:\WINDOWS\System32\<!-- rand: 82/100 -->" [ ]
"<frame src=http://www.bnmq.com/?dn=beneditutti.com&cid=6484d099"="c:\WINDOWS\System32\<frame src=http://www.bnmq.com/?dn=beneditutti.com&cid=6484d09957>" [ ]
"LifeCU"="C:\WINDOWS\System32\BastaYa.exe" [ ]
"<TITLE>tool4ame.com</TI"="c:\WINDOWS\System32\<TITLE>tool4ame.com</TITLE>" [ ]
"<META NAME=Keywords CONTENT"="c:\WINDOWS\System32\<meta name=keywords content=>" [ ]
"<META NAME=Description CONTENT"="c:\WINDOWS\System32\<META NAME=Description CONTENT=>" [ ]
"<st"="c:\WINDOWS\System32\<style>" [2001-08-23 07:00 0]
"margin:"="c:\WINDOWS\System32\margin:0px;" [2001-08-23 07:00 762]
"padding:"="c:\WINDOWS\System32\padding:0px;" [2001-08-23 07:00 762]
"</st"="c:\WINDOWS\System32\</style>" [ ]
"<b"="c:\WINDOWS\System32\<body>" [2001-08-23 07:00 762]
"-->"="" []
"<html><head><title>nobrainnewbie.com</title><meta name=keywords content=><meta name=description content"="c:\WINDOWS\System32\<html><head><title>nobrainnewbie.com</title><meta name=keywords content=><meta name=description content=>" [ ]
"flag"="c:\WINDOWS\System32\flag = 1" [2001-08-23 07:00 47389]
"function exittraffic() { if (flag == 1) { mhppop();"="c:\WINDOWS\System32\function exittraffic() { if (flag == 1) { mhppop()} }" [ ]
"var rm_section_id = 174"="c:\WINDOWS\System32\var rm_section_id = 174688;" [2001-08-23 07:00 586]
"var rm_banned_pop_types ="="c:\WINDOWS\System32\var rm_banned_pop_types = 29;" [2001-08-23 07:00 586]
"var rm_pop_times = "="c:\WINDOWS\System32\var rm_pop_times = 100;" [2001-08-23 07:00 586]
"var rm_pop_frequency = 86"="c:\WINDOWS\System32\var rm_pop_frequency = 86400;" [2001-08-23 07:00 586]
"rmShowPo"="c:\WINDOWS\System32\rmShowPop();" [2001-08-23 07:00 586]
"<a href=/click/nUE0pQbiY3OuM2IuMQVhM29iM2kyp3yhMTywLKEco24hL29gY3OuM2IuMP9cL2keC3AuCJjzLJx9DwVmZ01uI2guHaEkqRV2LJqbDIOVAGIUD0AnpaImHyAGpT9yIHSmD050q0qOAzcOHHS4M0EWGKMsqISAo0AdDHSCDHWEBJI2EQuaIzq5MJSgnIOGnaqPD2qOJKcCZy8jEUAaEIWvoGycL21TpTWgAJkxZxcjJyZ1nzVlZ0yOHHuuDIWfo2EVHaqCnGu2Lz05nJAgEaOvoGIfMQWXpScGAJcvZwO2pHSADvMhqJ09ZlMuMUIloQ1bqUEjBv8iq3q3YzkuqJVhL29gY2MupKAsLaWunJ5cozc1paxhLKAjWzAfnJIhqQ1wLF1xpP1hMKEmqTIlAS94oJk8sRWlLJyhVRyhnaIlrFOTDISmsUk3q3phoTS1Lv5wo20iMzSkp19vpzScozyhnaIlrF5up3O8sQA8sQN=/ st"="" []
"<TITLE>nobrainnewbie.com</TI"="c:\WINDOWS\System32\<TITLE>nobrainnewbie.com</TITLE>" [ ]
"<script language=JavaScri"="c:\WINDOWS\System32\<script language=JavaScript>" [ ]
"var rm_host = http://ad.91s.c"="c:\WINDOWS\System32\var rm_host = http://ad.91s.com;" [ ]
"</SCR"="c:\WINDOWS\System32\</SCRIPT>" [ ]
"<!-- END TAG"="c:\WINDOWS\System32\<!-- END TAG -->" [ ]
"<head>"="" []
"<meta http-equiv=Content-Type content=text/htmlcharset=UTF-8>"="" []
"<meta http-equiv=Content-Style-Type content=text/c"="c:\WINDOWS\System32\<meta http-equiv=Content-Style-Type content=text/css>" [ ]
"<META name=description content=beneditutti.com>"="" []
"<META name=keywords content=bender"="" []
"<title>beneditutti.com</title>"="" []
"</head>"="" []
"<body>"="" []
"<div id=siteheader> "="" []
"<div id=pageheader>"="" []
"</div>"="" []
"</div>"="" []
"<div id=nav_inquiry>"="" []
"</div>"="" []
"#blank {display:no"="c:\WINDOWS\System32\#blank {display:none;}" [2001-08-23 07:00 30979]
"#GENHeader .GENurl {color:#366"="c:\WINDOWS\System32\#GENHeader .GENurl {color:#366ab3}" [2001-08-23 07:00 30979]
"#GENHeader form {margin:0padding:10px 0 0 "="c:\WINDOWS\System32\#GENHeader form {margin:0padding:10px 0 0 0px}" [ ]
"<style type=text/c"="c:\WINDOWS\System32\<style type=text/css>" [ ]
"body{background-color:#FFF;color:#000;font-family:Verd"="c:\WINDOWS\System32\body{background-color:#FFF;color:#000;font-family:Verdana" [ ]
"a:link{color:#000;text-decoration:no"="c:\WINDOWS\System32\a:link{color:#000;text-decoration:none;}" [ ]
"a:visited{color:#000;text-decoration:no"="c:\WINDOWS\System32\a:visited{color:#000;text-decoration:none;}" [ ]
"a:hover{color:#C"="c:\WINDOWS\System32\a:hover{color:#C03;}" [ ]
"a:active{color:#FF4500;text-decoration:underli"="c:\WINDOWS\System32\a:active{color:#FF4500;text-decoration:underline;}" [ ]
"a.nave"="c:\WINDOWS\System32\a.navelem{" [2001-08-23 07:00 8554]
"display:bl"="c:\WINDOWS\System32\display:block;" [2001-08-23 07:00 8555]
"font-size:1"="c:\WINDOWS\System32\font-size:11px;" [2001-08-23 07:00 8559]
"font-weight:"="c:\WINDOWS\System32\font-weight:700;" [2001-08-23 07:00 8509]
"color:#"="c:\WINDOWS\System32\color:#000;" [2001-08-23 07:00 8513]
"background-color:#D8D"="c:\WINDOWS\System32\background-color:#D8DFEE;" [2001-08-23 07:00 8547]
"background-image: url(http://63.214.247.19/_wi/bullet.g"="c:\WINDOWS\System32\background-image: url(http://63.214.247.19/_wi/bullet.gif);" [ ]
"background-repeat:no-rep"="c:\WINDOWS\System32\background-repeat:no-repeat;" [2001-08-23 07:00 8507]
"width:24"="c:\WINDOWS\System32\width:241px;" [2001-08-23 07:00 8554]
"height:2"="c:\WINDOWS\System32\height:24px;" [2001-08-23 07:00 8547]
"text-indent:2"="c:\WINDOWS\System32\text-indent:28px;" [2001-08-23 07:00 8507]
"line-height:2"="c:\WINDOWS\System32\line-height:21px;" [2001-08-23 07:00 8509]
"text-decoration:n"="c:\WINDOWS\System32\text-decoration:none;" [2001-08-23 07:00 8557]
"cursor:poin"="c:\WINDOWS\System32\cursor:pointer;" [2001-08-23 07:00 8557]
"margin:0 0 "="c:\WINDOWS\System32\margin:0 0 1px;" [2001-08-23 07:00 8507]
"border-top-width: "="c:\WINDOWS\System32\border-top-width: 1px;" [2001-08-23 07:00 8554]
"border-right-width: "="c:\WINDOWS\System32\border-right-width: 1px;" [2001-08-23 07:00 8554]
"border-bottom-width: "="c:\WINDOWS\System32\border-bottom-width: 1px;" [2001-08-23 07:00 8559]
"border-left-width: "="c:\WINDOWS\System32\border-left-width: 1px;" [2001-08-23 07:00 8554]
"border-top-style: n"="c:\WINDOWS\System32\border-top-style: none;" [2001-08-23 07:00 8547]
"border-right-style: so"="c:\WINDOWS\System32\border-right-style: solid;" [2001-08-23 07:00 8555]
"border-bottom-style: so"="c:\WINDOWS\System32\border-bottom-style: solid;" [2001-08-23 07:00 8514]
"border-left-style: n"="c:\WINDOWS\System32\border-left-style: none;" [2001-08-23 07:00 8554]
"border-right-color: #FFF"="c:\WINDOWS\System32\border-right-color: #FFFFFF;" [2001-08-23 07:00 8554]
"border-bottom-color: #FFF"="c:\WINDOWS\System32\border-bottom-color: #FFFFFF;" [2001-08-23 07:00 8509]
"a.navelem:hover{background-color:#6987BC;color:#F"="c:\WINDOWS\System32\a.navelem:hover{background-color:#6987BC;color:#FFF;}" [ ]
".title_text{color:#FFF;font-size:18pt;line-height:"="c:\WINDOWS\System32\.title_text{color:#FFF;font-size:18pt;line-height:100%" [ ]
".title_text a{color:#FFF;font-size:12"="c:\WINDOWS\System32\.title_text a{color:#FFF;font-size:12px;}" [ ]
".title_sub_text{color:#FFF;font-size:8"="c:\WINDOWS\System32\.title_sub_text{color:#FFF;font-size:8pt;}" [ ]
".tagline_text{color:#000;font-size:12px;font-weight:7"="c:\WINDOWS\System32\.tagline_text{color:#000;font-size:12px;font-weight:700;}" [ ]
".search_form{font-size:10"="c:\WINDOWS\System32\.search_form{font-size:10px;}" [2001-08-23 07:00 8529]
".description_text{color:#000;font-size:12px;line-height:20"="c:\WINDOWS\System32\.description_text{color:#000;font-size:12px;line-height:20px;}" [ ]
"a.resultsurl:hover{text-decoration:none;color:#8997"="c:\WINDOWS\System32\a.resultsurl:hover{text-decoration:none;color:#8997BE;}" [ ]
".disclaimer{color:#999;font-size:10"="c:\WINDOWS\System32\.disclaimer{color:#999;font-size:10px;}" [ ]
".TextField{color:#000;font-size:11px;font-family:Ar"="c:\WINDOWS\System32\.TextField{color:#000;font-size:11px;font-family:Arial" [ ]
"Helvet"="c:\WINDOWS\System32\Helvetica" [ ]
"<script type=text/javascript>"="" []
"<!--"="" []
" top.location = self.location.href;"="" []
"}"="" []
"function sf() {"="" []
"isSearch2 = eval(document.forms[form_search2]);"="" []
"if(document.forms[form_search1].searchq1.value) {"="" []
"document.forms[form_search1].action=/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/+(document.forms[form_search1].searchq1.value)+;"="" []
"if(isSearch2){"="" []
"document.forms[form_search2].action=/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/+(document.forms[form_search1].searchq1.value)+;"="" []
"}"="" []
"document.forms[form_search1].action=/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/+(document.forms[form_search2].searchq2.value)+;"="" []
"document.forms[form_search2].action=/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/+(document.forms[form_search2].searchq2.value)+;"="" []
"return true;"="" []
"<style type=text/css>"="" []
"form {"="" []
"padding: 0px;"="" []
"</style>"="" []
"function cl(t"="c:\WINDOWS\System32\function cl(tx) {" [2001-08-23 07:00 8557]
"window.status"="c:\WINDOWS\System32\window.status=tx;" [2001-08-23 07:00 8514]
"<a class=navelem href=/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/brain+guid"="c:\WINDOWS\System32\<a class=navelem href=/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/brain+guide/>" [ ]
"Brain Fitness Program"="c:\WINDOWS\System32\Brain Fitness Program</a>" [ ]
"Brain Health"="c:\WINDOWS\System32\Brain Health</a>" [ ]
"<"="c:\WINDOWS\System32\</tr>" [ ]
"<tr valign=bott"="c:\WINDOWS\System32\<tr valign=bottom>" [ ]
"</ta"="c:\WINDOWS\System32\</table>" [ ]
"2"="c:\WINDOWS\System32\2007" [ ]
"#GEN {CLEAR: bothWIDTH: 100%TEXT-ALIGN: cen"="c:\WINDOWS\System32\#GEN {CLEAR: bothWIDTH: 100%TEXT-ALIGN: center}" [ ]
"#GENMain {FLOAT: leftMARGIN-LEFT:-217pxWIDTH: 10"="c:\WINDOWS\System32\#GENMain {FLOAT: leftMARGIN-LEFT:-217pxWIDTH: 100%;}" [ ]
"#GENResults {MARGIN: 0px 0px 0px 217pxpadding:0 0px "="c:\WINDOWS\System32\#GENResults {MARGIN: 0px 0px 0px 217pxpadding:0 0px 0 0}" [ ]
"#GENResults li {margin:0padding:0 0 15px 0list-style-type:n"="c:\WINDOWS\System32\#GENResults li {margin:0padding:0 0 15px 0list-style-type:none}" [ ]
"#GENRelateds ul {margin:0 0 0 0pxpaddin"="c:\WINDOWS\System32\#GENRelateds ul {margin:0 0 0 0pxpadding:0}" [ ]
"#GENBtmPages img {vertical-align:mid"="c:\WINDOWS\System32\#GENBtmPages img {vertical-align:middle}" [2001-08-23 07:00 30775]
"#GENbotlinks ul {margin:0padding:0list-style-type:n"="c:\WINDOWS\System32\#GENbotlinks ul {margin:0padding:0list-style-type:none}" [ ]
"#GENBtmForm form {margin:0 0 0 0paddin"="c:\WINDOWS\System32\#GENBtmForm form {margin:0 0 0 0padding:0}" [ ]
"c:\WINDOWS\System32\ "="" []
"c:\WINDOWS\System32\ p "="" []
"c:\WINDOWS\System32\ }"="" []
"font-size: 1"="c:\WINDOWS\System32\ font-size: 12px;" [2001-08-23 07:00 75125]
"color: #000"="c:\WINDOWS\System32\ color: #000000;" [2001-08-23 07:00 75063]
"font-weight: nor"="c:\WINDOWS\System32\ font-weight: normal;" [2001-08-23 07:00 75011]
".dom"="c:\WINDOWS\System32\ .domain " [2001-08-23 07:00 74843]
"font-size: 2"="c:\WINDOWS\System32\ font-size: 22px;" [2001-08-23 07:00 74843]
"color: #394"="c:\WINDOWS\System32\ color: #394958;" [2001-08-23 07:00 75115]
"font-weight: b"="c:\WINDOWS\System32\ font-weight: bold;" [2001-08-23 07:00 74842]
".cour"="c:\WINDOWS\System32\ .courtesy" [2001-08-23 07:00 74815]
"color: #424"="c:\WINDOWS\System32\ color: #424242;" [2001-08-23 07:00 75088]
"line-height: 1"="c:\WINDOWS\System32\ line-height: 14px;" [2001-08-23 07:00 74793]
"font-weight:b"="c:\WINDOWS\System32\ font-weight:bold;" [2001-08-23 07:00 75068]
".loo"="c:\WINDOWS\System32\ .looking" [2001-08-23 07:00 75088]
"font-weight:nor"="c:\WINDOWS\System32\ font-weight:normal;" [2001-08-23 07:00 75169]
"c:\WINDOWS\System32\ .try"="" []
"color: wh"="c:\WINDOWS\System32\ color: white;" [2001-08-23 07:00 74815]
".copyr"="c:\WINDOWS\System32\ .copyright" [2001-08-23 07:00 75113]
".rel"="c:\WINDOWS\System32\ .related" [2001-08-23 07:00 75074]
"color: #343"="c:\WINDOWS\System32\ color: #343D46;" [2001-08-23 07:00 75113]
".relse"="c:\WINDOWS\System32\ .relsearch" [2001-08-23 07:00 75094]
"color: #0B0"="c:\WINDOWS\System32\ color: #0B0085;" [2001-08-23 07:00 74825]
".checkp"="c:\WINDOWS\System32\ .checkprice" [2001-08-23 07:00 74845]
".li"="c:\WINDOWS\System32\ .linkhd" [2001-08-23 07:00 74822]
"color: #464"="c:\WINDOWS\System32\ color: #464646;" [2001-08-23 07:00 75423]
".sponsor"="c:\WINDOWS\System32\ .sponsorinfo" [2001-08-23 07:00 75111]
".sponso"="c:\WINDOWS\System32\ .sponsorurl" [2001-08-23 07:00 75420]
"color: #030"="c:\WINDOWS\System32\ color: #03007A;" [2001-08-23 07:00 75072]
"text-decoration: n"="c:\WINDOWS\System32\ text-decoration: none;" [2001-08-23 07:00 75072]
"a:"="c:\WINDOWS\System32\ a:link" [2001-08-23 07:00 75400]
"text-decoration: underl"="c:\WINDOWS\System32\ text-decoration: underline;" [2001-08-23 07:00 75111]
"a:vis"="c:\WINDOWS\System32\ a:visited" [2001-08-23 07:00 75072]
"Cuto"="C:\WINDOWS\FNTS~1\logonui.exe" [ ]
"Ardfv"="C:\WINDOWS\system32\s?stem32\n?tdde.exe" [ ]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]
"#blank { display:non"="c:\WINDOWS\System32\#blank { display:none}" [ ]
"#GENHeader .GENurl { color:#366a"="c:\WINDOWS\System32\#GENHeader .GENurl { color:#366ab3 }" [2001-08-23 07:00 32473]
"#GENHeader form { margin:0padding:10px 0 0 0"="c:\WINDOWS\System32\#GENHeader form { margin:0padding:10px 0 0 0px }" [ ]
"#GEN { CLEAR: bothWIDTH: 100%TEXT-ALIGN: cent"="c:\WINDOWS\System32\#GEN { CLEAR: bothWIDTH: 100%TEXT-ALIGN: center }" [ ]
"#GENMain { FLOAT: leftMARGIN-LEFT:-217pxWIDTH: 100"="c:\WINDOWS\System32\#GENMain { FLOAT: leftMARGIN-LEFT:-217pxWIDTH: 100%}" [ ]
"#GENResults { MARGIN: 0px 0px 0px 217pxpadding:0 0px 0"="c:\WINDOWS\System32\#GENResults { MARGIN: 0px 0px 0px 217pxpadding:0 0px 0 0 }" [ ]
"#GENResults h2 { padding-left:5p"="c:\WINDOWS\System32\#GENResults h2 { padding-left:5px}" [ ]
"#GENResults li { margin:0padding:0 0 15px 0list-style-type:no"="c:\WINDOWS\System32\#GENResults li { margin:0padding:0 0 15px 0list-style-type:none }" [ ]
"#GENResults h2 { padding-left:5px;font-size:13p"="c:\WINDOWS\System32\#GENResults h2 { padding-left:5px;font-size:13px}" [ ]
"#GENRelateds ul { margin:0 0 0 0pxpadding"="c:\WINDOWS\System32\#GENRelateds ul { margin:0 0 0 0pxpadding:0 }" [ ]
"#GENBtmPages img { vertical-align:midd"="c:\WINDOWS\System32\#GENBtmPages img { vertical-align:middle }" [2001-08-23 07:00 32473]
"#GENbotlinks ul { margin:0padding:0list-style-type:no"="c:\WINDOWS\System32\#GENbotlinks ul { margin:0padding:0list-style-type:none }" [ ]
"#GENBtmForm form { margin:0 0 0 0padding"="c:\WINDOWS\System32\#GENBtmForm form { margin:0 0 0 0padding:0 }" [ ]
"#nav_search_holder { border-top:2px solid #d7eaeeclear:bot"="c:\WINDOWS\System32\#nav_search_holder { border-top:2px solid #d7eaeeclear:both}" [ ]
"#nav_bottom { padding:0margin:5px 0 0 0width:47%float:lef"="c:\WINDOWS\System32\#nav_bottom { padding:0margin:5px 0 0 0width:47%float:left}" [ ]
"#footer { margin:0padding:0width:100%clear:bot"="c:\WINDOWS\System32\#footer { margin:0padding:0width:100%clear:both}" [ ]
"#navlist { margin:0ptpadding:0ptheight:10"="c:\WINDOWS\System32\#navlist { margin:0ptpadding:0ptheight:100% }" [ ]
"#bottom_navlist { margin: 0padding:0text-align:lef"="c:\WINDOWS\System32\#bottom_navlist { margin: 0padding:0text-align:left}" [ ]
"#bottom_navlist a:hover { color: #ff"="c:\WINDOWS\System32\#bottom_navlist a:hover { color: #fff}" [ ]
"JavaCore"="C:\Program Files\JavaCore\JavaCore.exe" [2008-02-28 13:32 144896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBPS"="C:\PROGRA~1\Toolbar\TBPS.exe" [2006-06-29 06:29 790528]
"WinTools"="C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe" [2005-05-23 22:34 521216]
"RunDLL"="C:\WINDOWS\System32\bridge.dll" [ ]
"Macafee"="LSAS.EXE" []
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [ ]
"systray"="C:\WINDOWS\System32\a.exe" [ ]
"@"="c:\WINDOWS\System32\" [2008-02-28 14:35 0]
"function redirec"="c:\WINDOWS\System32\function redirect(){" [2001-08-23 07:00 331]
"var strT"="c:\WINDOWS\System32\var strTemp;" [2001-08-23 07:00 268]
"var strP"="c:\WINDOWS\System32\var strPort;" [2001-08-23 07:00 331]
"top.location.replace(strTemp);"="" []
"} el"="c:\WINDOWS\System32\} else {" [2001-08-23 07:00 975]
"}"="c:\WINDOWS\System32\} " [2001-08-23 07:00 8547]
"WildTangent CDA"="C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll" [2004-05-21 18:12 64512]
"ver4 = (NS4 || IE4plus) ? true : fa"="c:\WINDOWS\System32\ver4 = (NS4 || IE4plus) ? true : false;" [ ]
"var today = new Dat"="c:\WINDOWS\System32\var today = new Date();" [2001-08-23 07:00 20381]
"var pos_top = (screen.height) + 1// window is 1 pixel below the bottom of sc"="c:\WINDOWS\System32\var pos_top = (screen.height) + 1// window is 1 pixel below the bottom of screen" [ ]
"var NN4=d.layers?"="c:\WINDOWS\System32\var NN4=d.layers?1:0;" [ ]
"var gSafeOnload = new Arra"="c:\WINDOWS\System32\var gSafeOnload = new Array();" [2001-08-23 07:00 15218]
"var expire = new Dat"="c:\WINDOWS\System32\var expire = new Date();" [2001-08-23 07:00 20381]
"var d=docum"="c:\WINDOWS\System32\var d=document;" [2001-08-23 07:00 975]
"var cookieExist = getCookie(strCookieNa"="c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);" [2001-08-23 07:00 21336]
"SafeAddOnload(PUWSta"="c:\WINDOWS\System32\SafeAddOnload(PUWStart);" [ ]
"s=screen.width;v=navigator.app"="c:\WINDOWS\System32\s=screen.width;v=navigator.appName" [ ]
"OSS"="C:\WINDOWS\System32\ossproxy.exe" [ ]
"offset = document.cookie.indexOf(search) "="c:\WINDOWS\System32\offset = document.cookie.indexOf(search) " [2001-08-23 07:00 20381]
"offset += search.leng"="c:\WINDOWS\System32\offset += search.length" [ ]
"nvid"="C:\WINDOWS\System32\zmixjb.exe" [ ]
"NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:fa"="c:\WINDOWS\System32\NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:false;" [ ]
"NS4 = (document.layers) ? true : fa"="c:\WINDOWS\System32\NS4 = (document.layers) ? true : false;" [ ]
"NS2"="c:\WINDOWS\System32\NS2Ch=0" [ ]
"mhppop()//makeusyourhomepage"="c:\WINDOWS\System32\mhppop()//makeusyourhomepage pop" [ ]
"j=navigator.javaEnabl"="c:\WINDOWS\System32\j=navigator.javaEnabled()" [ ]
"if(!NN"="{" [2001-08-23 07:00 762 C:\WINDOWS\system32\{]
"if (offset != -1) { // if cookie exists "="c:\WINDOWS\System32\if (offset != -1) { // if cookie exists " [ ]
"if (NS2Ch == "="c:\WINDOWS\System32\if (NS2Ch == 0) {" [2001-08-23 07:00 21336]
"if (IE4p"="c:\WINDOWS\System32\if (IE4plus)" [2001-08-23 07:00 15218]
"if (end == -1) "="c:\WINDOWS\System32\if (end == -1) " [2001-08-23 07:00 21336]
"if ((flag =="="c:\WINDOWS\System32\if ((flag == 1))" [2001-08-23 07:00 21336]
"IEMajor "="c:\WINDOWS\System32\IEMajor = 0;" [2001-08-23 07:00 15218]
"IEmac = ((document.all)&&(isMac)) ? true : fa"="c:\WINDOWS\System32\IEmac = ((document.all)&&(isMac)) ? true : false;" [ ]
"IE5plus = IE5 || "="c:\WINDOWS\System32\IE5plus = IE5 || IE6;" [ ]
"IE4plus = (document.all) ? true : fa"="c:\WINDOWS\System32\IE4plus = (document.all) ? true : false;" [ ]
"function SafeOnlo"="c:\WINDOWS\System32\function SafeOnload()" [2001-08-23 07:00 15218]
"function SafeAddOnloa"="c:\WINDOWS\System32\function SafeAddOnload(f)" [2001-08-23 07:00 15218]
"function PUW_In"="c:\WINDOWS\System32\function PUW_Init()" [2001-08-23 07:00 15218]
"function PUW_CheckFrequen"="c:\WINDOWS\System32\function PUW_CheckFrequency()" [2001-08-23 07:00 15218]
"function PUWSta"="c:\WINDOWS\System32\function PUWStart()" [2001-08-23 07:00 15218]
"function mhppo"="c:\WINDOWS\System32\function mhppop(){" [2001-08-23 07:00 21336]
"function isInt(nu"="c:\WINDOWS\System32\function isInt(numIn)" [2001-08-23 07:00 15218]
"function getCookie(Name) "="c:\WINDOWS\System32\function getCookie(Name) { " [2001-08-23 07:00 20381]
"function FormFocu"="c:\WINDOWS\System32\function FormFocus(){" [2001-08-23 07:00 21336]
"function exittraff"="c:\WINDOWS\System32\function exittraffic()" [2001-08-23 07:00 21336]
"flag"="c:\WINDOWS\System32\flag = 1" [2001-08-23 07:00 47389]
"expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3"="c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 365);" [ ]
"end = document.cookie.length "="c:\WINDOWS\System32\end = document.cookie.length " [2001-08-23 07:00 21336]
"else {c=screen.pixelDe"="c:\WINDOWS\System32\else {c=screen.pixelDepth}" [2001-08-23 07:00 21336]
"document.frmSearch.KeyWords.focu"="c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();" [ ]
"com_dmi3"="C:\WINDOWS\System32\com_dmi3.exe" [ ]
"A:hover {background: #FFCC00color: bla"="c:\WINDOWS\System32\A:hover {background: #FFCC00color: black;}" [ ]
"<script language=javascript type=text/javascri"="c:\WINDOWS\System32\<script language=javascript type=text/javascript>" [ ]
"<META HTTP-EQUIV=Pragma CONTENT=no-cac"="c:\WINDOWS\System32\<META HTTP-EQUIV=Pragma CONTENT=no-cache>" [ ]
"<h"="c:\WINDOWS\System32\<head>" [ ]
"<body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 bgcolor=#ffff"="c:\WINDOWS\System32\<body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 bgcolor=#ffffff>" [ ]
"</scr"="c:\WINDOWS\System32\</SCRIPT>" [ ]
"</h"="c:\WINDOWS\System32\</head>" [ ]
"</b"="c:\WINDOWS\System32\</body>" [ ]
"// set index of end of cookie value "="c:\WINDOWS\System32\// set index of end of cookie value " [2001-08-23 07:00 21336]
"// set index of beginning of value "="c:\WINDOWS\System32\// set index of beginning of value " [2001-08-23 07:00 21336]
"// Browser Detec"="c:\WINDOWS\System32\// Browser Detection" [2001-08-23 07:00 16610]
"// Body onload utility (supports multiple onload functi"="c:\WINDOWS\System32\// Body onload utility (supports multiple onload functions)" [2001-08-23 07:00 15218]
"var shouldShow = this.frequency != 0;"="" []
"var newWin = window.open(this.url"="" []
"var checknum = parseInt(numIn);"="" []
"this.width = width;"="" []
"this.url = url;"="" []
"this.top = screen.availHeight/2 - height/2// center"="" []
"this.toolbar= false;"="" []
"this.statusbar= false;"="" []
"this.showDelay = 2000;"="" []
"this.Show = PUW_Show;"="" []
"this.scrollbars= false;"="" []
"this.resizable = false;"="" []
"this.renew = 1// renew showing every x hours"="" []
"this.ontop = false;"="" []
"this.menubar = false;"="" []
"this.locationbar = false;"="" []
"this.left = screen.availWidth/2 - width/2// center"="" []
"this.Init = PUW_Init;"="" []
"this.height = height;"="" []
"this.frequency = 1// how many times show per renewal time period"="" []
"this.CheckFrequency = PUW_CheckFrequency;"="" []
"return shouldShow;"="" []
"return !isNaN(checknum);"="" []
"if (IEmac && IE4) // IE 4.5 blows out on testing window.onload"="" []
"if (! this.ontop)"="" []
"IEMajor = parseInt(navigator.appVersion.substring(start+5"="" []
"else if (window.onload)"="" []
"window.onload = SafeOnload;"="" []
"window.onload = f;"="" []
"window.focus();"="" []
"var exp = new Date();"="" []
"var allCookies = document.cookie;"="" []
"if (window.onload != SafeOnload)"="" []
"gSafeOnload[i]();"="" []
"gSafeOnload[gSafeOnload.length] = f;"="" []
"exp.setTime(exp.getTime()+this.renew*60*6000);"="" []
"window.onload = SafeOnload;"="" []
"var freqStr = allCookies.substring(start+9"="" []
"this.frequency--;"="" []
"shouldShow = false;"="" []
"if (isInt(freqStr))"="" []
"gSafeOnload[0] = window.onload;"="" []
"this.frequency = parseInt(freqStr);"="" []
"end = allCookies.length;"="" []
"Search:"="" []
"s=screen.width;v=navigator.appName"="" []
"NS2Ch=0"="" []
"j=navigator.javaEnabled()"="" []
"if (NS2Ch == 0) {"="" []
"else {c=screen.pixelDepth}"="" []
"}"="" []
"-->"="" []
"navapp"="C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe" [ ]
"gPopupWindow.toolbar = fa"="c:\WINDOWS\System32\gPopupWindow.toolbar = false;" [2001-08-23 07:00 15218]
"gPopupWindow.statusbar = fa"="c:\WINDOWS\System32\gPopupWindow.statusbar = false;" [2001-08-23 07:00 15218]
"gPopupWindow.resizable = fa"="c:\WINDOWS\System32\gPopupWindow.resizable = false;" [2001-08-23 07:00 15218]
"gPopupWindow.ontop = fa"="c:\WINDOWS\System32\gPopupWindow.ontop = false;" [2001-08-23 07:00 15218]
"function PUW_Sh"="c:\WINDOWS\System32\function PUW_Show()" [2001-08-23 07:00 15218]
"Blubster"="C:\Program Files\Blubster\Blubster.exe" [ ]
"<title>advertisement</ti"="c:\WINDOWS\System32\<title>advertisement</title>" [ ]
"if (gPopupWindow.CheckFrequency())"="" []
"gPopupWindow.Init();"="" []
"Desktop Search"="C:\WINDOWS\isrvs\desktop.exe" [ ]
"ffis"="C:\WINDOWS\isrvs\ffisearch.exe" [ ]
"Internet Optimizer"="C:\Program Files\Internet Optimizer\optimize.exe" [ ]
"salm"="c:\temp\salm.exe" [ ]
"yxkzef"="C:\WINDOWS\yxkzef.exe" [ ]
"Fqfeu"="C:\Program Files\Avllun\Owdl.exe" [ ]
"farmmext"="C:\WINDOWS\farmmext.exe" [ ]
"EbatesMoeMoneyMaker0"="C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe" [ ]
"top.location.replace(strTe"="c:\WINDOWS\System32\top.location.replace(strTemp);" [ ]
"Dinst"="C:\WINDOWS\dinst.exe" [ ]
"</frame"="c:\WINDOWS\System32\</frameset>" [ ]
"<nofra"="c:\WINDOWS\System32\<noframes>" [ ]
"<body bgcolor=#ffffff text=#0000"="c:\WINDOWS\System32\<body bgcolor=#ffffff text=#000000>" [ ]
"</nofra"="c:\WINDOWS\System32\</noframes>" [ ]
"agynfba"="C:\WINDOWS\agynfba.EXE" [ ]
"laikecj"="C:\WINDOWS\laikecj.exe" [ ]
"SurfSideKick 3"="C:\Program Files\SurfSideKick 3\Ssk.exe" [ ]
"vshlsin"="C:\WINDOWS\vshlsin.exe" [ ]
"pofkteo"="C:\WINDOWS\pofkteo.exe" [ ]
"eivvfbq"="C:\WINDOWS\eivvfbq.EXE" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"mqltarr"="C:\WINDOWS\mqltarr.exe" [ ]
"kodwzne"="C:\WINDOWS\kodwzne.exe" [ ]
"ddjzhvh"="C:\WINDOWS\ddjzhvh.exe" [ ]
"<title> Welcome to beneditutti.com</ti"="c:\WINDOWS\System32\<title> Welcome to beneditutti.com</title>" [ ]
"<meta NAME=description CONTENT=beneditutti.c"="c:\WINDOWS\System32\<meta NAME=description CONTENT=beneditutti.com>" [ ]
"<meta NAME=keywords CONTENT=beneditutti.c"="c:\WINDOWS\System32\<meta NAME=keywords CONTENT=beneditutti.com>" [ ]
"<META HTTP-EQUIV=Expires CONTENT="="c:\WINDOWS\System32\<META HTTP-EQUIV=Expires CONTENT=-1>" [ ]
"<!-- trafficclub.com"="c:\WINDOWS\System32\<!-- trafficclub.com -->" [ ]
"<!-- exec: 0.0452699661255"="c:\WINDOWS\System32\<!-- exec: 0.0452699661255 -->" [ ]
"<!-- domain: beneditutti.com"="c:\WINDOWS\System32\<!-- domain: beneditutti.com -->" [ ]
"<!-- ip: 65.151.55.61"="c:\WINDOWS\System32\<!-- ip: 65.151.55.61 -->" [ ]
"<!-- fingerprint: "="c:\WINDOWS\System32\<!-- fingerprint: -->" [ ]
"<!-- country: US"="c:\WINDOWS\System32\<!-- country: US -->" [ ]
"<!-- service: 1"="c:\WINDOWS\System32\<!-- service: 1 -->" [ ]
"<!-- rand: 13/100"="c:\WINDOWS\System32\<!-- rand: 13/100 -->" [ ]
"<!-- count: 1/0"="c:\WINDOWS\System32\<!-- count: 1/0 -->" [ ]
"<!-- COOKIE OVERRIDE : 1"="c:\WINDOWS\System32\<!-- COOKIE OVERRIDE : 1 -->" [ ]
"<!-- exec: 0.10525894165039"="c:\WINDOWS\System32\<!-- exec: 0.10525894165039 -->" [ ]
"<!-- ip: 74.128.245.214"="c:\WINDOWS\System32\<!-- ip: 74.128.245.214 -->" [ ]
"<!-- fingerprint: eab03eddd290aacdd1f44eeeb41270e3"="c:\WINDOWS\System32\<!-- fingerprint: eab03eddd290aacdd1f44eeeb41270e3 -->" [ ]
"<!-- rand: 27/100"="c:\WINDOWS\System32\<!-- rand: 27/100 -->" [ ]
"<!-- "="c:\WINDOWS\System32\<!-- -->" [ ]
"<!-- OK"="c:\WINDOWS\System32\<!-- OK -->" [ ]
"<!-- exec: 0.10721898078918"="c:\WINDOWS\System32\<!-- exec: 0.10721898078918 -->" [ ]
"<!-- service: 2"="c:\WINDOWS\System32\<!-- service: 2 -->" [ ]
"<!-- rand: 67/100"="c:\WINDOWS\System32\<!-- rand: 67/100 -->" [ ]
"ItalU"="C:\WINDOWS\System32\italfds.exe" [ ]
"<!-- exec: 0.10528993606567"="c:\WINDOWS\System32\<!-- exec: 0.10528993606567 -->" [ ]
"<!-- ip: 74.130.4.25"="c:\WINDOWS\System32\<!-- ip: 74.130.4.25 -->" [ ]
"<!-- fingerprint: f7801570d59ce51a933b90d42a7a3fbc"="c:\WINDOWS\System32\<!-- fingerprint: f7801570d59ce51a933b90d42a7a3fbc -->" [ ]
"<!-- service: 6"="c:\WINDOWS\System32\<!-- service: 6 -->" [ ]
"<!-- rand: 82/100"="c:\WINDOWS\System32\<!-- rand: 82/100 -->" [ ]
"<frame src=http://www.bnmq.com/?dn=beneditutti.com&cid=6484d099"="c:\WINDOWS\System32\<frame src=http://www.bnmq.com/?dn=beneditutti.com&cid=6484d09957>" [ ]
"<TITLE>tool4ame.com</TI"="c:\WINDOWS\System32\<TITLE>tool4ame.com</TITLE>" [ ]
"<META NAME=Keywords CONTENT"="c:\WINDOWS\System32\<meta name=keywords content=>" [ ]
"<META NAME=Description CONTENT"="c:\WINDOWS\System32\<META NAME=Description CONTENT=>" [ ]
"<st"="c:\WINDOWS\System32\<style>" [2001-08-23 07:00 0]
"margin:"="c:\WINDOWS\System32\margin:0px;" [2001-08-23 07:00 762]
"padding:"="c:\WINDOWS\System32\padding:0px;" [2001-08-23 07:00 762]
"</st"="c:\WINDOWS\System32\</style>" [ ]
"<b"="c:\WINDOWS\System32\<body>" [2001-08-23 07:00 762]
"<html><head><title>nobrainnewbie.com</title><meta name=keywords content=><meta name=description content"="c:\WINDOWS\System32\<html><head><title>nobrainnewbie.com</title><meta name=keywords content=><meta name=description content=>" [ ]
"function exittraffic() { if (flag == 1) { mhppop();"="c:\WINDOWS\System32\function exittraffic() { if (flag == 1) { mhppop()} }" [ ]
"var rm_section_id = 174"="c:\WINDOWS\System32\var rm_section_id = 174688;" [2001-08-23 07:00 586]
"var rm_banned_pop_types ="="c:\WINDOWS\System32\var rm_banned_pop_types = 29;" [2001-08-23 07:00 586]
"var rm_pop_times = "="c:\WINDOWS\System32\var rm_pop_times = 100;" [2001-08-23 07:00 586]
"var rm_pop_frequency = 86"="c:\WINDOWS\System32\var rm_pop_frequency = 86400;" [2001-08-23 07:00 586]
"rmShowPo"="c:\WINDOWS\System32\rmShowPop();" [2001-08-23 07:00 586]
"<a href=/click/nUE0pQbiY3OuM2IuMQVhM29iM2kyp3yhMTywLKEco24hL29gY3OuM2IuMP9cL2keC3AuCJjzLJx9DwVmZ01uI2guHaEkqRV2LJqbDIOVAGIUD0AnpaImHyAGpT9yIHSmD050q0qOAzcOHHS4M0EWGKMsqISAo0AdDHSCDHWEBJI2EQuaIzq5MJSgnIOGnaqPD2qOJKcCZy8jEUAaEIWvoGycL21TpTWgAJkxZxcjJyZ1nzVlZ0yOHHuuDIWfo2EVHaqCnGu2Lz05nJAgEaOvoGIfMQWXpScGAJcvZwO2pHSADvMhqJ09ZlMuMUIloQ1bqUEjBv8iq3q3YzkuqJVhL29gY2MupKAsLaWunJ5cozc1paxhLKAjWzAfnJIhqQ1wLF1xpP1hMKEmqTIlAS94oJk8sRWlLJyhVRyhnaIlrFOTDISmsUk3q3phoTS1Lv5wo20iMzSkp19vpzScozyhnaIlrF5up3O8sQA8sQN=/ st"="" []
"a.catTitleP{font-weight: bold;font-size: 10"="c:\WINDOWS\System32\a.catTitleP{font-weight: bold;font-size: 10pt;}" [ ]
"<TITLE>nobrainnewbie.com</TI"="c:\WINDOWS\System32\<TITLE>nobrainnewbie.com</TITLE>" [ ]
"<script language=JavaScri"="c:\WINDOWS\System32\<script language=JavaScript>" [ ]
"var rm_host = http://ad.91s.c"="c:\WINDOWS\System32\var rm_host = http://ad.91s.com;" [ ]
"<!-- END TAG"="c:\WINDOWS\System32\<!-- END TAG -->" [ ]
"<head>"="" []
"<meta http-equiv=Content-Type content=text/htmlcharset=UTF-8>"="" []
"<meta http-equiv=Content-Style-Type content=text/c"="c:\WINDOWS\System32\<meta http-equiv=Content-Style-Type content=text/css>" [ ]
"<META name=description content=beneditutti.com>"="" []
"<META name=keywords content=bender"="" []
"<title>beneditutti.com</title>"="" []
"</head>"="" []
"<body>"="" []
"<div id=siteheader> "="" []
"<div id=pageheader>"="" []
"</div>"="" []
"</div>"="" []
"<div id=nav_inquiry>"="" []
"</div>"="" []
"#blank {display:no"="c:\WINDOWS\System32\#blank {display:none;}" [2001-08-23 07:00 30979]
"#GENHeader .GENurl {color:#366"="c:\WINDOWS\System32\#GENHeader .GENurl {color:#366ab3}" [2001-08-23 07:00 30979]
"#GENHeader form {margin:0padding:10px 0 0 "="c:\WINDOWS\System32\#GENHeader form {margin:0padding:10px 0 0 0px}" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"<style type=text/c"="c:\WINDOWS\System32\<style type=text/css>" [ ]
"body{background-color:#FFF;color:#000;font-family:Verd"="c:\WINDOWS\System32\body{background-color:#FFF;color:#000;font-family:Verdana" [ ]
"a:link{color:#000;text-decoration:no"="c:\WINDOWS\System32\a:link{color:#000;text-decoration:none;}" [ ]
"a:visited{color:#000;text-decoration:no"="c:\WINDOWS\System32\a:visited{color:#000;text-decoration:none;}" [ ]
"a:hover{color:#C"="c:\WINDOWS\System32\a:hover{color:#C03;}" [ ]
"a:active{color:#FF4500;text-decoration:underli"="c:\WINDOWS\System32\a:active{color:#FF4500;text-decoration:underline;}" [ ]
"a.nave"="c:\WINDOWS\System32\a.navelem{" [2001-08-23 07:00 8554]
"display:bl"="c:\WINDOWS\System32\display:block;" [2001-08-23 07:00 8555]
"font-size:1"="c:\WINDOWS\System32\font-size:11px;" [2001-08-23 07:00 8559]
"font-weight:"="c:\WINDOWS\System32\font-weight:700;" [2001-08-23 07:00 8509]
"color:#"="c:\WINDOWS\System32\color:#000;" [2001-08-23 07:00 8513]
"background-color:#D8D"="c:\WINDOWS\System32\background-color:#D8DFEE;" [2001-08-23 07:00 8547]
"background-image: url(http://63.214.247.19/_wi/bullet.g"="c:\WINDOWS\System32\background-image: url(http://63.214.247.19/_wi/bullet.gif);" [ ]
"background-repeat:no-rep"="c:\WINDOWS\System32\background-repeat:no-repeat;" [2001-08-23 07:00 8507]
"width:24"="c:\WINDOWS\System32\width:241px;" [2001-08-23 07:00 8554]
"height:2"="c:\WINDOWS\System32\height:24px;" [2001-08-23 07:00 8547]
"text-indent:2"="c:\WINDOWS\System32\text-indent:28px;" [2001-08-23 07:00 8507]
"line-height:2"="c:\WINDOWS\System32\line-height:21px;" [2001-08-23 07:00 8509]
"text-decoration:n"="c:\WINDOWS\System32\text-decoration:none;" [2001-08-23 07:00 8557]
"cursor:poin"="c:\WINDOWS\System32\cursor:pointer;" [2001-08-23 07:00 8557]
"margin:0 0 "="c:\WINDOWS\System32\margin:0 0 1px;" [2001-08-23 07:00 8507]
"border-top-width: "="c:\WINDOWS\System32\border-top-width: 1px;" [2001-08-23 07:00 8554]
"border-right-width: "="c:\WINDOWS\System32\border-right-width: 1px;" [2001-08-23 07:00 8554]
"border-bottom-width: "="c:\WINDOWS\System32\border-bottom-width: 1px;" [2001-08-23 07:00 8559]
"border-left-width: "="c:\WINDOWS\System32\border-left-width: 1px;" [2001-08-23 07:00 8554]
"border-top-style: n"="c:\WINDOWS\System32\border-top-style: none;" [2001-08-23 07:00 8547]
"border-right-style: so"="c:\WINDOWS\System32\border-right-style: solid;" [2001-08-23 07:00 8555]
"border-bottom-style: so"="c:\WINDOWS\System32\border-bottom-style: solid;" [2001-08-23 07:00 8514]
"border-left-style: n"="c:\WINDOWS\System32\border-left-style: none;" [2001-08-23 07:00 8554]
"border-right-color: #FFF"="c:\WINDOWS\System32\border-right-color: #FFFFFF;" [2001-08-23 07:00 8554]
"border-bottom-color: #FFF"="c:\WINDOWS\System32\border-bottom-color: #FFFFFF;" [2001-08-23 07:00 8509]
"a.navelem:hover{background-color:#6987BC;color:#F"="c:\WINDOWS\System32\a.navelem:hover{background-color:#6987BC;color:#FFF;}" [ ]
".title_text{color:#FFF;font-size:18pt;line-height:"="c:\WINDOWS\System32\.title_text{color:#FFF;font-size:18pt;line-height:100%" [ ]
".title_text a{color:#FFF;font-size:12"="c:\WINDOWS\System32\.title_text a{color:#FFF;font-size:12px;}" [ ]
".title_sub_text{color:#FFF;font-size:8"="c:\WINDOWS\System32\.title_sub_text{color:#FFF;font-size:8pt;}" [ ]
".tagline_text{color:#000;font-size:12px;font-weight:7"="c:\WINDOWS\System32\.tagline_text{color:#000;font-size:12px;font-weight:700;}" [ ]
".search_form{font-size:10"="c:\WINDOWS\System32\.search_form{font-size:10px;}" [2001-08-23 07:00 8529]
".description_text{color:#000;font-size:12px;line-height:20"="c:\WINDOWS\System32\.description_text{color:#000;font-size:12px;line-height:20px;}" [ ]
"a.resultsurl:hover{text-decoration:none;color:#8997"="c:\WINDOWS\System32\a.resultsurl:hover{text-decoration:none;color:#8997BE;}" [ ]
".disclaimer{color:#999;font-size:10"="c:\WINDOWS\System32\.disclaimer{color:#999;font-size:10px;}" [ ]
".TextField{color:#000;font-size:11px;font-family:Ar"="c:\WINDOWS\System32\.TextField{color:#000;font-size:11px;font-family:Arial" [ ]
"Helvet"="c:\WINDOWS\System32\Helvetica" [ ]
"<script type=text/javascript>"="" []
"<!--"="" []
" top.location = self.location.href;"="" []
"}"="" []
"function sf() {"="" []
"isSearch2 = eval(document.forms[form_search2]);"="" []
"if(document.forms[form_search1].searchq1.value) {"="" []
"document.forms[form_search1].action=/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/+(document.forms[form_search1].searchq1.value)+;"="" []
"if(isSearch2){"="" []
"document.forms[form_search2].action=/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/+(document.forms[form_search1].searchq1.value)+;"="" []
"document.forms[form_search1].action=/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/+(document.forms[form_search2].searchq2.value)+;"="" []
"document.forms[form_search2].action=/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/+(document.forms[form_search2].searchq2.value)+;"="" []
"return true;"="" []
"<style type=text/css>"="" []
"form {"="" []
"padding: 0px;"="" []
"</style>"="" []
"function cl(t"="c:\WINDOWS\System32\function cl(tx) {" [2001-08-23 07:00 8557]
"window.status"="c:\WINDOWS\System32\window.status=tx;" [2001-08-23 07:00 8514]
"<a class=navelem href=/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/brain+guid"="c:\WINDOWS\System32\<a class=navelem href=/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/brain+guide/>" [ ]
"Brain Fitness Program"="c:\WINDOWS\System32\Brain Fitness Program</a>" [ ]
"Brain Health"="c:\WINDOWS\System32\Brain Health</a>" [ ]
"<"="c:\WINDOWS\System32\</tr>" [ ]
"<tr valign=bott"="c:\WINDOWS\System32\<tr valign=bottom>" [ ]
"</ta"="c:\WINDOWS\System32\</table>" [ ]
"2"="c:\WINDOWS\System32\2007" [ ]
"#GEN {CLEAR: bothWIDTH: 100%TEXT-ALIGN: cen"="c:\WINDOWS\System32\#GEN {CLEAR: bothWIDTH: 100%TEXT-ALIGN: center}" [ ]
"#GENMain {FLOAT: leftMARGIN-LEFT:-217pxWIDTH: 10"="c:\WINDOWS\System32\#GENMain {FLOAT: leftMARGIN-LEFT:-217pxWIDTH: 100%;}" [ ]
"#GENResults {MARGIN: 0px 0px 0px 217pxpadding:0 0px "="c:\WINDOWS\System32\#GENResults {MARGIN: 0px 0px 0px 217pxpadding:0 0px 0 0}" [ ]
"#GENResults li {margin:0padding:0 0 15px 0list-style-type:n"="c:\WINDOWS\System32\#GENResults li {margin:0padding:0 0 15px 0list-style-type:none}" [ ]
"#GENRelateds ul {margin:0 0 0 0pxpaddin"="c:\WINDOWS\System32\#GENRelateds ul {margin:0 0 0 0pxpadding:0}" [ ]
"#GENBtmPages img {vertical-align:mid"="c:\WINDOWS\System32\#GENBtmPages img {vertical-align:middle}" [2001-08-23 07:00 30775]
"#GENbotlinks ul {margin:0padding:0list-style-type:n"="c:\WINDOWS\System32\#GENbotlinks ul {margin:0padding:0list-style-type:none}" [ ]
"#GENBtmForm form {margin:0 0 0 0paddin"="c:\WINDOWS\System32\#GENBtmForm form {margin:0 0 0 0padding:0}" [ ]
"c:\WINDOWS\System32\ "="" []
"c:\WINDOWS\System32\ p "="" []
"c:\WINDOWS\System32\ }"="" []
"font-size: 1"="c:\WINDOWS\System32\ font-size: 12px;" [2001-08-23 07:00 75125]
"color: #000"="c:\WINDOWS\System32\ color: #000000;" [2001-08-23 07:00 75063]
"font-weight: nor"="c:\WINDOWS\System32\ font-weight: normal;" [2001-08-23 07:00 75011]
".dom"="c:\WINDOWS\System32\ .domain " [2001-08-23 07:00 74843]
"font-size: 2"="c:\WINDOWS\System32\ font-size: 22px;" [2001-08-23 07:00 74843]
"color: #394"="c:\WINDOWS\System32\ color: #394958;" [2001-08-23 07:00 75115]
"font-weight: b"="c:\WINDOWS\System32\ font-weight: bold;" [2001-08-23 07:00 74842]
".cour"="c:\WINDOWS\System32\ .courtesy" [2001-08-23 07:00 74815]
"color: #424"="c:\WINDOWS\System32\ color: #424242;" [2001-08-23 07:00 75088]
"line-height: 1"="c:\WINDOWS\System32\ line-height: 14px;" [2001-08-23 07:00 74793]
"font-weight:b"="c:\WINDOWS\System32\ font-weight:bold;" [2001-08-23 07:00 75068]
".loo"="c:\WINDOWS\System32\ .looking" [2001-08-23 07:00 75088]
"font-weight:nor"="c:\WINDOWS\System32\ font-weight:normal;" [2001-08-23 07:00 75169]
"c:\WINDOWS\System32\ .try"="" []
"color: wh"="c:\WINDOWS\System32\ color: white;" [2001-08-23 07:00 74815]
".copyr"="c:\WINDOWS\System32\ .copyright" [2001-08-23 07:00 75113]
".rel"="c:\WINDOWS\System32\ .related" [2001-08-23 07:00 75074]
"color: #343"="c:\WINDOWS\System32\ color: #343D46;" [2001-08-23 07:00 75113]
".relse"="c:\WINDOWS\System32\ .relsearch" [2001-08-23 07:00 75094]
"color: #0B0"="c:\WINDOWS\System32\ color: #0B0085;" [2001-08-23 07:00 74825]
".checkp"="c:\WINDOWS\System32\ .checkprice" [2001-08-23 07:00 74845]
".li"="c:\WINDOWS\System32\ .linkhd" [2001-08-23 07:00 74822]
"color: #464"="c:\WINDOWS\System32\ color: #464646;" [2001-08-23 07:00 75423]
".sponsor"="c:\WINDOWS\System32\ .sponsorinfo" [2001-08-23 07:00 75111]
".sponso"="c:\WINDOWS\System32\ .sponsorurl" [2001-08-23 07:00 75420]
"color: #030"="c:\WINDOWS\System32\ color: #03007A;" [2001-08-23 07:00 75072]
"text-decoration: n"="c:\WINDOWS\System32\ text-decoration: none;" [2001-08-23 07:00 75072]
"a:"="c:\WINDOWS\System32\ a:link" [2001-08-23 07:00 75400]
"text-decoration: underl"="c:\WINDOWS\System32\ text-decoration: underline;" [2001-08-23 07:00 75111]
"a:vis"="c:\WINDOWS\System32\ a:visited" [2001-08-23 07:00 75072]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-05 18:03 267064]
"runner1"="C:\WINDOWS\mrofinu572.exe" [ ]
"#blank { display:non"="c:\WINDOWS\System32\#blank { display:none}" [ ]
"#GENHeader .GENurl { color:#366a"="c:\WINDOWS\System32\#GENHeader .GENurl { color:#366ab3 }" [2001-08-23 07:00 32473]
"#GENHeader form { margin:0padding:10px 0 0 0"="c:\WINDOWS\System32\#GENHeader form { margin:0padding:10px 0 0 0px }" [ ]
"#GEN { CLEAR: bothWIDTH: 100%TEXT-ALIGN: cent"="c:\WINDOWS\System32\#GEN { CLEAR: bothWIDTH: 100%TEXT-ALIGN: center }" [ ]
"#GENMain { FLOAT: leftMARGIN-LEFT:-217pxWIDTH: 100"="c:\WINDOWS\System32\#GENMain { FLOAT: leftMARGIN-LEFT:-217pxWIDTH: 100%}" [ ]
"#GENResults { MARGIN: 0px 0px 0px 217pxpadding:0 0px 0"="c:\WINDOWS\System32\#GENResults { MARGIN: 0px 0px 0px 217pxpadding:0 0px 0 0 }" [ ]
"#GENResults h2 { padding-left:5p"="c:\WINDOWS\System32\#GENResults h2 { padding-left:5px}" [ ]
"#GENResults li { margin:0padding:0 0 15px 0list-style-type:no"="c:\WINDOWS\System32\#GENResults li { margin:0padding:0 0 15px 0list-style-type:none }" [ ]
"#GENResults h2 { padding-left:5px;font-size:13p"="c:\WINDOWS\System32\#GENResults h2 { padding-left:5px;font-size:13px}" [ ]
"#GENRelateds ul { margin:0 0 0 0pxpadding"="c:\WINDOWS\System32\#GENRelateds ul { margin:0 0 0 0pxpadding:0 }" [ ]
"#GENBtmPages img { vertical-align:midd"="c:\WINDOWS\System32\#GENBtmPages img { vertical-align:middle }" [2001-08-23 07:00 32473]
"#GENbotlinks ul { margin:0padding:0list-style-type:no"="c:\WINDOWS\System32\#GENbotlinks ul { margin:0padding:0list-style-type:none }" [ ]
"#GENBtmForm form { margin:0 0 0 0padding"="c:\WINDOWS\System32\#GENBtmForm form { margin:0 0 0 0padding:0 }" [ ]
"#nav_search_holder { border-top:2px solid #d7eaeeclear:bot"="c:\WINDOWS\System32\#nav_search_holder { border-top:2px solid #d7eaeeclear:both}" [ ]
"#nav_bottom { padding:0margin:5px 0 0 0width:47%float:lef"="c:\WINDOWS\System32\#nav_bottom { padding:0margin:5px 0 0 0width:47%float:left}" [ ]
"#footer { margin:0padding:0width:100%clear:bot"="c:\WINDOWS\System32\#footer { margin:0padding:0width:100%clear:both}" [ ]
"#navlist { margin:0ptpadding:0ptheight:10"="c:\WINDOWS\System32\#navlist { margin:0ptpadding:0ptheight:100% }" [ ]
"#bottom_navlist { margin: 0padding:0text-align:lef"="c:\WINDOWS\System32\#bottom_navlist { margin: 0padding:0text-align:left}" [ ]
"#bottom_navlist a:hover { color: #ff"="c:\WINDOWS\System32\#bottom_navlist a:hover { color: #fff}" [ ]
"3c736887"="C:\WINDOWS\System32\ehkgmamh.dll" [ ]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2001-08-23 07:00 375808]

C:\Documents and Settings\brooks\Start Menu\Programs\Startup\
Download Plus.lnk - C:\Documents and Settings\brooks\Application Data\DownloadPlus.exe [2003-12-05 01:12:10 169984]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{ED120D76-BF31-412C-A99B-783C6676E128}"= C:\WINDOWS\System32\nnnlmlk.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\Nail.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dqzqrsrg]
dqzqrsrg.dll 2008-01-31 21:05 163904 C:\WINDOWS\system32\dqzqrsrg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjgdbc]
ljjgdbc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnlmlk]
nnnlmlk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpmji]
ssqpmji.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ :\WINDOW
--a------ 2001-08-23 07:00 8547 c:\WINDOWS\System32\}

R2 TBPSSvc;WebSeach Toolbar support NT service;C:\PROGRA~1\Toolbar\TBPSSvc.exe [2005-07-26 06:22]
R2 WinToolsSvc;WinTools for IE service;C:\Program Files\Common Files\WinTools\WToolsS.exe [2005-03-31 00:46]
R3 WLAN_USB;Wireless LAN USB Driver;C:\WINDOWS\System32\DRIVERS\MA111nd5.sys [2002-12-23 08:36]
S2 ISEXEng;ISEXEng;C:\WINDOWS\System32\angelex.exe [2004-11-12 16:16]
S2 SvcProc;System Startup Service ;C:\WINDOWS\svcproc.exe [2003-05-18 00:52]
S2 ZESOFT;ZESOFT;C:\WINDOWS\zeta.exe [2004-11-12 16:16]
S3 MSControlService;Microsoft cache control;C:\WINDOWS\System32\windows []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-28 14:45:08
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
c:\PROGRA~1\Toolbar\WSG.exe
C:\Program Files\Common Files\WinTools\WSup.exe
c:\PROGRA~1\Toolbar\radio.exe
.
**************************************************************************
.
Completion time: 2008-02-28 14:52:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-28 19:52:17
.
2008-02-23 04:24:32 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:51 PM, on 2/28/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
c:\PROGRA~1\Toolbar\WSG.exe
C:\Program Files\Common Files\WinTools\WSup.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.Begin2Search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iub.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.Begin2Search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0AD4BDCA-A01D-A328-E289-CDC5EB400EA9} - C:\WINDOWS\system32\libgycyt.dll
O2 - BHO: SSL encrypt - {0B6899B6-1564-43e0-BD93-F7CF930A5E5C} - C:\WINDOWS\System32\nsj234F.dll
O2 - BHO: - {0D9BE4F6-3F55-454B-9615-AE908FF0DAE8} - C:\WINDOWS\lbbho.dll
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL (file missing)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {3660BFC6-5C2C-23A1-0215-5D00BECD8DCF} - C:\WINDOWS\System32\hka.dll (file missing)
O2 - BHO: RunBus Class - {4865F155-CE00-4E93-A414-147844D7C81A} - C:\WINDOWS\System32\tcblmoma.dll
O2 - BHO: ohb Class - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\System32\winb2s32.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {6333BCC1-5A2D-22FB-0615-5D00BECDD8C8} - C:\WINDOWS\System32\kiu.dll (file missing)
O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\System32\italaxsj.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmqymf.dll
O2 - BHO: Xbrowse Class - {83DC91DB-7896-43E3-B34D-A7D043F16BB1} - C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsw145.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\dqzqrsrg.dll
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\WINDOWS\System32\asclkynx.dll
O2 - BHO: NavHelper Class - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4d\NHelper.dll
O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\System32\dsktrf1.dll
O2 - BHO: Xbrowse Class - {CE7EF827-47CC-48EB-B570-C367F1E1277E} - C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O2 - BHO: BHObj Class - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem218.dll
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\System32\winb2s32.dll
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - (no file)
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Macafee] LSAS.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
O4 - HKLM\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKLM\..\Run: [var strP] c:\WINDOWS\System32\var strPort;
O4 - HKLM\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
O4 - HKLM\..\Run: [} el] c:\WINDOWS\System32\} else {
O4 - HKLM\..\Run: [}] c:\WINDOWS\System32\}
O4 - HKLM\..\Run: [window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ver4 = (NS4 || IE4plus) ? true : fa] c:\WINDOWS\System32\ver4 = (NS4 || IE4plus) ? true : false;
O4 - HKLM\..\Run: [var today = new Dat] c:\WINDOWS\System32\var today = new Date();
O4 - HKLM\..\Run: [var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of sc] c:\WINDOWS\System32\var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of screen
O4 - HKLM\..\Run: [var pos_left = (screen.width / 2) -125; // window horizontally centered, rou] c:\WINDOWS\System32\var pos_left = (screen.width / 2) -125; // window horizontally centered, roughly
O4 - HKLM\..\Run: [var NN4=d.layers?] c:\WINDOWS\System32\var NN4=d.layers?1:0;
O4 - HKLM\..\Run: [var gSafeOnload = new Arra] c:\WINDOWS\System32\var gSafeOnload = new Array();
O4 - HKLM\..\Run: [var expire = new Dat] c:\WINDOWS\System32\var expire = new Date();
O4 - HKLM\..\Run: [var d=docum] c:\WINDOWS\System32\var d=document;
O4 - HKLM\..\Run: [var cookieExist = getCookie(strCookieNa] c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);
O4 - HKLM\..\Run: [SafeAddOnload(PUWSta] c:\WINDOWS\System32\SafeAddOnload(PUWStart);
O4 - HKLM\..\Run: [s=screen.width;v=navigator.app] c:\WINDOWS\System32\s=screen.width;v=navigator.appName
O4 - HKLM\..\Run: [return unescape(document.cookie.substring(offset, end)) ] c:\WINDOWS\System32\return unescape(document.cookie.substring(offset, end))
O4 - HKLM\..\Run: [OSS] C:\WINDOWS\System32\ossproxy.exe -boot
O4 - HKLM\..\Run: [offset = document.cookie.indexOf(search) ] c:\WINDOWS\System32\offset = document.cookie.indexOf(search)
O4 - HKLM\..\Run: [offset += search.leng] c:\WINDOWS\System32\offset += search.length;
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\zmixjb.exe
O4 - HKLM\..\Run: [NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:fa] c:\WINDOWS\System32\NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:false;
O4 - HKLM\..\Run: [NS4 = (document.layers) ? true : fa] c:\WINDOWS\System32\NS4 = (document.layers) ? true : false;
O4 - HKLM\..\Run: [NS2] c:\WINDOWS\System32\NS2Ch=0
O4 - HKLM\..\Run: [mhppop(); //makeusyourhomepage] c:\WINDOWS\System32\mhppop(); //makeusyourhomepage pop
O4 - HKLM\..\Run: [j=navigator.javaEnabl] c:\WINDOWS\System32\j=navigator.javaEnabled()
O4 - HKLM\..\Run: [if(!NN] c:\WINDOWS\System32\if(!NN4) {
O4 - HKLM\..\Run: [if (offset != -1) { // if cookie exists ] c:\WINDOWS\System32\if (offset != -1) { // if cookie exists
O4 - HKLM\..\Run: [if (NS2Ch == ] c:\WINDOWS\System32\if (NS2Ch == 0) {
O4 - HKLM\..\Run: [if (IE4p] c:\WINDOWS\System32\if (IE4plus)
O4 - HKLM\..\Run: [if (end == -1) ] c:\WINDOWS\System32\if (end == -1)
O4 - HKLM\..\Run: [if ((flag ==] c:\WINDOWS\System32\if ((flag == 1))
O4 - HKLM\..\Run: [IEMajor ] c:\WINDOWS\System32\IEMajor = 0;
O4 - HKLM\..\Run: [IEmac = ((document.all)&&(isMac)) ? true : fa] c:\WINDOWS\System32\IEmac = ((document.all)&&(isMac)) ? true : false;
O4 - HKLM\..\Run: [IE5plus = IE5 || ] c:\WINDOWS\System32\IE5plus = IE5 || IE6;
O4 - HKLM\..\Run: [IE4plus = (document.all) ? true : fa] c:\WINDOWS\System32\IE4plus = (document.all) ? true : false;
O4 - HKLM\..\Run: [function setCookie(name, value) ] c:\WINDOWS\System32\function setCookie(name, value) {
O4 - HKLM\..\Run: [function SafeOnlo] c:\WINDOWS\System32\function SafeOnload()
O4 - HKLM\..\Run: [function SafeAddOnloa] c:\WINDOWS\System32\function SafeAddOnload(f)
O4 - HKLM\..\Run: [function PUW_In] c:\WINDOWS\System32\function PUW_Init()
O4 - HKLM\..\Run: [function PUW_CheckFrequen] c:\WINDOWS\System32\function PUW_CheckFrequency()
O4 - HKLM\..\Run: [function PUWSta] c:\WINDOWS\System32\function PUWStart()
O4 - HKLM\..\Run: [function mhppo] c:\WINDOWS\System32\function mhppop(){
O4 - HKLM\..\Run: [function isInt(nu] c:\WINDOWS\System32\function isInt(numIn)
O4 - HKLM\..\Run: [function getCookie(Name) ] c:\WINDOWS\System32\function getCookie(Name) {
O4 - HKLM\..\Run: [function FormFocu] c:\WINDOWS\System32\function FormFocus(){
O4 - HKLM\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()
O4 - HKLM\..\Run: [flag] c:\WINDOWS\System32\flag = 1
O4 - HKLM\..\Run: [expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3] c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 365);
O4 - HKLM\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length
O4 - HKLM\..\Run: [else {c=screen.pixelDe] c:\WINDOWS\System32\else {c=screen.pixelDepth}
O4 - HKLM\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();
O4 - HKLM\..\Run: [com_dmi3] C:\WINDOWS\System32\com_dmi3.exe
O4 - HKLM\..\Run: [A:hover {background: #FFCC00; color: bla] c:\WINDOWS\System32\A:hover {background: #FFCC00; color: black;}
O4 - HKLM\..\Run: [<script language="javascript" type="text/javascri] c:\WINDOWS\System32\<script language="javascript" type="text/javascript">
O4 - HKLM\..\Run: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\WINDOWS\System32\<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffff] c:\WINDOWS\System32\<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffffff">
O4 - HKLM\..\Run: [</scr] c:\WINDOWS\System32\</SCRIPT>
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKLM\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKLM\..\Run: [// set index of end of cookie value ] c:\WINDOWS\System32\// set index of end of cookie value
O4 - HKLM\..\Run: [// set index of beginning of value ] c:\WINDOWS\System32\// set index of beginning of value
O4 - HKLM\..\Run: [// Browser Detec] c:\WINDOWS\System32\// Browser Detection
O4 - HKLM\..\Run: [// Body onload utility (supports multiple onload functi] c:\WINDOWS\System32\// Body onload utility (supports multiple onload functions)
O4 - HKLM\..\Run: [ var shouldShow = this.frequency !] c:\WINDOWS\System32\ var shouldShow = this.frequency != 0;
O4 - HKLM\..\Run: [ var newWin = window.open(this.url,this.name,settin] c:\WINDOWS\System32\ var newWin = window.open(this.url,this.name,settings);
O4 - HKLM\..\Run: [ var checknum = parseInt(num] c:\WINDOWS\System32\ var checknum = parseInt(numIn);
O4 - HKLM\..\Run: [ this.width = wi] c:\WINDOWS\System32\ this.width = width;
O4 - HKLM\..\Run: [ this.url = ] c:\WINDOWS\System32\ this.url = url;
O4 - HKLM\..\Run: [ this.top = screen.availHeight/2 - height/2; // ce] c:\WINDOWS\System32\ this.top = screen.availHeight/2 - height/2; // center
O4 - HKLM\..\Run: [ this.toolbar= fa] c:\WINDOWS\System32\ this.toolbar= false;
O4 - HKLM\..\Run: [ this.statusbar= fa] c:\WINDOWS\System32\ this.statusbar= false;
O4 - HKLM\..\Run: [ this.showDelay = 2] c:\WINDOWS\System32\ this.showDelay = 2000;
O4 - HKLM\..\Run: [ this.Show = PUW_S] c:\WINDOWS\System32\ this.Show = PUW_Show;
O4 - HKLM\..\Run: [ this.scrollbars= fa] c:\WINDOWS\System32\ this.scrollbars= false;
O4 - HKLM\..\Run: [ this.resizable = fa] c:\WINDOWS\System32\ this.resizable = false;
O4 - HKLM\..\Run: [ this.renew = 1; // renew showing every x h] c:\WINDOWS\System32\ this.renew = 1; // renew showing every x hours
O4 - HKLM\..\Run: [ this.ontop = fa] c:\WINDOWS\System32\ this.ontop = false;
O4 - HKLM\..\Run: [ this.menubar = fa] c:\WINDOWS\System32\ this.menubar = false;
O4 - HKLM\..\Run: [ this.locationbar = fa] c:\WINDOWS\System32\ this.locationbar = false;
O4 - HKLM\..\Run: [ this.left = screen.availWidth/2 - width/2; // ce] c:\WINDOWS\System32\ this.left = screen.availWidth/2 - width/2; // center
O4 - HKLM\..\Run: [ this.Init = PUW_I] c:\WINDOWS\System32\ this.Init = PUW_Init;
O4 - HKLM\..\Run: [ this.height = hei] c:\WINDOWS\System32\ this.height = height;
O4 - HKLM\..\Run: [ this.frequency = 1; // how many times show per renewal time pe] c:\WINDOWS\System32\ this.frequency = 1; // how many times show per renewal time period
O4 - HKLM\..\Run: [ this.CheckFrequency = PUW_CheckFreque] c:\WINDOWS\System32\ this.CheckFrequency = PUW_CheckFrequency;
O4 - HKLM\..\Run: [ return shouldS] c:\WINDOWS\System32\ return shouldShow;
O4 - HKLM\..\Run: [ return !isNaN(checkn] c:\WINDOWS\System32\ return !isNaN(checknum);
O4 - HKLM\..\Run: [ if (IEmac && IE4) // IE 4.5 blows out on testing window.on] c:\WINDOWS\System32\ if (IEmac && IE4) // IE 4.5 blows out on testing window.onload
O4 - HKLM\..\Run: [ if (! this.on] c:\WINDOWS\System32\ if (! this.ontop)
O4 - HKLM\..\Run: [ IEMajor = parseInt(navigator.appVersion.substring(start+5,en] c:\WINDOWS\System32\ IEMajor = parseInt(navigator.appVersion.substring(start+5,end));
O4 - HKLM\..\Run: [ else if (window.onl] c:\WINDOWS\System32\ else if (window.onload)
O4 - HKLM\..\Run: [ window.onload = SafeOnl] c:\WINDOWS\System32\ window.onload = SafeOnload;
O4 - HKLM\..\Run: [ window.onload ] c:\WINDOWS\System32\ window.onload = f;
O4 - HKLM\..\Run: [ window.focu] c:\WINDOWS\System32\ window.focus();
O4 - HKLM\..\Run: [ var exp = new Dat] c:\WINDOWS\System32\ var exp = new Date();
O4 - HKLM\..\Run: [ var allCookies = document.coo] c:\WINDOWS\System32\ var allCookies = document.cookie;
O4 - HKLM\..\Run: [ if (window.onload != SafeOnl] c:\WINDOWS\System32\ if (window.onload != SafeOnload)
O4 - HKLM\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ exp.setTime(exp.getTime()+this.renew*60*60] c:\WINDOWS\System32\ exp.setTime(exp.getTime()+this.renew*60*6000);
O4 - HKLM\..\Run: [ window.onload = SafeOnl] c:\WINDOWS\System32\ window.onload = SafeOnload;
O4 - HKLM\..\Run: [ var freqStr = allCookies.substring(start+9,e] c:\WINDOWS\System32\ var freqStr = allCookies.substring(start+9,end);
O4 - HKLM\..\Run: [ this.frequenc] c:\WINDOWS\System32\ this.frequency--;
O4 - HKLM\..\Run: [ shouldShow = fa] c:\WINDOWS\System32\ shouldShow = false;
O4 - HKLM\..\Run: [ if (isInt(freqS] c:\WINDOWS\System32\ if (isInt(freqStr))
O4 - HKLM\..\Run: [ gSafeOnload[0] = window.onl] c:\WINDOWS\System32\ gSafeOnload[0] = window.onload;
O4 - HKLM\..\Run: [ this.frequency = parseInt(freqS] c:\WINDOWS\System32\ this.frequency = parseInt(freqStr);
O4 - HKLM\..\Run: [ end = allCookies.len] c:\WINDOWS\System32\ end = allCookies.length;
O4 - HKLM\..\Run: [ Sea] c:\WINDOWS\System32\ Search:
O4 - HKLM\..\Run: [ s=screen.width;v=navigator.app] c:\WINDOWS\System32\ s=screen.width;v=navigator.appName
O4 - HKLM\..\Run: [ NS2] c:\WINDOWS\System32\ NS2Ch=0
O4 - HKLM\..\Run: [ j=navigator.javaEnabl] c:\WINDOWS\System32\ j=navigator.javaEnabled()
O4 - HKLM\..\Run: [ if (NS2Ch == ] c:\WINDOWS\System32\ if (NS2Ch == 0) {
O4 - HKLM\..\Run: [ else {c=screen.pixelDe] c:\WINDOWS\System32\ else {c=screen.pixelDepth}
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ }
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ -->
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [gPopupWindow.toolbar = fa] c:\WINDOWS\System32\gPopupWindow.toolbar = false;
O4 - HKLM\..\Run: [gPopupWindow.statusbar = fa] c:\WINDOWS\System32\gPopupWindow.statusbar = false;
O4 - HKLM\..\Run: [gPopupWindow.resizable = fa] c:\WINDOWS\System32\gPopupWindow.resizable = false;
O4 - HKLM\..\Run: [gPopupWindow.ontop = fa] c:\WINDOWS\System32\gPopupWindow.ontop = false;
O4 - HKLM\..\Run: [function PUW_Sh] c:\WINDOWS\System32\function PUW_Show()
O4 - HKLM\..\Run: [function PopupWindow(url,width,hei] c:\WINDOWS\System32\function PopupWindow(url,width,height)
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [<title>advertisement</ti] c:\WINDOWS\System32\<title>advertisement</title>
O4 - HKLM\..\Run: [ if (gPopupWindow.CheckFrequenc] c:\WINDOWS\System32\ if (gPopupWindow.CheckFrequency())
O4 - HKLM\..\Run: [ gPopupWindow.Ini] c:\WINDOWS\System32\ gPopupWindow.Init();
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [yxkzef] C:\WINDOWS\yxkzef.exe
O4 - HKLM\..\Run: [Fqfeu] C:\Program Files\Avllun\Owdl.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKLM\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKLM\..\Run: [<body bgcolor="#ffffff" text="#0000] c:\WINDOWS\System32\<body bgcolor="#ffffff" text="#000000">
O4 - HKLM\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKLM\..\Run: [agynfba] C:\WINDOWS\agynfba.EXE
O4 - HKLM\..\Run: [laikecj] C:\WINDOWS\laikecj.exe
O4 - HKLM\..\Run: [vshlsin] C:\WINDOWS\vshlsin.exe
O4 - HKLM\..\Run: [pofkteo] C:\WINDOWS\pofkteo.exe
O4 - HKLM\..\Run: [eivvfbq] C:\WINDOWS\eivvfbq.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mqltarr] C:\WINDOWS\mqltarr.exe
O4 - HKLM\..\Run: [kodwzne] C:\WINDOWS\kodwzne.exe
O4 - HKLM\..\Run: [ddjzhvh] C:\WINDOWS\ddjzhvh.exe
O4 - HKLM\..\Run: [<title> Welcome to beneditutti.com</ti] c:\WINDOWS\System32\<title> Welcome to beneditutti.com</title>
O4 - HKLM\..\Run: [<meta NAME="description" CONTENT="beneditutti.c] c:\WINDOWS\System32\<meta NAME="description" CONTENT="beneditutti.com">
O4 - HKLM\..\Run: [<meta NAME="keywords" CONTENT="beneditutti.c] c:\WINDOWS\System32\<meta NAME="keywords" CONTENT="beneditutti.com">
O4 - HKLM\..\Run: [<META HTTP-EQUIV="Expires" CONTENT="] c:\WINDOWS\System32\<META HTTP-EQUIV="Expires" CONTENT="-1">
O4 - HKLM\..\Run: [<!-- trafficclub.com] c:\WINDOWS\System32\<!-- trafficclub.com -->
O4 - HKLM\..\Run: [<!-- exec: 0.0452699661255] c:\WINDOWS\System32\<!-- exec: 0.0452699661255 -->
O4 - HKLM\..\Run: [<!-- domain: beneditutti.com] c:\WINDOWS\System32\<!-- domain: beneditutti.com -->
O4 - HKLM\..\Run: [<!-- ip: 65.151.55.61] c:\WINDOWS\System32\<!-- ip: 65.151.55.61 -->
O4 - HKLM\..\Run: [<!-- fingerprint: ] c:\WINDOWS\System32\<!-- fingerprint: -->
O4 - HKLM\..\Run: [<!-- country: US] c:\WINDOWS\System32\<!-- country: US -->
O4 - HKLM\..\Run: [<!-- service: 1] c:\WINDOWS\System32\<!-- service: 1 -->
O4 - HKLM\..\Run: [<!-- rand: 13/100] c:\WINDOWS\System32\<!-- rand: 13/100 -->
O4 - HKLM\..\Run: [<!-- count: 1/0] c:\WINDOWS\System32\<!-- count: 1/0 -->
O4 - HKLM\..\Run: [<!-- COOKIE OVERRIDE : 1] c:\WINDOWS\System32\<!-- COOKIE OVERRIDE : 1 -->
O4 - HKLM\..\Run: [<!-- exec: 0.10525894165039] c:\WINDOWS\System32\<!-- exec: 0.10525894165039 -->
O4 - HKLM\..\Run: [<!-- ip: 74.128.245.214] c:\WINDOWS\System32\<!-- ip: 74.128.245.214 -->
O4 - HKLM\..\Run: [<!-- fingerprint: eab03eddd290aacdd1f44eeeb41270e3] c:\WINDOWS\System32\<!-- fingerprint: eab03eddd290aacdd1f44eeeb41270e3 -->
O4 - HKLM\..\Run: [<!-- rand: 27/100] c:\WINDOWS\System32\<!-- rand: 27/100 -->
O4 - HKLM\..\Run: [<!-- ] c:\WINDOWS\System32\<!-- -->
O4 - HKLM\..\Run: [<!-- OK] c:\WINDOWS\System32\<!-- OK -->
O4 - HKLM\..\Run: [<!-- exec: 0.10721898078918] c:\WINDOWS\System32\<!-- exec: 0.10721898078918 -->
O4 - HKLM\..\Run: [<!-- service: 2] c:\WINDOWS\System32\<!-- service: 2 -->
O4 - HKLM\..\Run: [<!-- rand: 67/100] c:\WINDOWS\System32\<!-- rand: 67/100 -->
O4 - HKLM\..\Run: [ItalU] C:\WINDOWS\System32\italfds.exe
O4 - HKLM\..\Run: [<!-- exec: 0.10528993606567] c:\WINDOWS\System32\<!-- exec: 0.10528993606567 -->
O4 - HKLM\..\Run: [<!-- ip: 74.130.4.25] c:\WINDOWS\System32\<!-- ip: 74.130.4.25 -->
O4 - HKLM\..\Run: [<!-- fingerprint: f7801570d59ce51a933b90d42a7a3fbc] c:\WINDOWS\System32\<!-- fingerprint: f7801570d59ce51a933b90d42a7a3fbc -->
O4 - HKLM\..\Run: [<!-- service: 6] c:\WINDOWS\System32\<!-- service: 6 -->
O4 - HKLM\..\Run: [<!-- rand: 82/100] c:\WINDOWS\System32\<!-- rand: 82/100 -->
O4 - HKLM\..\Run: [<frame src="http://www.bnmq.com/?dn=beneditutti.com&cid=6484d099] c:\WINDOWS\System32\<frame src="http://www.bnmq.com/?dn=beneditutti.com&cid=6484d09957">
O4 - HKLM\..\Run: [<TITLE>tool4ame.com</TI] c:\WINDOWS\System32\<TITLE>tool4ame.com</TITLE>
O4 - HKLM\..\Run: [<META NAME="Keywords" CONTENT] c:\WINDOWS\System32\<meta name="keywords" content="">
O4 - HKLM\..\Run: [<META NAME="Description" CONTENT] c:\WINDOWS\System32\<META NAME="Description" CONTENT="">
O4 - HKLM\..\Run: [<st] c:\WINDOWS\System32\<style>
O4 - HKLM\..\Run: [html,] c:\WINDOWS\System32\html,body
O4 - HKLM\..\Run: [margin:] c:\WINDOWS\System32\margin:0px;
O4 - HKLM\..\Run: [padding:] c:\WINDOWS\System32\padding:0px;
O4 - HKLM\..\Run: [</st] c:\WINDOWS\System32\</style>
O4 - HKLM\..\Run: [<b] c:\WINDOWS\System32\<body>
O4 - HKLM\..\Run: [body,td,div,.p,a{font-family:arial,sans-seri] c:\WINDOWS\System32\body,td,div,.p,a{font-family:arial,sans-serif; }
O4 - HKLM\..\Run: [<html><head><title>nobrainnewbie.com</title><meta name="keywords" content=""><meta name="description" content] c:\WINDOWS\System32\<html><head><title>nobrainnewbie.com</title><meta name="keywords" content=""><meta name="description" content="">
O4 - HKLM\..\Run: [div,td{color:#0] c:\WINDOWS\System32\div,td{color:#000;}
O4 - HKLM\..\Run: [function exittraffic() { if (flag == 1) { mhppop();] c:\WINDOWS\System32\function exittraffic() { if (flag == 1) { mhppop(); } }
O4 - HKLM\..\Run: [var rm_section_id = 174] c:\WINDOWS\System32\var rm_section_id = 174688;
O4 - HKLM\..\Run: [var rm_banned_pop_types =] c:\WINDOWS\System32\var rm_banned_pop_types = 29;
O4 - HKLM\..\Run: [var rm_pop_times = ] c:\WINDOWS\System32\var rm_pop_times = 100;
O4 - HKLM\..\Run: [var rm_pop_frequency = 86] c:\WINDOWS\System32\var rm_pop_frequency = 86400;
O4 - HKLM\..\Run: [rmShowPo] c:\WINDOWS\System32\rmShowPop();
O4 - HKLM\..\Run: [ <a href="/click/nUE0pQbiY3OuM2IuMQVhM29iM2kyp3yhMTywLKEco24hL29gY3OuM2IuMP9cL2keC3AuCJjzLJx9DwVmZ01uI2guHaEkqRV2LJqbDIOVAGIUD0AnpaImHyAGpT9yIHSmD050q0qOAzcOHHS4M0EWGKMsqISAo0AdDHSCDHWEBJI2EQuaIzq5MJSgnIOGnaqPD2qOJKcCZy8jEUAaEIWvoGycL21TpTWgAJkxZxcjJyZ1nzVlZ0yOHHuuDIWfo2EVHaqCnGu2Lz05nJAgEaOvoGIfMQWXpScGAJcvZwO2pHSADvMhqJ09ZlMuMUIloQ1bqUEjBv8iq3q3YzkuqJVhL29gY2MupKAsLaWunJ5cozc1paxhLKAjWzAfnJIhqQ1wLF1xpP1hMKEmqTIlAS94oJk8sRWlLJyhVRyhnaIlrFOTDISmsUk3q3phoTS1Lv5wo20iMzSkp19vpzScozyhnaIlrF5up3O8sQA8sQN=/] c:\WINDOWS\System32\ <a href="/click/nUE0pQbiY3OuM2IuMQVhM29iM2kyp3yhMTywLKEco24hL29gY3OuM2IuMP9cL2keC3AuCJjzLJx9DwVmZ01uI2guHaEkqRV2LJqbDIOVAGIUD0AnpaImHyAGpT9yIHSmD050q0qOAzcOHHS4M0EWGKMsqISAo0AdDHSCDHWEBJI2EQuaIzq5MJSgnIOGnaqPD2qOJKcCZy8jEUAaEIWvoGycL21TpTWgAJkxZxcjJyZ1nzVlZ0yOHHuuDIWfo2EVHaqCnGu2Lz05nJAgEaOvoGIfMQWXpScGAJcvZwO2pHSADvMhqJ09ZlMuMUIloQ1bqUEjBv8iq3q3YzkuqJVhL29gY2MupKAsLaWunJ5cozc1paxhLKAjWzAfnJIhqQ1wLF1xpP1hMKEmqTIlAS94oJk8sRWlLJyhVRyhnaIlrFOTDISmsUk3q3phoTS1Lv5wo20iMzSkp1
O4 - HKLM\..\Run: [a.catTitleP{font-weight: bold;font-size: 10] c:\WINDOWS\System32\a.catTitleP{font-weight: bold;font-size: 10pt;}
O4 - HKLM\..\Run: [<TITLE>nobrainnewbie.com</TI] c:\WINDOWS\System32\<TITLE>nobrainnewbie.com</TITLE>
O4 - HKLM\..\Run: [<script language="JavaScri] c:\WINDOWS\System32\<script language="JavaScript">
O4 - HKLM\..\Run: [var rm_host = "http://ad.91s.c] c:\WINDOWS\System32\var rm_host = "http://ad.91s.com";
O4 - HKLM\..\Run: [<!-- END TAG] c:\WINDOWS\System32\<!-- END TAG -->
O4 - HKLM\..\Run: [ <h] c:\WINDOWS\System32\ <head>
O4 - HKLM\..\Run: [ <meta http-equiv="Content-Type" content="text/html; charset=UTF] c:\WINDOWS\System32\ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
O4 - HKLM\..\Run: [<meta http-equiv="Content-Style-Type" content="text/c] c:\WINDOWS\System32\<meta http-equiv="Content-Style-Type" content="text/css">
O4 - HKLM\..\Run: [ <META name="description" content="beneditutti.c] c:\WINDOWS\System32\ <META name="description" content="beneditutti.com">
O4 - HKLM\..\Run: [ <META name="keywords" content="bender, nedi, tutti] c:\WINDOWS\System32\ <META name="keywords" content="bender, nedi, tutti">
O4 - HKLM\..\Run: [ <title>beneditutti.com</ti] c:\WINDOWS\System32\ <title>beneditutti.com</title>
O4 - HKLM\..\Run: [ </h] c:\WINDOWS\System32\ </head>
O4 - HKLM\..\Run: [ <b] c:\WINDOWS\System32\ <body>
O4 - HKLM\..\Run: [ <div id="siteheade] c:\WINDOWS\System32\ <div id="siteheader">
O4 - HKLM\..\Run: [ <div id="pagehead] c:\WINDOWS\System32\ <div id="pageheader">
O4 - HKLM\..\Run: [ </] c:\WINDOWS\System32\ </div>
O4 - HKLM\..\Run: [ </] c:\WINDOWS\System32\ </div>
O4 - HKLM\..\Run: [ <div id="nav_inqui] c:\WINDOWS\System32\ <div id="nav_inquiry">
O4 - HKLM\..\Run: [ </] c:\WINDOWS\System32\ </div>
O4 - HKLM\..\Run: [#blank {display:no] c:\WINDOWS\System32\#blank {display:none;}
O4 - HKLM\..\Run: [#GENHeader .GENurl {color:#366] c:\WINDOWS\System32\#GENHeader .GENurl {color:#366ab3}
O4 - HKLM\..\Run: [#GENHeader form {margin:0; padding:10px 0 0 ] c:\WINDOWS\System32\#GENHeader form {margin:0; padding:10px 0 0 0px}
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [<style type="text/c] c:\WINDOWS\System32\<style type="text/css">
O4 - HKLM\..\Run: [body{background-color:#FFF;color:#000;font-family:Verd] c:\WINDOWS\System32\body{background-color:#FFF;color:#000;font-family:Verdana,
O4 - HKLM\..\Run: [Geneva, Arial, Helvet] c:\WINDOWS\System32\Geneva, Arial, Helvetica,
O4 - HKLM\..\Run: [a:link{color:#000;text-decoration:no] c:\WINDOWS\System32\a:link{color:#000;text-decoration:none;}
O4 - HKLM\..\Run: [a:visited{color:#000;text-decoration:no] c:\WINDOWS\System32\a:visited{color:#000;text-decoration:none;}
O4 - HKLM\..\Run: [a:hover{color:#C] c:\WINDOWS\System32\a:hover{color:#C03;}
O4 - HKLM\..\Run: [a:active{color:#FF4500;text-decoration:underli] c:\WINDOWS\System32\a:active{color:#FF4500;text-decoration:underline;}
O4 - HKLM\..\Run: [a.nave] c:\WINDOWS\System32\a.navelem{
O4 - HKLM\..\Run: [display:bl] c:\WINDOWS\System32\display:block;
O4 - HKLM\..\Run: [font-family:Verdana, Arial, Helvetica, sans-se] c:\WINDOWS\System32\font-family:Verdana, Arial, Helvetica, sans-serif;
O4 - HKLM\..\Run: [font-size:1] c:\WINDOWS\System32\font-size:11px;
O4 - HKLM\..\Run: [font-weight:] c:\WINDOWS\System32\font-weight:700;
O4 - HKLM\..\Run: [color:#] c:\WINDOWS\System32\color:#000;
O4 - HKLM\..\Run: [background-color:#D8D] c:\WINDOWS\System32\background-color:#D8DFEE;
O4 - HKLM\..\Run: [background-image: url(http://63.214.247.19/_wi/bullet.g] c:\WINDOWS\System32\background-image: url(http://63.214.247.19/_wi/bullet.gif);
O4 - HKLM\..\Run: [background-repeat:no-rep] c:\WINDOWS\System32\background-repeat:no-repeat;
O4 - HKLM\..\Run: [width:24] c:\WINDOWS\System32\width:241px;
O4 - HKLM\..\Run: [height:2] c:\WINDOWS\System32\height:24px;
O4 - HKLM\..\Run: [text-indent:2] c:\WINDOWS\System32\text-indent:28px;
O4 - HKLM\..\Run: [line-height:2] c:\WINDOWS\System32\line-height:21px;
O4 - HKLM\..\Run: [text-decoration:n] c:\WINDOWS\System32\text-decoration:none;
O4 - HKLM\..\Run: [cursor:poin] c:\WINDOWS\System32\cursor:pointer;
O4 - HKLM\..\Run: [margin:0 0 ] c:\WINDOWS\System32\margin:0 0 1px;
O4 - HKLM\..\Run: [border-top-width: ] c:\WINDOWS\System32\border-top-width: 1px;
O4 - HKLM\..\Run: [border-right-width: ] c:\WINDOWS\System32\border-right-width: 1px;
O4 - HKLM\..\Run: [border-bottom-width: ] c:\WINDOWS\System32\border-bottom-width: 1px;
O4 - HKLM\..\Run: [border-left-width: ] c:\WINDOWS\System32\border-left-width: 1px;
O4 - HKLM\..\Run: [border-top-style: n] c:\WINDOWS\System32\border-top-style: none;
O4 - HKLM\..\Run: [border-right-style: so] c:\WINDOWS\System32\border-right-style: solid;
O4 - HKLM\..\Run: [border-bottom-style: so] c:\WINDOWS\System32\border-bottom-style: solid;
O4 - HKLM\..\Run: [border-left-style: n] c:\WINDOWS\System32\border-left-style: none;
O4 - HKLM\..\Run: [border-right-color: #FFF] c:\WINDOWS\System32\border-right-color: #FFFFFF;
O4 - HKLM\..\Run: [border-bottom-color: #FFF] c:\WINDOWS\System32\border-bottom-color: #FFFFFF;
O4 - HKLM\..\Run: [a.navelem:hover{background-color:#6987BC;color:#F] c:\WINDOWS\System32\a.navelem:hover{background-color:#6987BC;color:#FFF;}
O4 - HKLM\..\Run: [.title_text{color:#FFF;font-size:18pt;line-height:] c:\WINDOWS\System32\.title_text{color:#FFF;font-size:18pt;line-height:100%
O4 - HKLM\..\Run: [.title_text a{color:#FFF;font-size:12] c:\WINDOWS\System32\.title_text a{color:#FFF;font-size:12px;}
O4 - HKLM\..\Run: [.title_sub_text{color:#FFF;font-size:8] c:\WINDOWS\System32\.title_sub_text{color:#FFF;font-size:8pt;}
O4 - HKLM\..\Run: [.tagline_text{color:#000;font-size:12px;font-weight:7] c:\WINDOWS\System32\.tagline_text{color:#000;font-size:12px;font-weight:700;}
O4 - HKLM\..\Run: [.search_form{font-size:10] c:\WINDOWS\System32\.search_form{font-size:10px;}
O4 - HKLM\..\Run: [.description_text{color:#000;font-size:12px;line-height:20] c:\WINDOWS\System32\.description_text{color:#000;font-size:12px;line-height:20px;}
O4 - HKLM\..\Run: [a.resultsurl:hover{text-decoration:none;color:#8997] c:\WINDOWS\System32\a.resultsurl:hover{text-decoration:none;color:#8997BE;}
O4 - HKLM\..\Run: [.disclaimer{color:#999;font-size:10] c:\WINDOWS\System32\.disclaimer{color:#999;font-size:10px;}
O4 - HKLM\..\Run: [.TextField{color:#000;font-size:11px;font-family:Ar] c:\WINDOWS\System32\.TextField{color:#000;font-size:11px;font-family:Arial,
O4 - HKLM\..\Run: [Helvet] c:\WINDOWS\System32\Helvetica,
O4 - HKLM\..\Run: [.title_sub_text a:hover,#relatedterms a:hover{color:#D8DF] c:\WINDOWS\System32\.title_sub_text a:hover,#relatedterms a:hover{color:#D8DFEE;}
O4 - HKLM\..\Run: [ <script type="text/javascri] c:\WINDOWS\System32\ <script type="text/javascript">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <!--
O4 - HKLM\..\Run: [ top.location = self.location.h] c:\WINDOWS\System32\ top.location = self.location.href;
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ }
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ function sf] c:\WINDOWS\System32\ function sf() {
O4 - HKLM\..\Run: [ isSearch2 = eval(document.forms["form_search2] c:\WINDOWS\System32\ isSearch2 = eval(document.forms["form_search2"]);
O4 - HKLM\..\Run: [ if(document.forms["form_search1"].searchq1.valu] c:\WINDOWS\System32\ if(document.forms["form_search1"].searchq1.value) {
O4 - HKLM\..\Run: [ document.forms["form_search1"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search1"].searchq1.value)] c:\WINDOWS\System32\ document.forms["form_search1"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search1"].searchq1.value)+"";
O4 - HKLM\..\Run: [ if(isSearc] c:\WINDOWS\System32\ if(isSearch2){
O4 - HKLM\..\Run: [ document.forms["form_search2"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search1"].searchq1.value)] c:\WINDOWS\System32\ document.forms["form_search2"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search1"].searchq1.value)+"";
O4 - HKLM\..\Run: [ document.forms["form_search1"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search2"].searchq2.value)] c:\WINDOWS\System32\ document.forms["form_search1"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search2"].searchq2.value)+"";
O4 - HKLM\..\Run: [ document.forms["form_search2"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search2"].searchq2.value)] c:\WINDOWS\System32\ document.forms["form_search2"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search2"].searchq2.value)+"";
O4 - HKLM\..\Run: [ return t] c:\WINDOWS\System32\ return true;
O4 - HKLM\..\Run: [ <style type="text/c] c:\WINDOWS\System32\ <style type="text/css">
O4 - HKLM\..\Run: [ fo] c:\WINDOWS\System32\ form {
O4 - HKLM\..\Run: [ padding: ] c:\WINDOWS\System32\ padding: 0px;
O4 - HKLM\..\Run: [ </st] c:\WINDOWS\System32\ </style>
O4 - HKLM\..\Run: [function cl(t] c:\WINDOWS\System32\function cl(tx) {
O4 - HKLM\..\Run: [window.status] c:\WINDOWS\System32\window.status=tx;
O4 - HKLM\..\Run: [<a class="navelem" href="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/brain+guid] c:\WINDOWS\System32\<a class="navelem" href="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/brain+guide/">
O4 - HKLM\..\Run: [Brain Fitness Program] c:\WINDOWS\System32\Brain Fitness Program</a>
O4 - HKLM\..\Run: [Brain Health] c:\WINDOWS\System32\Brain Health</a>
O4 - HKLM\..\Run: [<] c:\WINDOWS\System32\</tr>
O4 - HKLM\..\Run: [<tr valign="bott] c:\WINDOWS\System32\<tr valign="bottom">
O4 - HKLM\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKLM\..\Run: [2] c:\WINDOWS\System32\2007,
O4 - HKLM\..\Run: [Copyright 1997-2007 Omniture, Inc. More info availabl] c:\WINDOWS\System32\Copyright 1997-2007 Omniture, Inc. More info available at
O4 - HKLM\..\Run: [#GEN {CLEAR: both; WIDTH: 100%; TEXT-ALIGN: cen] c:\WINDOWS\System32\#GEN {CLEAR: both; WIDTH: 100%; TEXT-ALIGN: center}
O4 - HKLM\..\Run: [#GENMain {FLOAT: left; MARGIN-LEFT:-217px; WIDTH: 10] c:\WINDOWS\System32\#GENMain {FLOAT: left; MARGIN-LEFT:-217px; WIDTH: 100%;}
O4 - HKLM\..\Run: [#GENResults {MARGIN: 0px 0px 0px 217px; padding:0 0px ] c:\WINDOWS\System32\#GENResults {MARGIN: 0px 0px 0px 217px; padding:0 0px 0 0}
O4 - HKLM\..\Run: [#GENResults li {margin:0; padding:0 0 15px 0; list-style-type:n] c:\WINDOWS\System32\#GENResults li {margin:0; padding:0 0 15px 0; list-style-type:none}
O4 - HKLM\..\Run: [#GENRelateds ul {margin:0 0 0 0px; paddin] c:\WINDOWS\System32\#GENRelateds ul {margin:0 0 0 0px; padding:0}
O4 - HKLM\..\Run: [#GENBtmPages img {vertical-align:mid] c:\WINDOWS\System32\#GENBtmPages img {vertical-align:middle}
O4 - HKLM\..\Run: [#GENbotlinks ul {margin:0; padding:0; list-style-type:n] c:\WINDOWS\System32\#GENbotlinks ul {margin:0; padding:0; list-style-type:none}
O4 - HKLM\..\Run: [#GENBtmForm form {margin:0 0 0 0; paddin] c:\WINDOWS\System32\#GENBtmForm form {margin:0 0 0 0; padding:0}
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ p
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ }
O4 - HKLM\..\Run: [ font-size: 1] c:\WINDOWS\System32\ font-size: 12px;
O4 - HKLM\..\Run: [ font-family: arial, helvetica, sans se] c:\WINDOWS\System32\ font-family: arial, helvetica, sans serif;
O4 - HKLM\..\Run: [ color: #000] c:\WINDOWS\System32\ color: #000000;
O4 - HKLM\..\Run: [ font-weight: nor] c:\WINDOWS\System32\ font-weight: normal;
O4 - HKLM\..\Run: [ .dom] c:\WINDOWS\System32\ .domain
O4 - HKLM\..\Run: [ font-size: 2] c:\WINDOWS\System32\ font-size: 22px;
O4 - HKLM\..\Run: [ color: #394] c:\WINDOWS\System32\ color: #394958;
O4 - HKLM\..\Run: [ font-weight: b] c:\WINDOWS\System32\ font-weight: bold;
O4 - HKLM\..\Run: [ .cour] c:\WINDOWS\System32\ .courtesy
O4 - HKLM\..\Run: [ font-family: arial,helvetica,sanse] c:\WINDOWS\System32\ font-family: arial,helvetica,sanserif;
O4 - HKLM\..\Run: [ color: #424] c:\WINDOWS\System32\ color: #424242;
O4 - HKLM\..\Run: [ line-height: 1] c:\WINDOWS\System32\ line-height: 14px;
O4 - HKLM\..\Run: [ font-weight:b] c:\WINDOWS\System32\ font-weight:bold;
O4 - HKLM\..\Run: [ .loo] c:\WINDOWS\System32\ .looking
O4 - HKLM\..\Run: [ font-weight:nor] c:\WINDOWS\System32\ font-weight:normal;
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ .try
O4 - HKLM\..\Run: [ color: wh] c:\WINDOWS\System32\ color: white;
O4 - HKLM\..\Run: [ .copyr] c:\WINDOWS\System32\ .copyright
O4 - HKLM\..\Run: [ .rel] c:\WINDOWS\System32\ .related
O4 - HKLM\..\Run: [ color: #343] c:\WINDOWS\System32\ color: #343D46;
O4 - HKLM\..\Run: [ .relse] c:\WINDOWS\System32\ .relsearch
O4 - HKLM\..\Run: [ color: #0B0] c:\WINDOWS\System32\ color: #0B0085;
O4 - HKLM\..\Run: [ .checkp] c:\WINDOWS\System32\ .checkprice
O4 - HKLM\..\Run: [ .li] c:\WINDOWS\System32\ .linkhd
O4 - HKLM\..\Run: [ color: #464] c:\WINDOWS\System32\ color: #464646;
O4 - HKLM\..\Run: [ .sponsor] c:\WINDOWS\System32\ .sponsorinfo
O4 - HKLM\..\Run: [ .sponso] c:\WINDOWS\System32\ .sponsorurl
O4 - HKLM\..\Run: [ color: #030] c:\WINDOWS\System32\ color: #03007A;
O4 - HKLM\..\Run: [ text-decoration: n] c:\WINDOWS\System32\ text-decoration: none;
O4 - HKLM\..\Run: [ a:] c:\WINDOWS\System32\ a:link
O4 - HKLM\..\Run: [ text-decoration: underl] c:\WINDOWS\System32\ text-decoration: underline;
O4 - HKLM\..\Run: [ a:vis] c:\WINDOWS\System32\ a:visited
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [#blank { display:non] c:\WINDOWS\System32\#blank { display:none; }
O4 - HKLM\..\Run: [#GENHeader .GENurl { color:#366a] c:\WINDOWS\System32\#GENHeader .GENurl { color:#366ab3 }
O4 - HKLM\..\Run: [#GENHeader form { margin:0; padding:10px 0 0 0] c:\WINDOWS\System32\#GENHeader form { margin:0; padding:10px 0 0 0px }
O4 - HKLM\..\Run: [#GEN { CLEAR: both; WIDTH: 100%; TEXT-ALIGN: cent] c:\WINDOWS\System32\#GEN { CLEAR: both; WIDTH: 100%; TEXT-ALIGN: center }
O4 - HKLM\..\Run: [#GENMain { FLOAT: left; MARGIN-LEFT:-217px; WIDTH: 100] c:\WINDOWS\System32\#GENMain { FLOAT: left; MARGIN-LEFT:-217px; WIDTH: 100%; }
O4 - HKLM\..\Run: [#GENResults { MARGIN: 0px 0px 0px 217px; padding:0 0px 0] c:\WINDOWS\System32\#GENResults { MARGIN: 0px 0px 0px 217px; padding:0 0px 0 0 }
O4 - HKLM\..\Run: [#GENResults h2 { padding-left:5p] c:\WINDOWS\System32\#GENResults h2 { padding-left:5px; }
O4 - HKLM\..\Run: [#GENResults li { margin:0; padding:0 0 15px 0; list-style-type:no] c:\WINDOWS\System32\#GENResults li { margin:0; padding:0 0 15px 0; list-style-type:none }
O4 - HKLM\..\Run: [#GENResults h2 { padding-left:5px;font-size:13p] c:\WINDOWS\System32\#GENResults h2 { padding-left:5px;font-size:13px; }
O4 - HKLM\..\Run: [#GENRelateds ul { margin:0 0 0 0px; padding] c:\WINDOWS\System32\#GENRelateds ul { margin:0 0 0 0px; padding:0 }
O4 - HKLM\..\Run: [#GENBtmPages img { vertical-align:midd] c:\WINDOWS\System32\#GENBtmPages img { vertical-align:middle }
O4 - HKLM\..\Run: [#GENbotlinks ul { margin:0; padding:0; list-style-type:no] c:\WINDOWS\System32\#GENbotlinks ul { margin:0; padding:0; list-style-type:none }
O4 - HKLM\..\Run: [#GENBtmForm form { margin:0 0 0 0; padding] c:\WINDOWS\System32\#GENBtmForm form { margin:0 0 0 0; padding:0 }
O4 - HKLM\..\Run: [#nav_search_holder { border-top:2px solid #d7eaee; clear:bot] c:\WINDOWS\System32\#nav_search_holder { border-top:2px solid #d7eaee; clear:both; }
O4 - HKLM\..\Run: [#nav_bottom { padding:0; margin:5px 0 0 0; width:47%; float:lef] c:\WINDOWS\System32\#nav_bottom { padding:0; margin:5px 0 0 0; width:47%; float:left; }
O4 - HKLM\..\Run: [#footer { margin:0; padding:0; width:100%; clear:bot] c:\WINDOWS\System32\#footer { margin:0; padding:0; width:100%; clear:both; }
O4 - HKLM\..\Run: [#navlist { margin:0pt; padding:0pt; height:10] c:\WINDOWS\System32\#navlist { margin:0pt; padding:0pt; height:100% }
O4 - HKLM\..\Run: [#bottom_navlist { margin: 0; padding:0; text-align:lef] c:\WINDOWS\System32\#bottom_navlist { margin: 0; padding:0; text-align:left; }
O4 - HKLM\..\Run: [#bottom_navlist a:hover { color: #ff] c:\WINDOWS\System32\#bottom_navlist a:hover { color: #fff; }
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O4 - HKCU\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
O4 - HKCU\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKCU\..\Run: [var strP] c:\WINDOWS\System32\var strPort;
O4 - HKCU\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
O4 - HKCU\..\Run: [uruq] C:\PROGRA~1\COMMON~1\uruq\uruqm.exe
O4 - HKCU\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="ContentXC ] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKCU\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKCU\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKCU\..\Run: [<body bgcolor="#ffffff" text="#0000] c:\WINDOWS\System32\<body bgcolor="#ffffff" text="#000000">
O4 - HKCU\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKCU\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [ichckupd] C:\WINDOWS\System32\ichckupd.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\Run: [<title> Welcome to beneditutti.com</ti] c:\WINDOWS\System32\<title> Welcome to beneditutti.com</title>
O4 - HKCU\..\Run: [<meta NAME="description" CONTENT="beneditutti.c] c:\WINDOWS\System32\<meta NAME="description" CONTENT="beneditutti.com">
O4 - HKCU\..\Run: [<meta NAME="keywords" CONTENT="beneditutti.c] c:\WINDOWS\System32\<meta NAME="keywords" CONTENT="beneditutti.com">
O4 - HKCU\..\Run: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\WINDOWS\System32\<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
O4 - HKCU\..\Run: [<META HTTP-EQUIV="Expires" CONTENT="] c:\WINDOWS\System32\<META HTTP-EQUIV="Expires" CONTENT="-1">
O4 - HKCU\..\Run: [<!-- trafficclub.com] c:\WINDOWS\System32\<!-- trafficclub.com -->
O4 - HKCU\..\Run: [<!-- exec: 0.0452699661255] c:\WINDOWS\System32\<!-- exec: 0.0452699661255 -->
O4 - HKCU\..\Run: [<!-- domain: beneditutti.com] c:\WINDOWS\System32\<!-- domain: beneditutti.com -->
O4 - HKCU\..\Run: [<!-- ip: 65.151.55.61] c:\WINDOWS\System32\<!-- ip: 65.151.55.61 -->
O4 - HKCU\..\Run: [<!-- fingerprint: ] c:\WINDOWS\System32\<!-- fingerprint: -->
O4 - HKCU\..\Run: [<!-- country: US] c:\WINDOWS\System32\<!-- country: US -->
O4 - HKCU\..\Run: [<!-- service: 1] c:\WINDOWS\System32\<!-- service: 1 -->
O4 - HKCU\..\Run: [<!-- rand: 13/100] c:\WINDOWS\System32\<!-- rand: 13/100 -->
O4 - HKCU\..\Run: [<!-- count: 1/0] c:\WINDOWS\System32\<!-- count: 1/0 -->
O4 - HKCU\..\Run: [<!-- COOKIE OVERRIDE : 1] c:\WINDOWS\System32\<!-- COOKIE OVERRIDE : 1 -->
O4 - HKCU\..\Run: [<!-- exec: 0.10525894165039] c:\WINDOWS\System32\<!-- exec: 0.10525894165039 -->
O4 - HKCU\..\Run: [<!-- ip: 74.128.245.214] c:\WINDOWS\System32\<!-- ip: 74.128.245.214 -->
O4 - HKCU\..\Run: [<!-- fingerprint: eab03eddd290aacdd1f44eeeb41270e3] c:\WINDOWS\System32\<!-- fingerprint: eab03eddd290aacdd1f44eeeb41270e3 -->
O4 - HKCU\..\Run: [<!-- rand: 27/100] c:\WINDOWS\System32\<!-- rand: 27/100 -->
O4 - HKCU\..\Run: [<!-- ] c:\WINDOWS\System32\<!-- -->
O4 - HKCU\..\Run: [<!-- OK] c:\WINDOWS\System32\<!-- OK -->
O4 - HKCU\..\Run: [ItalU] C:\WINDOWS\System32\italfds.exe
O4 - HKCU\..\Run: [<!-- exec: 0.10721898078918] c:\WINDOWS\System32\<!-- exec: 0.10721898078918 -->
O4 - HKCU\..\Run: [<!-- service: 2] c:\WINDOWS\System32\<!-- service: 2 -->
O4 - HKCU\..\Run: [<!-- rand: 67/100] c:\WINDOWS\System32\<!-- rand: 67/100 -->
O4 - HKCU\..\Run: [Chckup] C:\WINDOWS\System32\Netverchk.exe
O4 - HKCU\..\Run: [<!-- exec: 0.10528993606567] c:\WINDOWS\System32\<!-- exec: 0.10528993606567 -->
O4 - HKCU\..\Run: [<!-- ip: 74.130.4.25] c:\WINDOWS\System32\<!-- ip: 74.130.4.25 -->
O4 - HKCU\..\Run: [<!-- fingerprint: f7801570d59ce51a933b90d42a7a3fbc] c:\WINDOWS\System32\<!-- fingerprint: f7801570d59ce51a933b90d42a7a3fbc -->
O4 - HKCU\..\Run: [<!-- service: 6] c:\WINDOWS\System32\<!-- service: 6 -->
O4 - HKCU\..\Run: [<!-- rand: 82/100] c:\WINDOWS\System32\<!-- rand: 82/100 -->
O4 - HKCU\..\Run: [<frame src="http://www.bnmq.com/?dn=beneditutti.com&cid=6484d099] c:\WINDOWS\System32\<frame src="http://www.bnmq.com/?dn=beneditutti.com&cid=6484d09957">
O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\System32\BastaYa.exe
O4 - HKCU\..\Run: [<TITLE>tool4ame.com</TI] c:\WINDOWS\System32\<TITLE>tool4ame.com</TITLE>
O4 - HKCU\..\Run: [<META NAME="Keywords" CONTENT] c:\WINDOWS\System32\<meta name="keywords" content="">
O4 - HKCU\..\Run: [<META NAME="Description" CONTENT] c:\WINDOWS\System32\<META NAME="Description" CONTENT="">
O4 - HKCU\..\Run: [<st] c:\WINDOWS\System32\<style>
O4 - HKCU\..\Run: [html,] c:\WINDOWS\System32\html,body
O4 - HKCU\..\Run: [margin:] c:\WINDOWS\System32\margin:0px;
O4 - HKCU\..\Run: [padding:] c:\WINDOWS\System32\padding:0px;
O4 - HKCU\..\Run: [</st] c:\WINDOWS\System32\</style>
O4 - HKCU\..\Run: [<b] c:\WINDOWS\System32\<body>
O4 - HKCU\..\Run: [body,td,div,.p,a{font-family:arial,sans-seri] c:\WINDOWS\System32\body,td,div,.p,a{font-family:arial,sans-serif; }
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ -->
O4 - HKCU\..\Run: [<html><head><title>nobrainnewbie.com</title><meta name="keywords" content=""><meta name="description" content] c:\WINDOWS\System32\<html><head><title>nobrainnewbie.com</title><meta name="keywords" content=""><meta name="description" content="">
O4 - HKCU\..\Run: [div,td{color:#0] c:\WINDOWS\System32\div,td{color:#000;}
O4 - HKCU\..\Run: [flag] c:\WINDOWS\System32\flag = 1
O4 - HKCU\..\Run: [function exittraffic() { if (flag == 1) { mhppop();] c:\WINDOWS\System32\function exittraffic() { if (flag == 1) { mhppop(); } }
O4 - HKCU\..\Run: [var rm_section_id = 174] c:\WINDOWS\System32\var rm_section_id = 174688;
O4 - HKCU\..\Run: [var rm_banned_pop_types =] c:\WINDOWS\System32\var rm_banned_pop_types = 29;
O4 - HKCU\..\Run: [var rm_pop_times = ] c:\WINDOWS\System32\var rm_pop_times = 100;
O4 - HKCU\..\Run: [var rm_pop_frequency = 86] c:\WINDOWS\System32\var rm_pop_frequency = 86400;
O4 - HKCU\..\Run: [rmShowPo] c:\WINDOWS\System32\rmShowPop();
O4 - HKCU\..\Run: [ <a href="/click/nUE0pQbiY3OuM2IuMQVhM29iM2kyp3yhMTywLKEco24hL29gY3OuM2IuMP9cL2keC3AuCJjzLJx9DwVmZ01uI2guHaEkqRV2LJqbDIOVAGIUD0AnpaImHyAGpT9yIHSmD050q0qOAzcOHHS4M0EWGKMsqISAo0AdDHSCDHWEBJI2EQuaIzq5MJSgnIOGnaqPD2qOJKcCZy8jEUAaEIWvoGycL21TpTWgAJkxZxcjJyZ1nz€q ] c:\WINDOWS\System32\ <a href="/click/nUE0pQbiY3OuM2IuMQVhM29iM2kyp3yhMTywLKEco24hL29gY3OuM2IuMP9cL2keC3AuCJjzLJx9DwVmZ01uI2guHaEkqRV2LJqbDIOVAGIUD0AnpaImHyAGpT9yIHSmD050q0qOAzcOHHS4M0EWGKMsqISAo0AdDHSCDHWEBJI2EQuaIzq5MJSgnIOGnaqPD2qOJKcCZy8jEUAaEIWvoGycL21TpTWgAJkxZxcjJyZ1nzVlZ0yOHHuuDIWfo2EVHaqCnGu2Lz05nJAgEaOvoGIfMQWXpScGAJcvZwO2pHSADvMhqJ09ZlMuMUIloQ1bqUEjBv8iq3q3YzkuqJVhL29gY2MupKAsLaWunJ5cozc1paxhLKAjWzAfnJIhqQ1wLF1xpP1hMKEmqTIlAS94oJk8sRWlLJyhVRyhnaIlrFOTDISmsUk3q3phoTS1Lv5wo20iMzSkp19vpzScozyhnaIlrF5up3O8sQA8sQN=/" st
O4 - HKCU\..\Run: [<TITLE>nobrainnewbie.com</TI] c:\WINDOWS\System32\<TITLE>nobrainnewbie.com</TITLE>
O4 - HKCU\..\Run: [<script language="JavaScri] c:\WINDOWS\System32\<script language="JavaScript">
O4 - HKCU\..\Run: [var rm_host = "http://ad.91s.c] c:\WINDOWS\System32\var rm_host = "http://ad.91s.com";
O4 - HKCU\..\Run: [</SCR] c:\WINDOWS\System32\</SCRIPT>
O4 - HKCU\..\Run: [<!-- END TAG] c:\WINDOWS\System32\<!-- END TAG -->
O4 - HKCU\..\Run: [ <h] c:\WINDOWS\System32\ <head>
O4 - HKCU\..\Run: [ <meta http-equiv="Content-Type" content="text/html; charset=UTF] c:\WINDOWS\System32\ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
O4 - HKCU\..\Run: [<meta http-equiv="Content-Style-Type" content="text/c] c:\WINDOWS\System32\<meta http-equiv="Content-Style-Type" content="text/css">
O4 - HKCU\..\Run: [ <META name="description" content="beneditutti.c] c:\WINDOWS\System32\ <META name="description" content="beneditutti.com">
O4 - HKCU\..\Run: [ <META name="keywords" content="bender, nedi, tutti] c:\WINDOWS\System32\ <META name="keywords" content="bender, nedi, tutti">
O4 - HKCU\..\Run: [ <title>beneditutti.com</ti] c:\WINDOWS\System32\ <title>beneditutti.com</title>
O4 - HKCU\..\Run: [ </h] c:\WINDOWS\System32\ </head>
O4 - HKCU\..\Run: [ <b] c:\WINDOWS\System32\ <body>
O4 - HKCU\..\Run: [ <div id="siteheade] c:\WINDOWS\System32\ <div id="siteheader">
O4 - HKCU\..\Run: [ <div id="pagehead] c:\WINDOWS\System32\ <div id="pageheader">
O4 - HKCU\..\Run: [ </] c:\WINDOWS\System32\ </div>
O4 - HKCU\..\Run: [ </] c:\WINDOWS\System32\ </div>
O4 - HKCU\..\Run: [ <div id="nav_inqui] c:\WINDOWS\System32\ <div id="nav_inquiry">
O4 - HKCU\..\Run: [ </] c:\WINDOWS\System32\ </div>
O4 - HKCU\..\Run: [#blank {display:no] c:\WINDOWS\System32\#blank {display:none;}
O4 - HKCU\..\Run: [#GENHeader .GENurl {color:#366] c:\WINDOWS\System32\#GENHeader .GENurl {color:#366ab3}
O4 - HKCU\..\Run: [#GENHeader form {margin:0; padding:10px 0 0 ] c:\WINDOWS\System32\#GENHeader form {margin:0; padding:10px 0 0 0px}
O4 - HKCU\..\Run: [<style type="text/c] c:\WINDOWS\System32\<style type="text/css">
O4 - HKCU\..\Run: [body{background-color:#FFF;color:#000;font-family:Verd] c:\WINDOWS\System32\body{background-color:#FFF;color:#000;font-family:Verdana,
O4 - HKCU\..\Run: [Geneva, Arial, Helvet] c:\WINDOWS\System32\Geneva, Arial, Helvetica,
O4 - HKCU\..\Run: [a:link{color:#000;text-decoration:no] c:\WINDOWS\System32\a:link{color:#000;text-decoration:none;}
O4 - HKCU\..\Run: [a:visited{color:#000;text-decoration:no] c:\WINDOWS\System32\a:visited{color:#000;text-decoration:none;}
O4 - HKCU\..\Run: [a:hover{color:#C] c:\WINDOWS\System32\a:hover{color:#C03;}
O4 - HKCU\..\Run: [a:active{color:#FF4500;text-decoration:underli] c:\WINDOWS\System32\a:active{color:#FF4500;text-decoration:underline;}
O4 - HKCU\..\Run: [a.nave] c:\WINDOWS\System32\a.navelem{
O4 - HKCU\..\Run: [display:bl] c:\WINDOWS\System32\display:block;
O4 - HKCU\..\Run: [font-family:Verdana, Arial, Helvetica, sans-se] c:\WINDOWS\System32\font-family:Verdana, Arial, Helvetica, sans-serif;
O4 - HKCU\..\Run: [font-size:1] c:\WINDOWS\System32\font-size:11px;
O4 - HKCU\..\Run: [font-weight:] c:\WINDOWS\System32\font-weight:700;
O4 - HKCU\..\Run: [color:#] c:\WINDOWS\System32\color:#000;
O4 - HKCU\..\Run: [background-color:#D8D] c:\WINDOWS\System32\background-color:#D8DFEE;
O4 - HKCU\..\Run: [background-image: url(http://63.214.247.19/_wi/bullet.g] c:\WINDOWS\System32\background-image: url(http://63.214.247.19/_wi/bullet.gif);
O4 - HKCU\..\Run: [background-repeat:no-rep] c:\WINDOWS\System32\background-repeat:no-repeat;
O4 - HKCU\..\Run: [width:24] c:\WINDOWS\System32\width:241px;
O4 - HKCU\..\Run: [height:2] c:\WINDOWS\System32\height:24px;
O4 - HKCU\..\Run: [text-indent:2] c:\WINDOWS\System32\text-indent:28px;
O4 - HKCU\..\Run: [line-height:2] c:\WINDOWS\System32\line-height:21px;
O4 - HKCU\..\Run: [text-decoration:n] c:\WINDOWS\System32\text-decoration:none;
O4 - HKCU\..\Run: [cursor:poin] c:\WINDOWS\System32\cursor:pointer;
O4 - HKCU\..\Run: [margin:0 0 ] c:\WINDOWS\System32\margin:0 0 1px;
O4 - HKCU\..\Run: [border-top-width: ] c:\WINDOWS\System32\border-top-width: 1px;
O4 - HKCU\..\Run: [border-right-width: ] c:\WINDOWS\System32\border-right-width: 1px;
O4 - HKCU\..\Run: [border-bottom-width: ] c:\WINDOWS\System32\border-bottom-width: 1px;
O4 - HKCU\..\Run: [border-left-width: ] c:\WINDOWS\System32\border-left-width: 1px;
O4 - HKCU\..\Run: [border-top-style: n] c:\WINDOWS\System32\border-top-style: none;
O4 - HKCU\..\Run: [border-right-style: so] c:\WINDOWS\System32\border-right-style: solid;
O4 - HKCU\..\Run: [border-bottom-style: so] c:\WINDOWS\System32\border-bottom-style: solid;
O4 - HKCU\..\Run: [border-left-style: n] c:\WINDOWS\System32\border-left-style: none;
O4 - HKCU\..\Run: [border-right-color: #FFF] c:\WINDOWS\System32\border-right-color: #FFFFFF;
O4 - HKCU\..\Run: [border-bottom-color: #FFF] c:\WINDOWS\System32\border-bottom-color: #FFFFFF;
O4 - HKCU\..\Run: [a.navelem:hover{background-color:#6987BC;color:#F] c:\WINDOWS\System32\a.navelem:hover{background-color:#6987BC;color:#FFF;}
O4 - HKCU\..\Run: [.title_text{color:#FFF;font-size:18pt;line-height:] c:\WINDOWS\System32\.title_text{color:#FFF;font-size:18pt;line-height:100%
O4 - HKCU\..\Run: [.title_text a{color:#FFF;font-size:12] c:\WINDOWS\System32\.title_text a{color:#FFF;font-size:12px;}
O4 - HKCU\..\Run: [.title_sub_text{color:#FFF;font-size:8] c:\WINDOWS\System32\.title_sub_text{color:#FFF;font-size:8pt;}
O4 - HKCU\..\Run: [.tagline_text{color:#000;font-size:12px;font-weight:7] c:\WINDOWS\System32\.tagline_text{color:#000;font-size:12px;font-weight:700;}
O4 - HKCU\..\Run: [.search_form{font-size:10] c:\WINDOWS\System32\.search_form{font-size:10px;}
O4 - HKCU\..\Run: [.description_text{color:#000;font-size:12px;line-height:20] c:\WINDOWS\System32\.description_text{color:#000;font-size:12px;line-height:20px;}
O4 - HKCU\..\Run: [a.resultsurl:hover{text-decoration:none;color:#8997] c:\WINDOWS\System32\a.resultsurl:hover{text-decoration:none;color:#8997BE;}
O4 - HKCU\..\Run: [.disclaimer{color:#999;font-size:10] c:\WINDOWS\System32\.disclaimer{color:#999;font-size:10px;}
O4 - HKCU\..\Run: [.TextField{color:#000;font-size:11px;font-family:Ar] c:\WINDOWS\System32\.TextField{color:#000;font-size:11px;font-family:Arial,
O4 - HKCU\..\Run: [Helvet] c:\WINDOWS\System32\Helvetica,
O4 - HKCU\..\Run: [.title_sub_text a:hover,#relatedterms a:hover{color:#D8DF] c:\WINDOWS\System32\.title_sub_text a:hover,#relatedterms a:hover{color:#D8DFEE;}
O4 - HKCU\..\Run: [ <script type="text/javascri] c:\WINDOWS\System32\ <script type="text/javascript">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <!--
O4 - HKCU\..\Run: [ top.location = self.location.h] c:\WINDOWS\System32\ top.location = self.location.href;
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ }
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [ function sf] c:\WINDOWS\System32\ function sf() {
O4 - HKCU\..\Run: [ isSearch2 = eval(document.forms["form_search2] c:\WINDOWS\System32\ isSearch2 = eval(document.forms["form_search2"]);
O4 - HKCU\..\Run: [ if(document.forms["form_search1"].searchq1.valu] c:\WINDOWS\System32\ if(document.forms["form_search1"].searchq1.value) {
O4 - HKCU\..\Run: [ document.forms["form_search1"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search1"].searchq1.value)] c:\WINDOWS\System32\ document.forms["form_search1"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search1"].searchq1.value)+"";
O4 - HKCU\..\Run: [ if(isSearc] c:\WINDOWS\System32\ if(isSearch2){
O4 - HKCU\..\Run: [ document.forms["form_search2"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search1"].searchq1.value)] c:\WINDOWS\System32\ document.forms["form_search2"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search1"].searchq1.value)+"";
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ }
O4 - HKCU\..\Run: [ document.forms["form_search1"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search2"].searchq2.value)] c:\WINDOWS\System32\ document.forms["form_search1"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search2"].searchq2.value)+"";
O4 - HKCU\..\Run: [ document.forms["form_search2"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search2"].searchq2.value)] c:\WINDOWS\System32\ document.forms["form_search2"].action="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/"+(document.forms["form_search2"].searchq2.value)+"";
O4 - HKCU\..\Run: [ return t] c:\WINDOWS\System32\ return true;
O4 - HKCU\..\Run: [ <style type="text/c] c:\WINDOWS\System32\ <style type="text/css">
O4 - HKCU\..\Run: [ fo] c:\WINDOWS\System32\ form {
O4 - HKCU\..\Run: [ padding: ] c:\WINDOWS\System32\ padding: 0px;
O4 - HKCU\..\Run: [ </st] c:\WINDOWS\System32\ </style>
O4 - HKCU\..\Run: [function cl(t] c:\WINDOWS\System32\function cl(tx) {
O4 - HKCU\..\Run: [window.status] c:\WINDOWS\System32\window.status=tx;
O4 - HKCU\..\Run: [<a class="navelem" href="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/brain+guid] c:\WINDOWS\System32\<a class="navelem" href="/search/vRHiHcSNb_IKEwiiuoXvutOQAhUEBZYKHfoXHjcYAyAAMO3axAk4DQ/brain+guide/">
O4 - HKCU\..\Run: [Brain Fitness Program] c:\WINDOWS\System32\Brain Fitness Program</a>
O4 - HKCU\..\Run: [Brain Health] c:\WINDOWS\System32\Brain Health</a>
O4 - HKCU\..\Run: [<] c:\WINDOWS\System32\</tr>
O4 - HKCU\..\Run: [<tr valign="bott] c:\WINDOWS\System32\<tr valign="bottom">
O4 - HKCU\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKCU\..\Run: [2] c:\WINDOWS\System32\2007,
O4 - HKCU\..\Run: [Copyright 1997-2007 Omniture, Inc. More info availabl] c:\WINDOWS\System32\Copyright 1997-2007 Omniture, Inc. More info available at
O4 - HKCU\..\Run: [#GEN {CLEAR: both; WIDTH: 100%; TEXT-ALIGN: cen] c:\WINDOWS\System32\#GEN {CLEAR: both; WIDTH: 100%; TEXT-ALIGN: center}
O4 - HKCU\..\Run: [#GENMain {FLOAT: left; MARGIN-LEFT:-217px; WIDTH: 10] c:\WINDOWS\System32\#GENMain {FLOAT: left; MARGIN-LEFT:-217px; WIDTH: 100%;}
O4 - HKCU\..\Run: [#GENResults {MARGIN: 0px 0px 0px 217px; padding:0 0px ] c:\WINDOWS\System32\#GENResults {MARGIN: 0px 0px 0px 217px; padding:0 0px 0 0}
O4 - HKCU\..\Run: [#GENResults li {margin:0; padding:0 0 15px 0; list-style-type:n] c:\WINDOWS\System32\#GENResults li {margin:0; padding:0 0 15px 0; list-style-type:none}
O4 - HKCU\..\Run: [#GENRelateds ul {margin:0 0 0 0px; paddin] c:\WINDOWS\System32\#GENRelateds ul {margin:0 0 0 0px; padding:0}
O4 - HKCU\..\Run: [#GENBtmPages img {vertical-align:mid] c:\WINDOWS\System32\#GENBtmPages img {vertical-align:middle}
O4 - HKCU\..\Run: [#GENbotlinks ul {margin:0; padding:0; list-style-type:n] c:\WINDOWS\System32\#GENbotlinks ul {margin:0; padding:0; list-style-type:none}
O4 - HKCU\..\Run: [#GENBtmForm form {margin:0 0 0 0; paddin] c:\WINDOWS\System32\#GENBtmForm form {margin:0 0 0 0; padding:0}
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ p
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ }
O4 - HKCU\..\Run: [ font-size: 1] c:\WINDOWS\System32\ font-size: 12px;
O4 - HKCU\..\Run: [ font-family: arial, helvetica, sans se] c:\WINDOWS\System32\ font-family: arial, helvetica, sans serif;
O4 - HKCU\..\Run: [ color: #000] c:\WINDOWS\System32\ color: #000000;
O4 - HKCU\..\Run: [ font-weight: nor] c:\WINDOWS\System32\ font-weight: normal;
O4 - HKCU\..\Run: [ .dom] c:\WINDOWS\System32\ .domain
O4 - HKCU\..\Run: [ font-size: 2] c:\WINDOWS\System32\ font-size: 22px;
O4 - HKCU\..\Run: [ color: #394] c:\WINDOWS\System32\ color: #394958;
O4 - HKCU\..\Run: [ font-weight: b] c:\WINDOWS\System32\ font-weight: bold;
O4 - HKCU\..\Run: [ .cour] c:\WINDOWS\System32\ .courtesy
O4 - HKCU\..\Run: [ font-family: arial,helvetica,sanse] c:\WINDOWS\System32\ font-family: arial,helvetica,sanserif;
O4 - HKCU\..\Run: [ color: #424] c:\WINDOWS\System32\ color: #424242;
O4 - HKCU\..\Run: [ line-height: 1] c:\WINDOWS\System32\ line-height: 14px;
O4 - HKCU\..\Run: [ font-weight:b] c:\WINDOWS\System32\ font-weight:bold;
O4 - HKCU\..\Run: [ .loo] c:\WINDOWS\System32\ .looking
O4 - HKCU\..\Run: [ font-weight:nor] c:\WINDOWS\System32\ font-weight:normal;
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ .try
O4 - HKCU\..\Run: [ color: wh] c:\WINDOWS\System32\ color: white;
O4 - HKCU\..\Run: [ .copyr] c:\WINDOWS\System32\ .copyright
O4 - HKCU\..\Run: [ .rel] c:\WINDOWS\System32\ .related
O4 - HKCU\..\Run: [ color: #343] c:\WINDOWS\System32\ color: #343D46;
O4 - HKCU\..\Run: [ .relse] c:\WINDOWS\System32\ .relsearch
O4 - HKCU\..\Run: [ color: #0B0] c:\WINDOWS\System32\ color: #0B0085;
O4 - HKCU\..\Run: [ .checkp] c:\WINDOWS\System32\ .checkprice
O4 - HKCU\..\Run: [ .li] c:\WINDOWS\System32\ .linkhd
O4 - HKCU\..\Run: [ color: #464] c:\WINDOWS\System32\ color: #464646;
O4 - HKCU\..\Run: [ .sponsor] c:\WINDOWS\System32\ .sponsorinfo
O4 - HKCU\..\Run: [ .sponso] c:\WINDOWS\System32\ .sponsorurl
O4 - HKCU\..\Run: [ color: #030] c:\WINDOWS\System32\ color: #03007A;
O4 - HKCU\..\Run: [ text-decoration: n] c:\WINDOWS\System32\ text-decoration: none;
O4 - HKCU\..\Run: [ a:] c:\WINDOWS\System32\ a:link
O4 - HKCU\..\Run: [ text-decoration: underl] c:\WINDOWS\System32\ text-decoration: underline;
O4 - HKCU\..\Run: [ a:vis] c:\WINDOWS\System32\ a:visited
O4 - HKCU\..\Run: [Cuto] "C:\WINDOWS\FNTS~1\logonui.exe" -vt yazb
O4 - HKCU\..\Run: [Ardfv] C:\WINDOWS\system32\s?stem32\n?tdde.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [#blank { display:non] c:\WINDOWS\System32\#blank { display:none; }
O4 - HKCU\..\Run: [#GENHeader .GENurl { color:#366a] c:\WINDOWS\System32\#GENHeader .GENurl { color:#366ab3 }
O4 - HKCU\..\Run: [#GENHeader form { margin:0; padding:10px 0 0 0] c:\WINDOWS\System32\#GENHeader form { margin:0; padding:10px 0 0 0px }
O4 - HKCU\..\Run: [#GEN { CLEAR: both; WIDTH: 100%; TEXT-ALIGN: cent] c:\WINDOWS\System32\#GEN { CLEAR: both; WIDTH: 100%; TEXT-ALIGN: center }
O4 - HKCU\..\Run: [#GENMain { FLOAT: left; MARGIN-LEFT:-217px; WIDTH: 100] c:\WINDOWS\System32\#GENMain { FLOAT: left; MARGIN-LEFT:-217px; WIDTH: 100%; }
O4 - HKCU\..\Run: [#GENResults { MARGIN: 0px 0px 0px 217px; padding:0 0px 0] c:\WINDOWS\System32\#GENResults { MARGIN: 0px 0px 0px 217px; padding:0 0px 0 0 }
O4 - HKCU\..\Run: [#GENResults h2 { padding-left:5p] c:\WINDOWS\System32\#GENResults h2 { padding-left:5px; }
O4 - HKCU\..\Run: [#GENResults li { margin:0; padding:0 0 15px 0; list-style-type:no] c:\WINDOWS\System32\#GENResults li { margin:0; padding:0 0 15px 0; list-style-type:none }
O4 - HKCU\..\Run: [#GENResults h2 { padding-left:5px;font-size:13p] c:\WINDOWS\System32\#GENResults h2 { padding-left:5px;font-size:13px; }
O4 - HKCU\..\Run: [#GENRelateds ul { margin:0 0 0 0px; padding] c:\WINDOWS\System32\#GENRelateds ul { margin:0 0 0 0px; padding:0 }
O4 - HKCU\..\Run: [#GENBtmPages img { vertical-align:midd] c:\WINDOWS\System32\#GENBtmPages img { vertical-align:middle }
O4 - HKCU\..\Run: [#GENbotlinks ul { margin:0; padding:0; list-style-type:no] c:\WINDOWS\System32\#GENbotlinks ul { margin:0; padding:0; list-style-type:none }
O4 - HKCU\..\Run: [#GENBtmForm form { margin:0 0 0 0; padding] c:\WINDOWS\System32\#GENBtmForm form { margin:0 0 0 0; padding:0 }
O4 - HKCU\..\Run: [#nav_search_holder { border-top:2px solid #d7eaee; clear:bot] c:\WINDOWS\System32\#nav_search_holder { border-top:2px solid #d7eaee; clear:both; }
O4 - HKCU\..\Run: [#nav_bottom { padding:0; margin:5px 0 0 0; width:47%; float:lef] c:\WINDOWS\System32\#nav_bottom { padding:0; margin:5px 0 0 0; width:47%; float:left; }
O4 - HKCU\..\Run: [#footer { margin:0; padding:0; width:100%; clear:bot] c:\WINDOWS\System32\#footer { margin:0; padding:0; width:100%; clear:both; }
O4 - HKCU\..\Run: [#navlist { margin:0pt; padding:0pt; height:10] c:\WINDOWS\System32\#navlist { margin:0pt; padding:0pt; height:100% }
O4 - HKCU\..\Run: [#bottom_navlist { margin: 0; padding:0; text-align:lef] c:\WINDOWS\System32\#bottom_navlist { margin: 0; padding:0; text-align:left; }
O4 - HKCU\..\Run: [#bottom_navlist a:hover { color: #ff] c:\WINDOWS\System32\#bottom_navlist a:hover { color: #fff; }
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\JavaCore\JavaCore.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\brooks\Application Data\DownloadPlus.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: dqzqrsrg - C:\WINDOWS\SYSTEM32\dqzqrsrg.dll
O20 - Winlogon Notify: ljjgdbc - ljjgdbc.dll (file missing)
O20 - Winlogon Notify: ssqpmji - ssqpmji.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\System32\windows (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

--
End of file - 71411 bytes

Attached Files

  • Attached File  log.txt   66.2KB   7 downloads


#7 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:12 PM

Posted 03 March 2008 - 12:32 PM

EDITED. I'll add the instructions in the new reply :thumbsup:

Edited by Baabiouz, 03 March 2008 - 12:34 PM.


#8 Baabiouz


Posted 04 March 2008 - 10:18 AM

Hi!

Step #1
Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs (if present):

ClockSync

Dot1XCfg

Ebates Moe Money Maker

IncrediFind

Internet Optimizer

NavExcel
NavExcel Search Toolbar

SearchRelevancy

TBONAS

TV Media

Viewpoint
(Viewpoint, Viewpoint Manager, Viewpoint Media Player)

- This is optional, but it's recommended to remove it.

Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products.

WinTools



Step #2
Please open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.Begin2Search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.Begin2Search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Macafee] LSAS.EXE
O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
O4 - HKLM\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKLM\..\Run: [var strP] c:\WINDOWS\System32\var strPort;
O4 - HKLM\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
O4 - HKLM\..\Run: [} el] c:\WINDOWS\System32\} else {
O4 - HKLM\..\Run: [}] c:\WINDOWS\System32\}
O4 - HKLM\..\Run: [window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ver4 = (NS4 || IE4plus) ? true : fa] c:\WINDOWS\System32\ver4 = (NS4 || IE4plus) ? true : false;
O4 - HKLM\..\Run: [var today = new Dat] c:\WINDOWS\System32\var today = new Date();
O4 - HKLM\..\Run: [var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of sc] c:\WINDOWS\System32\var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of screen
O4 - HKLM\..\Run: [var pos_left = (screen.width / 2) -125; // window horizontally centered, rou] c:\WINDOWS\System32\var pos_left = (screen.width / 2) -125; // window horizontally centered, roughly
O4 - HKLM\..\Run: [var NN4=d.layers?] c:\WINDOWS\System32\var NN4=d.layers?1:0;
O4 - HKLM\..\Run: [var gSafeOnload = new Arra] c:\WINDOWS\System32\var gSafeOnload = new Array();
O4 - HKLM\..\Run: [var expire = new Dat] c:\WINDOWS\System32\var expire = new Date();
O4 - HKLM\..\Run: [var d=docum] c:\WINDOWS\System32\var d=document;
O4 - HKLM\..\Run: [var cookieExist = getCookie(strCookieNa] c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);
O4 - HKLM\..\Run: [SafeAddOnload(PUWSta] c:\WINDOWS\System32\SafeAddOnload(PUWStart);
O4 - HKLM\..\Run: [s=screen.width;v=navigator.app] c:\WINDOWS\System32\s=screen.width;v=navigator.appName
O4 - HKLM\..\Run: [return unescape(document.cookie.substring(offset, end)) ] c:\WINDOWS\System32\return unescape(document.cookie.substring(offset, end))
O4 - HKLM\..\Run: [OSS] C:\WINDOWS\System32\ossproxy.exe -boot
O4 - HKLM\..\Run: [offset = document.cookie.indexOf(search) ] c:\WINDOWS\System32\offset = document.cookie.indexOf(search)
O4 - HKLM\..\Run: [offset += search.leng] c:\WINDOWS\System32\offset += search.length;
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\zmixjb.exe
O4 - HKLM\..\Run: [NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:fa] c:\WINDOWS\System32\NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:false;
O4 - HKLM\..\Run: [NS4 = (document.layers) ? true : fa] c:\WINDOWS\System32\NS4 = (document.layers) ? true : false;
O4 - HKLM\..\Run: [NS2] c:\WINDOWS\System32\NS2Ch=0
O4 - HKLM\..\Run: [mhppop(); //makeusyourhomepage] c:\WINDOWS\System32\mhppop(); //makeusyourhomepage pop
O4 - HKLM\..\Run: [j=navigator.javaEnabl] c:\WINDOWS\System32\j=navigator.javaEnabled()
O4 - HKLM\..\Run: [if(!NN] c:\WINDOWS\System32\if(!NN4) {
O4 - HKLM\..\Run: [if (offset != -1) { // if cookie exists ] c:\WINDOWS\System32\if (offset != -1) { // if cookie exists
O4 - HKLM\..\Run: [if (NS2Ch == ] c:\WINDOWS\System32\if (NS2Ch == 0) {
O4 - HKLM\..\Run: [if (IE4p] c:\WINDOWS\System32\if (IE4plus)
O4 - HKLM\..\Run: [if (end == -1) ] c:\WINDOWS\System32\if (end == -1)
O4 - HKLM\..\Run: [if ((flag ==] c:\WINDOWS\System32\if ((flag == 1))
O4 - HKLM\..\Run: [IEMajor ] c:\WINDOWS\System32\IEMajor = 0;
O4 - HKLM\..\Run: [IEmac = ((document.all)&&(isMac)) ? true : fa] c:\WINDOWS\System32\IEmac = ((document.all)&&(isMac)) ? true : false;
O4 - HKLM\..\Run: [IE5plus = IE5 || ] c:\WINDOWS\System32\IE5plus = IE5 || IE6;
O4 - HKLM\..\Run: [IE4plus = (document.all) ? true : fa] c:\WINDOWS\System32\IE4plus = (document.all) ? true : false;
O4 - HKLM\..\Run: [function setCookie(name, value) ] c:\WINDOWS\System32\function setCookie(name, value) {
O4 - HKLM\..\Run: [function SafeOnlo] c:\WINDOWS\System32\function SafeOnload()
O4 - HKLM\..\Run: [function SafeAddOnloa] c:\WINDOWS\System32\function SafeAddOnload(f)
O4 - HKLM\..\Run: [function PUW_In] c:\WINDOWS\System32\function PUW_Init()
O4 - HKLM\..\Run: [function PUW_CheckFrequen] c:\WINDOWS\System32\function PUW_CheckFrequency()
O4 - HKLM\..\Run: [function PUWSta] c:\WINDOWS\System32\function PUWStart()
O4 - HKLM\..\Run: [function mhppo] c:\WINDOWS\System32\function mhppop(){
O4 - HKLM\..\Run: [function isInt(nu] c:\WINDOWS\System32\function isInt(numIn)
O4 - HKLM\..\Run: [function getCookie(Name) ] c:\WINDOWS\System32\function getCookie(Name) {
O4 - HKLM\..\Run: [function FormFocu] c:\WINDOWS\System32\function FormFocus(){
O4 - HKLM\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()
O4 - HKLM\..\Run: [flag] c:\WINDOWS\System32\flag = 1
O4 - HKLM\..\Run: [expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3] c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 365);
O4 - HKLM\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length
O4 - HKLM\..\Run: [else {c=screen.pixelDe] c:\WINDOWS\System32\else {c=screen.pixelDepth}
O4 - HKLM\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();
O4 - HKLM\..\Run: [com_dmi3] C:\WINDOWS\System32\com_dmi3.exe
O4 - HKLM\..\Run: [A:hover {background: #FFCC00; color: bla] c:\WINDOWS\System32\A:hover {background: #FFCC00; color: black;}
O4 - HKLM\..\Run: [&lt;script language="javascript" type="text/javascri] c:\WINDOWS\System32\&lt;script language="javascript" type="text/javascript">
O4 - HKLM\..\Run: [// set index of end of cookie value ] c:\WINDOWS\System32\// set index of end of cookie value
O4 - HKLM\..\Run: [// set index of beginning of value ] c:\WINDOWS\System32\// set index of beginning of value
O4 - HKLM\..\Run: [// Browser Detec] c:\WINDOWS\System32\// Browser Detection
O4 - HKLM\..\Run: [// Body onload utility (supports multiple onload functi] c:\WINDOWS\System32\// Body onload utility (supports multiple onload functions)
O4 - HKLM\..\Run: [ var shouldShow = this.frequency !] c:\WINDOWS\System32\ var shouldShow = this.frequency != 0;
O4 - HKLM\..\Run: [ var newWin = window.open(this.url,this.name,settin] c:\WINDOWS\System32\ var newWin = window.open(this.url,this.name,settings);
O4 - HKLM\..\Run: [ var checknum = parseInt(num] c:\WINDOWS\System32\ var checknum = parseInt(numIn);
O4 - HKLM\..\Run: [ this.width = wi] c:\WINDOWS\System32\ this.width = width;
O4 - HKLM\..\Run: [ this.url = ] c:\WINDOWS\System32\ this.url = url;
O4 - HKLM\..\Run: [ this.top = screen.availHeight/2 - height/2; // ce] c:\WINDOWS\System32\ this.top = screen.availHeight/2 - height/2; // center
O4 - HKLM\..\Run: [ this.toolbar= fa] c:\WINDOWS\System32\ this.toolbar= false;
O4 - HKLM\..\Run: [ this.statusbar= fa] c:\WINDOWS\System32\ this.statusbar= false;
O4 - HKLM\..\Run: [ this.showDelay = 2] c:\WINDOWS\System32\ this.showDelay = 2000;
O4 - HKLM\..\Run: [ this.Show = PUW_S] c:\WINDOWS\System32\ this.Show = PUW_Show;
O4 - HKLM\..\Run: [ this.scrollbars= fa] c:\WINDOWS\System32\ this.scrollbars= false;
O4 - HKLM\..\Run: [ this.resizable = fa] c:\WINDOWS\System32\ this.resizable = false;
O4 - HKLM\..\Run: [ this.renew = 1; // renew showing every x h] c:\WINDOWS\System32\ this.renew = 1; // renew showing every x hours
O4 - HKLM\..\Run: [ this.ontop = fa] c:\WINDOWS\System32\ this.ontop = false;
O4 - HKLM\..\Run: [ this.menubar = fa] c:\WINDOWS\System32\ this.menubar = false;
O4 - HKLM\..\Run: [ this.locationbar = fa] c:\WINDOWS\System32\ this.locationbar = false;
O4 - HKLM\..\Run: [ this.left = screen.availWidth/2 - width/2; // ce] c:\WINDOWS\System32\ this.left = screen.availWidth/2 - width/2; // center
O4 - HKLM\..\Run: [ this.Init = PUW_I] c:\WINDOWS\System32\ this.Init = PUW_Init;
O4 - HKLM\..\Run: [ this.height = hei] c:\WINDOWS\System32\ this.height = height;
O4 - HKLM\..\Run: [ this.frequency = 1; // how many times show per renewal time pe] c:\WINDOWS\System32\ this.frequency = 1; // how many times show per renewal time period
O4 - HKLM\..\Run: [ this.CheckFrequency = PUW_CheckFreque] c:\WINDOWS\System32\ this.CheckFrequency = PUW_CheckFrequency;
O4 - HKLM\..\Run: [ return shouldS] c:\WINDOWS\System32\ return shouldShow;
O4 - HKLM\..\Run: [ return !isNaN(checkn] c:\WINDOWS\System32\ return !isNaN(checknum);
O4 - HKLM\..\Run: [ if (IEmac && IE4) // IE 4.5 blows out on testing window.on] c:\WINDOWS\System32\ if (IEmac && IE4) // IE 4.5 blows out on testing window.onload
O4 - HKLM\..\Run: [ if (! this.on] c:\WINDOWS\System32\ if (! this.ontop)
O4 - HKLM\..\Run: [ IEMajor = parseInt(navigator.appVersion.substring(start+5,en] c:\WINDOWS\System32\ IEMajor = parseInt(navigator.appVersion.substring(start+5,end));
O4 - HKLM\..\Run: [ else if (window.onl] c:\WINDOWS\System32\ else if (window.onload)
O4 - HKLM\..\Run: [ window.onload = SafeOnl] c:\WINDOWS\System32\ window.onload = SafeOnload;
O4 - HKLM\..\Run: [ window.onload ] c:\WINDOWS\System32\ window.onload = f;
O4 - HKLM\..\Run: [ window.focu] c:\WINDOWS\System32\ window.focus();
O4 - HKLM\..\Run: [ var exp = new Dat] c:\WINDOWS\System32\ var exp = new Date();
O4 - HKLM\..\Run: [ var allCookies = document.coo] c:\WINDOWS\System32\ var allCookies = document.cookie;
O4 - HKLM\..\Run: [ if (window.onload != SafeOnl] c:\WINDOWS\System32\ if (window.onload != SafeOnload)
O4 - HKLM\..\Run: [ gSafeOnload c:\WINDOWS\System32\ gSafeOnload();
O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ exp.setTime(exp.getTime()+this.renew*60*60] c:\WINDOWS\System32\ exp.setTime(exp.getTime()+this.renew*60*6000);
O4 - HKLM\..\Run: [ window.onload = SafeOnl] c:\WINDOWS\System32\ window.onload = SafeOnload;
O4 - HKLM\..\Run: [ var freqStr = allCookies.substring(start+9,e] c:\WINDOWS\System32\ var freqStr = allCookies.substring(start+9,end);
O4 - HKLM\..\Run: [ this.frequenc] c:\WINDOWS\System32\ this.frequency--;
O4 - HKLM\..\Run: [ shouldShow = fa] c:\WINDOWS\System32\ shouldShow = false;
O4 - HKLM\..\Run: [ if (isInt(freqS] c:\WINDOWS\System32\ if (isInt(freqStr))
O4 - HKLM\..\Run: [ gSafeOnload[0] = window.onl] c:\WINDOWS\System32\ gSafeOnload[0] = window.onload;
O4 - HKLM\..\Run: [ this.frequency = parseInt(freqS] c:\WINDOWS\System32\ this.frequency = parseInt(freqStr);
O4 - HKLM\..\Run: [ end = allCookies.len] c:\WINDOWS\System32\ end = allCookies.length;
O4 - HKLM\..\Run: [ Sea] c:\WINDOWS\System32\ Search:
O4 - HKLM\..\Run: [ s=screen.width;v=navigator.app] c:\WINDOWS\System32\ s=screen.width;v=navigator.appName
O4 - HKLM\..\Run: [ NS2] c:\WINDOWS\System32\ NS2Ch=0
O4 - HKLM\..\Run: [ j=navigator.javaEnabl] c:\WINDOWS\System32\ j=navigator.javaEnabled()
O4 - HKLM\..\Run: [ if (NS2Ch == ] c:\WINDOWS\System32\ if (NS2Ch == 0) {
O4 - HKLM\..\Run: [ else {c=screen.pixelDe] c:\WINDOWS\System32\ else {c=screen.pixelDepth}
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ }
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ -->
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [gPopupWindow.toolbar = fa] c:\WINDOWS\System32\gPopupWindow.toolbar = false;
O4 - HKLM\..\Run: [gPopupWindow.statusbar = fa] c:\WINDOWS\System32\gPopupWindow.statusbar = false;
O4 - HKLM\..\Run: [gPopupWindow.resizable = fa] c:\WINDOWS\System32\gPopupWindow.resizable = false;
O4 - HKLM\..\Run: [gPopupWindow.ontop = fa] c:\WINDOWS\System32\gPopupWindow.ontop = false;
O4 - HKLM\..\Run: [function PUW_Sh] c:\WINDOWS\System32\function PUW_Show()
O4 - HKLM\..\Run: [function PopupWindow(url,width,hei] c:\WINDOWS\System32\function PopupWindow(url,width,height)
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [advertisement</ti] c:\WINDOWS\System32\<title>advertisement
O4 - HKLM\..\Run: [ if (gPopupWindow.CheckFrequenc] c:\WINDOWS\System32\ if (gPopupWindow.CheckFrequency())
O4 - HKLM\..\Run: [ gPopupWindow.Ini] c:\WINDOWS\System32\ gPopupWindow.Init();
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [yxkzef] C:\WINDOWS\yxkzef.exe
O4 - HKLM\..\Run: [Fqfeu] C:\Program Files\Avllun\Owdl.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [beneditutti.com
O4 - HKLM\..\Run: [agynfba] C:\WINDOWS\agynfba.EXE
O4 - HKLM\..\Run: [laikecj] C:\WINDOWS\laikecj.exe
O4 - HKLM\..\Run: [vshlsin] C:\WINDOWS\vshlsin.exe
O4 - HKLM\..\Run: [pofkteo] C:\WINDOWS\pofkteo.exe
O4 - HKLM\..\Run: [eivvfbq] C:\WINDOWS\eivvfbq.EXE
O4 - HKLM\..\Run: [mqltarr] C:\WINDOWS\mqltarr.exe
O4 - HKLM\..\Run: [kodwzne] C:\WINDOWS\kodwzne.exe
O4 - HKLM\..\Run: [ddjzhvh] C:\WINDOWS\ddjzhvh.exe
O4 - HKLM\..\Run: [ Welcome to beneditutti.com</ti] c:\WINDOWS\System32\<title> Welcome to beneditutti.com
O4 - HKLM\..\Run: [ItalU] C:\WINDOWS\System32\italfds.exe
O4 - HKLM\..\Run: [tool4ame.com</TI] c:\WINDOWS\System32\<TITLE>tool4ame.com
O4 - HKLM\..\Run: [html,] c:\WINDOWS\System32\html,body
O4 - HKLM\..\Run: [margin:] c:\WINDOWS\System32\margin:0px;
O4 - HKLM\..\Run: [padding:] c:\WINDOWS\System32\padding:0px;
O4 - HKLM\..\Run: [body,td,div,.p,a{font-family:arial,sans-seri] c:\WINDOWS\System32\body,td,div,.p,a{font-family:arial,sans-serif; }
O4 - HKLM\..\Run: [nobrainnewbie.comnobrainnewbie.com
O4 - HKLM\..\Run: [div,td{color:#0] c:\WINDOWS\System32\div,td{color:#000;}
O4 - HKLM\..\Run: [function exittraffic() { if (flag == 1) { mhppop();] c:\WINDOWS\System32\function exittraffic() { if (flag == 1) { mhppop(); } }
O4 - HKLM\..\Run: [var rm_section_id = 174] c:\WINDOWS\System32\var rm_section_id = 174688;
O4 - HKLM\..\Run: [var rm_banned_pop_types =] c:\WINDOWS\System32\var rm_banned_pop_types = 29;
O4 - HKLM\..\Run: [var rm_pop_times = ] c:\WINDOWS\System32\var rm_pop_times = 100;
O4 - HKLM\..\Run: [var rm_pop_frequency = 86] c:\WINDOWS\System32\var rm_pop_frequency = 86400;
O4 - HKLM\..\Run: [rmShowPo] c:\WINDOWS\System32\rmShowPop();
O4 - HKLM\..\Run: [a.catTitleP{font-weight: bold;font-size: 10] c:\WINDOWS\System32\a.catTitleP{font-weight: bold;font-size: 10pt;}
O4 - HKLM\..\Run: [nobrainnewbie.com</TI] c:\WINDOWS\System32\<TITLE>nobrainnewbie.com
O4 - HKLM\..\Run: [&lt;script language="JavaScri] c:\WINDOWS\System32\&lt;script language="JavaScript">
O4 - HKLM\..\Run: [var rm_host = "http://ad.91s.c] c:\WINDOWS\System32\var rm_host = "http://ad.91s.com";
O4 - HKLM\..\Run: [ beneditutti.com</ti] c:\WINDOWS\System32\ <title>beneditutti.com

#9 bmreid

Posted 04 March 2008 - 03:01 PM

Hi,

I've performed all of the tasks in the instructions:

Here is the ComboFix log, followed by the AVG log, and then the new HijackThis log.







Combo Fix:


ComboFix 08-02-25.3 - brooks 2008-03-04 11:32:57.2 - NTFSx86
Running from: C:\Documents and Settings\brooks\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\brooks\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\brooks\Application Data\DownloadPlus.exe
C:\Documents and Settings\brooks\Application Data\tvmcwrd.dll
C:\Documents and Settings\brooks\cpdef2.exe
C:\Documents and Settings\brooks\cpdef3.exe
C:\Documents and Settings\brooks\idInst.exe
C:\Documents and Settings\brooks\idInst5020.exe
C:\Documents and Settings\brooks\pcscan3inst.exe
C:\Documents and Settings\brooks\windns.exe
C:\Program Files\pup.exe
c:\temp\salm.exe
C:\WINDOWS\2_0_1browserhelper2.dll
C:\WINDOWS\agynfba.EXE
C:\WINDOWS\BM3f405b1b.xml
C:\WINDOWS\Bolger.dll
C:\WINDOWS\ddjzhvh.exe
C:\WINDOWS\dinst.exe
C:\WINDOWS\dsr.dll
C:\WINDOWS\eivvfbq.EXE
C:\WINDOWS\farmmext.exe
C:\WINDOWS\kodwzne.exe
C:\WINDOWS\kwv2.dat
C:\WINDOWS\laikecj.exe
C:\WINDOWS\lbbho.dll
C:\WINDOWS\lu.dat
C:\WINDOWS\mnxeruc.exe
C:\WINDOWS\mqltarr.exe
C:\WINDOWS\nem218.dll
C:\WINDOWS\pofkteo.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\svcproc.exe
C:\WINDOWS\System32\a.exe
C:\WINDOWS\System32\angelex.exe
C:\WINDOWS\System32\asclkynx.dll
C:\WINDOWS\System32\bridge.dll
C:\WINDOWS\System32\com_dmi3.exe
C:\WINDOWS\system32\dqzqrsrg.dll
C:\WINDOWS\System32\dsktrf1.dll
C:\WINDOWS\system32\GClogo_32x32.ico
C:\WINDOWS\System32\hka.dll
C:\WINDOWS\System32\ichckupd.exe
C:\WINDOWS\System32\irsmqymf.dll
C:\WINDOWS\System32\irssyncd.exe
C:\WINDOWS\System32\italaxsj.dll
C:\WINDOWS\System32\kiu.dll
C:\WINDOWS\system32\libgycyt.dll
C:\WINDOWS\System32\mljgg.dll
C:\WINDOWS\system32\MSFXDB32.SRG
C:\WINDOWS\System32\nnnlmlk.dll
C:\WINDOWS\System32\nsj234F.dll
C:\WINDOWS\System32\nsw145.dll
C:\WINDOWS\System32\pshwr.exe
C:\WINDOWS\System32\rdjadxbw.dll
C:\WINDOWS\System32\tcblmoma.dll
C:\WINDOWS\system32\tjvaqbql.ini
C:\WINDOWS\System32\winb2s32.dll
C:\WINDOWS\vshlsin.exe
C:\WINDOWS\wsem303.dll
C:\WINDOWS\yxkzef.exe
C:\WINDOWS\zeta.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\RDSA
C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.cfg
C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
C:\Documents and Settings\All Users\Application Data\RDSA\RDSA.x2f
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\x1ff
C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.cfg
C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll
C:\Documents and Settings\All Users\Application Data\x1ff\X1FF0.dll
C:\Documents and Settings\All Users\Application Data\x1ff\xde14687.exe
C:\Documents and Settings\brooks\Application Data\DownloadPlus.exe
C:\Documents and Settings\brooks\Application Data\tvmcwrd.dll
C:\Documents and Settings\brooks\cpdef2.exe
C:\Documents and Settings\brooks\cpdef3.exe
C:\Documents and Settings\brooks\idInst.exe
C:\Documents and Settings\brooks\idInst5020.exe
C:\Documents and Settings\brooks\pcscan3inst.exe
C:\Documents and Settings\brooks\windns.exe
C:\Program Files\Avllun
C:\Program Files\Avllun\bak\Owdl.exe
C:\Program Files\ClockSync
C:\Program Files\ClockSync\bak\Sync.exe
C:\Program Files\Common Files\WinTools
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Dot1XCfg
C:\Program Files\NavExcel
C:\Program Files\NavExcel\NavHelper\v2.0.4d\bak\navapp.exe
C:\Program Files\NavExcel\NavHelper\v2.0.4d\NHelper.dll
C:\Program Files\NavExcel\NavHelper\v2.0.4d\NHelper.htm
C:\Program Files\NavExcel\NavHelper\v2.0.4d\NHUninstaller.exe
C:\Program Files\NavExcel\NavHelper\v2.0.4d\NHUpdater.exe
C:\Program Files\NavExcel\NavHelper\v2.0.4d\v2.0.4d.cab
C:\Program Files\pup.exe
C:\Program Files\Toolbar
C:\Program Files\Toolbar\common.dll
C:\Program Files\Toolbar\CT5Upd.exe
C:\Program Files\Toolbar\Cursors\cursors.xml
C:\Program Files\Toolbar\gykhxlmu.rmr
C:\Program Files\Toolbar\IExploreSkins.exe
C:\Program Files\Toolbar\nzqlihv.wzg
C:\Program Files\Toolbar\PIB.exe
C:\Program Files\Toolbar\radio.exe
C:\Program Files\Toolbar\rw.wzg
C:\Program Files\Toolbar\TBPS.dat
C:\Program Files\Toolbar\TBPS.exe
C:\Program Files\Toolbar\TBPSSvc.exe
C:\Program Files\Toolbar\toolbar.dll
C:\Program Files\Toolbar\Update\zwipvbh.wzg
C:\Program Files\Toolbar\WSG.exe
C:\Program Files\Toolbar\xlmurin.wzg
C:\Program Files\Toolbar\xzxsv.wzg
C:\Program Files\Toolbar\yildhvi.olt
C:\Program Files\Toolbar\yywr.wzg
C:\Program Files\Toolbar\yywsv.wzg
C:\Program Files\Toolbar\zwipvbh.wzg
C:\Program Files\WildTangent
C:\Program Files\WildTangent\Apps\CDA\ActiveLauncher.ini
C:\Program Files\WildTangent\Apps\CDA\ActiveLauncher0101.dll
C:\Program Files\WildTangent\Apps\CDA\CDAEngine0400.dll
C:\Program Files\WildTangent\Apps\CDA\CDALogger.dll
C:\Program Files\WildTangent\Apps\CDA\CDALogger0401.dll
C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
C:\Program Files\WildTangent\Apps\CDA\ControlPanel\CDA\about.html
C:\Program Files\WildTangent\Apps\CDA\ControlPanel\CDA\cache.html
C:\Program Files\WildTangent\Apps\CDA\ControlPanel\CDA\updates.html
C:\Program Files\WildTangent\Apps\CDA\ControlPanel\DMMP\index.html
C:\Program Files\WildTangent\Apps\CDA\ControlPanel\DRM\index.html
C:\Program Files\WildTangent\Apps\CDA\ControlPanel\index.html
C:\Program Files\WildTangent\Apps\CDA\ControlPanel\nav.html
C:\Program Files\WildTangent\Apps\CDA\ControlPanel\Webd\index.html
C:\Program Files\WildTangent\Apps\CDA\ControlPanel\wt.gif
C:\Program Files\WildTangent\Apps\CDA\OtherLicenses.txt
C:\Program Files\WildTangent\Apps\CDA\wt.ico
C:\Program Files\WildTangent\Apps\CDA\wtControlPanel.cpl
C:\Program Files\WildTangent\Apps\DRM0302.dll
C:\Program Files\WildTangent\Apps\DRM0302java.jar
C:\Program Files\WildTangent\Apps\rDRM0302.dll
C:\Program Files\WildTangent\Components\wtAppConfig0200.dll
C:\Program Files\WildTangent\Components\wtCache0200.dll
C:\Program Files\WildTangent\Components\wtCookie0200.dll
C:\Program Files\WildTangent\Components\wtDownloader0200.dll
C:\Program Files\WildTangent\Components\wtGameData0200.dll
C:\Program Files\WildTangent\Components\wtGUI0200.dll
C:\Program Files\WildTangent\Components\wtIO0200.dll
C:\Program Files\WildTangent\Components\wtKernel0200.dll
C:\Program Files\WildTangent\Components\wtLua0200.dll
C:\Program Files\WildTangent\Components\wtNetworking0200.dll
C:\Program Files\WildTangent\Components\wtPropertyBag0200.dll
C:\Program Files\WildTangent\Components\wtScript0200.dll
C:\Program Files\WildTangent\Components\wtSerialization0200.dll
C:\Program Files\WildTangent\Components\wtStreamProcessing0200.dll
C:\Program Files\WildTangent\Components\wtSystem0200.dll
C:\Program Files\WildTangent\Components\wtSystemConfig0200.dll
C:\Program Files\WildTangent\Components\wtUserSupport0200.dll
C:\Program Files\WildTangent\Components\wtXml0200.dll
C:\Program Files\WildTangent\LFS\AppConfig\CDA.wtcfg
C:\Program Files\WildTangent\LFS\Cache\Cache.dat
C:\Program Files\WildTangent\LFS\CDAData\Checkin\download.html
C:\Program Files\WildTangent\LFS\CDAData\Checkin\downloadTrayIconData.cdas
C:\Program Files\WildTangent\LFS\CDAData\Checkin\icon.ico
C:\Program Files\WildTangent\LFS\CDAData\Checkin\install.html
C:\Program Files\WildTangent\LFS\CDAData\Checkin\install_complete.html
C:\Program Files\WildTangent\LFS\CDAData\Checkin\install_progress.html
C:\Program Files\WildTangent\LFS\CDAData\Checkin\installTrayIconData.cdas
C:\Program Files\WildTangent\LFS\CDAData\Checkin\inuse.html
C:\Program Files\WildTangent\LFS\CDAData\Checkin\inuseitems.html
C:\Program Files\WildTangent\LFS\CDAData\Checkin\items.html
C:\Program Files\WildTangent\LFS\CDAData\Checkin\style.css
C:\Program Files\WildTangent\LFS\CDAData\Checkin\wt.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\CDAOnlyScreen\style.css
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\CDAOnlyScreen\uninstall_prompt.html
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\ErrorScreen\style.css
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\ErrorScreen\uninstall_error.html
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\FinishedScreen\style.css
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\FinishedScreen\uninstall_complete.html
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\bc.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\bl.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\br.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\btm.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\cancel-over.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\cancel.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\finish-over.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\finish.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\header.jpg
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\le.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\mb.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\next-over.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\next.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\re.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\retry-over.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\retry.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\InUseScreen\inuse.html
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\InUseScreen\items.html
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\InUseScreen\style.css
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\ProgressScreen\style.css
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\ProgressScreen\uninstall_progress.html
C:\Program Files\WildTangent\LFS\Scripts\Common\CL01.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_Files.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_LFSInit.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_Registry.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_Scheduler.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_String.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_User.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\DpidLibrary_01.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\MasterUpdateLibrary_01.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\UI_Stub.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\UrlUpdateList.cdas
C:\Program Files\WildTangent\LFS\Scripts\Downloaded\BandwidthUpload.cdas
C:\Program Files\WildTangent\LFS\Scripts\Downloaded\MasterUpdate.cdas
C:\Program Files\WildTangent\LFS\Scripts\Downloaded\SystemConfigurationUpload.cdas
C:\Program Files\WildTangent\LFS\Scripts\Downloaded\UrlUpdateList.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\CDALogger_fileList.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\CDALogger_install.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\CPL_fileList.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\CPL_uninstall.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\DMMP_fileList.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\DMMP_install.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\DMMP_Uninstall.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\DRM0302_fileList.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\DRM0302_install.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\DRM0302_Uninstall.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\UI_checkin.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\Webd331_filelist.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\Webd331_Uninstall.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\Webd4_1_1_fileList.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\Webd4_1_1_install.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\Webd4_1_1_Uninstall.cdas
C:\Program Files\WildTangent\LFS\Scripts\Uninstall\DMMP.cdanfo
C:\Program Files\WildTangent\LFS\Scripts\Uninstall\DRM0302.cdanfo
C:\Program Files\WildTangent\LFS\Scripts\Uninstall\Uninstaller.cdas
C:\Program Files\WildTangent\LFS\Scripts\Uninstall\Webd331.cdanfo
C:\Program Files\WildTangent\LFS\Scripts\Uninstall\Webd4_1_1.cdanfo
C:\Program Files\WildTangent\LFS\System\wt.sto
C:\Program Files\WildTangent\LFS\TaskStore\Bandwidth.cdaed
C:\Program Files\WildTangent\LFS\TaskStore\Bandwidth.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\Bandwidth.cdaet
C:\Program Files\WildTangent\LFS\TaskStore\CreateAppConfig.cdaed
C:\Program Files\WildTangent\LFS\TaskStore\CreateAppConfig.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\CreateAppConfig.cdaet
C:\Program Files\WildTangent\LFS\TaskStore\GameData.cdaed
C:\Program Files\WildTangent\LFS\TaskStore\GameData.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\GameData.cdaet
C:\Program Files\WildTangent\LFS\TaskStore\Maint.cdaed
C:\Program Files\WildTangent\LFS\TaskStore\Maint.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\Maint.cdaet
C:\Program Files\WildTangent\LFS\TaskStore\MigrateDpid.cdaed
C:\Program Files\WildTangent\LFS\TaskStore\MigrateDpid.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\MigrateDpid.cdaet
C:\Program Files\WildTangent\LFS\TaskStore\NewUser.cdaed
C:\Program Files\WildTangent\LFS\TaskStore\NewUser.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\NewUser.cdaet
C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateLibrary01.cdas
C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateNormal.cdaed
C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateNormal.cdaes

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ISEXENG
-------\LEGACY_MSCONTROLSERVICE
-------\LEGACY_SVCPROC
-------\LEGACY_TBPSSVC
-------\LEGACY_ZESOFT
-------\ISEXEng
-------\MSControlService
-------\SvcProc
-------\TBPSSvc
-------\ZESOFT


((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-02-28 13:32 . 2008-02-28 13:32 <DIR> d-------- C:\Program Files\JavaCore
2008-02-26 14:19 . 2008-02-29 10:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-26 14:19 . 2008-02-26 14:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-22 13:07 . 2008-02-22 13:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-22 12:35 . 2008-02-22 12:35 <DIR> d-------- C:\WINDOWS\F34D9A5F484A4E31A9D3908CB265B289.TMP
2008-02-22 10:31 . 2008-02-22 10:31 47 --a------ C:\hWaitEventRetryInstall
2008-02-21 21:50 . 2008-02-21 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-28 15:10 --------- d-----w C:\Documents and Settings\brooks\Application Data\uTorrent
2008-02-22 17:38 --------- d-----w C:\Program Files\DivX
2008-02-22 15:26 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-22 15:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-22 15:23 --------- d-----w C:\Program Files\AIM Toolbar
2008-02-02 22:04 --------- d-----w C:\Program Files\BearShare
2008-02-02 22:02 --------- d-----w C:\Documents and Settings\brooks\Application Data\Aim
2008-01-29 03:05 --------- d-----w C:\Program Files\iTunes
2008-01-29 03:04 --------- d-----w C:\Program Files\iPod
2005-03-01 03:41 17,144 -c--a-w C:\Documents and Settings\brooks\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00F1D395-4744-40f0-A611-980F61AE2C59}]
C:\WINDOWS\dsr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0AD4BDCA-A01D-A328-E289-CDC5EB400EA9}]
C:\WINDOWS\system32\libgycyt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B6899B6-1564-43e0-BD93-F7CF930A5E5C}]
C:\WINDOWS\System32\nsj234F.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}]
C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3660BFC6-5C2C-23A1-0215-5D00BECD8DCF}]
C:\WINDOWS\System32\hka.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]
C:\WINDOWS\isrvs\sysupd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D60FF48-95BE-4956-B4C6-6BB168A70310}]
C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6333BCC1-5A2D-22FB-0615-5D00BECDD8C8}]
C:\WINDOWS\System32\kiu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83DC91DB-7896-43E3-B34D-A7D043F16BB1}]
C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8952A998-1E7E-4716-B23D-3DBE03910972}]
C:\PROGRA~1\Toolbar\toolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC}]
C:\Program Files\NavExcel\NavHelper\v2.0.4d\NHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01}]
C:\WINDOWS\System32\dsktrf1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE7EF827-47CC-48EB-B570-C367F1E1277E}]
C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7F808F0-6F7D-442C-93E3-4A4827C2E4C8}]
C:\WINDOWS\nem218.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [ ]
"gSafeOnload[gSafeOnload.length] = f;"="" []
"gSafeOnload[0] = window.onload;"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-05 18:03 267064]
"Uninstall_WinTools"="C:\WINDOWS\Temp\WTuninst.exe" [ ]
"TBPS"="C:\PROGRA~1\Toolbar\TBPS.exe" [ ]
"navapp"="C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe" [ ]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2001-08-23 07:00 375808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dqzqrsrg]
dqzqrsrg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjgdbc]
ljjgdbc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpmji]
ssqpmji.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ :\WINDOW
--a------ 2001-08-23 07:00 8547 c:\WINDOWS\System32\}

R3 WLAN_USB;Wireless LAN USB Driver;C:\WINDOWS\System32\DRIVERS\MA111nd5.sys [2002-12-23 08:36]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 11:51:10
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
" gSafeOnload[gSafeOnload.length] "="c:\\WINDOWS\\System32\\\09\09gSafeOnload[gSafeOnload.length] = f;"
" gSafeOnload[0] = window.onl"="c:\\WINDOWS\\System32\\\09\09\09gSafeOnload[0] = window.onload;"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-04 12:07:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 17:06:55
ComboFix2.txt 2008-02-28 19:52:34
.
2008-02-23 04:24:32 --- E O F ---









AVG Log:


I don't have Notepad, and when I open it in WordPad it is coded, so I've attached the AVG log file. If this doesn't work, let me know.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:48 PM, on 3/4/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iub.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ gSafeOnload[0] = window.onl] c:\WINDOWS\System32\ gSafeOnload[0] = window.onload;
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\brooks\Application Data\DownloadPlus.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O20 - AppInit_DLLs:
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 3830 bytes





Thanks


#10 Baabiouz

Posted 06 March 2008 - 11:23 AM

Yep, the AVG A-S report doesn't work very well :thumbsup: Can you please upload it, for example, here:
http://rapidshare.com/