Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser re-direct to "wsearch"


  • This topic is locked This topic is locked
64 replies to this topic

#1 AnnaZed

AnnaZed

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Los Angeles, CA
  • Local time:12:32 AM

Posted 16 October 2008 - 06:47 PM

Hi, thanks for reading this. I read your "Use Before Posting A Hijackthis Log" page, and I did all of that.

For about a month our browser keeps getting re-directed to something called wsearch.net (which is a dud/fake search engine page. It also pops this up (everytime):

<hxxp://www.wsearch.net/toolbar.htm>

At first it was just if you failed to type exact urls into the box, now even saved links, links from other sites or favorites often get this re-direct. It's pretty bad. AVG didn't get rid of it, Spybot, Ad-Aware, Housecall, Panda and BitDefender ~ it's still happening.

So, I am posting my Hijackthis Log here (hope that is ok to do now):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:47 PM, on 10/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 7107 bytes

Edited by Orange Blossom, 11 February 2013 - 02:21 AM.
Deactivate link to protect readers. ~ OB


BC AdBot (Login to Remove)

 


m

#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:32 AM

Posted 21 October 2008 - 07:16 PM

Hello, AnnaZed.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:
  • While a HJT Team member is working with you, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please reply using the Posted Image button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" :).
If you would still like help, please follow the instructions below:

We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • OTViewIt.txt
  • Extra.txt
  • Kaspersky's Log


Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#3 AnnaZed

AnnaZed
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Los Angeles, CA
  • Local time:12:32 AM

Posted 21 October 2008 - 07:56 PM

Thank you so much Billy for looking into this.

OK, here's the OTViewIt.Txt:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OTViewIt logfile created on: 10/21/2008 5:45:18 PM - Run 3
OTViewIt by OldTimer - Version 1.0.17.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

766.48 Mb Total Physical Memory | 438.36 Mb Available Physical Memory | 57.19% Memory free
1.83 Gb Paging File | 1.56 Gb Available in Paging File | 85.27% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 128.13 Gb Free Space | 85.97% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FOES1
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2008/10/06 14:51:32 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
[2004/08/11 01:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
[2008/10/06 14:51:34 | 00,287,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
[2005/06/21 17:48:18 | 00,155,648 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
[2005/06/21 23:44:34 | 00,126,976 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
[2004/11/02 20:24:46 | 00,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[2008/06/10 04:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
[2008/10/07 08:23:46 | 00,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
[2002/04/17 10:42:56 | 00,069,632 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[2006/06/01 13:32:12 | 00,094,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
[2002/04/17 10:49:16 | 00,077,824 | ---- | M] () -- c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
[2008/09/16 12:16:08 | 01,833,296 | RHS- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[2008/07/18 22:10:42 | 00,053,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe
[2008/10/06 14:39:42 | 01,234,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
[2008/10/21 17:42:17 | 00,421,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe
[2008/04/13 17:12:29 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\notepad.exe

========== (O23) Win32 Services ==========

[2004/07/15 01:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2008/10/06 14:51:32 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
[2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2004/08/11 01:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])

========== Driver Services ==========

[2002/04/01 13:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
[2004/10/07 18:16:04 | 00,035,840 | ---- | M] (Oak Technology Inc.) -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K [System | Running])
[2008/10/06 14:51:47 | 00,097,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
[2008/10/06 14:51:44 | 00,026,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
[2003/06/30 18:11:52 | 00,043,136 | R--- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp [On_Demand | Running])
[2005/06/21 18:12:34 | 00,807,998 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm [On_Demand | Running])
[2008/04/13 11:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Running])
[2008/09/10 00:10:04 | 00,038,528 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy [On_Demand | Stopped])
[2004/08/04 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2008/09/03 14:07:14 | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV [System | Running])
[2008/09/03 14:07:16 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
[2008/09/03 14:07:12 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL [System | Running])
[2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2002/12/19 17:48:48 | 00,539,008 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
[2001/08/17 14:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])
[2001/08/17 14:53:32 | 00,006,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\serscan.sys -- (StillCam [On_Demand | Running])
[2002/09/23 23:35:44 | 00,014,208 | R--- | M] (Linksys) -- C:\WINDOWS\system32\drivers\USB200M.sys -- (USB20L [On_Demand | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.google.com
"Secondary Start Pages"=
"Start Page"=http://www.yahoo.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-1993962763-1292428093-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.google.com
"Secondary Start Pages"=
"Start Page"=http://www.yahoo.com

[HKEY_USERS\S-1-5-21-1993962763-1292428093-682003330-1003\Software\Microsoft\Internet Explorer\SearchURL]
""=http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

[HKEY_USERS\S-1-5-21-1993962763-1292428093-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1993962763-1292428093-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-1993962763-1292428093-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (266386 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.123topsearch.com
127.0.0.1 123topsearch.com
127.0.0.1 www.132.com
127.0.0.1 132.com
127.0.0.1 www.136136.net
127.0.0.1 136136.net
127.0.0.1 www.163ns.com
127.0.0.1 163ns.com
9228 more lines...

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4efb-9B51-7695ECA05670} (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} (HKLM) -- C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
{53707962-6F74-2D53-2644-206D7942484F} (HKLM) -- C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
{A057A204-BACC-4D26-9990-79A187E2698E} (HKLM) -- C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG, Technologies CZ, s.r.o )
{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{A057A204-BACC-4D26-9990-79A187E2698E}" (HKLM) -- C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG, Technologies CZ, s.r.o )

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}" (HKLM) -- C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG, Technologies CZ, s.r.o )

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1993962763-1292428093-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}" (HKLM) -- C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG, Technologies CZ, s.r.o )

[HKEY_USERS\S-1-5-21-1993962763-1292428093-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
"NWEReboot"= File not found
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" (Cyberlink Corp.)
"Share-to-Web Namespace Daemon"=c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (Hewlett-Packard)
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" (Yahoo! Inc)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (Nero AG)
"Search Protection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
"YSearchProtection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)

[HKEY_USERS\S-1-5-21-1993962763-1292428093-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (Nero AG)
"Search Protection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
"YSearchProtection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)

========== (O4) Startup Folders ==========

[2003/08/06 13:23:32 | 00,051,776 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1993962763-1292428093-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1993962763-1292428093-682003330-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{85d1f590-48f4-11d9-9669-0800200c9a66}: Menu: Uninstall BitDefender Online Scanner v8 -- %SystemRoot%\bdoscandel.exe [2008/01/09 15:01:48 | 00,053,248 | ---- | M] ()
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search & Destroy Configuration -- %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 17:12:28 | 01,695,232 | -HS- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 17:12:28 | 01,695,232 | -HS- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 17:12:28 | 01,695,232 | -HS- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1993962763-1292428093-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 17:12:28 | 01,695,232 | -HS- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
46 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
45 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
45 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
45 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-1993962763-1292428093-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
45 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}: C:\Program Files\Yahoo!\Common\Yinsthelper.dll -- Installation Support
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}: http://download.bitdefender.com/resources/scan8/oscan8.cab -- BDSCANONLINE Control
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{6A313AA9-97F2-4B59-A7B3-BDF1151A1CE6} (Servers: | Description: Linksys USB 2.0 10/100 Adapter)
{DC8FFC95-DB45-4422-9F29-F7E5D937399D} (Servers: | Description: Broadcom 440x 10/100 Integrated Controller)

========== (O20) AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=avgrsstx.dll
>[2008/10/06 14:51:52 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\avgrsstx.dll

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
!SASWinLogon: "DllName" = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll -- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
igfxcui: "DllName" = igfxsrvc.dll -- C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)

========== (O21) SSODL Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UPnPMonitor"={e57ce738-33e8-4c51-8354-bb4de9d215d1} (HKLM) -- CLSID or file not found.

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2007/10/04 09:56:08 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7b942c13-72bb-11dc-a780-00106084528b}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7b942c13-72bb-11dc-a780-00106084528b}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7b942c13-72bb-11dc-a780-00106084528b}\Shell\AutoRun\command]
""=E:\LaunchU3.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[5 C:\WINDOWS\*.tmp files]
[2008/10/21 17:42:16 | 00,421,888 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe
[2008/10/20 13:27:07 | 07,281,784 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\windows-kb890830-v2.2.exe
[2008/10/20 13:08:43 | 00,215,928 | ---- | C] (Sysinternals) -- C:\Documents and Settings\Owner\Desktop\pagedfrg.exe
[2008/10/20 13:08:27 | 00,025,992 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\pgdfgsvc.exe
[2008/10/20 12:01:33 | 00,000,000 | ---D | C] -- C:\Program Files\ACW
[2008/10/20 12:01:05 | 00,135,528 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Desktop\315265.exe
[2008/10/20 11:44:27 | 00,001,548 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\CCleaner.lnk
[2008/10/20 11:44:26 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2008/10/17 17:06:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Adobe
[2008/10/17 16:01:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Ahead
[2008/10/17 14:33:28 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008/10/17 14:33:22 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2008/10/16 16:51:17 | 00,000,000 | ---D | C] -- C:\rsit
[2008/10/16 16:50:55 | 00,305,705 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RSIT.exe
[2008/10/16 16:23:21 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2008/10/16 16:23:16 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/10/16 15:42:34 | 02,482,695 | ---- | C] (McAfee Inc.) -- C:\Documents and Settings\Owner\Desktop\stinger.exe
[2008/10/16 15:16:06 | 00,000,000 | ---D | C] -- C:\WINDOWS\BDOSCAN8
[2008/10/15 17:06:58 | 00,333,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srv.sys
[2008/10/15 17:06:23 | 01,846,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\win32k.sys
[2008/10/15 17:06:20 | 02,145,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2008/10/15 17:06:18 | 02,189,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2008/10/15 17:06:15 | 02,023,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2008/10/15 17:06:14 | 02,066,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2008/10/09 14:20:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Share-to-Web Upload Folder
[2008/10/09 14:17:26 | 00,000,000 | ---D | C] -- C:\col3927
[2008/10/08 15:20:56 | 00,024,064 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Doc4.doc
[2008/10/08 10:22:34 | 00,027,136 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Health and Life Direct.doc
[2008/10/07 15:19:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2008/10/07 15:19:20 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2008/10/07 15:19:18 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2008/10/07 15:19:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[2008/10/07 15:16:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2008/10/07 15:15:37 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2008/10/07 12:10:04 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2008/10/06 17:14:23 | 00,000,073 | ---- | C] () -- C:\WINDOWS\st_affiliate.ini
[2008/10/06 16:29:04 | 00,000,264 | ---- | C] () -- C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job
[2008/10/06 16:29:03 | 00,000,338 | ---- | C] () -- C:\WINDOWS\tasks\Uniblue SpyEraser.job
[2008/10/06 16:17:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Uniblue
[2008/10/06 16:17:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Uniblue
[2008/10/06 16:17:11 | 00,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2008/10/06 16:00:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2008/10/06 16:00:18 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/10/06 16:00:17 | 00,017,200 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/10/06 16:00:16 | 00,038,528 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/10/06 16:00:15 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008/10/06 16:00:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/10/06 14:51:55 | 00,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.0.lnk
[2008/10/06 14:51:52 | 00,010,520 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2008/10/06 14:51:47 | 00,097,928 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2008/10/06 14:51:44 | 00,026,824 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2008/10/06 14:51:42 | 29,112,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2008/10/06 14:51:42 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2008/10/06 14:51:42 | 00,307,238 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2008/10/06 14:51:42 | 00,060,769 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2008/10/06 14:51:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2008/10/06 14:51:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
[2008/10/01 15:03:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\New Folder

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2008/10/21 17:42:17 | 00,421,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe
[2008/10/21 16:59:41 | 00,002,521 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Office Outlook 2003.lnk
[2008/10/21 08:59:58 | 29,112,848 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2008/10/21 08:57:54 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/10/21 08:57:50 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/10/20 13:09:29 | 00,025,992 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\pgdfgsvc.exe
[2008/10/20 13:08:43 | 00,215,928 | ---- | M] (Sysinternals) -- C:\Documents and Settings\Owner\Desktop\pagedfrg.exe
[2008/10/20 13:04:50 | 00,060,769 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2008/10/20 12:01:06 | 00,135,528 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Desktop\315265.exe
[2008/10/20 11:44:27 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CCleaner.lnk
[2008/10/20 08:20:17 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/10/17 14:33:28 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008/10/17 10:39:00 | 00,000,264 | ---- | M] () -- C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job
[2008/10/16 16:50:55 | 00,305,705 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RSIT.exe
[2008/10/16 16:23:21 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2008/10/16 15:42:38 | 02,482,695 | ---- | M] (McAfee Inc.) -- C:\Documents and Settings\Owner\Desktop\stinger.exe
[2008/10/16 03:10:46 | 00,194,568 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/10/09 22:15:29 | 00,307,238 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2008/10/09 14:19:54 | 00,000,778 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/10/08 15:20:56 | 00,024,064 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Doc4.doc
[2008/10/08 10:34:10 | 00,027,136 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Health and Life Direct.doc
[2008/10/07 16:27:14 | 00,443,072 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/10/07 16:27:14 | 00,383,584 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2008/10/07 16:27:14 | 00,053,812 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2008/10/07 15:19:20 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2008/10/06 17:14:23 | 00,000,073 | ---- | M] () -- C:\WINDOWS\st_affiliate.ini
[2008/10/06 16:29:03 | 00,000,338 | ---- | M] () -- C:\WINDOWS\tasks\Uniblue SpyEraser.job
[2008/10/06 16:00:18 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/10/06 14:51:55 | 00,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.0.lnk
[2008/10/06 14:51:52 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2008/10/06 14:51:47 | 00,097,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2008/10/06 14:51:44 | 00,026,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2008/10/06 14:51:42 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2008/10/03 10:41:15 | 06,066,176 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieframe.dll
[2008/10/03 10:41:15 | 06,066,176 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2008/10/02 16:00:29 | 00,266,386 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2008/10/02 15:43:33 | 07,281,784 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\windows-kb890830-v2.2.exe
< End of report >

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here's the Extras.Txt (note: it says "extras" not "extra" I hope that is right)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OTViewIt Extras logfile created on: 10/21/2008 5:45:18 PM - Run 3
OTViewIt by OldTimer - Version 1.0.17.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

766.48 Mb Total Physical Memory | 438.36 Mb Available Physical Memory | 57.19% Memory free
1.83 Gb Paging File | 1.56 Gb Available in Paging File | 85.27% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 128.13 Gb Free Space | 85.97% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FOES1
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Reg Error: Value does not exist or could not be read.] -- Reg Error: Key does not exist or could not be opened. File not found
.url [@ = InternetShortcut] -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 17:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 17:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/13 17:12:17 | 00,017,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server
[2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008/10/06 14:51:34 | 00,641,304 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2008/10/06 14:51:39 | 00,079,128 | ---- | M] (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG8\avgpp.dll (linkscanner:{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} (HKLM) [XPLPPFilter Class])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/04 13:19:34 | 07,330,360 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/01 15:09:04 | 08,086,072 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 22:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}"=OpenOffice.org Installer 1.0
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{52504CE6-E909-4113-B232-4AFEC6543A61}"=Broadcom 440x 10/100 Integrated Controller
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}"=PowerDVD
"{6CC93102-135E-49E2-99A4-C431E671C12A}"=HP Photo and Imaging 2.0 - Scanners
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}"=MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{8A708DD8-A5E6-11D4-A706-000629E95E20}"=Intel® Extreme Graphics Driver
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{90170409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office FrontPage 2003
"{90510409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Visio Professional 2003
"{90A10409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office OneNote 2003
"{9BB69D0F-1369-4DBD-99A9-1BC228ED1033}"=Nero 7 Essentials
"{AC76BA86-7AD7-1033-7B44-A81200000003}"=Adobe Reader 8.1.2
"{B376402D-58EA-45EA-BD50-DD924EB67A70}"=HP Memories Disc
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}"=SUPERAntiSpyware Free Edition
"{F0A37341-D692-11D4-A984-009027EC0A9C}"=SoundMAX
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player Plugin
"AVG8Uninstall"=AVG Free 8.0
"CCleaner"=CCleaner (remove only)
"HijackThis"=HijackThis 2.0.2
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}"=Broadcom 440x 10/100 Integrated Controller
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Malwarebytes' RogueRemover FREE_is1"=Malwarebytes' RogueRemover
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.3)"=Mozilla Firefox (3.0.3)
"MSNINST"=MSN
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"ShockwaveFlash"=Adobe Flash Player 9 ActiveX
"WinAce Archiver"=WinAce Archiver
"Windows Media Format Runtime"=Windows Media Format Runtime
"Windows XP Service Pack"=Windows XP Service Pack 3
"Yahoo! Anti-Spy"=Yahoo! Anti-Spy
"Yahoo! Companion"=Yahoo! Toolbar
"Yahoo! Search Defender"=Yahoo! Search Protection
"YInstHelper"=Yahoo! Install Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/6/2008 8:26:12 PM | Computer Name = FOES1 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16705, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/6/2008 8:26:37 PM | Computer Name = FOES1 | Source = Application Hang | ID = 1001
Description = Fault bucket 854786114.

Error - 10/6/2008 8:26:54 PM | Computer Name = FOES1 | Source = Application Hang | ID = 1001
Description = Fault bucket 854786114.

Error - 10/6/2008 8:28:49 PM | Computer Name = FOES1 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3188, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/6/2008 8:36:27 PM | Computer Name = FOES1 | Source = Application Hang | ID = 1001
Description = Fault bucket 943649184.

Error - 10/7/2008 12:36:26 PM | Computer Name = FOES1 | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application outlook.exe, version 11.0.5510.0, stamp 3f1380f0,
faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address
0x017b90ac.

Error - 10/7/2008 12:36:39 PM | Computer Name = FOES1 | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application outlook.exe, version 11.0.5510.0, stamp 3f1380f0,
faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address
0x017990ac.

Error - 10/7/2008 12:38:43 PM | Computer Name = FOES1 | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.5510.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/7/2008 12:39:13 PM | Computer Name = FOES1 | Source = Application Hang | ID = 1001
Description = Fault bucket 54869149.

Error - 10/21/2008 8:44:20 PM | Computer Name = FOES1 | Source = Application Hang | ID = 1002
Description = Hanging application OTViewIt.exe, version 1.0.17.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 12/19/2007 1:15:57 PM | Computer Name = FOES1 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 12/19/2007 1:15:57 PM | Computer Name = FOES1 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 12/19/2007 1:15:57 PM | Computer Name = FOES1 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 12/19/2007 1:15:57 PM | Computer Name = FOES1 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 12/19/2007 1:15:57 PM | Computer Name = FOES1 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 12/19/2007 1:15:58 PM | Computer Name = FOES1 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 12/19/2007 1:15:58 PM | Computer Name = FOES1 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 12/19/2007 1:15:58 PM | Computer Name = FOES1 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 12/19/2007 1:15:58 PM | Computer Name = FOES1 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 12/19/2007 1:15:58 PM | Computer Name = FOES1 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126


< End of report >
~~~~~~~~~~~~~~~~~~~~~

I will run the Kaspersky and post that next (I think I am supposed to close the browser to do that).

Again, thank you SO MUCH for your kind attention to this.

:thumbsup:

#4 AnnaZed

AnnaZed
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Los Angeles, CA
  • Local time:12:32 AM

Posted 21 October 2008 - 08:21 PM

Kaspersky thing will take a long time looks like. This is my work computer and the boss is closing up. I will post it tomorrow morning.

Thank you again, so very much. :thumbsup:

#5 AnnaZed

AnnaZed
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Los Angeles, CA
  • Local time:12:32 AM

Posted 22 October 2008 - 02:05 PM

Ok, I ran the kaspersky thing (twice, because I thought this must be a mistake the first time) and when I clicked on "scan report" I got an empty page, nothing, just blank ~ both times.
:thumbsup:

#6 AnnaZed

AnnaZed
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Los Angeles, CA
  • Local time:12:32 AM

Posted 22 October 2008 - 02:58 PM

BTW, maybe this is related:

:)

In addition to the wsearch problem I am always getting these things (emails) that say:

Delivery Status Notification (Failure)

Delivery to the following recipients failed.

m_r_brubaker@hotmail.com

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.175 / Virus Database: 270.8.2/1739 - Release Date: 10/22/2008 7:23 AM


with 2 attachments:

one says:

details.txt

this particular one reads:

Reporting-MTA: dns;bay0-mc12-f6.bay0.hotmail.com
Received-From-MTA: dns;smtp20.orange.fr
Arrival-Date: Wed, 22 Oct 2008 00:34:30 -0700

Final-Recipient: rfc822;m_r_brubaker@hotmail.com
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;550 Requested action not taken: mailbox unavailable (-715969955:3232:-2147467259)


the second attachment says:

"Who's Interested?"

and reads:


Good day

Where love lives...
I am looking for that special I wish to have by my side and a person to share my life with. I am looking for a man who is ready to leave the past behind and get on with the future. I lead a simple life and have some wonderful friends, love to get away. I like the quite times too. It is nice to cuddle up at the end of the day or all day if itís raining. If you can handle then say hi!
Let me know http://lokingforaman.net/lovelysingles

Hugs
July


Which is obviously spam :thumbsup: (and not created by me!) It says that it originates from:

Uli S [info@foesracing.com]

Needless to say, there is no Uli S here.

So, doesn't that mean that some sort of trojan is sending out this porn spam from our mailbox? If so, how do I stop that?

Thanks Again for your consideration of this matter. :)

#7 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:32 AM

Posted 22 October 2008 - 08:17 PM

Wait a minnute... You're getting bouncebacks on a domain you own?

Those logs look clean.. but little confused now...

You own the domain foesracing.com ?

Billy3

Edited by Billy O'Neal, 22 October 2008 - 08:17 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#8 AnnaZed

AnnaZed
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Los Angeles, CA
  • Local time:12:32 AM

Posted 22 October 2008 - 11:09 PM

If "bouncebacks" are those delivery failure notices (I'm assuming that they are) then, yes, I am getting those. All are just like the one that I copied here and are spam messages sent as though from my box (info@foesracing.com), but with another name attached (unknown to us) and obviously content that we would not send. :)

Yes. we own the domain:

www.foesracing.com

The site is hosted eleswhere though.

The wsearch redirect is still there (or was when I left work a few hours ago). :)

Tell me if this is possible; could the redirect only kick in at certain times? Because I did not see it all morning or early afternoon, but it started being practically every window late in the day. I rebooted actually, it was making me crazy.

Thank you again, oh computer guy. :thumbsup:

#9 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:32 AM

Posted 23 October 2008 - 01:35 PM

Hello, AnnaZed.
Well... wasn't sure the redirect was still in there.....

As far as the emails go, nothing says it's coming from this machine. The sender of the email sets the FROM field. Any server can send email from your domain, only your domain can receive it. All it takes is someone to target the domain. If that user account does not exist on your email system, then it's not being sent from your email system. Simple as that.

However, the redirect is still a problem....

We need to scan for rootkits with GMER
  • Please download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    Note: There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
    Important! Please do not select the "Show all" checkbox during the scan.
  • Click on the "Scan" and wait for the scan to finish.
    • Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
In your next reply, please include the following:
  • GMER's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#10 AnnaZed

AnnaZed
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Los Angeles, CA
  • Local time:12:32 AM

Posted 23 October 2008 - 02:17 PM

2008-10-23 12:03:39 gmer.sys System [4]: LoadDriver system32\DRIVERS\ipnat.sys
2008-10-23 12:03:39 gmer.sys System [4]: LoadDriver system32\DRIVERS\wanarp.sys
2008-10-23 12:03:46 gmer.sys System [4]: CreateProcess C:\WINDOWS\system32\smss.exe
2008-10-23 12:03:46 gmer.sys smss.exe [524]: CreateProcess C:\WINDOWS\system32\autochk.exe
2008-10-23 12:03:46 gmer.sys smss.exe [524]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Cdfs
2008-10-23 12:03:47 gmer.sys smss.exe [524]: CreateProcess C:\WINDOWS\system32\csrss.exe
2008-10-23 12:03:47 gmer.sys csrss.exe [588]: LoadDriver \SystemRoot\System32\drivers\dxg.sys
2008-10-23 12:03:48 gmer.sys csrss.exe [588]: LoadDriver \SystemRoot\System32\ialmrnt5.dll
2008-10-23 12:03:48 gmer.sys csrss.exe [588]: LoadDriver \SystemRoot\System32\ialmdnt5.dll
2008-10-23 12:03:48 gmer.sys csrss.exe [588]: LoadDriver \SystemRoot\System32\vga.dll
2008-10-23 12:03:48 gmer.sys csrss.exe [588]: LoadDriver \SystemRoot\System32\ialmrnt5.dll
2008-10-23 12:03:48 gmer.sys csrss.exe [588]: LoadDriver \SystemRoot\System32\ialmdev5.DLL
2008-10-23 12:03:48 gmer.sys csrss.exe [588]: LoadDriver \SystemRoot\System32\ialmdd5.DLL
2008-10-23 12:03:48 gmer.sys smss.exe [524]: CreateProcess C:\WINDOWS\system32\winlogon.exe
2008-10-23 12:03:48 gmer.sys winlogon.exe [612]: CreateProcess C:\Program Files\AVG\AVG8\avgrsx.exe
2008-10-23 12:03:49 gmer.sys winlogon.exe [612]: CreateProcess C:\WINDOWS\system32\services.exe
2008-10-23 12:03:49 gmer.sys winlogon.exe [612]: CreateProcess C:\WINDOWS\system32\lsass.exe
2008-10-23 12:03:50 gmer.sys services.exe [712]: CreateProcess C:\WINDOWS\system32\svchost.exe
2008-10-23 12:03:50 gmer.sys services.exe [712]: CreateProcess C:\WINDOWS\system32\svchost.exe
2008-10-23 12:03:51 gmer.sys services.exe [712]: CreateProcess C:\WINDOWS\system32\svchost.exe
2008-10-23 12:03:51 gmer.sys services.exe [712]: LoadDriver system32\DRIVERS\ndisuio.sys
2008-10-23 12:03:51 gmer.sys services.exe [712]: CreateProcess C:\WINDOWS\system32\svchost.exe
2008-10-23 12:03:51 gmer.sys services.exe [712]: CreateProcess C:\WINDOWS\system32\svchost.exe
2008-10-23 12:03:51 gmer.sys winlogon.exe [612]: CreateProcess C:\WINDOWS\system32\logonui.exe
2008-10-23 12:03:53 gmer.sys services.exe [712]: CreateProcess C:\WINDOWS\system32\spoolsv.exe
2008-10-23 12:03:53 gmer.sys svchost.exe [1040]: LoadDriver system32\DRIVERS\rdbss.sys
2008-10-23 12:03:53 gmer.sys svchost.exe [1040]: LoadDriver system32\DRIVERS\mrxsmb.sys
2008-10-23 12:04:00 gmer.sys services.exe [712]: LoadDriver system32\DRIVERS\mrxdav.sys
2008-10-23 12:04:01 gmer.sys services.exe [712]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\ParVdm
2008-10-23 12:04:01 gmer.sys services.exe [712]: CreateProcess C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
2008-10-23 12:04:01 gmer.sys winlogon.exe [612]: CreateProcess C:\WINDOWS\system32\userinit.exe
2008-10-23 12:04:01 gmer.sys services.exe [712]: CreateProcess C:\WINDOWS\system32\svchost.exe
2008-10-23 12:04:02 gmer.sys userinit.exe [1712]: CreateProcess C:\WINDOWS\explorer.exe
2008-10-23 12:04:02 gmer.sys services.exe [712]: CreateProcess C:\WINDOWS\system32\wdfmgr.exe
2008-10-23 12:04:03 gmer.sys svchost.exe [1040]: LoadDriver system32\DRIVERS\srv.sys
2008-10-23 12:04:13 gmer.sys svchost.exe [1040]: LoadDriver system32\DRIVERS\ipnat.sys
2008-10-23 12:04:18 gmer.sys explorer.exe [1804]: CreateProcess C:\WINDOWS\system32\verclsid.exe
2008-10-23 12:04:18 gmer.sys explorer.exe [1804]: CreateProcess C:\WINDOWS\system32\verclsid.exe
2008-10-23 12:04:23 gmer.sys explorer.exe [1804]: CreateProcess C:\WINDOWS\system32\igfxtray.exe
2008-10-23 12:04:24 gmer.sys explorer.exe [1804]: CreateProcess C:\WINDOWS\system32\hkcmd.exe
2008-10-23 12:04:24 gmer.sys explorer.exe [1804]: CreateProcess C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
2008-10-23 12:04:25 gmer.sys explorer.exe [1804]: CreateProcess C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
2008-10-23 12:04:26 gmer.sys explorer.exe [1804]: CreateProcess C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
2008-10-23 12:04:26 gmer.sys explorer.exe [1804]: CreateProcess C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
2008-10-23 12:04:27 gmer.sys explorer.exe [1804]: CreateProcess C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
2008-10-23 12:04:27 gmer.sys csrss.exe [220]: LoadDriver \SystemRoot\System32\vga.dll
2008-10-23 12:04:27 gmer.sys explorer.exe [1804]: CreateProcess C:\PROGRA~1\AVG\AVG8\avgtray.exe
2008-10-23 12:04:27 gmer.sys explorer.exe [1804]: CreateProcess C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
2008-10-23 12:04:28 gmer.sys explorer.exe [1804]: CreateProcess C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
2008-10-23 12:04:29 gmer.sys explorer.exe [1804]: CreateProcess C:\WINDOWS\system32\ctfmon.exe
2008-10-23 12:04:29 gmer.sys svchost.exe [880]: CreateProcess C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
2008-10-23 12:04:29 gmer.sys explorer.exe [1804]: CreateProcess C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
2008-10-23 12:04:29 gmer.sys explorer.exe [1804]: CreateProcess C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
2008-10-23 12:04:30 gmer.sys explorer.exe [1804]: CreateProcess C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
2008-10-23 12:04:32 gmer.sys explorer.exe [1804]: CreateProcess C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
2008-10-23 12:04:40 gmer.sys avgwdsvc.exe [1660]: CreateProcess C:\Program Files\AVG\AVG8\avgrsx.exe
2008-10-23 12:04:47 gmer.sys services.exe [712]: CreateProcess C:\WINDOWS\system32\imapi.exe
2008-10-23 12:04:47 gmer.sys services.exe [712]: LoadDriver System32\Drivers\HTTP.sys
2008-10-23 12:04:48 gmer.sys services.exe [712]: CreateProcess C:\WINDOWS\system32\alg.exe
2008-10-23 12:04:49 gmer.sys explorer.exe [1804]: CreateProcess C:\Program Files\Mozilla Firefox\firefox.exe
2008-10-23 12:04:51 gmer.sys svchost.exe [880]: CreateProcess C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
2008-10-23 12:05:14 gmer.sys svchost.exe [1040]: CreateProcess C:\WINDOWS\system32\wuauclt.exe
2008-10-23 12:05:17 gmer.sys svchost.exe [880]: CreateProcess C:\WINDOWS\system32\wbem\wmiprvse.exe
2008-10-23 12:05:47 gmer.sys avgwdsvc.exe [1660]: CreateProcess C:\PROGRA~1\AVG\AVG8\avgupd.exe
2008-10-23 12:06:07 gmer.sys firefox.exe [2408]: CreateProcess C:\Program Files\WinAce\winace.exe
2008-10-23 12:06:41 gmer.sys avgupd.exe [1024]: CreateProcess C:\Program Files\AVG\AVG8\fixcfg.exe
2008-10-23 12:06:48 gmer.sys firefox.exe [2408]: CreateProcess C:\Program Files\WinAce\winace.exe
2008-10-23 12:07:55 gmer.sys firefox.exe [2408]: CreateProcess C:\Program Files\WinAce\winace.exe
2008-10-23 12:08:21 gmer.sys winace.exe [3736]: CreateProcess C:\DOCUME~1\Owner\LOCALS~1\Temp\~AceTemp\gmer\gmer.exe
2008-10-23 12:08:48 gmer.sys winace.exe [3736]: CreateProcess C:\DOCUME~1\Owner\LOCALS~1\Temp\~AceTemp\gmer\gmer.exe

#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:32 AM

Posted 23 October 2008 - 08:10 PM

Hello, AnnaZed.
Hmm.. that didn't work as expected :thumbsup:

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.
  • About 1 in 100 times the computer will not longer be able to boot after running Combofix. This requires experienced hands to restore the system to bootability.
  • There are several malware infections that "target" Combofix. Experienced Helpers are aware of these infections, and take steps to remove them prior to the use of Combofix. If you do not, various things can happen depending on the infection -- from Combofix being unable to run, to the deletion of the folder C:\Windows\System32, requiring a clean install to repair.
  • Combofix makes some rather significant changes to the internals of XP and Vista in order to work. It can therefore be very dangerous!!
  • The real power of Combofix comes not as a general purposed malware remover. It is rather modest in that capacity. Combofix is powerful because it provides to the experienced Helper a convenient and powerful front-end to Scripts. It is because of its scripting strengths, and its unique reporting capabilities, that you see Combofix often recommended. But not because of its abilities as a general malware scanner.
  • Many malware removal experts will not respond to a request for help if they see that Combofix was run by the end-user without supervision. You might find after running Combofix that your system problems are worse, and nobody is willing to help you.
  • There are several general purpose anti-malware utilities where the Author(s) intended the application for general use by end-users without Supervision. Combofix is not one of them, and you would be advised to honor that position taken by its Author.
How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click Posted Image on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)
In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#12 AnnaZed

AnnaZed
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Los Angeles, CA
  • Local time:12:32 AM

Posted 24 October 2008 - 02:44 PM

OK, I am not at work until Monday, so don't take me off of the active list. I will run this thing then. I am wondering about the Microsoft update thingy. Maybe I sould go over there, on my day off!

Thanks SO MUCH for your time Billy. :thumbsup:

Edited by AnnaZed, 24 October 2008 - 02:45 PM.


#13 AnnaZed

AnnaZed
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Los Angeles, CA
  • Local time:12:32 AM

Posted 28 October 2008 - 05:55 PM

Hi Billy! Had a day off (I was sick) yesterday. I came in and the computer said that it had updated itself for Microsoft Updates (I didn't even know that it did that). I hope that doesn't change things for you too much. :)

As before, thank you SO MUCH for your kind attention to this matter. :)

Here is the ComboFix log: :thumbsup:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix 08-10-28.01 - Owner 2008-10-28 15:48:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.489 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-28 )))))))))))))))))))))))))))))))
.

2008-10-28 10:17 . 2008-10-28 10:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-24 01:50 . 2008-10-15 09:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-23 11:58 . 2008-10-23 12:08 345 --a------ C:\WINDOWS\gmer.ini
2008-10-22 10:29 . 2008-10-22 14:30 <DIR> d-------- C:\Documents and Settings\Owner\dreamcyclecache
2008-10-20 13:08 . 2008-10-20 13:09 25,992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe
2008-10-20 12:01 . 2008-10-20 12:01 <DIR> d-------- C:\Program Files\ACW
2008-10-20 11:44 . 2008-10-20 11:44 <DIR> d-------- C:\Program Files\CCleaner
2008-10-16 16:51 . 2008-10-16 16:55 <DIR> d-------- C:\rsit
2008-10-16 16:23 . 2008-10-16 16:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-16 15:16 . 2008-10-16 15:32 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-10-16 14:26 . 2008-10-16 14:26 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-10-15 17:06 . 2008-08-14 03:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 17:06 . 2008-08-14 03:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 17:06 . 2008-08-14 02:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 17:06 . 2008-08-14 02:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 17:06 . 2008-09-15 05:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 17:06 . 2008-09-08 03:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-09 14:27 . 2008-10-09 14:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Hewlett-Packard
2008-10-09 14:21 . 2004-10-07 18:16 35,840 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-10-09 14:20 . 2008-10-09 14:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Share-to-Web Upload Folder
2008-10-09 14:19 . 2008-10-09 14:21 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-10-09 14:19 . 2008-10-09 14:19 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-10-09 14:17 . 2008-10-09 14:18 <DIR> d-------- C:\col3927
2008-10-07 15:19 . 2008-10-07 15:19 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-07 15:19 . 2008-10-07 15:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-10-07 15:19 . 2008-10-07 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-07 15:16 . 2008-10-07 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-07 15:15 . 2008-10-17 14:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-07 12:10 . 2008-10-07 12:10 <DIR> d-------- C:\VundoFix Backups
2008-10-06 17:14 . 2008-10-06 17:14 73 --a------ C:\WINDOWS\st_affiliate.ini
2008-10-06 16:17 . 2008-10-06 16:17 <DIR> d-------- C:\Program Files\Uniblue
2008-10-06 16:17 . 2008-10-07 10:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-10-06 16:17 . 2008-10-07 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-10-06 16:00 . 2008-10-06 16:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-06 16:00 . 2008-10-06 16:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-10-06 16:00 . 2008-10-06 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-06 16:00 . 2008-09-10 00:10 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-06 16:00 . 2008-09-10 00:09 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-06 14:51 . 2008-10-28 10:17 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-10-06 14:51 . 2008-10-06 15:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-10-06 14:51 . 2008-10-06 14:51 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-06 14:51 . 2008-10-06 14:51 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-28 22:41 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-28 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-23 19:08 --------- d-----w C:\Program Files\WinAce
2008-10-06 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-09-17 23:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\iLike
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-29 17:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-08-29 17:07 262,144 ----a-w C:\ntuser.dat
2008-08-29 17:07 --------- d-----w C:\Program Files\Yahoo!
2008-08-29 17:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-05-30 23:48 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-05-30 23:48 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-05-30 23:48 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008053020080531\index.dat
2008-05-30 23:48 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 03:46 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"Search Protection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 126976]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-06 1234712]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 51776]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-06 97928]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-06 231704]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-09-10 38528]
S3 USB20L;Linksys USB 2.0 10/100 Adapter;C:\WINDOWS\system32\DRIVERS\USB200M.sys [2002-09-23 14208]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b942c13-72bb-11dc-a780-00106084528b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-27 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe []

2008-10-06 C:\WINDOWS\Tasks\Uniblue SpyEraser.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe []
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\34bz103w.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.yahoo.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-28 15:49:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-28 15:50:44
ComboFix-quarantined-files.txt 2008-10-28 22:50:40

Pre-Run: 137,518,678,016 bytes free
Post-Run: 137,512,497,152 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

151 --- E O F --- 2008-10-24 10:00:53

#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:32 AM

Posted 28 October 2008 - 06:05 PM

Do you use Outlook 2007 as your email client?

Do these emails appear in your sent items folder?

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#15 AnnaZed

AnnaZed
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Los Angeles, CA
  • Local time:12:32 AM

Posted 28 October 2008 - 06:31 PM

Hi Billy, I just checked, the version is Outlook 2003 (that's embarrassing I guess!). No, I never see them in my sent box.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users