Search engine redirects, maybe more?

[pecosred]

My neighbor brought me his sister's computer to clean. At first I thought that MBAM had taken care of all the problems, but then I noticed that search engine results were being redirected to other sites (the redirect sites were blocked by PC-Cillin).

I ran GMER, DDS, and OTL, but I'm not sure how to interpret the results. I'm thinking maybe I should reinstall the OS.

Here are the logs. First the original Malwarebytes log (they have come up clean after this one):

Malwarebytes' Anti-Malware 1.44

Database version: 3550

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

1/12/2010 5:03:46 PM

mbam-log-2010-01-12 (17-03-46).txt

Scan type: Quick Scan

Objects scanned: 154468

Time elapsed: 1 hour(s), 24 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 73

Registry Values Infected: 8

Registry Data Items Infected: 2

Folders Infected: 22

Files Infected: 37

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\cablerouting.cablerouting (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{8b8df25f-2c47-4473-8e1c-7f54ac7ef481} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{18cb1a7b-94cd-4582-8022-ada16851e44b} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18cb1a7b-94cd-4582-8022-ada16851e44b} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18cb1a7b-94cd-4582-8022-ada16851e44b} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\cablerouting.cablerouting.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{d8560ac2-21b5-4c1a-bdd4-bd12bc83b082} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{20ea9658-6bc3-4599-a87d-6371fe9295fc} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a16ad1e9-f69a-45af-9462-b1c286708842} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{c9ccbb35-d123-4a31-affc-9b2933132116} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{35a5b43b-cb8a-49ca-a9f4-d3b308d2e3cc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{e343edfc-1e6c-4cb5-aa29-e9c922641c80} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{35a5b43b-cb8a-49ca-a9f4-d3b308d2e3cc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7c4bcd17-bdba-4078-9d8c-8ca8b7eabe77} (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{b96ee4fe-ea06-4c92-a101-bac98f163d80} (Adware.Mirar) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b96ee4fe-ea06-4c92-a101-bac98f163d80} (Adware.Mirar) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{b96ee4fe-ea06-4c92-a101-bac98f163d80} (Adware.Mirar) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{b96ee4ff-ea06-4c92-a101-bac98f163d80} (Adware.Mirar) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b96ee4ff-ea06-4c92-a101-bac98f163d80} (Adware.Mirar) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b96ee4ff-ea06-4c92-a101-bac98f163d80} (Adware.Mirar) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dealassistant (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PersonalSec (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servises (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\DealAssistant (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\sbusa (Adware.Hotbar) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b96ee4fe-ea06-4c92-a101-bac98f163d80} (Adware.Mirar) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{b96ee4fe-ea06-4c92-a101-bac98f163d80} (Adware.Mirar) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\personalsec (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: c:\windows\system32\winuid.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: system32\winuid.dll -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\DealAssistant (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\ShoppingReport (Adware.ShopperReports) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\ShoppingReport\cs (Adware.ShopperReports) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\ShoppingReport\cs\db (Adware.ShopperReports) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\ShoppingReport\cs\dwld (Adware.ShopperReports) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\ShoppingReport\cs\report (Adware.ShopperReports) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\ShoppingReport\cs\res1 (Adware.ShopperReports) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\SpamBlockerUtility_Icons (Adware.Hotbar) -> Quarantined and deleted successfully.

C:\Program Files\CableRouting (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\PersonalSec (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\PersonalSec (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.

C:\Program Files\Common Files\PersonalSecUninstall (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\WeatherDPA (Adware.Hotbar) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\WeatherDPA\Weather (Adware.Hotbar) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\WeatherDPA\Weather\WeatherDPA (Adware.Hotbar) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\WeatherDPA\Weather\WeatherDPA\Weather_XML (Adware.Hotbar) -> Quarantined and deleted successfully.

Files Infected:

C:\Program Files\CableRouting\CableRouting.dll (Trojan.BHO) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\win6c78.dll (Adware.Mirar) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\winuid.dll (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Local Settings\Temp\ShprInstaller.exe (Adware.Shopper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Local Settings\Temp\76993.exe (Adware.Mirar) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Local Settings\Temporary Internet Files\Content.IE5\7S4L8ON5\install[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Local Settings\Temporary Internet Files\Content.IE5\CCESFSSH\MediaPlayerUpgrade[1].exe (Adware.Mirar) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Local Settings\Temporary Internet Files\Content.IE5\SAQ6K5HL\setup[1].exe (Malware.Packer) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080706115709593.log (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080707162802109.log (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080708163547468.log (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080709110343421.log (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\DealAssistant\config.cfg (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\DealAssistant\DAUninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\ShoppingReport\cs\Config.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.ShopperReports) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\SpamBlockerUtility_Icons\Repair+System+Registry.ico (Adware.Hotbar) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\SpamBlockerUtility_Icons\Software_Online_8.ico (Adware.Hotbar) -> Quarantined and deleted successfully.

C:\Program Files\CableRouting\uninstall.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\CableRouting\Uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\PersonalSec\psecurity.exe (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\PersonalSec\Computer Scan.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\PersonalSec\Help.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\PersonalSec\Personal Security.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\PersonalSec\Registration.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\PersonalSec\Security Center.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\PersonalSec\Settings.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\PersonalSec\Update.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.

C:\Program Files\Common Files\PersonalSecUninstall\Uninstall.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\WeatherDPA\Weather\WeatherStartup.xml (Adware.Hotbar) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Desktop\Personal Security.lnk (Rogue.PSecurity) -> Quarantined and deleted successfully.

C:\Documents and Settings\Devin\Application Data\Microsoft\Internet Explorer\Quick Launch\PersonalSec.lnk (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.

==================================

DDS:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Devin at 23:14:46.01 on Tue 01/12/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1185 [GMT -6:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\dlcxcoms.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe

C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe

C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\NetWaiting\netWaiting.exe

C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\BearShare Applications\Personalization\BearSharePersonalization.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Philips\GoGear VIBE Device Manager\GoGear_Vibe_DeviceManager.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Devin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080109

uSearch Bar = hxxp://www.mirarsearch.com/?useie5=1&q=

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com

mSearch Bar = hxxp://www.mirarsearch.com/?useie5=1&q=

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080109

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: Yahoo!

Attach.zip

[pecosred]

I went ahead and ran ComboFix since it seemed like you guys were pretty backed up. Unfortunately, I received a blue screen error while ComboFix was generating its log, so i have no ComboFix log to post.

The computer seems to be running fine, and ComboFix has gotten rid of the search engine redirects, but I'm not convinced that it's completely clean.

I've attached a newer set of DDS logs. I appreciate any help.

Attach2.zip

[pecosred]

Any chance of getting some help with this?

Thank you.

[pecosred]

Eh, I guess not.

[Maurice Naggar]

Hello pecosred,

Sorry that you were overlooked. Our forums are super busy.

If you still need help, please do the following.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

next, You already have DDS.

Start it and let it generate new reports.

Then, post back with copies of the MBAM scan log

DDS.txt

Attach.txt

Place them all in-line (within main body of reply box). Do not use the attachment feature.

The fresh reports will give me a better (more current) view of your system.

[pecosred]

Thanks a lot, Maurice, I appreciate it!

I also have a ComboFix log I can post if you need it. (I ran combofix /u thinking I was uninstalling it, but apparently the command has been changed to /uninstall.)

MBAM log:

Malwarebytes' Anti-Malware 1.44

Database version: 3754

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

2/17/2010 10:24:08 PM

mbam-log-2010-02-17 (22-24-08).txt

Scan type: Quick Scan

Objects scanned: 137696

Time elapsed: 15 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

***********************************************************

DDS:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Devin at 22:31:57.78 on Wed 02/17/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1162 [GMT -6:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\dlcxcoms.exe

C:\PROGRA~1\GFI\GFIBAC~1\GFIHInst.exe

C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe

C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe

C:\Program Files\Dell Photo AIO Printer 926\memcard.exe

C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\NetWaiting\netWaiting.exe

C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\BearShare Applications\Personalization\BearSharePersonalization.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\PROGRA~1\GFI\GFIBAC~1\GFIAgent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Philips\GoGear VIBE Device Manager\GoGear_Vibe_DeviceManager.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Devin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://www.mirarsearch.com/?useie5=1&q=

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080109

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: Yahoo!

[Maurice Naggar]

Do the following steps. It is best to do all in one session. Don't use your system while the tools are in progress.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3

Download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  
• IF prompted to Reboot, reply "Yes".
  

Step 4

Disable your antivirus temporarily. Do not disable the firewall.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Print out this section or even save it to your pc, for easy offline reference !

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:

DDS::
mSearch Bar = http://www.mirarsearch.com/?useie5=1&q=
BHO: BearSharePersonalization: {dd1849ea-8403-4441-8dff-7575aae1dc16}
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
uRun: [BearSharePersonalization]

Folder:: 
c:\program files\bearshare applications

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:

• ! Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  Please wait for ComboFix to finish running
  Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash.
  

Step 5

Using Internet Explorer browser only, go to ESET Online Scanner website:

Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

• Accept the Terms of Use and press Start button;
  
• Approve the install of the required ActiveX Control, then follow on-screen instructions;
  
• Enable (check) the Remove found threats option, and run the scan.
  
• After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
    

  Look at contents of this file using Notepad or Wordpad.

  The Frequently Asked Questions for ESET Online Scanner can be viewed here

  http://www.eset.com/onlinescan/cac4.php?page=faq

  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
    Otherwise the scan will take twice as long to do:
    everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
    (And the prompt re-enabling when finished.)
    
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
    

Step 6

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:

• Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  
• Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  
• Once the short scan has finished, Click Options > Change settings
  
• Choose the "Scan tab" and UNcheck "Heuristic analysis"
  
• Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  
• Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  
• When done, a message will be displayed at the bottom advising if any viruses were found.
  
• Click "Yes to all" if it asks if you want to cure/move the file.
  
• When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  
• Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  
• Save the DrWeb.csv report to your desktop.
  
• Exit Dr.Web Cureit when done.
  
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  
• After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
  

Step 7

Now, re-enable your antivirus program.

Download the HijackThis Installer

Save the HJT Installer to your desktop or the folder of your choice, then navigate to that folder and double-click Hijackthis.msi to start the installation.

When the Trend Micro HJT install box appears, click Install.

HijackThis (HJT) will be installed in the C:\Program Files\Trend Micro\HijackThis folder by default and a desktop shortcut will be created.

Next, start HJT. Do a "Scan and Save log".

Step 8

Reply with copy of C:\combofix.txt

ESET scan log

the DrWeb log file

the HijackThis log

[pecosred]

OK, here are the requested logs. It seemed as if you wanted the Combofix log as an attachment; I apologize if I misunderstood.

It looks like the ESET log includes all the scans I have run with it for the past several weeks.

Most of the items found by Dr. Web were in the Trend Micro quarantine, so I left them there. The other item looked like a false positive, but I had it moved to quarantine anyway.

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=f020951a351f9b408bf2274acd68d70c

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-01-13 01:17:35

# local_time=2010-01-12 07:17:35 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777191 100 0 62565005 62565005 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=107958

# found=6

# cleaned=6

# scan_time=2024

C:\Documents and Settings\Devin\Local Settings\Temp\p2psetup.exe Win32/Adware.P2PNet application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Devin\Local Settings\Temporary Internet Files\Content.IE5\IS9513AI\DAUninstaller.test.v120000.14jul2009.exe[1].90ce3ed227b7de5a62cbb2ee533dfb4

0 probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Devin\My Documents\My Music\MediaPlayerUpgrade.exe probably a variant of Win32/TrojanDownloader.Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Incomplete\Preview-T-3545428-Lostprophets - To Hell We Ride.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Incomplete\T-3877629-papa roach-hollywood ######.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Incomplete\T-3877629-sippin tha barre paul wall - greatest hits.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=f020951a351f9b408bf2274acd68d70c

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-01-17 05:18:24

# local_time=2010-01-16 11:18:24 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777191 100 0 62924737 62924737 0 0

# compatibility_mode=8192 67108863 100 0 277100 277100 0 0

# scanned=85227

# found=0

# cleaned=0

# scan_time=2342

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=f020951a351f9b408bf2274acd68d70c

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-01-21 04:39:26

# local_time=2010-01-20 10:39:26 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777175 100 0 63266444 63266444 0 0

# compatibility_mode=8192 67108863 100 0 618807 618807 0 0

# scanned=96582

# found=2

# cleaned=2

# scan_time=3896

C:\Documents and Settings\Nat\Local Settings\Temp\_addon.exe Win32/BHO.NEB trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Nat\My Documents\LimeWire\Saved\el parajillo baranqueno bittorrent downloader.zip probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=f020951a351f9b408bf2274acd68d70c

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-01-22 05:20:41

# local_time=2010-01-22 11:20:41 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777191 100 0 63400069 63400069 0 0

# compatibility_mode=8192 67108863 100 0 752432 752432 0 0

# scanned=85552

# found=0

# cleaned=0

# scan_time=2347

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=f020951a351f9b408bf2274acd68d70c

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-02-13 12:41:54

# local_time=2010-02-12 06:41:54 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777175 100 0 65239129 65239129 0 0

# compatibility_mode=8192 67108863 100 0 2591492 2591492 0 0

# scanned=86298

# found=0

# cleaned=0

# scan_time=4160

# version=7

# IEXPLORE.EXE=7.00.6000.16981 (vista_gdr.091215-2244)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=f020951a351f9b408bf2274acd68d70c

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-02-18 11:17:49

# local_time=2010-02-18 05:17:49 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777191 100 0 65754749 65754749 0 0

# compatibility_mode=8192 67108863 100 0 3107112 3107112 0 0

# scanned=92534

# found=0

# cleaned=0

# scan_time=1895

**********************************************

Dr. Web:

gfiagent.exe;c:\program files\gfi\gfi backup 2009 - home edition;Probably DLOADER.Trojan;Incurable.Moved.;

23.tmp;C:\Program Files\Trend Micro\Internet Security 14\Quarantine;Trojan.DownLoad1.15619;;

29.tmp;C:\Program Files\Trend Micro\Internet Security 14\Quarantine;Trojan.DownLoad.44763;;

2A9.tmp;C:\Program Files\Trend Micro\Internet Security 14\Quarantine;Trojan.DownLoad1.15619;;

2BB.tmp;C:\Program Files\Trend Micro\Internet Security 14\Quarantine;Trojan.DownLoad1.15619;;

2C.tmp;C:\Program Files\Trend Micro\Internet Security 14\Quarantine;Trojan.Packed.2936;;

2D5.tmp;C:\Program Files\Trend Micro\Internet Security 14\Quarantine;Trojan.DownLoad1.15619;;

2DF.tmp;C:\Program Files\Trend Micro\Internet Security 14\Quarantine;Trojan.DownLoad1.15619;;

2E.tmp;C:\Program Files\Trend Micro\Internet Security 14\Quarantine;Trojan.DownLoad.42396;;

42.tmp;C:\Program Files\Trend Micro\Internet Security 14\Quarantine;BackDoor.Tdss.1365;;

49.tmp;C:\Program Files\Trend Micro\Internet Security 14\Quarantine;Trojan.Botnetlog.11;;

5B.tmp;C:\Program Files\Trend Micro\Internet Security 14\Quarantine;Trojan.Siggen.21760;;

7D.tmp;C:\Program Files\Trend Micro\Internet Security 14\Quarantine;Trojan.DownLoad.42396;;

7F.tmp;C:\Program Files\Trend Micro\Internet Security 14\Quarantine;Trojan.Siggen.21760;;

80.tmp;C:\Program Files\Trend Micro\Internet Security 14\Quarantine;Trojan.DownLoad1.15619;;

81.tmp;C:\Program Files\Trend Micro\Internet Security 14\Quarantine;Trojan.DownLoad1.15619;;

82.tmp;C:\Program Files\Trend Micro\Internet Security 14\Quarantine;Trojan.DownLoad1.15619;;

83.tmp;C:\Program Files\Trend Micro\Internet Security 14\Quarantine;Trojan.DownLoad1.15619;;

84.tmp;C:\Program Files\Trend Micro\Internet Security 14\Quarantine;Trojan.DownLoad1.15619;;

************************************************

HJT:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 8:52:34 PM, on 2/18/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16981)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\dlcxcoms.exe

C:\PROGRA~1\GFI\GFIBAC~1\GFIHInst.exe

C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe

C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe

C:\Program Files\Dell Photo AIO Printer 926\memcard.exe

C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\NetWaiting\netWaiting.exe

C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Philips\GoGear VIBE Device Manager\GoGear_Vibe_DeviceManager.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\msiexec.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080109

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo!

Edited February 20, 2010 by Maurice Naggar
Combofix.txt placed in-line

[Maurice Naggar]

The logs showed another peer-to-peer filesharing app: LIMEWIRE. I highly urge it's removal. I do not recommend their use since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

P2P file sharing: Know the risks

Are the search redirects altogether gone?

[pecosred]

The logs showed another peer-to-peer filesharing app: LIMEWIRE. I highly urge it's removal. I do not recommend their use since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

Yes, I agree. I have already uninstalled it.

Are the search redirects altogether gone?

Yes, they seem to be.

Do you think the machine is clean now?

[Maurice Naggar]

The system is a whole lot 'cleaner' than it had been. One cannot say it is 100% clean.

Go to Control Panel and Add-or-Remove programs.

Look for ESET Online

and click the line for it. Select Change/Remove to de-install it.

OK & Exit out of Control Panel

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

• Click Start, then click Run. Then type in

  CMD

  and press Enter-key.
  This will open a command-prompt window.
  In the command box that opens, type or copy/paste
  c:\documents and settings\Devin\Desktop\ComboFix.exe /uninstall
  and then click OK.
  

• Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  
• Please double-click OTL.exe to run it.
  
• Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
  
• This step removes the files, folders, and shortcuts created by the tools I had you download and run.
  

• Run Disk Cleanup with the System Restore Cleanup as outlined here by Bert Kinney, MS MVP
  http://bertk.mvps.org/html/diskclean.html
  
• Insure Pc-Cillin real-time AV monitor is back ON.
  
• Convey the following to the owner of this system:
  
• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
  
• Check in at Windows Update and install any Critical Updates offered.
  
• Download and Install Windows Defender by Microsoft (free) if you do not already have it:
  http://www.microsoft.com/downloads/details...A4-F7F14E605A0D
  
• Make certain that Automatic Updates is enabled.
  How to configure and use Automatic Updates in WinXP:
  http://support.microsoft.com/kb/306525
  
• Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times)
  
• I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
  See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm
  That would help to keep your browser away from known spyware/malware sites.
  
• Make regular backups of your system to removable media: DVD, USB external hard drive, etc.
  On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
  Kaspersky Webscan Online Virus Scanner
  ESET Online Scanner
  Panda ActiveScan
  Trend Micro Housecall
  F-Secure Online Scanner
  
• Read Tony Klein's article How Did I Get Infected In The First Place
  
• Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe !
  

We are finished here. Best regards.

[pecosred]

• Please double-click OTL.exe to run it.
  
• Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
  
• This step removes the files, folders, and shortcuts created by the tools I had you download and run.
  

I did not see anything about a file being downloaded, and the cleanup seemed to only remove OTL. So I manually removed the other tools.

Thanks a lot for your help!

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!