Cmd.exe and FTP.exe Difficulties (In Progress)

Cookiegal
Administrator & Malware Removal Specialist with 79,280 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
19-Aug-2009, 08:14 PM #16
Please run the MGA Diagnostic Tool and post back the report it creates:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.
__________________
Microsoft MVP - Consumer Security
SilverBolt
Junior Member with 20 posts.
 
Join Date: Jul 2009
21-Aug-2009, 03:55 AM #17
Downloaded/ran the specified program, and here are the results of the diagnostic:

---------------------------------------------------------------------

Diagnostic Report (1.9.0011.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-BRVBB-38MQ9-3PMFT
Windows Product Key Hash: 2V2VyxlfhiaCt/JkDzYQfiNOHMA=
Windows Product ID: 55277-OEM-2111907-00106
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.1.0.hom
ID: {5EE70314-CAA1-4D82-B53A-B8726311FFA6}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A
WgaER Data-->
ThreatID(s): N/A
Version: N/A
WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 101 Not Activated
Microsoft Word 2002 - 101 Not Activated
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_3E121E02-385-80004005_3E121E02-452-80004005_3E121E02-312-80004005
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Prompt
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Prompt
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{5EE70314-CAA1-4D82-B53A-B8726311FFA6}</UGUID><Version>1.9.0011.0</Version><OS>5.1.2600.2.00010300.1.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-3PMFT</PKey><PID>55277-OEM-2111907-00106</PID><PIDType>2</PIDType><SID>S-1-5-21-450399507-511736373-3662135532</SID><SYSTEM><Manufacturer>HP Pavilion 061</Manufacturer><Model>DM181A-ABA a305w</Model></SYSTEM><BIOS><Manufacturer> </Manufacturer><Version>3.21 </Version><SMBIOSVersion major="2" minor="31"/><Date>20030716******.******+***</Date><SLPBIOS>HP PAVILION</SLPBIOS></BIOS><HWID>DAF23A4F01842042</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Hewlett-Packard</name><model>Pavilion</model></SBID><OEM/><GANotification/></MachineData> <Software><Office><Result>101</Result><Products><Product GUID="{911B0409-6000-11D3-8CFE-0050048383C9}"><LegitResult>101</LegitResult><Name>Microsoft Word 2002</Name><Ver>10</Ver><Val>153FC3BEC025388</Val><Hash>4AUW43fzMhh1NGLUsnsS7mafRhc=</Hash><Pid>54189-OEM-1690606-45892</Pid><PidType>4</PidType></Product></Products><Applications><App Id="1B" Version="10" Result="101"/></Applications></Office></Software></GenuineResults>
Licensing Data-->
N/A
HWID Data-->
N/A
OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 12E2B:Hewlett-Packard Company|40A0:TriGem Computer Inc
Marker string from OEMBIOS.DAT: HP PAVILION
OEM Activation 2.0 Data-->
N/A

---------------------------------------------------------------------

Was this helpful?

~*SilverBolt
Cookiegal
Administrator & Malware Removal Specialist with 79,280 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
21-Aug-2009, 08:47 PM #18
Why do you not have any MS critical updates installed?
SilverBolt
Junior Member with 20 posts.
 
Join Date: Jul 2009
22-Aug-2009, 06:42 PM #19
A couple of issues actually, to discuss. Firstly the issue of the missing upgrades, and secondly, a development that has happened in the case of the reappearing virus.

As to the upgrades, this computer is so slow that if we install all those upgrades, it will slow to an absolute crawl. I know because I have done this before. Now, I don't mean it would take a couple more seconds to pop the Start menu. I mean literally five minutes JUST to get the Start menu to appear. This is a really old computer, with very little RAM on it. It barely runs XP as it is. That's why we don't have any of them.

Secondly, as to the virus itself. Apparently, the infected "unwise_.exe" is part of a Win32/Heur virus thing. My s/o found a program through Sandboxie called "Avenger" that claims to have deleted unwise_.exe permanently. According to the site from which my s/o got this program, the site manager had difficulties with the same virus, and made the program to fix it. He claims that by deleting unwise_, the virus was cured. However, Prevx claimed multiple times that it "cleaned" it, so I have little reason to believe that. To that end, I've been patrolling my Task Manager like a hawk since I got on about an hour ago.

After Avenger killed unwise_, we picked up a crapload of other infected files through Prevx. My s/o thinks unwise_ was blocking the picking up of those files. Some were in system files, though none were critical system files. However, Prevx also picked up Avenger as a virus so I made my s/o delete it. Did we do the right thing? Have any of you had any experience with Avenger?

Currently, I don't know the situation. Our computer is the only way we have to access the outside world, and with being on a fixed income, we have no way to buy another computer to replace this one. We have another one, but it's infected with Windows Vista (yes, I believe Vista is a disease) and we can't use it until we can put XP back on it. Which I have no clue how to do. However, I will continue to patrol my Task Manager. All we can really do now is wait and see how things go.

~*SilverBolt
Cookiegal
Administrator & Malware Removal Specialist with 79,280 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
23-Aug-2009, 04:13 PM #20
Avenger is fine. It's normal for some security programs to be detected as suspicious by other security programs due to their nature.

How much RAM do you have on this computer?

Not having the updates leaves your system very vulnerable and therefore even cleaning it up is a futile effort as you will undoubtedly get reinfected almost immediately through those holes that are left open.

I'm willing to continue to see if we can get this thing cleaned up as you depend on it and then once it's cleaned, you may be able to do a bit more with it to keep it clean.

For now, please do the following:

Go to Start - Run, type in cmd, then click OK. The MSDOS window will be displayed. At the prompt type the following exactly as written, including all spaces and the quotation marks:

SC Stop "Windows Hosts Controller"

Then press Enter

Then type:

SC Delete "Windows Hosts Controller"


Then press Enter

Type Exit and press Enter.

This should delete the service created by the malware (the unwise_.exe file).

After doing that, please do the following. It's a very small program and you shouldn't have any problem downloading it.

Click here to download ATF Cleaner by Atribune and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
    • If you use Firefox:
      • Click Firefox at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera:
      • Click Opera at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

After doing the above, please post a new HijackThis log.
__________________
Microsoft MVP - Consumer Security
SilverBolt
Junior Member with 20 posts.
 
Join Date: Jul 2009
24-Aug-2009, 06:53 AM #21
Actually, I found out what my partner did. Somehow he restored the computer to a previous point in time, to before we had the infection. He ran Prevx after that, found the crapload of weird files, and cleaned them out. He says he ran Prevx again today -- a full scan -- and it found nothing.

Regarding the instructions you gave me, I typed in SC Stop "Windows Hosts Controller" and got the following message:

---------------------------------------

[SC] ControlService FAILED 1062:

The service has not been started.

---------------------------------------

Typing in SC Delete "Windows Hosts Controller" gave me the following message:

---------------------------------------

[SC] DeleteService SUCCESS

---------------------------------------

I downloaded the ATF Cleaner and ran it. Is it like Window Washer? If so, is it any more capable? I run Window Washer every day; should I run them both from now on?

And finally, here is the HijackThis log. I hope this is what you wanted. If not, can you refresh my memory on how to obtain the log you're looking for?

---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:59 AM, on 8/24/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\MUSHclient\mushclient.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\compstuff\HiJackThis\HijackThis.exe
C:\WINDOWS\System32\notepad.exe
C:\WINDOWS\System32\notepad.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=s...A&UT=companion
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3A5095E-400C-4020-8247-007DF7EBB44C}: NameServer = 64.136.52.73 64.136.44.73
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 4268 bytes
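The log above is the kind of thing the helper reads by eye: orphaned BHO entries ("(no file)"), services with an unknown owner, O17 name-server overrides, start/search pages that were changed, and a platform line showing how far behind the service-pack baseline the machine is. As an added example (not code from the thread, from HijackThis or from Tech Support Guy), here is a small Python 3 triage script that parses HJT 2.0.2-style entry lines and applies those checks. The `TRUSTED_HOSTS` allow-list and `SAMPLE_LOG` are constructed for this example; the sample only mimics the format of the log posted above.

```python
"""Triage helper for HijackThis (HJT) v2 logs.

Added example, not part of the thread, of HijackThis or of Tech Support Guy.
It parses the 'Rn'/'On' entry lines that HJT 2.0.2 emits and applies a few
defender-side checks. TRUSTED_HOSTS and SAMPLE_LOG are constructed for the
example (the sample mimics the format of the log posted in the thread).
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
PLATFORM_RE = re.compile(r"^Platform: (?P<platform>.+)$")
URL_RE = re.compile(r"=\s*(?P<url>\S+)\s*$")

# Constructed allow-list: OEM/ISP hosts that legitimately set this machine's
# start and search pages. Anything else in an R0/R1 line gets flagged.
TRUSTED_HOSTS = frozenset({"hpwis.com", "netzero.net"})

# Constructed sample in HJT 2.0.2 format (a subset of entry types).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP1 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3A5095E-400C-4020-8247-007DF7EBB44C}: NameServer = 64.136.52.73 64.136.44.73
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
--
End of file - 1234 bytes
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # HJT entry type ("O2", "O23", ...) or "Platform"
    reason: str  # why the line deserves a second look
    line: str    # the log line itself


def host_trusted(url, trusted_hosts):
    """True if the URL's host is an allow-listed domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in trusted_hosts)


def triage(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Return the list of Findings for one HJT log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        pm = PLATFORM_RE.match(line)
        if pm:
            # The helper's point about missing updates: XP SP1/SP2 in 2009 means
            # the service-pack baseline itself is behind, not just hotfixes.
            platform = pm.group("platform")
            if "Windows XP" in platform and "SP3" not in platform:
                findings.append(Finding("Platform", "Windows XP without SP3: service pack and its security fixes are missing", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or trailer line
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            um = URL_RE.search(body)
            if um and not host_trusted(um.group("url"), trusted_hosts):
                findings.append(Finding(kind, "start/search URL points at a host outside the allow-list", line))
        elif kind in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(Finding(kind, "orphaned BHO/toolbar: CLSID registered but its file is missing", line))
        elif kind == "O17" and "NameServer =" in body:
            servers = body.split("NameServer =", 1)[1].split()
            findings.append(Finding(kind, "DNS servers set in the registry: " + ", ".join(servers) + " (confirm they are your ISP's)", line))
        elif kind == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(kind, "service binary has no recognised publisher", line))
    return findings


def summarize(findings):
    """Plain-text report, one finding per block."""
    return "\n".join(f"[{f.kind}] {f.reason}\n    {f.line}" for f in findings)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample the script reports four items: the SP1 platform line, the orphaned O2 BHO, the O17 name servers (to be confirmed against the ISP's resolvers) and the O23 service with an unknown owner. Passing an empty allow-list additionally flags the R0/R1 URLs, which is the right default when you do not know which OEM or ISP pages are legitimate on a given machine. The "(no file)" rule is exactly what the helper's later OTS fix acted on: the two orphaned BHO CLSIDs.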
Cookiegal
Administrator & Malware Removal Specialist with 79,280 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
24-Aug-2009, 05:12 PM #22
I don't know about Window Washer but if it cleans out the temp files, history, etc. then I guess they do about the same thing. You can uninstall ATFCleaner.

Evidently the bad service was still installed although inactive so we've now deleted it.

Download OTS.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTS on your desktop.
  1. Close any open browsers.
  2. If your Real protection or Antivirus interferes with OTS, allow it to run.
  3. Open the OTS folder and double-click on OTS.exe to start the program.
  4. In Additional Scans section put a check in Disabled MS Config Items and EventViewer logs
  5. Now click the Run Scan button on the toolbar.
  6. Let it run unhindered until it finishes.
  7. When the scan is complete Notepad will open with the report file loaded in it.
  8. Save that notepad file.
Use the Reply button, scroll down to the attachments section and attach the notepad file here.
__________________
Microsoft MVP - Consumer Security
SilverBolt
Junior Member with 20 posts.
 
Join Date: Jul 2009
25-Aug-2009, 06:57 AM #23
I downloaded and ran the program you requested. I think I attached the right file to the post. I hope this is the right one, anyway.

~*SilverBolt
Attachment Blocked
Cookiegal
Administrator & Malware Removal Specialist with 79,280 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
26-Aug-2009, 08:52 PM #24
You have a lot of files/folders in System32 that look like this:

C:\WINDOWS\System32\asr_qqtth

They all start with asr_ followed by different combinations of random letters and there are no file extensions so they must be folders.

Do you have any idea what these are for?

Start OTS. Copy/Paste the information in the code box below into the pane where it says "Paste fix here" and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.


Code:
[Kill All Processes]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {31FF080D-12A3-439A-A2EF-4BA95A3148E8} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {c95fe080-8f5d-11d2-a20b-00aa003c157a}:%SystemRoot%\web\related.htm [HKLM] -> C:\WINDOWS\web\related.htm [Button: @shdoclc.dll,-866]
YN -> {c95fe080-8f5d-11d2-a20b-00aa003c157a}:%SystemRoot%\web\related.htm [HKLM] -> C:\WINDOWS\web\related.htm [Menu: @shdoclc.dll,-864]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{c95fe080-8f5d-11d2-a20b-00aa003c157a}" [HKLM] -> [@shdoclc.dll,-866]
[Files/Folders - Created Within 30 Days]
NY -> 2 C:\*.tmp files -> C:\*.tmp
[Files/Folders - Modified Within 30 Days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 1 C:\Documents and Settings\Owner\Application Data\*.tmp files -> C:\Documents and Settings\Owner\Application Data\*.tmp
NY -> 4 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp
[Empty Temp Folders]
[Start Explorer]
[Reboot]
__________________
Microsoft MVP - Consumer Security
SilverBolt
Junior Member with 20 posts.
 
Join Date: Jul 2009
02-Sep-2009, 01:26 AM #25
Actually, I have no clue what all those files are for. I didn't want to delete them, because I don't know what they're for, and if they're important, I'll be screwing up the computer. I ran the fix you specified, it rebooted the computer, and opened the log. However, wmiprvse.exe, and occasionally HelpSvc.exe, have recently started running when my screen saver pops up, for some reason. Anyway, here are the logs you requested:

OTS Log:

All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ not found.
[Files/Folders - Created Within 30 Days]
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\LastGood.Tmp\Twain_32\Lexmark\X5100 Series folder deleted successfully.
C:\WINDOWS\LastGood.Tmp\Twain_32\Lexmark folder deleted successfully.
C:\WINDOWS\LastGood.Tmp\Twain_32 folder deleted successfully.
C:\WINDOWS\LastGood.Tmp\System32\drivers folder deleted successfully.
C:\WINDOWS\LastGood.Tmp\System32 folder deleted successfully.
C:\WINDOWS\LastGood.Tmp folder deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
[Empty Temp Folders]


User: Administrator
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 82378 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Owner
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 1609900 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 514048 bytes

Total Files Cleaned = 2.10 mb

< End of fix log >
OTS by OldTimer - Version 3.0.10.3 fix logfile created on 09012009_231303
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:03 PM, on 9/1/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Owner\My Documents\compstuff\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=s...A&UT=companion
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 3477 bytes
Cookiegal
Administrator & Malware Removal Specialist with 79,280 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
02-Sep-2009, 08:22 PM #26
Please navigate to one of the folders/files I asked you about and let me know if they are indeed folders or files. If they are folders, please give me the names of some files they contain.
SilverBolt
Junior Member with 20 posts.
 
Join Date: Jul 2009
06-Sep-2009, 08:34 PM #27
The "asr_files" are indeed files. But oddly enough, they have no file extensions. There are approximately 85 of these files; to my knowledge they're not doing anything, since they have no file extensions. Though like I said earlier, I have no clue if they really ARE important or not, so I'm a little reluctant to delete them. None have been modified any later than August 20th, though.

~*SilverBolt
Cookiegal
Administrator & Malware Removal Specialist with 79,280 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
08-Sep-2009, 07:30 PM #28
Please go to the link below, try uploading a few of those files for analysis, and let me know what the results are:

http://virusscan.jotti.org/
SilverBolt
Junior Member with 20 posts.
 
Join Date: Jul 2009
09-Sep-2009, 05:28 AM #29
I uploaded a handful of files, and several of the scanners detected it as malware--downloader Bat!IK, downloader BatFTP, downloader BotFTP.gen, etc., etc. I don't want to sit here and upload every file, so I'm going to just try to delete the whole lot of them. I hope it doesn't crash anything, but if it does, you'll know why I haven't responded for a week or more.

~*SilverBolt
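What SilverBolt describes (around 85 extension-less files with a shared prefix in System32, none modified after a certain date, a few of them flagged by the multi-engine scanner as batch-based FTP downloaders) is exactly what a file inventory should capture before anything is deleted, and it also answers the "I don't want to upload every file" problem: with a hash per file you submit a few representative samples and match the rest locally. The following Python 3 script is an added example, not code from the thread or from any tool named in it. It lists the files under a directory that start with a prefix and carry no extension, records size, last-modified time and SHA-256, and applies a text/binary check plus a batch-script heuristic. The `BATCH_MARKERS` strings and the sample files built by `build_sample_dir()` are assumptions constructed for this example.

```python
"""Inventory extension-less files with a common prefix, for analysis before deletion.

Added example, not from the thread. Records name, size, mtime and SHA-256 for
each matching file and classifies the content as binary, plain text, or
batch-like text. BATCH_MARKERS and build_sample_dir() are constructed for the
example and are assumptions, not signatures from any scanner.
"""
import hashlib
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path

# Assumed markers: a Windows batch file commonly opens with "@echo off", and a
# script that drives ftp.exe names it on a command line.
BATCH_MARKERS = ("@echo off", "ftp ")


@dataclass(frozen=True)
class FileRecord:
    name: str
    size: int
    modified: str   # ISO-8601 UTC timestamp from the file's mtime
    sha256: str
    kind: str       # "binary", "text" or "batch-like text"


def classify(data: bytes) -> str:
    """Heuristic only: NUL bytes or non-ASCII mean binary; otherwise check batch markers."""
    if b"\x00" in data:
        return "binary"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "binary"
    lowered = text.lower()
    if any(marker in lowered for marker in BATCH_MARKERS):
        return "batch-like text"
    return "text"


def inventory(directory, prefix="asr_"):
    """Return FileRecords (sorted by name) for files named <prefix>* with no extension."""
    records = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file() or path.suffix or not path.name.lower().startswith(prefix):
            continue
        data = path.read_bytes()
        st = path.stat()
        records.append(FileRecord(
            name=path.name,
            size=st.st_size,
            modified=datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(timespec="seconds"),
            sha256=hashlib.sha256(data).hexdigest(),
            kind=classify(data),
        ))
    return records


def report(records):
    """One line per file: hash first so the list can be diffed or submitted as-is."""
    return "\n".join(f"{r.sha256}  {r.size:>8}  {r.modified}  {r.kind:<15}  {r.name}" for r in records)


def build_sample_dir():
    """Constructed sample: a temp directory that mimics the thread's layout (no real malware)."""
    d = Path(tempfile.mkdtemp(prefix="asr_example_"))
    (d / "asr_qqtth").write_bytes(b"@echo off\r\necho constructed sample, not real malware\r\n")
    (d / "asr_abcde").write_bytes(b"\x4d\x5a\x00\x00constructed binary blob")
    (d / "asr_notes.txt").write_bytes(b"has an extension, so it is skipped")
    (d / "readme").write_bytes(b"wrong prefix, skipped")
    return d


if __name__ == "__main__":
    # Point inventory() at the real directory (e.g. C:\WINDOWS\System32) on the affected machine;
    # the sample directory is used here so the script runs stand-alone.
    print(report(inventory(build_sample_dir())))
```

Saving the report before deleting anything gives the helper what Cookiegal asked for (names and, here, hashes and dates of the files), lets you upload one file per distinct hash rather than all 85, and leaves a record to compare against if files with the same prefix reappear after the clean-up. The batch-script heuristic is deliberately loose; treat "batch-like text" as "open it in Notepad and look", not as a verdict.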
Cookiegal
Administrator & Malware Removal Specialist with 79,280 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
09-Sep-2009, 07:01 PM #30
I suspect they are malware but I would have liked to see a couple of those reports. We could also have one or two uploaded and analyzed by a colleague if necessary.
Tags: cmd.exe, ftp.exe, lag, task manager

Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.
