#11
| Here is the superantispyware log. Can you tell me what you find?
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 03/18/2008 at 09:49 PM
Application Version : 4.0.1154
Core Rules Database Version : 3412
Trace Rules Database Version: 1404
Scan type : Complete Scan
Total Scan Time : 02:32:53
Memory items scanned : 168
Memory threats detected : 0
Registry items scanned : 7152
Registry threats detected : 38
File items scanned : 77031
File threats detected : 60
Adware.OneStepSearch
Adware.Tracking Cookie
Trace.Known Threat Sources
Last edited by evilfantasy : 19th Mar 2008 at 06:51 AM. |
#12
| That took care of the onestep search that I mentioned in post #3. Then cookies and Temporary files. Nothing pointing to a Vundo infection. I would run the BitDefender scan next then post that log, see what it turns up. Last edited by evilfantasy : 19th Mar 2008 at 06:29 AM. |
#13
| I have specific instructions to keep this laptop off the internet because of the sensitive data that is on the drive. Is there an alternative way or does BitDefender offer an offline scan that I can perform? |
#14
| No but I would suggest downloading Clamwin portable and transferring it over to the computer and running a scan with it. Make sure it is updated. http://portableapps.com/apps/utilities/clamwin_portable |
#15
| Thank you my friend. |
#16
| No problem, let me know if there is anything else. I can usually think of something to substitute the normal procedures. Good luck!! |
#17
| A few more portable goodies for you.

If you're working on an unknown computer, and you save a file to its hard drive, you want to be sure it's really gone and cannot be recovered after you're gone. Use this secure file deletion tool. The file is deleted, and the spot on the drive where it was located is overwritten seven times with random data. CyberShredder

If you are worried about leaving tracks on a visited computer, run Restoration to see what files may be undeleted after you leave. Restoration

For deleting stubborn malicious files, or just normal locked files. KillBox is a tool to delete in-use files, if the file is running, KillBox will attempt to end the process (close the running file) and delete it. www.killbox.net

IMPORTANT! Every time the program is run, it writes a folder ("!KillBox") with a log file in C:/ so it must be deleted/removed from the PC.

Dr Web CureIt is also portable (one of my favorites) and does well on a portable drive. http://www.freedrweb.com/

Be sure to look in C:\vundofix.txt and delete that log also.

Last edited by evilfantasy : 23rd Mar 2008 at 01:55 AM. |
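An added example (not part of the original post, and not CyberShredder's or KillBox's own code) of the two clean-up steps described above: overwriting a file seven times with random data before deleting it, and checking a drive root for the `!KillBox` folder and `vundofix.txt` log. The function names and the `root` parameter are assumptions; in-place overwriting only reaches the original sectors on media that write in place, so SSD wear leveling and copy-on-write filesystems can retain old copies.

```python
import os
import secrets

PASSES = 7                                   # pass count quoted in the post
CHUNK = 1 << 20                              # write random data 1 MiB at a time
TOOL_TRACES = ("!KillBox", "vundofix.txt")   # leftovers named in the post


def overwrite_in_place(path, passes=PASSES):
    """Overwrite every byte of `path` with fresh random data, `passes` times."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())            # force this pass to disk first
    return size


def shred(path, passes=PASSES):
    """Overwrite, rename to a random name (hides the file name), then delete."""
    size = overwrite_in_place(path, passes)
    anon = os.path.join(os.path.dirname(os.path.abspath(path)),
                        secrets.token_hex(8))
    os.rename(path, anon)
    os.remove(anon)
    return size


def leftover_tool_traces(root):
    """Return the paths under `root` (a drive root) that the tools left behind."""
    return [os.path.join(root, name) for name in TOOL_TRACES
            if os.path.exists(os.path.join(root, name))]


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:          # constructed sample data
        sample = os.path.join(d, "notes.txt")
        with open(sample, "wb") as fh:
            fh.write(b"sensitive " * 100)
        os.mkdir(os.path.join(d, "!KillBox"))
        print(shred(sample), os.path.exists(sample), leftover_tool_traces(d))
```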
#18
| Last edited by evilfantasy : 23rd Mar 2008 at 02:03 AM. |
#19
| Here is the ClamWin log file. It looks like onestep is still in the system. |
#20
| This is totally off the subject of Vundo, but I feel the need to share this with you. Are you into guns and all that jazz? My friend showed me this link last night and I was (rotfl). It is sooooo funny. So if you are in need of a good laugh, check this out. http://www.thegunzone.com/glock/glock-gag.html |