First page of Google results hijacked?

[m3avrck]

Hello all! I'm working on my parents computer trying to fix Google. Anytime you search in Google (FF or IE) you get hijacked results. While the titles to results look ok, all of the links take you to advertising pages. The second page of results seems to be ok.

I've usually been successful at cleaning trojans/spyware in the past but after a few hours I'm puzzled.

Here is the output of hjt, thanks!

Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:50 AM, on 12/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] "C:\WINDOWS\system32\CTHELPER.EXE"
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\UpdReg.EXE"
O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [EPSON PictureMate Deluxe] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE" /P24 "EPSON PictureMate Deluxe" /O6 "USB002" /M "PictureMate Deluxe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] "C:\Program Files\PeerGuardian2\pg2.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121522823359
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe

--
End of file - 6758 bytes

Thanks guys for any help!

[m3avrck]

Sorry, forgot to include the required info!

DDS.txt output:


DDS (Version 1.1.0) - NTFSx86
Run by Dad at 1:47:07.26 on Sat 12/27/2008
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.527 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Dad\Desktop\dds.com
C:\Documents and Settings\Dad\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PeerGuardian] "c:\program files\peerguardian2\pg2.exe"
uRun: [WMPNSCFG] "c:\program files\windows media player\WMPNSCFG.exe"
mRun: [CTSysVol] "c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe" /r
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [CTHelper] "c:\windows\system32\CTHELPER.EXE"
mRun: [UpdReg] "c:\windows\UpdReg.EXE"
mRun: [dla] "c:\windows\system32\dla\tfswctrl.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "c:\windows\system32\nwiz.exe" /install
mRun: [NvMediaCenter] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] "c:\windows\system32\NeroCheck.exe"
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG8_TRAY] "c:\progra~1\avg\avg8\avgtray.exe"
mRun: [EPSON PictureMate Deluxe] "c:\windows\system32\spool\drivers\w32x86\3\E_FATI9TA.EXE" /P24 "EPSON PictureMate Deluxe" /O6 "USB002" /M "PictureMate Deluxe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dad\applic~1\mozilla\firefox\profiles\yizfoz63.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-1 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-2-3 26824]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-1 76040]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;"c:\program files\webroot\webrootsecurity\SpySweeper.exe" [2008-11-12 3667312]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-3-13 372816]

=============== Created Last 30 ================

2008-12-27 00:35 <DIR> --d----- c:\program files\Trend Micro
2008-12-27 00:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2008-12-27 00:15 <DIR> --d----- C:\ComboFix
2008-12-26 23:50 <DIR> --d----- c:\program files\Webroot
2008-12-26 23:17 <DIR> --d----- C:\!KillBox
2008-12-26 23:14 <DIR> --d----- C:\fixwareout
2008-12-26 23:12 164 a------- C:\install.dat
2008-12-26 21:53 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2008-12-26 21:52 <DIR> --d----- c:\windows\ERUNT
2008-12-26 21:52 <DIR> --d----- C:\SDFix
2008-12-26 21:48 <DIR> a-dshr-- C:\cmdcons
2008-12-26 21:46 161,792 a------- c:\windows\SWREG.exe
2008-12-26 21:46 98,816 a------- c:\windows\sed.exe
2008-12-26 21:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-26 21:01 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-26 21:01 <DIR> --d----- c:\docume~1\dad\applic~1\SUPERAntiSpyware.com
2008-12-26 20:46 <DIR> --d----- C:\VundoFix Backups
2008-12-26 17:43 <DIR> --d----- c:\docume~1\dad\applic~1\Malwarebytes
2008-12-26 17:42 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-26 17:42 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 17:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-26 17:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-10 19:54 <DIR> --d----- c:\program files\AutoCAD 2009
2008-12-10 19:53 3,727,720 a------- c:\windows\system32\d3dx9_35.dll
2008-12-10 19:50 <DIR> --d----- c:\windows\system32\XPSViewer
2008-12-10 19:50 14,048 -------- c:\windows\system32\spmsg2.dll
2008-12-10 19:41 <DIR> --d----- C:\install

==================== Find3M ====================

2008-11-12 16:02 170,608 a------- c:\windows\system32\drivers\ssidrv.sys
2008-11-12 16:02 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2008-11-12 16:02 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 20:00 666,112 a------- c:\windows\system32\wininet.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll

============= FINISH: 1:47:24.73 ===============

[Ried]

Hello m3avrck,

A reminder from Post #2 of our sticky topic...

Quote:

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.

That being said, post the C:\ComboFix.txt

[m3avrck]

Thanks Ried! I actually was playing with it before I found this forum :) Oddly enough, if I google "combofix" it takes me to maxim.com/girls -- not quite what I was looking for, but not too shabby, haha.

Results of ComboFix:
ComboFix 08-12-26.03 - Dad 2008-12-27 2:19:24.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.594 [GMT -5:00]
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
.

2008-12-27 01:47 . 2008-12-27 01:47 250 --a------ c:\windows\gmer.ini
2008-12-27 00:35 . 2008-12-27 00:35 <DIR> d-------- c:\program files\Trend Micro
2008-12-27 00:26 . 2008-12-27 01:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Webroot
2008-12-26 23:50 . 2008-12-26 23:50 <DIR> d-------- c:\program files\Webroot
2008-12-26 23:17 . 2008-12-26 23:17 <DIR> d-------- C:\!KillBox
2008-12-26 23:14 . 2008-12-26 23:16 <DIR> d-------- C:\fixwareout
2008-12-26 23:12 . 2008-12-26 23:50 164 --a------ C:\install.dat
2008-12-26 21:53 . 2008-12-26 21:53 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-26 21:52 . 2008-12-26 21:52 <DIR> d-------- c:\windows\ERUNT
2008-12-26 21:52 . 2008-12-26 22:13 <DIR> d-------- C:\SDFix
2008-12-26 21:01 . 2008-12-27 00:29 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-26 21:01 . 2008-12-27 00:29 <DIR> d-------- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com
2008-12-26 21:01 . 2008-12-26 21:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-26 20:56 . 2008-12-26 20:56 <DIR> d-------- c:\documents and settings\Administrator
2008-12-26 20:46 . 2008-12-26 20:46 <DIR> d-------- C:\VundoFix Backups
2008-12-26 17:43 . 2008-12-26 17:43 <DIR> d-------- c:\documents and settings\Dad\Application Data\Malwarebytes
2008-12-26 17:42 . 2008-12-26 17:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-26 17:42 . 2008-12-26 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-26 17:42 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 17:42 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-10 19:54 . 2008-12-25 14:30 <DIR> d-------- c:\program files\AutoCAD 2009
2008-12-10 19:54 . 2008-12-25 14:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Autodesk
2008-12-10 19:53 . 2008-12-10 19:53 <DIR> d-------- c:\program files\MSBuild
2008-12-10 19:53 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2008-12-10 19:50 . 2008-12-10 19:50 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-10 19:50 . 2008-12-10 19:50 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-10 19:50 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-12-10 19:48 . 2008-12-25 14:31 <DIR> d-------- c:\documents and settings\James\Application Data\Autodesk
2008-12-10 19:41 . 2008-12-10 19:41 <DIR> d-------- C:\install

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 05:38 --------- d-----w c:\program files\Java
2008-12-27 04:54 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-27 04:49 --------- d-----w c:\program files\CCleaner
2008-12-25 19:22 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-16 02:36 --------- d-----w c:\documents and settings\Dad\Application Data\U3
2008-11-12 21:02 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2008-11-12 21:02 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2008-11-12 21:02 170,608 ----a-w c:\windows\system32\drivers\ssidrv.sys
2008-11-10 10:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-02-08 01:46 13,624 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 01:46 87,360 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 01:46 91,448 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 01:46 21,824 ----a-w c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 01:46 206,136 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 01:46 31,544 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 01:46 40,248 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 21:27 479,232 ----a-w c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 21:27 548,864 ----a-w c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 21:27 626,688 ----a-w c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 16:47 981,170 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 01:46 24,384 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll
2005-09-15 22:26 44,153 ----a-w c:\program files\mozilla firefox\components\inspector.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-26_21.51.20.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-12-27 02:52:51 8,417,280 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-12-27 02:52:51 421,888 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-12-27 02:52:49 8,417,280 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-12-27 02:52:49 421,888 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-12-27 06:47:54 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2008-12-27 04:51:04 10,134 ----a-r c:\windows\Installer\{32343DB6-9A52-40C9-87E4-5E7C79791C87}\ARPPRODUCTICON.exe
+ 2008-12-27 04:50:57 10,134 ----a-r c:\windows\Installer\{3F5B6210-0903-4DC6-8034-8F488AA3A782}\ARPPRODUCTICON.exe
- 2006-02-23 16:41:02 466,944 ----a-w c:\windows\system32\capicom.dll
+ 2008-11-13 22:04:24 511,328 ----a-w c:\windows\system32\capicom.dll
- 2008-09-01 21:08:28 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-27 04:52:23 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-09-01 21:08:28 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-27 04:52:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-01 21:08:28 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-27 04:52:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-27 06:47:54 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2008-11-12 21:02:12 16,240 ----a-w c:\windows\system32\SsiEfr.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1382400]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTHelper"="c:\windows\system32\CTHELPER.EXE" [2004-03-10 28672]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-08-02 7110656]
"nwiz"="c:\windows\system32\nwiz.exe" [2005-08-02 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-08-02 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-01 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"EPSON PictureMate Deluxe"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE" [2004-10-17 98304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= wdmaud.sys

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\jamesserbinski\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-11-12 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-01 97928]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-06-01 76040]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-03 875288]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-03 231704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dcf372cc-ac2e-11dc-a41b-001111cb63af}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - GMER
.
Contents of the 'Scheduled Tasks' folder

2008-12-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-27 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\yizfoz63.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-27 02:20:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(856)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-12-27 2:21:00
ComboFix-quarantined-files.txt 2008-12-27 07:20:58
ComboFix2.txt 2008-12-27 05:18:49
ComboFix3.txt 2008-12-27 02:51:44

Pre-Run: 14,084,378,624 bytes free
Post-Run: 14,072,619,008 bytes free

215 --- E O F --- 2008-12-17 19:00:30

[Ried]

You also ran it more than once.

I need to see the chain of events here. Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please attach it in your next reply.

Also, please provide an update on system behavior.

[m3avrck]

Searching for any term in Google still shows ad links on first page of results.

C:\Qoobox\ComboFix-quarantined-files.txt

2004-08-10 07:00:00 A------- 325 C:\Qoobox\Quarantine\C\WINDOWS\system32\ntnet.drv.vir
2008-12-26 21:46:34 A------- 228 C:\Qoobox\Quarantine\catchme.log
2008-12-26 21:50:39 A------- 6,007 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

[Ried]

I'm not seeing anything active in the logs you posted. Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.

• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

[m3avrck]

Attached is a screenshot. I googled "bmw" and you can see in the results that the titles appear correct but the green text is linking to some strange sites. Something is still running and that's been the puzzling part -- hence why I turned to you guys :) I did notice the hosts file was corrupt and reverted that but this appears to happen to any google search result.

[Ried]

I understand entirely what you're experiencing. The trouble lies in the fact that I cannot remove what I cannot see. Please run the online scan and post the results for me.

[m3avrck]

Oddly enough, Yahoo is hijacked too.

[m3avrck]

Yes sorry the scan is still running so I thought I'd post some extra info :)

[Ried]

I appreciate that. Trouble is, I'm not seeing the usual files that cause this redirect, nor do I see them removed by ComboFix. Something must still be there, but out of reach of the time frame scannned by our tools.

[m3avrck]

Hmm not the most helpful :(

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 27, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 27, 2008 15:36:34
Records in database: 1520967
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 107231
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:42:53

No malware has been detected. The scan area is clean.

The selected area was scanned.

[m3avrck]

I though this might be a hijacked router/ISP but I tested on my Macbook and Google/Yahoo all working fine. Something specific (and hidden) to this computer. Very baffling. I even get bad Google results when in *safe mode* too.

Hmm...

[Ried]

Try this...

Please go to Start -> Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.

• Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on Properties.
• Select the Networking Tab
• Double click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.

Click OK twice, and restart your computer.

--------------------------------------------------------------------

Click Start>Run type cmd and hit OK

Next, type in the following text:

ipconfig /flushdns

(**Note: that space between g and / is needed)

Press Enter
Type Exit.

[m3avrck]

Nope :(

Code:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Dad>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Documents and Settings\Dad>

I noticed when Google is loading is downloading something from 7.7.7.0... not sure where that IP is but that isn't a Google one...

[m3avrck]

I ran Firebug and noted that Google is returning the proper HTML, but somewhere as the page is rendered it is being altered by something.

Google is returning:

Code:

<!doctype html><head><script src=//7.7.7.0/></script>  <style>body{background:#fff;color:#000;margin

:3px 8px}#gbar{height:22px;padding-left:2px}.gbh,.gbd{border-top:1px solid #c9d7f1;font-size:1px}.gbh

{height:0;position:absolute;top:24px;width:100%}#gbi,#gbs{background:#fff;left:0;position:absolute;top

:24px;visibility:hidden;z-index:1000}#gbi{border:1px solid;border-color:#c9d7f1 #36c #36c #a2bae7;z-index

:1001}#guser{padding-bottom:7px !important}#gbar,#guser{font-size:13px;padding-top:1px !important}@media

 all{.gb1,.gb3{height:22px;margin-right:.73em;vertical-align:top}#gbar{float:left}}.gb2{display:block

;padding:.2em .5em}a.gb1,a.gb2,a.gb3{color:#00c !important}.gb2,.gb3{text-decoration:none}a.gb2:hover

{background:#36c;color:#fff !important}.ts{border-collapse:collapse}.ts td{padding:0}.ti,.bl,form,#res

 h3{display:inline}.ti{display:inline-table}.fl:link,.gl a:link{color:#77c}a:link,.w,#prs a:visited,

#prs a:active,.q:active,.q:visited{color:#00c}.mblink:visited,a:visited{color:#551a8b}a:active{color

:red}.cur{color:#a90a08;font-weight:bold}.b{font-weight:bold}.j{width:42em;font-size:82%}.s{max-width

:42em}.j font[size="-1"]  ,.e .j{font-size:100%}.sl,.e .j font[size="-1"]  {font-size:82%}#gb{text-align

:right;padding:1px 0 7px;margin:0}.hd{position:absolute;width:1px;height:1px;top:-1000em;overflow:hidden

}.f,.m,#tads h2,#mbEnd h2{color:#676767}.a,cite,.cite,.cite:link{color:green;font-style:normal}#mbEnd

{float:right}h1,ol{margin:0;padding:0}li.g,body,html,.std,#tads h2,#mbEnd h2,h1{font-size:small;font-family

:arial,sans-serif}#tads h2,#mbEnd h2,h1{font-weight:normal}#ssb,.clr{clear:both}#nav a,#nav a:visited

,.blk a{color:#000}#nav .b a,#nav .b a:visited{color:#00c;font-size:medium}#nav .i{color:#a90a08;font-weight

:bold}.csb,.ss{background:url(/images/nav_logo3.png) no-repeat;height:26px;display:block}.ss{background-position

:0 -87px;position:absolute;left:0;top:0}.cps{overflow:hidden;height:18px;width:114px}.mbi{width:12px

;height:12px;background-position:-114px -78px;margin-right:2px}#nav td{padding:0;text-align:center}#logo

{display:block;overflow:hidden;position:relative;width:150px;height:52px;margin:14px 0 7px}#logo img

{border:none;position:absolute;left:0;top:-26px}#logo span,.ch{cursor:pointer}h3,.med{font-size:medium

;font-weight:normal;padding:0;margin:0}.e{margin:.75em 0}.slk td{padding-left:40px;padding-top:5px;vertical-align

:top}.slk div{padding-left:10px;text-indent:-10px}#mbEnd cite{display:block;text-align:left}#mbEnd p

{margin:-.5em 0 0 .5em;text-align:center}#bsf,#ssb,.blk{border-top:1px solid #6b90da;background:#f0f7f9

}#bsf,#ssb{margin:11px 0}#bsf{border-bottom:1px solid #6b90da}#ssb div{float:left;padding:4px 0 0;padding-left

:4px;padding-right:.5em}#prs a,#prs b{margin-right:.6em}#ssb p{text-align:right;white-space:nowrap;margin

:.1em 0;padding:.2em}#ssb{margin-top:0;padding:.1em}#mbEnd{background:#fff;padding:0;border-left:10px

 solid #fff;border-spacing:0;white-space:nowrap}#res{padding-right:1em}#tads{background:#fff8dd}#tads

 li{padding:0 3px 0 5px;margin:0}#tads .tam,#tads .tal{padding-top:12px}#mbEnd li{margin:1em 0;padding

:0}.xsm{font-size:x-small}.sm{margin:0 0 0 40px;padding:0}ol li{list-style:none}.sm li{margin:0}.gl,

#bsf a,.nobr,#brs a{white-space:nowrap}#mbEnd .med{white-space:normal}.sl,.r{display:inline;font-weight

:normal;margin:0}.r{font-size:medium}h4.r{font-size:small}.g{margin:1em 0}em{font-weight:bold;font-style

:normal}em,b{text-decoration:inherit}</style><script>window.google={kEI:"tJ1WSY6JBoqhtwevl8mxDg",kEXPI

:"17259,17291,18169",kHL:"en"};

google.y={};google.x=function(e,g){google.y[e.id]=[e,g];return false};window.clk=function(b,c,d,e,f,g

){if(document.images){var a=encodeURIComponent||escape;(new Image).src="/url?sa=T\x26source\x3dweb"+

(c?"&oi="+a(c):"")+(d?"&cad="+a(d):"")+"&ct="+a(e)+"&cd="+a(f)+(b?"&url="+a(b.replace(/#.*/,"")).replace

(/\+/g,"%2B"):"")+"&ei=tJ1WSY6JBoqhtwevl8mxDg"+g}return true};

window.gbar={};(function(){var b=window.gbar,f,h;b.qs=function(a){var c=window.encodeURIComponent&&(document

.forms[0].q||"").value;if(c)a.href=a.href.replace(/([?&])q=[^&]*|$/,function(i,g){return(g||"&")+"q="

+encodeURIComponent(c)})};function j(a,c){a.visibility=h?"hidden":"visible";a.left=c+"px"}b.tg=function

(a){a=a||window.event;var c=0,i,g=window.navExtra,d=document.getElementById("gbi"),e=a.target||a.srcElement

;a.cancelBubble=true;if(!f){f=document.createElement(Array.every||window.createPopup?"iframe":"div")

;f.frameBorder="0";f.src="#";d.parentNode.appendChild(f).id="gbs";if(g)for(i in g)d.insertBefore(g[i

],d.firstChild).className="gb2";document.onclick=b.close}if(e.className!="gb3")e=e.parentNode;do c+=e

.offsetLeft;while(e=e.offsetParent);j(d.style,c);f.style.width=d.offsetWidth+"px";f.style.height=d.offsetHeight

+"px";j(f.style,c);h=!h};b.close=function(a){h&&b.tg(a)}})();</script></head><body id=gsr topmargin=3

 marginheight=3><div id=header><div id=gbar><nobr><b class=gb1>Web</b> <a href="http://images.google

.com/images?hl=en&q=bmw&um=1&ie=UTF-8&sa=N&tab=wi" onclick=gbar.qs(this) class=gb1>Images</a> <a href

="http://maps.google.com/maps?hl=en&q=bmw&um=1&ie=UTF-8&sa=N&tab=wl" onclick=gbar.qs(this) class=gb1

>Maps</a> <a href="http://news.google.com/news?hl=en&q=bmw&um=1&ie=UTF-8&sa=N&tab=wn" onclick=gbar.qs

(this) class=gb1>News</a> <a href="http://www.google.com/products?hl=en&q=bmw&um=1&ie=UTF-8&sa=N&tab

=wf" onclick=gbar.qs(this) class=gb1>Shopping</a> <a href="http://mail.google.com/mail/?um=1&ie=UTF-8

&sa=N&tab=wm" class=gb1>Gmail</a> <a href="http://www.google.com/intl/en/options/" onclick="this.blur

();gbar.tg(event);return !1" class=gb3><u>more</u> <small>▼</small></a><div id=gbi> <a href="http

://video.google.com/videosearch?hl=en&q=bmw&um=1&ie=UTF-8&sa=N&tab=wv" onclick=gbar.qs(this) class=gb2

>Video</a> <a href="http://groups.google.com/groups?hl=en&q=bmw&um=1&ie=UTF-8&sa=N&tab=wg" onclick=gbar

.qs(this) class=gb2>Groups</a> <a href="http://books.google.com/books?hl=en&q=bmw&um=1&ie=UTF-8&sa=N

&tab=wp" onclick=gbar.qs(this) class=gb2>Books</a> <a href="http://scholar.google.com/scholar?hl=en&q

=bmw&um=1&ie=UTF-8&sa=N&tab=ws" onclick=gbar.qs(this) class=gb2>Scholar</a> <a href="http://finance.google

.com/finance?hl=en&q=bmw&um=1&ie=UTF-8&sa=N&tab=we" onclick=gbar.qs(this) class=gb2>Finance</a> <a href

="http://blogsearch.google.com/blogsearch?hl=en&q=bmw&um=1&ie=UTF-8&sa=N&tab=wb" onclick=gbar.qs(this

) class=gb2>Blogs</a> <div class=gb2><div class=gbd></div></div> <a href="http://www.youtube.com/results

?hl=en&q=bmw&um=1&ie=UTF-8&sa=N&tab=w1" onclick=gbar.qs(this) class=gb2>YouTube</a> <a href="http://www

.google.com/calendar/render?um=1&ie=UTF-8&sa=N&tab=wc" class=gb2>Calendar</a> <a href="http://picasaweb

.google.com/lh/searchbrowse?hl=en&q=bmw&um=1&ie=UTF-8&sa=N&tab=wq" onclick=gbar.qs(this) class=gb2>Photos

</a> <a href="http://docs.google.com/?um=1&ie=UTF-8&sa=N&tab=wo" class=gb2>Documents</a> <a href="http

://www.google.com/reader/view/?um=1&ie=UTF-8&sa=N&tab=wy" class=gb2>Reader</a> <a href="http://sites

.google.com/?um=1&ie=UTF-8&sa=N&tab=w3" class=gb2>Sites</a> <div class=gb2><div class=gbd></div></div

> <a href="http://www.google.com/intl/en/options/" class=gb2>even more &raquo;</a></div> </nobr></div

><div class=gbh style=left:0></div><div class=gbh style=right:0></div><p id=gb><nobr><a href="https:

//www.google.com/accounts/Login?continue=http://www.google.com/search%3Fhl%3Den%26q%3Dbmw%26btnG%3DGoogle

%2BSearch%26aq%3Df%26oq%3D&amp;hl=en">Sign in</a></nobr></p><form id=tsf name=gs method=GET action="

/search"><table id=sft cellpadding=0 cellspacing=0 style=clear:both><tr valign=top><td style="padding-right

:8px"><h1><a id=logo href="http://www.google.com/webhp?hl=en" title="Go to Google Home">Google<img width

=150 height=105 src="/images/nav_logo3.png" alt=""></a></h1><td style="padding:1px 0 7px;width:100%"

><table cellspacing=0 cellpadding=0 style="margin-top:25px"><tr><td nowrap><input type=hidden name=hl

 value="en"><input type=text name=q size=41 maxlength=2048 value="bmw" title="Search"> <input type=submit

 name="btnG" value="Search"></td><td style="padding:0 6px" class="nobr xsm"><a href="/advanced_search

?q=bmw&amp;hl=en">Advanced Search</a><br><a href="/preferences?q=bmw&amp;hl=en">Preferences</a></table

></table></form></div><div id=ssb><div id=prs><b>Web</b>&nbsp;<a href="http://news.google.com/news?hl

=en&q=bmw&oe=UTF-8&um=1&ie=UTF-8&sa=N&tab=wn&oi=property_suggestions&resnum=0&ct=property-revision&cd

=1">News</a> </div><p>&nbsp;Results <b>1</b> - <b>10</b> of about <b>235,000,000</b> for <b>bmw</b>.

  (<b>0.08</b> seconds)&nbsp;</div><table id=mbEnd  width=30%><tr><td id=rhsline style="padding-left

:10px;border-left:1px solid #c9d7f1" class=std><h2 style="text-align:center;margin:0;padding:0">Sponsored

 Links</h2><ol onmouseover="return true" class=nobr><li><h3><a id=an1 href="/aclk?sa=l&amp;ai=CtWONt

J1WSbOzBtuotgeQt_SBBsvG5IcBn6b59gr60YwOEAEoCFC_4Pax-v____8BYMneqY3spIAQoAGl_-fvA8gBAaoEHE_QyNXRdHpobO_QO3eLZY50K0VHoIGxfW4MjKE

&amp;num=2&amp;sig=AGiWqtx7PDZmY7hWx2AkUqKyYAACdVImVg&amp;q=http://www.passportbmw.com/lease_offers.htm"

>Premium <b>BMW</b> Dealership</a></h3>New <b>BMW</b>'s 0.9% APR &amp; $349 Leasing<br>View are large

 Inventory Online.<br><cite>www.Passport<b>BMW</b>.com</cite><li><h3><a id=an2 href="/aclk?sa=L&amp;ai

=CLWv5tJ1WSbOzBtuotgeQt_SBBvnh8HvPuNvxCazw5wQQAigIUMnaqaMFYMneqY3spIAQyAEBqgQaT9C4l_F3emlk7yA4DlaeUa5oPamMfBziiT4

&amp;num=3&amp;sig=AGiWqtyoRGEbqBJyAKEQqczfY1yZDcSodA&amp;q=http://clickserve.dartsearch.net/link/click

%3Flid%3D43000000152488823%26ds_s_kwgid%3D58000000003560823%26ds_e_adid%3D2563390891%26ds_e_matchtype

%3Dsearch%26ds_url_v%3D2">Porsche - Official Site</a></h3>Learn About Affordable Leasing<br>Options 

&amp; More Today.<br><cite>www.Porsche.com</cite><li><h3><a id=an3 href="/aclk?sa=l&amp;ai=CEdCytJ1W

SbOzBtuotgeQt_SBBp2K513NitKLBdW70xUQAygIUJ-SlOr7_____wFgyd6pjeykgBCgAd_DlP8DyAEBqgQZT9DonnVtZlJdJurvCTxljnQrRUeggbF9bg

&amp;num=4&amp;sig=AGiWqtw2ffCB5X2s1n43yqzP47VmuOkUrA&amp;q=http://www.carmax.com/enus/landingpage/bmw

.html%3Fadcode%3DGOOAW100283P%26CMP%3DKNL-3N7X55145686%26HBX_PK%3Dbmw%26HBX_OU%3D50%26s%3D0"><b>BMW<

/b> at CarMax</a></h3>Actual Prices &amp; Photos of Over<br>25,000 New &amp; Used Vehicles Online<br

><cite>www.CarMax.com</cite><li><h3><a id=an4 href="/aclk?sa=L&amp;ai=CgW_dtJ1WSbOzBtuotgeQt_SBBuq0n0He2fCdBKzw5wQQBCgIUKfX-t3______wFgyd6pjeykgBDIAQGqBBRP0PjGh3R6b2TvMTm3sbKtcMFIQw

&amp;num=5&amp;sig=AGiWqtxFTcSEqbzZvoS1L-I9W122R6uAPw&amp;q=http://LenStolerLuxuryCollection.com">Largest

 Pre-Owned Luxury</a></h3>Inventory in region. View all top<br>brands. Extraordinary savings.<br><cite

>LuxuryAutos4Less.com</cite>Washington, DC (Hagerstown, MD)<li><h3><a id=an5 href="/aclk?sa=L&amp;ai

=Caz97tJ1WSbOzBtuotgeQt_SBBoyJnD6sj_ewBK3CkAcQBSgIUKeHv4sEYMneqY3spIAQyAEBqgQaT9Domfx3emxk7yA4P1fZVq5oPamMfBziiT4

&amp;num=6&amp;ggladgrp=14447705553317441431&amp;gglcreat=554467662488277691&amp;sig=AGiWqtzUJrzd0X_w9jrZwRH5BPnfiKB4sQ

&amp;q=http://ad.doubleclick.net/clk%3B96526150%3B18289301%3Bj%3Fhttp://www.infiniti.com/%3Fdcp%3Dppi

.%2525epid!.%26dcc%3D%2525ecid!.%2525eaid!">Infiniti Official Site</a></h3>Explore the New Infiniti Vehicles

.<br>G37 Coupe &amp; Sedan, M, FX, &amp; QX.<br><cite>www.Infiniti.com</cite><li><h3><a id=an6 href="

/aclk?sa=L&amp;ai=CKmjCtJ1WSbOzBtuotgeQt_SBBubs25sB5sn3qQbl4YIIEAYoCFCE0fem-f____8BYMneqY3spIAQyAEBqgQcT9DojgdtZVJdbuo7P4vixJdipJIavs2yu0a6YQ

&amp;num=7&amp;sig=AGiWqtwaPqu-2x42QDtA6MSDOC1rHu_WoA&amp;q=http://www.edmunds.com/bmw/index.html%3Fmktcat

%3Dbmw-make-misspelling-proper%26kw%3Dbmw%26mktid%3Dga25427844"><b>BMW</b> Pricing &amp; Info</a></h3

><b>BMW</b> Info, Photos, More!<br>Get Local Dealer Invoice Prices.<br><cite>www.<b>BMW</b>.Edmunds.com

</cite><li><h3><a id=an7 href="/aclk?sa=L&amp;ai=Ci3wftJ1WSbOzBtuotgeQt_SBBuORomz5-ffNCLnY2REQBygIUMux2qr6_____wFgyd6pjeykgBDIAQGqBBpP0Oj023Z6YmTvIDhkKqFRrmg9qYx8HOKJPg

&amp;num=8&amp;sig=AGiWqtx3qy-ZyJN7exPxCd40UJmaJ_8xlA&amp;q=http://clickserve.dartsearch.net/link/click

%3Flid%3D43000000154348755%26ds_s_kwgid%3D58000000003596879%26ds_e_adid%3D2191587947%26ds_e_matchtype

%3Dsearch%26ds_url_v%3D2">Compare to the Saab 9-5</a></h3>See the Advantages the Saab 9-5<br>Sedan Has

 on the Competition.<br><cite>www.SaabUSA.com/9-5Compare</cite><li><h3><a id=an8 href="/aclk?sa=L&amp

;ai=CwTSEtJ1WSbOzBtuotgeQt_SBBoOFoXLDgMSnAbnY2REQCCgIUM76-OAGYMneqY3spIAQyAEBqgQcT9C4oidta1Jdbuo7P4uF2sVqpJIavs2yu0a6YQ

&amp;num=9&amp;sig=AGiWqtypoBkkrJHiCSPeI2ciSuMbmDDtLA&amp;q=http://www.carpricesecrets.com/L.php%3Fx

%3D7200824">Top <b>BMW</b> Prices</a></h3>Find out our Lowest Possible Price<br>on a new <b>BMW</b> Purchase

 or Lease!<br><cite>www.CarPriceSecrets.com</cite></ol><p><a href="http://www.google.com/sponsoredlinks

?q=bmw&amp;hl=en&amp;um=1&amp;ie=UTF-8" class=fl>More Sponsored Links &raquo;</a>&nbsp;<tr><td id=rhspad

></table><div id=tads><h2 style="float:right;margin:3px 3px 0">Sponsored Link</h2><ol onmouseover="return

 true" style="padding:3px 0"><li class=tas><h3><a id=pa1 href="/aclk?sa=L&amp;ai=CFT3BtJ1WSbOzBtuotgeQt_SBBpaZzXPYuPmKBazw5wQIABABUM7KvooFYMneqY3spIAQyAEBqgQZT9DYmj5tY1JdJuqkD2ZsjnQrRUeggbF9bg

&amp;sig=AGiWqtx4zFV1gppiuuA00hPyR9B53oy9Zw&amp;q=http://clk.atdmt.com/AST/go/gglxx8es0080000034ast/direct

/01/">Official <b>BMW</b> Site</a></h3><cite>www.washingtondc<b>bmw</b>.com</cite>&nbsp; &nbsp; &nbsp

; Find Out What You've Been Missing - Learn More at <b>BMW</b>'s DC Site!</ol></div><div id=res

 class=med><!--a--><h2 class=hd>Search Results</h2><div><ol><!--m--><link rel="prefetch" href="http:

//www.bmw.com/"><li class=g><h3 class=r><a href="http://www.bmw.com/" class=l onmousedown="return clk

(this.href,'','','res','1','')"><em>BMW</em> automobiles - website of the <em>BMW</em> AG</a></h3><div

 class="s">The official <em>BMW</em> AG website: <em>BMW</em> automobiles, services, technologies and

 all about <em>BMW's</em> sheer driving pleasure.<br><cite>www.<b>bmw</b>.com/ - 46k - </cite><span

 class=gl><a href="http://74.125.47.132/search?q=cache:ys7v8m0j3LMJ:www.bmw.com/+bmw&amp;hl=en&amp;ct

=clnk&amp;cd=1&amp;gl=us" onmousedown="return clk(this.href,'','','clnk','1','')">Cached</a> - <a href

="/search?hl=en&amp;q=related:www.bmw.com/">Similar pages</a></span></div><!--n--><!--m--><li class=g

 style="margin-left:3em"><h3 class=r><a href="http://www.bmw.com/com/en/" class=l onmousedown="return

 clk(this.href,'','','res','2','')"><em>BMW</em> automobiles - website of the <em>BMW</em> AG</a></h3

><div class="s hc"><em>BMW</em> EfficientDynamics technologies worldwide. And that's just the start

. <b>...</b> <em>BMW</em> Shops Explore the world of exclusive online shopping with <em>BMW</em> quality

 shops <b>...</b><br><cite>www.<b>bmw</b>.com/com/en/ - 106k - </cite><span class=gl><a href="http:/

/74.125.47.132/search?q=cache:Re38ckTqsMMJ:www.bmw.com/com/en/+bmw&amp;hl=en&amp;ct=clnk&amp;cd=2&amp

;gl=us" onmousedown="return clk(this.href,'','','clnk','2','')">Cached</a> - <a href="/search?hl=en&amp

;q=related:www.bmw.com/com/en/">Similar pages</a></span></div><!--n--><!--m--><li class=g><h3 class=r

><a href="http://www.bmwusa.com/" class=l onmousedown="return clk(this.href,'','','res','3','')"><em

>BMW</em> of North America, LLC</a></h3><div class="s">The official <em>BMW</em> of North America Web

 site. Learn about all <em>BMW</em> Series and models and find out where to find the closest <em>BMW

</em> center.<br><cite>www.<b>bmw</b>usa.com/ - 67k - </cite><span class=gl><a href="http://74.125.47

.132/search?q=cache:W59Q9fpm9PkJ:www.bmwusa.com/+bmw&amp;hl=en&amp;ct=clnk&amp;cd=3&amp;gl=us" onmousedown

="return clk(this.href,'','','clnk','3','')">Cached</a> - <a href="/search?hl=en&amp;q=related:www.bmwusa

.com/">Similar pages</a></span></div><!--n--><!--m--><li class=g><h3 class=r><a href="http://www.bmwmotorcycles

.com/" class=l onmousedown="return clk(this.href,'','','res','4','')"><em>BMW</em> Motorcycles: Home

</a></h3><div class="s">While <em>BMW</em> Motorrad USA will do everything possible to ensure the accuracy

 and timeliness of information on this website, we will not be responsible for <b>...</b><br><cite>www

.<b>bmw</b>motorcycles.com/ - 9k - </cite><span class=gl><a href="http://74.125.47.132/search?q=cache

:bhpoJyCmY2sJ:www.bmwmotorcycles.com/+bmw&amp;hl=en&amp;ct=clnk&amp;cd=4&amp;gl=us" onmousedown="return

 clk(this.href,'','','clnk','4','')">Cached</a> - <a href="/search?hl=en&amp;q=related:www.bmwmotorcycles

.com/">Similar pages</a></span></div><!--n--><!--m--><li class=g><h3 class=r><a href="http://www.answers

.com/topic/bmw-2006" class=l onmousedown="return clk(this.href,'','','res','5','')"><em>BMW</em>: Definition

 from Answers.com</a></h3><div class="s"><em>BMW</em> German automaker. Founded as an aircraft engine

 manufacturer in 1916, the company assumed the name Bayerische Motoren Werke and became known  for.<br

><cite>www.answers.com/topic/<b>bmw</b>-2006 - 286k - </cite><span class=gl><a href="http://74.125.47

.132/search?q=cache:sTPHqkskDwUJ:www.answers.com/topic/bmw-2006+bmw&amp;hl=en&amp;ct=clnk&amp;cd=5&amp

;gl=us" onmousedown="return clk(this.href,'','','clnk','5','')">Cached</a> - <a href="/search?hl=en&amp

;q=related:www.answers.com/topic/bmw-2006">Similar pages</a></span></div><!--n--><!--m--><li class=g

><h3 class=r><a href="http://www.motortrend.com/new_cars/01/bmw/index.html" class=l onmousedown="return

 clk(this.href,'','','res','6','')"><em>BMW</em> Cars | New 2008 2009 <em>BMW</em> Car Models - Motor

 Trend Magazine</a></h3><div class="s">MotorTrend.com is your online guide to all new <em>BMW</em>; research

 by category or use our new car search to find prices, read reviews, or buy a new <em>BMW</em> online

 <b>...</b><br><cite>www.motortrend.com/new_cars/01/<b>bmw</b>/index.html - 95k - </cite><span class

=gl><a href="http://74.125.47.132/search?q=cache:2pNEk0p57sUJ:www.motortrend.com/new_cars/01/bmw/index

.html+bmw&amp;hl=en&amp;ct=clnk&amp;cd=6&amp;gl=us" onmousedown="return clk(this.href,'','','clnk','6'

,'')">Cached</a> - <a href="/search?hl=en&amp;q=related:www.motortrend.com/new_cars/01/bmw/index.html"

>Similar pages</a></span></div><!--n--><!--m--><li class=g><h3 class=r><a href="http://www.bmwusfactory

.com/" class=l onmousedown="return clk(this.href,'','','res','7','')"><em>BMW</em> Manufacturing Official

 Site</a></h3><div class="s">Virtual plant tour features panorama views of the Z3 and X5 manufacturing

 process. Video  clips, press releases and photography library.<br><cite>www.<b>bmw</b>usfactory.com

/ - 4k - </cite><span class=gl><a href="http://74.125.47.132/search?q=cache:zC8QbloEMgQJ:www.bmwusfactory

.com/+bmw&amp;hl=en&amp;ct=clnk&amp;cd=7&amp;gl=us" onmousedown="return clk(this.href,'','','clnk','7'

,'')">Cached</a> - <a href="/search?hl=en&amp;q=related:www.bmwusfactory.com/">Similar pages</a></span

></div><!--n--><!--m--><li class=g><h3 class=r><a href="http://en.wikipedia.org/wiki/BMW" class=l onmousedown

="return clk(this.href,'','','res','8','')"><em>BMW</em> - Wikipedia, the free encyclopedia</a></h3>

<div class="s">Bayerische Motoren Werke AG (info) (<em>BMW</em>), (English: Bavarian Motor Works) is

 an independent German automobile manufacturer founded in 1916. <b>...</b><br><cite>en.wikipedia.org

/wiki/<b>BMW</b> - 226k - </cite><span class=gl><a href="http://74.125.47.132/search?q=cache:9GozWwIBpTwJ

:en.wikipedia.org/wiki/BMW+bmw&amp;hl=en&amp;ct=clnk&amp;cd=8&amp;gl=us" onmousedown="return clk(this

.href,'','','clnk','8','')">Cached</a> - <a href="/search?hl=en&amp;q=related:en.wikipedia.org/wiki/BMW"

>Similar pages</a></span></div><!--n--><!--m--><li class=g><h3 class=r><a href="http://autos.yahoo.com

/bmw/" class=l onmousedown="return clk(this.href,'','','res','9','')"><em>BMW</em> Cars | New 2008 &amp

; 2009 <em>BMW</em> Car Models — Yahoo! Autos</a></h3><div class="s">Yahoo! Autos — <em>BMW</em> Cars

. Research all <em>BMW</em> 2009 &amp; 2008 car models, such as the 2009 <em>BMW</em> 3 Series. Compare

 new <em>BMW</em> vehicles &amp; buy used <em>BMWs</em> for sale.<br><cite>autos.yahoo.com/<b>bmw</b

>/ - 107k - </cite><span class=gl><a href="http://74.125.47.132/search?q=cache:yjHBrdiQI5UJ:autos.yahoo

.com/bmw/+bmw&amp;hl=en&amp;ct=clnk&amp;cd=9&amp;gl=us" onmousedown="return clk(this.href,'','','clnk'

,'9','')">Cached</a> - <a href="/search?hl=en&amp;q=related:autos.yahoo.com/bmw/">Similar pages</a><

/span></div><!--n--><!--m--><li class=g><h3 class=r><a href="http://www.ibmwr.org/" class=l onmousedown

="return clk(this.href,'','','res','10','')">IBMWR - <em>BMW</em> Motorcycle Mailing List</a></h3><div

 class="s">Nov 18, 2008 <b>...</b> Welcome to the Internet <em>BMW</em> Riders' home on the web.

 The IBMWR has been around since 1992 and is made up of the IBMWR mail list (better <b>...</b><br><cite

>www.i<b>bmw</b>r.org/ - 9k - </cite><span class=gl><a href="http://74.125.47.132/search?q=cache:bBlVAcSbhp0J

:www.ibmwr.org/+bmw&amp;hl=en&amp;ct=clnk&amp;cd=10&amp;gl=us" onmousedown="return clk(this.href,'',''

,'clnk','10','')">Cached</a> - <a href="/search?hl=en&amp;q=related:www.ibmwr.org/">Similar pages</a

></span></div><!--n--><li class=g><h3 class=r><a href="http://news.google.com/news?hl=en&amp;q=bmw&amp

;um=1&amp;ie=UTF-8&amp;sa=X&amp;oi=news_group&amp;resnum=11&amp;ct=title">News results for <em>bmw</em

></a></h3><table class=ts><tr><td valign=top style="padding-top:5px;padding-right:10px;font-size:78%

;line-height:normal;width:80px;text-align:center"><a href="/url?q=http://www.chron.com/disp/story.mpl

/ap/nation/6182759.html&amp;sa=X&amp;oi=news_group&amp;resnum=11&amp;ct=image&amp;usg=AFQjCNFWhdlgWLiJcDtkQbFJRFMHIaEYoA"

 style="text-decoration:none" ><img src="http://news.google.com/news?hl=en&amp;q=bmw&amp;um=1&amp;ie

=UTF-8&amp;imgefp=jDHEp6VJdHUJ&amp;imgurl=images.chron.com/photos/2008/12/26/14556645/1225dv_hanukkah_crash

.jpg" alt="" border=1 width=80 height=60><br><span style="text-decoration:underline">Houston Chronicle

</span></a><td valign=top style="padding-top:3px"><!--m--><a href="http://www.newsday.com/news/local

/ny-licar2712306623dec27,0,3631884.story" class=l onmousedown="return clk(this.href,'','','res','11'

,'')">Cops: Car floor mat may be cause of crash into party</a> - <nobr><span class=f>18 hours ago</span

></nobr><br><div class=s>A floor mat that slipped out of position may have led a <em>BMW</em> sport utility

 <b>...</b> His 2007 <em>BMW</em> X3 approached a red light, then veered to the left into a parked <b

>...</b></div><span class=gl><cite>Newsday</cite> - <a href="http://news.google.com/news?hl=en&amp;q

=bmw&amp;um=1&amp;ie=UTF-8&amp;ncl=1283607119&amp;sa=X&amp;oi=news_result&amp;resnum=11&amp;ct=more-results

&amp;cd=1">854 related articles&nbsp;&raquo;</a></span><br><!--n--><!--m--><div class=s><a href="http

://uk.reuters.com/article/rbssConsumerGoodsAndRetailNews/idUKLR18873820081227" class=l onmousedown="return

 clk(this.href,'','','res','12','')"><em>BMW's</em> Mini to grow in '09, Skoda cuts targets -report

</a> - <span class=gl><cite>Reuters</cite> - <a href="http://news.google.com/news?hl=en&amp;q=bmw&amp

;um=1&amp;ie=UTF-8&amp;ncl=1284393056&amp;sa=X&amp;oi=news_result&amp;resnum=12&amp;ct=more-results&amp

;cd=1" >8 related articles&nbsp;&raquo;</a></span></div><!--n--></table></ol></div><!--z--><div class

=e><table class="ts std" id=brs style="padding:0 0 1em"><caption class="med nobr" style="padding-bottom

:6px;text-align:left">Searches related to: <b>bmw</b></caption><tr><td style="padding:0 0 7px;padding-right

:34px;vertical-align:top"><a href="/search?hl=en&q=bmw+x6&revid=864057116&sa=X&oi=revisions_inline&resnum

=0&ct=broad-revision&cd=1">bmw <b>x6</b></a><td style="padding:0 0 7px;padding-right:34px;vertical-align

:top"><a href="/search?hl=en&q=bmw+forum&revid=864057116&sa=X&oi=revisions_inline&resnum=0&ct=broad-revision

&cd=2">bmw <b>forum</b></a><td style="padding:0 0 7px;padding-right:34px;vertical-align:top"><a href

="/search?hl=en&q=bmw+135i&revid=864057116&sa=X&oi=revisions_inline&resnum=0&ct=broad-revision&cd=3"

>bmw <b>135i</b></a><td style="padding:0 0 7px;padding-right:34px;vertical-align:top"><a href="/search

?hl=en&q=bmw+india&revid=864057116&sa=X&oi=revisions_inline&resnum=0&ct=broad-revision&cd=4">bmw <b>india

</b></a><tr><td style="padding:0 0 7px;padding-right:34px;vertical-align:top"><a href="/search?hl=en

&q=bmw+135&revid=864057116&sa=X&oi=revisions_inline&resnum=0&ct=broad-revision&cd=5">bmw <b>135</b><

/a><td style="padding:0 0 7px;padding-right:34px;vertical-align:top"><a href="/search?hl=en&q=bmw+motorrad

&revid=864057116&sa=X&oi=revisions_inline&resnum=0&ct=broad-revision&cd=6">bmw <b>motorrad</b></a><td

 style="padding:0 0 7px;padding-right:34px;vertical-align:top"><a href="/search?hl=en&q=bmw+1&revid=864057116

&sa=X&oi=revisions_inline&resnum=0&ct=broad-revision&cd=7">bmw <b>1</b></a><td style="padding:0 0 7px

;padding-right:34px;vertical-align:top"><a href="/search?hl=en&q=bmw+f800gs&revid=864057116&sa=X&oi=revisions_inline

&resnum=0&ct=broad-revision&cd=8">bmw <b>f800gs</b></a></table></div></div><br clear="all"/><table id

=nav align=center style="border-collapse:collapse;margin:auto;text-align:center;direction:ltr;margin-bottom

:1.4em"><tr valign=top><td class=b><span class="csb" style="background-position:-26px 0;width:18px">

</span><td class=cur><span class="csb" style="background-position:-44px 0;width:16px"></span>1<td><a

 href="/search?hl=en&amp;q=bmw&amp;start=10&amp;sa=N"><span class="csb ch" style="background-position

:-60px 0;width:16px"></span>2</a><td><a href="/search?hl=en&amp;q=bmw&amp;start=20&amp;sa=N"><span class

="csb ch" style="background-position:-60px 0;width:16px"></span>3</a><td><a href="/search?hl=en&amp;q

=bmw&amp;start=30&amp;sa=N"><span class="csb ch" style="background-position:-60px 0;width:16px"></span

>4</a><td><a href="/search?hl=en&amp;q=bmw&amp;start=40&amp;sa=N"><span class="csb ch" style="background-position

:-60px 0;width:16px"></span>5</a><td><a href="/search?hl=en&amp;q=bmw&amp;start=50&amp;sa=N"><span class

="csb ch" style="background-position:-60px 0;width:16px"></span>6</a><td><a href="/search?hl=en&amp;q

=bmw&amp;start=60&amp;sa=N"><span class="csb ch" style="background-position:-60px 0;width:16px"></span

>7</a><td><a href="/search?hl=en&amp;q=bmw&amp;start=70&amp;sa=N"><span class="csb ch" style="background-position

:-60px 0;width:16px"></span>8</a><td><a href="/search?hl=en&amp;q=bmw&amp;start=80&amp;sa=N"><span class

="csb ch" style="background-position:-60px 0;width:16px"></span>9</a><td><a href="/search?hl=en&amp;q

=bmw&amp;start=90&amp;sa=N"><span class="csb ch" style="background-position:-60px 0;width:16px"></span

>10</a><td class=b><a href="/search?hl=en&amp;q=bmw&amp;start=10&amp;sa=N"><span class="csb ch" style

="background-position:-76px 0;margin-right:34px;width:66px"></span>Next</a></table><div style="height

:1px;line-height:0"></div><div style="text-align:center;margin-top:1.4em" class=clr><div id=bsf style

="padding:1.8em 0;margin-top:0"><form method=get action="/search"><div><input type=text name=q size=41

 maxlength=2048 value="bmw" title="Search"> <input type=submit name="btnG" value="Search"><input type

=hidden name=hl value="en"><input type=hidden name=sa value="2"></div></form><p style="margin:1.2em 0

 0"><a href="/swr?q=bmw&amp;hl=en&amp;swrnum=235000000">Search&nbsp;within&nbsp;results</a> | <a href

="/language_tools?q=bmw&amp;hl=en">Language Tools</a> | <a href="/intl/en/help.html">Search&nbsp;Tips

</a> | <a href="/quality_form?q=bmw&amp;hl=en" target=_blank>Dissatisfied? Help us improve</a> | <a href

="/experimental/">Try Google Experimental</a></div><p><a href="/">Google&nbsp;Home</a> - <a href="/intl

/en/ads/">Advertising&nbsp;Programs</a> - <a href="/services/">Business Solutions</a> - <a href="/intl

/en/privacy.html">Privacy</a> - <a href="/intl/en/about.html">About Google</a></p></div>

Which doesn't match up with what I see in the browser. Hmm...

[m3avrck]

Actually what is that first line???

Code:

//7.7.7.0/

hmm... running that in my browser returns:

Code:

document.write("<div id=_p_></div>");window.onload=function(){try{var u=document.body.getAttribute("unload");if(u)eval(u);}catch(e){}};//

[m3avrck]

Confirmed that Yahoo has this same string at the top of it's doc too -- but only on search pages for both Google and Yahoo.

[m3avrck]

And for the record: C:\WINDOWS\system32\drivers\etc shows:

Code:

127.0.0.1  localhost

I already reset that earlier. So seems like whatever is on here is running it's own web server or something.