
This Is My Hjt Log


19 replies to this topic

#1 ashton_r


Posted 18 January 2007 - 06:44 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:41:55 PM, on 1/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Morpheus\Morpheus.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn2\yt.dll
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Startup: Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168148838070
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168150530953
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe


#2 MFDnSC


Posted 18 January 2007 - 07:47 PM

Add/Remove Programs: remove Morpheus. P2P programs will get you into trouble.

Click on http://noahdfear.geekstogo.com/FindAWF.exe to download FindAWF.exe and save it to your desktop.
· Double-click on the FindAWF.exe file to run it.
· It will open a command prompt and ask you to "Press any key to continue".
· Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
· It may take a few minutes to complete so be patient.
· When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
· Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.
======================

Download Superantispyware

http://www.superantispyware.com/superantis...efreevspro.html

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new HijackThis log.

#3 ashton_r


Posted 25 January 2007 - 11:16 AM

Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~

21504 "C:\WINDOWS\ServicePackFiles\i386\rcp.exe"
21504 "C:\WINDOWS\ServicePackFiles\i386\spupdwxp.exe"
21504 "C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\rcp.exe"
21504 "C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\spupdwxp.exe"


21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~

25600 "C:\WINDOWS\system32\verclsid.exe"


25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

12/11/2006 09:52 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\SAVE\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SMINST\BAK

12/11/2006 09:59 PM 221,184 RECGUARD.EXE
1 File(s) 221,184 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

12/11/2006 10:00 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

12/18/2006 06:10 PM 118,784 hkcmd.exe
12/12/2006 09:01 PM 98,304 ps2.exe
2 File(s) 217,088 bytes

Directory of C:\PROGRA~1\HP\{45B61~1\BAK

12/11/2006 09:54 PM 49,152 hphupd05.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

09/22/2005 06:29 PM 303,104 mcagent.exe
12/12/2006 05:48 PM 212,992 mcupdate.exe
2 File(s) 516,096 bytes

Directory of C:\PROGRA~1\SUPPORT.COM\BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\WILDTA~1\APPS\BAK

10/09/2003 01:31 PM 184,784 GameChannel.exe
1 File(s) 184,784 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

07/31/2006 02:54 PM 4,617,720 YAHOOM~1.EXE
1 File(s) 4,617,720 bytes

Directory of C:\WINDOWS\WT\UPDATER\BAK

12/11/2006 10:00 PM 20,480 wcmdmgrl.exe
1 File(s) 20,480 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

12/11/2006 09:53 PM 151,552 realsched.exe
1 File(s) 151,552 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

12/11/2006 09:53 PM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

12/11/2006 09:54 PM 36,864 jusched.exe
1 File(s) 36,864 bytes

Directory of C:\PROGRA~1\MYWEBS~1\BAR\3.BIN\BAK

12/11/2006 09:54 PM 28,672 mwsoemon.exe
1 File(s) 28,672 bytes

Directory of C:\PROGRA~1\SUPPORT.COM\BACKUP\BO\BOOKMA~1.BAK

08/02/2006 11:17 AM 4,685 15073_5a205ee3c_
1 File(s) 4,685 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Jan 6 2007 "C:\hp\KBD\kbd.exe"
61440 Dec 11 2006 "C:\hp\KBD\bak\KBD.EXE"
69632 Dec 19 2006 "C:\WINDOWS\SMINST\RECGUARD.EXE"
221184 Dec 11 2006 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
69632 Dec 18 2006 "C:\WINDOWS\system\hpsysdrv.exe"
52736 Dec 11 2006 "C:\WINDOWS\system\bak\hpsysdrv.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\hkcmd.exe"
118784 Dec 11 2006 "C:\hp\drivers\video_Intel\hkcmd.exe"
118784 Dec 18 2006 "C:\WINDOWS\system32\bak\hkcmd.exe"
110592 Dec 20 2006 "C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\hkcmd.exe"
69632 Dec 18 2006 "C:\WINDOWS\system32\ps2.exe"
98304 Dec 11 2006 "C:\hp\drivers\keyboard\PS2.EXE"
98304 Dec 12 2006 "C:\WINDOWS\system32\bak\ps2.exe"
69632 Jan 6 2007 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
49152 Dec 11 2006 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"
69632 Dec 18 2006 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
69632 Dec 18 2006 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
212992 Dec 12 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
184784 Oct 9 2003 "C:\Program Files\WildTangent\Apps\GameChannel.exe1166494235"
184784 Oct 9 2003 "C:\Program Files\WildTangent\Apps\bak\GameChannel.exe"
4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4617720 Jul 31 2006 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
20480 Sep 27 2002 "C:\WINDOWS\wt\updater\wcmdmgrl.exe"
20480 Sep 27 2002 "C:\WINDOWS\wt\backup\1.6.0.037\wcmdmgrl.exe"
20480 Dec 11 2006 "C:\WINDOWS\wt\updater\bak\wcmdmgrl.exe"
69632 Dec 19 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
151552 Dec 11 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
69632 Dec 20 2006 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Dec 11 2006 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
32768 Dec 12 2006 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
36864 Dec 11 2006 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
28672 Dec 11 2006 "C:\Program Files\MyWebSearch\bar\3.bin\bak\mwsoemon.exe"
4697 Aug 2 2006 "C:\Program Files\support.com\backup\bo\bookmarks-2006-07-23.html\15073_5d0b0fcd1_"
4685 Aug 2 2006 "C:\Program Files\support.com\backup\bo\bookmarks.bak\15073_5a205ee3c_"
4686 Aug 2 2006 "C:\Program Files\support.com\backup\bo\bookmarks.html\15073_5a205ee3c_"


end of report
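The bak-folder pattern in the report above (an original startup executable moved into a bak directory, and a same-named file of a different, uniform size left in its place) can be checked mechanically. The script below is an added example, not part of this thread or of the FindAWF tool: it parses lines in the "Duplicate files of bak directory contents" format, pairs each bak copy with its live counterpart, flags pairs whose sizes differ, and reports bak copies it could not pair (such as an 8.3 short name beside a long-name live file) for manual review; the sample lines are a subset copied from the report.

```python
import re
from collections import Counter

# Sample lines copied from the "Duplicate files of bak directory contents"
# section of the FindAWF report posted above (a subset, for illustration).
SAMPLE_REPORT = r'''
61440 Jan 6 2007 "C:\hp\KBD\kbd.exe"
61440 Dec 11 2006 "C:\hp\KBD\bak\KBD.EXE"
69632 Dec 19 2006 "C:\WINDOWS\SMINST\RECGUARD.EXE"
221184 Dec 11 2006 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
69632 Dec 18 2006 "C:\WINDOWS\system\hpsysdrv.exe"
52736 Dec 11 2006 "C:\WINDOWS\system\bak\hpsysdrv.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\hkcmd.exe"
118784 Dec 18 2006 "C:\WINDOWS\system32\bak\hkcmd.exe"
69632 Dec 18 2006 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
20480 Sep 27 2002 "C:\WINDOWS\wt\updater\wcmdmgrl.exe"
20480 Dec 11 2006 "C:\WINDOWS\wt\updater\bak\wcmdmgrl.exe"
4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4617720 Jul 31 2006 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
'''

# One report line: <size> <Mon D YYYY> "<path>"
LINE_RE = re.compile(r'^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"$')


def parse_report(text):
    """Return a list of (size, date, path) tuples for each well-formed line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def split_path(path):
    """Split a Windows path into (directory, filename), both case-folded."""
    directory, _, filename = path.rpartition('\\')
    return directory.lower(), filename.lower()


def analyse_report(text):
    """
    Pair every file inside a ...\\bak directory with the same-named file in
    the parent directory.  A live file whose size differs from its bak copy
    matches the pattern seen in the report: the original was moved aside and
    a replacement of uniform size dropped in under the original name.
    Returns (findings, unpaired): findings is a list of dicts sorted by live
    path; unpaired lists bak copies with no same-named live file, which need
    a manual look (8.3 short names such as YAHOOM~1.EXE end up here).
    """
    live, backup = {}, {}
    for size, date, path in parse_report(text):
        directory, filename = split_path(path)
        if directory.endswith('\\bak'):
            backup[(directory[:-4], filename)] = (size, date, path)
        else:
            live[(directory, filename)] = (size, date, path)

    findings, unpaired = [], []
    for key, (bsize, bdate, bpath) in backup.items():
        if key not in live:
            unpaired.append(bpath)
            continue
        lsize, ldate, lpath = live[key]
        if lsize != bsize:
            findings.append({
                'live': lpath, 'live_size': lsize, 'live_date': ldate,
                'bak': bpath, 'bak_size': bsize, 'bak_date': bdate,
            })
    findings.sort(key=lambda f: f['live'].lower())
    return findings, unpaired


def dominant_live_size(findings):
    """Size shared by most flagged live files, or None if nothing was flagged."""
    if not findings:
        return None
    return Counter(f['live_size'] for f in findings).most_common(1)[0][0]


if __name__ == '__main__':
    found, loose = analyse_report(SAMPLE_REPORT)
    for f in found:
        print(f"{f['live']}: now {f['live_size']} bytes ({f['live_date']}), "
              f"bak copy {f['bak_size']} bytes ({f['bak_date']})")
    print("most common replacement size:", dominant_live_size(found))
    for p in loose:
        print("bak copy with no same-named live file, check manually:", p)
```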

#4 MFDnSC


Posted 25 January 2007 - 02:49 PM

Need for you to do the second half of the post. Also do this:

http://www.pandasoftware.com/products/activescan.htm

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

#5 ashton_r


Posted 25 January 2007 - 09:16 PM

SUPERAntiSpyware Scan Log
Generated 01/25/2007 at 01:11 PM

Application Version : 3.5.1016

Core Rules Database Version : 3172
Trace Rules Database Version: 1182

Scan type : Complete Scan
Total Scan Time : 04:49:40

Memory items scanned : 379
Memory threats detected : 1
Registry items scanned : 5202
Registry threats detected : 11
File items scanned : 145747
File threats detected : 437

Trojan.Downloader-YAY
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
[hpsysdrv] C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
[HPHUPD05] C:\PROGRAM FILES\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\HPHUPD05.EXE
C:\PROGRAM FILES\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\HPHUPD05.EXE
[UpdateManager] C:\PROGRAM FILES\COMMON FILES\SONIC\UPDATE MANAGER\SGTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SONIC\UPDATE MANAGER\SGTRAY.EXE
[TkBellExe] C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
[Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
C:\WINDOWS\SMINST\RECGUARD.EXE
[PS2] C:\WINDOWS\SYSTEM32\PS2.EXE
C:\WINDOWS\SYSTEM32\PS2.EXE
[WT GameChannel] C:\PROGRAM FILES\WILDTANGENT\APPS\GAMECHANNEL.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\GAMECHANNEL.EXE
[MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRA~1\MCAFEE.COM\AGENT\MCAGENT.EXE
[MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\SGTRAY.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\YAHOO!\MAIL\ATTACH\MCMNHDLR.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCUPDATE.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP104\A0043756.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP104\A0043838.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP120\A0064509.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP120\A0064529.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP120\A0064533.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP14\A0016385.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP14\A0016386.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP14\A0016387.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP14\A0016388.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP14\A0016389.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP14\A0017387.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP14\A0017388.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP14\A0017389.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP14\A0018386.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP14\A0018387.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP14\A0019386.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP14\A0019387.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP14\A0021401.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP14\A0023403.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP14\A0023404.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP14\A0023417.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP14\A0023418.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP14\A0023420.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP15\A0023469.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP19\A0023531.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP20\A0024418.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP26\A0025418.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP30\A0027418.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP30\A0027419.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP32\A0029421.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP32\A0029423.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP32\A0030418.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP32\A0030420.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP32\A0031418.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP32\A0031419.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP32\A0032418.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP32\A0032419.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP91\A0042781.EXE
C:\WINDOWS\SYSTEM32\REINSTALLBACKUPS\0003\DRIVERFILES\HKCMD.EXE
C:\WINDOWS\Prefetch\MCUPDATE.EXE-32479339.pf

Adware.Tracking Cookie
C:\Documents and Settings\ashton\Cookies\ashton@exitexchange[70].txt
C:\Documents and Settings\ashton\Cookies\ashton@exitexchange[7].txt
C:\Documents and Settings\ashton\Cookies\ashton@exitexchange[8].txt
C:\Documents and Settings\ashton\Cookies\ashton@exitexchange[9].txt
C:\Documents and Settings\ashton\Cookies\ashton@fastclick[2].txt
C:\Documents and Settings\ashton\Cookies\ashton@freepicssex[1].txt
C:\Documents and Settings\ashton\Cookies\ashton@hitbox[1].txt
C:\Documents and Settings\ashton\Cookies\ashton@hitbox[2].txt
C:\Documents and Settings\ashton\Cookies\ashton@mediaplex[1].txt
C:\Documents and Settings\ashton\Cookies\ashton@msnportal.112.2o7[1].txt
C:\Documents and Settings\ashton\Cookies\ashton@mywebsearch[2].txt
C:\Documents and Settings\ashton\Cookies\ashton@questionmarket[1].txt
C:\Documents and Settings\ashton\Cookies\ashton@realmedia[1].txt
C:\Documents and Settings\ashton\Cookies\ashton@realmedia[2].txt
C:\Documents and Settings\ashton\Cookies\ashton@statcounter[1].txt
C:\Documents and Settings\ashton\Cookies\ashton@statcounter[2].txt
C:\Documents and Settings\ashton\Cookies\ashton@statcounter[3].txt
C:\Documents and Settings\ashton\Cookies\ashton@statcounter[4].txt
C:\Documents and Settings\ashton\Cookies\ashton@statcounter[5].txt
C:\Documents and Settings\ashton\Cookies\ashton@statcounter[6].txt
C:\Documents and Settings\ashton\Cookies\ashton@statcounter[7].txt
C:\Documents and Settings\ashton\Cookies\ashton@statcounter[8].txt
C:\Documents and Settings\ashton\Cookies\ashton@tradedoubler[1].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[10].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[11].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[12].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[13].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[14].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[15].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[16].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[17].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[18].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[19].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[1].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[20].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[21].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[22].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[23].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[24].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[25].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[26].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[27].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[28].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[29].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[2].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[30].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[31].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[32].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[33].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[34].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[35].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[36].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[37].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[38].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[39].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[3].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[40].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[41].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[43].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[4].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[5].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[6].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[7].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[8].txt
C:\Documents and Settings\ashton\Cookies\ashton@trafficmp[9].txt
C:\Documents and Settings\ashton\Cookies\ashton@tribalfusion[1].txt
C:\Documents and Settings\ashton\Cookies\ashton@tribalfusion[2].txt
C:\Documents and Settings\ashton\Cookies\ashton@zedo[10].txt
C:\Documents and Settings\ashton\Cookies\ashton@zedo[11].txt
C:\Documents and Settings\ashton\Cookies\ashton@zedo[12].txt
C:\Documents and Settings\ashton\Cookies\ashton@zedo[13].txt
C:\Documents and Settings\ashton\Cookies\ashton@zedo[14].txt
C:\Documents and Settings\ashton\Cookies\ashton@zedo[15].txt
C:\Documents and Settings\ashton\Cookies\ashton@zedo[16].txt
C:\Documents and Settings\ashton\Cookies\ashton@zedo[1].txt
C:\Documents and Settings\ashton\Cookies\ashton@zedo[2].txt
C:\Documents and Settings\ashton\Cookies\ashton@zedo[3].txt
C:\Documents and Settings\ashton\Cookies\ashton@zedo[4].txt
C:\Documents and Settings\ashton\Cookies\ashton@zedo[5].txt
C:\Documents and Settings\ashton\Cookies\ashton@zedo[6].txt
C:\Documents and Settings\ashton\Cookies\ashton@zedo[7].txt
C:\Documents and Settings\ashton\Cookies\ashton@zedo[8].txt
C:\Documents and Settings\ashton\Cookies\ashton@zedo[9].txt
C:\Documents and Settings\LocalService\Cookies\owner@realmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[3].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adserve.webtoolcafe[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adserver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt
C:\Documents and Settings\Owner\Cookies\owner@citi.bridgetrack[2].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ehg-hollywoodmedia.hitbox[1].txt
C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@geo.precisionclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@interclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
C:\Documents and Settings\Owner\Cookies\owner@mywebsearch[2].txt
C:\Documents and Settings\Owner\Cookies\owner@partygaming.122.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@partypoker[2].txt
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt
C:\Documents and Settings\Owner\Cookies\owner@realmedia[2].txt
C:\Documents and Settings\Owner\Cookies\owner@regalinteractive[2].txt
C:\Documents and Settings\Owner\Cookies\owner@revenue[1].txt
C:\Documents and Settings\Owner\Cookies\owner@serving-sys[1].txt
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@2o7[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adopt.euroclick[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adrevolver[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adrevolver[3].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ads.addynamix[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@advertising[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@as.casalemedia[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@belnk[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@casalemedia[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@dist.belnk[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ehg-nestleusainc.hitbox[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@fastclick[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@hitbox[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@mediaplex[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@mediaservices.myspace[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@microsoftoffice.112.2o7[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@overture[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@partner2profit[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@perf.overture[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@questionmarket[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@realmedia[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@revsci[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@roiservice[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@tacoda[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ticketsnow[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@trafficmp[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@tribalfusion[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@www.ticketsnow[1].txt

Adware.SurfSideKick
C:\Program Files\SurfSideKick 3\SskCore.dll
C:\Program Files\SurfSideKick 3
C:\DOCUMENTS AND SETTINGS\ASHTON\APPLICATION DATA\SSKKNWRD.DLL
C:\DOCUMENTS AND SETTINGS\ASHTON\LOCAL SETTINGS\TEMP\U10.BAT
C:\DOCUMENTS AND SETTINGS\ASHTON\LOCAL SETTINGS\TEMP\U26.BAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0002680.EXE

Adware.WhenU
C:\Program Files\Save\ACM.dll
C:\Program Files\Save\bak
C:\Program Files\Save\ffext.mod
C:\Program Files\Save\save.db
C:\Program Files\Save\Save.exe
C:\Program Files\Save\save.htm
C:\Program Files\Save\SaveUninst.exe
C:\Program Files\Save\store.db
C:\Program Files\Save
C:\Documents and Settings\Owner\Start Menu\Programs\WhenU
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\VVSNI_LOFS120501INST.EXE
C:\DOWNLOADS\VVSNI_LOFS120501INST(1).EXE
C:\DOWNLOADS\VVSNI_LOFS120501INST(2).EXE
C:\DOWNLOADS\VVSNI_LOFS120501INST.EXE
C:\PROGRAM FILES\VVSN\VVSN.EXE
C:\RECYCLER\S-1-5-21-1123551040-3712035855-669497741-500\DC117\S3.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0000408.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0000436.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0000437.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0000438.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0001245.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0001246.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0001293.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP7\A0003363.EXE

Adware.180solutions/Search Assistant
C:\WINDOWS\Downloaded Program Files\ClientAX.dll
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0001332.EXE

Trojan.NetMon/DNSChange
C:\Program Files\Network Monitor

Adware.MediaMotor
C:\WINDOWS\Downloaded Program Files\amm06.inf
C:\WINDOWS\Downloaded Program Files\amm06.ocx
C:\WINDOWS\mm06y.ini
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0001939.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0002690.EXE
C:\WINDOWS\MEDIA_MOTOR_BUNDLE.EXE

Trojan.PestTrap
HKU\S-1-5-21-745109517-1202517728-641081814-1003\Software\SNO2

Adware.Elite Media
C:\WINDOWS\em06y.ini

Adware.Mirar/NetNucleus
C:\WINDOWS\Downloaded Program Files\WinATS.inf
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0001840.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0001963.EXE

Malware.DriveCleaner
C:\DOCUMENTS AND SETTINGS\ASHTON\DESKTOP\INSTALLDRIVECLEANERSTART.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP10\A0007353.EXE

Trojan.Freeprod
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\BIT17.TMP

Trojan.SpySheriff
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\1169587746P5RVA.EXE

Adware.ClickSpring/Outer Info Network
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\NDR160.TMP.XML
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0002702.EXE
C:\WINDOWS\YOINSI.EXE

Adware.ClickSpring
C:\Documents and Settings\Owner\My Documents\TSKS~1\ANREGW~1.EXE
C:\Program Files\RACLE~1\WNLOGO~1.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0001372.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0001373.EXE

Adware.MyGlobalSearchBar
C:\PROGRAM FILES\MYGLOBALSEARCH\BAR\1.BIN\MGSBAR.DLL

Adware.MyWebSearch
C:\PROGRAM FILES\MYWEBSEARCH\BAR\3.BIN\BAK\MWSOEMON.EXE

BearShare File Sharing Client
C:\RECYCLER\S-1-5-21-1123551040-3712035855-669497741-500\DC55\BAK\BEARSHARE.EXE

Trojan.URLBrowserNew
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0000248.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0002692.EXE

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0000250.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0001986.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP7\A0003205.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP9\A0005370.EXE
C:\WINDOWS\IA\KE.VBS
C:\WINDOWS\TEMPF.TXT
C:\WINDOWS\UNINST2.HTM
C:\WINDOWS\UNINSTALL_NMON.VBS
C:\WINDOWS\UNIST1.HTM

Trojan.WinAntiSpyware/WinAntiVirus 2006
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0000297.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0000376.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP10\A0007352.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP7\A0003252.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP7\A0003331.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP9\A0005371.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP9\A0005372.EXE

Adware.Adservs
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0001871.EXE
C:\WINDOWS\IA\ASAPPSRV.DLL
C:\WINDOWS\IDLEMG.EXE

Trojan.Saggy
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0002681.EXE

Trojan.MrFindAlot
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0002682.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0002684.EXE

Trojan.YourEnhancement
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0002688.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0002689.EXE
C:\WINDOWS\UNI_EHHH.EXE

Adware.webHancer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP1\A0002693.EXE
C:\WINDOWS\WHCC-GIANT.EXE

Trojan.ZQuest
C:\WINDOWS\DOWNLOADED PROGRAM FILES\ADWERKZ.INF

Trojan.Smitfraud Variant
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\UWA6P_0001_N85M0307NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\UWA6P_0001_N91M1807NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.2\UWA6P_0001_N91M1807NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWA6P_0001_N85M0307NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWA6P_0001_N91M1807NETINSTALLER.EXE

Trojan.TagASaurus
C:\WINDOWS\TAGASUARUS2.EXE

Adware.ClickSpring/Yazzle
C:\WINDOWS\YAZZLEBUNDLE-1304.EXE

#6 ashton_r

Posted 25 January 2007 - 09:17 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:16:09 PM, on 1/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn2\yt.dll
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168148838070
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168150530953
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

#7 ashton_r

Posted 25 January 2007 - 09:19 PM

It says page cannot be displayed for the Panda thing.

#8 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:07:29 PM

Posted 27 January 2007 - 03:57 AM

Hi there :thumbsup:

Your original helper is away, so I will be helping you.

A few things we need to do.
You likely can't get to Panda because your hosts file is blocking you.

Let me review your logs and I'll be back shortly.
We have a fair bit of repairs to do.

Blender
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#9 Blender

Posted 27 January 2007 - 04:49 AM

Me again...:thumbsup:

Shut down Morpheus, then:

Please go to Add/Remove Programs and uninstall MorpheusToolbar. You don't need the toolbar to run Morpheus.
I generally caution against p2p apps because the content one downloads can never be determined as safe. You don't know who you are downloading from and the downloads can be bundled with anything nasty!

Once the toolbar is uninstalled reboot.

Download these files and save them someplace handy, but don't run them yet. Just have them ready for the next step:

http://www.mvps.org/winhelp2002/DelDomains.inf

http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg

I have attached a file called remtrawf.zip
Download the file> save it> unzip it someplace handy. Don't run it yet.

Reboot to Safe mode. (tap F8 at boot> choose Safe> hit Enter)
Log into your normal account.

Double click Fix.bat you saved earlier.
A DOS box flashes up quickly, then disappears. This is normal.

Locate "DelDomains.inf" you saved earlier> right click> choose "install". You won't see much happening.
Give it a few seconds to finish.

Locate "ResetProtocolDefaults.reg" you saved earlier.
Right click it> choose "merge"
Answer yes to the prompt.
You should get a success message.

Find and delete these folders if they still exist:

C:\Program Files\MyWebSearch

Delete this file:

C:\Windows\system32\drivers\etc\hosts <-- this file has no extension. Simply called "Hosts"

Start Hijackthis
Run system scan only and check the following entries if they exist:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O20 - AppInit_DLLs:


Close ALL other open windows except hijackthis> Click "Fix checked" and answer Yes.

In Hijackthis window click "config" at right> click "misc tools" at top.
Click "Open hosts file manager"
When told "hosts file missing" and asked if you want to create one say Yes!
A new hosts file will be created to replace the bad one we deleted.

Exit Hijackthis

Boot back up to normal mode.
If you had SpywareBlaster installed you will need to re-enable its protection
If you had IE-Spyad or similar apps that install URLs to IE restricted zone you will need to re-install it.
If you had a special hosts file (like MVPHosts) installed you will need to re-install it.


Download the newest Java from here and save it:

http://java.sun.com/javase/downloads/index.jsp

If you don't need to develop Java programs, you want this one:

Java Runtime Environment (JRE) 6

If you do develop programs, then you will want one of the JDK downloads.

On the next page that comes up you need to accept the agreement to download it.
First in the list is the offline installation.
This is the one to download. Save it to your desktop or your normal download folder.

1. Close any open programs you may have running, especially your web browser
2. Click Start > Control Panel
* Depending on your OS or configuration, you may have to click Start > Settings > Control Panel
3. Open Add or Remove Programs
* If you have Windows 98 or Windows 2000, open Add/Remove Programs
4. Click once on any item listing Java Runtime Environment in the name
* Not every version of Java will begin with "Java" so be sure to read each entry in the list
5. Click the Remove or Change/Remove button
6. Follow steps 4 and 5 as many times as necessary to remove all versions of Java
7. Reboot your PC once all Java components have been removed
8. Proceed with reinstalling Java using the file you just saved.

Please post me:

A fresh HijackThis log.
Run FindAWF again and post the results.
See if you can get to the Panda site again to do its scan. Post the results as your original helper asked.

Let me know how system is running.
Let me know if you had any problems doing the above.

Thanks :flowers:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
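Added illustration, not part of Blender's post or of any tool mentioned in this thread: before the hosts file is deleted and recreated, it is worth knowing which of its lines were actually bad. The script below reads hosts-file text and separates the default localhost line and MVP-style blocking entries (unwanted domains pointed at 127.0.0.1 or 0.0.0.0, which a hosts file like MVPHosts legitimately adds) from two hijack patterns: a site redirected to a remote address, and a security vendor's domain blocked so updates fail. The sample hosts content, the remote address 203.0.113.5 and the list of protected vendor domains are all constructed for the example.

```python
"""Audit a Windows hosts file for hijack-style entries.

Added example (not from the BleepingComputer thread). Distinguishes the
default loopback mapping and ad-blocking entries (MVP-style, which map
unwanted domains to 127.0.0.1 or 0.0.0.0) from entries that redirect a
host to a remote IP or that block a security vendor's update site.
The sample hosts content below is constructed for illustration.
"""
import ipaddress

# Constructed sample: one comment, the default line, one MVP-style block,
# one redirect hijack and two blocks of a vendor domain.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net        # MVP-style block, benign
203.0.113.5     www.google.com            # redirect to remote IP: hijack
127.0.0.1       update.mcafee.com         # blocks AV updates: hijack
0.0.0.0         us.mcafee.com
"""

# Domains whose blocking indicates an attempt to disable protection.
# Assumed list for the example; extend it for your own environment.
PROTECTED_SUFFIXES = ("mcafee.com", "symantec.com", "microsoft.com",
                      "windowsupdate.com", "kaspersky.com", "trendmicro.com")

# Addresses that make a hostname unreachable rather than redirecting it.
LOCAL_BLOCK_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        try:
            ipaddress.ip_address(ip)          # reject lines with no valid address
        except ValueError:
            continue
        for name in parts[1:]:                # one line may map several names
            entries.append((ip, name.lower()))
    return entries


def classify(ip, name):
    """Verdict for one mapping: default, block, or one of two hijack kinds."""
    if name == "localhost" and ip in LOCAL_BLOCK_IPS:
        return "default"
    if ip in LOCAL_BLOCK_IPS:
        if any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES):
            return "hijack:blocks-security-site"
        return "block"
    return "hijack:redirect"


def audit_hosts(text):
    """Group every mapping in the file under its verdict."""
    report = {}
    for ip, name in parse_hosts(text):
        report.setdefault(classify(ip, name), []).append((ip, name))
    return report


def suspicious_entries(text):
    """Only the mappings that should not be in a hosts file, in file order."""
    return [(ip, n) for ip, n in parse_hosts(text)
            if classify(ip, n).startswith("hijack")]


if __name__ == "__main__":
    for verdict, items in audit_hosts(SAMPLE_HOSTS).items():
        for ip, name in items:
            print(f"{verdict:30} {ip:16} {name}")
```

Run it against the real file by reading C:\Windows\system32\drivers\etc\hosts into `audit_hosts`. A file whose only verdicts are "default" and "block" is a clean MVP-style file and can be kept; any "hijack" verdict is the reason Blender has the file deleted and recreated.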

#10 ashton_r (Topic Starter, Members, 140 posts, Lakewood, WA)

Posted 30 January 2007 - 10:56 AM

61440 Jan 6 2007 "C:\hp\KBD\kbd.exe"
61440 Dec 11 2006 "C:\hp\KBD\bak\KBD.EXE"
221184 Dec 11 2006 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
52736 Dec 11 2006 "C:\WINDOWS\system\bak\hpsysdrv.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\hkcmd.exe"
118784 Dec 11 2006 "C:\hp\drivers\video_Intel\hkcmd.exe"
118784 Dec 18 2006 "C:\WINDOWS\system32\bak\hkcmd.exe"
98304 Dec 11 2006 "C:\hp\drivers\keyboard\PS2.EXE"
98304 Dec 12 2006 "C:\WINDOWS\system32\bak\ps2.exe"
49152 Dec 11 2006 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
212992 Dec 12 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
184784 Oct 9 2003 "C:\Program Files\WildTangent\Apps\GameChannel.exe1166494235"
184784 Oct 9 2003 "C:\Program Files\WildTangent\Apps\bak\GameChannel.exe"
4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4617720 Jul 31 2006 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
20480 Sep 27 2002 "C:\WINDOWS\wt\updater\wcmdmgrl.exe"
20480 Sep 27 2002 "C:\WINDOWS\wt\backup\1.6.0.037\wcmdmgrl.exe"
20480 Dec 11 2006 "C:\WINDOWS\wt\updater\bak\wcmdmgrl.exe"
151552 Dec 11 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Dec 11 2006 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
32768 Dec 12 2006 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
77824 Jan 30 2007 "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
77824 Jan 30 2007 "C:\Program Files\Java\jdk1.6.0\jre\bin\jusched.exe"
36864 Dec 11 2006 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
4697 Aug 2 2006 "C:\Program Files\support.com\backup\bo\bookmarks-2006-07-23.html\15073_5d0b0fcd1_"
4685 Aug 2 2006 "C:\Program Files\support.com\backup\bo\bookmarks.bak\15073_5a205ee3c_"
4686 Aug 2 2006 "C:\Program Files\support.com\backup\bo\bookmarks.html\15073_5a205ee3c_"


end of report
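The report above is the output of the FindAWF tool. What follows is an added example, not FindAWF itself and not code from this thread: a Python script that reads lines in that format (size, date, quoted path), pairs each file listed inside a "bak" folder with the live file of the same name one level up, and flags pairs whose sizes differ or backups that have no live counterpart. The report lines embedded in the script are constructed in the same format, not copied from the post. Equal size is only a first check, since the report carries no hashes.

```python
"""Pair FindAWF-style report lines into live/bak twins and flag anomalies.

Added example: not the FindAWF tool and not code from the thread. The
report lists executables alongside copies kept in a sibling "bak" folder.
A live file whose size differs from its "bak" twin, or a "bak" copy with
no live file at all, is what a helper would look at first. Sample lines
below are constructed in the report's format for illustration only.
"""
import re
from collections import defaultdict

# <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')

# Constructed sample, not the poster's real entries.
SAMPLE_REPORT = """\
61440 Jan 6 2007 "C:\\hp\\KBD\\kbd.exe"
61440 Dec 11 2006 "C:\\hp\\KBD\\bak\\KBD.EXE"
184784 Oct 9 2003 "C:\\Program Files\\Example\\App.exe"
99328 Dec 12 2006 "C:\\Program Files\\Example\\bak\\App.exe"
52736 Dec 11 2006 "C:\\WINDOWS\\system\\bak\\hpsysdrv.exe"
20480 Sep 27 2002 "C:\\WINDOWS\\wt\\backup\\1.6.0.037\\tool.exe"
end of report
"""


def parse_report(text):
    """Return (size, date, path) tuples; lines that do not fit the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows


def is_bak(path):
    """True when the file sits directly inside a folder named 'bak'."""
    parts = path.lower().split("\\")
    return len(parts) >= 2 and parts[-2] == "bak"


def live_key(path):
    """Case-folded path with a trailing 'bak' folder removed, so a live file
    and its backup share one key: C:\\hp\\KBD\\bak\\KBD.EXE -> c:\\hp\\kbd\\kbd.exe."""
    parts = path.lower().split("\\")
    if is_bak(path):
        del parts[-2]
    return "\\".join(parts)


def pair_entries(text):
    """Map each live-file key to a verdict:
    consistent     live and bak present with equal size
    size-mismatch  live and bak present with different sizes
    orphan-bak     only the bak copy is listed
    no-bak         only a live file is listed (e.g. a folder named 'backup', not 'bak')"""
    groups = defaultdict(dict)
    for size, date, path in parse_report(text):
        groups[live_key(path)]["bak" if is_bak(path) else "live"] = (size, date, path)
    verdicts = {}
    for key, g in groups.items():
        live, bak = g.get("live"), g.get("bak")
        if live and bak:
            verdicts[key] = "consistent" if live[0] == bak[0] else "size-mismatch"
        elif bak:
            verdicts[key] = "orphan-bak"
        else:
            verdicts[key] = "no-bak"
    return verdicts


def flagged(text):
    """Keys worth a closer look: size mismatches and orphaned backups, sorted."""
    return sorted(k for k, v in pair_entries(text).items()
                  if v in ("size-mismatch", "orphan-bak"))


if __name__ == "__main__":
    for key, verdict in sorted(pair_entries(SAMPLE_REPORT).items()):
        print(f"{verdict:14} {key}")
```

Feed a pasted report to `flagged` to get the short list to act on; "consistent" pairs still deserve a hash comparison on the machine itself, because two files of the same size are not necessarily the same file.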

#11 ashton_r (Topic Starter, Members, 140 posts, Lakewood, WA)

Posted 30 January 2007 - 11:07 AM

I've noticed that every time I scan the computer there are always files of items and stuff from games... how do I delete those even though I deleted the game a long time ago?

#12 ashton_r (Topic Starter, Members, 140 posts, Lakewood, WA)

Posted 30 January 2007 - 11:10 AM

I am currently scanning on Panda.

#13 Blender, "I will eat your Malware" (Malware Response Team, 2,363 posts, Ontario)

Posted 30 January 2007 - 11:19 AM

Hi

Are you talking about that WildTangent stuff? If you uninstalled this, we'll finish removing it.

Can you post a HijackThis log please once you are done with Panda?

Thanks :thumbsup:

#14 ashton_r (Topic Starter, Members, 140 posts, Lakewood, WA)

Posted 30 January 2007 - 11:20 AM

I didn't know it was the WildTangent; it's taking up a lot of space. I'll delete it.

#15 Blender, "I will eat your Malware" (Malware Response Team, 2,363 posts, Ontario)

Posted 30 January 2007 - 11:29 AM

I was asking you...

If you don't use WildTangent...might as well get rid of it.

There will be 2 entries in Add/Remove Programs for it. Look for both of them.
You will have to reboot to finish the uninstalls.



