
Google searches hijacked by daytotals.com



waveslayer
2008-01-29, 09:04
First off... You guys rock!
I've seen what you've done for others and you deserve your props!!

As stated in the title: Google search results, when clicked, result in a redirection by daytotals.com. This isn't a security risk, just a complete hassle; after several clicks the links work, totally destroying any productivity or flow. Any help you could give to resolve this would be awesome.

I've read through the posts and have run S&D, Kaspersky's and HJT.

Here are the reports:

1.) Kaspersky AV
(I've limited the report to "detected" items. If "Events" are needed, let me know.)


Total scanned: 370474
Detected: 72
Untreated: 69
Start time: 1/28/2008 4:37:59 PM
Duration: 00:00:00
Finish time: 1/28/2008 4:37:59 PM


Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan.JS.Fav.a File: c:\winlog.html
deleted: Trojan program Trojan-Downloader.Win32.QDown.d File: c:\NULL
deleted: Trojan program Trojan-Dropper.Win32.Small.ls File: c:\counter.cab/counter.exe//PECompact
detected: Trojan program Backdoor.Win32.VB.nb File: c:\_Restore\ARCHIVE\FS68.CAB/A0649886.CPY//data0004
detected: Trojan program Backdoor.Win32.VB.nb File: c:\_Restore\ARCHIVE\FS68.CAB/A0649886.CPY//data0006
detected: Trojan program Trojan.Win32.Scapur.g File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0002//UPX
detected: adware not-a-virus:AdWare.Win32.Connector File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0003//data0003
detected: adware not-a-virus:AdWare.Win32.Connector File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0003//data0004
detected: Trojan program Trojan-Downloader.Win32.Agent.ec File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0004
detected: adware not-a-virus:AdWare.Win32.SaveNow.t File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0005//data0001.cab/Save.exe
detected: adware not-a-virus:AdWare.Win32.SaveNow.af File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0005//data0001.cab/SaveUninst.exe
detected: adware not-a-virus:AdWare.Win32.SaveNow.v File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0005//data0002.cab/Sync.exe
detected: adware not-a-virus:AdWare.Win32.SaveNow.v File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0005//data0002.cab/Uninst.exe
detected: adware not-a-virus:AdWare.Win32.EZula File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0006
detected: Trojan program Trojan.Win32.Qhost.ap File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0007
detected: adware not-a-virus:AdWare.Win32.HelpExpress File: c:\_Restore\ARCHIVE\FS68.CAB/A0649888.CPY//data0002//data0120
detected: adware not-a-virus:AdWare.Win32.HelpExpress File: c:\_Restore\ARCHIVE\FS68.CAB/A0649888.CPY//data0003
detected: adware not-a-virus:AdWare.Win32.SideSearch.l File: c:\_Restore\ARCHIVE\FS68.CAB/A0649888.CPY//data0004//data0004
detected: adware not-a-virus:AdWare.Win32.IGetNet File: c:\_Restore\ARCHIVE\FS68.CAB/A0649888.CPY//data0005
detected: Trojan program Backdoor.Win32.VB.nb File: c:\_Restore\ARCHIVE\FS68.CAB/A0649889.CPY
detected: Trojan program Trojan.Win32.Qhost.ap File: c:\_Restore\ARCHIVE\FS68.CAB/A0649890.CPY
detected: adware not-a-virus:AdWare.Win32.IGetNet File: c:\_Restore\ARCHIVE\FS68.CAB/A0649891.CPY
detected: Trojan program Trojan-Downloader.Win32.VB.axa File: c:\_Restore\ARCHIVE\FS196.CAB/A0665253.CPY//Shrinker
detected: Trojan program Trojan-Downloader.Win32.Agent.brq File: c:\_Restore\ARCHIVE\FS196.CAB/A0665254.CPY//Shrinker
detected: Trojan program Trojan-Downloader.Win32.Agent.dxj File: c:\_Restore\ARCHIVE\FS216.CAB/A0670491.CPY//Shrinker
detected: Trojan program Trojan-Downloader.Win32.VB.axa File: c:\_Restore\ARCHIVE\FS216.CAB/A0670492.CPY//Shrinker
detected: Trojan program Trojan-Downloader.Win32.VB.bqc File: c:\_Restore\ARCHIVE\FS277.CAB/A0681042.CPY//data0006
detected: adware not-a-virus:AdWare.Win32.Virtumonde.ks File: c:\_Restore\ARCHIVE\FS277.CAB/A0681043.CPY
detected: Trojan program Trojan-Downloader.Win32.VB.bnw File: c:\_Restore\ARCHIVE\FS265.CAB/A0679702.CPY//Shrinker
detected: Trojan program Trojan-Downloader.Win32.Agent.dxj File: c:\_Restore\ARCHIVE\FS265.CAB/A0679703.CPY//Shrinker
detected: Trojan program Trojan-Downloader.Win32.VB.axa File: c:\_Restore\ARCHIVE\FS265.CAB/A0679704.CPY//Shrinker
detected: Trojan program Trojan-Downloader.Win32.Agent.gvh File: c:\_Restore\ARCHIVE\FS321.CAB/A0686506.CPY
detected: Trojan program Trojan.Win32.DNSChanger.akt File: c:\_Restore\ARCHIVE\FS321.CAB/A0686507.CPY//data0001
detected: pornware not-a-virus:Porn-Dialer.Win32.PluginAccess.s File: c:\_Restore\ARCHIVE\FS369.CAB/A0695606.CPY//UPX
detected: adware not-a-virus:AdWare.Win32.BetterInternet File: c:\_Restore\ARCHIVE\FS369.CAB/A0695607.CPY//ASPack
detected: Trojan program Trojan-Downloader.Win32.IstBar.gen File: c:\_Restore\ARCHIVE\FS369.CAB/A0695611.CPY//UPX
detected: adware not-a-virus:AdWare.Win32.BetterInternet File: c:\_Restore\ARCHIVE\FS372.CAB/A0695884.CPY//ASPack
detected: adware not-a-virus:AdWare.Win32.WindowEnhancer.d File: c:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
detected: adware not-a-virus:AdWare.Win32.BetterInternet.be File: c:\WINDOWS\Downloaded Program Files\flash.inf
detected: adware not-a-virus:AdWare.Win32.SaveNow.ab File: c:\WINDOWS\Downloaded Program Files\WUInst.dll
detected: Trojan program Trojan-Downloader.Win32.IstBar.gen File: c:\WINDOWS\Downloaded Program Files\ISTactivex.dll
detected: Trojan program Trojan-Downloader.Win32.IstBar.gen File: c:\WINDOWS\Downloaded Program Files\CONFLICT.1\ISTactivex.dll
detected: Trojan program Trojan-Downloader.Win32.IstBar.gen File: c:\WINDOWS\Downloaded Program Files\CONFLICT.2\ISTactivex.dll
detected: Trojan program Trojan-Downloader.Win32.IstBar.gen File: c:\WINDOWS\Downloaded Program Files\CONFLICT.3\ISTactivex.dll
detected: malware Exploit.Java.ByteVerify File: c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip/BlackBox.class
detected: malware Exploit.Java.ByteVerify File: c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip/VerifierBug.class
detected: Trojan program Trojan-Downloader.Java.OpenConnection.aa File: c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip/Beyond.class
detected: Trojan program Trojan.Java.ClassLoader.c File: c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip/GetAccess.class
detected: malware Exploit.Java.ByteVerify File: c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip/InsecureClassLoader.class
detected: Trojan program Trojan.Java.ClassLoader.Dummy.a File: c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip/Dummy.class
detected: Trojan program Trojan-Downloader.Java.OpenConnection.v File: c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip/Installer.class
detected: Trojan program Trojan-Downloader.Java.OpenConnection.v File: c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-2e5c728c-7fda480e.zip
detected: Trojan program Trojan-Downloader.Java.OpenConnection.v File: c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-663d17d7-60135bec.zip
detected: Trojan program Trojan-Downloader.Java.OpenConnection.v File: c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-d4c1d6-781f8fad.zip
detected: Trojan program Trojan-Downloader.Java.OpenStream.w File: c:\WINDOWS\.jpi_cache\jar\1.0\javainstaller.jar-31efef57-4bfcb168.zip/javainstaller/InstallerApplet.class
detected: Trojan program Trojan-Downloader.Java.OpenStream.w File: c:\WINDOWS\.jpi_cache\jar\1.0\javainstaller.jar-31f09a69-6d7156b4.zip
detected: Trojan program Trojan-Downloader.Java.OpenConnection.aa File: c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-358b10e4-4c51cab3.zip
detected: Trojan program Trojan-Downloader.Java.OpenConnection.aa File: c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-2dd052c1-74136986.zip
detected: Trojan program Trojan-Downloader.Java.OpenConnection.aa File: c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-7b11336d-270c9654.zip
detected: Trojan program Trojan-Downloader.Java.Agent.f File: c:\WINDOWS\.jpi_cache\jar\1.0\jvmsecman.jar-69ee0e0e-144ca893.zip/vlocal.class
detected: Trojan program Trojan-Downloader.Java.Agent.f File: c:\WINDOWS\.jpi_cache\jar\1.0\jvmsecman.jar-6b26dca8-2a1061f1.zip
detected: Trojan program Trojan-Downloader.Java.Agent.f File: c:\WINDOWS\.jpi_cache\jar\1.0\jvmsecman.jar-5931f3b4-500750e4.zip
detected: Trojan program Trojan-Downloader.Java.Agent.f File: c:\WINDOWS\.jpi_cache\jar\1.0\jvmsecman.jar-69ee0dc0-7a9a83a2.zip
detected: Trojan program Trojan-Downloader.Java.Agent.f File: c:\WINDOWS\.jpi_cache\jar\1.0\jvmsecman.jar-69ee0dc0-7702597a.zip
detected: adware not-a-virus:AdWare.Win32.Gator.3210 File: c:\My Download Files\Morph20.exe//WISE0015.BIN
detected: Trojan program Trojan-Downloader.Win32.Stubby.b File: c:\My Download Files\Morph20.exe//WISE0016.BIN//WISE0007.BIN
detected: adware not-a-virus:AdWare.Win32.WurldMedia.d File: c:\My Download Files\Morph20.exe//WISE0017.BIN//WISE0012.BIN
detected: adware not-a-virus:AdWare.Win32.WurldMedia.a File: c:\My Download Files\Morph20.exe//WISE0017.BIN//WISE0014.BIN
detected: virus Email-Worm.Win32.Hybris.b File: c:\Caleb's C\Cookie Cop2\CookieCop2.zip/SETUP.EXE
detected: virus Email-Worm.Win32.Sircam.c File: c:\Caleb's C\WINDOWS\rundll32.exe
detected: virus Email-Worm.Win32.Sircam.c File: c:\Caleb's C\WINDOWS\run32.exe
detected: Trojan program Trojan-Downloader.JS.Cobase.a File: c:\Christopher's C Drive\WINDOWS\Temporary Internet Files\Content.IE5\MBVN4G5K\fsc2k[1].htm



2.) HJT Report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:13 PM, on 1/28/2008
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES 2\HP CAMERA\DIGITAL IMAGING\BIN\HPQNRS08.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0 SOS\AVP.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0 SOS\AVP.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {0FA5BD58-2C7D-439D-8837-9F48DB1F582E} - C:\WINDOWS\SYSTEM\NFA.DLL (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Check &Spelling - res://C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\DOWNLOADS\PC MAGAZINE ULILITIES\GOOGLE BROWSER\LMT\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\DOWNLOADS\PC MAGAZINE ULILITIES\GOOGLE BROWSER\LMT\MarketBrowser_Launch.xpy
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES 2\AIM95\AIM.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {EA8C8581-8CD8-11d5-A181-0050DA0E0131} - C:\DOWNLOADS\PC MAGAZINE ULILITIES\FAVELOCK\FaveUnlock.exe (HKCU)
O9 - Extra 'Tools' menuitem: &Lock folders - {EA8C8581-8CD8-11d5-A181-0050DA0E0131} - C:\DOWNLOADS\PC MAGAZINE ULILITIES\FAVELOCK\FaveUnlock.exe (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .wmv: c:\downloads\netscape\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .asf: c:\downloads\netscape\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wax: c:\downloads\netscape\Program\PLUGINS\npdsplay.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {B8037A22-5FE1-4CC3-B862-E644A521EE54} - http://www2.pristine.com/esp/install/1.02.0069/esp-install.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.rmlsweb.com/XMLSearch/XMLCache.CAB

--
End of file - 6108 bytes


thanks again!!

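A defender-side first pass over a HijackThis log like the one posted above, as an added example that is not part of the thread and not code from HijackThis or any other tool named here. It flags the entry types helpers usually ask about first: a start page or search URL pointing at a host the user did not choose, a Browser Helper Object with no name or a missing file, and an O16 ActiveX object registered from a local `file://` path. The sample lines are copied from the log in this post; the `trusted_hosts` parameter and the rule set are assumptions of the example, not something HijackThis provides.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: (no name) - {0FA5BD58-2C7D-439D-8837-9F48DB1F582E} - C:\WINDOWS\SYSTEM\NFA.DLL (file missing)
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
"""

# Every HijackThis line starts with a section code (R0, R1, O2, O4, O16, ...).
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code the line came from
    reason: str    # why the line was flagged
    line: str      # the original log line


def _scheme_and_host(value: str):
    """Return (scheme, host) of a URL-like value, lower-cased, '' when absent."""
    parsed = urlparse(value.strip())
    return parsed.scheme.lower(), (parsed.hostname or "").lower()


def check_line(line: str, trusted_hosts=frozenset()):
    """Apply the triage rules to one log line; return a Finding or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    if section in ("R0", "R1"):
        # Start page / search URL overrides: anything other than about:blank
        # that points at a host the user did not choose deserves a look.
        _, _, value = body.partition(" = ")
        value = value.strip()
        if value and value.lower() != "about:blank":
            _, host = _scheme_and_host(value)
            if host and host not in trusted_hosts:
                return Finding(section, f"search/start page points at unfamiliar host {host}", line)

    elif section == "O2":
        # Browser Helper Objects with no name or whose DLL is gone are either
        # leftovers of removed software or something that hides its name.
        if "(no name)" in body or "(file missing)" in body:
            return Finding(section, "BHO with no name or a missing file", line)

    elif section == "O16":
        # Downloaded Program Files (ActiveX) normally come from a web URL; one
        # registered from a local file:// path was not installed by a web site.
        scheme, _ = _scheme_and_host(body.rsplit(" - ", 1)[-1])
        if scheme == "file":
            return Finding(section, "ActiveX object registered from a local file:// path", line)

    return None


def triage(log_text: str, trusted_hosts=frozenset()):
    """Run check_line over a whole log and collect the findings in order."""
    return [f for f in (check_line(ln, trusted_hosts) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section:>4}  {finding.reason}\n      {finding.line}")
```

Run against the sample, the script reports the searchv.com search URL, the nameless BHO whose NFA.DLL is missing, and the O16 object registered from c:\counter.cab, and leaves the Yahoo toolbar and MSN chat entries alone. A flagged line is a question to ask, not a verdict: the point of the rules is to narrow a long log down to the handful of entries worth checking against what the machine's owner actually installed.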

little eagle
2008-02-03, 18:40
Be sure to keep Sun Java updated; the new version is 6.4.
In Add/Remove programs click on these and press *remove* if listed:
J2SE Runtime Environment 5.0 - 97.99Mb
J2SE Runtime Environment 5.0 Update 2 - 143.00Mb
J2SE Runtime Environment 5.0 Update 4 - 144.00Mb
J2SE Runtime Environment 5.0 Update 5 - 151.00Mb
Java 2 Runtime Environment, SE v1.4.2_04 - 130.00Mb
Or any other outdated J2SE
It is important to remove older versions as these are the ones with the holes in them.
You will be surprised when you go to add/remove to see all of the versions sitting there.
Download Newest >>>> http://www.java.com/en/download/index.jsp
Once installed you can test to see that it is in fact installed >>>>
Sun Java Test (http://www.java.com/en/download/installed.jsp)

---------------------------

Download and run - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)

----------------------------

Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan

* You need to use IE to run this scan
* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
* Enter your Country
* Enter your State/Province
* Enter your e-mail address and click send
* Select either Home User or Company
* Click the big Scan Now button
* If it wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on My Computer to start the scan
* When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

waveslayer
2008-02-05, 09:21
little eagle,
thanks so much for offering assistance.
I've performed the tasks and below is the report from Panda ActiveScan.
BTW, this computer is using Windows ME.
Thanks again!
WS

********************************************

Incident Status Location

Adware:adware/savenow Not disinfected c:\windows\downloaded program files\WUInst.dll
Adware:adware/ist.istbar Not disinfected c:\windows\downloaded program files\ISTactivex.dl
Virus:trj/downloader.aee Disinfected Operating system
Adware:adware/ipinsight Not disinfected c:\windows\inf\POLALL1R.INF
Spyware:spyware/betterinet Not disinfected c:\windows\inf\SATMAT.INF
Adware:adware/ieplugin Not disinfected c:\windows\kwv2.dat
Adware:adware/windowenhancer Not disinfected c:\windows\system\SBUtils
Adware:adware/toprebates Not disinfected Windows Registry
Adware:adware/searchexe Not disinfected Windows Registry
Adware:adware/topmoxie Not disinfected Windows Registry
Potentially unwanted tool:Application/KillApp.C Not disinfected C:\HP\bin\KillWind.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\HP\bin\KillIt.exe
Hacktool:HackTool/ProcLog.A Not disinfected C:\HP\bin\ProcessLogger.exe
Virus:Trj/Reboot.F Disinfected C:\HP\bin\Rebooter.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\HP\bin\Terminator.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\WINDOWS\OPTIONS\CABS\Terminator.exe
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\MMAKER2.INF
Adware:Adware/WindowEnhancer Not disinfected C:\WINDOWS\SYSTEM\SBUtils\SBWinet.dll
Adware:Adware/WindowEnhancer Not disinfected C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
Spyware:Cookie/adultfriendfinder Not disinfected C:\WINDOWS\Application
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/PointRoll Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Advertising Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Overture Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.overture.com/]
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.com.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/RealMedia Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Toplist Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/onestat.com Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/RealMedia Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Enhance Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.enhance.com/]
Spyware:Cookie/Yadro Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Comclick Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[fl01.ct2.comclick.com/]
Virus:Generic Malware Disinfected C:\WINDOWS\Application Data\casino.exe
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ISTactivex.dll
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\ISTactivex.dll
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\ISTactivex.dll
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\istactivex.inf

********************************************
Note - The following cookie location names were edited for security purposes:

Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\Profiles\Twinson\Cookies\@ccbill[1].txt
Spyware:Cookie/Powerscan Not disinfected C:\WINDOWS\Profiles\Twinson\Cookies\@gammae[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Profiles\Twinson\Cookies\@www.myaffiliateprogram[1].txt
Spyware:Cookie/Outster Not disinfected C:\WINDOWS\Profiles\Twinson\Cookies\@outster[2].txt
Spyware:Cookie/web-stat Not disinfected C:\WINDOWS\Profiles\Twinson\Cookies\@www.web-stat[1].txt
Spyware:Cookie/Toplist Not disinfected C:\WINDOWS\Profiles\Twinson\Cookies\@www.toplist[2].txt
Spyware:Cookie/WebPower Not disinfected C:\WINDOWS\Profiles\Twinson\Cookies\@webpower[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\Profiles\Twinson\Cookies\@ccbill[3].txt
Spyware:Cookie/WebPower Not disinfected C:\WINDOWS\Profiles\Twinson\Cookies\@webpower[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\Profiles\twins000\Cookies\@ccbill[1].txt
Spyware:Cookie/Powerscan Not disinfected C:\WINDOWS\Profiles\twins000\Cookies\@gammae[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Profiles\twins000\Cookies@www.myaffiliateprogram[1].txt
Spyware:Cookie/Outster Not disinfected C:\WINDOWS\Profiles\twins000\Cookies\@outster[2].txt
Spyware:Cookie/web-stat Not disinfected C:\WINDOWS\Profiles\twins000\Cookies\@www.web-stat[1].txt
Spyware:Cookie/Toplist Not disinfected C:\WINDOWS\Profiles\twins000\Cookies\@www.toplist[2].txt
Spyware:Cookie/WebPower Not disinfected C:\WINDOWS\Profiles\twins000\Cookies\@webpower[2].txt

********************************************
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-2e5c728c-7fda480e.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-2e5c728c-7fda480e.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-2e5c728c-7fda480e.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-2e5c728c-7fda480e.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-663d17d7-60135bec.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-663d17d7-60135bec.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-663d17d7-60135bec.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-663d17d7-60135bec.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-d4c1d6-781f8fad.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-d4c1d6-781f8fad.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-d4c1d6-781f8fad.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-d4c1d6-781f8fad.zip[Installer.class]
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\javainstaller.jar-31efef57-4bfcb168.zip[javainstaller/InstallerApplet.class]
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\javainstaller.jar-31f09a69-6d7156b4.zip[javainstaller/InstallerApplet.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-358b10e4-4c51cab3.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-358b10e4-4c51cab3.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-358b10e4-4c51cab3.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-358b10e4-4c51cab3.zip[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-2dd052c1-74136986.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-2dd052c1-74136986.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-2dd052c1-74136986.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-2dd052c1-74136986.zip[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-7b11336d-270c9654.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-7b11336d-270c9654.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-7b11336d-270c9654.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-7b11336d-270c9654.zip[Beyond.class]
Virus:Generic Malware Disinfected C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
Potentially unwanted tool:Application/KillApp.C Not disinfected C:\HP Internet\Surfboard\KillWind.exe
Virus:W32/Sircam Disinfected C:\Caleb's C\WINDOWS\rundll32.exe
Virus:W32/Sircam Disinfected C:\Caleb's C\WINDOWS\run32.exe
Adware:Adware/PortalScan Not disinfected C:\Christopher's C Drive\WINDOWS\Temporary Internet Files\Content.IE5\MBVN4G5K\fsc2k[1].htm
Spyware:Cookie/Abetterinternet Not disinfected C:\Christopher's C Drive\WINDOWS\Cookies\christopher@abetterinternet[2].txt
Spyware:Cookie/Santa Monica networks inc Not disinfected C:\Christopher's C Drive\WINDOWS\Cookies\christopher@smni[1].txt
Spyware:Cookie/Preferences Not disinfected C:\Christopher's C Drive\WINDOWS\Cookies\christopher@preferences[1].txt
Virus:Generic Malware Disinfected Personal Folders\Deleted Items\Israel Just Have Started World War III\Read More.exe
Virus:W32/Nuwar.BB.worm Disinfected Personal Folders\Deleted Items\Our Love is Strong\flash postcard.exe
Virus:W32/Mydoom.DN.worm Disinfected Personal Folders\Inbox\Christopher\afg\Status\attachment.zip[attachment.html

little eagle
2008-02-05, 14:36
Download Pocket Killbox (http://www.bleepingcomputer.com/files/killbox.php) and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot.

For each of the files you could not delete, paste the file's path into the "Full path of file to delete" box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in, then answer Yes and let the system reboot.

c:\windows\downloaded program files\WUInst.dll
c:\windows\downloaded program files\ISTactivex.dl
c:\windows\inf\POLALL1R.INF
c:\windows\inf\SATMAT.INF
c:\windows\kwv2.dat
c:\windows\system\SBUtils
C:\WINDOWS\INF\MMAKER2.INF
C:\WINDOWS\SYSTEM\SBUtils\SBWinet.dll
C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ISTactivex.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\ISTactivex.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\ISTactivex.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\istactivex.inf

-----------------------------------------------

Reboot and rescan with HiJackThis and post a new log here.
Also please describe how your computer behaves at the moment.

waveslayer
2008-02-05, 22:35
HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:22 PM, on 2/5/2008
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES 2\HP CAMERA\DIGITAL IMAGING\BIN\HPQNRS08.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {0FA5BD58-2C7D-439D-8837-9F48DB1F582E} - C:\WINDOWS\SYSTEM\NFA.DLL (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Check &Spelling - res://C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O9 - Extra button: (no name) - {EA8C8581-8CD8-11d5-A181-0050DA0E0131} - C:\DOWNLOADS\PC MAGAZINE ULILITIES\FAVELOCK\FaveUnlock.exe (HKCU)
O9 - Extra 'Tools' menuitem: &Lock folders - {EA8C8581-8CD8-11d5-A181-0050DA0E0131} - C:\DOWNLOADS\PC MAGAZINE ULILITIES\FAVELOCK\FaveUnlock.exe (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .wmv: c:\downloads\netscape\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .asf: c:\downloads\netscape\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wax: c:\downloads\netscape\Program\PLUGINS\npdsplay.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {B8037A22-5FE1-4CC3-B862-E644A521EE54} - http://www2.pristine.com/esp/install/1.02.0069/esp-install.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.rmlsweb.com/XMLSearch/XMLCache.CAB

--
End of file - 4374 bytes


I performed a Google search within Firefox.
Upon clicking on one of the results at random, the link was hijacked by daytotals.com and redirected.

However, performing the same task in IE did not result in the hijacking!

little eagle
2008-02-05, 23:05
Close all programs, leaving only HijackThis running. Place a check against each of the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: (no name) - {0FA5BD58-2C7D-439D-8837-9F48DB1F582E} - C:\WINDOWS\SYSTEM\NFA.DLL (file missing)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {B8037A22-5FE1-4CC3-B862-E644A521EE54} - http://www2.pristine.com/esp/install...sp-install.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.rmlsweb.com/XMLSearch/XMLCache.CAB
Click on Fix Checked when finished and exit HijackThis.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\PROGRAM FILES\EBATES_MOEMONEYMAKER
Exit Explorer, and reboot as normal afterwards.

---------------------------------------

Download and run CWShredder here (http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe)
Make sure that all browser windows are closed with the exception of Cwshredder and choose FIX.


--------------------------------------------------

Rescan with HiJackThis and post a new log here.
Also please describe how your computer behaves at the moment.
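The fix list in the post above is built by reading the HJT log one entry class at a time: R0/R1 search and start URLs that point somewhere odd, O2 BHOs whose DLL is missing, O9 buttons whose target is gone, and O16 ActiveX downloads from unknown hosts. The script below is an added example of that triage, not code from the thread or from HijackThis; the sample log lines are modelled on the log above with shortened paths, and both allow-lists are assumptions for the illustration.

```python
"""Triage a HijackThis (HJT) log by pulling out the entry classes a helper reads first.

Added example, not code from the thread or from HijackThis. An HJT log is line-oriented,
"<Rn|Onn> - <description>", so a short parser is enough to surface:
  R0/R1/R3  IE start and search URLs that point somewhere other than a known default
  O2        Browser Helper Objects, above all ones marked "(file missing)" or "(no name)"
  O9        extra buttons / Tools items whose target is missing
  O16       DPF (Downloaded Program Files) ActiveX controls from hosts not on an allow-list
The two allow-lists are assumptions for the illustration; real triage uses a maintained
database of known-good CLSIDs and hosts.
"""
import re

# Constructed sample in the format HJT v2 emits (entries modelled on the log above,
# paths shortened).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,Default_Search_URL = http://www.searchv.com/search.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\PROGRAM FILES\\ADOBE\\ACROIEHELPER.DLL
O2 - BHO: (no name) - {0FA5BD58-2C7D-439D-8837-9F48DB1F582E} - C:\\WINDOWS\\SYSTEM\\NFA.DLL (file missing)
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\\PROGRAM FILES\\EBATES\\scri350a.htm (file missing) (HKCU)
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {B8037A22-5FE1-4CC3-B862-E644A521EE54} - http://www2.pristine.com/esp/install/1.02.0069/esp-install.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)", re.IGNORECASE)

# Assumed allow-lists (illustration only).
KNOWN_SEARCH_HOSTS = {"www.google.com", "search.msn.com", "search.yahoo.com"}
TRUSTED_DPF_HOSTS = {"fdl.msn.com", "download.microsoft.com", "java.sun.com"}


def parse(log_text):
    """Yield (kind, body) for each HJT entry line; headers and the process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def triage(log_text):
    """Return (severity, kind, reason, entry) tuples for entries worth a second look."""
    findings = []
    for kind, body in parse(log_text):
        if kind in ("R0", "R1", "R3"):
            m = URL_RE.search(body)
            # about:blank and other non-URL values are left alone; HJT resets them on "Fix".
            if m and m.group("host").lower() not in KNOWN_SEARCH_HOSTS:
                findings.append(("high", kind, "IE start/search URL on unknown host " + m.group("host"), body))
        elif kind == "O2":
            if "(file missing)" in body:
                findings.append(("medium", kind, "BHO registered but its DLL is gone (leftover registration)", body))
            elif "(no name)" in body:
                findings.append(("medium", kind, "BHO with no name", body))
        elif kind == "O9" and "(file missing)" in body:
            findings.append(("low", kind, "extra button whose target is missing", body))
        elif kind == "O16":
            m = URL_RE.search(body)
            host = m.group("host").lower() if m else "?"
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(("high", kind, "ActiveX download (DPF) from host not on allow-list: " + host, body))
    return findings


def count_by_severity(findings):
    """Map severity -> number of findings, for a one-line summary."""
    counts = {}
    for severity, _, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, kind, reason, entry in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {kind}: {reason}\n         {entry}")
    print(count_by_severity(triage(SAMPLE_LOG)))
```

Run against the sample it flags exactly the four entries the helper checked in the post above (the searchv.com R1, the missing NFA.DLL BHO, the dead Ebates button and the pristine.com DPF) and leaves the Adobe BHO, the MSN chat control and the about:blank entries alone.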

waveslayer
2008-02-05, 23:30
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:46 PM, on 2/5/2008
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES 2\HP CAMERA\DIGITAL IMAGING\BIN\HPQNRS08.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Check &Spelling - res://C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O9 - Extra button: (no name) - {EA8C8581-8CD8-11d5-A181-0050DA0E0131} - C:\DOWNLOADS\PC MAGAZINE ULILITIES\FAVELOCK\FaveUnlock.exe (HKCU)
O9 - Extra 'Tools' menuitem: &Lock folders - {EA8C8581-8CD8-11d5-A181-0050DA0E0131} - C:\DOWNLOADS\PC MAGAZINE ULILITIES\FAVELOCK\FaveUnlock.exe (HKCU)
O12 - Plugin for .wmv: c:\downloads\netscape\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .asf: c:\downloads\netscape\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wax: c:\downloads\netscape\Program\PLUGINS\npdsplay.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.rmlsweb.com/XMLSearch/XMLCache.CAB

--
End of file - 3353 bytes


Current performance is the same as above:

I performed a Google search within Firefox.
Upon clicking on one of the results at random, the link was hijacked by daytotals.com and redirected.

However, performing the same task in IE did not result in the hijacking!
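A redirect that fires in Firefox but not in IE on the same machine is a useful clue: the hosts file (C:\WINDOWS\HOSTS on Win9x) is shared by both browsers, so a Firefox-only symptom points at something inside the Firefox profile instead. Two things there can steer clicks: the profile's prefs (prefs.js and user.js, one user_pref("name", value); per line), including the proxy settings, since a PAC or manual proxy set only in Firefox would reroute only Firefox. The script below is an added example of that check, not code from the thread or from Mozilla; the pref names are the real Firefox names of that era, but the user.js contents, the example.invalid host and the trusted-host list are constructed for the illustration.

```python
"""Check a Firefox profile's prefs for the settings a search/click hijacker can abuse.

Added example, not from the thread. prefs.js / user.js consist of lines of the form
    user_pref("name", value);
The prefs looked at here:
  browser.startup.homepage       start page
  keyword.URL                    where address-bar searches go (pref existed in Firefox 2/3)
  network.proxy.type             0 none, 1 manual, 2 automatic (PAC), 4 auto-detect
  network.proxy.autoconfig_url   the PAC URL when type is 2
  network.proxy.http             the manual proxy when type is 1
A PAC script can rewrite routing per destination, so a foreign PAC URL explains a
"Firefox only" redirect without touching IE or the hosts file.
"""
import re

# Constructed sample of a user.js such as a hijacker might drop into the profile
# (example.invalid is a reserved, non-resolving name used as a stand-in).
SAMPLE_USER_JS = '''\
user_pref("browser.startup.homepage", "http://hp.my.yahoo.com");
user_pref("keyword.URL", "http://example.invalid/search?q=");
user_pref("network.proxy.type", 2);
user_pref("network.proxy.autoconfig_url", "http://example.invalid/proxy.pac");
user_pref("browser.search.defaultenginename", "Google");
'''

PREF_RE = re.compile(r'^\s*user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+?)\);\s*$')
URL_RE = re.compile(r'https?://(?P<host>[^/"\s]+)', re.IGNORECASE)

# Assumed allow-list for the illustration; in practice compare against what the user set.
TRUSTED_HOSTS = {"www.google.com", "hp.my.yahoo.com", "search.yahoo.com"}
URL_PREFS = ("browser.startup.homepage", "keyword.URL")


def parse_prefs(text):
    """Map pref name -> value (string values unquoted, numbers/booleans kept as text)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            value = m.group("value").strip()
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1]
            prefs[m.group("name")] = value
    return prefs


def audit(prefs):
    """Return (pref, reason) pairs for settings that would redirect this browser only."""
    findings = []
    for name in URL_PREFS:
        val = prefs.get(name)
        if val is None:
            continue
        m = URL_RE.search(val)
        if m and m.group("host").lower() not in TRUSTED_HOSTS:
            findings.append((name, "points at untrusted host " + m.group("host")))
    ptype = prefs.get("network.proxy.type")
    if ptype == "2":
        pac = prefs.get("network.proxy.autoconfig_url", "<unset>")
        findings.append(("network.proxy.type", "automatic proxy config (PAC) enabled: " + pac))
    elif ptype == "1":
        proxy = prefs.get("network.proxy.http", "<unset>")
        findings.append(("network.proxy.type", "manual proxy set: " + proxy))
    return findings


if __name__ == "__main__":
    # On the machine in this thread the profile lives under
    # C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\<id>.default\ ; point this at
    # that folder's prefs.js and user.js instead of the constructed sample.
    for pref, reason in audit(parse_prefs(SAMPLE_USER_JS)):
        print(f"{pref}: {reason}")
```

The homepage passes because hp.my.yahoo.com is on the allow-list (it is also the IERESET.INF start page in the HJT log), while the search pref and the PAC setting are flagged. Extensions in the profile's extensions folder and any third-party file in searchplugins deserve the same look; they are not covered by this prefs-only check.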

little eagle
2008-02-05, 23:42
Can you run the Panda scan again please, and post the log here when done.

waveslayer
2008-02-06, 04:18
Here you go... thanks again for working with me:

Incident Status Location

Adware:adware/ist.istbar Not disinfected c:\windows\downloaded program files\ISTactivex.dll
Adware:adware/savenow Not disinfected c:\windows\downloaded program files\WUInst.inf
Adware:adware/windowenhancer Not disinfected c:\windows\system\SBUtils
Spyware:spyware/betterinet Not disinfected Windows Registry
Adware:adware/toprebates Not disinfected Windows Registry
Adware:adware/topmoxie Not disinfected Windows Registry
Potentially unwanted tool:Application/KillApp.C Not disinfected C:\HP\bin\KillWind.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\HP\bin\KillIt.exe
Hacktool:HackTool/ProcLog.A Not disinfected C:\HP\bin\ProcessLogger.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\HP\bin\Terminator.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\WINDOWS\OPTIONS\CABS\Terminator.exe
Spyware:Cookie/adultfriendfinder Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/PointRoll Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Overture Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.overture.com/]
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Advertising Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.com.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/RealMedia Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Toplist Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/onestat.com Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/RealMedia Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Enhance Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.enhance.com/]
Spyware:Cookie/Yadro Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Comclick Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[fl01.ct2.comclick.com/]
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\Profiles\Twinson\Cookies\robert farro@ccbill[1].txt
Spyware:Cookie/Powerscan Not disinfected C:\WINDOWS\Profiles\Twinson\Cookies\robert farro@gammae[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Profiles\Twinson\Cookies\robert farro@www.myaffiliateprogram[1].txt
Spyware:Cookie/Outster Not disinfected C:\WINDOWS\Profiles\Twinson\Cookies\robert farro@outster[2].txt
Spyware:Cookie/web-stat Not disinfected C:\WINDOWS\Profiles\Twinson\Cookies\robert farro@www.web-stat[1].txt
Spyware:Cookie/Toplist Not disinfected C:\WINDOWS\Profiles\Twinson\Cookies\robert farro@www.toplist[2].txt
Spyware:Cookie/WebPower Not disinfected C:\WINDOWS\Profiles\Twinson\Cookies\robert farro@webpower[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\Profiles\Twinson\Cookies\robert farro@ccbill[3].txt
Spyware:Cookie/WebPower Not disinfected C:\WINDOWS\Profiles\Twinson\Cookies\robert farro@webpower[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\Profiles\twins000\Cookies\robert farro@ccbill[1].txt
Spyware:Cookie/Powerscan Not disinfected C:\WINDOWS\Profiles\twins000\Cookies\robert farro@gammae[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Profiles\twins000\Cookies\robert farro@www.myaffiliateprogram[1].txt
Spyware:Cookie/Outster Not disinfected C:\WINDOWS\Profiles\twins000\Cookies\robert farro@outster[2].txt
Spyware:Cookie/web-stat Not disinfected C:\WINDOWS\Profiles\twins000\Cookies\robert farro@www.web-stat[1].txt
Spyware:Cookie/Toplist Not disinfected C:\WINDOWS\Profiles\twins000\Cookies\robert farro@www.toplist[2].txt
Spyware:Cookie/WebPower Not disinfected C:\WINDOWS\Profiles\twins000\Cookies\robert farro@webpower[2].txt
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-2e5c728c-7fda480e.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-2e5c728c-7fda480e.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-2e5c728c-7fda480e.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-2e5c728c-7fda480e.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-663d17d7-60135bec.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-663d17d7-60135bec.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-663d17d7-60135bec.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-663d17d7-60135bec.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-d4c1d6-781f8fad.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-d4c1d6-781f8fad.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-d4c1d6-781f8fad.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-d4c1d6-781f8fad.zip[Installer.class]
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\javainstaller.jar-31efef57-4bfcb168.zip[javainstaller/InstallerApplet.class]
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\javainstaller.jar-31f09a69-6d7156b4.zip[javainstaller/InstallerApplet.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-358b10e4-4c51cab3.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-358b10e4-4c51cab3.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-358b10e4-4c51cab3.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-358b10e4-4c51cab3.zip[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-2dd052c1-74136986.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-2dd052c1-74136986.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-2dd052c1-74136986.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-2dd052c1-74136986.zip[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-7b11336d-270c9654.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-7b11336d-270c9654.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-7b11336d-270c9654.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-7b11336d-270c9654.zip[Beyond.class]
Potentially unwanted tool:Application/KillApp.C Not disinfected C:\HP Internet\Surfboard\KillWind.exe
Adware:Adware/SaveNow Not disinfected C:\!KillBox\WUInst.dll
Adware:Adware/Transponder Not disinfected C:\!KillBox\POLALL1R.INF
Spyware:Spyware/BetterInet Not disinfected C:\!KillBox\SATMAT.INF
Spyware:Spyware/BetterInet Not disinfected C:\!KillBox\MMAKER2.INF
Adware:Adware/WindowEnhancer Not disinfected C:\!KillBox\SBWinet.dll
Adware:Adware/WindowEnhancer Not disinfected C:\!KillBox\SBWebCtl.dll
Adware:Adware/IST.ISTBar Not disinfected C:\!KillBox\ISTactivex.dll
Adware:Adware/IST.ISTBar Not disinfected C:\!KillBox\ISTactivex.dll( 2)
Adware:Adware/IST.ISTBar Not disinfected C:\!KillBox\ISTactivex.dll( 3)
Adware:Adware/IST.ISTBar Not disinfected C:\!KillBox\istactivex.inf
Adware:Adware/SaveNow Not disinfected C:\!KillBox\WUInst.dll( 4)
Adware:Adware/PortalScan Not disinfected C:\Christopher's C Drive\WINDOWS\Temporary Internet Files\Content.IE5\MBVN4G5K\fsc2k[1].htm
Spyware:Cookie/Abetterinternet Not disinfected C:\Christopher's C Drive\WINDOWS\Cookies\christopher@abetterinternet[2].txt
Spyware:Cookie/Santa Monica networks inc Not disinfected C:\Christopher's C Drive\WINDOWS\Cookies\christopher@smni[1].txt
Spyware:Cookie/Preferences Not disinfected C:\Christopher's C Drive\WINDOWS\Cookies\christopher@preferences[1].txt
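Most of the Panda hits above are not running code: they sit in the !KillBox quarantine folder (files already moved aside by the earlier KillBox step), in the Java plugin cache, in cookie files, or in a second Windows installation's cache. The script below is an added example, not code from the thread or from Panda, that sorts findings of this log format by location so the live ones surface first; the buckets are a rule of thumb assumed for the illustration, the sample lines are modelled on the log above with the cookie and _Restore lines made up, and a review still reads every line.

```python
r"""Sort antivirus scan findings by where each file lives, so the live ones surface first.

Added example, not code from the thread or from Panda. Buckets (assumed for this
illustration):
  restore-archive  c:\_Restore\ARCHIVE\*.CAB   Windows ME System Restore snapshots; inert unless restored
  quarantine       C:\!KillBox\                 files KillBox already moved aside
  cookie           ...\Cookies\, cookies.txt    tracking cookies, no code
  cache            .jpi_cache, Temporary Internet Files   downloaded content, not running
  registry         "Windows Registry"           no file; needs a registry look
  live             anything else                the entries to deal with now
"""
import re

# Constructed sample in Panda's "<name> <status> <location>" format (lines modelled on the
# log above; the generic cookie line and the _Restore line are made up).
SAMPLE_LOG = r"""
Adware:adware/ist.istbar Not disinfected c:\windows\downloaded program files\ISTactivex.dll
Spyware:spyware/betterinet Not disinfected Windows Registry
Hacktool:HackTool/ProcLog.A Not disinfected C:\HP\bin\ProcessLogger.exe
Spyware:Cookie/Overture Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\wzr4za5g.default\cookies.txt[.overture.com/]
Spyware:Cookie/Example Not disinfected C:\WINDOWS\Cookies\user@example[1].txt
Hacktool:Exploit/ByteVerify Not disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip[BlackBox.class]
Adware:Adware/SaveNow Not disinfected C:\!KillBox\WUInst.dll
Adware:Adware/IST.ISTBar Disinfected c:\_Restore\ARCHIVE\FS1.CAB[A0000001.CPY]
"""

LINE_RE = re.compile(r"^(?P<name>.+?)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<path>.+?)\s*$")

LOCATION_RULES = [
    ("restore-archive", re.compile(r"\\_restore\\", re.I)),
    ("quarantine", re.compile(r"\\!killbox\\", re.I)),
    ("cookie", re.compile(r"\\cookies\\|cookies\.txt", re.I)),
    ("cache", re.compile(r"\\\.jpi_cache\\|temporary internet files", re.I)),
]


def classify(path):
    """Return the location bucket for one finding's path."""
    if path == "Windows Registry":
        return "registry"
    for label, rx in LOCATION_RULES:
        if rx.search(path):
            return label
    return "live"


def parse(log_text):
    """Yield dicts with name, status, path and bucket for each finding line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            finding = m.groupdict()
            finding["bucket"] = classify(finding["path"])
            yield finding


def summarize(log_text):
    """Count findings per bucket."""
    counts = {}
    for f in parse(log_text):
        counts[f["bucket"]] = counts.get(f["bucket"], 0) + 1
    return counts


def needs_attention(log_text):
    """Paths in the live and registry buckets, i.e. the findings that are not inert."""
    return [f["path"] for f in parse(log_text) if f["bucket"] in ("live", "registry")]


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for path in needs_attention(SAMPLE_LOG):
        print("attend:", path)
```

On the sample this leaves three items to act on (the ISTactivex.dll under Downloaded Program Files, the registry-only betterinet entry and the HP ProcessLogger hit) and files the rest under quarantine, cache, cookie and restore-archive. The same split applies to the ESET log further down, where nearly every line is under c:\_Restore\ARCHIVE.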

little eagle
2008-02-06, 04:25
Run ATF Cleaner before running this scan; instructions are here (http://forums.security-central.us/showthread.php?t=1925).

Run this online scan from ESET (http://www.eset.eu/online-scanner); it will also remove the malware.

You will need to use Internet explorer for this scan!
First, accept the Terms of Use
Click: Start
When asked, allow the ActiveX control to install
Click: Start
Make sure the options:
Remove found threats, and Scan unwanted applications
are both checked!
Click: Scan


When the scan finishes, use Notepad to open the ESET report.
It will be located here C:\Program Files\EsetOnlineScanner\log.txt

waveslayer
2008-02-06, 10:20
Too large for one post ( 1. The text that you have entered is too long (26604 characters). Please shorten it to 20000 characters long.)

Part one follows:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2851 (20080205)
# vers_arch_module=1.063 (20080117)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=3f0d459050a1bf4b8657162e5f14b245
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-02-06 08:05:39
# local_time=2008-02-06 12:05:39 (-0800, Pacific Standard Time)
# country="United States"
# osver=4.90.73010104 9x
# scanned=356839
# found=100
# scan_time=3842
c:\_Restore\ARCHIVE\FS277.CAB multiple infiltrations (deleted (after the next restart)) 1C48714FDCE832524B2703C1239CE803
c:\_Restore\ARCHIVE\FS277.CAB »CAB »A0681042.CPY a variant of Win32/TrojanDownloader.VB.AW trojan (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS277.CAB »CAB »A0681042.CPY »NSIS »Mz17r2314.exe a variant of Win32/TrojanDownloader.VB.AW trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS277.CAB »CAB »A0681043.CPY a variant of Win32/Adware.Virtumonde application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS316.CAB probably a variant of Win32/TrojanDownloader.Agent trojan (deleted (after the next restart)) 4A8BF8A1CF22F6651F976C6A3981CE81
c:\_Restore\ARCHIVE\FS316.CAB »CAB »A0685453.CPY probably a variant of Win32/TrojanDownloader.Agent trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS321.CAB probably a variant of Win32/TrojanDownloader.Obfuscated trojan (deleted (after the next restart)) 6E7E48FAB662F1A783420CAF9CABF27C
c:\_Restore\ARCHIVE\FS321.CAB »CAB »A0686507.CPY probably a variant of Win32/TrojanDownloader.Obfuscated trojan (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS321.CAB »CAB »A0686507.CPY »NSIS »Uninstall.exe probably a variant of Win32/TrojanDownloader.Obfuscated trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS369.CAB multiple infiltrations (deleted (after the next restart)) 7614B1A2AF7E82852D23457C3C56C5DB
c:\_Restore\ARCHIVE\FS369.CAB »CAB »A0695606.CPY a variant of Win32/Dialer.DialHub application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS369.CAB »CAB »A0695607.CPY Win32/Adware.180Solutions application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS369.CAB »CAB »A0695611.CPY a variant of Win32/TrojanDownloader.IstBar trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS372.CAB Win32/Adware.180Solutions application (deleted (after the next restart)) F4A77AA0FDDC5F9FC21DF6B544E3BB72
c:\_Restore\ARCHIVE\FS372.CAB »CAB »A0695884.CPY Win32/Adware.180Solutions application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS383.CAB multiple infiltrations (deleted (after the next restart)) 28DF5A6311AD4D0E48F18031BC0DFA3E
c:\_Restore\ARCHIVE\FS383.CAB »CAB »A0697252.CPY multiple infiltrations (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS383.CAB »CAB »A0697252.CPY »WISE »IPinsight.EXE Win32/TrojanDownloader.Stubby.B trojan (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS383.CAB »CAB »A0697252.CPY »WISE »IPinsight.EXE »WISE »Sentry.exe Win32/TrojanDownloader.Stubby.B trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS383.CAB »CAB »A0697252.CPY »WISE »msc.exe a variant of Win32/Adware.WurldMedia application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS383.CAB »CAB »A0697252.CPY »WISE »msc.exe »WISE »mbho.dll a variant of Win32/Adware.WurldMedia application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS383.CAB »CAB »A0697253.CPY Win32/Sircam worm (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS383.CAB »CAB »A0697254.CPY Win32/Sircam worm (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS383.CAB »CAB »A0697257.CPY multiple infiltrations (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS383.CAB »CAB »A0697257.CPY »WISE »IPinsight.EXE Win32/TrojanDownloader.Stubby.B trojan (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS383.CAB »CAB »A0697257.CPY »WISE »IPinsight.EXE »WISE »Sentry.exe Win32/TrojanDownloader.Stubby.B trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS383.CAB »CAB »A0697257.CPY »WISE »msc.exe a variant of Win32/Adware.WurldMedia application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS383.CAB »CAB »A0697257.CPY »WISE »msc.exe »WISE »mbho.dll a variant of Win32/Adware.WurldMedia application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS384.CAB multiple infiltrations (deleted (after the next restart)) D934964293187EACFC8B4EE001A4860B
c:\_Restore\ARCHIVE\FS384.CAB »CAB »A0697258.CPY multiple infiltrations (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS384.CAB »CAB »A0697258.CPY »WISE »IPinsight.EXE Win32/TrojanDownloader.Stubby.B trojan (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS384.CAB »CAB »A0697258.CPY »WISE »IPinsight.EXE »WISE »Sentry.exe Win32/TrojanDownloader.Stubby.B trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS384.CAB »CAB »A0697258.CPY »WISE »msc.exe a variant of Win32/Adware.WurldMedia application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS384.CAB »CAB »A0697258.CPY »WISE »msc.exe »WISE »mbho.dll a variant of Win32/Adware.WurldMedia application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS384.CAB »CAB »A0697259.CPY Win32/Sircam worm (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS384.CAB »CAB »A0697260.CPY Win32/Sircam worm (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS384.CAB »CAB »A0697261.CPY Win32/Sircam worm (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS384.CAB »CAB »A0697262.CPY Win32/Sircam worm (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS395.CAB multiple infiltrations (deleted (after the next restart)) 15228E3D120C3C1D7886A745074ABCFC
c:\_Restore\ARCHIVE\FS395.CAB »CAB »A0697708.CPY Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS395.CAB »CAB »A0697710.CPY Win32/Sircam worm (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\_Restore\ARCHIVE\FS395.CAB »CAB »A0697712.CPY Win32/Sircam worm (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

waveslayer
2008-02-06, 10:21
Part 2 (of 2):


c:\WINDOWS\Downloaded Program Files\ISTactivex.dll Win32/TrojanDownloader.IstBar.S trojan (unable to clean - deleted) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip Java/ClassLoader.AA trojan (deleted) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip »ZIP »BlackBox.class Java/ClassLoader.AA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip »ZIP »VerifierBug.class Java/ClassLoader.AA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip »ZIP »Dummy.class Java/ClassLoader.AA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip »ZIP »Beyond.class Java/ClassLoader.AA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip multiple infiltrations (deleted) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip »ZIP »Dummy.class JS/IEStart trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip »ZIP »Installer.class Java/OpenConnection.F trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-2e5c728c-7fda480e.zip multiple infiltrations (deleted) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-2e5c728c-7fda480e.zip »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-2e5c728c-7fda480e.zip »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-2e5c728c-7fda480e.zip »ZIP »Dummy.class JS/IEStart trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-2e5c728c-7fda480e.zip »ZIP »Installer.class Java/OpenConnection.F trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-663d17d7-60135bec.zip multiple infiltrations (deleted) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-663d17d7-60135bec.zip »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-663d17d7-60135bec.zip »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-663d17d7-60135bec.zip »ZIP »Dummy.class JS/IEStart trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-663d17d7-60135bec.zip »ZIP »Installer.class Java/OpenConnection.F trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-d4c1d6-781f8fad.zip multiple infiltrations (deleted) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-d4c1d6-781f8fad.zip »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-d4c1d6-781f8fad.zip »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-d4c1d6-781f8fad.zip »ZIP »Dummy.class JS/IEStart trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-d4c1d6-781f8fad.zip »ZIP »Installer.class Java/OpenConnection.F trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\javainstaller.jar-31efef57-4bfcb168.zip Java/TrojanDownloader.OpenStream.W trojan (deleted) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\javainstaller.jar-31efef57-4bfcb168.zip »ZIP »javainstaller/InstallerApplet.class Java/TrojanDownloader.OpenStream.W trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\javainstaller.jar-31f09a69-6d7156b4.zip Java/TrojanDownloader.OpenStream.W trojan (deleted) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\javainstaller.jar-31f09a69-6d7156b4.zip »ZIP »javainstaller/InstallerApplet.class Java/TrojanDownloader.OpenStream.W trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-358b10e4-4c51cab3.zip Java/ClassLoader.AA trojan (deleted) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-358b10e4-4c51cab3.zip »ZIP »BlackBox.class Java/ClassLoader.AA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-358b10e4-4c51cab3.zip »ZIP »VerifierBug.class Java/ClassLoader.AA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-358b10e4-4c51cab3.zip »ZIP »Dummy.class Java/ClassLoader.AA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-358b10e4-4c51cab3.zip »ZIP »Beyond.class Java/ClassLoader.AA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-2dd052c1-74136986.zip Java/ClassLoader.AA trojan (deleted) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-2dd052c1-74136986.zip »ZIP »BlackBox.class Java/ClassLoader.AA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-2dd052c1-74136986.zip »ZIP »VerifierBug.class Java/ClassLoader.AA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-2dd052c1-74136986.zip »ZIP »Dummy.class Java/ClassLoader.AA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-2dd052c1-74136986.zip »ZIP »Beyond.class Java/ClassLoader.AA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-7b11336d-270c9654.zip Java/ClassLoader.AA trojan (deleted) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-7b11336d-270c9654.zip »ZIP »BlackBox.class Java/ClassLoader.AA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-7b11336d-270c9654.zip »ZIP »VerifierBug.class Java/ClassLoader.AA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-7b11336d-270c9654.zip »ZIP »Dummy.class Java/ClassLoader.AA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-7b11336d-270c9654.zip »ZIP »Beyond.class Java/ClassLoader.AA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\Program Files 2\AIM95\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted) 00000000000000000000000000000000
c:\Program Files 2\AIM95\Sysfiles\WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\My Download Files\Morph20.exe multiple infiltrations (deleted) 00000000000000000000000000000000
c:\My Download Files\Morph20.exe »WISE »IPinsight.EXE Win32/TrojanDownloader.Stubby.B trojan (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\My Download Files\Morph20.exe »WISE »IPinsight.EXE »WISE »Sentry.exe Win32/TrojanDownloader.Stubby.B trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\My Download Files\Morph20.exe »WISE »msc.exe a variant of Win32/Adware.WurldMedia application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\My Download Files\Morph20.exe »WISE »msc.exe »WISE »mbho.dll a variant of Win32/Adware.WurldMedia application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\Caleb's C\Cookie Cop2\CookieCop2.zip Win32/Hybris worm (deleted) 00000000000000000000000000000000
c:\Caleb's C\Cookie Cop2\CookieCop2.zip »ZIP »SETUP.EXE Win32/Hybris worm (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
c:\!KillBox\ISTactivex.dll Win32/TrojanDownloader.IstBar.S trojan (unable to clean - deleted) 00000000000000000000000000000000
c:\!KillBox\ISTactivex.dll( 2) Win32/TrojanDownloader.IstBar.S trojan (unable to clean - deleted) 00000000000000000000000000000000
c:\!KillBox\ISTactivex.dll( 3) Win32/TrojanDownloader.IstBar.S trojan (unable to clean - deleted) 00000000000000000000000000000000
c:\Christopher's C Drive\WINDOWS\Temporary Internet Files\Content.IE5\MBVN4G5K\fsc2k[1].htm JScript/TrojanDownloader.Cobase.A trojan (unable to clean - deleted) 00000000000000000000000000000000

waveslayer
2008-02-06, 10:24
And for what it's worth:

The problem of Firefox being hijacked is still present when using Google search.

little eagle
2008-02-07, 00:41
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

waveslayer
2008-02-07, 06:20
I'm having trouble running the batch program.
A DOS prompt window opens and gives an error:
"Bad command or file name
Bad command or file name
Syntax error"

Does SDFix not like Windows ME?

Waiting for your advice,

thanks again

WS

little eagle
2008-02-08, 04:59
Did you try to run it in safe mode?

If so delete that copy and download it again.

waveslayer
2008-02-08, 05:44
I've tried it several times.

The ReadMe file states that:
"SDFix v1.138

Updated 7th February 4pm. SDFix will only run on Windows 2000 and Windows XP in Safe Mode! (Requires Administrator Account Privileges)"

at this link : http://downloads.andymanchesta.com/RemovalTools/SDFix_ReadMe.htm

Is there another that runs with WindowsME?

little eagle
2008-02-08, 06:07
I'm sorry, I thought it was able to.
One of the things about running older versions of Windows is that the file system is FAT32, not NTFS.

However, a-squared still runs on ME:

http://www.emsisoft.com/en/software/free/

Can you download, update and scan with a-squared?
Do not delete any files; use quarantine.

waveslayer
2008-02-09, 19:37
These are the scan results.
I don't know why there's spacing in the font.
This is simply a copy/paste of the text report.
Thanks again!

a-squared Anti-Malware - Version 3.1
Last update: 2/7/2008 11:11:50 PM

Scan settings:

Objects: Memory, Traces, Cookies, C:\WINDOWS\, C:\Program Files
Scan archives: On
Heuristics: On
ADS Scan: Off

Scan start: 2/7/2008 11:13:16 PM

c:\program files\passware detected: Trace.Directory.BackupKey
c:\program files\passware\demos detected: Trace.Directory.BackupKey
c:\windows\start menu\programs\morpheus detected: Trace.Directory.Morpheus
c:\program files\aws\weatherbug detected: Trace.Directory.WeatherBug
c:\windows\inf\btgrab.inf detected: Trace.File.BTGrab
c:\windows\favorites\sports\hockey.url detected: Trace.File.GoHip
c:\windows\favorites\travel\cruises.url detected: Trace.File.GoHip
c:\windows\inf\polmx.inf detected: Trace.File.MX-Targeting
c:\windows\downloaded program files\installer.inf detected: Trace.File.Suspicious
c:\windows\cntrs.dll detected: Trace.File.WinLogonEXE
c:\windows\vlrs.dll detected: Trace.File.WinLogonEXE
Key: HKEY_CLASSES_ROOT\clsid\{d3b7d8e1-92db-11d2-8551-0060083cfb9c} detected: Trace.Registry.Netzip
Key: HKEY_CLASSES_ROOT\interface\{d3b7d8e2-92db-11d2-8551-0060083cfb9c} detected: Trace.Registry.Netzip
Key: HKEY_CLASSES_ROOT\typelib\{d3b7d8e0-92db-11d2-8551-0060083cfb9c}\1.0 detected: Trace.Registry.Netzip
Key: HKEY_CLASSES_ROOT\typelib\{d3b7d8e0-92db-11d2-8551-0060083cfb9c} detected: Trace.Registry.Netzip
c:\program files\passware detected: Trace.Directory.MessengerKey
c:\windows\start menu\programs\passware detected: Trace.Directory.MessengerKey
c:\windows\matrixcode.scr detected: Trace.File.MatrixCodeScreensaver
Value: HKEY_CLASSES_ROOT\CLSID\{2C704DBB-9C46-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel detected: Trace.Registry.FindOutNowSpySoftware
Value: HKEY_CLASSES_ROOT\CLSID\{2C704DBC-9C46-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel detected: Trace.Registry.FindOutNowSpySoftware
Value: HKEY_CLASSES_ROOT\CLSID\{2C704DBD-9C46-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel detected: Trace.Registry.FindOutNowSpySoftware
Value: HKEY_CLASSES_ROOT\CLSID\{389B19B9-9A87-11D1-B77F-00001C1AD1F8}\InprocServer32 --> ThreadingModel detected: Trace.Registry.FindOutNowSpySoftware
Value: HKEY_CLASSES_ROOT\CLSID\{6E29B981-9C50-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel detected: Trace.Registry.FindOutNowSpySoftware
Value: HKEY_CLASSES_ROOT\CLSID\{855C49A7-9C3C-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel detected: Trace.Registry.FindOutNowSpySoftware
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C704DBB-9C46-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel detected: Trace.Registry.FindOutNowSpySoftware
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C704DBC-9C46-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel detected: Trace.Registry.FindOutNowSpySoftware
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C704DBD-9C46-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel detected: Trace.Registry.FindOutNowSpySoftware
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{389B19B9-9A87-11D1-B77F-00001C1AD1F8}\InprocServer32 --> ThreadingModel detected: Trace.Registry.FindOutNowSpySoftware
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E29B981-9C50-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel detected: Trace.Registry.FindOutNowSpySoftware
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E29B982-9C50-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel detected: Trace.Registry.FindOutNowSpySoftware
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855C49A7-9C3C-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel detected: Trace.Registry.FindOutNowSpySoftware
Value: HKEY_CLASSES_ROOT\CLSID\{33337170-F789-11CE-86F8-0020AFD8C6DB}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SGOOPE
Value: HKEY_CURRENT_USER\Software\Viewpoint\ContentDebugger --> SearchBar detected: Trace.Registry.ViewpointMediaToolbar
Value: HKEY_CURRENT_USER\Software\Viewpoint\ContentDebugger --> ViewbarInstaller detected: Trace.Registry.ViewpointMediaToolbar
Value: HKEY_CURRENT_USER\Software\Viewpoint\ContentDebugger --> ViewpointManager detected: Trace.Registry.ViewpointMediaToolbar
Value: HKEY_CURRENT_USER\Software\Viewpoint\ContentDebugger --> ViewpointManagerInstaller detected: Trace.Registry.ViewpointMediaToolbar
C:\WINDOWS\Desktop\SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\WINDOWS\Desktop\SDFix(2).exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\WINDOWS\Desktop\sdfix\SDFix\apps\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\Program Files\%systemdrive%\SDFix\apps\Process.exe detected: Riskware.RiskTool.Win32.Processor.20

Scanned

Files: 50274
Traces: 161367
Cookies: 101
Processes: 15

Found

Files: 4
Traces: 36
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 2/7/2008 11:38:22 PM
Scan time: 0:25:06

C:\WINDOWS\Desktop\SDFix.exe/Process.exe Quarantined Riskware.RiskTool.Win32.Processor.20
C:\WINDOWS\Desktop\SDFix(2).exe/Process.exe Quarantined Riskware.RiskTool.Win32.Processor.20
C:\WINDOWS\Desktop\sdfix\SDFix\apps\Process.exe Quarantined Riskware.RiskTool.Win32.Processor.20
C:\Program Files\%systemdrive%\SDFix\apps\Process.exe Quarantined Riskware.RiskTool.Win32.Processor.20
Value: HKEY_CURRENT_USER\Software\Viewpoint\ContentDebugger --> SearchBar Quarantined Trace.Registry.ViewpointMediaToolbar
Value: HKEY_CURRENT_USER\Software\Viewpoint\ContentDebugger --> ViewbarInstaller Quarantined Trace.Registry.ViewpointMediaToolbar
Value: HKEY_CURRENT_USER\Software\Viewpoint\ContentDebugger --> ViewpointManager Quarantined Trace.Registry.ViewpointMediaToolbar
Value: HKEY_CURRENT_USER\Software\Viewpoint\ContentDebugger --> ViewpointManagerInstaller Quarantined Trace.Registry.ViewpointMediaToolbar
Value: HKEY_CLASSES_ROOT\CLSID\{33337170-F789-11CE-86F8-0020AFD8C6DB}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.SGOOPE
Value: HKEY_CLASSES_ROOT\CLSID\{2C704DBB-9C46-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.FindOutNowSpySoftware
Value: HKEY_CLASSES_ROOT\CLSID\{2C704DBC-9C46-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.FindOutNowSpySoftware
Value: HKEY_CLASSES_ROOT\CLSID\{2C704DBD-9C46-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.FindOutNowSpySoftware
Value: HKEY_CLASSES_ROOT\CLSID\{389B19B9-9A87-11D1-B77F-00001C1AD1F8}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.FindOutNowSpySoftware
Value: HKEY_CLASSES_ROOT\CLSID\{6E29B981-9C50-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.FindOutNowSpySoftware
Value: HKEY_CLASSES_ROOT\CLSID\{855C49A7-9C3C-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.FindOutNowSpySoftware
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C704DBB-9C46-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.FindOutNowSpySoftware
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C704DBC-9C46-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.FindOutNowSpySoftware
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C704DBD-9C46-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.FindOutNowSpySoftware
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{389B19B9-9A87-11D1-B77F-00001C1AD1F8}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.FindOutNowSpySoftware
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E29B981-9C50-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.FindOutNowSpySoftware
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E29B982-9C50-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.FindOutNowSpySoftware
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855C49A7-9C3C-11D1-B784-00001C1AD1F8}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.FindOutNowSpySoftware
c:\windows\matrixcode.scr Quarantined Trace.File.MatrixCodeScreensaver
c:\program files\passware Quarantined Trace.Directory.MessengerKey
c:\windows\start menu\programs\passware Quarantined Trace.Directory.MessengerKey
Key: HKEY_CLASSES_ROOT\clsid\{d3b7d8e1-92db-11d2-8551-0060083cfb9c} Quarantined Trace.Registry.Netzip
Key: HKEY_CLASSES_ROOT\interface\{d3b7d8e2-92db-11d2-8551-0060083cfb9c} Quarantined Trace.Registry.Netzip

K e y : H K E Y _ C L A S S E S _ R O O T \ t y p e l i b \ { d 3 b 7 d 8 e 0 - 9 2 d b - 1 1 d 2 - 8 5 5 1 - 0 0 6 0 0 8 3 c f b 9 c } \ 1 . 0 Q u a r a n t i n e d T r a c e . R e g i s t r y . N e t z i p

K e y : H K E Y _ C L A S S E S _ R O O T \ t y p e l i b \ { d 3 b 7 d 8 e 0 - 9 2 d b - 1 1 d 2 - 8 5 5 1 - 0 0 6 0 0 8 3 c f b 9 c } Q u a r a n t i n e d T r a c e . R e g i s t r y . N e t z i p

c : \ w i n d o w s \ c n t r s . d l l Q u a r a n t i n e d T r a c e . F i l e . W i n L o g o n E X E

c : \ w i n d o w s \ v l r s . d l l Q u a r a n t i n e d T r a c e . F i l e . W i n L o g o n E X E

c : \ w i n d o w s \ d o w n l o a d e d p r o g r a m f i l e s \ i n s t a l l e r . i n f Q u a r a n t i n e d T r a c e . F i l e . S u s p i c i o u s

c : \ w i n d o w s \ i n f \ p o l m x . i n f Q u a r a n t i n e d T r a c e . F i l e . M X - T a r g e t i n g

c : \ w i n d o w s \ f a v o r i t e s \ s p o r t s \ h o c k e y . u r l Q u a r a n t i n e d T r a c e . F i l e . G o H i p

c : \ w i n d o w s \ f a v o r i t e s \ t r a v e l \ c r u i s e s . u r l
Q u a r a n t i n e d T r a c e . F i l e . G o H i p

c : \ w i n d o w s \ i n f \ b t g r a b . i n f
Q u a r a n t i n e d T r a c e . F i l e . B T G r a b

c : \ p r o g r a m f i l e s \ a w s \ w e a t h e r b u g Q u a r a n t i n e d T r a c e . D i r e c t o r y . W e a t h e r B u g

c : \ w i n d o w s \ s t a r t m e n u \ p r o g r a m s \ m o r p h e u s
Q u a r a n t i n e d T r a c e . D i r e c t o r y . M o r p h e u s

c : \ p r o g r a m f i l e s \ p a s s w a r e Q u a r a n t i n e d T r a c e . D i r e c t o r y . B a c k u p K e y

c : \ p r o g r a m f i l e s \ p a s s w a r e \ d e m o s
Q u a r a n t i n e d T r a c e . D i r e c t o r y . B a c k u p K e y



Q u a r a n t i n e d



F i l e s :
4

T r a c e s : 3 6

C o o k i e s : 0

little eagle
2008-02-11, 04:56
Reboot and rescan with HiJackThis and post a new log here.
Also please describe how your computer behaves at the moment.

waveslayer
2008-02-11, 10:31
Hi Little Eagle,

Google search results, using Firefox, are still getting hijacked. I thought we had it taken care of when the first four attempts were successful. But then, daytotals.com snagged the next ones after that.
I have seen other computer users with the same issue get resolved, much in the same way as you are having me go about it. So I have faith.

thanks again
WS





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:26 AM, on 2/11/2008
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES 2\HP CAMERA\DIGITAL IMAGING\BIN\HPQNRS08.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
O4 - HKUS\.DEFAULT\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE (User 'Default user')
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Check &Spelling - res://C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O9 - Extra button: (no name) - {EA8C8581-8CD8-11d5-A181-0050DA0E0131} - C:\DOWNLOADS\PC MAGAZINE ULILITIES\FAVELOCK\FaveUnlock.exe (HKCU)
O9 - Extra 'Tools' menuitem: &Lock folders - {EA8C8581-8CD8-11d5-A181-0050DA0E0131} - C:\DOWNLOADS\PC MAGAZINE ULILITIES\FAVELOCK\FaveUnlock.exe (HKCU)
O12 - Plugin for .wmv: c:\downloads\netscape\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .asf: c:\downloads\netscape\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wax: c:\downloads\netscape\Program\PLUGINS\npdsplay.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.rmlsweb.com/XMLSearch/XMLCache.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL

--
End of file - 4048 bytes

little eagle
2008-02-11, 13:45
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

* Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
* The fix will begin; follow the prompts.
* You will be asked to reboot your computer; please do so.
* Your system may take longer than usual to load; this is normal.
* Once the desktop loads, post the text that will open (report.txt) and a new Hijackthis log in the forum please.

waveslayer
2008-02-11, 19:24
There was no "report.txt" file to post.
I ran Fixwareout.exe twice, with no file generated.
here is the HJT log:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:17 AM, on 2/11/2008
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES 2\HP CAMERA\DIGITAL IMAGING\BIN\HPQNRS08.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
O4 - HKUS\.DEFAULT\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE (User 'Default user')
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Check &Spelling - res://C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O9 - Extra button: (no name) - {EA8C8581-8CD8-11d5-A181-0050DA0E0131} - C:\DOWNLOADS\PC MAGAZINE ULILITIES\FAVELOCK\FaveUnlock.exe (HKCU)
O9 - Extra 'Tools' menuitem: &Lock folders - {EA8C8581-8CD8-11d5-A181-0050DA0E0131} - C:\DOWNLOADS\PC MAGAZINE ULILITIES\FAVELOCK\FaveUnlock.exe (HKCU)
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL

--
End of file - 3137 bytes

waveslayer
2008-02-11, 19:34
found the report.txt
It was in the C:\fixwareout\ directory:



Fixwareout Last edited 9/01/2007
Post this report in the forums please

Random Runs removed from HKLM


We recommend getting a free online scan
Computer Associates eTrust AV Web Scanner: http://www3.ca.com/virusinfo/virusscan.aspx

Hosts file was reset, If you use a custom hosts file please replace it.

little eagle
2008-02-12, 03:42
Well the report was cleaned out when it was run the second time ;)

Hope this cleared the infection.

We may need to change the DNS Configuration if this did not stop the redirects.
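
The hosts-file reset in the Fixwareout report above and the DNS configuration mentioned here are the two places a clicked-link redirect like this one usually lives. The script below is an added example, not part of this thread or of HijackThis, Fixwareout or any other tool named in it: it parses HijackThis-style log lines for O1 (hosts file) and O17 (DNS server/domain) entries and scans a hosts file for well-known search domains pointed anywhere other than loopback. The O1 and O17 lines, the hosts-file text and the 192.0.2.x addresses are constructed sample data (the documentation address range, not real resolvers); none of the logs posted in this thread contain such entries.

```python
"""Triage helper for the search-redirect symptom discussed in this thread.

Parses HijackThis-style log lines and a hosts file and flags the entries that
can turn a clicked search result into a redirect: O1 (hosts file overrides),
O17 (DNS server / domain settings) and hosts lines that point well-known
search domains somewhere other than loopback. All sample data is constructed.
"""
import re

# A HijackThis entry starts with a section code, " - ", then the entry body.
HJT_LINE = re.compile(r"^(?P<code>R[0-3]|F[0-3]|O\d{1,2}) - (?P<body>.+)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
SEARCH_DOMAINS = ("google.", "yahoo.", "bing.", "live.com", "msn.com")


def parse_hjt(text):
    """Return [(code, body)] for every well-formed HijackThis line."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def flag_hjt(entries):
    """Return [(code, body, reason)] for entries that can cause redirects."""
    findings = []
    for code, body in entries:
        if code == "O1":
            findings.append((code, body, "hosts file override"))
        elif code == "O17":
            # NameServer/Domain/SearchList values; list the resolver IPs they push.
            ips = ", ".join(IPV4.findall(body)) or "no IPv4 address"
            findings.append((code, body, "DNS setting pointing at " + ips))
    return findings


def parse_hosts(text):
    """Return [(ip, hostname)] pairs from hosts-file text, comments stripped."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            pairs.extend((fields[0], name.lower()) for name in fields[1:])
    return pairs


def flag_hosts(pairs):
    """Return [(ip, hostname, reason)] for hosts entries worth a second look."""
    findings = []
    for ip, name in pairs:
        if name in LOCAL_NAMES:
            continue
        if ip not in LOOPBACK:
            # A client hosts file rarely needs a real address: this is a redirect.
            findings.append((ip, name, "redirected to non-loopback address"))
        elif any(marker in name for marker in SEARCH_DOMAINS):
            # Search domain sinkholed to loopback: searches fail rather than redirect.
            findings.append((ip, name, "search domain blocked"))
    return findings


# Constructed sample data: two lines copied from a clean HijackThis log plus an
# O1 and an O17 line showing what a redirect-capable entry looks like.
# 192.0.2.0/24 is the documentation range, not a real resolver or web host.
SAMPLE_HJT = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O1 - Hosts: 192.0.2.10 www.google.com
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{EXAMPLE-GUID}: NameServer = 192.0.2.53,192.0.2.54
"""

SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
0.0.0.0         ads.example            # ad-block style entry, benign
192.0.2.10      www.google.com google.com
127.0.0.1       search.yahoo.com
"""


def triage(hjt_text=SAMPLE_HJT, hosts_text=SAMPLE_HOSTS):
    """Run both checks and return the combined findings."""
    return flag_hjt(parse_hjt(hjt_text)) + flag_hosts(parse_hosts(hosts_text))


if __name__ == "__main__":
    for finding in triage():
        print(" | ".join(finding))
```

Run it against a saved HijackThis log and a copy of the hosts file by passing their contents to `triage()`; an empty result means neither the hosts file nor the O17 DNS values explain the redirect, and the next place to look is the resolver addresses configured on the adapter itself, which is what the DNS configuration change above would correct.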

waveslayer
2008-02-14, 15:38
So far so good!
No more redirects within Firefox.
Thanks so much for your help.
I don't understand how this all worked, but it did and I really appreciate all of your help!!

A fan forever!
WaveSlayer

little eagle
2008-02-14, 21:49
Glad we could help.

One of the best features of Windows ME is the System Restore option; however, if there is a virus or spyware infection,
there can be backups made in the System Restore folder.
Therefore, clearing the restore points is necessary after a virus or spyware removal.

To reset your restore points, please note that you will need to log into your computer with an account
that has full administrator access. You will know the account has
administrator access because you will be able to see the System Restore tab.
If the tab is missing, you are logged in under a limited account.

Win ME
To disable System Restore:

1. Right-click My Computer, and then click Properties.
2. On the Performance tab, click File System, or press ALT+F.
3. On the Troubleshooting tab, click to select the Disable System Restore check box.
4. Click OK twice, and then click Yes when you are prompted to restart the computer.
5. To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.