
Google Searches Hijacked by daytotals.com, Can you help?



waveslayer
2008-02-02, 19:47
First off... You guys rock!
I've seen what you've done for others and you deserve your props!!

As stated in the title... Google search results, when clicked, result in a redirection by daytotals.com. This isn't a security risk, just a complete hassle: after several clicks, the links work, totally destroying any productivity or flow. Any help you could give to resolve this would be awesome.

I've read through the posts and have run S&D, Kaspersky's and HJT.

Here are the reports:

1.) Kaspersky AV
(I've limited the report to "detected" items. If "Events" are needed, let me know.)


Total scanned: 370474
Detected: 72
Untreated: 69
Start time: 1/28/2008 4:37:59 PM
Duration: 00:00:00
Finish time: 1/28/2008 4:37:59 PM


Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan.JS.Fav.a File: c:\winlog.html
deleted: Trojan program Trojan-Downloader.Win32.QDown.d File: c:\NULL
deleted: Trojan program Trojan-Dropper.Win32.Small.ls File: c:\counter.cab/counter.exe//PECompact
detected: Trojan program Backdoor.Win32.VB.nb File: c:\_Restore\ARCHIVE\FS68.CAB/A0649886.CPY//data0004
detected: Trojan program Backdoor.Win32.VB.nb File: c:\_Restore\ARCHIVE\FS68.CAB/A0649886.CPY//data0006
detected: Trojan program Trojan.Win32.Scapur.g File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0002//UPX
detected: adware not-a-virus:AdWare.Win32.Connector File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0003//data0003
detected: adware not-a-virus:AdWare.Win32.Connector File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0003//data0004
detected: Trojan program Trojan-Downloader.Win32.Agent.ec File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0004
detected: adware not-a-virus:AdWare.Win32.SaveNow.t File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0005//data0001.cab/Save.exe
detected: adware not-a-virus:AdWare.Win32.SaveNow.af File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0005//data0001.cab/SaveUninst.exe
detected: adware not-a-virus:AdWare.Win32.SaveNow.v File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0005//data0002.cab/Sync.exe
detected: adware not-a-virus:AdWare.Win32.SaveNow.v File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0005//data0002.cab/Uninst.exe
detected: adware not-a-virus:AdWare.Win32.EZula File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0006
detected: Trojan program Trojan.Win32.Qhost.ap File: c:\_Restore\ARCHIVE\FS68.CAB/A0649887.CPY//data0007
detected: adware not-a-virus:AdWare.Win32.HelpExpress File: c:\_Restore\ARCHIVE\FS68.CAB/A0649888.CPY//data0002//data0120
detected: adware not-a-virus:AdWare.Win32.HelpExpress File: c:\_Restore\ARCHIVE\FS68.CAB/A0649888.CPY//data0003
detected: adware not-a-virus:AdWare.Win32.SideSearch.l File: c:\_Restore\ARCHIVE\FS68.CAB/A0649888.CPY//data0004//data0004
detected: adware not-a-virus:AdWare.Win32.IGetNet File: c:\_Restore\ARCHIVE\FS68.CAB/A0649888.CPY//data0005
detected: Trojan program Backdoor.Win32.VB.nb File: c:\_Restore\ARCHIVE\FS68.CAB/A0649889.CPY
detected: Trojan program Trojan.Win32.Qhost.ap File: c:\_Restore\ARCHIVE\FS68.CAB/A0649890.CPY
detected: adware not-a-virus:AdWare.Win32.IGetNet File: c:\_Restore\ARCHIVE\FS68.CAB/A0649891.CPY
detected: Trojan program Trojan-Downloader.Win32.VB.axa File: c:\_Restore\ARCHIVE\FS196.CAB/A0665253.CPY//Shrinker
detected: Trojan program Trojan-Downloader.Win32.Agent.brq File: c:\_Restore\ARCHIVE\FS196.CAB/A0665254.CPY//Shrinker
detected: Trojan program Trojan-Downloader.Win32.Agent.dxj File: c:\_Restore\ARCHIVE\FS216.CAB/A0670491.CPY//Shrinker
detected: Trojan program Trojan-Downloader.Win32.VB.axa File: c:\_Restore\ARCHIVE\FS216.CAB/A0670492.CPY//Shrinker
detected: Trojan program Trojan-Downloader.Win32.VB.bqc File: c:\_Restore\ARCHIVE\FS277.CAB/A0681042.CPY//data0006
detected: adware not-a-virus:AdWare.Win32.Virtumonde.ks File: c:\_Restore\ARCHIVE\FS277.CAB/A0681043.CPY
detected: Trojan program Trojan-Downloader.Win32.VB.bnw File: c:\_Restore\ARCHIVE\FS265.CAB/A0679702.CPY//Shrinker
detected: Trojan program Trojan-Downloader.Win32.Agent.dxj File: c:\_Restore\ARCHIVE\FS265.CAB/A0679703.CPY//Shrinker
detected: Trojan program Trojan-Downloader.Win32.VB.axa File: c:\_Restore\ARCHIVE\FS265.CAB/A0679704.CPY//Shrinker
detected: Trojan program Trojan-Downloader.Win32.Agent.gvh File: c:\_Restore\ARCHIVE\FS321.CAB/A0686506.CPY
detected: Trojan program Trojan.Win32.DNSChanger.akt File: c:\_Restore\ARCHIVE\FS321.CAB/A0686507.CPY//data0001
detected: pornware not-a-virus:Porn-Dialer.Win32.PluginAccess.s File: c:\_Restore\ARCHIVE\FS369.CAB/A0695606.CPY//UPX
detected: adware not-a-virus:AdWare.Win32.BetterInternet File: c:\_Restore\ARCHIVE\FS369.CAB/A0695607.CPY//ASPack
detected: Trojan program Trojan-Downloader.Win32.IstBar.gen File: c:\_Restore\ARCHIVE\FS369.CAB/A0695611.CPY//UPX
detected: adware not-a-virus:AdWare.Win32.BetterInternet File: c:\_Restore\ARCHIVE\FS372.CAB/A0695884.CPY//ASPack
detected: adware not-a-virus:AdWare.Win32.WindowEnhancer.d File: c:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
detected: adware not-a-virus:AdWare.Win32.BetterInternet.be File: c:\WINDOWS\Downloaded Program Files\flash.inf
detected: adware not-a-virus:AdWare.Win32.SaveNow.ab File: c:\WINDOWS\Downloaded Program Files\WUInst.dll
detected: Trojan program Trojan-Downloader.Win32.IstBar.gen File: c:\WINDOWS\Downloaded Program Files\ISTactivex.dll
detected: Trojan program Trojan-Downloader.Win32.IstBar.gen File: c:\WINDOWS\Downloaded Program Files\CONFLICT.1\ISTactivex.dll
detected: Trojan program Trojan-Downloader.Win32.IstBar.gen File: c:\WINDOWS\Downloaded Program Files\CONFLICT.2\ISTactivex.dll
detected: Trojan program Trojan-Downloader.Win32.IstBar.gen File: c:\WINDOWS\Downloaded Program Files\CONFLICT.3\ISTactivex.dll
detected: malware Exploit.Java.ByteVerify File: c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip/BlackBox.class
detected: malware Exploit.Java.ByteVerify File: c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip/VerifierBug.class
detected: Trojan program Trojan-Downloader.Java.OpenConnection.aa File: c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-5980c178-4d61aa37.zip/Beyond.class
detected: Trojan program Trojan.Java.ClassLoader.c File: c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip/GetAccess.class
detected: malware Exploit.Java.ByteVerify File: c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip/InsecureClassLoader.class
detected: Trojan program Trojan.Java.ClassLoader.Dummy.a File: c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip/Dummy.class
detected: Trojan program Trojan-Downloader.Java.OpenConnection.v File: c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-7eb4d059-43e7d39f.zip/Installer.class
detected: Trojan program Trojan-Downloader.Java.OpenConnection.v File: c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-2e5c728c-7fda480e.zip
detected: Trojan program Trojan-Downloader.Java.OpenConnection.v File: c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-663d17d7-60135bec.zip
detected: Trojan program Trojan-Downloader.Java.OpenConnection.v File: c:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-d4c1d6-781f8fad.zip
detected: Trojan program Trojan-Downloader.Java.OpenStream.w File: c:\WINDOWS\.jpi_cache\jar\1.0\javainstaller.jar-31efef57-4bfcb168.zip/javainstaller/InstallerApplet.class
detected: Trojan program Trojan-Downloader.Java.OpenStream.w File: c:\WINDOWS\.jpi_cache\jar\1.0\javainstaller.jar-31f09a69-6d7156b4.zip
detected: Trojan program Trojan-Downloader.Java.OpenConnection.aa File: c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-358b10e4-4c51cab3.zip
detected: Trojan program Trojan-Downloader.Java.OpenConnection.aa File: c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-2dd052c1-74136986.zip
detected: Trojan program Trojan-Downloader.Java.OpenConnection.aa File: c:\WINDOWS\.jpi_cache\jar\1.0\count.jar-7b11336d-270c9654.zip
detected: Trojan program Trojan-Downloader.Java.Agent.f File: c:\WINDOWS\.jpi_cache\jar\1.0\jvmsecman.jar-69ee0e0e-144ca893.zip/vlocal.class
detected: Trojan program Trojan-Downloader.Java.Agent.f File: c:\WINDOWS\.jpi_cache\jar\1.0\jvmsecman.jar-6b26dca8-2a1061f1.zip
detected: Trojan program Trojan-Downloader.Java.Agent.f File: c:\WINDOWS\.jpi_cache\jar\1.0\jvmsecman.jar-5931f3b4-500750e4.zip
detected: Trojan program Trojan-Downloader.Java.Agent.f File: c:\WINDOWS\.jpi_cache\jar\1.0\jvmsecman.jar-69ee0dc0-7a9a83a2.zip
detected: Trojan program Trojan-Downloader.Java.Agent.f File: c:\WINDOWS\.jpi_cache\jar\1.0\jvmsecman.jar-69ee0dc0-7702597a.zip
detected: adware not-a-virus:AdWare.Win32.Gator.3210 File: c:\My Download Files\Morph20.exe//WISE0015.BIN
detected: Trojan program Trojan-Downloader.Win32.Stubby.b File: c:\My Download Files\Morph20.exe//WISE0016.BIN//WISE0007.BIN
detected: adware not-a-virus:AdWare.Win32.WurldMedia.d File: c:\My Download Files\Morph20.exe//WISE0017.BIN//WISE0012.BIN
detected: adware not-a-virus:AdWare.Win32.WurldMedia.a File: c:\My Download Files\Morph20.exe//WISE0017.BIN//WISE0014.BIN
detected: virus Email-Worm.Win32.Hybris.b File: c:\Caleb's C\Cookie Cop2\CookieCop2.zip/SETUP.EXE
detected: virus Email-Worm.Win32.Sircam.c File: c:\Caleb's C\WINDOWS\rundll32.exe
detected: virus Email-Worm.Win32.Sircam.c File: c:\Caleb's C\WINDOWS\run32.exe
detected: Trojan program Trojan-Downloader.JS.Cobase.a File: c:\Christopher's C Drive\WINDOWS\Temporary Internet Files\Content.IE5\MBVN4G5K\fsc2k[1].htm



2.) HJT Report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:13 PM, on 1/28/2008
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES 2\HP CAMERA\DIGITAL IMAGING\BIN\HPQNRS08.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0 SOS\AVP.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0 SOS\AVP.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {0FA5BD58-2C7D-439D-8837-9F48DB1F582E} - C:\WINDOWS\SYSTEM\NFA.DLL (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Check &Spelling - res://C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\DOWNLOADS\PC MAGAZINE ULILITIES\GOOGLE BROWSER\LMT\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\DOWNLOADS\PC MAGAZINE ULILITIES\GOOGLE BROWSER\LMT\MarketBrowser_Launch.xpy
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES 2\AIM95\AIM.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES 2\IESPELL\IESPELL.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {EA8C8581-8CD8-11d5-A181-0050DA0E0131} - C:\DOWNLOADS\PC MAGAZINE ULILITIES\FAVELOCK\FaveUnlock.exe (HKCU)
O9 - Extra 'Tools' menuitem: &Lock folders - {EA8C8581-8CD8-11d5-A181-0050DA0E0131} - C:\DOWNLOADS\PC MAGAZINE ULILITIES\FAVELOCK\FaveUnlock.exe (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .wmv: c:\downloads\netscape\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .asf: c:\downloads\netscape\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wax: c:\downloads\netscape\Program\PLUGINS\npdsplay.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {B8037A22-5FE1-4CC3-B862-E644A521EE54} - http://www2.pristine.com/esp/install...sp-install.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.rmlsweb.com/XMLSearch/XMLCache.CAB

--
End of file - 6108 bytes


thanks again!!

pskelley
2008-02-08, 01:11
http://forums.spybot.info/showthread.php?t=23453