
Solved: HJT Log, Please review and advise

Discussion in 'Virus & Other Malware Removal' started by Deseroka, Feb 15, 2007.

  1. Deseroka

    Deseroka Thread Starter

    I'm trying to help out a friend who is having computer trouble. Her teen daughter downloads and goes crazy. I can see a lot of stuff that I know needs to be removed, but I don't wanna miss anything, and a more knowledgeable eye is always appreciated.


    Logfile of HijackThis v1.99.1
    Scan saved at 5:56:05 PM, on 2/15/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
    C:\WINDOWS\System32\Atievxx.exe
    C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
    C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
    C:\PROGRA~1\YAHOO!\YOP\yop.exe
    C:\WINDOWS\System32\svchost.exe
    D:\iPod\iTunesHelper.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\PPATCH~1\ati2evxx.exe
    C:\PROGRA~1\YAHOO!\browser\ycommon.exe
    C:\WINDOWS\M?crosoft.NET\??rvices.exe
    D:\iPod\bin\iPodService.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    D:\iPod\iTunes.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\lydia\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\SYSTEM32\drivera.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: (no name) - {DB4DCA3C-51A7-5C5C-DB4F-5B909FD93AE8} - C:\WINDOWS\System32\fquqv.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [iTunesHelper] "D:\iPod\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Ctwr] "C:\WINDOWS\System32\PPATCH~1\ati2evxx.exe" -vt yazb
    O4 - HKCU\..\Run: [Cphri] C:\WINDOWS\M?crosoft.NET\??rvices.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
    O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - file://E:\GAMES\msjavx86_3805.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167871152178
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167871311688
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bolt.com/ImageUploader3.cab
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - file://E:\games\WebDriverFullInstall.exe
    O20 - AppInit_DLLs:
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
    O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\lydia\LOCALS~1\Temp\hpdj.exe (file missing)
    O23 - Service: iPod Service - Apple Computer, Inc. - D:\iPod\bin\iPodService.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
     
  2. MFDnNC

    MFDnNC

    Look in your Control Panel under Add/Remove programs for the following:

    PuritySCAN By OIN,
    Snowballwars by OIN,
    OuterInfo or anything similar,

    If found, click on it and click remove.

    If not listed, download and run this uninstaller:

    http://www.outerinfo.com/OiUninstaller.exe
    ====================
    Download Superantispyware (SAS)

    http://www.superantispyware.com/superantispywarefreevspro.html

    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
        o Close browsers before scanning
        o Scan for tracking cookies
        o Terminate memory threats before quarantining.
        o Please leave the others unchecked.
        o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
        o After reboot, double-click the SUPERAntispyware icon on your desktop.
        o Click Preferences. Click the Statistics/Logs tab.
        o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
        o It will open in your default text editor (such as Notepad/Wordpad).
        o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me with a new HijackThis log.
    =====================
    Click on http://noahdfear.geekstogo.com/FindAWF.exe to download FindAWF.exe and save it to your desktop.
    · Double-click on the FindAWF.exe file to run it.
    · It will open a command prompt and ask you to "Press any key to continue".
    · Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
    · It may take a few minutes to complete so be patient.
    · When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
    · Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.
     
  3. Deseroka

    Deseroka Thread Starter

    I got her running an Ewido scan right now; I'll have her do this as soon as that finishes.
     
  4. Deseroka

    Deseroka Thread Starter

    There was only OIN in the Add/Remove Programs; she has removed it through Add/Remove Programs after doing an Ewido scan, which found 113 items and fixed what it could. They are running the SuperAntiSpy now and I'll post those results as soon as I see them along with a new HJT log. Just for the sake of having it, here are the results from the Ewido scan:



    __________________________________________________
    ewido anti-spyware online scanner
    http://www.ewido.net
    __________________________________________________


    Name: TrackingCookie.Ru4
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][1].txt
    Risk: Medium

    Name: TrackingCookie.Overture
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][1].txt
    Risk: Medium

    Name: TrackingCookie.Falkag
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][1].txt
    Risk: Medium

    Name: TrackingCookie.Serving-sys
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][1].txt
    Risk: Medium

    Name: TrackingCookie.Doubleclick
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][1].txt
    Risk: Medium

    Name: TrackingCookie.Casalemedia
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][2].txt
    Risk: Medium

    Name: TrackingCookie.Zedo
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][2].txt
    Risk: Medium

    Name: TrackingCookie.Fastclick
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][1].txt
    Risk: Medium

    Name: TrackingCookie.Atdmt
    Path: C:\Documents and Settings\lydia\Cookies\[email protected]dmt[2].txt
    Risk: Medium

    Name: TrackingCookie.Hitbox
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][2].txt
    Risk: Medium

    Name: TrackingCookie.Reliablestats
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][2].txt
    Risk: Medium

    Name: TrackingCookie.Realmedia
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][1].txt
    Risk: Medium

    Name: TrackingCookie.Trafficmp
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][1].txt
    Risk: Medium

    Name: TrackingCookie.Tacoda
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][2].txt
    Risk: Medium

    Name: TrackingCookie.Cpvfeed
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][2].txt
    Risk: Medium

    Name: TrackingCookie.Adjuggler
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][1].txt
    Risk: Medium

    Name: TrackingCookie.Burstnet
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][1].txt
    Risk: Medium

    Name: TrackingCookie.Overture
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][1].txt
    Risk: Medium

    Name: TrackingCookie.Burstnet
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][2].txt
    Risk: Medium

    Name: TrackingCookie.Advertising
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][2].txt
    Risk: Medium

    Name: TrackingCookie.Euroclick
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][2].txt
    Risk: Medium

    Name: TrackingCookie.Mediaplex
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][2].txt
    Risk: Medium

    Name: TrackingCookie.Adrevolver
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][3].txt
    Risk: Medium

    Name: TrackingCookie.Serving-sys
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][1].txt
    Risk: Medium

    Name: TrackingCookie.Adbrite
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][2].txt
    Risk: Medium

    Name: TrackingCookie.Questionmarket
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][2].txt
    Risk: Medium

    Name: TrackingCookie.Tribalfusion
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][2].txt
    Risk: Medium

    Name: TrackingCookie.Pointroll
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][2].txt
    Risk: Medium

    Name: TrackingCookie.Valuead
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][1].txt
    Risk: Medium

    Name: TrackingCookie.Yieldmanager
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][1].txt
    Risk: Medium

    Name: TrackingCookie.Hitbox
    Path: C:\Documents and Settings\lydia\Cookies\[email protected][1].txt
    Risk: Medium

    Name: Adware.PurityScan
    Path: C:\WINDOWS\SYSTEM32\fquqv.dll
    Risk: Medium

    Name: Trojan.Kolweb.j
    Path: C:\WINDOWS\SYSTEM32\drivera.dll
    Risk: High

    Name: Trojan.Kolweb.j
    Path: C:\WINDOWS\SYSTEM32\drivera.exe
    Risk: High

    Name: Trojan.Kolweb.j
    Path: C:\WINDOWS\SYSTEM32\monterreya_redux.exe
    Risk: High

    Name: Downloader.Agent.axh
    Path: C:\WINDOWS\SYSTEM32\regapi.exe
    Risk: High

    Name: Adware.ValueAd
    Path: C:\WINDOWS\Mіcrosoft.NET\ѕеrvices.exe
    Risk: Medium

    Name: Trojan.Kolweb.j
    Path: C:\WINDOWS\monterreya_redux.exe
    Risk: High

    Name: Trojan.Small
    Path: C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle0117200700289645549.asw
    Risk: High

    Name: Trojan.Small
    Path: C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle01232007142292419131.asw
    Risk: High

    Name: Trojan.Small
    Path: C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle0205200720265220596.asw
    Risk: High

    Name: Trojan.Small
    Path: C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle0211200720296432869.asw
    Risk: High

    Name: Adware.MaxSearch
    Path: C:\Program Files\Common Files\{34000000-031C-1033-0105-010011070001}\Bar888.dll
    Risk: Medium

    Name: TrackingCookie.Atdmt
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAF.tmp
    Risk: Medium

    Name: TrackingCookie.Falkag
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB0.tmp
    Risk: Medium

    Name: TrackingCookie.Tacoda
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB2.tmp
    Risk: Medium

    Name: TrackingCookie.Advertising
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB8.tmp
    Risk: Medium

    Name: TrackingCookie.Casalemedia
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB9.tmp
    Risk: Medium

    Name: TrackingCookie.Doubleclick
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBA.tmp
    Risk: Medium

    Name: TrackingCookie.Fastclick
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBB.tmp
    Risk: Medium

    Name: TrackingCookie.Trafficmp
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBD.tmp
    Risk: Medium

    Name: TrackingCookie.Tribalfusion
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBE.tmp
    Risk: Medium

    Name: TrackingCookie.Casalemedia
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq87.tmp
    Risk: Medium

    Name: TrackingCookie.Falkag
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq88.tmp
    Risk: Medium

    Name: TrackingCookie.Fastclick
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq89.tmp
    Risk: Medium

    Name: TrackingCookie.Findwhat
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8A.tmp
    Risk: Medium

    Name: TrackingCookie.Mediaplex
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8B.tmp
    Risk: Medium

    Name: TrackingCookie.Pointroll
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8C.tmp
    Risk: Medium

    Name: TrackingCookie.Realmedia
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8D.tmp
    Risk: Medium

    Name: TrackingCookie.Trafficmp
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8E.tmp
    Risk: Medium

    Name: TrackingCookie.Doubleclick
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7C.tmp
    Risk: Medium

    Name: TrackingCookie.Statcounter
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7D.tmp
    Risk: Medium

    Name: TrackingCookie.247realmedia
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq190.tmp
    Risk: Medium

    Name: TrackingCookie.2o7
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq191.tmp
    Risk: Medium

    Name: TrackingCookie.Bluestreak
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq195.tmp
    Risk: Medium

    Name: TrackingCookie.Ru4
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq197.tmp
    Risk: Medium

    Name: TrackingCookie.Questionmarket
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq198.tmp
    Risk: Medium

    Name: TrackingCookie.Realmedia
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq199.tmp
    Risk: Medium

    Name: TrackingCookie.Statcounter
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19A.tmp
    Risk: Medium

    Name: TrackingCookie.Tacoda
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19B.tmp
    Risk: Medium

    Name: TrackingCookie.Valueclick
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19C.tmp
    Risk: Medium

    Name: TrackingCookie.Zedo
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19D.tmp
    Risk: Medium

    Name: TrackingCookie.Hitslink
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1DF.tmp
    Risk: Medium

    Name: TrackingCookie.Zedo
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1E0.tmp
    Risk: Medium

    Name: TrackingCookie.Serving-sys
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq132.tmp
    Risk: Medium

    Name: TrackingCookie.Linksynergy
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq133.tmp
    Risk: Medium

    Name: TrackingCookie.Mediaplex
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq134.tmp
    Risk: Medium

    Name: TrackingCookie.Serving-sys
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq135.tmp
    Risk: Medium

    Name: TrackingCookie.247realmedia
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq92.tmp
    Risk: Medium

    Name: TrackingCookie.2o7
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB4.tmp
    Risk: Medium

    Name: TrackingCookie.Pointroll
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB6.tmp
    Risk: Medium

    Name: TrackingCookie.Atdmt
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF4.tmp
    Risk: Medium

    Name: TrackingCookie.Tradedoubler
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF5.tmp
    Risk: Medium

    Name: TrackingCookie.Ru4
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq85.tmp
    Risk: Medium

    Name: TrackingCookie.Hitbox
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq86.tmp
    Risk: Medium

    Name: TrackingCookie.Clickbank
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1DC.tmp
    Risk: Medium

    Name: TrackingCookie.Revenue
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1DE.tmp
    Risk: Medium

    Name: TrackingCookie.Directnetadvertising
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF6.tmp
    Risk: Medium

    Name: TrackingCookie.Revenue
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq43.tmp
    Risk: Medium

    Name: TrackingCookie.Bluestreak
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq20E.tmp
    Risk: Medium

    Name: TrackingCookie.Bridgetrack
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq20F.tmp
    Risk: Medium

    Name: TrackingCookie.Hitbox
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq216.tmp
    Risk: Medium

    Name: TrackingCookie.Burstnet
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq266.tmp
    Risk: Medium

    Name: TrackingCookie.Questionmarket
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq267.tmp
    Risk: Medium

    Name: TrackingCookie.Targetnet
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq268.tmp
    Risk: Medium

    Name: TrackingCookie.Specificclick
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA8.tmp
    Risk: Medium

    Name: TrackingCookie.Bridgetrack
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA9.tmp
    Risk: Medium

    Name: TrackingCookie.Pro-market
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAA.tmp
    Risk: Medium

    Name: TrackingCookie.Realtracker
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq91.tmp
    Risk: Medium

    Name: Adware.180Solution
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3C.tmp
    Risk: Medium

    Name: TrackingCookie.Pro-market
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3F.tmp
    Risk: Medium

    Name: TrackingCookie.Clickzs
    Path: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq40.tmp
    Risk: Medium

    Name: Trojan.Kolweb.j
    Path: C:\System Volume Information\_restore{BC0860B6-010C-405C-BEEE-B4AF8CD61892}\RP314\A0075879.exe
    Risk: High

    Name: Trojan.Kolweb.j
    Path: C:\System Volume Information\_restore{BC0860B6-010C-405C-BEEE-B4AF8CD61892}\RP314\A0075880.EXE
    Risk: High

    Name: Trojan.Small
    Path: C:\System Volume Information\_restore{BC0860B6-010C-405C-BEEE-B4AF8CD61892}\RP318\A0077090.exe
    Risk: High

    Name: Adware.PurityScan
    Path: C:\System Volume Information\_restore{BC0860B6-010C-405C-BEEE-B4AF8CD61892}\RP318\A0077103.dll
    Risk: Medium

    Name: Adware.ValueAd
    Path: C:\System Volume Information\_restore{BC0860B6-010C-405C-BEEE-B4AF8CD61892}\RP318\A0077104.exe
    Risk: Medium

    Name: Adware.PurityScan
    Path: C:\System Volume Information\_restore{BC0860B6-010C-405C-BEEE-B4AF8CD61892}\RP318\A0077105.exe
    Risk: Medium

    Name: Adware.PurityScan
    Path: C:\System Volume Information\_restore{BC0860B6-010C-405C-BEEE-B4AF8CD61892}\RP318\A0077107.exe
    Risk: Medium

    Name: Trojan.Small
    Path: C:\System Volume Information\_restore{BC0860B6-010C-405C-BEEE-B4AF8CD61892}\RP318\A0077108.exe
    Risk: High

    Name: Trojan.Kolweb.j
    Path: C:\Documents and Settings\lydia\Local Settings\Temp\~ds39990.tmp
    Risk: High

    Name: Trojan.Small
    Path: C:\Documents and Settings\lydia\Local Settings\Temp\temp.frF917
    Risk: High

    Name: Trojan.Wimad.a
    Path: C:\Documents and Settings\lydia\Shared\yea yea yea 2\01 Track 1.wma
    Risk: High
     
  5. Deseroka

    Deseroka Thread Starter

    Here are the results from SAS. I'll post the new HJT log as a new post since it will be too many characters for one post.

    SUPERAntiSpyware Scan Log
    Generated 02/15/2007 at 10:38 PM
    Application Version : 3.5.1016
    Core Rules Database Version : 3184
    Trace Rules Database Version: 1194
    Scan type : Complete Scan
    Total Scan Time : 02:41:18
    Memory items scanned : 340
    Memory threats detected : 0
    Registry items scanned : 5339
    Registry threats detected : 1
    File items scanned : 76804
    File threats detected : 100
    Worm.Sober Variant
    [Ctwr] C:\WINDOWS\SYSTEM32\PPATCH~1\ATI2EVXX.EXE
    C:\WINDOWS\SYSTEM32\PPATCH~1\ATI2EVXX.EXE
    Adware.Tracking Cookie
    Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
    C:\WINDOWS\system32\stera.job
    Adware.ClickSpring/Outer Info Network
    C:\Program Files\Outerinfo\outerinfo.ico
    C:\Program Files\Outerinfo\Terms.rtf
    C:\Program Files\Outerinfo
    C:\Documents and Settings\lydia\Start Menu\Programs\Outerinfo\Uninstall.lnk
    C:\Documents and Settings\lydia\Start Menu\Programs\Outerinfo\Terms.lnk
    C:\Documents and Settings\lydia\Start Menu\Programs\Outerinfo
    C:\DOCUMENTS AND SETTINGS\LYDIA\LOCAL SETTINGS\TEMP\NDR31.TMP.XML
    Trojan.Downloader-Gen/Win
    C:\WINDOWS\SYSTEM32\UNSVCHOSTS.LZMA
    Adware.ClickSpring
    C:\WINDOWS\SYSTEM32\__DELETE_ON_REBOOT__F_Q_U_Q_V_._D_L_L_
    Adware.ClickSpring/Yazzle
    C:\WINDOWS\PREFETCH\YAZZLE1122OINUNINSTALLER.EXE-1863686E.PF
    C:\WINDOWS\PREFETCH\YAZZLE1122OINADMIN.EXE-0A0C4823.PF
    Browser Hijacker.Favorites
    C:\DOCUMENTS AND SETTINGS\LYDIA\DESKTOP\CLICK TO FIND AND FIX ERRORS.URL
    Trace.Known Threat Sources
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\Q5CKEQQV\campaigns7[1].txt
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\85URGDMB\client_settings_3[1].bin
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\KSA05WOH\page.screenshot[1].gif
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\HVFRQZC5\firewall_protection[1].jpg
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\FDJNB4JX\gr_hrt[1].gif
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\KDIBWT6R\index3[1].htm
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\85URGDMB\styler[1].css
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\IA3WRGFD\main.shadow.top[1].gif
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\FDJNB4JX\icon.arrow[1].gif
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\CDERS567\download[1].gif
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\O9YNSHAV\topvirustextsan_2[1].gif
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\90XG3YXI\get-now2[1].gif
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\OXAB4127\win_logo1[1].gif
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\N7OZQKFX\main.shadow.btm[1].gif
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\59F8FI7V\scan.bg[1].gif
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\KSA05WOH\gr_vert[1].gif
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\VMUOA3CP\solution.2[1].gif
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\K9U78T6V\visa_img[1].jpg
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\CDERS567\button.download[1].gif
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\O9YNSHAV\win_logo2[1].gif
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\VMUOA3CP\scan.bar[1].gif
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\STQNKHEF\CA51ZJN7.gif
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\N7OZQKFX\popup[1].js
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\FES0XR4J\secure[1].jpg
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\59F8FI7V\bg[1].gif
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\OXAB4127\scan.txt[1].gif
    C:\Documents and Settings\lydia\Local Settings\Temporary Internet Files\Content.IE5\N7OZQKFX\wav_nav1[1].htm
     
  6. Deseroka

    Deseroka Thread Starter

    Joined:
    Dec 5, 2000
    Messages:
    215
    HJT log below. I'll have the AWF log for you sometime tomorrow. It got late and we hadda give it a break. Thanks for your help and patience.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:54:20 PM, on 2/15/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    C:\WINDOWS\System32\Atievxx.exe
    C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
    C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
    C:\PROGRA~1\YAHOO!\YOP\yop.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\PROGRA~1\YAHOO!\browser\ycommon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\highjackthis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\SYSTEM32\drivera.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: (no name) - {DB4DCA3C-51A7-5C5C-DB4F-5B909FD93AE8} - C:\WINDOWS\System32\fquqv.dll (file missing)
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [iTunesHelper] "D:\iPod\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
    O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - file://E:\GAMES\msjavx86_3805.exe
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167871152178
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167871311688
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bolt.com/ImageUploader3.cab
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - file://E:\games\WebDriverFullInstall.exe
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
    O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\lydia\LOCALS~1\Temp\hpdj.exe (file missing)
    O23 - Service: iPod Service - Apple Computer, Inc. - D:\iPod\bin\iPodService.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
     
  7. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Fix these with HiJackThis – mark them, close IE, click fix checked

    O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\SYSTEM32\drivera.dll (file missing)

    O2 - BHO: (no name) - {DB4DCA3C-51A7-5C5C-DB4F-5B909FD93AE8} - C:\WINDOWS\System32\fquqv.dll (file missing)

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab

    O20 - AppInit_DLLs:

    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)

    O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\lydia\LOCALS~1\Temp\hpdj.exe (file missing)
    ===============
    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find this exact name

    COM+ Messages

    Right-click and choose "Properties". Beside "Startup Type" in the dropdown menu select "Disabled". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Click Apply then OK. File-Exit the Services utility.

    Repeat for - hpdj
    =================

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new hijack log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
     
  8. Deseroka

    Deseroka Thread Starter

    Joined:
    Dec 5, 2000
    Messages:
    215
    This morning we have fixed the items you specified in HJT, as well as run the AWF. I will post the newest HJT log here and the AWF in the next post for size requirements.
    I am helping them with this long distance, but they tell me that all pop ups seem to be gone and the computer seems to be more responsive. Please let me know if you see anything else that needs attention.


    Logfile of HijackThis v1.99.1
    Scan saved at 10:27:57 PM, on 2/16/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    C:\WINDOWS\System32\Atievxx.exe
    C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
    C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
    C:\PROGRA~1\YAHOO!\browser\ycommon.exe
    C:\PROGRA~1\YAHOO!\YOP\yop.exe
    D:\iPod\iTunesHelper.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    D:\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\DOCUME~1\lydia\LOCALS~1\Temp\SSUPDATE.EXE
    C:\highjackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [iTunesHelper] "D:\iPod\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
    O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - file://E:\GAMES\msjavx86_3805.exe
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167871152178
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167871311688
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bolt.com/ImageUploader3.cab
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - file://E:\games\WebDriverFullInstall.exe
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - D:\iPod\bin\iPodService.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
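
The check behind posts 7 and 8, as an added example that is not part of the original thread: parse the HijackThis entries, list those whose target is `(file missing)`, and confirm from the follow-up log that every entry in the fix list is gone. The function names and the matching key (section code plus CLSID or service name, needed because post 7 abbreviates the O16 URL) are assumptions made here; the log lines are excerpts from the posts above.

```python
import re

# One HijackThis entry: section code (R0, O2, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entries(text):
    """Parse entry lines; the header and 'Running processes' paths are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append({"code": m["code"], "body": m["body"], "line": raw.strip()})
    return entries


def entry_key(entry):
    """Identity that survives forum truncation of long URLs and paths (assumed scheme)."""
    code, body = entry["code"], entry["body"]
    clsid = CLSID_RE.search(body)
    if clsid:                       # BHO, toolbar, DPF, extra button
        return (code, clsid.group(0).upper())
    if code == "O23":               # "Service: <name> - <owner> - <path>"
        return (code, body.split(" - ", 1)[0].lower())
    return (code, body.lower())


def orphaned(entries):
    """Entries whose registered file no longer exists on disk."""
    return [e for e in entries if e["body"].endswith("(file missing)")]


def still_present(fix_list_text, followup_log_text):
    """Lines from the fix list that the follow-up log still contains."""
    remaining = {entry_key(e) for e in parse_entries(followup_log_text)}
    return [e["line"] for e in parse_entries(fix_list_text) if entry_key(e) in remaining]


# Excerpt of the log saved at 11:54:20 PM on 2/15/2007 (post 6).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\SYSTEM32\drivera.dll (file missing)
O2 - BHO: (no name) - {DB4DCA3C-51A7-5C5C-DB4F-5B909FD93AE8} - C:\WINDOWS\System32\fquqv.dll (file missing)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\lydia\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - D:\iPod\bin\iPodService.exe
"""

# The six entries listed in post 7, copied as posted (O16 URL abbreviated there).
FIX_LIST = r"""
O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\SYSTEM32\drivera.dll (file missing)
O2 - BHO: (no name) - {DB4DCA3C-51A7-5C5C-DB4F-5B909FD93AE8} - C:\WINDOWS\System32\fquqv.dll (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab
O20 - AppInit_DLLs:
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\lydia\LOCALS~1\Temp\hpdj.exe (file missing)
"""

# Excerpt of the log saved at 10:27:57 PM on 2/16/2007 (post 8).
AFTER_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: iPod Service - Apple Computer, Inc. - D:\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for e in orphaned(parse_entries(BEFORE_LOG)):
        print("orphaned:", e["line"])
    print("left after fix:", still_present(FIX_LIST, AFTER_LOG))
```

An empty result from `still_present` only shows the registry entries are gone; the services still had to be stopped and disabled as post 7 describes.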
     
  9. Deseroka

    Deseroka Thread Starter

    Joined:
    Dec 5, 2000
    Messages:
    215
    AWF file, and as a side note, in case you need this info, the most recent HJT log was run before AWF. Please let me know if you need one following the AWF scan.



    Find AWF report by noahdfear ©2006


    21504 byte files found
    ~~~~~~~~~~~~~



    21504 byte files sorted with strings
    ~~~~~~~~~~~~~~~~~~~~~



    25600 byte files found
    ~~~~~~~~~~~~~



    25600 byte files sorted with strings
    ~~~~~~~~~~~~~~~~~~~~~



    26450 byte files found
    ~~~~~~~~~~~~~



    26450 byte files sorted with strings
    ~~~~~~~~~~~~~~~~~~~~~



    bak folders found
    ~~~~~~~~~~~


    Directory of C:\WINDOWS\BAK

    10/10/1999 08:00 PM 41,984 CTRegRun.EXE
    1 File(s) 41,984 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    03/31/2003 12:00 PM 13,312 ctfmon.exe
    1 File(s) 13,312 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    09/27/2004 09:30 AM 98,304 qttask.exe
    1 File(s) 98,304 bytes

    Directory of C:\WINDOWS\WT\UPDATER\BAK

    05/07/2002 07:45 PM 20,480 wcmdmgrl.exe
    1 File(s) 20,480 bytes

    Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

    09/27/2004 09:28 AM 26,112 RealPlay.exe
    1 File(s) 26,112 bytes

    Directory of C:\PROGRA~1\D-LINK\AIRUTI~1\BAK

    11/04/2003 09:33 AM 2,502,656 AirCFG.exe
    1 File(s) 2,502,656 bytes

    Directory of C:\PROGRA~1\ALPHAN~1\ANIWZC~1\BAK

    08/21/2003 04:12 PM 32,768 WZCSLDR.exe
    1 File(s) 32,768 bytes

    Directory of C:\PROGRA~1\PURENE~1\PORTMA~1\BAK

    05/07/2004 04:54 PM 99,480 PortAOL.exe
    1 File(s) 99,480 bytes

    Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

    09/13/2006 02:17 PM 4,621,816 YAHOOM~1.EXE
    1 File(s) 4,621,816 bytes

    Directory of C:\PROGRA~1\MYSPACE\IM\BAK

    08/23/2006 12:22 PM 1,191,936 MySpaceIM.exe
    1 File(s) 1,191,936 bytes

    Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

    12/17/2002 11:40 AM 49,152 HPWuSchd.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\COMMON~1\ROXIOS~1\SYSTEM\BAK

    05/01/2003 06:44 PM 65,536 EngUtil.exe
    1 File(s) 65,536 bytes

    Directory of C:\PROGRA~1\COMMON~1\AOL\ACS\BAK

    04/07/2004 12:07 PM 496,752 AOLDial.exe
    1 File(s) 496,752 bytes

    Directory of C:\PROGRA~1\ROXIO\EASYCD~1\DRAGTO~1\BAK

    06/25/2003 12:18 AM 868,352 DrgToDsc.exe
    1 File(s) 868,352 bytes

    Directory of C:\PROGRA~1\ROXIO\EASYCD~1\AUDIOC~1\BAK

    06/23/2003 09:12 PM 319,488 RxMon.exe
    1 File(s) 319,488 bytes

    Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\BIN\BAK

    12/02/2002 08:56 PM 40,960 hpotdd01.exe
    1 File(s) 40,960 bytes

    Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

    07/26/2006 03:03 AM 49,263 jusched.exe
    1 File(s) 49,263 bytes

    Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

    03/11/2003 05:08 AM 172,032 hpztsb08.exe
    1 File(s) 172,032 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    41984 Oct 10 1999 "C:\WINDOWS\bak\CTRegRun.EXE"
    13312 Mar 31 2003 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
    13312 Mar 31 2003 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
    13312 Mar 31 2003 "C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\ctfmon.exe"
    13312 Mar 31 2003 "D:\WINDOWS\system32\ctfmon.exe"
    98304 Sep 27 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
    20480 May 7 2002 "C:\WINDOWS\wt\updater\bak\wcmdmgrl.exe"
    26112 Sep 27 2004 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
    2502656 Nov 4 2003 "C:\Program Files\D-Link\Air Utility\bak\AirCFG.exe"
    32768 Aug 21 2003 "C:\Program Files\Alpha Networks\ANIWZCS Service\bak\WZCSLDR.exe"
    99480 May 7 2004 "C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe"
    4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
    6104568 Oct 3 2006 "C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe"
    4621816 Sep 13 2006 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
    1191936 Aug 23 2006 "C:\Program Files\MySpace\IM\bak\MySpaceIM.exe"
    49152 Dec 17 2002 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd.exe"
    65536 May 1 2003 "C:\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe"
    496752 Apr 7 2004 "C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"
    868352 Jun 25 2003 "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe"
    319488 Jun 23 2003 "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\bak\RxMon.exe"
    40960 Dec 2 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\bak\hpotdd01.exe"
    49263 Oct 12 2006 "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe"
    172032 Mar 11 2003 "C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\bak\hpztsb08.exe"


    end of report
     
  10. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
  11. Deseroka

    Deseroka Thread Starter

    Joined:
    Dec 5, 2000
    Messages:
    215
    Before I mark this solved, I'd like to thank you for hanging in there with me on this. My friend lives about 1500 miles from me, so I realize it might have been kind of annoying with me as a go-between. I figured it was better to deal with me since I can find the start button on my own :)
    You guys rock!
     
Short URL to this thread: https://techguy.org/544436
