sudden noise

Problem
I had two incidents where I heard noise come blurring out of the speaker. In both times, the noise was heard after I clicked on a link in a website (NO, the link wasn't designed by the webmaster to create the noise since I am well familar with the website). Both incidents occured many months apart. Also what I heard sounded like someone talking on a walkie-talkie thing. The first time I don't remember what I heard. The last one I heard some guy saying "It's working" in a distant voice and some low static.

You know, this reminds me of something I read. Some guys created some trogen I think which left a 'back door' and this allowed these guys to spie on people using that little camera thingy people have so other chat with can see them. I think that maybe the same here.

Well, I don't know what to do about it and it only happened twice to me, both times it gave me a surprise. I have ran many virus checks in the past but not for this reason and they weren't able to be ID it.

I thinK you guys would be interesting in hearing about it. I have another thread where I have discovered something else that was weird.





-----------------------------------
(Image a time were virus script writers are able to spy on the user though their cameras and talk through their speakers. I think this is the start)

 

Hi tm6527, I've moved your post as it was in the TDS3 support forum, if it is a Trojan please go here: http://tds.diamondcs.com.au/

Download TDS3 and also the latest Radius file update shown lower down the TDS3 download page and follow the instructions on the update page.

Do a full scan with all the scan options selected and report back here please.

Pilli

 

The program found 11 possible problems, but I am unable to copy and paste any of them. So I now

 

I figured it out. nm

Scan Control Dumped @ 16:16:56 02-09-04
RegVal Trace: RAT.iSpyNow: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft Tray=C:\Program Files\Kazaa\My Shared Folder\WinterSports4 (1).exe]

Suspicious Filename: Dual extensions
File: c:\documents and settings\raul\my documents\microsoft suite\assignments\word\word ch 01, ex 01.doc.doc

Positive identification: RAT.RADS Dropper.a
File: c:\documents and settings\rolando m\local settings\temp\mw.exe

Positive identification: TrojanDownloader.Win32.WinFetch
File: c:\documents and settings\rolando m\local settings\temp\xm1.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\rolando m\my documents\windows media 9 (02.15.04).exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\rolando m\my documents\zlssetup_51_011(07.30.04).exe

Suspicious Filename: Dual extensions
File: c:\program files\windows media player\installer\windows media 9 (02.15.04).exe

Positive identification (embedded in file): TrojanDownloader.Win32.WinPup.b
File: c:\windows\backup\tb040409.dat

Positive identification: RAT.RADS.e
File: c:\windows\system32\eghx.exe

Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
File: c:\windows\system32\h@tkeysh@@k.dll

Positive identification: RAT.RADS.e
File: c:\windows\system32\iuitda.exe

 

delete those labelled as "positive identification"
rescan with tds-3
when a detection appears in the lower panel right click on it to see the options

you might want to check the suspicious ones with
http://virusscan.jotti.dhs.org/

 

Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
File: c:\windows\system32\h@tkeysh@@k.dll

this one, can you please zip and submit it to submit@diamondcs.com.au
Or you can rightclick it from the alerts console in TDS and submit it that way if you configured your email address in TDS.
Please report back.

The double extensions are probably files you know?

Another place you might like to test individual files online is also at www.kaspersky.com/remoteviruschk.html , always like extra second and third opinions.
I guess if there is one keylogger there can be more wrong. Like your RAT's and ISPY thing prove already unfortunately.


Found your other thread in the HJT forum, where Derek tried to help you cleaning out.
https://www.wilderssecurity.com/showthread.php?t=38191
I thought already this needs in fact a HJT and/or aAutoStartViewer log to see more going on.
Did you change anything since that other thread, finding things, deleting or installing, new kind of things happening, infections found with other scanners, etc?

 

I just figured out I didn't do complete scan, since I didn't select all the different types of scans available. Sorry I'm new to TDS-3. Here's the list though:

Scan Control Dumped @ 07:33:40 03-09-04
***RegVal Trace: RAT.iSpyNow: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft Tray=C:\Program Files\Kazaa\My Shared Folder\WinterSports4 (1).exe]
***NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
File: c:\bbcscte.bat:summaryinformation
***Suspicious Filename: Dual extensions
File: c:\documents and settings\raul\my documents\microsoft suite\assignments\word\word ch 01, ex 01.doc.doc
***Positive identification: RAT.RADS Dropper.a
File: c:\documents and settings\rolando m\local settings\temp\mw.exe
***Positive identification: TrojanDownloader.Win32.WinFetch
File: c:\documents and settings\rolando m\local settings\temp\xm1.exe
***Suspicious Filename: Dual extensions
File: c:\documents and settings\rolando m\my documents\windows media 9 (02.15.04).exe
***Suspicious Filename: Dual extensions
File: c:\documents and settings\rolando m\my documents\zlssetup_51_011(07.30.04).exe
***Suspicious Filename: Dual extensions
File: c:\program files\windows media player\installer\windows media 9 (02.15.04).exe
***Positive identification (embedded in file): TrojanDownloader.Win32.WinPup.b
File: c:\windows\backup\tb040409.dat
***Positive identification: RAT.RADS.e
File: c:\windows\system32\eghx.exe
***Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
File: c:\windows\system32\h@tkeysh@@k.dll
***Positive identification: RAT.RADS.e
File: c:\windows\system32\iuitda.exe
***NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
File: c:\bbcscte.bat:summaryinformation
***Suspicious Filename: Dual extensions
File: c:\documents and settings\raul\my documents\microsoft suite\assignments\word\word ch 01, ex 01.doc.doc
***Positive identification: RAT.RADS Dropper.a
File: c:\documents and settings\rolando m\local settings\temp\mw.exe
***Positive identification: TrojanDownloader.Win32.WinFetch
File: c:\documents and settings\rolando m\local settings\temp\xm1.exe
***Suspicious Filename: Dual extensions
File: c:\documents and settings\rolando m\my documents\windows media 9 (02.15.04).exe
***Suspicious Filename: Dual extensions
File: c:\documents and settings\rolando m\my documents\zlssetup_51_011(07.30.04).exe
***Suspicious Filename: Dual extensions
File: c:\program files\windows media player\installer\windows media 9 (02.15.04).exe
***Positive identification (embedded in file): TrojanDownloader.Win32.WinPup.b
File: c:\windows\backup\tb040409.dat
***Positive identification: RAT.RADS.e
File: c:\windows\system32\eghx.exe
***Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
File: c:\windows\system32\h@tkeysh@@k.dll
***Positive identification: RAT.RADS.e
File: c:\windows\system32\iuitda.exe
***Positive identification (embedded in file): TrojanDownloader.Win32.WinPup.b
File: c:\windows\backup\tb040409.dat
***Positive identification: RAT.RADS.e
File: c:\windows\system32\eghx.exe
***Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
File: c:\windows\system32\h@tkeysh@@k.dll
***Positive identification: RAT.RADS.e
File: c:\windows\system32\iuitda.exe
***NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
File: c:\bbcscte.bat:summaryinformation
***Suspicious Filename: Dual extensions
File: c:\documents and settings\raul\my documents\microsoft suite\assignments\word\word ch 01, ex 01.doc.doc
***Positive identification: RAT.RADS Dropper.a
File: c:\documents and settings\rolando m\local settings\temp\mw.exe
***Positive identification: TrojanDownloader.Win32.WinFetch
File: c:\documents and settings\rolando m\local settings\temp\xm1.exe
***Suspicious Filename: Dual extensions
File: c:\documents and settings\rolando m\my documents\windows media 9 (02.15.04).exe
***Suspicious Filename: Dual extensions
File: c:\documents and settings\rolando m\my documents\zlssetup_51_011(07.30.04).exe
***Suspicious Filename: Dual extensions
File: c:\program files\windows media player\installer\windows media 9 (02.15.04).exe
***Positive identification (embedded in file): TrojanDownloader.Win32.WinPup.b
File: c:\windows\backup\tb040409.dat
***Positive identification: RAT.RADS.e
File: c:\windows\system32\eghx.exe
***Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
File: c:\windows\system32\h@tkeysh@@k.dll
***Positive identification: RAT.RADS.e
File: c:\windows\system32\iuitda.exe

 

Hi tm6527, Looks like you haqve a load of problems there.

The hidden stream is OK as it is only 88 bytes.

Did you try deleing any of the positively identified ones?

Dual extensions may be OK if they are from trusted know apps.

If you can copy the files shown as positives to a .zip file and submit@diamondcs.com.au for analysis, then try cleaning by clicking on the console entry and select delete for all the positives and rescan.

After cleaning please report back here for more advice

Cheers. Pilli

 

I have ziped some files and attached them an email, but as I was about to send them, I have recieved a message 'the files to be emailed could not be found or attached, should I email anyway?'

What should I do? Is it because I have deleted these files and send them to the reclying box? I could undelete and test and see.

Hurry up, I hate the search and destroy process......
buts its gotta be done

 

sorry its taking a while, that's why I thought I annoyed the other guy that helped me before in another thread, cause my inefficiency

 

This is painful...... waiting is painful........i wither

 

Just noticed but those scanners captured a lot of same things

 

If you email and attach files and remove them to recycle bin before sending the email, your email will have problems with finding the files and can't send them.
So first send the emails before you would empty the recyclebin.
But maybe the files are innocent, so i would keep them zipped just in case till you get an answer from the TDS lab.


EDIT:
No you were not annoying Derek, he really tried to help you and we all are frustrated when there could be more the matter on a user's system.
In your case it looked like at least a keylogger and hackers, combining the story with the strange files you naver could have placed there yourself and the sounds / voices you hear, the possibility of being spied on maybe even with your webcam, whatever.
So of course the experts are prepared for the worst and always hope to be able to help you out to the best.
You do have a firewall installed, don't you? First thing is to get you clean, and what i mentioned, the Ispynow and the keylogger are for me signs which fit all in the story.
First those files, then we know more soon.

Probably are scanning all in c:\ and all logical drives and all hard drives for instance, so you do it twice or three times .

BTW: did you also see this thread?
https://www.wilderssecurity.com/showthread.php?t=44359
So be prepared we might ask for a HJT or AutoStartViewer log, but wait a moment with that, you know about making them fortunately from the past.

 

tm6527, Did you zip up the files first before trying to send them? Create a ZIP file and add the indentified files then send and it should be OK

 

Yes, I have ziped all into one file

 

and did you now succeed to send them?
You might need to close the antivirus to be able to send them.
TDS is no problem, others can be.
See in the last link i posted, instructions in that one, same kind of infection too btw.

 

Skip the email part since I have to keep clicking wait another 60 seconds for server, but I see no progress each time I do and wait.

What's next? I have deleted all torjens? except two.

***Positive identification: RAT.RADS.e
File: c:\windows\system32\iuitda.exe
***Positive identification: RAT.RADS.e
File: c:\windows\system32\eghx.exe

The only method I know of, is using Notepad and showing all files when searching for files like those above.

Thanks for everyones help so far, I will be running another search though TDS-3.

 

i hope you dont mind me posting this link
Meet the Peeping Tom worm

 

Yes, that is what I have read in another site iceni60, and Jooske, I don't have a web cam thing, I was only siting an article I have read from memory. Sorry I was cofusing. Anyways, thanks everyone for your help and till next time.

 

I was citing from memory too WEas just an extra example, the things can look via the webcam all you're doing, so glad you're not in that problem yet.

What i like to know is how far you are at the moment with your system cleansing.
Those two files, if you can't delete them normally maybe have to kill the processes in the task manager or even have to reboot in safe mode and kill them from there.

I think when all the scanning is done, we would like to see a new fresh HiJackThis log from you to see if there is anything left. So e can compare that with your former HJT log.
How is your system behaving in the meantime? Still noises and slow and other things or is it getting better?

What i would like you to try if you haven't done so yet is to get Port Explorer too from the DiamondCS site, so with that you can look if tehre are any suspicious connections, which you can investigate and kill immediately, while you can see which application is used for that on your system.

Of course i do hope your system is brandnew and clean now finally after all these weeks!
Fingers crossed, but that IspyNow and the keylogger plus what you noticed kept me worried till we know better.

 

Just checking to see if my thread died. I guess I'll start a new one since this one is to big.

 

No the thread is not too big, we're waiting for your scan results i suppose?
And if that is done a new HJT or ASViewer log.

 

Scan Control Dumped @ 12:30:04 07-09-04
***NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
File: c:\bbcscte.bat:summaryinformation
***Suspicious Filename: Dual extensions
File: c:\documents and settings\raul\my documents\microsoft suite\assignments\word\word ch 01, ex 01.doc.doc
***Suspicious Filename: Dual extensions
File: c:\documents and settings\rolando m\my documents\windows media 9 (02.15.04).exe
***Suspicious Filename: Dual extensions
File: c:\documents and settings\rolando m\my documents\zlssetup_51_011(07.30.04).exe
***Suspicious Filename: Dual extensions
File: c:\program files\windows media player\installer\windows media 9 (02.15.04).exe
***Positive identification (DLL): Adware.MiniBug (dll)
File: c:\recycler\s-1-5-21-1801674531-436374069-854245398-1010\dc84.dll
***Positive identification: RAT.RADS.e
File: c:\windows\system32\eghx.exe
***Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
File: c:\windows\system32\h@tkeysh@@k.dll
***Positive identification: RAT.RADS.e
File: c:\windows\system32\iuitda.exe
***NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
File: c:\bbcscte.bat:summaryinformation
***Suspicious Filename: Dual extensions
File: c:\documents and settings\raul\my documents\microsoft suite\assignments\word\word ch 01, ex 01.doc.doc
***Suspicious Filename: Dual extensions
File: c:\documents and settings\rolando m\my documents\windows media 9 (02.15.04).exe
***Suspicious Filename: Dual extensions
File: c:\documents and settings\rolando m\my documents\zlssetup_51_011(07.30.04).exe
***Suspicious Filename: Dual extensions
File: c:\program files\windows media player\installer\windows media 9 (02.15.04).exe
***Positive identification (DLL): Adware.MiniBug (dll)
File: c:\recycler\s-1-5-21-1801674531-436374069-854245398-1010\dc84.dll
***Positive identification: RAT.RADS.e
File: c:\windows\system32\eghx.exe
***Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
File: c:\windows\system32\h@tkeysh@@k.dll
***Positive identification: RAT.RADS.e
File: c:\windows\system32\iuitda.exe
***Positive identification: RAT.RADS.e
File: c:\windows\system32\eghx.exe
***Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
File: c:\windows\system32\h@tkeysh@@k.dll
***Positive identification: RAT.RADS.e
File: c:\windows\system32\iuitda.exe
***NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
File: c:\bbcscte.bat:summaryinformation
***Suspicious Filename: Dual extensions
File: c:\documents and settings\raul\my documents\microsoft suite\assignments\word\word ch 01, ex 01.doc.doc
***Suspicious Filename: Dual extensions
File: c:\documents and settings\rolando m\my documents\windows media 9 (02.15.04).exe
***Suspicious Filename: Dual extensions
File: c:\documents and settings\rolando m\my documents\zlssetup_51_011(07.30.04).exe
***Suspicious Filename: Dual extensions
File: c:\program files\windows media player\installer\windows media 9 (02.15.04).exe
***Positive identification (DLL): Adware.MiniBug (dll)
File: c:\recycler\s-1-5-21-1801674531-436374069-854245398-1010\dc84.dll
***Positive identification: RAT.RADS.e
File: c:\windows\system32\eghx.exe
***Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
File: c:\windows\system32\h@tkeysh@@k.dll
***Positive identification: RAT.RADS.e
File: c:\windows\system32\iuitda.exe


Here's the new big list. I deleted hotkeyshook.dll but TDS-3 still ID it.

Couldn't find these files in my search:
>>>>c:\windows\system32\iuitda.exe
>>>>c:\windows\system32\eghx.exe

Still haven't tested all suspicious files but I will do that soon.

I have read u guys have problems with people posting their HJ report thing. Why is that? because sometimes it is not neccesary?

HJ list will appear on the next post >>>>>>

 

Logfile of HijackThis v1.97.7
Scan saved at 12:55:50 PM, on 9/7/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\system32\MMTrayLSI.exe
C:\WINDOWS\system32\MMTray2k.exe
C:\WINDOWS\system32\MMTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Paltalk\pnetaware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TDS3\tds-3.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ROLAND~1\LOCALS~1\Temp\Rar$EX01.849\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IM] C:\PROGRA~1\EARTHL~1\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: BadBlue.lnk = C:\Documents and Settings\Rolando M\Desktop\badblue.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab


Here's the HJT log....
I will download the connection verify program (TDS-3)
I will look try that other one, Pepper I think?
I will try sting too by McCaffie

Hey, when I search for those positive files, I saw dozens of other files. How do I clean them up? How would I know which ones to delete and which to not? There's a lot of small files taking up space: dlls, exes and others

 

Forgot to mention a coubles of things. First the TDS-3 scan took longer then normal to finish. Also that adware.mini bug was accidently downloaded by my brother yesterday. It's deleted. I will delete whats left over.

I couldn't find Adware.minibug.

I have also checked suspicious files but that site only seems to work on small files or else ur disconected from the site. I only checked one file it that was the ... > microsoft suit/.../word chap 1 got discounted when checking media9 and zonealarm

Stringer v1000 finished, finding no virues or trojans from its' 43 v/t list.

On and forward......