sudden noise

Discussion in 'malware problems & news' started by tm6527, Sep 2, 2004.

Thread Status:
Not open for further replies.
  1. tm6527

    tm6527 Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    40
    Problem
    I had two incidents where I heard noise come blaring out of the speaker. Both times, the noise was heard after I clicked on a link in a website (NO, the link wasn't designed by the webmaster to create the noise, since I am well familiar with the website). Both incidents occurred many months apart. Also, what I heard sounded like someone talking on a walkie-talkie thing. The first time I don't remember what I heard. The last one I heard some guy saying "It's working" in a distant voice and some low static.

    You know, this reminds me of something I read. Some guys created some trojan, I think, which left a 'back door' and this allowed these guys to spy on people using that little camera thingy people have so others they chat with can see them. I think that may be the same here.

    Well, I don't know what to do about it and it only happened twice to me; both times it gave me a surprise. I have run many virus checks in the past, but not for this reason, and they weren't able to ID it.

    I think you guys would be interested in hearing about it. I have another thread where I have discovered something else that was weird.





    -----------------------------------
    (Imagine a time where virus script writers are able to spy on the user through their cameras and talk through their speakers. I think this is the start)
     
    Last edited: Sep 2, 2004
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi tm6527, I've moved your post, as it was in the TDS3 support forum. If it is a Trojan, please go here: http://tds.diamondcs.com.au/

    Download TDS3 and also the latest Radius file update shown lower down the TDS3 download page and follow the instructions on the update page.

    Do a full scan with all the scan options selected and report back here please.

    Pilli
     
  3. tm6527

    tm6527 Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    40
    The program found 11 possible problems, but I am unable to copy and paste any of them. So I now o_O
     
  4. tm6527

    tm6527 Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    40
    I figured it out. nm

    Scan Control Dumped @ 16:16:56 02-09-04
    RegVal Trace: RAT.iSpyNow: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft Tray=C:\Program Files\Kazaa\My Shared Folder\WinterSports4 (1).exe]

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\raul\my documents\microsoft suite\assignments\word\word ch 01, ex 01.doc.doc

    Positive identification: RAT.RADS Dropper.a
    File: c:\documents and settings\rolando m\local settings\temp\mw.exe

    Positive identification: TrojanDownloader.Win32.WinFetch
    File: c:\documents and settings\rolando m\local settings\temp\xm1.exe

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\rolando m\my documents\windows media 9 (02.15.04).exe

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\rolando m\my documents\zlssetup_51_011(07.30.04).exe

    Suspicious Filename: Dual extensions
    File: c:\program files\windows media player\installer\windows media 9 (02.15.04).exe

    Positive identification (embedded in file): TrojanDownloader.Win32.WinPup.b
    File: c:\windows\backup\tb040409.dat

    Positive identification: RAT.RADS.e
    File: c:\windows\system32\eghx.exe

    Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
    File: c:\windows\system32\h@tkeysh@@k.dll

    Positive identification: RAT.RADS.e
    File: c:\windows\system32\iuitda.exe
     
  5. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Delete those labelled as "positive identification", then rescan with TDS-3.
    When a detection appears in the lower panel, right-click on it to see the options.

    You might want to check the suspicious ones with
    http://virusscan.jotti.dhs.org/
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
    File: c:\windows\system32\h@tkeysh@@k.dll

    This one, can you please zip it and submit it to submit@diamondcs.com.au
    Or you can right-click it from the alerts console in TDS and submit it that way, if you configured your email address in TDS.
    Please report back.

    The double extensions are probably files you know?

    Another place you might like to test individual files online is www.kaspersky.com/remoteviruschk.html ; I always like extra second and third opinions.
    I guess if there is one keylogger there can be more wrong, as your RATs and iSpyNow thing unfortunately already prove.


    Found your other thread in the HJT forum, where Derek tried to help you clean out.
    https://www.wilderssecurity.com/showthread.php?t=38191
    I already thought this in fact needs an HJT and/or AutoStartViewer log to see more of what is going on.
    Did you change anything since that other thread: finding things, deleting or installing, new kinds of things happening, infections found with other scanners, etc.?
     
    Last edited: Sep 3, 2004
  7. tm6527

    tm6527 Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    40
    I just figured out I didn't do a complete scan, since I didn't select all the different types of scans available. Sorry, I'm new to TDS-3. Here's the list though:

    Scan Control Dumped @ 07:33:40 03-09-04
    ***RegVal Trace: RAT.iSpyNow: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft Tray=C:\Program Files\Kazaa\My Shared Folder\WinterSports4 (1).exe]
    ***NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
    File: c:\bbcscte.bat:summaryinformation
    ***Suspicious Filename: Dual extensions
    File: c:\documents and settings\raul\my documents\microsoft suite\assignments\word\word ch 01, ex 01.doc.doc
    ***Positive identification: RAT.RADS Dropper.a
    File: c:\documents and settings\rolando m\local settings\temp\mw.exe
    ***Positive identification: TrojanDownloader.Win32.WinFetch
    File: c:\documents and settings\rolando m\local settings\temp\xm1.exe
    ***Suspicious Filename: Dual extensions
    File: c:\documents and settings\rolando m\my documents\windows media 9 (02.15.04).exe
    ***Suspicious Filename: Dual extensions
    File: c:\documents and settings\rolando m\my documents\zlssetup_51_011(07.30.04).exe
    ***Suspicious Filename: Dual extensions
    File: c:\program files\windows media player\installer\windows media 9 (02.15.04).exe
    ***Positive identification (embedded in file): TrojanDownloader.Win32.WinPup.b
    File: c:\windows\backup\tb040409.dat
    ***Positive identification: RAT.RADS.e
    File: c:\windows\system32\eghx.exe
    ***Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
    File: c:\windows\system32\h@tkeysh@@k.dll
    ***Positive identification: RAT.RADS.e
    File: c:\windows\system32\iuitda.exe
    ***NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
    File: c:\bbcscte.bat:summaryinformation
    ***Suspicious Filename: Dual extensions
    File: c:\documents and settings\raul\my documents\microsoft suite\assignments\word\word ch 01, ex 01.doc.doc
    ***Positive identification: RAT.RADS Dropper.a
    File: c:\documents and settings\rolando m\local settings\temp\mw.exe
    ***Positive identification: TrojanDownloader.Win32.WinFetch
    File: c:\documents and settings\rolando m\local settings\temp\xm1.exe
    ***Suspicious Filename: Dual extensions
    File: c:\documents and settings\rolando m\my documents\windows media 9 (02.15.04).exe
    ***Suspicious Filename: Dual extensions
    File: c:\documents and settings\rolando m\my documents\zlssetup_51_011(07.30.04).exe
    ***Suspicious Filename: Dual extensions
    File: c:\program files\windows media player\installer\windows media 9 (02.15.04).exe
    ***Positive identification (embedded in file): TrojanDownloader.Win32.WinPup.b
    File: c:\windows\backup\tb040409.dat
    ***Positive identification: RAT.RADS.e
    File: c:\windows\system32\eghx.exe
    ***Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
    File: c:\windows\system32\h@tkeysh@@k.dll
    ***Positive identification: RAT.RADS.e
    File: c:\windows\system32\iuitda.exe
    ***Positive identification (embedded in file): TrojanDownloader.Win32.WinPup.b
    File: c:\windows\backup\tb040409.dat
    ***Positive identification: RAT.RADS.e
    File: c:\windows\system32\eghx.exe
    ***Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
    File: c:\windows\system32\h@tkeysh@@k.dll
    ***Positive identification: RAT.RADS.e
    File: c:\windows\system32\iuitda.exe
    ***NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
    File: c:\bbcscte.bat:summaryinformation
    ***Suspicious Filename: Dual extensions
    File: c:\documents and settings\raul\my documents\microsoft suite\assignments\word\word ch 01, ex 01.doc.doc
    ***Positive identification: RAT.RADS Dropper.a
    File: c:\documents and settings\rolando m\local settings\temp\mw.exe
    ***Positive identification: TrojanDownloader.Win32.WinFetch
    File: c:\documents and settings\rolando m\local settings\temp\xm1.exe
    ***Suspicious Filename: Dual extensions
    File: c:\documents and settings\rolando m\my documents\windows media 9 (02.15.04).exe
    ***Suspicious Filename: Dual extensions
    File: c:\documents and settings\rolando m\my documents\zlssetup_51_011(07.30.04).exe
    ***Suspicious Filename: Dual extensions
    File: c:\program files\windows media player\installer\windows media 9 (02.15.04).exe
    ***Positive identification (embedded in file): TrojanDownloader.Win32.WinPup.b
    File: c:\windows\backup\tb040409.dat
    ***Positive identification: RAT.RADS.e
    File: c:\windows\system32\eghx.exe
    ***Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
    File: c:\windows\system32\h@tkeysh@@k.dll
    ***Positive identification: RAT.RADS.e
    File: c:\windows\system32\iuitda.exe
     
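The two dumps above (posts 4 and 7) show how TDS-3 reports: a category line, a File: line, and the same hit repeated once per scan pass. What follows is an added example, not code from TDS-3 or from anyone in this thread, that parses that format, collapses the repeats, and separates the distinct findings by what to do with them: confirmed detections together with the Run-key trace, dual-extension names that are really a decoy extension in front of an executable one, everything else to review, and a tiny SummaryInformation stream treated as the usual benign case. The sample log is constructed from entries posted in the thread, shortened, plus one invented holiday.jpg.exe entry; the bucket names and the 4 KB stream threshold are the example's own choices.

```python
"""Triage of a TDS-3 'Scan Control' dump (added example; not TDS-3 code and
not posted in the thread).  A dump has one '<Category>: <Detail>' line, with
or without a '***' prefix, followed by a 'File: <path>' line per hit, and
repeats hits once per scan pass.  SAMPLE_LOG is constructed from entries
posted in the thread, shortened, plus an invented holiday.jpg.exe entry."""
import re

SAMPLE_LOG = r"""Scan Control Dumped @ 07:33:40 03-09-04
***RegVal Trace: RAT.iSpyNow: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft Tray=C:\Program Files\Kazaa\My Shared Folder\WinterSports4 (1).exe]
***NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
File: c:\bbcscte.bat:summaryinformation
***Suspicious Filename: Dual extensions
File: c:\documents and settings\raul\my documents\word ch 01, ex 01.doc.doc
***Positive identification: RAT.RADS.e
File: c:\windows\system32\eghx.exe
***Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
File: c:\windows\system32\h@tkeysh@@k.dll
***Suspicious Filename: Dual extensions
File: c:\documents and settings\rolando m\my documents\holiday.jpg.exe
***NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
File: c:\bbcscte.bat:summaryinformation
***Positive identification: RAT.RADS.e
File: c:\windows\system32\eghx.exe
"""

HIT_RE = re.compile(r"^\*{0,3}(?P<category>[^:]+?): (?P<detail>.+)$")
FILE_RE = re.compile(r"^File: (?P<path>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^=\]]+)=(?P<target>[^\]]+)\]")
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "dll"}
DECOY_EXT = {"doc", "txt", "jpg", "jpeg", "gif", "pdf", "mp3", "avi", "zip"}
# Explorer stores the Summary-tab properties of a file in an ADS of this
# name; a few bytes there are normal, anything else deserves a look.
PROPERTY_STREAMS = {"summaryinformation", "documentsummaryinformation"}

def parse_dump(text):
    """Return (category, detail, path) triples; tolerates blank lines."""
    hits, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:                       # pairs with the preceding hit line
            if pending:
                hits.append(pending + (m.group("path"),))
                pending = None
            continue
        m = HIT_RE.match(line)
        if m and not line.startswith("Scan Control"):
            pending = (m.group("category"), m.group("detail"))
    return hits

def dedupe(hits):
    """Collapse the per-pass repeats into hit -> times seen (order kept)."""
    counts = {}
    for hit in hits:
        counts[hit] = counts.get(hit, 0) + 1
    return counts

def dual_extension_is_disguise(path):
    """True only for a decoy document/media extension right before an
    executable one (holiday.jpg.exe); 'x.doc.doc' or '(02.15.04).exe' is not."""
    parts = path.replace("/", "\\").rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-2] in DECOY_EXT and parts[-1] in EXEC_EXT

def run_value(reg_path):
    """Split a RegVal Trace path into (Run value name, command it launches)."""
    m = RUN_RE.search(reg_path)
    return (m.group("name"), m.group("target")) if m else None

def severity(category, detail, path):
    """Bucket names are this example's own choice, not TDS-3 terminology."""
    if category.startswith("Positive identification") or category == "RegVal Trace":
        return "confirmed"          # signature hit, or autostart of a known RAT
    if category == "Suspicious Filename":
        return "disguised" if dual_extension_is_disguise(path) else "review"
    if category == "NTFS Alternate Data Stream":
        m = re.search(r"(\d+) bytes", detail)
        size = int(m.group(1)) if m else 0
        stream = path.rsplit(":", 1)[-1].lower()
        if stream in PROPERTY_STREAMS and size < 4096:   # threshold assumed
            return "likely_benign"
    return "review"

def triage(text):
    """Distinct findings of a dump, grouped by how to act on them."""
    report = {"confirmed": [], "disguised": [], "review": [], "likely_benign": []}
    for (category, detail, path), seen in dedupe(parse_dump(text)).items():
        report[severity(category, detail, path)].append(
            {"category": category, "detail": detail, "path": path, "seen": seen})
    return report

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {len(hits)} distinct")
        for h in hits:
            print(f"  x{h['seen']} {h['detail']} -> {h['path']}")
```

Run against the full dump from post 7, the script reduces the thirty-odd lines to the handful of distinct findings and shows that the repeats are the multi-pass scan, not new infections. The dual-extension check deliberately stays narrow: a name like "windows media 9 (02.15.04).exe" trips TDS-3's filename heuristic only because of the dots in the date, while "x.doc.doc" is merely sloppy; the pattern that actually matters is a document or media extension hiding an executable one.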
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi tm6527, looks like you have a load of problems there.

    The hidden stream is OK, as it is only 88 bytes.

    Did you try deleting any of the positively identified ones?

    Dual extensions may be OK if they are from trusted, known apps.

    If you can, copy the files shown as positives to a .zip file and send it to submit@diamondcs.com.au for analysis, then try cleaning by clicking on the console entry and selecting delete for all the positives, and rescan.

    After cleaning, please report back here for more advice.

    Cheers. Pilli
     
  9. tm6527

    tm6527 Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    40
    I have zipped some files and attached them to an email, but as I was about to send them, I received a message: 'the files to be emailed could not be found or attached, should I email anyway?'

    What should I do? Is it because I have deleted these files and sent them to the recycle bin? I could undelete and test and see.

    Hurry up, I hate the search and destroy process......
    but it's gotta be done
     
    Last edited: Sep 3, 2004
  10. tm6527

    tm6527 Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    40
    Sorry it's taking a while; that's why I thought I annoyed the other guy who helped me before in another thread, because of my inefficiency.
     
  11. tm6527

    tm6527 Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    40
    This is painful...... waiting is painful........i wither
     
  12. tm6527

    tm6527 Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    40
    Just noticed, but those scanners captured a lot of the same things.
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you email and attach files and remove them to the recycle bin before sending the email, your email will have problems finding the files and can't send them.
    So first send the emails before you empty the recycle bin.
    But maybe the files are innocent, so I would keep them zipped just in case till you get an answer from the TDS lab.


    EDIT:
    No, you were not annoying Derek; he really tried to help you, and we are all frustrated when there could be more the matter on a user's system.
    In your case it looked like at least a keylogger and hackers, combining the story with the strange files you never could have placed there yourself and the sounds / voices you hear, the possibility of being spied on, maybe even with your webcam, whatever.
    So of course the experts are prepared for the worst and always hope to be able to help you out to the best.
    You do have a firewall installed, don't you? First thing is to get you clean, and as I mentioned, the iSpyNow and the keylogger are for me signs which all fit in the story.
    First those files, then we know more soon.

    Probably you are scanning all of c:\ and all logical drives and all hard drives, for instance, so you do it two or three times. :)

    BTW: did you also see this thread?
    https://www.wilderssecurity.com/showthread.php?t=44359
    So be prepared we might ask for a HJT or AutoStartViewer log, but wait a moment with that; fortunately you know about making them from the past.
     
    Last edited: Sep 4, 2004
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    tm6527, did you zip up the files first before trying to send them? Create a ZIP file and add the identified files, then send, and it should be OK.
     
  15. tm6527

    tm6527 Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    40
    Yes, I have zipped all into one file.
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    And did you now succeed in sending them?
    You might need to close the antivirus to be able to send them.
    TDS is no problem; others can be.
    See the instructions in the last link I posted; same kind of infection too, btw.
     
  17. tm6527

    tm6527 Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    40
    Skip the email part, since I have to keep clicking 'wait another 60 seconds for server', but I see no progress each time I do and wait.

    What's next? I have deleted all trojans, except two.

    ***Positive identification: RAT.RADS.e
    File: c:\windows\system32\iuitda.exe
    ***Positive identification: RAT.RADS.e
    File: c:\windows\system32\eghx.exe

    The only method I know of is using Notepad and showing all files when searching for files like those above.

    Thanks for everyone's help so far, I will be running another search through TDS-3.
     
  18. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
  19. tm6527

    tm6527 Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    40
    Yes, that is what I have read on another site, iceni60, and Jooske, I don't have a webcam thing; I was only citing an article I have read from memory. Sorry I was confusing. Anyway, thanks everyone for your help and till next time.
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I was citing from memory too :) It was just an extra example; the things can look via the webcam at all you're doing, so glad you're not in that problem yet.

    What I'd like to know is how far you are at the moment with your system cleansing.
    Those two files, if you can't delete them normally, maybe you have to kill the processes in the task manager or even have to reboot in safe mode and kill them from there.

    I think when all the scanning is done, we would like to see a fresh new HijackThis log from you to see if there is anything left, so we can compare that with your former HJT log.
    How is your system behaving in the meantime? Still noises and slow and other things, or is it getting better?

    What I would like you to try, if you haven't done so yet, is to get Port Explorer too from the DiamondCS site, so with that you can look if there are any suspicious connections, which you can investigate and kill immediately, while you can see which application is used for that on your system.

    Of course I do hope your system is brand new and clean now finally after all these weeks!
    Fingers crossed, but that iSpyNow and the keylogger plus what you noticed kept me worried till we know better.
     
  21. tm6527

    tm6527 Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    40
    Just checking to see if my thread died. I guess I'll start a new one since this one is too big.
     
  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    No, the thread is not too big; we're waiting for your scan results, I suppose?
    And if that is done, a new HJT or ASViewer log.
     
  23. tm6527

    tm6527 Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    40
    Scan Control Dumped @ 12:30:04 07-09-04
    ***NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
    File: c:\bbcscte.bat:summaryinformation
    ***Suspicious Filename: Dual extensions
    File: c:\documents and settings\raul\my documents\microsoft suite\assignments\word\word ch 01, ex 01.doc.doc
    ***Suspicious Filename: Dual extensions
    File: c:\documents and settings\rolando m\my documents\windows media 9 (02.15.04).exe
    ***Suspicious Filename: Dual extensions
    File: c:\documents and settings\rolando m\my documents\zlssetup_51_011(07.30.04).exe
    ***Suspicious Filename: Dual extensions
    File: c:\program files\windows media player\installer\windows media 9 (02.15.04).exe
    ***Positive identification (DLL): Adware.MiniBug (dll)
    File: c:\recycler\s-1-5-21-1801674531-436374069-854245398-1010\dc84.dll
    ***Positive identification: RAT.RADS.e
    File: c:\windows\system32\eghx.exe
    ***Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
    File: c:\windows\system32\h@tkeysh@@k.dll
    ***Positive identification: RAT.RADS.e
    File: c:\windows\system32\iuitda.exe
    ***NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
    File: c:\bbcscte.bat:summaryinformation
    ***Suspicious Filename: Dual extensions
    File: c:\documents and settings\raul\my documents\microsoft suite\assignments\word\word ch 01, ex 01.doc.doc
    ***Suspicious Filename: Dual extensions
    File: c:\documents and settings\rolando m\my documents\windows media 9 (02.15.04).exe
    ***Suspicious Filename: Dual extensions
    File: c:\documents and settings\rolando m\my documents\zlssetup_51_011(07.30.04).exe
    ***Suspicious Filename: Dual extensions
    File: c:\program files\windows media player\installer\windows media 9 (02.15.04).exe
    ***Positive identification (DLL): Adware.MiniBug (dll)
    File: c:\recycler\s-1-5-21-1801674531-436374069-854245398-1010\dc84.dll
    ***Positive identification: RAT.RADS.e
    File: c:\windows\system32\eghx.exe
    ***Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
    File: c:\windows\system32\h@tkeysh@@k.dll
    ***Positive identification: RAT.RADS.e
    File: c:\windows\system32\iuitda.exe
    ***Positive identification: RAT.RADS.e
    File: c:\windows\system32\eghx.exe
    ***Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
    File: c:\windows\system32\h@tkeysh@@k.dll
    ***Positive identification: RAT.RADS.e
    File: c:\windows\system32\iuitda.exe
    ***NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
    File: c:\bbcscte.bat:summaryinformation
    ***Suspicious Filename: Dual extensions
    File: c:\documents and settings\raul\my documents\microsoft suite\assignments\word\word ch 01, ex 01.doc.doc
    ***Suspicious Filename: Dual extensions
    File: c:\documents and settings\rolando m\my documents\windows media 9 (02.15.04).exe
    ***Suspicious Filename: Dual extensions
    File: c:\documents and settings\rolando m\my documents\zlssetup_51_011(07.30.04).exe
    ***Suspicious Filename: Dual extensions
    File: c:\program files\windows media player\installer\windows media 9 (02.15.04).exe
    ***Positive identification (DLL): Adware.MiniBug (dll)
    File: c:\recycler\s-1-5-21-1801674531-436374069-854245398-1010\dc84.dll
    ***Positive identification: RAT.RADS.e
    File: c:\windows\system32\eghx.exe
    ***Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
    File: c:\windows\system32\h@tkeysh@@k.dll
    ***Positive identification: RAT.RADS.e
    File: c:\windows\system32\iuitda.exe


    Here's the new big list. I deleted hotkeyshook.dll but TDS-3 still IDs it.

    Couldn't find these files in my search:
    >>>>c:\windows\system32\iuitda.exe
    >>>>c:\windows\system32\eghx.exe

    Still haven't tested all suspicious files, but I will do that soon.

    I have read you guys have problems with people posting their HJ report thing. Why is that? Because sometimes it is not necessary?

    HJ list will appear on the next post >>>>>>
     
  24. tm6527

    tm6527 Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    40
    Logfile of HijackThis v1.97.7
    Scan saved at 12:55:50 PM, on 9/7/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\BRMFRSMG.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\S3apphk.exe
    C:\WINDOWS\system32\MMTrayLSI.exe
    C:\WINDOWS\system32\MMTray2k.exe
    C:\WINDOWS\system32\MMTray.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\RUNDLL32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Paltalk\pnetaware.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\TDS3\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\ROLAND~1\LOCALS~1\Temp\Rar$EX01.849\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
    O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
    O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
    O4 - HKLM\..\Run: [MMTray] MMTray.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IM] C:\PROGRA~1\EARTHL~1\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - Startup: BadBlue.lnk = C:\Documents and Settings\Rolando M\Desktop\badblue.exe
    O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab


    Here's the HJT log....
    I will download the connection verify program (TDS-3)
    I will try that other one, Pepper I think?
    I will try Stinger too by McAfee

    Hey, when I search for those positive files, I saw dozens of other files. How do I clean them up? How would I know which ones to delete and which not to? There's a lot of small files taking up space: dlls, exes and others.
     
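The O4 lines in the HJT log above are the autostart entries, and the usual triage questions are where the image really lives and whether the value name is trying to look like something it is not (the TDS-3 trace earlier in the thread had a Run value named "Microsoft Tray" pointing into a Kazaa shared folder). The following is an added example, not HijackThis code and not anything posted in the thread: it parses O4 lines of both shapes, extracts the actual image path from quoted, unquoted and rundll32 command lines, and flags the entries worth a closer look. The sample is a subset of the log above plus one reconstructed line for the Microsoft Tray value written in HJT form, which is an assumption since HijackThis no longer saw it; the heuristics, the directory list and the brand-word list are the example's own.

```python
"""Triage of HijackThis O4 (autostart) lines (added example; not HijackThis
code and not posted in the thread).  O4 lines have two shapes, '[value] command'
for Run keys and 'name.lnk = target' for Startup folders.  SAMPLE_HJT is a
subset of the log posted above plus a reconstructed 'Microsoft Tray' line, an
assumption: TDS-3 reported that Run value, HijackThis no longer saw it."""
import re

SAMPLE_HJT = r"""O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\Kazaa\My Shared Folder\WinterSports4 (1).exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IM] C:\PROGRA~1\EARTHL~1\aim.exe -cnetwait.odl
O4 - Startup: BadBlue.lnk = C:\Documents and Settings\Rolando M\Desktop\badblue.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

O4_RE = re.compile(
    r"^O4 - (?P<where>.+?): "
    r"(?:\[(?P<name>[^\]]*)\] (?P<cmd>.+)|(?P<lnk>.+?\.lnk) = (?P<target>.+))$")
IMAGE_RE = re.compile(
    r'^"?(?P<img>[^"]+?\.(?:exe|dll|com|scr|bat|cmd|pif|vbs))"?(?=[\s,]|$)', re.I)
# Locations the user (and so anything the user ran) can write to; a list
# chosen for this example, extend it for your own environment.
USER_WRITABLE = ("\\temp\\", "\\desktop\\", "\\my documents\\",
                 "\\my shared folder\\", "\\local settings\\", "\\recycler\\")
BRAND_WORDS = ("microsoft", "windows", "system")

def extract_image(cmd):
    """Pull the executable or DLL path out of an O4 command line: quoted
    paths, unquoted paths with spaces, trailing arguments, rundll32 hosts."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32"):      # the DLL is what really runs
        parts = cmd.split(None, 1)
        cmd = parts[1] if len(parts) > 1 else ""
    m = IMAGE_RE.match(cmd)
    return m.group("img") if m else cmd

def parse_o4(text):
    """One dict per O4 line: where it autostarts, its name, command, image."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name") if m.group("name") is not None else m.group("lnk")
        cmd = m.group("cmd") if m.group("cmd") is not None else m.group("target")
        entries.append({"where": m.group("where"), "name": name,
                        "command": cmd, "image": extract_image(cmd)})
    return entries

def reasons_to_look(entry):
    """Heuristics, not signatures: each reason is a question for the analyst."""
    img, name = entry["image"].lower(), entry["name"].lower()
    reasons = []
    if "\\" not in img:
        reasons.append("unqualified filename, resolved via the search path: "
                       "check which copy actually runs")
    if any(d in img for d in USER_WRITABLE):
        reasons.append("runs from a user-writable or transient location")
    if (any(w in name for w in BRAND_WORDS)
            and "\\windows\\" not in img and "\\microsoft" not in img):
        reasons.append("Microsoft/Windows-style name, but the image is outside "
                       "the Windows tree and any Microsoft product directory")
    return reasons

def triage_autostarts(text):
    """Return (where, name, image, reasons) for every entry worth a look."""
    flagged = []
    for e in parse_o4(text):
        reasons = reasons_to_look(e)
        if reasons:
            flagged.append((e["where"], e["name"], e["image"], reasons))
    return flagged

if __name__ == "__main__":
    for where, name, image, reasons in triage_autostarts(SAMPLE_HJT):
        print(f"{where} [{name}] -> {image}")
        for r in reasons:
            print(f"    - {r}")
```

On the sample this flags three entries: S3apphk (a bare filename, so the copy that runs depends on the search path), the reconstructed Microsoft Tray value (brand-like name, image in a P2P shared folder) and BadBlue.lnk (a server launched from the Desktop). Zone Labs, Viewpoint, Messenger and the Office shortcut pass, which is the point of keeping the rules narrow: the output is a short list of questions for the analyst, not a verdict.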
  25. tm6527

    tm6527 Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    40
    Forgot to mention a couple of things. First, the TDS-3 scan took longer than normal to finish. Also, that Adware.MiniBug was accidentally downloaded by my brother yesterday. It's deleted. I will delete what's left over.

    I couldn't find Adware.MiniBug.

    I have also checked suspicious files, but that site only seems to work on small files or else you're disconnected from the site. I only checked one file and that was the ... > microsoft suite/.../word chap 1; got disconnected when checking media9 and zonealarm.

    Stinger v1000 finished, finding no viruses or trojans from its 43 v/t list.

    On and forward......
     