List of Trojans beginning with "Y"

**307WRC** · January 28th, 2010, 11:16 PM

It looks like my friend's XP computer is infected with a trojan. When he browses with IE 7 and tries to visit the Malwarebytes site, for example, the page changes to a "this site is unsafe" window and has a popup asking him to scan or ignore. I right-clicked this page today (to see the properties window in order to find the trojan name) and found a name that started with "Y" but I didn't have time to write it down and I have since forgotten it. I did Google the name and found a MS page that described the trojan but was unable to click-through without the "this site is unsafe" window coming up. I was able to run the free A-Squared trojan scan and it found 9 items. We tried to d/l HijackThis but were unable. I know that if I saw the name I would recognise it. Is there a list of trojan names?

I'm trying to get him to update to IE 8 at least and use Firefox for his primary browser but his wife and kids also must use the same machine (they only have this PC). I think that he probably needs to reboot in Safe Mode and then he might be able to d/l HJT to at least get a log started. If we can, which version of HJT should we get?

**307WRC** · January 28th, 2010, 11:25 PM

A-Squared has an Emergency USB Stick that contains their Free scanner and I was wondering if anyone here has experience with it? This may be easier b/c I live about 30 miles away and my machine is a desktop. I could get a memory stick (don't currently have one) and put A-Squared free on it to see if that works.

**307WRC** · January 28th, 2010, 11:30 PM

I found the name - it's Win32/Yektel.A - http://www.microsoft.com/security/po...n32%2fYektel.A

**fink** · January 29th, 2010, 03:08 AM

Try doing these scans.. use safe mode with networking to try and download them.. if that doesn't work then download them yourself onto a usb drive and try to run them on the PC. (Another option would be to make a boot cd with Bitdefender a/v scanner.. here..
http://www.bitdefender.com/KB417-en-...Rescue-CD.html but try these following scans first)
Print these instructions out.

NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner4.exe

1. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.

PHYSICALLY DISCONNECT FROM THE INTERNET

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

* Open SUPERAntiSpyware.
* Under Configuration and Preferences, click the Preferences button.
* Under [b]General and Startup" tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* Back on the main screen, under Scan for Harmful Software click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under Complete Scan, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.
NOTE: Tracking cookies can be omitted from the log.

RECONNECT TO THE INTERNET

RESTART COMPUTER!

2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

3. Download gmer.zip: http://www.gmer.net/files.php
Unzip the file, and double click on gmer.exe, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log to your next reply.

RESTART COMPUTER

4. Download, install, and run HijackThis:
http://www.snapfiles.com/get/hijackthis.html
Post HijackThis log.
Do NOT attempt to "fix" anything yet with Hijackthis!

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

Above layout courtesy of Broni

(It's the latest version of hijackthis)

**307WRC** · February 1st, 2010, 06:32 PM

We were able to d/l & install MBAM without going into Safe Mode. MBAM found 177 infections and we removed all. Here is the log:

Malwarebytes' Anti-Malware 1.44
Database version: 3674
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2010/02/01 14:26:58
mbam-log-2010-02-01 (14-26-58).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 230513
Time elapsed: 1 hour(s), 5 minute(s), 18 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 40
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 21
Files Infected: 109

Memory Processes Infected:
C:\WINDOWS\essledv.exe (Spyware.Passwords) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Adware.Ecobar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Adware.Ecobar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca3eb689-8f09-4026-aa10-b9534c691ce0} (Adware.Ecobar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servises (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

**307WRC** · February 1st, 2010, 06:35 PM

MBAM scan cont'd

Malwarebytes' Anti-Malware 1.44
Database version: 3674
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2010/02/01 14:26:58
mbam-log-2010-02-01 (14-26-58).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 230513
Time elapsed: 1 hour(s), 5 minute(s), 18 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 40
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 21
Files Infected: 109

Memory Processes Infected:
C:\WINDOWS\essledv.exe (Spyware.Passwords) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Adware.Ecobar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Adware.Ecobar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca3eb689-8f09-4026-aa10-b9534c691ce0} (Adware.Ecobar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servises (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

**307WRC** · February 1st, 2010, 07:48 PM

Here's the SAS log (scan was run in normal mode):

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/01/2010 at 03:24 PM

Application Version : 4.33.1000

Core Rules Database Version : 4544
Trace Rules Database Version: 2356

Scan type : Complete Scan
Total Scan Time : 00:37:12

Memory items scanned : 447
Memory threats detected : 0
Registry items scanned : 6073
Registry threats detected : 5
File items scanned : 22720
File threats detected : 79

Adware.Tracking Cookie
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@serving-sys[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@apmebf[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@revsci[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mediaplex[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mywebsearch[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@burstnet[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@chitika[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@questionmarket[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@collective-media[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@specificclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@adbrite[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\[email protected][1].txt
C:\Documents and Settings\HelpAssistant\Cookies\[email protected][1].txt
C:\Documents and Settings\HelpAssistant\Cookies\[email protected][3].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@serving-sys[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@revsci[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\[email protected][1].txt
C:\Documents and Settings\HelpAssistant\Cookies\[email protected][2].txt
C:\Documents and Settings\HelpAssistant\Cookies\[email protected][3].txt
C:\Documents and Settings\HelpAssistant\Cookies\[email protected][1].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@mediaplex[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@eyewonder[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\[email protected][2].txt
C:\Documents and Settings\HelpAssistant\Cookies\[email protected][1].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@imrworldwide[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\[email protected][2].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@advertising[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\[email protected][2].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@realmedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@doubleclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@atdmt[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@mywebsearch[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@fastclick[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@invitemedia[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@specificmedia[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@apmebf[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@media6degrees[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@lfstmedia[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@insightexpressai[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\[email protected][1].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@trafficmp[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\[email protected][1].txt
C:\Documents and Settings\HelpAssistant\Cookies\[email protected][1].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@burstbeacon[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\[email protected][2].txt
C:\Documents and Settings\HelpAssistant\Cookies\[email protected][2].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@pointroll[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@revenue[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@casalemedia[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\compaq_owner@247realmedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\[email protected][2].txt

Browser Hijacker.Deskbar
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version

Adware.MyWebSearch/FunWebProducts
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP111\A0009690.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP111\A0009691.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP111\A0009692.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP111\A0009693.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP111\A0009694.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP111\A0009697.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP111\A0009700.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0009803.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP114\A0009833.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP114\A0009834.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP114\A0009835.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP114\A0009836.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP114\A0009837.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP114\A0009840.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP114\A0009843.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP145\A0012721.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP145\A0012722.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP145\A0012723.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP145\A0012724.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP145\A0012725.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP145\A0012728.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP145\A0012731.DLL

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP179\A0017885.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP179\A0017886.EXE

**307WRC** · February 5th, 2010, 05:49 PM

I'm back with my friend MyBot to post an HJT log. Prior to this log we ran scans with MBAM, SAS, A-Squared (free) and Avast. All items were fixed but logs have been saved. I installed SpywareBlaster, CCleaner, Auslogics Disk Defrag and CNET's TechTracker. We scanned for rootkits today with Sophos' Anti-Rootkit (it just found 3 cookies). On with the Trend Micro HJT log (atached)...

**Broni** · February 5th, 2010, 06:32 PM

Please, paste all logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:34:17, on 2010/02/05
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\CTFMON.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Compaq_Owner\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myspace.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by MySpace
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BrowserHelper Class - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - C:\Program Files\SGPSA\SearchAssistant.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Verizon Custom Uninstall Tracking] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\InstallHelper.exe /uninstalltrackingvendor=Verizon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: CNET TechTracker.lnk = C:\Documents and Settings\Compaq_Owner\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/s...0Installer.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Google Update Service (gupdate1c9d3392e756754) (gupdate1c9d3392e756754) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod ???? (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O24 - Desktop Component 0: (no name) - http://photocache.petfinder.com/foto...40013-1-pn.jpg

--
End of file - 10018 bytes

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

**307WRC** · February 5th, 2010, 06:41 PM

Broni,

Can you make a board change that will allow MyBot (my friend's computer) to post replies to this thread? He just registered today. I also installed the Auslogics Registry Cleaner but we haven't used it. I'm still at MyBot's house and will post the other logs before I leave but I would like to use his VDR ID, if possible. Thanks!

**Broni** · February 5th, 2010, 06:59 PM

You'd have to ask some of moderators. I'm not one.
DO NOT use any registry cleaners. Get rid of them.

**307WRC** · February 5th, 2010, 07:40 PM

OK, we restored the previous registry and uninstalled the program. I'm leaving MyBot's house so how can I contact a Mod. to allow MyBot to post logs in my absence? Thanks.

**Broni** · February 5th, 2010, 09:18 PM

Sure thing

PM one of mods.

Thread: List of Trojans beginning with "Y"

Thread Tools

Search Thread

Display

List of Trojans beginning with "Y"

Thread Information

Users Browsing this Thread

Posting Permissions