
Multiple Infections-Rootkit.Agent--Trojan-Spy.Zbot


This topic is locked
14 replies to this topic

#1 kitzy25

  • Members
  • 7 posts

Posted 21 March 2009 - 05:20 PM

I have tried scanning with Webroot Antivirus w/ Anti Spyware, Malwarebytes' Anti-Malware, Spyware Doctor, Super Anti-Spyware. I initially had several different types of infections including Trojan-Spy.Zbot, Rootkit.Agent/Rustock, Mal/EncPk-FO. I also had Trojan/Vundo. Now many of the scans are coming up clean, except for the rootkit. However, I am still experiencing issues. I have a Yoog Search that keeps appearing in my toolbar search, Mozilla is slow to load, most applications are slow to load.

I am running Microsoft Windows XP SP2.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Matt at 17:01:47.53 on 2009-03-21
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.125 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\OO Software\DiskImage\oodiag.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Matt\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SUPERAntiSpyware] "c:\program files\superantispyware\SUPERAntiSpyware.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227052421015
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=24931
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !saswinlogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\3qy3v2fp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www14.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www14.yoog.com/search.php?q=
FF - component: c:\documents and settings\matt\application data\mozilla\firefox\profiles\3qy3v2fp.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\EbayAccessService.dll
FF - component: c:\documents and settings\matt\application data\mozilla\firefox\profiles\3qy3v2fp.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\EbayFormSubmitObserver.dll
FF - component: c:\program files\mozilla firefox 3.1 beta 1\components\3dd49e52-8d68-ee7b-ba15-5c0dddb7e3cd.dll
FF - plugin: c:\documents and settings\matt\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\matt\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin7.dll
FF - HiddenExtension: XUL Cache: {D8AA92F9-C82E-40AF-AB81-E5695D35001F} - c:\documents and settings\matt\local settings\application data\{D8AA92F9-C82E-40AF-AB81-E5695D35001F}
FF - HiddenExtension: XUL Cache: {947B740A-BB0E-4109-BC87-89AD1B77EE27} - c:\documents and settings\kate\local settings\application data\{947B740A-BB0E-4109-BC87-89AD1B77EE27}

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www14.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www14.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true

============= SERVICES / DRIVERS ===============

R0 oodisr;O&O DiskImage Snapshot/Restore Driver;c:\windows\system32\drivers\oodisr.sys [2008-9-24 95752]
R0 oodisrh;oodisrh;c:\windows\system32\drivers\oodisrh.sys [2008-9-24 28680]
R0 oodivd;O&O DiskImage VirtualDisk Driver;c:\windows\system32\drivers\oodivd.sys [2008-9-24 133640]
R0 oodivdh;oodivdh;c:\windows\system32\drivers\oodivdh.sys [2008-9-24 31240]
R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-19 130424]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-2-13 29808]
R0 tffsmon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-3-20 51520]
R0 tfsysmon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-3-20 38208]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-3-19 159600]
R1 sasdifsv;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 saskutil;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R2 O&O DiskImage;O&O DiskImage;c:\program files\oo software\diskimage\oodiag.exe [2008-9-24 1934592]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-3-20 348752]
R2 sdcoreservice;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-3-20 1095560]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-2-13 4048240]
R3 P1130VID;Creative WebCam NX Pro;c:\windows\system32\drivers\P1130Vid.sys [2008-12-25 90229]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-3-19 64392]
R3 sasenum;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
R3 tfnetmon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-3-20 33088]
R3 threatfire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S2 eopbqi;eopbqi;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]

=============== Created Last 30 ================

2009-03-21 16:13 <DIR> --d----- c:\documents and settings\matt\DoctorWeb
2009-03-21 15:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-21 15:54 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-21 15:54 <DIR> --d----- c:\docume~1\matt\applic~1\SUPERAntiSpyware.com
2009-03-21 15:54 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-21 15:37 <DIR> --d----- C:\VundoFix Backups
2009-03-21 11:14 48,544 a------- c:\docume~1\matt\applic~1\GDIPFONTCACHEV1.DAT
2009-03-21 08:06 <DIR> --d----- c:\program files\Cobian Backup 9
2009-03-20 18:20 51,520 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-03-20 18:20 38,208 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-03-20 18:20 33,088 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-03-20 18:20 12,608 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-03-20 16:17 <DIR> --d----- c:\program files\Trend Micro
2009-03-19 05:26 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-03-19 05:25 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-03-19 05:25 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-19 05:25 <DIR> --d----- c:\program files\common files\PC Tools
2009-03-19 05:25 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-03-19 05:24 <DIR> --d----- c:\program files\Spyware Doctor
2009-03-19 05:24 <DIR> --d----- c:\docume~1\matt\applic~1\PC Tools
2009-03-19 05:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-03-18 19:06 <DIR> --d----- c:\program files\WinPcap
2009-03-18 17:50 <DIR> --d----- C:\NVIDIA
2009-03-18 14:26 446 a------- c:\windows\system32\win32hlp.cnf
2009-03-18 14:19 92,398 a------- c:\windows\system32\drivers\b77169f8.sys
2009-03-18 14:17 99,328 a------- C:\camekk.exe
2009-03-18 14:17 2 a------- C:\679051064
2009-03-18 14:17 10,240 a------- C:\ijdhhel.exe
2009-03-18 14:17 422,400 a------- C:\gc98.exe
2009-03-17 20:55 <DIR> --d----- c:\docume~1\matt\applic~1\Home Designer Suite 8.0
2009-03-17 20:11 102,400 a------- c:\windows\system32\tsccvid.dll
2009-03-17 19:55 <DIR> --d----- c:\program files\Chief Architect Inc
2009-03-17 17:22 <DIR> --d----- c:\docume~1\matt\applic~1\BitTorrent
2009-03-17 17:21 <DIR> --d----- c:\program files\DNA
2009-03-17 17:21 <DIR> --d----- c:\docume~1\matt\applic~1\DNA
2009-03-17 17:21 <DIR> --d----- c:\program files\BitTorrent
2009-03-17 16:57 85,675 a------- c:\windows\system32\e6c3b338-d6a4-fedc-4b4a-d0a0643c4258.exe
2009-03-17 16:56 48,285 a------- c:\windows\system32\xbfhbmrmfyw.exe
2009-03-17 16:56 199,191 a------- c:\windows\rcalv4356.exe
2009-03-08 09:25 41,984 -------- c:\windows\Ctregrun.exe
2009-03-08 09:24 <DIR> --d----- C:\CtDriverInstTemp
2009-03-08 09:23 <DIR> --d----- C:\Media
2009-03-08 09:21 <DIR> --d----- c:\program files\Creative
2009-03-01 14:09 <DIR> --d----- c:\program files\Eusing Free Registry Cleaner
2009-03-01 14:01 <DIR> --d----- c:\program files\RegistryFix7
2009-02-25 18:45 <DIR> --d----- c:\windows\system32\appmgmt
2009-02-24 17:38 <DIR> --d----- c:\program files\MSSOAP
2009-02-24 17:37 1,553,784 a------- c:\windows\WRSetup.dll
2009-02-24 17:37 <DIR> --d----- c:\program files\Webroot
2009-02-24 17:37 <DIR> --d----- c:\docume~1\matt\applic~1\Webroot
2009-02-24 17:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-02-24 17:36 164 a------- c:\windows\install.dat
2009-02-23 19:17 <DIR> --d----- c:\docume~1\matt\applic~1\Malwarebytes
2009-02-23 19:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-23 19:17 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-23 19:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-23 19:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-22 16:29 1,608,260 ---sh--- c:\windows\system32\udifuheg.ini
2009-02-22 08:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-02-22 08:34 <DIR> --d----- c:\program files\common files\iS3
2009-02-22 08:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-02-21 21:07 155,648 a------- c:\windows\system32\addurl41.DLL
2009-02-21 21:07 18,432 a------- c:\windows\system32\winwatch.DLL
2009-02-21 20:50 <DIR> --d----- c:\program files\Enigma Software Group
2009-02-21 14:50 133,632 a------- c:\windows\onujanecatevih.dll
2009-02-21 14:00 9,446 a------- c:\windows\GnuHashes.ini
2009-02-21 13:53 1,492 a--sh--- c:\windows\system32\GroupPolicy000.dat

==================== Find3M ====================

2009-03-21 15:46 388,608 a------- c:\windows\system32\CF788.exe
2009-03-18 14:25 104,960 a------- c:\windows\system32\userinit.exe
2009-03-18 14:19 14,336 a------- c:\windows\system32\svchost.exe
2009-02-13 17:09 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
2009-02-13 17:09 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2009-02-13 17:09 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-02-12 20:43 64,808 a------- c:\documents and settings\matt\GoToAssistDownloadHelper.exe
2009-01-05 17:33 3,751,995 a------- c:\windows\system32\GPhotos.scr

============= FINISH: 17:04:43.17 ===============
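The DDS log above already holds the indicators that explain the symptoms the poster describes: the Winlogon Userinit value carries a second executable (sdra64.exe) after the stock userinit.exe, the Firefox search preferences point at www14.yoog.com, and a "HiddenExtension" is registered from a folder inside a user profile. The following Python script is an added example, not part of the original post and not a DDS or BleepingComputer tool; it runs the three corresponding checks over a constructed excerpt that copies those lines from the log. The `trusted_hosts` allowlist and the function names are the example's own assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt: these lines copy the shape (and the suspicious values) of the
# DDS "Pseudo HJT Report" and FIREFOX sections posted in the thread. DDS defangs
# http:// as hxxp:// so that log viewers do not turn the values into live links.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
FF - prefs.js: browser.search.defaulturl - hxxp://www14.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www14.yoog.com/search.php?q=
FF - plugin: c:\program files\mozilla firefox\plugins\nppdf32.dll
FF - HiddenExtension: XUL Cache: {D8AA92F9-C82E-40AF-AB81-E5695D35001F} - c:\documents and settings\matt\local settings\application data\{D8AA92F9-C82E-40AF-AB81-E5695D35001F}
"""

# The stock Windows XP Userinit value is this single entry followed by a trailing comma.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def userinit_extras(text):
    """Return every executable in the Winlogon Userinit value other than the stock one.

    Anything appended here is started at every interactive logon, so a second
    entry deserves a closer look."""
    extras = []
    for line in text.splitlines():
        m = re.match(r"^mWinlogon:\s*Userinit=(.*)$", line.strip(), re.IGNORECASE)
        if not m:
            continue
        for entry in m.group(1).split(","):
            entry = entry.strip().lower()
            if entry and entry != EXPECTED_USERINIT:
                extras.append(entry)
    return extras


def search_hijack_hosts(text, trusted_hosts=("www.google.com",)):
    """Return hosts that Firefox's default-search / keyword prefs point at outside the trusted set.

    `trusted_hosts` is an assumed allowlist; set it to whatever the machine's owner actually uses."""
    hosts = set()
    pattern = re.compile(
        r"^FF - (?:prefs|user)\.js: (?:browser\.search\.defaulturl|keyword\.URL) - (\S+)"
    )
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if not m:
            continue
        url = m.group(1).replace("hxxp", "http", 1)  # undo the defanging before parsing
        host = urlparse(url).hostname
        if host and host not in trusted_hosts:
            hosts.add(host)
    return sorted(hosts)


def profile_hidden_extensions(text):
    """Return HiddenExtension entries whose install folder lives under a user's Local Settings.

    A machine-wide extension registration that points into a per-user profile folder is
    the pattern the GooredFix log later in the thread reports as a suspect entry."""
    found = []
    marker = "\\local settings\\application data\\"
    for line in text.splitlines():
        m = re.match(r"^FF - HiddenExtension: .*? - (.+)$", line.strip(), re.IGNORECASE)
        if m and marker in m.group(1).lower():
            found.append(m.group(1))
    return found


def triage(text):
    """Run all three checks over a DDS-style report and collect the findings in one dict."""
    return {
        "userinit_extras": userinit_extras(text),
        "search_hijack_hosts": search_hijack_hosts(text),
        "profile_hidden_extensions": profile_hidden_extensions(text),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(f"{name}: {hits if hits else 'none'}")
```

Each check reports what to review rather than deciding anything on its own: a Userinit chain with an extra entry, a search URL on an unexpected host, or a system-wide extension registration living in a profile folder are each strong enough to justify the deeper rootkit and GooredFix scans the helper asks for in the replies that follow.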


#2 maranatha

    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 21 March 2009 - 11:50 PM

Hi kitzy25

Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to help you get cleaned up. I am a student here at BC so all my posts will be checked by one of our experts, so there may be a slight delay between posts.

I see you have P2P software (Limewire, BitTorrent, FrostWire, uTorrent etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

References for the risk of these programs are here, and here.

I would strongly recommend that you uninstall them.


Please do this.

Download RootRepeal.zip to your Desktop.
  • Extract the compressed file to its own folder.
  • Open the folder and double-click on RootRepeal.exe to run it.
  • Click on the Report tab, and then click on: Scan
  • A window opens asking what to include in the scan.
  • Check the following boxes then click OK:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • You will then be asked which drive to scan.
  • Check C: (or the drive your operating system is installed on, if not C)
  • Click OK once again.
The tool will begin scanning and may take a while to complete, so please be patient.

When the scan finishes, click on: Save Report
Name the log RootRepeal.txt and save it to your Documents folder (it should default there).

Post the contents of the report in a reply here.

Thanks
maranatha

Windows7 Professional 64 Bit

I'm going in the wrong direction to be in a hurry!

My help is always free, But I do accept donations.
Donate Here


#3 kitzy25
  • Topic Starter
  • Members
  • 7 posts

Posted 22 March 2009 - 09:53 AM

I uninstalled the P2P software and scanned with RootRepeal. Here is the scan report.

Thanks so much for your help.

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/03/22 09:17
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF650C000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8C24000 Size: 8192 File Visible: No
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF8CB1000 Size: 2560 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF3E73000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Matt\Local Settings\temp\etilqs_UiYBgAMQhO7BHPkDigB5
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\All Users\Application Data\PC Tools\ThreatFire\Orig.db
Status: Allocation size mismatch (API: 466944, Raw: 454656)

Path: F:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a
Status: Locked to the Windows API!

Path: F:\Documents and Settings\Matthew Kitz\Local Settings\Apps\2.0\6RKEW2VJ.QDE\58GB3BJV.QTX\manifests\FootballDocs Draft Advisor (1980 version).cdf-ms
Status: Locked to the Windows API!

Path: F:\Documents and Settings\Matthew Kitz\Local Settings\Apps\2.0\6RKEW2VJ.QDE\58GB3BJV.QTX\manifests\FootballDocs Draft Advisor (1980 version).manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x82f96e40

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf8522506

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf8511240

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf8511432

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x82fa3948

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf8522cc8

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf8522f88

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf85213ec

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x82f96eb8

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x82f96d50

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf85233ec

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x82f96fa8

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x82fa3d08

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x82fa3a38

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x82f96020

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf85227b8

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x82fa39c0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x82f96f30

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf8510ef0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x82fa38d0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x82f96dc8

Stealth Objects
-------------------
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x82bf4570 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x82a9a9c8 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x82a92790 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x828671c0 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x8284c298 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x828c8120 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82b47580 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x82a8bed0 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x828f9298 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82a95230 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82aacdc8 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82a86ce8 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8285d120 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8283d810 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x828a5648 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82a8b450 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82d8f4e8 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82bda600 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x82a5c878 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x82ca2a88 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82d3d100 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8287e4d0 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x82a0fa50 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x828d5460 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x82ad3f10 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x828cf430 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82844c60 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x82844d78 Size: -

#4 maranatha

    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 22 March 2009 - 10:32 PM

Hi
OK thank you.

I will get back to you ASAP.

maranatha



#5 maranatha

    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 24 March 2009 - 08:28 PM

Hi kitzy25

Please do the following in the order given.

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

Now this.

Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double-click combofix.exe and follow the prompts.
  • Vista users right-click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the Combofix log
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

Please post the Goored.txt and the Combofix log.

Thanks
maranatha



#6 kitzy25
  • Topic Starter
  • Members
  • 7 posts

Posted 24 March 2009 - 09:27 PM

Here is the information you asked me to post.

Thanks.

Here is the GooredFix log:


GooredFix v1.92 by jpshortstuff
Log created at 20:43 on 24/03/2009 running Option #1 (Matt)
Firefox version 3.0.7 (en-US)

=====Suspect Goored Entries=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{947B740A-BB0E-4109-BC87-89AD1B77EE27}"="C:\Documents and Settings\Kate\Local Settings\Application Data\{947B740A-BB0E-4109-BC87-89AD1B77EE27}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{D8AA92F9-C82E-40AF-AB81-E5695D35001F}"="C:\Documents and Settings\Matt\Local Settings\Application Data\{D8AA92F9-C82E-40AF-AB81-E5695D35001F}"

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.1b1\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox 3.1 Beta 1\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.1b1\extensions]
"Components"="C:\Program Files\Mozilla Firefox 3.1 Beta 1\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{947B740A-BB0E-4109-BC87-89AD1B77EE27}"="C:\Documents and Settings\Kate\Local Settings\Application Data\{947B740A-BB0E-4109-BC87-89AD1B77EE27}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{D8AA92F9-C82E-40AF-AB81-E5695D35001F}"="C:\Documents and Settings\Matt\Local Settings\Application Data\{D8AA92F9-C82E-40AF-AB81-E5695D35001F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
Here is the Combo Fix log


ComboFix 09-03-23.01 - Matt 2009-03-24 21:14:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.296 [GMT -5:00]
Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kate\Application Data\0200000035bf7a40530C.manifest
c:\documents and settings\Kate\Application Data\0200000035bf7a40530O.manifest
c:\documents and settings\Kate\Application Data\0200000035bf7a40530P.manifest
c:\documents and settings\Kate\Application Data\0200000035bf7a40530S.manifest
c:\documents and settings\LocalService\Application Data\0200000035bf7a40530C.manifest
c:\documents and settings\LocalService\Application Data\0200000035bf7a40530O.manifest
c:\documents and settings\LocalService\Application Data\0200000035bf7a40530P.manifest
c:\documents and settings\LocalService\Application Data\0200000035bf7a40530S.manifest
c:\documents and settings\Matt\Application Data\0200000035bf7a40530C.manifest
c:\documents and settings\Matt\Application Data\0200000035bf7a40530O.manifest
c:\documents and settings\Matt\Application Data\0200000035bf7a40530P.manifest
c:\documents and settings\Matt\Application Data\0200000035bf7a40530S.manifest
c:\program files\Mozilla Firefox\components\3dd49e52-8d68-ee7b-ba15-5c0dddb7e3cd.dll
c:\windows\GnuHashes.ini
c:\windows\rcalv4356.exe
c:\windows\system32\e6c3b338-d6a4-fedc-4b4a-d0a0643c4258.exe
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\udifuheg.ini
c:\windows\system32\win32hlp.cnf
c:\windows\system32\xbfhbmrmfyw.exe

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe


.
((((((((((((((((((((((((( Files Created from 2009-02-25 to 2009-03-25 )))))))))))))))))))))))))))))))
.

2009-03-22 19:43 . 2009-03-22 19:43 41,984 --a------ C:\mtaueu.exe
2009-03-22 19:43 . 2009-03-22 19:43 10,240 --a------ C:\wkaqjah.exe
2009-03-21 16:13 . 2009-03-21 16:13 <DIR> d-------- c:\documents and settings\Matt\DoctorWeb
2009-03-21 15:54 . 2009-03-21 15:54 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-21 15:54 . 2009-03-21 15:54 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-21 15:54 . 2009-03-21 15:54 <DIR> d-------- c:\documents and settings\Matt\Application Data\SUPERAntiSpyware.com
2009-03-21 15:54 . 2009-03-21 15:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-21 15:37 . 2009-03-21 15:37 <DIR> d-------- C:\VundoFix Backups
2009-03-21 11:14 . 2009-03-21 11:14 48,544 --a------ c:\documents and settings\Matt\Application Data\GDIPFONTCACHEV1.DAT
2009-03-21 08:06 . 2009-03-21 13:46 <DIR> d-------- c:\program files\Cobian Backup 9
2009-03-20 18:20 . 2008-06-06 12:15 51,520 --a------ c:\windows\system32\drivers\TfFsMon.sys
2009-03-20 18:20 . 2008-06-06 12:15 38,208 --a------ c:\windows\system32\drivers\TfSysMon.sys
2009-03-20 18:20 . 2008-06-06 12:15 33,088 --a------ c:\windows\system32\drivers\TfNetMon.sys
2009-03-20 18:20 . 2008-06-06 12:15 12,608 --a------ c:\windows\system32\drivers\TfKbMon.sys
2009-03-20 16:17 . 2009-03-20 16:17 <DIR> d-------- c:\program files\Trend Micro
2009-03-19 05:26 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-03-19 05:25 . 2009-03-19 05:26 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-03-19 05:25 . 2009-03-06 16:45 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys
2009-03-19 05:25 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-19 05:25 . 2008-12-10 12:36 64,392 --a------ c:\windows\system32\drivers\pctplsg.sys
2009-03-19 05:24 . 2009-03-24 21:00 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-19 05:24 . 2009-03-19 05:24 <DIR> d-------- c:\documents and settings\Matt\Application Data\PC Tools
2009-03-19 05:24 . 2009-03-20 18:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-03-18 19:06 . 2009-03-18 19:06 <DIR> d-------- c:\program files\WinPcap
2009-03-18 17:50 . 2009-03-18 17:50 <DIR> d-------- C:\NVIDIA
2009-03-18 14:17 . 2009-03-19 17:51 422,400 --a------ C:\gc98.exe
2009-03-18 14:17 . 2009-03-18 14:17 99,328 --a------ C:\camekk.exe
2009-03-18 14:17 . 2009-03-18 14:17 10,240 --a------ C:\ijdhhel.exe
2009-03-18 14:17 . 2009-03-18 14:17 2 --a------ C:\679051064
2009-03-17 20:55 . 2009-03-17 20:55 <DIR> d-------- c:\documents and settings\Matt\Application Data\Home Designer Suite 8.0
2009-03-17 20:11 . 2006-04-30 21:10 102,400 --a------ c:\windows\system32\tsccvid.dll
2009-03-17 19:55 . 2009-03-17 20:11 <DIR> d-------- c:\program files\Chief Architect Inc
2009-03-17 17:21 . 2009-03-20 16:50 <DIR> d-------- c:\program files\DNA
2009-03-17 17:21 . 2009-03-21 13:46 <DIR> d-------- c:\documents and settings\Matt\Application Data\DNA
2009-03-08 09:29 . 2009-03-08 09:29 <DIR> d-------- c:\documents and settings\Matt\Application Data\Creative
2009-03-08 09:25 . 1999-10-10 20:00 41,984 --------- c:\windows\Ctregrun.exe
2009-03-08 09:24 . 2009-03-08 09:24 <DIR> d-------- C:\CtDriverInstTemp
2009-03-08 09:23 . 2009-03-08 09:32 <DIR> d-------- C:\Media
2009-03-08 09:21 . 2009-03-08 09:25 <DIR> d-------- c:\program files\Creative
2009-03-01 14:09 . 2009-03-01 14:27 <DIR> d-------- c:\program files\Eusing Free Registry Cleaner
2009-03-01 14:01 . 2009-03-01 14:01 <DIR> d-------- c:\program files\RegistryFix7
2009-02-25 20:23 . 2009-02-25 20:23 <DIR> d-------- c:\documents and settings\Kate\Application Data\Webroot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 02:01 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-23 21:38 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-21 16:34 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-18 19:19 14,336 ----a-w c:\windows\system32\svchost.exe
2009-03-18 02:18 --------- d-----w c:\documents and settings\Matt\Application Data\FrostWire
2009-03-08 14:25 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-25 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2009-02-25 23:40 --------- d-----w c:\program files\Enigma Software Group
2009-02-24 22:43 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2009-02-24 22:38 --------- d-----w c:\program files\MSSOAP
2009-02-24 22:37 --------- d-----w c:\program files\Webroot
2009-02-24 22:37 --------- d-----w c:\documents and settings\Matt\Application Data\Webroot
2009-02-24 00:17 --------- d-----w c:\documents and settings\Matt\Application Data\Malwarebytes
2009-02-24 00:17 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-22 21:21 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-22 13:36 --------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-02-22 13:34 --------- d-----w c:\program files\Common Files\iS3
2009-02-21 22:46 --------- d-----w c:\program files\RegCure
2009-02-21 19:50 133,632 ----a-w c:\windows\onujanecatevih.dll
2009-02-18 23:57 --------- d-----w c:\documents and settings\Matt\Application Data\Lavasoft
2009-02-18 23:54 --------- d-----w c:\program files\Common Files\Adobe
2009-02-14 17:08 1,553,784 ----a-w c:\windows\WRSetup.dll
2009-02-13 22:09 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2009-02-13 22:09 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2009-02-13 22:09 176,752 ----a-w c:\windows\system32\drivers\ssidrv.sys
2009-02-13 01:43 64,808 ----a-w c:\documents and settings\Matt\GoToAssistDownloadHelper.exe
2009-02-13 01:43 --------- d-----w c:\program files\Citrix
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-07 19:48 --------- d-----w c:\documents and settings\Matt\Application Data\SmartDraw
2009-02-07 18:42 --------- d-----w c:\program files\SmartDraw 2009
2009-02-07 13:51 --------- d-----w c:\program files\HP Photosmart 11
2009-02-07 13:33 --------- d-----w c:\program files\Coupons
2009-02-06 22:05 --------- d-----w c:\program files\Garmin GPS Plugin
2009-02-06 22:05 --------- d-----w c:\program files\DIFX
2009-02-06 22:05 --------- d-----w c:\documents and settings\Matt\Application Data\GARMIN
2009-02-06 22:04 --------- d-----w c:\program files\Garmin
2009-01-28 22:35 --------- d-----w c:\documents and settings\Matt\Application Data\Apple Computer
2009-01-28 22:21 --------- d-----w c:\program files\QuickTime
2009-01-28 22:20 --------- d-----w c:\program files\Apple Software Update
2009-01-28 22:20 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-28 22:20 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-01-28 15:16 --------- d-----w c:\program files\Windows Live SkyDrive
2009-01-28 15:16 --------- d-----w c:\program files\Windows Live
2009-01-28 15:16 --------- d-----w c:\program files\Microsoft
2009-01-28 15:12 --------- d-----w c:\program files\Common Files\Windows Live
2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2008-12-01 22:20 47,008 ----a-w c:\documents and settings\Kate\Application Data\GDIPFONTCACHEV1.DAT
2007-07-18 16:05 13,928 ----a-w c:\documents and settings\My Documents\il.yahoo.com
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-02-14 12:00 238968 --a------ c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OODIIcon]
@="{14A94384-BBED-47ed-86C0-6BF63FD892D0}"
[HKEY_CLASSES_ROOT\CLSID\{14A94384-BBED-47ed-86C0-6BF63FD892D0}]
2008-09-24 12:59 111872 --a------ c:\program files\OO Software\DiskImage\oodishi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-18 136600]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^microsoft office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Matt^Start Menu^Programs^Startup^Spyware Vaccine.lnk]
backup=c:\windows\pss\Spyware Vaccine.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\28797f97]
c:\windows\system32\zufajudi.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobe reader speed launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bittorrent dna]
--a------ 2009-03-17 17:21 321344 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cpm2b4a4c0b]
c:\windows\system32\meruyuva.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\golenipivi]
c:\windows\system32\yusawafa.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\google update]
--a----t- 2008-12-25 12:06 133104 c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mansxktjzcnyuymw]
c:\windows\system32\viopkxmjcghog.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\messenger (yahoo!)]
--a------ 2008-11-05 21:59 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs]
--------- 2004-08-04 00:56 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2008-12-02 22:41 3882312 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nerofiltercheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\promoreg]
c:\docume~1\Matt\LOCALS~1\Temp\s.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\registrymechanic]
--a------ 2008-07-08 17:41 2828184 c:\program files\Registry Mechanic\RegMech.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2009-02-14 12:08 6308728 c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-01-15 16:17 1830128 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\framework windows]
frmwrk32.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\Matt\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Matt\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\ClamWin\\bin\\ClamTray.exe"=
"c:\\WINDOWS\\system32\\shmgrate.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:Promo
"53:UDP"= 53:UDP:Promo

R0 oodisr;O&O DiskImage Snapshot/Restore Driver;c:\windows\system32\drivers\oodisr.sys [2008-09-24 95752]
R0 oodisrh;oodisrh;c:\windows\system32\drivers\oodisrh.sys [2008-09-24 28680]
R0 oodivd;O&O DiskImage VirtualDisk Driver;c:\windows\system32\drivers\oodivd.sys [2008-09-24 133640]
R0 oodivdh;oodivdh;c:\windows\system32\drivers\oodivdh.sys [2008-09-24 31240]
R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-19 130424]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-02-13 29808]
R0 tffsmon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-03-20 51520]
R0 tfsysmon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-03-20 38208]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-03-19 159600]
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R2 O&O DiskImage;O&O DiskImage;c:\program files\OO Software\DiskImage\oodiag.exe [2008-09-24 1934592]
R3 P1130VID;Creative WebCam NX Pro;c:\windows\system32\drivers\P1130Vid.sys [2008-12-25 90229]
S2 eopbqi;eopbqi;c:\windows\System32\svchost.exe -k netsvcs [2001-08-23 14336]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-03-19 64392]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-20 348752]
S3 tfnetmon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-03-20 33088]
S3 threatfire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Eopbqi
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-22 13:24]

2009-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1993962763-682003330-1004.job
- c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-25 12:06]

2009-03-21 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]

2009-03-22 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]

2009-02-28 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-08-11 06:29]

2009-03-20 c:\windows\Tasks\wrSpySweeper_L2B124C0063DA4748A915D380CDAD91FD.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-02-14 12:08]

2009-03-20 c:\windows\Tasks\wrSpySweeper_L2B124C0063DA4748A915D380CDAD91FD.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-02-14 12:08]

2009-03-20 c:\windows\Tasks\wrSpySweeper_L2B124C0063DA4748A915D380CDAD91FD.job
- A:\ []
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-WRConsumerService


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\3qy3v2fp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www14.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www14.yoog.com/search.php?q=
FF - component: c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\3qy3v2fp.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayAccessService.dll
FF - component: c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\3qy3v2fp.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayFormSubmitObserver.dll
FF - plugin: c:\documents and settings\Matt\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www14.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www14.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 21:19:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(876)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
.
**************************************************************************
.
Completion time: 2009-03-24 21:24:35 - machine was rebooted [Matt]
ComboFix-quarantined-files.txt 2009-03-25 02:24:29

Pre-Run: 94,467,719,168 bytes free
Post-Run: 94,414,217,216 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn


#7 maranatha

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 26 March 2009 - 10:17 PM

Hi kitzy25
Sorry for the delay.

Please do this.

Please double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.


Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Click here to see how to use CFScript.txt
Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

File::
C:\mtaueu.exe
C:\wkaqjah.exe
C:\gc98.exe
C:\camekk.exe
C:\ijdhhel.exe
C:\679051064
c:\windows\onujanecatevih.dll
c:\windows\system32\zufajudi.dll
c:\windows\system32\meruyuva.dll
c:\windows\system32\yusawafa.dll
c:\windows\system32\viopkxmjcghog.dll
c:\docume~1\Matt\LOCALS~1\Temp\s.exe

Folder::
c:\documents and settings\Matt\Application Data\FrostWire

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\28797f97]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cpm2b4a4c0b]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\golenipivi]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mansxktjzcnyuymw]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\promoreg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\framework windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs]
"Eopbqi"=-

Driver::
eopbqi

Please post the Combofix log and the GooredLog.txt

Thanks
maranatha


#8 kitzy25

  • Topic Starter
  • Members
  • 7 posts

Posted 27 March 2009 - 04:06 PM

Here is the ComboFix log and the GooredFix log.

Thanks.

ComboFix Log

ComboFix 09-03-26.03 - Matt 2009-03-27 15:50:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.287 [GMT -5:00]
Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Matt\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\679051064
C:\camekk.exe
c:\docume~1\Matt\LOCALS~1\Temp\s.exe
C:\gc98.exe
C:\ijdhhel.exe
C:\mtaueu.exe
c:\windows\onujanecatevih.dll
c:\windows\system32\meruyuva.dll
c:\windows\system32\viopkxmjcghog.dll
c:\windows\system32\yusawafa.dll
c:\windows\system32\zufajudi.dll
C:\wkaqjah.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\679051064
C:\camekk.exe
c:\documents and settings\Matt\Application Data\FrostWire
c:\documents and settings\Matt\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
c:\documents and settings\Matt\Application Data\FrostWire\checkandupdate.txt
c:\documents and settings\Matt\Application Data\FrostWire\createtimes.cache
c:\documents and settings\Matt\Application Data\FrostWire\downloads.dat
c:\documents and settings\Matt\Application Data\FrostWire\fileurns.bak
c:\documents and settings\Matt\Application Data\FrostWire\fileurns.cache
c:\documents and settings\Matt\Application Data\FrostWire\filters.props
c:\documents and settings\Matt\Application Data\FrostWire\frostwire.props
c:\documents and settings\Matt\Application Data\FrostWire\gnutella.net
c:\documents and settings\Matt\Application Data\FrostWire\installation.props
c:\documents and settings\Matt\Application Data\FrostWire\intent.props
c:\documents and settings\Matt\Application Data\FrostWire\library.dat
c:\documents and settings\Matt\Application Data\FrostWire\mojito.props
c:\documents and settings\Matt\Application Data\FrostWire\questions.props
c:\documents and settings\Matt\Application Data\FrostWire\responses.cache
c:\documents and settings\Matt\Application Data\FrostWire\simpp.xml
c:\documents and settings\Matt\Application Data\FrostWire\spam.dat
c:\documents and settings\Matt\Application Data\FrostWire\tables.props
c:\documents and settings\Matt\Application Data\FrostWire\themes\frostwirePro_theme.fwtp
c:\documents and settings\Matt\Application Data\FrostWire\themes\frostwirePro_theme\theme.txt
c:\documents and settings\Matt\Application Data\FrostWire\themes\frostwirePro_theme\version.txt
c:\documents and settings\Matt\Application Data\FrostWire\ttrees.cache
c:\documents and settings\Matt\Application Data\FrostWire\ttroot.cache
c:\documents and settings\Matt\Application Data\FrostWire\version.xml
c:\documents and settings\Matt\Application Data\FrostWire\xml\data\audio.sxml2
C:\gc98.exe
C:\ijdhhel.exe
C:\mtaueu.exe
c:\windows\onujanecatevih.dll
C:\wkaqjah.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_eopbqi
-------\Service_eopbqi


((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
.

2009-03-21 16:13 . 2009-03-21 16:13 <DIR> d-------- c:\documents and settings\Matt\DoctorWeb
2009-03-21 15:54 . 2009-03-21 15:54 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-21 15:54 . 2009-03-21 15:54 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-21 15:54 . 2009-03-21 15:54 <DIR> d-------- c:\documents and settings\Matt\Application Data\SUPERAntiSpyware.com
2009-03-21 15:54 . 2009-03-21 15:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-21 15:37 . 2009-03-21 15:37 <DIR> d-------- C:\VundoFix Backups
2009-03-21 11:14 . 2009-03-21 11:14 48,544 --a------ c:\documents and settings\Matt\Application Data\GDIPFONTCACHEV1.DAT
2009-03-21 08:06 . 2009-03-21 13:46 <DIR> d-------- c:\program files\Cobian Backup 9
2009-03-20 18:20 . 2008-06-06 12:15 51,520 --a------ c:\windows\system32\drivers\TfFsMon.sys
2009-03-20 18:20 . 2008-06-06 12:15 38,208 --a------ c:\windows\system32\drivers\TfSysMon.sys
2009-03-20 18:20 . 2008-06-06 12:15 33,088 --a------ c:\windows\system32\drivers\TfNetMon.sys
2009-03-20 18:20 . 2008-06-06 12:15 12,608 --a------ c:\windows\system32\drivers\TfKbMon.sys
2009-03-20 16:17 . 2009-03-20 16:17 <DIR> d-------- c:\program files\Trend Micro
2009-03-19 05:26 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-03-19 05:25 . 2009-03-19 05:26 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-03-19 05:25 . 2009-03-06 16:45 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys
2009-03-19 05:25 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-19 05:25 . 2008-12-10 12:36 64,392 --a------ c:\windows\system32\drivers\pctplsg.sys
2009-03-19 05:24 . 2009-03-26 16:10 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-19 05:24 . 2009-03-19 05:24 <DIR> d-------- c:\documents and settings\Matt\Application Data\PC Tools
2009-03-19 05:24 . 2009-03-20 18:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-03-18 19:06 . 2009-03-18 19:06 <DIR> d-------- c:\program files\WinPcap
2009-03-18 17:50 . 2009-03-18 17:50 <DIR> d-------- C:\NVIDIA
2009-03-17 20:55 . 2009-03-17 20:55 <DIR> d-------- c:\documents and settings\Matt\Application Data\Home Designer Suite 8.0
2009-03-17 20:11 . 2006-04-30 21:10 102,400 --a------ c:\windows\system32\tsccvid.dll
2009-03-17 19:55 . 2009-03-17 20:11 <DIR> d-------- c:\program files\Chief Architect Inc
2009-03-17 17:21 . 2009-03-20 16:50 <DIR> d-------- c:\program files\DNA
2009-03-17 17:21 . 2009-03-21 13:46 <DIR> d-------- c:\documents and settings\Matt\Application Data\DNA
2009-03-08 09:29 . 2009-03-08 09:29 <DIR> d-------- c:\documents and settings\Matt\Application Data\Creative
2009-03-08 09:25 . 1999-10-10 20:00 41,984 --------- c:\windows\Ctregrun.exe
2009-03-08 09:24 . 2009-03-08 09:24 <DIR> d-------- C:\CtDriverInstTemp
2009-03-08 09:23 . 2009-03-08 09:32 <DIR> d-------- C:\Media
2009-03-08 09:21 . 2009-03-08 09:25 <DIR> d-------- c:\program files\Creative
2009-03-01 14:09 . 2009-03-01 14:27 <DIR> d-------- c:\program files\Eusing Free Registry Cleaner
2009-03-01 14:01 . 2009-03-01 14:01 <DIR> d-------- c:\program files\RegistryFix7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-27 09:20 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-26 21:10 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-21 16:34 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-18 19:19 14,336 ----a-w c:\windows\system32\svchost.exe
2009-03-08 14:25 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-26 01:23 --------- d-----w c:\documents and settings\Kate\Application Data\Webroot
2009-02-25 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2009-02-25 23:40 --------- d-----w c:\program files\Enigma Software Group
2009-02-24 22:43 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2009-02-24 22:38 --------- d-----w c:\program files\MSSOAP
2009-02-24 22:37 --------- d-----w c:\program files\Webroot
2009-02-24 22:37 --------- d-----w c:\documents and settings\Matt\Application Data\Webroot
2009-02-24 00:17 --------- d-----w c:\documents and settings\Matt\Application Data\Malwarebytes
2009-02-24 00:17 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-22 21:21 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-22 13:36 --------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-02-22 13:34 --------- d-----w c:\program files\Common Files\iS3
2009-02-21 22:46 --------- d-----w c:\program files\RegCure
2009-02-18 23:57 --------- d-----w c:\documents and settings\Matt\Application Data\Lavasoft
2009-02-18 23:54 --------- d-----w c:\program files\Common Files\Adobe
2009-02-14 17:08 1,553,784 ----a-w c:\windows\WRSetup.dll
2009-02-13 22:09 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2009-02-13 22:09 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2009-02-13 22:09 176,752 ----a-w c:\windows\system32\drivers\ssidrv.sys
2009-02-13 01:43 64,808 ----a-w c:\documents and settings\Matt\GoToAssistDownloadHelper.exe
2009-02-13 01:43 --------- d-----w c:\program files\Citrix
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-07 19:48 --------- d-----w c:\documents and settings\Matt\Application Data\SmartDraw
2009-02-07 18:42 --------- d-----w c:\program files\SmartDraw 2009
2009-02-07 13:51 --------- d-----w c:\program files\HP Photosmart 11
2009-02-07 13:33 --------- d-----w c:\program files\Coupons
2009-02-06 22:05 --------- d-----w c:\program files\Garmin GPS Plugin
2009-02-06 22:05 --------- d-----w c:\program files\DIFX
2009-02-06 22:05 --------- d-----w c:\documents and settings\Matt\Application Data\GARMIN
2009-02-06 22:04 --------- d-----w c:\program files\Garmin
2009-01-28 22:35 --------- d-----w c:\documents and settings\Matt\Application Data\Apple Computer
2009-01-28 22:21 --------- d-----w c:\program files\QuickTime
2009-01-28 22:20 --------- d-----w c:\program files\Apple Software Update
2009-01-28 22:20 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-28 22:20 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-01-28 15:16 --------- d-----w c:\program files\Windows Live SkyDrive
2009-01-28 15:16 --------- d-----w c:\program files\Windows Live
2009-01-28 15:16 --------- d-----w c:\program files\Microsoft
2009-01-28 15:12 --------- d-----w c:\program files\Common Files\Windows Live
2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2008-12-01 22:20 47,008 ----a-w c:\documents and settings\Kate\Application Data\GDIPFONTCACHEV1.DAT
2007-07-18 16:05 13,928 ----a-w c:\documents and settings\My Documents\il.yahoo.com
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-02-14 12:00 238968 --a------ c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OODIIcon]
@="{14A94384-BBED-47ed-86C0-6BF63FD892D0}"
[HKEY_CLASSES_ROOT\CLSID\{14A94384-BBED-47ed-86C0-6BF63FD892D0}]
2008-09-24 12:59 111872 --a------ c:\program files\OO Software\DiskImage\oodishi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-18 136600]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-02-14 6308728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^microsoft office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Matt^Start Menu^Programs^Startup^Spyware Vaccine.lnk]
backup=c:\windows\pss\Spyware Vaccine.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobe reader speed launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bittorrent dna]
--a------ 2009-03-17 17:21 321344 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\google update]
--a----t- 2008-12-25 12:06 133104 c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\messenger (yahoo!)]
--a------ 2008-11-05 21:59 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs]
--------- 2004-08-04 00:56 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2008-12-02 22:41 3882312 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nerofiltercheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\registrymechanic]
--a------ 2008-07-08 17:41 2828184 c:\program files\Registry Mechanic\RegMech.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2009-02-14 12:08 6308728 c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-01-15 16:17 1830128 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\Matt\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Matt\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\ClamWin\\bin\\ClamTray.exe"=
"c:\\WINDOWS\\system32\\shmgrate.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:Promo
"53:UDP"= 53:UDP:Promo

R0 oodisr;O&O DiskImage Snapshot/Restore Driver;c:\windows\system32\drivers\oodisr.sys [2008-09-24 95752]
R0 oodisrh;oodisrh;c:\windows\system32\drivers\oodisrh.sys [2008-09-24 28680]
R0 oodivd;O&O DiskImage VirtualDisk Driver;c:\windows\system32\drivers\oodivd.sys [2008-09-24 133640]
R0 oodivdh;oodivdh;c:\windows\system32\drivers\oodivdh.sys [2008-09-24 31240]
R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-19 130424]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-02-13 29808]
R0 tffsmon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-03-20 51520]
R0 tfsysmon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-03-20 38208]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-03-19 159600]
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R2 O&O DiskImage;O&O DiskImage;c:\program files\OO Software\DiskImage\oodiag.exe [2008-09-24 1934592]
R3 P1130VID;Creative WebCam NX Pro;c:\windows\system32\drivers\P1130Vid.sys [2008-12-25 90229]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-03-19 64392]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-20 348752]
S3 tfnetmon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-03-20 33088]
S3 threatfire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-26 21:14]

2009-03-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1993962763-682003330-1004.job
- c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-25 12:06]

2009-03-21 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]

2009-03-22 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]

2009-02-28 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-08-11 06:29]

2009-03-20 c:\windows\Tasks\wrSpySweeper_L2B124C0063DA4748A915D380CDAD91FD.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-02-14 12:08]

2009-03-20 c:\windows\Tasks\wrSpySweeper_L2B124C0063DA4748A915D380CDAD91FD.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-02-14 12:08]

2009-03-20 c:\windows\Tasks\wrSpySweeper_L2B124C0063DA4748A915D380CDAD91FD.job
- A:\ []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\3qy3v2fp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www14.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www14.yoog.com/search.php?q=
FF - plugin: c:\documents and settings\Matt\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www14.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www14.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 15:56:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(876)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
.
**************************************************************************
.
Completion time: 2009-03-27 16:02:25 - machine was rebooted [Matt]
ComboFix-quarantined-files.txt 2009-03-27 21:02:21
ComboFix2.txt 2009-03-25 02:24:37

Pre-Run: 95,360,901,120 bytes free
Post-Run: 95,353,430,016 bytes free

331



GooredFix Log

GooredFix v1.92 by jpshortstuff
Log created at 15:28 on 27/03/2009 running Option #2 (Matt)
Firefox version 3.0.7 (en-US)
(Subsequent Run)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.1b1\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox 3.1 Beta 1\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.1b1\extensions]
"Components"="C:\Program Files\Mozilla Firefox 3.1 Beta 1\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

#9 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:03:01 PM

Posted 27 March 2009 - 09:00 PM

Hi
Please give me an update on how things are running.

Did you want this removed as your search engine?
browser.search.selectedEngine - Yoog Search

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here


#10 kitzy25

kitzy25
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:01 PM

Posted 27 March 2009 - 10:25 PM

Hey,

Things are running much smoother. I have limited the use of my PC just to be cautious but it is definitely seeming like things are OK (as far as I can tell.) However, I cannot figure out how to remove the Yoog search. It first appeared when I began having trouble, and it continuously reappears no matter what I have tried. If you could direct me how to remove it that would be great.

Thanks for all your help!

#11 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:03:01 PM

Posted 28 March 2009 - 09:44 PM

Hi kitzy25

Open Firefox
Click on Tools, then click on "Clear Private Data".
Make sure all boxes are checked except "Saved Passwords"
Click on "Clear Private Data Now"
OK any prompts.

Now
Click on Tools > click Options.
On the "Main" Tab under Startup Click on "Restore to Default".
Click on OK.

Close Firefox and then restart Firefox
Let me know if it starts on the Default page.

Thanks
maranatha



#12 kitzy25

kitzy25
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:01 PM

Posted 28 March 2009 - 10:20 PM

Firefox started on the Firefox Start Page ( I think this is the default page.) However, the Yoog Search still appears as my default search in my search window next to my navigation address bar. I change it but it keeps going back to that each time I start Firefox. I cannot get Google or any other option as my default search, much less get rid of this Yoog search altogether.
Hope this info is clear.
Thanks.

#13 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:03:01 PM

Posted 29 March 2009 - 01:01 AM

Hi
OK, click on the down arrow next to the Yoog icon, then click on Manage search engines.
Click on Yoog in the list and click Remove, then click OK.

Let me know if that worked.

maranatha

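The behaviour kitzy25 describes in post #12 (the search engine reverting every time Firefox starts) matches the "FF - user.js:" entries in the ComboFix log earlier in this thread: Firefox reads user.js at every startup and copies its values over prefs.js, so a choice made through the Options dialog or the search-engine menu is overwritten on the next launch. As an added example, not part of this thread or of any tool mentioned in it, the Python script below parses the user_pref() lines of a user.js or prefs.js file, flags search-related preferences that point at hosts outside an allowlist, and lists the keys a user.js will re-apply on each start. The two sample files are constructed from the values shown in the log; the trusted-host and known-engine lists are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a user.js modelled on the "FF - user.js:" lines in the
# ComboFix log above (the values come from the log; the syntax is Firefox's).
SAMPLE_USER_JS = """
user_pref("google.toolbar.linkdoctor.enabled", false);
user_pref("browser.search.defaultenginename", "Yoog Search");
user_pref("browser.search.defaulturl", "http://www14.yoog.com/search.php?q=");
user_pref("browser.search.selectedEngine", "Yoog Search");
user_pref("keyword.URL", "http://www14.yoog.com/search.php?q=");
user_pref("keyword.enabled", true);
"""

# Constructed sample: prefs.js after the user picks Google in the UI.
SAMPLE_PREFS_JS = """
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.startup.homepage", "http://www.google.com");
"""

# Preferences that decide where typed searches and address-bar keywords go.
SEARCH_PREFS = {
    "browser.search.defaultenginename",
    "browser.search.defaulturl",
    "browser.search.selectedEngine",
    "browser.startup.homepage",
    "keyword.URL",
}

# Assumption: hosts (lowercase) and engine names treated as expected defaults.
TRUSTED_HOSTS = {"www.google.com", "google.com", "en-us.start2.mozilla.com"}
KNOWN_ENGINES = {"Google", "Yahoo", "Bing", "Wikipedia (en)"}

PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\);\s*$')


def _decode_value(raw):
    """Turn the JS literal on the right-hand side into a Python value."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw  # leave anything unusual untouched for the analyst to inspect


def parse_prefs(text):
    """Parse user_pref()/pref() lines into a dict; later lines override earlier ones."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _decode_value(m.group(2))
    return prefs


def find_search_hijack(text, trusted_hosts=TRUSTED_HOSTS, known_engines=KNOWN_ENGINES):
    """Return (key, value, reason) for search prefs pointing somewhere unexpected."""
    findings = []
    for key, value in sorted(parse_prefs(text).items()):
        if key not in SEARCH_PREFS or not isinstance(value, str):
            continue
        if value.lower().startswith(("http://", "https://")):
            host = (urlparse(value).hostname or "").lower()
            if host not in trusted_hosts:
                findings.append((key, value, "untrusted host %s" % host))
        elif value not in known_engines:
            findings.append((key, value, "unrecognised engine name"))
    return findings


def reapplied_by_user_js(prefs_js_text, user_js_text):
    """Keys a user.js copies over prefs.js at every start, with both values.

    Firefox reads user.js on startup and writes its values into prefs.js, so a
    change made through the UI to any of these keys is undone on the next
    launch.  Returns {key: (prefs.js value or None, user.js value)}.
    """
    prefs = parse_prefs(prefs_js_text)
    return {k: (prefs.get(k), v) for k, v in parse_prefs(user_js_text).items()}


if __name__ == "__main__":
    for key, value, reason in find_search_hijack(SAMPLE_USER_JS):
        print("%-36s %-45s %s" % (key, value, reason))
    for key, (old, new) in reapplied_by_user_js(SAMPLE_PREFS_JS, SAMPLE_USER_JS).items():
        print("user.js re-applies %s: %r -> %r" % (key, old, new))
```

Run it against a real profile by reading user.js and prefs.js from the profile directory (the ComboFix log names it under "FF - ProfilePath"); removing the engine from the menu only helps if no user.js remains to put the prefs back, which is what the second function makes visible.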


#14 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:03:01 PM

Posted 02 April 2009 - 10:57 PM

Hi kitzy25
Are you still with me here?

Please respond or this thread will be closed.

Thanks
maranatha



#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:01 PM

Posted 08 April 2009 - 07:29 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?



