Author Topic: Yoog Search (Firefox + IE) (Read 801 times)

BrotherFlounder · « **on:** January 04, 2009, 09:30:02 PM »

Here's yet another topic asking for help in getting rid of this stupid Yoog Search rootkit. Nothing I've tried seems to be working.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:51 PM, on 1/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Documents and Settings\Cynthia\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Bright Bug Software\Shared\Screen Savers\BBDTMngr.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AstSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Cynthia\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: p2pmax.lnk = C:\Program Files\p2pmax\p2pmax.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Run BBDTMngr.exe.lnk = C:\Program Files\Bright Bug Software\Shared\Screen Savers\BBDTMngr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Nick\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166716156538
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://72.10.224.30/activex/AMC.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\AstSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: UD - Unknown owner - C:\DOCUME~1\Cynthia\LOCALS~1\Temp\UD.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11234 bytes

guestolo · « **Reply #1 on:** January 04, 2009, 10:12:25 PM »

Download ComboFix from one of these locations:

[color=\"#0000FF\"]Link 1[/color]
[color=\"#0000FF\"]Link 2[/color]
[color=\"#0000FF\"]Link 3[/color]
[color=\"#FF0000\"]Save it ONLY to your Desktop[/color]

--------------------------------------------------------------------
[color=\"#2E8B57\"]Temporarily Disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool[/color]
With Avira, simply right click it's icon by the clock and uncheck Enable Guard

Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

[color=\"#2e8b57\"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
[/color]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply

NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please

Additional Note:
If you do get an error posting this log, please Upload it, but Only if you get an error

With the log from ComboFix, can you also do the following

Download [color=\"#FF0000\"]> ATF Cleaner <[/color] by Atribune and save it to your Desktop.

Double Click on ATF-Cleaner.exe to Run it
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only.
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit from the Main menu

download Malwarebytes' Anti-Malware from Here or Here
Save the installer to desktop

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Edited to include instructions with ATF-Cleaner

BrotherFlounder · « **Reply #2 on:** January 04, 2009, 10:23:58 PM »

ComboFix 09-01-02.01 - Cynthia 2009-01-04 22:14:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1506 [GMT -5:00]
Running from: c:\documents and settings\Cynthia\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2008-12-30 11:57 . 2008-12-30 11:57 <DIR> d-------- c:\program files\Bonjour
2008-12-26 21:36 . 2008-12-26 21:38 <DIR> d-------- c:\documents and settings\Cynthia\Application Data\vlc
2008-12-26 19:58 . 2008-12-26 21:40 <DIR> d-------- c:\documents and settings\Cynthia\Application Data\mIRC
2008-12-25 16:59 . 2008-12-25 16:59 <DIR> d-------- c:\program files\BitTornado
2008-12-25 16:59 . 2008-12-25 16:59 <DIR> d-------- c:\documents and settings\Cynthia\Application Data\.BitTornado
2008-12-25 09:59 . 2008-12-25 09:59 <DIR> d-------- c:\program files\Common Files\Remote Control Software Common
2008-12-25 09:59 . 2008-12-25 10:01 <DIR> d-------- c:\documents and settings\Cynthia\logitech
2008-12-25 09:58 . 2008-12-25 09:58 <DIR> d-------- c:\program files\Logitech
2008-12-25 09:58 . 2008-12-25 09:58 <DIR> d-------- c:\program files\Common Files\Remote Control USB Driver
2008-12-25 09:58 . 2008-12-25 09:58 <DIR> d-------- c:\documents and settings\Cynthia\Application Data\InstallShield
2008-12-20 22:28 . 2008-12-20 22:28 <DIR> d-------- C:\rsit
2008-12-20 13:34 . 2009-01-04 21:27 <DIR> d-------- c:\program files\HJT
2008-12-20 11:49 . 2008-12-20 11:49 <DIR> d-------- c:\program files\Panda Security
2008-12-20 11:49 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-19 23:38 . 2008-12-19 23:38 <DIR> d-------- c:\program files\Ares
2008-12-17 21:50 . 2008-12-17 21:50 <DIR> d-------- c:\program files\Sunbelt Software
2008-12-17 21:46 . 2008-12-17 21:46 <DIR> d-------- c:\program files\Avira
2008-12-17 21:46 . 2008-12-17 21:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-17 21:33 . 2008-12-18 16:21 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-17 21:33 . 2008-12-18 16:21 <DIR> d-------- c:\documents and settings\Cynthia\Application Data\SUPERAntiSpyware.com
2008-12-17 21:33 . 2008-12-17 21:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-17 21:31 . 2008-12-17 21:44 14,042,553 --a------ c:\windows\system32\RAW
2008-12-17 19:46 . 2008-12-17 19:46 <DIR> d--hs---- C:\found.000
2008-12-17 18:17 . 2008-12-17 18:17 <DIR> d-------- c:\documents and settings\Cynthia\Application Data\Malwarebytes
2008-12-17 18:17 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-17 18:16 . 2008-12-17 18:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-17 18:16 . 2008-12-17 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-17 18:16 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 08:26 . 2008-12-16 08:26 120 --a------ c:\windows\system32\afahahiy.tmp
2008-12-15 17:09 . 2008-12-15 17:09 8,192 --ahs---- c:\windows\Thumbs.db
2008-12-13 10:10 . 2008-12-13 10:10 1,589,605 ---hs---- c:\windows\system32\idufatap.tmp
2008-12-12 20:28 . 2008-12-12 20:28 <DIR> d-------- C:\Temp
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\system32\dnssd.dll
2008-12-11 19:48 . 2008-12-11 19:48 196,444 --a------ c:\windows\system32\dat32vn.exe
2008-12-11 19:48 . 2008-12-11 19:48 190,675 --a------ c:\windows\system32\dat32bn.exe
2008-12-11 19:48 . 2008-12-11 19:48 47,581 --a------ c:\windows\system32\wzdrafjdoecy.exe
2008-12-11 19:48 . 2008-12-11 19:48 39,936 ---h----- c:\windows\jmm.exe
2008-12-11 19:48 . 2008-12-11 19:48 9,728 ---h----- c:\windows\20081203051514-downloader_silent.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 16:56 --------- d-----w c:\program files\Common Files\Adobe
2008-12-27 02:02 --------- d-----w c:\documents and settings\Cynthia\Application Data\dvdcss
2008-12-27 01:48 --------- d-----w c:\program files\mIRC
2008-12-26 15:04 --------- d-----w c:\program files\SG2
2008-12-25 14:58 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-23 02:03 --------- d-----w c:\documents and settings\Andrew\Application Data\mIRC
2008-12-18 21:21 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-18 08:07 --------- d-----w c:\program files\Google
2008-12-18 02:35 --------- d-----w c:\documents and settings\Andrew\Application Data\Lavasoft
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-02 17:32 --------- d-----w c:\program files\QuickTime
2008-12-02 17:12 --------- d-----w c:\program files\iTunes
2008-12-02 17:12 --------- d-----w c:\program files\iPod
2008-12-02 17:12 --------- d-----w c:\program files\Common Files\Apple
2008-12-02 17:12 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-02 17:00 --------- d-----w c:\program files\Safari
2008-11-24 01:32 --------- d-----w c:\documents and settings\Cynthia\Application Data\CopyTrans
2008-11-20 08:34 --------- d-----w c:\program files\WindSolutions
2008-11-20 08:34 --------- d-----w c:\documents and settings\Cynthia\Application Data\iCloner
2008-11-20 08:34 --------- d-----w c:\documents and settings\All Users\Application Data\CopyTransControlCenter
2008-11-20 08:33 --------- d-----w c:\documents and settings\Cynthia\Application Data\CopyTransControlCenter
2008-11-16 17:50 --------- d-----w c:\program files\AIM6
2008-11-16 17:09 --------- d-----w c:\program files\Common Files\Software Update Utility
2008-11-16 17:09 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-16 17:09 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-16 16:03 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-09 05:54 --------- d-----w c:\program files\IrfanView
2008-11-07 19:23 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-03-05 01:24 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-03-09 02:24 400 ----a-w c:\documents and settings\Nick\score.dat
2008-12-02 16:50 638,976 ----a-w c:\program files\mozilla firefox\components\nsadsoftinc.dll
2007-10-03 23:34 80 --sh--r c:\windows\system32\F7EF99F7EE.dll
2008-09-30 13:22 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008093020081001\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-04-23 95800]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"Google Update"="c:\documents and settings\Cynthia\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 188416]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 c:\windows\stsystra.exe]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2006-12-22 2746104]

c:\documents and settings\Nick\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\Cynthia\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-04-13 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-27 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]
Run BBDTMngr.exe.lnk - c:\program files\Bright Bug Software\Shared\Screen Savers\BBDTMngr.exe [2004-11-20 176128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Nick\\Desktop\\RedFaction\\RF.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Documents and Settings\\Cynthia\\Desktop\\Unused Desktop Shortcuts\\Ares.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiadap.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\usnsvc.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25714:TCP"= 25714:TCP:BitComet 25714 TCP
"25714:UDP"= 25714:UDP:BitComet 25714 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-20 28544]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-11 24652]
S0 hrhkrko;hrhkrko;c:\windows\system32\drivers\grdv.sys --> c:\windows\system32\drivers\grdv.sys [?]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2007-09-02 39048]
S3 UD;UD;c:\docume~1\Cynthia\LOCALS~1\Temp\UD.exe --> c:\docume~1\Cynthia\LOCALS~1\Temp\UD.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2aecd6c4-d121-11dd-90bb-001676c7ec29}]
\Shell\Shell00\Command - J:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f61d696a-07f4-11dd-9037-001676c7ec29}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1991672920-3934449333-2286609329-1009.job
- c:\documents and settings\Cynthia\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 14:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Nick\Start Menu\Programs\IMVU\Run IMVU.lnk

O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://72.10.224.30/activex/AMC.cab
c:\windows\Downloaded Program Files\setup.inf
FF - ProfilePath - c:\documents and settings\Cynthia\Application Data\Mozilla\Firefox\Profiles\74nf7eas.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - component: c:\program files\Mozilla Firefox\components\nsadsoftinc.dll
FF - plugin: c:\documents and settings\Cynthia\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

[color=\"red\"]ATTENTION: FIREFOX POLICES IS IN FORCE [/color]
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 22:15:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2009-01-04 22:17:24
ComboFix-quarantined-files.txt 2009-01-05 03:16:07
ComboFix2.txt 2009-01-05 02:06:34

Pre-Run: 149,287,124,992 bytes free
Post-Run: 149,291,479,040 bytes free

252 --- E O F --- 2008-12-18 08:00:36

Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 3

1/4/2009 10:22:53 PM
mbam-log-2009-01-04 (22-22-53).txt

Scan type: Quick Scan
Objects scanned: 66522
Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\hikepohe.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\takihiru.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fagesefa.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\nsadsoftinc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dat32bn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dat32vn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

BrotherFlounder · « **Reply #3 on:** January 04, 2009, 10:40:28 PM »

Oh, I just saw the ATF Cleaner addition to your post and I ran it. D'ya want me to rerun Malwarebytes?

guestolo · « **Reply #4 on:** January 04, 2009, 10:45:45 PM »

go to this link
http://www.virustotal.com/flash/index_en.html
Copy and paste the following bold line to the space next to 'Upload a File'
If using Firefox, you may have to paste to the Filename field of the File Upload box that opens
Or Browse to the file

c:\windows\system32\afahahiy.tmp
Then use the SEND FILE button
Let it finish scanning
Could you post back the results this scan back here please
Or better yet, just link to the results page

Can you do the same to the next 2 files please
c:\windows\system32\idufatap.tmp
c:\windows\system32\F7EF99F7EE.dll

You may have to
Set Windows is to show hidden files/folders
In MyComputer select TOOLS>>FOLDER OPTIONS>>VIEW
Select the Radio button to Show hidden files/folders
Apply and OK it

BrotherFlounder · « **Reply #5 on:** January 04, 2009, 10:52:12 PM »

c:\windows\system32\afahahiy.tmp
http://www.virustotal.com/analisis/5bb665b...15735153a841d2c

c:\windows\system32\idufatap.tmp
c:\windows\system32\F7EF99F7EE.dll
Neither file will show up in the dialog box or the System32 folder, even with hidden files shown.

guestolo · « **Reply #6 on:** January 04, 2009, 11:18:40 PM »

Copy ALL the BLUE text below and Paste to notepad
Don't use anything else than notepad or the script will not work

[color=\"#0000FF\"]
KillAll::
Driver::
UD
File::
c:\windows\system32\afahahiy.tmp
c:\windows\system32\idufatap.tmp
c:\windows\system32\wzdrafjdoecy.exe
c:\windows\jmm.exe
c:\windows\20081203051514-downloader_silent.exe
c:\windows\system32\F7EF99F7EE.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000

[/color]
Save this as txtfile on your desktop, with the exact name of
CFScript

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When finished, it shall produce a log for you with the same name C:\ComboFix.txt..

with that log, can you also do the following
Download and save to your desktop
[color=\"#FF0000\"]OTScanIt2[/color][/url]
by OldTimer

Double click on it to Run it and then Extract it to a folder on desktop
Open that newly created folder and double click on OTScanIt2.exe
Leave all defaults selected
Except, change Rootkit Search to YES

Under Additional Scans, put a tick beside
Reg - Uninstall List

Then click on [color=\"#0000FF\"]Run Scan [/color]

When done, it will produce a log
Can you post the contents of that log back here please
A copy of it can also be found it the OTScanIt2 folder on desktop
NOTE: If you do get an error posting this log, please Upload it, but Only if you get an error

BrotherFlounder · « **Reply #7 on:** January 05, 2009, 01:03:54 AM »

[attachment=4890:otscanit2log.txt]Yoog is now seemingly gone from IE (though I won't trust that for a restart or two) but is still hanging around in Firefox. (The OTScanIt2 log is attached; it was giving me 500 errors when I tried posting it.)

ComboFix 09-01-02.01 - Cynthia 2009-01-04 23:38:55.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1565 [GMT -5:00]
Running from: c:\documents and settings\Cynthia\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\20081203051514-downloader_silent.exe
c:\windows\jmm.exe
c:\windows\system32\afahahiy.tmp
c:\windows\system32\F7EF99F7EE.dll
c:\windows\system32\idufatap.tmp
c:\windows\system32\wzdrafjdoecy.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UD
-------\Service_UD

((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2008-12-30 11:57 . 2008-12-30 11:57 <DIR> d-------- c:\program files\Bonjour
2008-12-26 21:36 . 2008-12-26 21:38 <DIR> d-------- c:\documents and settings\Cynthia\Application Data\vlc
2008-12-26 19:58 . 2008-12-26 21:40 <DIR> d-------- c:\documents and settings\Cynthia\Application Data\mIRC
2008-12-25 16:59 . 2008-12-25 16:59 <DIR> d-------- c:\program files\BitTornado
2008-12-25 16:59 . 2008-12-25 16:59 <DIR> d-------- c:\documents and settings\Cynthia\Application Data\.BitTornado
2008-12-25 09:59 . 2008-12-25 09:59 <DIR> d-------- c:\program files\Common Files\Remote Control Software Common
2008-12-25 09:59 . 2008-12-25 10:01 <DIR> d-------- c:\documents and settings\Cynthia\logitech
2008-12-25 09:58 . 2008-12-25 09:58 <DIR> d-------- c:\program files\Logitech
2008-12-25 09:58 . 2008-12-25 09:58 <DIR> d-------- c:\program files\Common Files\Remote Control USB Driver
2008-12-25 09:58 . 2008-12-25 09:58 <DIR> d-------- c:\documents and settings\Cynthia\Application Data\InstallShield
2008-12-20 22:28 . 2008-12-20 22:28 <DIR> d-------- C:\rsit
2008-12-20 13:34 . 2009-01-04 21:27 <DIR> d-------- c:\program files\HJT
2008-12-20 11:49 . 2008-12-20 11:49 <DIR> d-------- c:\program files\Panda Security
2008-12-20 11:49 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-19 23:38 . 2008-12-19 23:38 <DIR> d-------- c:\program files\Ares
2008-12-17 21:50 . 2008-12-17 21:50 <DIR> d-------- c:\program files\Sunbelt Software
2008-12-17 21:46 . 2008-12-17 21:46 <DIR> d-------- c:\program files\Avira
2008-12-17 21:46 . 2008-12-17 21:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-17 21:33 . 2008-12-18 16:21 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-17 21:33 . 2008-12-18 16:21 <DIR> d-------- c:\documents and settings\Cynthia\Application Data\SUPERAntiSpyware.com
2008-12-17 21:33 . 2008-12-17 21:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-17 21:31 . 2008-12-17 21:44 14,042,553 --a------ c:\windows\system32\RAW
2008-12-17 19:46 . 2008-12-17 19:46 <DIR> d--hs---- C:\found.000
2008-12-17 18:17 . 2008-12-17 18:17 <DIR> d-------- c:\documents and settings\Cynthia\Application Data\Malwarebytes
2008-12-17 18:17 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-17 18:16 . 2009-01-04 22:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-17 18:16 . 2008-12-17 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-17 18:16 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-15 17:09 . 2008-12-15 17:09 8,192 --ahs---- c:\windows\Thumbs.db
2008-12-12 20:28 . 2008-12-12 20:28 <DIR> d-------- C:\Temp
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\system32\dnssd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 16:56 --------- d-----w c:\program files\Common Files\Adobe
2008-12-27 02:02 --------- d-----w c:\documents and settings\Cynthia\Application Data\dvdcss
2008-12-27 01:48 --------- d-----w c:\program files\mIRC
2008-12-26 15:04 --------- d-----w c:\program files\SG2
2008-12-25 14:58 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-23 02:03 --------- d-----w c:\documents and settings\Andrew\Application Data\mIRC
2008-12-18 21:21 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-18 08:07 --------- d-----w c:\program files\Google
2008-12-18 02:35 --------- d-----w c:\documents and settings\Andrew\Application Data\Lavasoft
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-02 17:32 --------- d-----w c:\program files\QuickTime
2008-12-02 17:12 --------- d-----w c:\program files\iTunes
2008-12-02 17:12 --------- d-----w c:\program files\iPod
2008-12-02 17:12 --------- d-----w c:\program files\Common Files\Apple
2008-12-02 17:12 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-02 17:00 --------- d-----w c:\program files\Safari
2008-11-24 01:32 --------- d-----w c:\documents and settings\Cynthia\Application Data\CopyTrans
2008-11-20 08:34 --------- d-----w c:\program files\WindSolutions
2008-11-20 08:34 --------- d-----w c:\documents and settings\Cynthia\Application Data\iCloner
2008-11-20 08:34 --------- d-----w c:\documents and settings\All Users\Application Data\CopyTransControlCenter
2008-11-20 08:33 --------- d-----w c:\documents and settings\Cynthia\Application Data\CopyTransControlCenter
2008-11-16 17:50 --------- d-----w c:\program files\AIM6
2008-11-16 17:09 --------- d-----w c:\program files\Common Files\Software Update Utility
2008-11-16 17:09 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-16 17:09 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-16 16:03 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-09 05:54 --------- d-----w c:\program files\IrfanView
2008-11-07 19:23 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-03-05 01:24 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-03-09 02:24 400 ----a-w c:\documents and settings\Nick\score.dat
2008-09-30 13:22 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008093020081001\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-04_21.04.35.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-04-23 95800]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"Google Update"="c:\documents and settings\Cynthia\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 188416]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 c:\windows\stsystra.exe]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2006-12-22 2746104]

c:\documents and settings\Nick\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\Cynthia\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-04-13 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-27 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]
Run BBDTMngr.exe.lnk - c:\program files\Bright Bug Software\Shared\Screen Savers\BBDTMngr.exe [2004-11-20 176128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Nick\\Desktop\\RedFaction\\RF.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Documents and Settings\\Cynthia\\Desktop\\Unused Desktop Shortcuts\\Ares.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiadap.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\usnsvc.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25714:TCP"= 25714:TCP:BitComet 25714 TCP
"25714:UDP"= 25714:UDP:BitComet 25714 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-20 28544]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-11 24652]
S0 hrhkrko;hrhkrko;c:\windows\system32\drivers\grdv.sys --> c:\windows\system32\drivers\grdv.sys [?]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2007-09-02 39048]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2aecd6c4-d121-11dd-90bb-001676c7ec29}]
\Shell\Shell00\Command - J:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f61d696a-07f4-11dd-9037-001676c7ec29}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1991672920-3934449333-2286609329-1009.job
- c:\documents and settings\Cynthia\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 14:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Nick\Start Menu\Programs\IMVU\Run IMVU.lnk

O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://72.10.224.30/activex/AMC.cab
c:\windows\Downloaded Program Files\setup.inf
FF - ProfilePath - c:\documents and settings\Cynthia\Application Data\Mozilla\Firefox\Profiles\74nf7eas.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - component: c:\program files\Mozilla Firefox\components\nsadsoftinc.dll
FF - plugin: c:\documents and settings\Cynthia\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

[color=\"red\"]ATTENTION: FIREFOX POLICES IS IN FORCE [/color]
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 23:42:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2009-01-04 23:47:41
ComboFix-quarantined-files.txt 2009-01-05 04:46:22
ComboFix2.txt 2009-01-05 03:17:25
ComboFix3.txt 2009-01-05 02:06:34

Pre-Run: 149,187,317,760 bytes free
Post-Run: 149,174,751,232 bytes free

259 --- E O F --- 2008-12-18 08:00:36

guestolo · « **Reply #8 on:** January 05, 2009, 01:13:59 AM »

While I'm checking over the logs, can you do the following
go to this link
http://www.virustotal.com/flash/index_en.html
Copy and paste the following bold line to the space next to 'Upload a File'
If using Firefox, you may have to paste to the Filename field of the File Upload box that opens
Or Browse to the file

c:\windows\system32\drivers\grdv.sys
Then use the SEND FILE button
Let it finish scanning
Could you post back the results this scan back here please
Or better yet, just link to the results page

BrotherFlounder · « **Reply #9 on:** January 05, 2009, 09:24:30 AM »

(Sorry for not replying last night; had to get some sleep.)

Again, I can't find that file either in the Sys32/drivers folder or in the upload window.

BrotherFlounder · « **Reply #10 on:** January 05, 2009, 09:46:45 AM »

Huh. After a restart, Yoog appears to be gone! Thanks very much for your help.

guestolo · « **Reply #11 on:** January 05, 2009, 12:26:03 PM »

Can you still do the following
Let's ensure yoog is gone, you may not find any of the below, but take a look
Open IE7>beside the Address bar, is a Search bar
To the right of the search bar is a magnifying glass and a drop down arrow
Left click the drop down arrow
and select>>"Change Search Defaults"
If you see "Yoog Search" in the list
Highlight it and Remove it
Then highlight Google (or another search provider) and set to Default
Close IE7 and don't reopen

In Firefox:
Beside the address bar is the Search engine bar
Can you use the drop down arrow beside the search box, >>Select "Manage Search Engines"
If YOOG is listed, can you highlight it and remove it
Then Highlight Google and Hit OK

Navigate to the following folder
c:\documents and settings\Cynthia\Application Data\Mozilla\Firefox\Profiles\74nf7eas.default
In that folder
right click on prefs.js and select EDIT
Delete the line referring to the following

===================================================
user_pref("keyword.URL", "http://www2.yoog.com/search.php?q=");
======================================================
Don't leave spacings
Close prefs.js and save the changes when prompted
remain in the 74nf7eas.default\ folder
Right click on user.js

Delete the lines referring to the following
========================================
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
=========================================

Close user.js and save the changes when prompted
download [color=\"#2E8B57\"]JavaRa[/color]
Save it then unzip it to your Desktop.

**Close any instances of Internet Explorer or other Browsers before continuing!***

* Double-click on JavaRa.exe to start the program.
* From the drop-down menu, choose English and click on Select.
* JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
* Click Yes when prompted.
* When JavaRa is finished, a notice will appear that a logfile has been produced. Click OK.
* A logfile will pop up. Please save it to a convenient location.

Leave browser windows closed
Access your Add and Remove Programs and remove the following if you didn't intentionally install them
Viewpoint Manager (Remove Only)
Viewpoint Media Player

Remain in add/remove and remove
RON Tool Adsoftinc
You may be prompted to type in a verification code
Do so and click Uninstall
If it prompts of an error and to remove it from the list, please do so

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]

[Kill Explorer]
[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY -> p2pmax.lnk -> %UserProfile%\Start Menu\Programs\Startup\p2pmax.lnk
[Custom Items]
:files
c:\program files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll
:end
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. I'll need to see that in a bit

But first
[color=\"blue\"]Updating Java:[/color]

Download the latest version of Java Runtime Environment (JRE) 6.
Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
Click the "Download" button to the right.
In the Window that opens, select Windows, beside Platform:>>Check the "agree" box and click Continue.
Click on the link to download Windows Offline Installation and save to your desktop.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.

Post back all the following and let me know how things are running
1. The log from OTScanIT2
2. The log from JavaRA
3. A fresh Hijackthis log

TheTechGuide Forum

News:

Author Topic: Yoog Search (Firefox + IE) (Read 801 times)

BrotherFlounder

Yoog Search (Firefox + IE)

guestolo

Yoog Search (Firefox + IE)

BrotherFlounder

Yoog Search (Firefox + IE)

BrotherFlounder

Yoog Search (Firefox + IE)

guestolo

Yoog Search (Firefox + IE)

BrotherFlounder

Yoog Search (Firefox + IE)

guestolo

Yoog Search (Firefox + IE)

BrotherFlounder

Yoog Search (Firefox + IE)

guestolo

Yoog Search (Firefox + IE)

BrotherFlounder

Yoog Search (Firefox + IE)

BrotherFlounder

Yoog Search (Firefox + IE)

guestolo

Yoog Search (Firefox + IE)