Matcash/Yoog/Zedo. Multiple issues..

[Dinonosaur]

At first, I had Zedo pop up a lot when I used CA Anti-Spyware scan.

I don't have that show up anymore, that was a few days ago. I still have Zedo pop-ups though. And.. Now it says Matcash. Zedo doesn't show up in the spyware scan, but is Matcash does. Is it related somehow? I hope I am asking for help the right way..

I don't know how to get rid of the Yoog Search engine/malware that is on Mozilla either. I just realized that is in the log. I tried reinstalling Mozilla, didn't help I don't think


DDS (Ver_09-01-07.01) - NTFSx86
Run by Leah Dermody at 13:56:47.15 on Sun 01/11/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2047.1446 [GMT -8:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\RTHDCPL.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\GetPack\GetPack26.exe
C:\Program Files\GetModule\GetModule33.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
C:\Program Files\Marvell\61xx\tray\zRaidTray.exe
C:\Program Files\CA\CA Internet Security Suite\casecuritycenter.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\caavGUIScan.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Leah Dermody\Desktop\dds(3).com

============== Pseudo HJT Report ===============

BHO: globaladsolution: {2839f9a5-b307-7ce1-de3b-a5e23618fb15} - c:\winnt\system32\nslB.dll
BHO: GrandBar IE Helper: {84ba8988-33e1-4c89-a150-bf428e8d3213} - c:\program files\grandpack\GrandPack2.dll
TB: MSN Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar\01.01.2607.0\en-us\msntb.dll
EB: Internet Speed Monitor: {17bfcf1a-b579-48a7-9849-719ddd11d340} - c:\program files\grandpack\GrandPack2.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [Twain] c:\documents and settings\leah dermody\application data\twain\Twain.exe
uRun: [GetPack26] "c:\program files\getpack\GetPack26.exe"
uRun: [gadcom] "c:\documents and settings\leah dermody\application data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
uRun: [GetModule33] c:\program files\getmodule\GetModule33.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\winnt\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [PPRT] c:\program files\ca\sharedcomponents\pprt\bin\ITMRTSVC_Logon.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\leahde~1\startm~1\programs\startup\marvel~1.lnk - c:\program files\marvell\61xx\tray\RaidTray.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\okilpr~1.lnk - c:\program files\okidata\oki lpr utility\okilpr.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: c:\winnt\system32\VetRedir.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\winnt\system32\yayvVpnm

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\leahde~1\applic~1\mozilla\firefox\profiles\ycq4i27z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www10.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://en-us.www.mozilla.com/en-US/firefox/central/
FF - prefs.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www10.yoog.com/search.php?q=

============= SERVICES / DRIVERS ===============

R0 mv61xx;mv61xx;c:\winnt\system32\drivers\mv61xx.sys [2007-6-14 143256]
R1 VET-FILT;VET File System Filter;c:\winnt\system32\drivers\vet-filt.sys [2008-12-14 26352]
R1 VET-REC;VET File System Recognizer;c:\winnt\system32\drivers\vet-rec.sys [2008-12-14 21104]
R1 VETEFILE;VET File Scan Engine;c:\winnt\system32\drivers\vetefile.sys [2008-12-14 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\winnt\system32\drivers\vetfddnt.sys [2008-12-14 21488]
R1 VETMONNT;VET File Monitor;c:\winnt\system32\drivers\vetmonnt.sys [2008-12-14 32240]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\winnt\system32\drivers\l150x86.sys [2008-9-28 35328]
R3 Marvell RAID;Marvell RAID Event Agent;c:\program files\marvell\61xx\svc\mvraidsvc.exe [2007-6-12 61440]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2008-12-14 185584]
R3 VETEBOOT;VET Boot Scan Engine;c:\winnt\system32\drivers\veteboot.sys [2008-12-14 108368]
R4 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2008-12-14 144696]
R4 MRUWebService;MRU Web Service;c:\program files\marvell\61xx\apache2\bin\Apache.exe [2007-5-22 20539]
R4 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2008-12-14 255216]

=============== Created Last 30 ================

2009-01-11 13:55 16,384 a------t c:\winnt\system32\Perflib_Perfdata_35c.dat
2009-01-11 13:54 <DIR> --d-h--- c:\winnt\PIF
2009-01-11 13:48 <DIR> --d----- c:\documents and settings\leah dermody\.thumbnails
2009-01-11 13:46 <DIR> --d----- c:\documents and settings\leah dermody\.gimp-2.2
2009-01-11 13:44 <DIR> --d----- c:\program files\GIMP-2.2
2009-01-11 13:43 <DIR> --d----- c:\program files\common files\GTK
2009-01-09 23:57 47,596 a------- c:\winnt\system32\bhcvgvaghyrg.exe
2009-01-09 23:57 <DIR> --d----- c:\program files\GrandPack
2009-01-09 23:57 <DIR> --d----- c:\program files\iCheck
2009-01-09 23:57 <DIR> --d----- c:\program files\GetModule
2009-01-07 04:06 683,008 a------- c:\winnt\system32\nslB.dll
2009-01-03 20:51 <DIR> --d----- c:\docume~1\leahde~1\applic~1\gadcom
2009-01-03 20:51 <DIR> --d----- c:\program files\GetPack
2009-01-03 20:50 198,716 a------- c:\winnt\system32\wpv251229907443.cpx
2009-01-03 20:50 <DIR> --d----- c:\docume~1\leahde~1\applic~1\GetModule
2009-01-03 20:50 22,016 a------- c:\winnt\system32\~.exe
2008-12-19 14:44 11,376 a------- c:\winnt\system32\drivers\SECDRV.SYS
2008-12-19 14:44 582 a------- c:\winnt\eReg.dat
2008-12-19 14:34 <DIR> --d----- c:\program files\Maxis
2008-12-17 18:45 1,665,243 ---sh--- c:\winnt\system32\trcsmhpp.ini
2008-12-16 18:44 1,664,935 a--sh--- c:\winnt\system32\shfhqhsm.ini
2008-12-15 18:51 <DIR> --d----- c:\docume~1\leahde~1\applic~1\Twain
2008-12-15 18:46 <DIR> --d----- c:\program files\Webtools
2008-12-15 18:45 1,647,997 a--sh--- c:\winnt\system32\dhptfaxx.ini
2008-12-15 18:41 <DIR> --d----- c:\program files\Mjcore
2008-12-15 11:49 <DIR> --d----- c:\winnt\CAVTemp
2008-12-14 19:02 32,240 a------- c:\winnt\system32\drivers\vetmonnt.sys
2008-12-14 19:02 21,488 a------- c:\winnt\system32\drivers\vetfddnt.sys
2008-12-14 19:02 21,104 a------- c:\winnt\system32\drivers\vet-rec.sys
2008-12-14 19:02 91,376 a------- c:\winnt\system32\isafprod.dll
2008-12-14 19:02 26,352 a------- c:\winnt\system32\drivers\vet-filt.sys
2008-12-14 19:02 99,568 a------- c:\winnt\system32\isafeif.dll
2008-12-14 19:02 83,256 a------- c:\winnt\system32\vetredir.dll
2008-12-14 19:02 880,560 a------- c:\winnt\system32\drivers\vetefile.sys
2008-12-14 19:02 108,368 a------- c:\winnt\system32\drivers\veteboot.sys
2008-12-14 19:00 <DIR> --d----- c:\winnt\Downloaded Installations
2008-12-14 19:00 250,544 a------- c:\winnt\system32\KeyHelp.ocx
2008-12-14 19:00 <DIR> --d----- c:\program files\common files\Scanner
2008-12-14 19:00 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\CA
2008-12-14 19:00 <DIR> --d----- c:\program files\CA
2008-12-14 18:42 1,647,997 a--sh--- c:\winnt\system32\qwclxlos.ini
2008-12-14 18:39 901,425 a--sh--- c:\winnt\system32\mnpVvyay.ini2
2008-12-14 18:39 901,425 a--sh--- c:\winnt\system32\mnpVvyay.ini

==================== Find3M ====================

2008-11-09 19:21 2,678 a------- c:\winnt\java\packages\data\SCHBLBPV.DAT
2008-11-09 19:21 2,678 a------- c:\winnt\java\packages\data\8HRVTVTN.DAT
2008-11-09 19:21 2,678 a------- c:\winnt\java\packages\data\9373XFB3.DAT
2008-11-09 19:21 2,678 a------- c:\winnt\java\packages\data\7DBZ1JNV.DAT
2008-11-09 19:21 2,678 a------- c:\winnt\java\packages\data\0DZLZTZN.DAT
2008-10-22 21:27 237,840 a------- c:\winnt\system32\GDI32.DLL
2008-10-15 13:53 575,488 a------- c:\winnt\system32\WININET.DLL
2008-09-28 21:25 21,952 ----h--- c:\program files\folder.htt
2008-09-28 21:25 271 ----h--- c:\program files\desktop.ini
2006-06-23 06:48 32,768 a----r-- c:\winnt\inf\UpdateUSB.exe
2000-07-26 04:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 13:57:11.31 ===============

[tetonbob]

Hello -

I see that you have Windows 2000 on this machine. Do you have the Windows 2000 installation disk?

[Dinonosaur]

I should. I need to go look for it. I think I do but I am not sure.

[tetonbob]

The reason I ask is that we like to have the Windows Recovery Console installed on a machine before attempting malware removal.

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

ComboFix includes a method to do so for Windows XP, but for Windows 2000, it needs to be done from the install disk.

This page should help explain how to install it from your Windows 2000 CD

http://support.microsoft.com/kb/216417

Install the Windows Recovery Console After Windows is Already Installed on the Computer

1. Click Start, click Run, and then type <CD-ROM drive letter>:\i386\winnt32.exe /cmdcons in the Open box, where <CD-ROM drive letter> is the drive letter assigned to your CD-ROM drive.
2. Click OK, follow the instructions on the screen to finish Setup, and then restart your computer.


Once you've done that....



Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

[Dinonosaur]

ComboFix 09-01-20.05 - Leah Dermody 2009-01-21 9:49:33.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2047.1555 [GMT -8:00]
Running from: c:\documents and settings\Leah Dermody\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Leah Dermody\Application Data\gadcom
c:\documents and settings\Leah Dermody\Application Data\GetModule
c:\documents and settings\Leah Dermody\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\GetModule
c:\program files\GetModule\GetModule33.exe
c:\program files\GetPack
c:\program files\GetPack\dictame.gz
c:\program files\GetPack\trgtame.gz
c:\program files\GrandPack
c:\program files\GrandPack\GrandPack2.dll
c:\program files\GrandPack\qdrloader.exe
c:\program files\GrandPack\Uninstall.exe
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\Mjcore
c:\winnt\system32\~.exe
c:\winnt\system32\dhptfaxx.ini
c:\winnt\system32\mnpVvyay.ini
c:\winnt\system32\mnpVvyay.ini2
c:\winnt\system32\qwclxlos.ini
c:\winnt\system32\shfhqhsm.ini
c:\winnt\system32\trcsmhpp.ini
c:\winnt\Tasks\oooaorvw.job
c:\winnt\Web\default.htt
c:\winnt\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
.

2009-01-11 13:59 . 09-01-15 07:46 250 --a------ c:\winnt\gmer.ini
2009-01-11 13:54 . 09-01-11 13:54 <DIR> d--h----- c:\winnt\PIF
2009-01-11 13:48 . 09-01-11 13:48 <DIR> d-------- c:\documents and settings\Leah Dermody\.thumbnails
2009-01-11 13:46 . 09-01-20 22:13 <DIR> d-------- c:\documents and settings\Leah Dermody\.gimp-2.2
2009-01-11 13:44 . 09-01-11 13:45 <DIR> d-------- c:\program files\GIMP-2.2
2009-01-11 13:43 . 09-01-11 13:43 <DIR> d-------- c:\program files\Common Files\GTK
2009-01-09 23:57 . 09-01-09 23:57 47,596 --a------ c:\winnt\system32\bhcvgvaghyrg.exe
2009-01-07 04:06 . 09-01-07 04:06 683,008 --a------ c:\winnt\system32\nslB.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 06:05 927,113 ----a-w c:\program files\GIMP-2.xcf
2009-01-20 03:16 --------- d---a-w c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-01-20 03:16 --------- d-----w c:\documents and settings\Leah Dermody\Application Data\ZoomBrowser EX
2008-12-25 21:32 --------- d-----w c:\program files\EA GAMES
2008-12-19 22:44 11,376 ----a-w c:\winnt\system32\drivers\SECDRV.SYS
2008-12-19 22:35 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-19 22:35 --------- d-----w c:\program files\Maxis
2008-12-19 22:34 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-16 02:51 --------- d-----w c:\documents and settings\Leah Dermody\Application Data\Twain
2008-12-16 02:46 --------- d-----w c:\program files\Webtools
2008-12-15 03:05 --------- d-----w c:\program files\Common Files\Scanner
2008-12-15 03:01 880,560 ----a-w c:\winnt\system32\drivers\vetefile.sys
2008-12-15 03:01 32,240 ----a-w c:\winnt\system32\drivers\vetmonnt.sys
2008-12-15 03:01 26,352 ----a-w c:\winnt\system32\drivers\vet-filt.sys
2008-12-15 03:01 21,488 ----a-w c:\winnt\system32\drivers\vetfddnt.sys
2008-12-15 03:01 21,104 ----a-w c:\winnt\system32\drivers\vet-rec.sys
2008-12-15 03:01 108,368 ----a-w c:\winnt\system32\drivers\veteboot.sys
2008-12-15 03:00 --------- d---a-w c:\documents and settings\All Users\Application Data\CA
2008-12-15 03:00 --------- d-----w c:\program files\CA
2008-12-12 18:44 --------- d-----w c:\documents and settings\Leah Dermody\Application Data\gtk-2.0
2008-12-11 12:09 239,472 ----a-w c:\winnt\system32\drivers\SRV.SYS
2008-12-02 20:33 --------- d-----w c:\program files\Inkscape
2008-11-26 20:03 --------- d-----w c:\documents and settings\Leah Dermody\Application Data\AdobeUM
2008-11-26 20:02 --------- d-----w c:\program files\Common Files\Adobe
2008-09-29 05:25 271 ---h--w c:\program files\desktop.ini
2008-09-29 05:25 21,952 ---h--w c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2839f9a5-b307-7ce1-de3b-a5e23618fb15}]
09-01-07 04:06 683008 --a------ c:\winnt\system32\nslB.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [07-09-04 16:40 6856704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [07-12-04 09:41 8523776]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [07-12-04 09:41 81920]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [08-12-14 19:01 247024]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [08-12-14 19:01 234736]
"PPRT"="c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC_Logon.exe" [07-09-26 13:55 21256]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 c:\winnt\system32\mobsync.exe]
"nwiz"="nwiz.exe" [07-12-04 09:41 1626112 c:\winnt\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [07-03-21 06:49 16126464 c:\winnt\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 11:05 186640]

c:\documents and settings\Leah Dermody\Start Menu\Programs\Startup\
MarvellTrayStartup.lnk - c:\program files\Marvell\61xx\tray\RaidTray.bat [2008-09-28 201]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
OKI LPR Utility.lnk - c:\program files\Okidata\OKI LPR Utility\okilpr.exe [2008-11-08 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R0 mv61xx;mv61xx;c:\winnt\system32\drivers\mv61xx.sys [2007-06-14 143256]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\winnt\system32\drivers\l150x86.sys [2008-09-28 35328]
R3 Marvell RAID;Marvell RAID Event Agent;c:\program files\Marvell\61xx\svc\mvraidsvc.exe [2007-06-12 61440]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2008-12-14 185584]
R4 MRUWebService;MRU Web Service;c:\program files\Marvell\61xx\Apache2\bin\Apache.exe [2007-05-22 20539]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT
*NewlyCreated* - RASAUTO
*NewlyCreated* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\winnt\Tasks\CAAntiSpywareScan_Daily as Leah Dermody at 7 00 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [08-12-14 19:01 ]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-GetPack26 - c:\program files\GetPack\GetPack26.exe
HKCU-Run-GetModule33 - c:\program files\GetModule\GetModule33.exe


.
------- Supplementary Scan -------
.
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: c:\winnt\system32\VetRedir.dll
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Leah Dermody\Application Data\Mozilla\Firefox\Profiles\ycq4i27z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www10.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://en-us.www.mozilla.com/en-US/firefox/central/
FF - prefs.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www10.yoog.com/search.php?q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-21 09:53:46
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\system32\mvraidsvc.log 669 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(256)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\program files\CA\SharedComponents\PPRT\bin\MSVCR71.dll

- - - - - - - > 'lsass.exe'(324)
c:\winnt\system32\VetRedir.dll
c:\winnt\system32\ISafeIf.dll
.
Completion time: 2009-01-21 9:55:42 - machine was rebooted [Leah Dermody]
ComboFix-quarantined-files.txt 2009-01-21 17:55:40

Pre-Run: 145,474,703,360 bytes free
Post-Run: 145,782,116,352 bytes free

165 --- E O F --- 2009-01-15 06:19:39

[Dinonosaur]

Can I enable the anti-virus/ant-spyware or should i wait?

[tetonbob]

Yes, after each run of ComboFix, once it's done, re-enable the protections.

But...since we need to run another script, may as well leave them disabled for now.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
2. Open notepad and copy/paste the text in the quotebox below into it:
   
   
   Quote:

   http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/335072-matcash-yoog-zedo-multiple-issues-post1925694.html#post1925694
   
   Folder::
   c:\documents and settings\Leah Dermody\Application Data\Twain
   c:\Program Files\Webtools
   
   Collect::
   c:\winnt\system32\bhcvgvaghyrg.exe
   c:\winnt\system32\nslB.dll
   
   FireFox::
   FF - ProfilePath - c:\documents and settings\Leah Dermody\Application Data\Mozilla\Firefox\Profiles\ycq4i27z.default\
   FF - prefs.js: browser.search.selectedEngine - Yoog Search
   FF - prefs.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
   FF - user.js: browser.search.defaultenginename - Yoog Search
   FF - user.js: browser.search.defaulturl - hxxp://www10.yoog.com/search.php?q=
   
   

   Save this as CFScript.txt
   
   
   
   
   Referring to the picture above, drag CFScript.txt into ComboFix.exe
   
   
   
3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
4. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed.. With the above script, ComboFix will capture a file to submit for analysis.
   
   Ensure you are connected to the internet and click OK. Follow the prompts.
   
5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
   
   ---------------------------------------------------------------------------------------------
   

[Dinonosaur]

ComboFix 09-01-21.02 - Leah Dermody 01/21/2009 16:28:48.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2047.1581 [GMT -8:00]
Running from: c:\documents and settings\Leah Dermody\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Leah Dermody\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Leah Dermody\Application Data\Twain
c:\program files\Webtools
c:\winnt\system32\bhcvgvaghyrg.exe
c:\winnt\system32\nslB.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 19:02 259,496 ----a-w c:\program files\desaturated_leopard.xcf
2009-01-21 06:05 927,113 ----a-w c:\program files\GIMP-2.xcf
2009-01-20 03:16 --------- d---a-w c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-01-20 03:16 --------- d-----w c:\documents and settings\Leah Dermody\Application Data\ZoomBrowser EX
2009-01-11 21:45 --------- d-----w c:\program files\GIMP-2.2
2009-01-11 21:43 --------- d-----w c:\program files\Common Files\GTK
2008-12-25 21:32 --------- d-----w c:\program files\EA GAMES
2008-12-19 22:44 11,376 ----a-w c:\winnt\system32\drivers\SECDRV.SYS
2008-12-19 22:35 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-19 22:35 --------- d-----w c:\program files\Maxis
2008-12-19 22:34 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-15 03:05 --------- d-----w c:\program files\Common Files\Scanner
2008-12-15 03:01 99,568 ----a-w c:\winnt\system32\isafeif.dll
2008-12-15 03:01 91,376 ----a-w c:\winnt\system32\isafprod.dll
2008-12-15 03:01 880,560 ----a-w c:\winnt\system32\drivers\vetefile.sys
2008-12-15 03:01 83,256 ----a-w c:\winnt\system32\vetredir.dll
2008-12-15 03:01 32,240 ----a-w c:\winnt\system32\drivers\vetmonnt.sys
2008-12-15 03:01 26,352 ----a-w c:\winnt\system32\drivers\vet-filt.sys
2008-12-15 03:01 21,488 ----a-w c:\winnt\system32\drivers\vetfddnt.sys
2008-12-15 03:01 21,104 ----a-w c:\winnt\system32\drivers\vet-rec.sys
2008-12-15 03:01 108,368 ----a-w c:\winnt\system32\drivers\veteboot.sys
2008-12-15 03:00 --------- d---a-w c:\documents and settings\All Users\Application Data\CA
2008-12-15 03:00 --------- d-----w c:\program files\CA
2008-12-12 18:44 --------- d-----w c:\documents and settings\Leah Dermody\Application Data\gtk-2.0
2008-12-11 12:09 239,472 ----a-w c:\winnt\system32\drivers\SRV.SYS
2008-12-02 20:33 --------- d-----w c:\program files\Inkscape
2008-11-26 20:03 --------- d-----w c:\documents and settings\Leah Dermody\Application Data\AdobeUM
2008-11-26 20:02 --------- d-----w c:\program files\Common Files\Adobe
2008-10-23 05:27 237,840 ----a-w c:\winnt\system32\GDI32.DLL
2008-09-29 05:25 271 ---h--w c:\program files\desktop.ini
2008-09-29 05:25 21,952 ---h--w c:\program files\folder.htt
2006-06-23 14:48 32,768 ----a-r c:\winnt\inf\UpdateUSB.exe
2000-07-26 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((( snapshot@Wed 2009-01-21_ 9.55.21.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-22 00:28:30 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_344.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [09/04/07 04:40p 6856704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [12/04/07 09:41a 8523776]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [12/04/07 09:41a 81920]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [12/14/08 07:01p 247024]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [12/14/08 07:01p 234736]
"PPRT"="c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC_Logon.exe" [09/26/07 01:55p 21256]
"Synchronization Manager"="mobsync.exe" [06/19/03 11:05a 111376 c:\winnt\system32\mobsync.exe]
"nwiz"="nwiz.exe" [12/04/07 09:41a 1626112 c:\winnt\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [03/21/07 06:49a 16126464 c:\winnt\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 11:05a 186640]

c:\documents and settings\Leah Dermody\Start Menu\Programs\Startup\
MarvellTrayStartup.lnk - c:\program files\Marvell\61xx\tray\RaidTray.bat [2008-09-28 201]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
OKI LPR Utility.lnk - c:\program files\Okidata\OKI LPR Utility\okilpr.exe [2008-11-08 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R0 mv61xx;mv61xx;c:\winnt\system32\drivers\mv61xx.sys [2007-06-14 143256]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\winnt\system32\drivers\l150x86.sys [2008-09-28 35328]
R3 Marvell RAID;Marvell RAID Event Agent;c:\program files\Marvell\61xx\svc\mvraidsvc.exe [2007-06-12 61440]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2008-12-14 185584]
R4 MRUWebService;MRU Web Service;c:\program files\Marvell\61xx\Apache2\bin\Apache.exe [2007-05-22 20539]
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\winnt\Tasks\CAAntiSpywareScan_Daily as Leah Dermody at 7 00 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [12/14/08 07:01p]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2839f9a5-b307-7ce1-de3b-a5e23618fb15} - c:\winnt\system32\nslB.dll


.
------- Supplementary Scan -------
.
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: c:\winnt\system32\VetRedir.dll
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Leah Dermody\Application Data\Mozilla\Firefox\Profiles\ycq4i27z.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.www.mozilla.com/en-US/firefox/central/

---- FIREFOX POLICIES ----
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-21 16:30:17
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\system32\Perflib_Perfdata_170.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(252)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\program files\CA\SharedComponents\PPRT\bin\MSVCR71.dll

- - - - - - - > 'lsass.exe'(320)
c:\winnt\system32\VetRedir.dll
c:\winnt\system32\ISafeIf.dll
.
Completion time: 01/21/2009 16:31:21
ComboFix-quarantined-files.txt 2009-01-22 00:30:58
ComboFix2.txt 2009-01-21 17:55:43

Pre-Run: 145,793,019,904 bytes free
Post-Run: 145,793,933,312 bytes free

136 --- E O F --- 2009-01-15 06:19:39

[tetonbob]

Next....

Go here to run an online scannner from ESET.

• Note: You will need to use Internet explorer for this scan
• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
• Click Scan
• Wait for the scan to finish
• Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic and also let me know how things are now.

[Dinonosaur]

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3787 (20090121)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=9c06427bef73944b913ed6a46926ea93
# end=stopped
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-01-22 03:12:53
# local_time=2009-01-21 07:12:53 (-0800, Pacific Standard Time)
# country="United States"
# osver=5.0.2195 NT Service Pack 4
# scanned=0
# found=0
# scan_time=2052369

[Dinonosaur]

I just now reran the CA Anti-Spyware Scan and got 5 detected items. These are what I got.

Bifrost
WinSpywareProtect
KaZaA
euroclick.com
HitBox.com

Isn't KaZaA like a music downloading company? I don't even use that. P.S Thanks for your help!

EDIT: I just realized the Yoog toolbar on Mozilla is gone. It says Google now. :)

[tetonbob]

Regarding what CA Antispyware found...much depends on the location. Some look to me like they may be cookies.

Some might be in ComboFix quarantine or System Restore points. Those will get flushed out when we uninstall ComboFix once we're done.

Does it give you full location? File path, registry key or value? Does it give you the opportunity to fix what it finds? I don't have any experience with that application, so I can't tell you what to do about it without more information.

Yup...we fixed that Yoog

[Dinonosaur]

Each item has: Key "hkey_users\S-1-5-21-1078081 under the Spyware Location

And the category for each one is..

Bifrost Category: Backdoor
WinSpywareProtect Category: Rogue Security Software
KaZaA Category: P2P
euroclick.com Category: Tracking Cookie
HitBox.com Category: Tracking Cookie

[tetonbob]

Two of those are cookies. We shan't worry much about them. The others are likely orphaned registry items. With no active loading point, they cannot do harm...however....

hkey_users\S-1-5-21-1078081 is a partial registry key. To help you fix it, if your application won't, I'd need the full registry information. Is there a log you can save with more complete output?

Does it not fix what it finds?

[Dinonosaur]

I think it's fixed, because I do the CA Spyware Scan now and it comes up clean. :) thank you again.

[tetonbob]

Ok, great...some final instructions for you...


Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  
• Winpatrol
  
  Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.
  
  You can get a free copy of Winpatrol or use the Plus version for more features.
  
  You can read Winpatrol's FAQ if you run into problems.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
  
  
• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• How did I get infected in the first place?
• PC Safety and Security--What Do I Need?

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[Dinonosaur]

Thank you. I will try this!

[tetonbob]

You're welcome.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.