Topic: I need your help Corrine.


Offline -blaze-

  • Newbie
  • *
  • Posts: 11
Re: I need your help Corrine.
« Reply #15 on: January 31, 2010, 01:21:52 AM »
Here is the mbam log:

Malwarebytes' Anti-Malware 1.44
Database version: 3665
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/30/2010 9:21:22 PM
mbam-log-2010-01-30 (21-21-22).txt

Scan type: Quick Scan
Objects scanned: 148537
Time elapsed: 8 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 39
Registry Values Infected: 6
Registry Data Items Infected: 1
Folders Infected: 13
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\nsadsoftinc.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\testCPV6.dll (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{180175c0-913e-451c-9419-2d5500368d43} (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{84ba8988-33e1-4c89-a150-bf428e8d3213} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8eeb2711-9d21-4f9c-99a1-b7fc5a8ca56a} (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{f7fced71-ac73-4131-8836-a13c0fb0385b} (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{bb112471-9094-471b-92b0-931a40c42b98} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\drflex.band (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\drflex.band.1 (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\drflex.bho (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\drflex.bho.1 (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.band (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.band.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GetPack (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GrandPack (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{180175c0-913e-451c-9419-2d5500368d43} (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\BO1jiZmwnF2zhi (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{84ba8988-33e1-4c89-a150-bf428e8d3213} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8eeb2711-9d21-4f9c-99a1-b7fc5a8ca56a} (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpeedRunner (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Webtools (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VnrBlock (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{180175c0-913e-451c-9419-2d5500368d43} (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8eeb2711-9d21-4f9c-99a1-b7fc5a8ca56a} (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bchanger (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\grandpack (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\p2p networking (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getmodule31 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getpack26 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jnpcsuwr (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\p2p networking (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jnpcsuwr (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\sandra\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\sandra\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Program Files\BChanger (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetPack (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GrandPack (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\InetGet2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\JavaCore (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\VnrBlock (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\sandra\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\sandra\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\sandra\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\sandra\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\sandra\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sandra\Desktop\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sandra\Local Settings\Temp\e.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\A.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\B.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\BChanger\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\BChanger\data.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetPack\dictame.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetPack\trgtame.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GrandPack\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\nsadsoftinc.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\QdrDrive\QdrDrive20.dll (Adware.DrFlex) -> Quarantined and deleted successfully.
C:\Program Files\VnrBlock\xtarga.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\iCheck.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogo.exe (Trojan.Banker) -> Quarantined and deleted successfully.
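One detail in the log above matters for the next step: nsadsoftinc.dll in the Firefox components folder is marked "Delete on reboot" rather than quarantined, so it stays on disk until the machine restarts. The following is an added example, not Malwarebytes' code or anything posted in the thread: it parses this log format, cross-checks the itemised entries against the summary counts in the header, and lists what is still pending a reboot. The input is a constructed excerpt of the log above.

```python
import re
from collections import Counter

# "Registry Keys Infected: 39" (header), "Registry Keys Infected:" (section),
# and "item (Detection) -> action." (entry) are the three line shapes MBAM uses.
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")

# Constructed excerpt of the log posted in Reply #15 (counts trimmed to match).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3665
Scan type: Quick Scan
Objects scanned: 148537

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\nsadsoftinc.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\drflex.bho (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\p2p networking (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\components\nsadsoftinc.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\winlogo.exe (Trojan.Banker) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return {"summary": {section: declared count}, "entries": [dict, ...]}."""
    summary, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # The action is the text after the last arrow; registry data items
        # carry a "Bad: (1) Good: (0)" note in front of it.
        action = m.group("rest").rsplit(" -> ", 1)[-1].rstrip(".")
        entries.append({"section": section, "item": m.group("item"),
                        "detection": m.group("detection"), "action": action})
    return {"summary": summary, "entries": entries}


def count_mismatches(parsed):
    """Sections whose declared count differs from the entries actually listed."""
    found = Counter(e["section"] for e in parsed["entries"])
    return {s: (n, found.get(s, 0)) for s, n in parsed["summary"].items()
            if n != found.get(s, 0)}


def pending_reboot(parsed):
    """Items MBAM could not remove yet; a restart is needed before re-checking."""
    return sorted({e["item"] for e in parsed["entries"]
                   if e["action"] == "Delete on reboot"})


def detection_families(parsed):
    return Counter(e["detection"] for e in parsed["entries"])


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(parsed) or "none")
    print("families:", dict(detection_families(parsed)))
    for item in pending_reboot(parsed):
        print("still pending reboot:", item)
```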

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: I need your help Corrine.
« Reply #16 on: January 31, 2010, 01:27:28 AM »
Yippee!!!!  

Have you restarted yet?

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline -blaze-

  • Newbie
  • *
  • Posts: 11
Re: I need your help Corrine.
« Reply #17 on: January 31, 2010, 01:39:43 AM »
"Yippee!!!!!" -Please tell me that's a good thing ...   ='(

And yes, I restarted so that Malwarebytes can finish deleting the infected files.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: I need your help Corrine.
« Reply #18 on: January 31, 2010, 01:42:00 AM »
Yes, it is a good thing.  Very definitely, good.  Now, let's see what else is left on your computer. 

Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

Note:  If you use AVG, you must also open the AVG 8 Control Center by right-clicking on the AVG 8 icon on the task bar, as well as the following:
  • Click on Tools.
  • Select Advanced Settings.
  • In the left hand pane, scroll down to "Resident Shield".
  • In the main pane, deselect the option to "Enable Resident Shield."
  • To re-enable AVG 8, please select "Enable Resident Shield" again.

Now, please run ComboFix:
  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.

Offline -blaze-

  • Newbie
  • *
  • Posts: 11
Re: I need your help Corrine.
« Reply #19 on: January 31, 2010, 02:19:50 AM »
Ok, I followed your directions. It took a while, but here's the log:

ComboFix 10-01-30.02 - sandra 01/30/2010  21:53:15.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.959.398 [GMT -5:00]
Running from: c:\documents and settings\sandra\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1229 [VPS 091031-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton Internet Security 2006 *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\sandra\Application Data\Install.dat
c:\documents and settings\sandra\Temporary Internet Files\CPV.stt
c:\documents and settings\sandra\winlogo.exe
c:\recycler\S-1-5-21-3993084090-3807977492-3083739162-1006
c:\recycler\S-1-5-21-3993084090-3807977492-3083739162-1007
c:\recycler\S-1-5-21-3993084090-3807977492-3083739162-1008
c:\recycler\S-1-5-21-3993084090-3807977492-3083739162-1009
c:\windows\EventSystem.log
c:\windows\system32\app.exe
c:\windows\system32\install.exe
D:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2009-12-28 to 2010-01-31  )))))))))))))))))))))))))))))))
.

2010-01-31 02:03 . 2010-01-07 21:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-31 02:03 . 2010-01-31 02:03   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-01-31 02:02 . 2010-01-31 02:02   --------   d-----w-   c:\documents and settings\sandra\Application Data\Malwarebytes
2010-01-31 01:54 . 2010-01-31 01:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-31 01:54 . 2010-01-31 01:54   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-31 01:54 . 2010-01-07 21:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-31 01:50 . 2010-01-31 01:50   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-01-30 08:03 . 2010-01-31 01:41   --------   d-----w-   c:\program files\Malwarebytes Anti-Malware 1.44
2010-01-30 06:55 . 2010-01-31 02:00   --------   d-----w-   c:\documents and settings\sandra\Local Settings\Application Data\oeqlgx
2010-01-26 03:34 . 2010-01-26 03:34   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-01-23 02:26 . 2009-11-21 15:51   471552   ------w-   c:\windows\system32\dllcache\aclayers.dll
2010-01-23 01:25 . 2008-12-11 10:57   333952   ------w-   c:\windows\system32\dllcache\srv.sys
2010-01-23 01:23 . 2009-07-10 13:27   1315328   ------w-   c:\windows\system32\dllcache\msoe.dll
2010-01-23 01:21 . 2008-10-15 16:34   337408   ------w-   c:\windows\system32\dllcache\netapi32.dll
2010-01-23 01:14 . 2008-10-24 11:21   455296   ------w-   c:\windows\system32\dllcache\mrxsmb.sys
2010-01-13 05:24 . 2010-01-13 08:18   --------   d-----w-   c:\program files\Algebrator

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-31 02:46 . 2006-08-10 09:51   --------   d-----w-   c:\program files\Common Files\Symantec Shared
2010-01-31 02:26 . 2009-10-28 02:28   --------   d-----w-   c:\program files\Steam
2010-01-25 09:09 . 2006-11-14 17:33   102672   ----a-w-   c:\documents and settings\sandra\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-25 02:57 . 2009-12-17 03:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-25 02:44 . 2006-08-10 09:37   --------   d-----w-   c:\program files\Microsoft Works
2010-01-25 02:12 . 2008-11-18 03:53   --------   d-----w-   c:\program files\HighKey
2010-01-24 03:47 . 2009-12-11 04:17   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-01-12 07:48 . 2006-11-15 12:57   3624   ----a-w-   c:\documents and settings\sandra\Application Data\wklnhst.dat
2010-01-05 10:00 . 2004-08-04 21:00   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 21:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 21:00   17408   ----a-w-   c:\windows\system32\corpol.dll
2009-12-21 00:35 . 2008-11-27 18:52   --------   d-----w-   c:\program files\DivX
2009-12-21 00:35 . 2009-12-21 00:35   --------   d-----w-   c:\program files\Common Files\DivX Shared
2009-12-17 03:50 . 2009-12-17 03:50   --------   d-----w-   c:\program files\MSBuild
2009-12-17 03:48 . 2009-12-17 03:48   --------   d-----w-   c:\program files\Microsoft.NET
2009-12-17 03:03 . 2009-12-17 02:41   --------   d-----w-   c:\documents and settings\sandra\Application Data\GetRightToGo
2009-12-02 23:26 . 2006-03-27 16:17   82543   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-21 15:51 . 2004-08-04 21:00   471552   ----a-w-   c:\windows\AppPatch\aclayers.dll
.

(((((((((((((((((((((((((((((((((((((((((((((   AWF   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-11-07 15:29 . 2006-11-07 15:29   50736   c:\program files\AIM6\bak\aim6.exe
2008-03-25 20:21 . 2008-03-25 20:21   50528   c:\program files\AIM6\aim6.exe

2006-03-21 01:34 . 2005-08-11 23:30   81920   c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
2005-08-11 22:30 . 2005-08-11 22:30   81920   c:\program files\Common Files\InstallShield\UpdateService\issch.exe

2006-03-21 01:34 . 2005-08-11 23:30   249856   c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
2005-08-11 22:30 . 2005-08-11 22:30   249856   c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

2006-10-14 23:15 . 2006-11-18 21:10   163576   c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe

2005-02-17 06:11 . 2005-02-17 06:11   49152   c:\program files\Hp\HP Software Update\bak\HPWuSchd2.exe
2006-02-19 06:41 . 2006-02-19 06:41   49152   c:\program files\Hp\HP Software Update\hpwuSchd2.exe

2006-08-10 09:40 . 2006-04-12 04:54   102400   c:\program files\Hp\QuickPlay\bak\QPService.exe

2006-08-10 10:13 . 2006-01-26 23:18   40960   c:\program files\HPQ\Default Settings\bak\cpqset.exe

2005-11-11 05:03 . 2005-11-11 05:03   36975   c:\program files\Java\jre1.5.0_06\bin\bak\jusched.exe

2005-06-14 18:05 . 2005-06-14 18:05   6856704   c:\program files\MSN Messenger\bak\MsnMsgr.Exe

2006-08-10 09:39 . 2006-03-04 05:46   761948   c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe

2006-08-10 10:31 . 2005-10-11 17:23   1187840   c:\windows\SMINST\bak\RecGuard.exe

.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-25 3660848]
"Steam"="c:\program files\steam\steam.exe" [2009-10-29 1217808]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 392832]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"WildTangent CDA"="c:\program files\WildTangent\Apps\CDA\GameDrvr.exe" [2005-03-29 28616]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [N/A]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [N/A]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-02-02 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [N/A]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 131072]
"p2p networking"="p2pnetworking.exe" [N/A]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-21 7561216]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
"DVMedia"="e:\\Resource\AutoRerun.exe" [N/A]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-01-12 4898816]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [N/A]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728]

c:\documents and settings\Genesis\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728]

c:\documents and settings\sandra\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2006-8-22 159744]
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
 WinCinema Manager.lnk - c:\program files\Sandisk\Common\Bin\WinCinemaMgr.exe [2007-2-20 303104]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-10-10 156784]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/25/2008 7:28 PM 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/25/2008 7:28 PM 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/24/2008 10:59 PM 24652]
S2 crd;crd;c:\docume~1\sandra\LOCALS~1\Temp\IXP001.TMP\poststp.exe --> c:\docume~1\sandra\LOCALS~1\Temp\IXP001.TMP\poststp.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2010-01-31 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-07-08 01:26]

2010-01-19 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-11-30 18:04]

2010-01-30 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Evangelista.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-10-07 16:13]

2010-01-30 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - sandra.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-10-07 16:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://myspace.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?a1efbd1483ce404d8d52e509325ddd08
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?a1efbd1483ce404d8d52e509325ddd08
FF - ProfilePath - c:\documents and settings\sandra\Application Data\Mozilla\Firefox\Profiles\9u98lcdz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-30 22:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-01-30  22:06:40
ComboFix-quarantined-files.txt  2010-01-31 03:06

Pre-Run: 14,098,931,712 bytes free
Post-Run: 14,119,653,376 bytes free

- - End Of File - - A48A4F8587A9A0E43DA234184837414F

Offline R-C

  • Hero Member
  • *****
  • Posts: 2651
  • Laissez les bons temps rouler!
Re: I need your help Corrine.
« Reply #20 on: January 31, 2010, 05:47:26 AM »
Wow! Hi blaze, I am that ravencajun person, LOL. I sure am glad you found that old post over on GW and found your way over here.
Looks like LandzDown is definitely the one you needed on your side!
Impressive work!
registered Linux user:476595
May inspiration fill your heart and hands, run down your legs onto your feet and cause Spontaneous Dancing! :dance:

Offline -blaze-

  • Newbie
  • *
  • Posts: 11
Re: I need your help Corrine.
« Reply #21 on: January 31, 2010, 07:51:32 AM »
Hey Raven! If it wasn't for you, I would've never found this place, and I would've still had that virus.
And of course, thanks to LandzDown.

Thank You :)

Offline Eric the Red

  • ISO/IEC 27001:2005
  • Administrator
  • Hero Member
  • *****
  • Posts: 1611
  • Would somebody please pass me a beer!
Re: I need your help Corrine.
« Reply #22 on: January 31, 2010, 08:54:14 AM »
-blaze-

Your installed version of Java is out of date and poses a security risk.

Please download JavaRa and unzip it to your desktop.

  • Double-click on JavaRa.exe to start the program.  (Windows Vista users Right-click JavaRa.exe > Select "Run as Administrator")
  • Click on Remove Older Versions to remove older versions of Java.
  • A logfile will pop up. Please save it to a convenient location.

Then download and install Java Runtime Environment (JRE) 6 Update 18.  

Note:  UNCHECK any pre-checked toolbar and/or software options presented with the update.  They are not part of the software update and are completely optional.  

"The time to start running is around about the "e" in "Hey, you!" "
Proud member Since 2004 

The information I provide is provided "AS IS" without warranty, and confers no rights.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: I need your help Corrine.
« Reply #23 on: January 31, 2010, 03:23:18 PM »
Hi, -blaze-.

After you run JavaRa as requested by Eric the Red, please continue with the following in the order presented.

1) A strong word of caution:  You have Limewire installed on your computer, a P2P program.  P2P programs form a direct conduit onto your computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program. Use of P2P programs can result in Identity Theft and P2P Dangers Have Not Gone Away.  You should have an entry in add/remove programs to uninstall Limewire.

2) Antivirus Software/Firewall

Your Norton Antivirus is outdated.  If your subscription to Norton has expired, you need to obtain a new license or select a different antivirus software and uninstall Norton.  Whether it is Norton or a different antivirus program, please do the following:
  • download your selected program
  • disconnect from the Internet
  • uninstall Norton 2006
  • install the replacement software
  • reconnect to the internet and update the selected antivirus
In the event you decide to install an antivirus software other than Norton, please then download and run the Norton Removal Tool from http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

Note also that replacing Norton will also involve selecting a replacement software firewall.  The following are free for personal use.

Free Antivirus Software:

avast! 4 Home Edition
Avira AntiVir PersonalEdition Classic
Microsoft Security Essentials

Free Software Firewalls:

3) Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
Code:
File::
c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

Firefox::
FireFox -: Profile - c:\documents and settings\sandra\Application Data\Mozilla\Firefox\Profiles\9u98lcdz.default\
FireFox -: prefs.js - browser.search.selectedEngine - Yoog Search
FireFox -: prefs.js - keyword.URL - hxxp://www9.yoog.com/search.php?q=
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

4) Extra:

In addition to the ComboFix log, please also navigate to the following location and post the contents.  Note that it may require more than one reply as the forum software only allows a certain number of characters in each response.

--->  C:\QooBox\Add-Remove Programs.txt
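The points raised against the ComboFix log in Replies #22 and #23 (outdated and disabled security products, Security Center monitoring switched off, the Windows Firewall disabled, an autorun or service pointing at a missing or Temp-folder executable, Firefox search preferences pushed to an unfamiliar host through user.js, and a JRE older than the 6 Update 18 Eric the Red recommends) can be pulled out of the log mechanically. This is an added triage example, not ComboFix's code or anything from the thread; the heuristics, the search-host allowlist and the current-JRE constant are my assumptions, and the input is a constructed excerpt of the log in Reply #19.

```python
import re
from urllib.parse import urlparse

# Assumptions for this example, not ComboFix data: the JRE release recommended
# in the thread, and a small allowlist of search hosts treated as expected.
CURRENT_JRE = (6, 0, 18)
KNOWN_SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.yahoo.com"}
SEARCH_PREFS = ("keyword.URL", "browser.search.defaulturl")

AV_RE = re.compile(r"^(?:AV|FW): (?P<product>.+?) \*(?P<state>[^*]+)\*(?P<outdated> \(Outdated\))?")
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)" \[(?P<info>[^\]]*)\]$')
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>.+?)(?: -->.*)?$")
FF_RE = re.compile(r"^FF - (?P<file>prefs\.js|user\.js): (?P<pref>\S+) - (?P<value>.*)$")
JRE_RE = re.compile(r"jre1\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)

# Constructed excerpt of the ComboFix log posted in Reply #19.
SAMPLE_LOG = r"""
AV: avast! antivirus 4.8.1229 [VPS 091031-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton Internet Security 2006 *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"p2p networking"="p2pnetworking.exe" [N/A]
"DVMedia"="e:\\Resource\AutoRerun.exe" [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/25/2008 7:28 PM 78416]
S2 crd;crd;c:\docume~1\sandra\LOCALS~1\Temp\IXP001.TMP\poststp.exe --> c:\docume~1\sandra\LOCALS~1\Temp\IXP001.TMP\poststp.exe [?]
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
"""


def triage_combofix(text):
    """Return (kind, detail) findings from a ComboFix log, in log order."""
    findings, section, jre_reported = [], "", set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)          # [registry key] headers set the context
        if m:
            section = m.group("key")
            continue
        sec, leaf = section.lower(), section.rsplit("\\", 1)[-1]
        m = AV_RE.match(line)               # AV:/FW: product lines in the header
        if m:
            if m.group("outdated"):
                findings.append(("outdated-security-product", m.group("product")))
            if "disabled" in m.group("state"):
                findings.append(("protection-disabled", m.group("product")))
            continue
        if "security center" in sec and line.startswith('"DisableMonitoring"=dword:00000001'):
            findings.append(("security-center-monitoring-suppressed", leaf))
            continue
        if "firewallpolicy" in sec and line.startswith('"EnableFirewall"= 0'):
            findings.append(("windows-firewall-off", leaf))
            continue
        m = RUN_RE.match(line)              # "name"="target" [date size] or [N/A]
        if m:
            target, info = m.group("target"), m.group("info")
            in_temp = "\\temp\\" in target.lower()
            bare_missing = "\\" not in target and info == "N/A"  # no path, file not found
            if sec.endswith("\\run") and (in_temp or bare_missing):
                findings.append(("suspicious-autorun", m.group("name") + " -> " + target))
            continue
        m = SVC_RE.match(line)              # R#/S# service and driver lines
        if m:
            if "\\temp\\" in m.group("path").lower():
                findings.append(("service-in-temp", m.group("name") + " -> " + m.group("path")))
            continue
        m = FF_RE.match(line)               # Firefox prefs.js / user.js entries
        if m:
            pref, value = m.group("pref"), m.group("value")
            host = urlparse(value.replace("hxxp", "http", 1)).netloc  # ComboFix defangs URLs
            if m.group("file") == "user.js":
                findings.append(("firefox-pref-forced-by-user.js", pref + " = " + value))
            elif pref in SEARCH_PREFS and host and host not in KNOWN_SEARCH_HOSTS:
                findings.append(("firefox-search-hijack", pref + " = " + value))
            continue
        m = JRE_RE.search(line)             # Java plugin paths carry the JRE version
        if m and line.startswith("FF - plugin:"):
            ver = tuple(int(x) for x in m.groups())
            if ver < CURRENT_JRE and ver not in jre_reported:
                jre_reported.add(ver)
                findings.append(("outdated-java-plugin", "jre1.%d.%d_%02d" % ver))
    return findings


if __name__ == "__main__":
    print(*triage_combofix(SAMPLE_LOG), sep="\n")
```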