

Messages - -blaze-

1
Analysis and Malware Removal / Re: I need your help Corrine.
« on: January 31, 2010, 06:51:32 AM »
Hey Raven! If it wasn't for you, I would've never found this place, and I'd still have that virus.
And of course, thanks to landzdown.




Thank You :)

2
Analysis and Malware Removal / Re: I need your help Corrine.
« on: January 31, 2010, 01:19:50 AM »
Ok, I followed your directions; it took a while, but here's the log:

ComboFix 10-01-30.02 - sandra 01/30/2010  21:53:15.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.959.398 [GMT -5:00]
Running from: c:\documents and settings\sandra\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1229 [VPS 091031-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton Internet Security 2006 *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\sandra\Application Data\Install.dat
c:\documents and settings\sandra\Temporary Internet Files\CPV.stt
c:\documents and settings\sandra\winlogo.exe
c:\recycler\S-1-5-21-3993084090-3807977492-3083739162-1006
c:\recycler\S-1-5-21-3993084090-3807977492-3083739162-1007
c:\recycler\S-1-5-21-3993084090-3807977492-3083739162-1008
c:\recycler\S-1-5-21-3993084090-3807977492-3083739162-1009
c:\windows\EventSystem.log
c:\windows\system32\app.exe
c:\windows\system32\install.exe
D:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2009-12-28 to 2010-01-31  )))))))))))))))))))))))))))))))
.

2010-01-31 02:03 . 2010-01-07 21:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-31 02:03 . 2010-01-31 02:03   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-01-31 02:02 . 2010-01-31 02:02   --------   d-----w-   c:\documents and settings\sandra\Application Data\Malwarebytes
2010-01-31 01:54 . 2010-01-31 01:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-31 01:54 . 2010-01-31 01:54   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-31 01:54 . 2010-01-07 21:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-31 01:50 . 2010-01-31 01:50   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-01-30 08:03 . 2010-01-31 01:41   --------   d-----w-   c:\program files\Malwarebytes Anti-Malware 1.44
2010-01-30 06:55 . 2010-01-31 02:00   --------   d-----w-   c:\documents and settings\sandra\Local Settings\Application Data\oeqlgx
2010-01-26 03:34 . 2010-01-26 03:34   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-01-23 02:26 . 2009-11-21 15:51   471552   ------w-   c:\windows\system32\dllcache\aclayers.dll
2010-01-23 01:25 . 2008-12-11 10:57   333952   ------w-   c:\windows\system32\dllcache\srv.sys
2010-01-23 01:23 . 2009-07-10 13:27   1315328   ------w-   c:\windows\system32\dllcache\msoe.dll
2010-01-23 01:21 . 2008-10-15 16:34   337408   ------w-   c:\windows\system32\dllcache\netapi32.dll
2010-01-23 01:14 . 2008-10-24 11:21   455296   ------w-   c:\windows\system32\dllcache\mrxsmb.sys
2010-01-13 05:24 . 2010-01-13 08:18   --------   d-----w-   c:\program files\Algebrator

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-31 02:46 . 2006-08-10 09:51   --------   d-----w-   c:\program files\Common Files\Symantec Shared
2010-01-31 02:26 . 2009-10-28 02:28   --------   d-----w-   c:\program files\Steam
2010-01-25 09:09 . 2006-11-14 17:33   102672   ----a-w-   c:\documents and settings\sandra\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-25 02:57 . 2009-12-17 03:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-25 02:44 . 2006-08-10 09:37   --------   d-----w-   c:\program files\Microsoft Works
2010-01-25 02:12 . 2008-11-18 03:53   --------   d-----w-   c:\program files\HighKey
2010-01-24 03:47 . 2009-12-11 04:17   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-01-12 07:48 . 2006-11-15 12:57   3624   ----a-w-   c:\documents and settings\sandra\Application Data\wklnhst.dat
2010-01-05 10:00 . 2004-08-04 21:00   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 21:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 21:00   17408   ----a-w-   c:\windows\system32\corpol.dll
2009-12-21 00:35 . 2008-11-27 18:52   --------   d-----w-   c:\program files\DivX
2009-12-21 00:35 . 2009-12-21 00:35   --------   d-----w-   c:\program files\Common Files\DivX Shared
2009-12-17 03:50 . 2009-12-17 03:50   --------   d-----w-   c:\program files\MSBuild
2009-12-17 03:48 . 2009-12-17 03:48   --------   d-----w-   c:\program files\Microsoft.NET
2009-12-17 03:03 . 2009-12-17 02:41   --------   d-----w-   c:\documents and settings\sandra\Application Data\GetRightToGo
2009-12-02 23:26 . 2006-03-27 16:17   82543   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-21 15:51 . 2004-08-04 21:00   471552   ----a-w-   c:\windows\AppPatch\aclayers.dll
.

(((((((((((((((((((((((((((((((((((((((((((((   AWF   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-11-07 15:29 . 2006-11-07 15:29   50736   c:\program files\AIM6\bak\aim6.exe
2008-03-25 20:21 . 2008-03-25 20:21   50528   c:\program files\AIM6\aim6.exe

2006-03-21 01:34 . 2005-08-11 23:30   81920   c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
2005-08-11 22:30 . 2005-08-11 22:30   81920   c:\program files\Common Files\InstallShield\UpdateService\issch.exe

2006-03-21 01:34 . 2005-08-11 23:30   249856   c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
2005-08-11 22:30 . 2005-08-11 22:30   249856   c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

2006-10-14 23:15 . 2006-11-18 21:10   163576   c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe

2005-02-17 06:11 . 2005-02-17 06:11   49152   c:\program files\Hp\HP Software Update\bak\HPWuSchd2.exe
2006-02-19 06:41 . 2006-02-19 06:41   49152   c:\program files\Hp\HP Software Update\hpwuSchd2.exe

2006-08-10 09:40 . 2006-04-12 04:54   102400   c:\program files\Hp\QuickPlay\bak\QPService.exe

2006-08-10 10:13 . 2006-01-26 23:18   40960   c:\program files\HPQ\Default Settings\bak\cpqset.exe

2005-11-11 05:03 . 2005-11-11 05:03   36975   c:\program files\Java\jre1.5.0_06\bin\bak\jusched.exe

2005-06-14 18:05 . 2005-06-14 18:05   6856704   c:\program files\MSN Messenger\bak\MsnMsgr.Exe

2006-08-10 09:39 . 2006-03-04 05:46   761948   c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe

2006-08-10 10:31 . 2005-10-11 17:23   1187840   c:\windows\SMINST\bak\RecGuard.exe

.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-25 3660848]
"Steam"="c:\program files\steam\steam.exe" [2009-10-29 1217808]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 392832]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"WildTangent CDA"="c:\program files\WildTangent\Apps\CDA\GameDrvr.exe" [2005-03-29 28616]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [N/A]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [N/A]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-02-02 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [N/A]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 131072]
"p2p networking"="p2pnetworking.exe" [N/A]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-21 7561216]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
"DVMedia"="e:\\Resource\AutoRerun.exe" [N/A]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-01-12 4898816]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [N/A]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728]

c:\documents and settings\Genesis\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728]

c:\documents and settings\sandra\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2006-8-22 159744]
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
 WinCinema Manager.lnk - c:\program files\Sandisk\Common\Bin\WinCinemaMgr.exe [2007-2-20 303104]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-10-10 156784]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/25/2008 7:28 PM 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/25/2008 7:28 PM 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/24/2008 10:59 PM 24652]
S2 crd;crd;c:\docume~1\sandra\LOCALS~1\Temp\IXP001.TMP\poststp.exe --> c:\docume~1\sandra\LOCALS~1\Temp\IXP001.TMP\poststp.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2010-01-31 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-07-08 01:26]

2010-01-19 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-11-30 18:04]

2010-01-30 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Evangelista.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-10-07 16:13]

2010-01-30 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - sandra.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-10-07 16:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://myspace.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?a1efbd1483ce404d8d52e509325ddd08
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?a1efbd1483ce404d8d52e509325ddd08
FF - ProfilePath - c:\documents and settings\sandra\Application Data\Mozilla\Firefox\Profiles\9u98lcdz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-30 22:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-01-30  22:06:40
ComboFix-quarantined-files.txt  2010-01-31 03:06

Pre-Run: 14,098,931,712 bytes free
Post-Run: 14,119,653,376 bytes free

- - End Of File - - A48A4F8587A9A0E43DA234184837414F
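The ComboFix output above packs several security-posture signals into its "Reg Loading Points" section: Security Center monitoring switched off for the Symantec products, the Windows Firewall standard profile disabled, autostart entries whose binary ComboFix marks `[N/A]`, and a service (`crd`) whose image lives under the user's Temp folder. The following Python script is an added example, not part of the original post or of ComboFix itself; it parses a constructed excerpt of that section and flags those signals. Assumptions: the regular expressions cover only the line shapes visible in the log above, and `[N/A]` is treated as "file could not be located" (an interpretation of ComboFix's marker, not documented on the page).

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in ComboFix's "Reg Loading Points" layout, copied from
# the lines of the log above that the checks below look at.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"p2p networking"="p2pnetworking.exe" [N/A]
"DVMedia"="e:\\Resource\AutoRerun.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/25/2008 7:28 PM 78416]
S2 crd;crd;c:\docume~1\sandra\LOCALS~1\Temp\IXP001.TMP\poststp.exe --> c:\docume~1\sandra\LOCALS~1\Temp\IXP001.TMP\poststp.exe [?]
"""


@dataclass(frozen=True)
class Finding:
    check: str      # identifier of the rule that fired
    location: str   # registry key, value name or service name
    detail: str     # raw path or value that triggered the rule


SECTION_RE = re.compile(r'^\[(.+)\]$')
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]\s*$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);[^;]*;(\S.*)$')


def _service_path(rest: str) -> str:
    # Service lines read "<path> [date size]" or "<path> --> <path> [?]";
    # keep only the first path.
    return re.split(r'\s+(?:-->|\[)', rest, maxsplit=1)[0]


def audit_loading_points(log_text: str) -> list[Finding]:
    """Walk the excerpt line by line, tracking the current registry key."""
    findings: list[Finding] = []
    section = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = RUN_VALUE_RE.match(line)
        if m and section.lower().endswith('\\run'):
            name, path, meta = m.groups()
            if meta.strip().upper() == 'N/A':          # assumption: file not found
                findings.append(Finding('autostart_file_not_found', name, path))
            if '\\' not in path and '/' not in path:   # no directory: resolved by search order
                findings.append(Finding('autostart_bare_filename', name, path))
            continue
        m = DWORD_RE.match(line)
        if m and 'security center\\monitoring' in section.lower():
            vname, hexval = m.groups()
            if vname.lower() == 'disablemonitoring' and int(hexval, 16) == 1:
                findings.append(Finding('security_center_monitoring_disabled', section, vname))
            continue
        m = FIREWALL_RE.match(line)
        if m and 'firewallpolicy' in section.lower():
            if int(m.group(1)) == 0:
                findings.append(Finding('windows_firewall_disabled', section, line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, svc_name, rest = m.groups()
            path = _service_path(rest)
            if '\\temp\\' in path.lower():             # service image under a Temp folder
                findings.append(Finding('service_binary_in_temp', svc_name, path))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a quick triage overview."""
    return dict(Counter(f.check for f in findings))


if __name__ == '__main__':
    for f in audit_loading_points(SAMPLE_LOG):
        print(f'{f.check:38} {f.location:60} {f.detail}')
    print(summarize(audit_loading_points(SAMPLE_LOG)))
```

The bare `p2pnetworking.exe` entry that this script flags is the same `p2p networking` value Malwarebytes reports as Backdoor.Bot in the log further down the thread, and the `DisableMonitoring` and `EnableFirewall` hits line up with Malwarebytes' `Disabled.SecurityCenter` item; on a real system each finding is a prompt to verify the binary and restore the setting, not a verdict on its own.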

3
Analysis and Malware Removal / Re: I need your help Corrine.
« on: January 31, 2010, 12:39:43 AM »
"Yippee!!!!!" - Please tell me that's a good thing ...   ='(

And yes, I restarted so that Malwarebytes could finish deleting the infected files.

4
Analysis and Malware Removal / Re: I need your help Corrine.
« on: January 31, 2010, 12:21:52 AM »
Here is the mbam log:

Malwarebytes' Anti-Malware 1.44
Database version: 3665
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/30/2010 9:21:22 PM
mbam-log-2010-01-30 (21-21-22).txt

Scan type: Quick Scan
Objects scanned: 148537
Time elapsed: 8 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 39
Registry Values Infected: 6
Registry Data Items Infected: 1
Folders Infected: 13
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\nsadsoftinc.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\testCPV6.dll (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{180175c0-913e-451c-9419-2d5500368d43} (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{84ba8988-33e1-4c89-a150-bf428e8d3213} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8eeb2711-9d21-4f9c-99a1-b7fc5a8ca56a} (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{f7fced71-ac73-4131-8836-a13c0fb0385b} (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{bb112471-9094-471b-92b0-931a40c42b98} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\drflex.band (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\drflex.band.1 (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\drflex.bho (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\drflex.bho.1 (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.band (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.band.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GetPack (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GrandPack (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{180175c0-913e-451c-9419-2d5500368d43} (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\BO1jiZmwnF2zhi (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{84ba8988-33e1-4c89-a150-bf428e8d3213} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8eeb2711-9d21-4f9c-99a1-b7fc5a8ca56a} (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpeedRunner (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Webtools (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VnrBlock (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{180175c0-913e-451c-9419-2d5500368d43} (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8eeb2711-9d21-4f9c-99a1-b7fc5a8ca56a} (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bchanger (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\grandpack (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\p2p networking (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getmodule31 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getpack26 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jnpcsuwr (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\p2p networking (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jnpcsuwr (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\sandra\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\sandra\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Program Files\BChanger (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetPack (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GrandPack (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\InetGet2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\JavaCore (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\VnrBlock (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\sandra\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\sandra\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\sandra\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\sandra\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\sandra\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sandra\Desktop\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sandra\Local Settings\Temp\e.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\A.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\B.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\BChanger\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\BChanger\data.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetPack\dictame.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetPack\trgtame.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GrandPack\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\nsadsoftinc.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\QdrDrive\QdrDrive20.dll (Adware.DrFlex) -> Quarantined and deleted successfully.
C:\Program Files\VnrBlock\xtarga.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\iCheck.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogo.exe (Trojan.Banker) -> Quarantined and deleted successfully.
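Two entries in the Malwarebytes log above are tagged `Heuristics.Reserved.Word.Exploit`: `WiNlOgOn.exe` and `uSeRiNiT.exe` sitting on the Desktop, i.e. names of core Windows processes in the wrong place and in odd case; a third, `winlogo.exe` in system32, is a one-letter lookalike of `winlogon.exe`. The Python below is an added example, not part of the original post and not Malwarebytes' own detection logic; it implements a simple masquerading check that generalizes those three cases: a known system process name outside its expected directory, a mixed-case spelling of such a name, and a one-character lookalike of one. Assumptions: the expected-location table is a small constructed subset of Windows processes, and the sample paths are taken from the log above plus one constructed legitimate control.

```python
from __future__ import annotations

import ntpath  # Windows path splitting that also works when run on Linux/macOS

# Constructed table: a few core Windows processes and the directory each
# legitimately runs from (lower-case, no trailing backslash).
EXPECTED_LOCATION = {
    "winlogon.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "csrss.exe":    r"c:\windows\system32",
    "lsass.exe":    r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "svchost.exe":  r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Sample input: paths copied from the Malwarebytes log above, plus one
# constructed legitimate path as a control.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\sandra\Desktop\WiNlOgOn.exe",
    r"C:\Documents and Settings\sandra\Desktop\uSeRiNiT.exe",
    r"C:\WINDOWS\system32\winlogo.exe",
    r"C:\Program Files\Mozilla Firefox\components\nsadsoftinc.dll",
    r"C:\WINDOWS\system32\winlogon.exe",   # constructed control: real name, real place
]


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _is_mixed_case(name: str) -> bool:
    """True for spellings like WiNlOgOn that are neither lower, upper nor Capitalized."""
    stem = ntpath.splitext(name)[0]
    return stem not in (stem.lower(), stem.upper(), stem.capitalize())


def assess_path(path: str) -> list[str]:
    """Return the reasons a file path looks like process masquerading (empty if none)."""
    directory, name = ntpath.split(path)
    key = name.lower()
    reasons: list[str] = []
    if key in EXPECTED_LOCATION:
        if directory.lower() != EXPECTED_LOCATION[key]:
            reasons.append(f"system process name outside {EXPECTED_LOCATION[key]}")
        if _is_mixed_case(name):
            reasons.append("mixed-case spelling of a system process name")
        return reasons
    # Not an exact system name: look for a near-miss with the same extension.
    stem, ext = ntpath.splitext(key)
    for known in EXPECTED_LOCATION:
        known_stem, known_ext = ntpath.splitext(known)
        if ext == known_ext and _edit_distance(stem, known_stem) == 1:
            reasons.append(f"one-character lookalike of {known}")
    return reasons


def triage(paths: list[str]) -> dict[str, list[str]]:
    """Map each flagged path to its reasons; unflagged paths are omitted."""
    result = {}
    for p in paths:
        reasons = assess_path(p)
        if reasons:
            result[p] = reasons
    return result


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_PATHS).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Exact-match plus edit-distance-one is deliberately narrow: it keeps false positives low on a real file listing, while still catching the dropped-letter and case-scrambled names seen in this log. A fuller version would add the WoW64 and SysWOW64 directories to the table and compare against the full set of protected process names.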

5
Analysis and Malware Removal / Re: I need your help Corrine.
« on: January 31, 2010, 12:18:39 AM »
Corrine, I followed your directions in post #12.
It didn't work in normal mode, so I shut down the computer manually. When I turned it back on, the computer started checking something; I'm unsure what it was. When it was done, I pressed F8 and ran it in Safe Mode with Networking. Then I tried downloading Malwarebytes, but the computer turned off. I turned it back on, and as soon as it was turning on, I clicked on exeHelper. Here is what was in the exeHelper log:

exeHelper by Raktor
exeHelper by Raktor
Build 20091220
exeHelper by Raktor
Build 20091220
Run at 18:23:46exeHelper by Raktor
Build 20091220
Run at 18:23:57 on exeHelper by Raktor
Build 20091220
Run at 20:55:50 on 01/30/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


After that, I noticed that there was no sign of the virus. So I went ahead and double-clicked on Malwarebytes, and it worked. I did a quick scan, and now I'm following the directions you gave me in your 1st post.

6
Analysis and Malware Removal / Re: I need your help Corrine.
« on: January 30, 2010, 09:24:35 PM »
As soon as I double-click on exeHelper.com, the black window comes up, but only for less than a second =/ and it does the same for notepad.exe

When I run the computer in safe mode, the virus doesn't seem to bother.

7
Analysis and Malware Removal / Re: I need your help Corrine.
« on: January 30, 2010, 08:12:33 PM »
Both DDS.scr and DDS.pif won't open. "Antivirus Soft (virus)" won't let me open them.

8
Analysis and Malware Removal / Re: I need your help Corrine.
« on: January 30, 2010, 03:11:30 PM »
Yes, I saved the copies to the desktop, and ran them from the desktop.

And another thing is:

Every 5-15 seconds, I get this message: "Application cannot be executed. The file hpzipm12.exe is infected. Do you want to activate your antivirus software now?"

9
Analysis and Malware Removal / Re: I need your help Corrine.
« on: January 30, 2010, 02:49:53 PM »
It's saying something almost similar for each.

For the 1st one it says: "Application cannot be executed. The file cmd.exe is infected. Do you want to activate software now?"
The 2nd one says: "Application cannot be executed. The file pev.exe is infected. Do you want to activate antivirus software now?"
etc.

So it's basically saying: "Application cannot be executed. The file (file name) is infected. Do you want to activate software now?"

And I believe the virus is called "Antivirus Soft".

10
Analysis and Malware Removal / Re: I need your help Corrine.
« on: January 30, 2010, 02:33:25 PM »
I downloaded all 6 of them, but none of them will work. It keeps saying that the file is "infected", and it won't let it run.

11
Analysis and Malware Removal / I need your help Corrine.
« on: January 30, 2010, 06:58:28 AM »
My firewall popped up with a warning and stupidly I allowed the action. The first thing I noticed was that a program called "Antivirus Soft" downloaded itself and started scanning my computer, and on the right-hand side it said "Antivirus Software Alert": "Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar".

-I googled how to remove the virus.
-I tried downloading "kavremover9"; it downloaded, but it wouldn't open. It gives this message every time I try to open it: "Application cannot be executed. The file kavremover9.exe is infected. Do you want to activate your antivirus software now?"
-I also tried downloading a program called "Malwarebytes"; I tried extracting it, but it wouldn't let me.
-The next thing I did was shut down my computer and run it in "Safe mode with networking". I tried downloading the programs, but after 5 mins the computer shut off. I turned it back on and tried running it in "Safe mode with networking" again, but the computer shut off again.
-Also, the virus keeps opening up an Internet Explorer window, and these sites keep popping up: "porno.org" and "viagra.com", and it wouldn't let me use Internet Explorer to go to any other websites besides those two.
-I kept googling, and came across a post on "gardenweb.com" that sort of sounded similar to the problem I have. A user named ravencajun suggested to the topic starter: "that sounds like it could be one of the bad ones possibly vundo, let me suggest you go here and post in this area, ask Corrine for help tell her I sent you, she will assist you with this using some special programs. Be sure to say in your post that you are unable to get a hijack this log or run AV programs including online scans."  and the problem was solved. But the topic starter never posted what solved his problem, so I came here, hoping that you'd help me.





-b1aze-


P.S. I need to sleep, so for now I'm going to leave my computer turned off until I wake up.
