Another Win Blue Virus. Help Please


Another Win Blue Virus. Help Please

Post by PatTheBaker on 2nd June 2009, 2:45 am

I found out the original source was from an iPod recycler virus. I would like to run a check on the iPod itself after this but I don't know. Anyway, I can run everything on the laptop but I can't get the report from Hijack This because it denies me entry into the C: drive, saying something about a RECYCLE error. Should I run MGTools and upload the log? Thanks again for the help.


Re: Another Win Blue Virus. Help Please

Post by Origin on 2nd June 2009, 2:47 am

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]


Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 2nd June 2009, 2:51 am

After the scan it won't open up the notepad like it usually does and I can't get access to it. I could screen capture the scan itself and post it if that works, or is there another way?


Re: Another Win Blue Virus. Help Please

Post by Origin on 2nd June 2009, 3:03 am

Try to rename Hijackthis to anything, for example Hijkachuis.exe, then run the above instructions to see if you can get the log.



Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 2nd June 2009, 3:14 am

No dice.


Re: Another Win Blue Virus. Help Please

Post by Origin on 2nd June 2009, 3:20 am

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the "Scan for rootkit" box ticked.
  • Then tick "Disable any rootkits found".
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.



Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 2nd June 2009, 3:35 am

Avenger won't open. And for the Hijack Log, I was looking around a bit and it's blocking text documents in general.


Re: Another Win Blue Virus. Help Please

Post by Belahzur on 2nd June 2009, 9:17 am

The C: drive error is just an autorun.inf file.

Go into "My Computer", then right click the C: drive > Explore.

Run MGTools if you can.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down
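Why right-click > Explore gets past the drive-root block: an autorun.inf in the root of C: can redirect the drive's Open (double-click) and AutoPlay actions to a program of its own, and the Explore verb only fails if the file overrides that one too. The parser below is an added example, not part of the thread or of any tool named in it; the autorun.inf text and the placeholder executable path are constructed.

```python
"""Report which Explorer actions an autorun.inf at a drive root redirects.

Added example, not from the thread. Windows XP (the system in this thread)
honoured autorun.inf on fixed drives, which is how a file in C:\ can break
double-clicking the drive while right-click > Explore still works.
"""
from typing import Dict, List

# Constructed sample: the executable path is a placeholder, not a real name.
SAMPLE_AUTORUN = r"""
[autorun]
open=PLACEHOLDER_DIR\placeholder.exe
shellexecute=PLACEHOLDER_DIR\placeholder.exe
shell\open\command=PLACEHOLDER_DIR\placeholder.exe
icon=%SystemRoot%\system32\shell32.dll,8
"""

# Which [autorun] keys drive which Explorer action (keys compared lower-cased).
ACTION_KEYS = {
    "double-click / Open": ("open", r"shell\open\command"),
    "right-click > Explore": (r"shell\explore\command",),
    "AutoPlay": ("shellexecute",),
}


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def overridden_actions(text: str) -> Dict[str, str]:
    """Map each Explorer action the file redirects to the command it would run."""
    entries = parse_autorun(text)
    result: Dict[str, str] = {}
    for action, keys in ACTION_KEYS.items():
        for key in keys:
            if key in entries:
                result[action] = entries[key]
                break
    return result


def untouched_actions(text: str) -> List[str]:
    """Actions the file leaves alone, i.e. ways of opening the drive that still work."""
    taken = overridden_actions(text)
    return [action for action in ACTION_KEYS if action not in taken]


if __name__ == "__main__":
    for action, command in overridden_actions(SAMPLE_AUTORUN).items():
        print(f"{action:22s} -> {command}")
    print("still normal:", ", ".join(untouched_actions(SAMPLE_AUTORUN)))
```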

Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 2nd June 2009, 4:00 pm

MGTools gets to the command screen but then shuts down, and Hijack This scans but I don't know where it's saving the log, if it's making one at all.


Re: Another Win Blue Virus. Help Please

Post by Belahzur on 2nd June 2009, 4:09 pm

It's inside the folder called MGTools inside the C drive.



Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 2nd June 2009, 4:16 pm

Oh ok, thank you very much. Here's the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:53 AM, on 6/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\MGtools\analyse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [Run] C:\Documents and Settings\Bao-Chau\Application Data\Adobe\Player.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - HKUS\S-1-5-18\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'Default user')
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Backward Links - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Similar Pages - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: blocker.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 10718 bytes


Re: Another Win Blue Virus. Help Please

Post by Belahzur on 2nd June 2009, 4:24 pm

Hello.
Is this log from the same machine we cleaned before? Anyhow, you have the newest version. That setup2.exe is now tempo-setup2.exe.

  • Open HijackThis (remember it's called "Analyse.exe")
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
    O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [Run] C:\Documents and Settings\Bao-Chau\Application Data\Adobe\Player.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
    O4 - HKUS\S-1-5-18\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'Default user')
    O8 - Extra context menu item: &Search - [You must be registered and logged in to see this link.]
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - [You must be registered and logged in to see this link.]
    O20 - AppInit_DLLs: blocker.dll
    O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe


  • Press "Fix Checked"
  • Close Hijack This.

Next,

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:


    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Trend Micro)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


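The lines picked out above follow a few repeatable rules: anything under the MyWebSearch or WinBlueSoft folders, a populated O20 AppInit_DLLs value, Run entries under the SYSTEM and Default User hives, an executable started from a user's Application Data folder, and a toolbar entry whose file is gone. The script below encodes those rules as a triage pass over HijackThis log lines; it is an added example, not from the thread or from HijackThis itself, and the sample lines are a constructed subset of the log posted earlier in the thread.

```python
"""Triage HijackThis log lines with the rules used in this thread.

Added example, not from the forum or from HijackThis. It flags entries
without deleting anything; the operator still decides what to fix.
"""
import re
from typing import Dict, List

# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
O4 - HKCU\..\Run: [Run] C:\Documents and Settings\Bao-Chau\Application Data\Adobe\Player.exe
O4 - HKUS\S-1-5-18\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'Default user')
O20 - AppInit_DLLs: blocker.dll
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Path fragments of the unwanted software named in this thread (constructed list,
# lower-cased; the 8.3 short name MYWEBS~1 appears in the log as well).
ADWARE_MARKERS = ("mywebsearch", "mywebs~1", "winbluesoft", "funwebproducts")

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) a single HijackThis line looks suspicious."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    low = body.lower()
    reasons: List[str] = []

    # Anything pointing into the adware / rogue-AV folders seen in this thread.
    if any(marker in low for marker in ADWARE_MARKERS):
        reasons.append("path belongs to known unwanted software")

    if kind == "O20" and low.startswith("appinit_dlls:"):
        # AppInit_DLLs is loaded into every process that links user32.dll;
        # the value is empty on a clean XP install, so any content needs a look.
        reasons.append("AppInit_DLLs is set (DLL injected into every GUI process)")

    if kind == "O3" and low.endswith("(no file)"):
        reasons.append("orphaned toolbar entry (registry points at a missing file)")

    if kind == "O4":
        o4 = O4_RE.match(body)
        if o4:
            hive, cmd = o4.group("hive").lower(), o4.group("cmd").lower()
            # Run keys of the SYSTEM / Default User profiles are rarely used legitimately.
            if hive.startswith(r"hkus\s-1-5-18") or hive.startswith(r"hkus\.default"):
                reasons.append("autorun under the SYSTEM or Default User profile")
            # Programs started from a user-writable profile folder.
            if "\\application data\\" in cmd or "\\local settings\\" in cmd:
                reasons.append("executable runs from a user-writable profile folder")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious line of a HijackThis log to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```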

forgot some stuff

Post by PatTheBaker on 2nd June 2009, 4:47 pm

No, someone installed an iPod virus remover on the previous and now this one.

I ran Hijack This and removed everything posted, but Combo-Fix won't open. It might be the anti-virus that's blocking, but I can't disable it because it won't let me open Trend Micro. On that note, I can't run regedit either. Should I go and find the setup2, ieocx and sysav?


Re: Another Win Blue Virus. Help Please

Post by Belahzur on 2nd June 2009, 4:58 pm

Hello.
Try running Combofix in safe mode. Also, did you rename it as Combo-Fix?

Try and delete the following files/folders in bold. Do you remember how to unhide system files? One of the files to delete is in a hidden system folder.

C:\Program Files\WinBlueSoft Software <== folder
C:\Program Files\MyWebSearch <== folder
C:\WINDOWS\system32\tempo-setup2.exe <== file
C:\WINDOWS\system32\blocker.dll <== file
C:\Documents and Settings\Bao-Chau\Application Data\Adobe\Player.exe <== file



Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 2nd June 2009, 9:26 pm

It's the blocker.dll. Do I need the .inf file again?


Re: Another Win Blue Virus. Help Please

Post by Belahzur on 3rd June 2009, 12:13 am

Not if the O20 is gone in Hijack This.
Try manually deleting the files as I asked.



Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 3rd June 2009, 12:20 am

The only one I found was blocker.dll. Everything else has been deleted.


Re: Another Win Blue Virus. Help Please

Post by Belahzur on 3rd June 2009, 12:24 am

Hello.

  • Open HijackThis
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Delete a file on reboot..."
  • Locate this file: C:\Windows\system32\blocker.dll
  • Okay any prompt and select yes to reboot.

Then after reboot, see if you can delete the O20 item again in a normal Hijack This run.



Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 3rd June 2009, 1:20 am

Here's the log:

ComboFix 09-05-31.06 - Bao-Chau 06/02/2009 18:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.161 [GMT -6:00]
Running from: c:\documents and settings\Bao-Chau\Desktop\Combo-Fix.exe
AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\0102A84F.urr
c:\program files\FunWebProducts\Shared\0004E01B.dat
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\Internet Explorer\msimg32.dll
c:\program files\MyWebSearch
c:\windows\25264tz9j56f.ocx
c:\windows\25480sp9mbotz5c.dll
c:\windows\2553threat9018z.exe
c:\windows\25549haz9tool6da.dll
c:\windows\25590zorm1bb.exe
c:\windows\255aspywaze1905.exe
c:\windows\255spy9arz85.bin
c:\windows\2595spzware503.dll
c:\windows\259z7hacktool25.cpl
c:\windows\25c0st9a52z51.bin
c:\windows\25cetz9ea519398.bin
c:\windows\26295not-a-v5ruszc9.cpl
c:\windows\26953zirus529.dll
c:\windows\2769spambo573ez.bin
c:\windows\2786bzc5door1491.ocx
c:\windows\27903notz9-vi5us142.bin
c:\windows\27950not5azv9rusbc.exe
c:\windows\2805vi99z9.bin
c:\windows\28095spambo57z0.dll
c:\windows\284479ot-z-vir5s2a4.bin
c:\windows\2855zha5kt9old8.ocx
c:\windows\28759za5ktool5d69.cpl
c:\windows\2890thr5at3073z.cpl
c:\windows\28da9hz5f2528.exe
c:\windows\28z65w9rm53b.ocx
c:\windows\29126trzj519.ocx
c:\windows\291915a9ktool65az.bin
c:\windows\29213szy256.dll
c:\windows\2960zhacktool335.exe
c:\windows\29895not-a-virus4zc.exe
c:\windows\29b1spazse1959.exe
c:\windows\29b8downloa5er9z3.exe
c:\windows\2a9bbac9d5oz2707.bin
c:\windows\2bb8z59eat29985.ocx
c:\windows\2e85thre9t5781z.dll
c:\windows\2e9bzpyware5339.dll
c:\windows\2z59t5ief9659.bin
c:\windows\2z684tr9j27b5.ocx
c:\windows\2zeasparse5964.ocx
c:\windows\30099tro9495z.bin
c:\windows\30492spy5z25.dll
c:\windows\30908wozm36e5.exe
c:\windows\309z89py1195.dll
c:\windows\31335sp9z17.dll
c:\windows\31892no9-a-vir5s245z.exe
c:\windows\319z3hack5ool487.cpl
c:\windows\32109w5zm24e.exe
c:\windows\3255spyware29z9.bin
c:\windows\3256zwor9645.cpl
c:\windows\32591noz-a-viru55b0.dll
c:\windows\32z18troj995.bin
c:\windows\3428backdoor9z55.dll
c:\windows\3500vir99z7.dll
c:\windows\355zac9doo52311.ocx
c:\windows\35c5thie931z0.bin
c:\windows\36779r5z16b.bin
c:\windows\36b9downlo9d5r332z.exe
c:\windows\379zpam5ot2d8.ocx
c:\windows\3849sp5zs92629.dll
c:\windows\3929szyware1335.cpl
c:\windows\3995thief22z6.bin
c:\windows\39ethi5f577z.dll
c:\windows\39z6steal5494.exe
c:\windows\3aed5pzrse2928.cpl
c:\windows\3ba9zd9ware2594.ocx
c:\windows\3c3e9zr2524.dll
c:\windows\3c5s9eal236z.dll
c:\windows\3d50ste9l5z14.dll
c:\windows\3z515s9y7c1.cpl
c:\windows\3zd6do5n9oader1737.cpl
c:\windows\3ze2steal31559.exe
c:\windows\405ezackdoor9590.exe
c:\windows\411cs5zrs92594.exe
c:\windows\4259szambo553.ocx
c:\windows\429dback59or1z06.ocx
c:\windows\45df59ief2633z.dll
c:\windows\45e7zi95085.cpl
c:\windows\4614vi5us7z9.dll
c:\windows\4671ste951817z.bin
c:\windows\4700spywzr53259.bin
c:\windows\4701s951z9.cpl
c:\windows\47zcspar5991.dll
c:\windows\4904spyza5e1627.cpl
c:\windows\495bv5r81z.bin
c:\windows\49b4addwa59z755.ocx
c:\windows\4a2fste9z5101.dll
c:\windows\4a77addw95e1z73.exe
c:\windows\4b1czownloader9505.exe
c:\windows\4bf4s5ywzre2932.bin
c:\windows\4c69vi52284z.exe
c:\windows\4d7csp9r5e1086z.bin
c:\windows\4dzfaddwar52940.ocx
c:\windows\4e35sparsz9478.bin
c:\windows\4fc0t9rezt8553.ocx
c:\windows\4fd7tz9eat12150.cpl
c:\windows\4z52dow9loader1070.dll
c:\windows\5016spy9zre2357.exe
c:\windows\502dthrezt95621.exe
c:\windows\503fspyzar524239.ocx
c:\windows\5059doznloader9059.ocx
c:\windows\50bdvzr15189.ocx
c:\windows\50f0sze9l27.cpl
c:\windows\5121tro919ez.ocx
c:\windows\51794wzr91bd.ocx
c:\windows\51b0vzr2499.cpl
c:\windows\52z2virus4d39.cpl
c:\windows\5362thi9f55z.dll
c:\windows\5368sp5zse1209.cpl
c:\windows\53fzspywa9e5363.cpl
c:\windows\546downloade59445z.ocx
c:\windows\54c2sp9zare2579.ocx
c:\windows\5523thi9526z5.ocx
c:\windows\5581spywaze24939.dll
c:\windows\5594ba5zdoor3108.exe

PatTheBaker
Intermediate
Intermediate

Posts Posts : 67
Joined Joined : 2009-05-29
Gender Gender : Male
OS OS : XP Home Edition
Points Points : 27585
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 3rd June 2009, 1:21 am


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-06-02 02:15 . 2009-06-02 02:14 1164288 ----a-w- c:\windows\system32\tempo-setup2.exe
2009-05-30 01:46 . 2009-05-30 01:46 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\InterVideo
2009-05-30 01:04 . 2009-06-03 00:42 -------- d-----w- C:\MGtools
2009-05-29 16:26 . 2009-05-29 16:26 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\Malwarebytes
2009-05-29 01:34 . 2009-05-29 01:35 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\GetRightToGo
2009-05-13 20:33 . 2009-05-13 20:33 5419 ----a-w- c:\windows\system32\532noz59-virusd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 00:49 . 2008-09-08 04:44 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\BitTorrent
2009-06-02 02:33 . 2008-09-27 21:44 -------- d-----w- c:\program files\Trend Micro
2009-06-02 02:13 . 2008-09-08 04:44 -------- d-----w- c:\program files\DNA
2009-06-02 02:13 . 2008-09-08 04:44 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\DNA
2009-04-06 12:47 . 2008-09-22 01:36 -------- d-----w- c:\program files\AVS4YOU
2009-04-02 22:00 . 2008-09-27 21:48 52752 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-04-02 22:00 . 2008-09-27 21:48 52624 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 22:00 . 2008-09-27 21:48 142864 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-04-02 00:01 . 2009-04-02 00:01 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
2009-04-01 21:16 . 2009-04-01 21:16 152576 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-14 04:40 . 2008-09-22 01:39 55800 ----a-w- c:\documents and settings\Bao-Chau\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-13 02:34 . 2009-03-13 02:34 503808 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-3c35416a-n\msvcp71.dll
2009-03-13 02:34 . 2009-03-13 02:34 499712 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-3c35416a-n\jmc.dll
2009-03-13 02:34 . 2009-03-13 02:34 348160 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-3c35416a-n\msvcr71.dll
2009-03-13 02:24 . 2009-03-13 02:24 152576 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-09 11:19 . 2008-12-04 04:05 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-08 02:12 . 2008-12-19 05:33 0 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-03-06 14:22 . 2005-08-09 20:38 284160 ----a-w- c:\windows\system32\pdh.dll
2009-03-06 05:59 . 2009-04-02 00:14 1900544 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-03-06 05:59 . 2008-09-07 04:08 36864 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-15 492808]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2008-09-26 634672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-29 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2005-08-01 1093632]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"IVPServiceMgr"="c:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 475136]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-31 1398024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"NDSTray.exe"="NDSTray.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-8-9 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [3/31/2005 6:08 PM 211200]


Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 3rd June 2009, 1:21 am

--- Other Services/Drivers In Memory ---

*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 18:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Bao-Chau\Application Data\Mozilla\Firefox\Profiles\rgvhgajh.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-02 19:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2136)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\WinRAR\rarext.dll
c:\program files\Sonic\RecordNow!\shlext.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Trend Micro\Internet Security\TmProxy.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Trend Micro\Internet Security\UfUpdUi.exe
c:\program files\Trend Micro\Internet Security\SfFnUp.exe
.
**************************************************************************
.
Completion time: 2009-06-03 19:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-03 01:16

Pre-Run: 2,830,245,888 bytes free
Post-Run: 3,451,670,528 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

1075 --- E O F --- 2009-05-15 07:03


Re: Another Win Blue Virus. Help Please

Post by Origin on 3rd June 2009, 2:43 am

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\tempo-setup2.exe
c:\windows\system32\532noz59-virusd.exe
c:\program files\DNA
c:\documents and settings\Bao-Chau\Application Data\DNA

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=-
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.



Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 3rd June 2009, 3:34 am

ComboFix 09-05-31.06 - Bao-Chau 06/02/2009 21:22.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.93 [GMT -6:00]
Running from: c:\documents and settings\Bao-Chau\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Bao-Chau\Desktop\CFScript.txt.txt
AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"c:\documents and settings\Bao-Chau\Application Data\DNA"
"c:\program files\DNA"
"c:\windows\system32\532noz59-virusd.exe"
"c:\windows\system32\tempo-setup2.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\532noz59-virusd.exe
c:\windows\system32\tempo-setup2.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-05-30 01:46 . 2009-05-30 01:46 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\InterVideo
2009-05-30 01:04 . 2009-06-03 00:42 -------- d-----w- C:\MGtools
2009-05-29 16:26 . 2009-05-29 16:26 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\Malwarebytes
2009-05-29 01:34 . 2009-05-29 01:35 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 03:28 . 2008-09-08 04:44 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\BitTorrent
2009-06-03 01:18 . 2005-08-09 22:45 -------- d-----w- c:\program files\America Online 9.0
2009-06-02 02:33 . 2008-09-27 21:44 -------- d-----w- c:\program files\Trend Micro
2009-06-02 02:13 . 2008-09-08 04:44 -------- d-----w- c:\program files\DNA
2009-06-02 02:13 . 2008-09-08 04:44 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\DNA
2009-04-06 12:47 . 2008-09-22 01:36 -------- d-----w- c:\program files\AVS4YOU
2009-04-02 22:00 . 2008-09-27 21:48 52752 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-04-02 22:00 . 2008-09-27 21:48 52624 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 22:00 . 2008-09-27 21:48 142864 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-04-02 00:01 . 2009-04-02 00:01 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
2009-04-01 21:16 . 2009-04-01 21:16 152576 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-14 04:40 . 2008-09-22 01:39 55800 ----a-w- c:\documents and settings\Bao-Chau\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-13 02:34 . 2009-03-13 02:34 503808 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-3c35416a-n\msvcp71.dll
2009-03-13 02:34 . 2009-03-13 02:34 499712 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-3c35416a-n\jmc.dll
2009-03-13 02:34 . 2009-03-13 02:34 348160 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-3c35416a-n\msvcr71.dll
2009-03-13 02:24 . 2009-03-13 02:24 152576 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-09 11:19 . 2008-12-04 04:05 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-08 02:12 . 2008-12-19 05:33 0 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-03-06 14:22 . 2005-08-09 20:38 284160 ----a-w- c:\windows\system32\pdh.dll
2009-03-06 05:59 . 2009-04-02 00:14 1900544 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-03-06 05:59 . 2008-09-07 04:08 36864 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-15 492808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-29 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2005-08-01 1093632]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"IVPServiceMgr"="c:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 475136]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-31 1398024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"NDSTray.exe"="NDSTray.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-8-9 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [9/27/2008 3:48 PM 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2/15/2008 8:37 AM 36368]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [3/31/2005 6:08 PM 211200]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2/15/2008 8:37 AM 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [9/27/2008 3:48 PM 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [9/27/2008 3:48 PM 648456]
.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Bao-Chau\Application Data\Mozilla\Firefox\Profiles\rgvhgajh.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-02 21:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-03 21:30
ComboFix-quarantined-files.txt 2009-06-03 03:30
ComboFix2.txt 2009-06-03 01:16

Pre-Run: 3,543,367,680 bytes free
Post-Run: 3,528,015,872 bytes free

149 --- E O F --- 2009-05-15 07:03


Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 3rd June 2009, 3:35 am

By the way, after this could you help with scanning an iPod. Said person said when they opened their iPod as a USB in MyComputer the virus automatically installed itself.


Re: Another Win Blue Virus. Help Please

Post by Belahzur on 3rd June 2009, 11:15 am

Thanks Origin.

PatTheBaker - We need to clean the iPod then, but read my instructions carefully, because when we plug it in, we need to have this next tool already open and running because it will disable the infection on the iPod.

Please download [You must be registered and logged in to see this link.] to your Desktop and run it by double clicking the program's icon.

  1. Wait a couple of seconds for initial scan to finish.
  2. Connect all of your USB storage devices to the PC, one at a time, and keep each one connected at least for 10 seconds.
  3. If there are more USB storage devices to scan, please take a note about the order in which these were connected.
  4. After all the devices are scanned, right click in the Monitor tab, and choose "Save log". That will open the log in Notepad. Please copy and paste the log into this thread.
Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 3rd June 2009, 8:09 pm

USBNoRisk 2.4 (1 June 2009) by bobby

Started at 6/3/2009 2:15:30 PM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {f7178da6-7c6b-11dd-86d3-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for f7178da6-7c6b-11dd-86d3-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

autorun.inf found in Qoobox
----------------------------------------
Content of C:\QooBox\Quarantine\C\autorun.inf.vir
----------------------------------------
[autorun]
;tkwhbrmeqmsucxgfrxhazfdpiwhnpnadsnfwmbzcacussdngwierruzqkiycldpeqbxqkgainjnx
shellexecute="RECYCLER\S-1-3-54-100009281-100029388-100001899-7734.com c:\"
;bophwpwedljgdhjwjgrcmjhgdxyojtrxqeyuxfxfd
shell\Open\command="RECYCLER\S-1-3-54-100009281-100029388-100001899-7734.com c:\"
;rymhmdvswyxnwdguamozcdapdpripjxzcdhwstotykmazroxlmknzqgihnhwwtqxipwgdrekbprvmryiujzmpx
shell=Open
----------------------------------------
========================================
Initial scan finished!
========================================


New device connected at 6/3/2009 2:17:51 PM

Scanning for connected USB mass storage...
----------------------------------------
F: {b3a518fa-9033-11dd-8715-00c09fda8693}
Added F:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on F:
----------------------------------------
autorun.inf found on F:
----------------------------------------
File F:\autorun.inf renamed successfully

Content of F:\autorun.inf.blocked
----------------------------------------
[autorun]
;iykaktyojqhzpgbowchprnrbccezpulrhqqhlsdtbigvbvgdfypqyncnagwbpnsqfxpalugxrlpvimvfyeuatohobrdbseobuckfhtzfa
shellexecute="RECYCLER\S-1-3-54-100009281-100029388-100001899-7734.com f:\"
;znwqmsbpycckmwh
shell\Open\command="RECYCLER\S-1-3-54-100009281-100029388-100001899-7734.com f:\"
;avsqollqwxvyvxzsjtwelnsmtixyiuebyrmhjplqtssndkhejzuplspnkazjswqbgtaigtsxphszjmkzraygbuzjmyoaobyaaqzyxi
shell=Open
----------------------------------------

Files referenced from F:\autorun.inf.blocked
----------------------------------------
None
----------------------------------------

Sanitized mountpoint for b3a518fa-9033-11dd-8715-00c09fda8693
----------------------------------------

No Desktop.ini files found on F:
----------------------------------------

No mimics found on drive F:
========================================


Last edited by PatTheBaker on 3rd June 2009, 8:20 pm; edited 2 times in total (Reason for editing : Here's the Log)

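As an added example (not from this thread and not USBNoRisk's own code), here is a defender-side triage routine for an autorun.inf of the shape quoted in the log above: it parses the [autorun] section, resolves which files it would launch, and flags the traits the log points at (payload tucked under RECYCLER with a SID-like name and a .com extension, the default verb redirected to it, random junk comment lines). The two sample INF strings are constructed to mirror the log; no other assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample, same shape as the F:\autorun.inf.blocked quoted in the log
# (junk ';' comment lines interleaved with the launch keys).
SAMPLE_AUTORUN = r"""[autorun]
;iykaktyojqhzpgbowchprnrbccezpulrhqqhlsdtbigvbvgdfypqyncnagwbpnsqfxpalugxrlpvimvfyeuatohobrdbseobuckfhtzfa
shellexecute="RECYCLER\S-1-3-54-100009281-100029388-100001899-7734.com f:\"
;znwqmsbpycckmwh
shell\Open\command="RECYCLER\S-1-3-54-100009281-100029388-100001899-7734.com f:\"
;avsqollqwxvyvxzsjtwelnsmtixyiuebyrmhjplqtssndkhejzuplspnkazjswqbgtaigtsxphszjmkzraygbuzjmyoaobyaaqzyxi
shell=Open
"""

# Constructed benign sample: a CD-style installer launcher with icon and label.
BENIGN_AUTORUN = "[autorun]\r\nicon=setup.exe,0\r\nlabel=Vendor Setup\r\nopen=setup.exe /autorun\r\n"

LAUNCH_KEYS = ("open", "shellexecute")
SID_NAME = re.compile(r"^S-1-\d+(?:-\d+)+", re.IGNORECASE)      # S-1-5-21-... style names
JUNK_COMMENT = re.compile(r"^[a-z0-9]{15,}$", re.IGNORECASE)    # long random alnum runs
SCRIPT_LIKE_EXT = (".com", ".pif", ".scr", ".bat", ".cmd", ".vbs")


@dataclass
class AutorunReport:
    targets: list       # files the INF would execute, in key order
    indicators: list    # human-readable suspicious traits

    @property
    def suspicious(self):
        return bool(self.indicators)


def parse_autorun(text):
    """Return ({key: value} from [autorun]/[autorun.*] sections, [comment bodies]).
    Keys are lower-cased; other sections are ignored."""
    entries, comments = {}, []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            comments.append(line[1:].strip())
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower().startswith("autorun")
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries, comments


def command_verbs(entries):
    """Verbs that have a shell\\<verb>\\command= entry, lower-cased."""
    return {k.split("\\")[1] for k in entries
            if k.startswith("shell\\") and k.endswith("\\command")}


def launch_targets(entries):
    """Executables the INF would run via open=, shellexecute= or shell\\<verb>\\command=.
    The first token of the unquoted command is the file."""
    targets = []
    for key, value in entries.items():
        is_verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb_cmd:
            command = value.strip('"')
            if command:
                targets.append(command.split()[0].strip('"'))
    return targets


def triage_autorun(text):
    """Parse an autorun.inf body and report what it launches plus why it looks malicious."""
    entries, comments = parse_autorun(text)
    targets = launch_targets(entries)
    indicators = []
    for target in targets:
        parts = target.replace("/", "\\").split("\\")
        name = parts[-1]
        if "recycler" in (p.lower() for p in parts[:-1]):
            indicators.append("payload hidden under RECYCLER")
        if SID_NAME.match(name):
            indicators.append("payload named like a Recycle Bin SID folder")
        if name.lower().endswith(SCRIPT_LIKE_EXT):
            indicators.append("payload uses a script-like extension: " + name.rsplit(".", 1)[-1])
    # shell=<verb> plus shell\<verb>\command means double-clicking the drive runs the payload.
    if entries.get("shell", "").lower() in command_verbs(entries):
        indicators.append("default verb redirected to the INF's own command")
    if any(JUNK_COMMENT.match(c) for c in comments):
        indicators.append("random junk comment lines (padding to defeat signatures)")
    return AutorunReport(targets, list(dict.fromkeys(indicators)))


def triage_file(path):
    """Triage an autorun.inf on disk, e.g. the renamed autorun.inf.blocked USBNoRisk leaves."""
    with open(path, "rb") as fh:
        return triage_autorun(fh.read().decode("latin-1"))


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        report = triage_autorun(body)
        print(label, "suspicious" if report.suspicious else "clean", report.targets)
        for item in report.indicators:
            print("  -", item)
```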

Re: Another Win Blue Virus. Help Please

Post by Belahzur on 3rd June 2009, 8:39 pm

Hello.
That's disabled the infection, now we need to remove it fully. Whatever drive F:\ is, make sure you keep it plugged in and do not unplug it until I say so, otherwise this won't work.

Please open USBNoRisk again, we need to use a custom script to delete the malicious autorun.inf files.

  1. When USBNoRisk opens, go into the Script tab, and insert the bolded script below.

    {f7178da6-7c6b-11dd-86d3-806d6172696f}
    protect:
    {b3a518fa-9033-11dd-8715-00c09fda8693}
    delete: F:\autorun.inf.blocked
    protect:



  2. Then press the Run Script button.
  3. Copy and paste the report back here.



Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 3rd June 2009, 8:58 pm

It gets a Not Responding when I run the script so I can't get a log.


Re: Another Win Blue Virus. Help Please

Post by Belahzur on 3rd June 2009, 9:04 pm

Might be some other software conflicting. Let's try disabling Trend Micro.

See [You must be registered and logged in to see this link.] for how to disable your AV. (Trend Micro)



Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 3rd June 2009, 9:24 pm

No response still.


Re: Another Win Blue Virus. Help Please

Post by Belahzur on 3rd June 2009, 9:31 pm

Fine, we'll delete it manually.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    F:\autorun.inf.blocked


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.



Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 3rd June 2009, 9:34 pm

USB No Risk moved the autorun file onto the desktop.


Re: Another Win Blue Virus. Help Please

Post by Belahzur on 3rd June 2009, 9:40 pm

Weird.
Okay, delete it manually.



Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 3rd June 2009, 9:42 pm

OK, I deleted.


Re: Another Win Blue Virus. Help Please

Post by Belahzur on 3rd June 2009, 9:44 pm

This should be fine now. The iPod is clean now.



Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 3rd June 2009, 9:54 pm

Thank you very much for helping again. Anything else left for the computer?


Re: Another Win Blue Virus. Help Please

Post by Belahzur on 3rd June 2009, 9:54 pm

Nope, not that I can see.



Re: Another Win Blue Virus. Help Please

Post by PatTheBaker on 3rd June 2009, 10:04 pm

OK, thanks.

