Brand New WinBlue Soft Victim


Brand New WinBlue Soft Victim

Post by Paxx on Wed Jun 03, 2009 8:50 am

Hello
I've noticed I'm not the first victim of this malware, I've read many topics but still I'm not able to get rid of it.
I cannot open any executable files except mozilla, and I cannot install/run MalwareRemoval nor HijackThis.
Any help would be extremely appreciated.
Please (puppy eyes)

Paxx
Novice
Novice

Status :
Online
Offline

Posts : 17
Joined : 2009-06-03
Gender : Male
OS : Windows XP Home SP2


Re: Brand New WinBlue Soft Victim

Post by Belahzur on Wed Jun 03, 2009 1:24 pm

Hello.
Delete this file in bold:
C:\Windows\system32\blocker.dll

Let me know if you can run exe files now, or if the file won't delete.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre


Re: Brand New WinBlue Soft Victim

Post by Paxx on Wed Jun 03, 2009 1:34 pm

I tried to delete it but I failed, because it says that the program is actually running.


Re: Brand New WinBlue Soft Victim

Post by Belahzur on Wed Jun 03, 2009 1:47 pm

Please download the Pocket Killbox from [You must be registered and logged in to see this link.]

  • Open the Killbox.
  • Under "Full path of file to delete", copy and paste in the following:

    C:\Windows\system32\blocker.dll

  • Change the option from "Standard file kill" to "Delete on reboot"
  • Press the Red X to delete the file.
  • It will ask if you want to make a backup of the file we deleted, select Yes to the prompt.
  • Okay any prompt and select yes to reboot.



Re: Brand New WinBlue Soft Victim

Post by Paxx on Wed Jun 03, 2009 1:52 pm

Alas, even Killbox is blocked and cannot be opened.
A message appears: "Invalid Picture".


Re: Brand New WinBlue Soft Victim

Post by Belahzur on Wed Jun 03, 2009 2:17 pm


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:
       * Tools->Options->Main tab
       * Set to "Always ask me where to Save the files".
    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Brand New WinBlue Soft Victim

Post by Paxx on Wed Jun 03, 2009 2:32 pm

Thank you for the reply.
Combofix is blocked too if I try to open it by double click.
Instead, if I try to open it with left click>execute as..., a small window appears in the middle of the screen: there's written "ComboFix" above an empty load bar... and nothing happens. So I guess the program doesn't work properly, even if I followed all the instructions you've kindly given me.
I'm starting to think I'm helpless here


Re: Brand New WinBlue Soft Victim

Post by Belahzur on Wed Jun 03, 2009 2:42 pm

Hello.

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.



Re: Brand New WinBlue Soft Victim

Post by Paxx on Wed Jun 03, 2009 3:02 pm

At least this worked, thank you so much
Here's the log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16.57.18, on 03/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinBlueSoft] C:\Programmi\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [WiseStubReboot] MSIEXEC /quiet SKIP_PPU_DRIVER_INSTALL=1 /I "C:\Programmi\File comuni\Wise Installation Wizard\WIS1C4551A64743409391E41477CD655043_9_09_0203.MSI" TRANSFORMS="C:\Programmi\File comuni\Wise Installation Wizard\WIS1C4551A64743409391E41477CD655043_9_09_0203.MST" WISE_SETUP_EXE_PATH="c:\nvidia\winxp\185.85\is\PhysX_9.09.0408_SystemSoftware.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1BD845F-E98C-4DFD-9E69-8A513B597DCA}: NameServer = 85.255.112.16,85.255.112.138
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.16,85.255.112.138
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.16,85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.16,85.255.112.138
O20 - AppInit_DLLs: blocker.dll
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2973 bytes


Re: Brand New WinBlue Soft Victim

Post by Belahzur on Wed Jun 03, 2009 3:07 pm

Hello.
We're gonna do TWO fixes using Hijack This, so read carefully.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    O4 - HKLM\..\Run: [WinBlueSoft] C:\Programmi\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E1BD845F-E98C-4DFD-9E69-8A513B597DCA}: NameServer = 85.255.112.16,85.255.112.138
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.16,85.255.112.138
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.16,85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.16,85.255.112.138

  • Press "Fix Checked"

Now close Hijack This, then re-open it for the second part of the fix.

  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Delete a file on reboot..."
  • Then find and select this file: C:\windows\system32\blocker.dll
  • Select okay and select yes to reboot.

After reboot, try running Combofix.


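How the three entry types fixed above get triaged, as an added example that is not code from this thread or from HijackThis: it parses HJT entries and reports O17 hard-coded NameServer values, O20 AppInit_DLLs injections (a bare file name such as blocker.dll is resolved through the DLL search order) and O4 autoruns absent from a baseline. The baseline sets and the trimmed sample log are assumptions constructed from lines quoted in this thread.

```python
"""Triage of a HijackThis (HJT) log against a responder-supplied baseline."""
import re
from typing import List, Set, Tuple

# Constructed sample: a trimmed mix of lines quoted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinBlueSoft] C:\Programmi\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'SYSTEM')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.16,85.255.112.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AF78B87-BE96-4886-A400-179AC88223FC}: NameServer = 85.37.17.5 85.38.28.77
O20 - AppInit_DLLs: blocker.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
"""

# Assumed baselines: a responder fills these from a known-clean build of the same image.
# Empty resolver set: every hard-coded NameServer is reported for review, which is how
# the O17 lines were handled in this thread (reset so DHCP supplies DNS again).
TRUSTED_RESOLVERS: Set[str] = set()
# AppInit_DLLs entries that belong to installed products (Kaspersky's hook DLL shows up
# in the thread's later log).
TRUSTED_APPINIT: Set[str] = {"adialhk.dll"}
# Executables expected to autorun on this build.
EXPECTED_AUTORUNS: Set[str] = {"ctfmon.exe", "rundll32.exe", "nwiz.exe",
                               "reader_sl.exe", "matcli.exe", "avp.exe"}

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
AUTORUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# First program in an unquoted command line, even when its path contains spaces.
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|scr|bat|cmd|dll))(?=[\s,]|$)", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (HJT section, original line, reason)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def executable_of(cmd: str) -> str:
    """Executable launched by an O4 command line, honouring quotes and spaces in paths."""
    cmd = re.sub(r"\s*\(User '[^']*'\)\s*$", "", cmd).strip()  # drop HJT's (User '...') suffix
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, "Running processes" and blank lines are not entries
        sec, body = m.group("sec"), m.group("body")
        if sec == "O17" and "NameServer =" in body:
            # Hard-coded resolvers; HJT prints them comma- or space-separated.
            servers = re.split(r"[,\s]+", body.split("NameServer =", 1)[1].strip())
            bad = [s for s in servers if s and s not in TRUSTED_RESOLVERS]
            if bad:
                findings.append((sec, line, "hard-coded DNS resolver(s) not in baseline: " + ", ".join(bad)))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # Each DLL listed here is loaded into every process that loads user32.dll.
            for dll in re.split(r"[,\s]+", body.split(":", 1)[1].strip()):
                if not dll:
                    continue
                if "\\" not in dll:
                    findings.append((sec, line, f"AppInit DLL '{dll}' has no full path, so it is resolved through the DLL search order"))
                elif basename(dll) not in TRUSTED_APPINIT:
                    findings.append((sec, line, f"AppInit DLL '{dll}' not in baseline"))
        elif sec == "O4":
            if body.startswith("Global Startup:") and " = " in body:
                cmd = body.split(" = ", 1)[1]  # shortcut target
            else:
                am = AUTORUN_RE.search(body)
                if not am:
                    continue
                cmd = am.group("cmd")
            exe = basename(executable_of(cmd))
            if exe not in EXPECTED_AUTORUNS:
                findings.append((sec, line, f"autorun executable '{exe}' not in baseline"))
    return findings


if __name__ == "__main__":
    for sec, line, reason in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```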

Re: Brand New WinBlue Soft Victim

Post by Paxx on Wed Jun 03, 2009 3:21 pm

Done.
Now the machine seems to work properly, everything seems to be fixed.
Thank you Belahzur, you saved my life!
Goodbye and good work ^^


Re: Brand New WinBlue Soft Victim

Post by Belahzur on Wed Jun 03, 2009 3:28 pm

Nowhere near fixed, all we did was disable it.



Re: Brand New WinBlue Soft Victim

Post by Paxx on Wed Jun 03, 2009 3:32 pm

D'oh.
So what else should I do?


Re: Brand New WinBlue Soft Victim

Post by Belahzur on Wed Jun 03, 2009 3:32 pm

"After reboot, try running Combofix."



Re: Brand New WinBlue Soft Victim

Post by Paxx on Wed Jun 03, 2009 4:25 pm

I had already done it ^^


Re: Brand New WinBlue Soft Victim

Post by Belahzur on Wed Jun 03, 2009 4:26 pm

Post the log then please.



Re: Brand New WinBlue Soft Victim

Post by Paxx on Wed Jun 03, 2009 5:51 pm

Yes sir

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19.51.07, on 03/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [WiseStubReboot] MSIEXEC /quiet SKIP_PPU_DRIVER_INSTALL=1 /I "C:\Programmi\File comuni\Wise Installation Wizard\WIS1C4551A64743409391E41477CD655043_9_09_0203.MSI" TRANSFORMS="C:\Programmi\File comuni\Wise Installation Wizard\WIS1C4551A64743409391E41477CD655043_9_09_0203.MST" WISE_SETUP_EXE_PATH="c:\nvidia\winxp\185.85\is\PhysX_9.09.0408_SystemSoftware.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AF78B87-BE96-4886-A400-179AC88223FC}: NameServer = 85.37.17.5 85.38.28.77
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AF78B87-BE96-4886-A400-179AC88223FC}: NameServer = 85.37.17.5 85.38.28.77
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3885 bytes


Re: Brand New WinBlue Soft Victim

Post by Belahzur on Wed Jun 03, 2009 5:58 pm

Hello.
That's a Hijack This log, but anyhow, there are a few things that could be removed using Hijack This.

  • Open HijackThis.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    O4 - HKUS\S-1-5-18\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'SYSTEM')
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0AF78B87-BE96-4886-A400-179AC88223FC}: NameServer = 85.37.17.5 85.38.28.77
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0AF78B87-BE96-4886-A400-179AC88223FC}: NameServer = 85.37.17.5 85.38.28.77

  • Press "Fix Checked"
  • Close Hijack This.

My Combofix instructions for you are in this post.

[You must be registered and logged in to see this link.]



Re: Brand New WinBlue Soft Victim

Post by Paxx on Wed Jun 03, 2009 10:17 pm

I've run ComboFix again, here's the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0.15.10, on 04/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [WiseStubReboot] MSIEXEC /quiet SKIP_PPU_DRIVER_INSTALL=1 /I "C:\Programmi\File comuni\Wise Installation Wizard\WIS1C4551A64743409391E41477CD655043_9_09_0203.MSI" TRANSFORMS="C:\Programmi\File comuni\Wise Installation Wizard\WIS1C4551A64743409391E41477CD655043_9_09_0203.MST" WISE_SETUP_EXE_PATH="c:\nvidia\winxp\185.85\is\PhysX_9.09.0408_SystemSoftware.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3299 bytes


Re: Brand New WinBlue Soft Victim

Post by Belahzur on Wed Jun 03, 2009 10:22 pm

That's still a Hijack This log.



Re: Brand New WinBlue Soft Victim

Post by Paxx on Wed Jun 03, 2009 10:26 pm

Yikes
ComboFix log:

ComboFix 09-06-01.03 - Paxx 04/06/2009 0.08.16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.39.1040.18.2047.1676 [GMT 2:00]
Eseguito da: c:\documents and settings\Paxx\Desktop\Combo-Fix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( Files Creati Da 2009-05-03 al 2009-06-03 )))))))))))))))))))))))))))))))))))
.

2009-06-03 22:00 . 2009-06-03 22:00 -------- d-----w- c:\documents and settings\Paxx\Impostazioni locali\Dati applicazioni\Help
2009-06-03 21:58 . 2009-06-03 22:06 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-06-03 18:58 . 2005-02-25 03:35 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2009-06-03 17:39 . 2009-06-03 17:39 112144 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\X86\kl1.sys
2009-06-03 17:39 . 2009-06-03 17:39 682512 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\updater.dll
2009-06-03 17:39 . 2009-06-03 17:39 194320 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\klif.sys
2009-06-03 17:39 . 2009-06-03 17:39 150032 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\diffs.dll
2009-06-03 17:39 . 2009-06-03 17:39 342544 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\ckahum.dll
2009-06-03 17:29 . 2009-06-03 17:39 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-06-03 17:29 . 2009-06-03 17:39 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-06-03 17:28 . 2009-06-03 17:28 -------- d-----w- c:\programmi\Kaspersky Lab
2009-06-03 17:28 . 2009-06-03 21:53 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab
2009-06-03 17:28 . 2009-06-03 22:11 50464 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-03 17:28 . 2009-06-03 22:10 991008 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-03 14:53 . 2009-06-03 14:53 -------- d-----w- c:\programmi\Trend Micro
2009-06-03 14:50 . 2009-06-03 14:50 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Mozilla
2009-06-03 13:22 . 2009-06-03 13:22 -------- d-----w- c:\documents and settings\NetworkService\Menu Avvio
2009-06-02 23:17 . 2009-05-26 11:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-02 23:17 . 2009-06-02 23:17 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2009-06-02 23:17 . 2009-06-02 23:17 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-06-02 23:17 . 2009-05-26 11:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-02 23:09 . 2009-06-02 23:09 3361 ----a-w- c:\windows\system32\2fefsparse95z.bin
2009-06-02 23:09 . 2009-06-02 23:09 361472 ----a-w- c:\windows\system32\tempo-setup2.exe
2009-06-02 23:02 . 2000-01-24 16:20 17408 ----a-w- c:\windows\system32\ftdll16.dll
2009-06-02 23:02 . 1999-08-04 07:48 40960 ----a-w- c:\windows\system32\Qa3dload.dll
2009-06-02 23:02 . 1999-09-15 16:33 57344 ----a-w- c:\windows\system32\Qa3d.dll
2009-06-02 23:02 . 2001-08-30 21:07 98304 -c--a-w- c:\windows\system32\dllcache\a3d.dll
2009-06-02 23:02 . 2001-08-30 21:07 98304 ----a-w- c:\windows\system32\a3d.dll
2009-06-02 23:02 . 2000-04-22 13:41 115856 ----a-w- c:\windows\system32\SND801.drv
2009-06-02 23:02 . 1999-05-19 14:18 20255 ----a-w- C:\cfg801.exe
2009-06-02 23:02 . 1999-05-19 15:15 4657 ----a-w- C:\DOS801.EXE
2009-06-02 23:00 . 1999-12-13 15:10 24064 ----a-w- c:\windows\system32\ftdll32.dll
2009-06-02 23:00 . 2000-02-24 09:38 259072 ----a-w- c:\windows\system32\fmctrl.exe
2009-06-02 23:00 . 1998-01-23 10:22 304128 ----a-w- c:\windows\IsUninst.exe
2009-06-02 23:00 . 2009-06-02 23:00 -------- d-----w- c:\documents and settings\Paxx\WINDOWS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 22:10 . 2009-06-03 17:28 6800 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-03 22:10 . 2009-06-03 17:28 13976 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-03 17:39 . 2007-04-28 14:51 112144 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-06-02 22:57 . 2009-06-02 22:57 0 ----a-w- c:\windows\nsreg.dat
2009-06-02 21:54 . 2009-06-02 21:54 -------- d-----w- c:\programmi\File comuni\Wise Installation Wizard
2009-06-02 21:39 . 2009-06-02 21:39 -------- d-----w- c:\programmi\File comuni\Adobe
2009-06-02 21:31 . 2009-06-02 21:31 -------- d-----w- c:\programmi\Alice ti aiuta
2009-06-02 21:31 . 2009-06-02 21:31 -------- d-----w- c:\programmi\Common Files
2009-06-02 21:31 . 2009-06-02 21:31 -------- d-----w- c:\programmi\Motive
2009-06-02 21:31 . 2009-06-02 21:31 2232 ----a-w- c:\windows\java\Packages\Data\QADRL39R.DAT
2009-06-02 21:31 . 2009-06-02 21:31 155995 ----a-w- c:\windows\java\Packages\BLB9NF9N.ZIP
2009-06-02 21:31 . 2009-06-02 21:31 2678 ----a-w- c:\windows\java\Packages\Data\IQZFH77B.DAT
2009-06-02 21:31 . 2009-06-02 21:31 2678 ----a-w- c:\windows\java\Packages\Data\UAFVBXN5.DAT
2009-06-02 21:31 . 2009-06-02 21:31 2678 ----a-w- c:\windows\java\Packages\Data\KV9FLRXF.DAT
2009-06-02 21:31 . 2009-06-02 21:31 2678 ----a-w- c:\windows\java\Packages\Data\JTBRJ3TF.DAT
2009-06-02 21:31 . 2009-06-02 21:31 2678 ----a-w- c:\windows\java\Packages\Data\EITFV79J.DAT
2009-06-02 21:27 . 2009-06-02 21:27 -------- d-----w- c:\programmi\Attansic
2009-06-02 21:27 . 2009-06-02 21:16 -------- d--h--w- c:\programmi\InstallShield Installation Information
2009-06-02 21:27 . 2009-06-02 21:15 -------- d-----w- c:\programmi\File comuni\InstallShield
2009-06-02 21:20 . 2009-06-02 21:20 -------- d-----w- c:\programmi\Intel
2009-06-02 21:15 . 2009-06-02 21:15 -------- d-----w- c:\programmi\Telecom Italia
2009-06-02 21:12 . 2006-03-02 12:00 47814 ----a-w- c:\windows\system32\perfc010.dat
2009-06-02 21:12 . 2006-03-02 12:00 345382 ----a-w- c:\windows\system32\perfh010.dat
2009-06-02 21:08 . 2009-06-02 21:08 -------- d-----w- c:\programmi\microsoft frontpage
2009-06-02 21:07 . 2009-06-02 21:07 76875 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-02 21:07 . 2009-06-02 21:07 -------- d-----w- c:\programmi\Servizi in linea
2009-06-02 21:06 . 2009-06-02 21:06 21840 ----a-w- c:\windows\system32\emptyregdb.dat
2009-04-30 22:30 . 2009-04-30 22:30 1194528 ----a-w- c:\windows\system32\nvcplui.exe
2009-04-30 20:02 . 2009-06-02 21:53 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-04-30 20:02 . 2009-04-30 20:02 9994240 ----a-w- c:\windows\system32\nvoglnt.dll
2009-04-30 20:02 . 2009-04-30 20:02 806912 ----a-w- c:\windows\system32\nvapi.dll
2009-04-30 20:02 . 2009-04-30 20:02 8055584 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-04-30 20:02 . 2009-04-30 20:02 663552 ----a-w- c:\windows\system32\nvcuvid.dll
2009-04-30 20:02 . 2009-04-30 20:02 5896320 ----a-w- c:\windows\system32\nv4_disp.dll
2009-04-30 20:02 . 2009-04-30 20:02 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-04-30 20:02 . 2009-04-30 20:02 1579630 ----a-w- c:\windows\system32\nvdata.bin
2009-04-30 20:02 . 2009-04-30 20:02 143360 ----a-w- c:\windows\system32\nvcodins.dll
2009-04-30 20:02 . 2009-04-30 20:02 143360 ----a-w- c:\windows\system32\nvcod.dll
2009-04-30 20:02 . 2009-04-30 20:02 1314816 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-04-26 22:42 . 2009-06-02 21:53 457248 ----a-w- c:\windows\system32\NVUNINST.EXE
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-02 21:08 . 2007-11-30 12:39 18808 c:\windows\system32\spmsg.dll
+ 2007-06-28 10:50 . 2007-06-28 10:50 22457 c:\windows\system32\drivers\klop.dat
+ 2007-04-04 12:58 . 2007-04-04 12:58 24344 c:\windows\system32\drivers\klim5.sys
- 2009-06-02 21:10 . 2009-06-02 21:11 32768 c:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-02 21:10 . 2009-06-03 17:31 32768 c:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-02 21:10 . 2009-06-03 17:31 32768 c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
- 2009-06-02 21:10 . 2009-06-02 21:11 32768 c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
- 2009-06-02 21:10 . 2009-06-02 21:11 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-06-02 21:10 . 2009-06-03 17:31 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-03-02 12:00 . 2006-03-02 12:00 351232 c:\windows\system32\winhttp.dll
+ 2006-03-02 12:00 . 2008-12-16 12:47 351232 c:\windows\system32\winhttp.dll
+ 2007-06-28 10:51 . 2007-06-28 10:51 206088 c:\windows\system32\klogon.dll
+ 2007-06-27 15:31 . 2009-06-03 17:39 194320 c:\windows\system32\drivers\klif.sys
+ 2006-03-02 12:00 . 2008-12-16 12:47 351232 c:\windows\system32\dllcache\winhttp.dll
- 2006-03-02 12:00 . 2006-03-02 12:00 351232 c:\windows\system32\dllcache\winhttp.dll
- 2009-06-02 21:06 . 2006-03-02 12:00 331776 c:\windows\system32\dllcache\msadce.dll
+ 2009-06-02 21:06 . 2008-05-01 14:31 331776 c:\windows\system32\dllcache\msadce.dll
+ 2009-06-03 18:49 . 2008-04-15 17:55 1724416 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2006-03-02 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WiseStubReboot"="MSIEXEC" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Reader Speed Launch.lnk - c:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Alice ti aiuta.lnk - c:\programmi\Alice ti aiuta\bin\matcli.exe [2009-6-2 212992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [02/06/2009 23.27.40 38656]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [04/04/2007 14.58.26 24344]
.
.
------- Supplementary Scan -------
.
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Paxx\Dati applicazioni\Mozilla\Firefox\Profiles\yfe0lyo1.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-04 00:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Paxx\IMPOST~1\Temp\RGI1.tmp 7117 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- Dlls Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1040)
c:\programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1096)
c:\programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll

- - - - - - - > 'explorer.exe'(132)
c:\programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
c:\windows\system32\rundll32.exe
c:\programmi\Alice ti aiuta\bin\mpbtn.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-03 0.14.20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-03 22:14
ComboFix2.txt 2009-06-03 15:16

Pre-Run: 72.116.248.576 bytes free
Post-Run: 75.260.055.552 bytes free

182 --- E O F --- 2009-06-03 18:58


Re: Brand New WinBlue Soft Victim

Post by Belahzur on Wed Jun 03, 2009 10:28 pm

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\2fefsparse95z.bin
c:\windows\system32\tempo-setup2.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


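The two posts above show what the ComboFix log exposes (the "Reg Loading Points" block with the Windows Firewall switched off for the standard profile and a policies\system restriction set) and how a CFScript reverts such a value (the `"Name"=-` form deletes it). As an added example that is not part of this thread, of ComboFix, or of any forum helper's toolkit, the Python below parses that REGEDIT4-style block, flags the three settings visible in this log, and emits the Registry:: stanza of a CFScript in the same syntax the helper used. The sample excerpt is constructed from the log above; the rule list, the severity notes and the helper names (`parse_reg_points`, `find_findings`, `build_cfscript`) are this example's own. The note that installed AV products commonly set DisableMonitoring themselves on XP is general knowledge about Security Center, not something the thread states.

```python
"""Triage the 'Reg Loading Points' block of a ComboFix log (added example)."""
import re
from dataclasses import dataclass

# Constructed excerpt in the shape ComboFix prints under "Reg Loading Points",
# modelled on the log in this thread (not copied from a live machine).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2006-03-02 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_points(text):
    """Return {key_path: {value_name: raw_value_text}} from a REGEDIT4 block."""
    points, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            points.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            points[current][m.group(1)] = m.group(2).strip()
    return points


def decode_value(raw):
    """Turn ComboFix's value rendering into an int where it is numeric.

    DWORDs appear either as 'dword:00000001' (regedit style) or as '1 (0x1)';
    anything else (paths, strings with [date size] suffix) is returned as-is.
    """
    m = re.match(r"^dword:([0-9a-fA-F]{1,8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return raw


@dataclass
class Finding:
    key: str
    name: str
    value: object
    note: str
    delete: bool  # True when the remediation is simply removing the value


# (substring of the lower-cased key, value name, predicate, note, script a delete?)
RULES = [
    (r"firewallpolicy\standardprofile", "EnableFirewall", lambda v: v == 0,
     "Windows Firewall is off for the standard profile; re-enable it from "
     "Control Panel once the machine is clean (not scripted here).", False),
    (r"policies\system", "NoDispBackgroundPage", lambda v: v == 1,
     "Policy hides the Display Properties background page, a user lock-out "
     "tweak with no place on a home PC; the thread's CFScript deletes it.", True),
    (r"security center\monitoring", "DisableMonitoring", lambda v: v == 1,
     "Security Center told not to monitor this AV product. Installed AV "
     "products commonly set this themselves on XP to avoid duplicate alerts, "
     "so confirm it belongs to the installed product before touching it.", False),
]


def find_findings(points):
    """Apply RULES to parsed points and return the matching Findings."""
    out = []
    for key, values in points.items():
        for sub, name, pred, note, delete in RULES:
            if sub in key.lower() and name in values:
                v = decode_value(values[name])
                if pred(v):
                    out.append(Finding(key, name, v, note, delete))
    return out


def build_cfscript(findings):
    """Emit the Registry:: stanza of a CFScript using the '"Name"=-' (delete
    value) form the thread's helper used; only delete=True findings are
    scripted, the rest are left for a manual decision."""
    lines = ["Registry::"]
    for f in findings:
        if f.delete:
            lines.append(f"[{f.key}]")
            lines.append(f'"{f.name}"=-')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    findings = find_findings(parse_reg_points(SAMPLE_LOG))
    for f in findings:
        print(f"{f.name}={f.value!r} under [{f.key}]\n    {f.note}")
    print()
    print(build_cfscript(findings))
```

Paste the emitted stanza into CFScript.txt after the File:: block, exactly as the helper's post shows. The firewall and Security Center findings are reported but deliberately not scripted: re-enabling the firewall is a Control Panel action, and the monitoring flag may well be the AV product's own setting.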

Re: Brand New WinBlue Soft Victim

Post by Paxx on Wed Jun 03, 2009 10:44 pm

Here's the new log:

ComboFix 09-06-01.03 - Paxx 04/06/2009 0.38.57.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.39.1040.18.2047.1726 [GMT 2:00]
Running from: c:\documents and settings\Paxx\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Paxx\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"c:\windows\system32\2fefsparse95z.bin"
"c:\windows\system32\tempo-setup2.exe"
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\2fefsparse95z.bin
c:\windows\system32\tempo-setup2.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))))))
.

2009-06-03 22:31 . 2004-08-03 21:08 10624 -c--a-w- c:\windows\system32\dllcache\gameenum.sys
2009-06-03 22:31 . 2004-08-03 21:08 10624 ----a-w- c:\windows\system32\drivers\gameenum.sys
2009-06-03 22:21 . 2000-05-29 22:06 5779 ----a-w- c:\windows\system32\drivers\FMPNP.SYS
2009-06-03 22:21 . 2001-11-02 08:49 9728 ----a-w- c:\windows\system32\drivers\FMJOY.SYS
2009-06-03 22:21 . 2001-11-02 12:33 328320 ----a-w- c:\windows\system32\drivers\FM801.SYS
2009-06-03 22:19 . 2009-06-03 22:19 -------- d-----w- c:\documents and settings\Paxx\Impostazioni locali\Dati applicazioni\Adobe
2009-06-03 22:00 . 2009-06-03 22:00 -------- d-----w- c:\documents and settings\Paxx\Impostazioni locali\Dati applicazioni\Help
2009-06-03 21:58 . 2009-06-03 22:06 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-06-03 18:58 . 2005-02-25 03:35 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2009-06-03 17:39 . 2009-06-03 17:39 112144 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\X86\kl1.sys
2009-06-03 17:39 . 2009-06-03 17:39 682512 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\updater.dll
2009-06-03 17:39 . 2009-06-03 17:39 194320 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\klif.sys
2009-06-03 17:39 . 2009-06-03 17:39 150032 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\diffs.dll
2009-06-03 17:39 . 2009-06-03 17:39 342544 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\ckahum.dll
2009-06-03 17:29 . 2009-06-03 17:39 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-06-03 17:29 . 2009-06-03 17:39 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-06-03 17:28 . 2009-06-03 17:28 -------- d-----w- c:\programmi\Kaspersky Lab
2009-06-03 17:28 . 2009-06-03 22:37 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab
2009-06-03 17:28 . 2009-06-03 22:40 1046560 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-03 17:28 . 2009-06-03 22:40 56608 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-03 14:53 . 2009-06-03 14:53 -------- d-----w- c:\programmi\Trend Micro
2009-06-03 14:50 . 2009-06-03 14:50 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Mozilla
2009-06-03 13:22 . 2009-06-03 13:22 -------- d-----w- c:\documents and settings\NetworkService\Menu Avvio
2009-06-02 23:17 . 2009-05-26 11:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-02 23:17 . 2009-06-02 23:17 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2009-06-02 23:17 . 2009-06-02 23:17 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-06-02 23:17 . 2009-05-26 11:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-02 23:02 . 2000-01-24 16:20 17408 ----a-w- c:\windows\system32\ftdll16.dll
2009-06-02 23:02 . 1999-08-04 07:48 40960 ----a-w- c:\windows\system32\Qa3dload.dll
2009-06-02 23:02 . 1999-09-15 16:33 57344 ----a-w- c:\windows\system32\Qa3d.dll
2009-06-02 23:02 . 2001-08-30 21:07 98304 -c--a-w- c:\windows\system32\dllcache\a3d.dll
2009-06-02 23:02 . 2001-08-30 21:07 98304 ----a-w- c:\windows\system32\a3d.dll
2009-06-02 23:02 . 2000-04-22 13:41 115856 ----a-w- c:\windows\system32\SND801.drv
2009-06-02 23:02 . 1999-05-19 14:18 20255 ----a-w- C:\cfg801.exe
2009-06-02 23:02 . 1999-05-19 15:15 4657 ----a-w- C:\DOS801.EXE
2009-06-02 23:00 . 2001-10-15 12:15 53248 ----a-w- c:\windows\system32\ftdll32.dll
2009-06-02 23:00 . 2001-08-20 19:47 270336 ----a-w- c:\windows\system32\fmctrl.exe
2009-06-02 23:00 . 1998-01-23 10:22 304128 ----a-w- c:\windows\IsUninst.exe
2009-06-02 23:00 . 2009-06-02 23:00 -------- d-----w- c:\documents and settings\Paxx\WINDOWS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 22:29 . 2009-06-02 21:07 76875 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-03 22:22 . 2009-06-03 17:28 7064 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-03 22:22 . 2009-06-03 17:28 14648 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-03 17:39 . 2007-04-28 14:51 112144 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-06-02 22:57 . 2009-06-02 22:57 0 ----a-w- c:\windows\nsreg.dat
2009-06-02 21:54 . 2009-06-02 21:54 -------- d-----w- c:\programmi\File comuni\Wise Installation Wizard
2009-06-02 21:39 . 2009-06-02 21:39 -------- d-----w- c:\programmi\File comuni\Adobe
2009-06-02 21:31 . 2009-06-02 21:31 -------- d-----w- c:\programmi\Alice ti aiuta
2009-06-02 21:31 . 2009-06-02 21:31 -------- d-----w- c:\programmi\Common Files
2009-06-02 21:31 . 2009-06-02 21:31 -------- d-----w- c:\programmi\Motive
2009-06-02 21:31 . 2009-06-02 21:31 2232 ----a-w- c:\windows\java\Packages\Data\QADRL39R.DAT
2009-06-02 21:31 . 2009-06-02 21:31 155995 ----a-w- c:\windows\java\Packages\BLB9NF9N.ZIP
2009-06-02 21:31 . 2009-06-02 21:31 2678 ----a-w- c:\windows\java\Packages\Data\IQZFH77B.DAT
2009-06-02 21:31 . 2009-06-02 21:31 2678 ----a-w- c:\windows\java\Packages\Data\UAFVBXN5.DAT
2009-06-02 21:31 . 2009-06-02 21:31 2678 ----a-w- c:\windows\java\Packages\Data\KV9FLRXF.DAT
2009-06-02 21:31 . 2009-06-02 21:31 2678 ----a-w- c:\windows\java\Packages\Data\JTBRJ3TF.DAT
2009-06-02 21:31 . 2009-06-02 21:31 2678 ----a-w- c:\windows\java\Packages\Data\EITFV79J.DAT
2009-06-02 21:27 . 2009-06-02 21:27 -------- d-----w- c:\programmi\Attansic
2009-06-02 21:27 . 2009-06-02 21:16 -------- d--h--w- c:\programmi\InstallShield Installation Information
2009-06-02 21:27 . 2009-06-02 21:15 -------- d-----w- c:\programmi\File comuni\InstallShield
2009-06-02 21:20 . 2009-06-02 21:20 -------- d-----w- c:\programmi\Intel
2009-06-02 21:15 . 2009-06-02 21:15 -------- d-----w- c:\programmi\Telecom Italia
2009-06-02 21:12 . 2006-03-02 12:00 47814 ----a-w- c:\windows\system32\perfc010.dat
2009-06-02 21:12 . 2006-03-02 12:00 345382 ----a-w- c:\windows\system32\perfh010.dat
2009-06-02 21:08 . 2009-06-02 21:08 -------- d-----w- c:\programmi\microsoft frontpage
2009-06-02 21:07 . 2009-06-02 21:07 -------- d-----w- c:\programmi\Servizi in linea
2009-06-02 21:06 . 2009-06-02 21:06 21840 ----a-w- c:\windows\system32\emptyregdb.dat
2009-04-30 22:30 . 2009-04-30 22:30 1194528 ----a-w- c:\windows\system32\nvcplui.exe
2009-04-30 20:02 . 2009-06-02 21:53 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-04-30 20:02 . 2009-04-30 20:02 9994240 ----a-w- c:\windows\system32\nvoglnt.dll
2009-04-30 20:02 . 2009-04-30 20:02 806912 ----a-w- c:\windows\system32\nvapi.dll
2009-04-30 20:02 . 2009-04-30 20:02 8055584 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-04-30 20:02 . 2009-04-30 20:02 663552 ----a-w- c:\windows\system32\nvcuvid.dll
2009-04-30 20:02 . 2009-04-30 20:02 5896320 ----a-w- c:\windows\system32\nv4_disp.dll
2009-04-30 20:02 . 2009-04-30 20:02 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-04-30 20:02 . 2009-04-30 20:02 1579630 ----a-w- c:\windows\system32\nvdata.bin
2009-04-30 20:02 . 2009-04-30 20:02 143360 ----a-w- c:\windows\system32\nvcodins.dll
2009-04-30 20:02 . 2009-04-30 20:02 143360 ----a-w- c:\windows\system32\nvcod.dll
2009-04-30 20:02 . 2009-04-30 20:02 1314816 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-04-26 22:42 . 2009-06-02 21:53 457248 ----a-w- c:\windows\system32\NVUNINST.EXE
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-02 21:08 . 2007-11-30 12:39 18808 c:\windows\system32\spmsg.dll
+ 2007-06-28 10:50 . 2007-06-28 10:50 22457 c:\windows\system32\drivers\klop.dat
+ 2007-04-04 12:58 . 2007-04-04 12:58 24344 c:\windows\system32\drivers\klim5.sys
- 2009-06-02 21:10 . 2009-06-02 21:11 32768 c:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-02 21:10 . 2009-06-03 17:31 32768 c:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-02 21:10 . 2009-06-03 17:31 32768 c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
- 2009-06-02 21:10 . 2009-06-02 21:11 32768 c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2009-06-02 21:10 . 2009-06-03 17:31 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-06-02 21:10 . 2009-06-02 21:11 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-06-02 21:07 . 2009-06-03 22:29 2378 c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2009-06-02 21:07 . 2009-06-03 22:29 8972 c:\windows\pchealth\helpctr\Config\Cntstore.bin
- 2006-03-02 12:00 . 2006-03-02 12:00 351232 c:\windows\system32\winhttp.dll
+ 2006-03-02 12:00 . 2008-12-16 12:47 351232 c:\windows\system32\winhttp.dll
+ 2007-06-28 10:51 . 2007-06-28 10:51 206088 c:\windows\system32\klogon.dll
+ 2007-06-27 15:31 . 2009-06-03 17:39 194320 c:\windows\system32\drivers\klif.sys
- 2006-03-02 12:00 . 2006-03-02 12:00 351232 c:\windows\system32\dllcache\winhttp.dll
+ 2006-03-02 12:00 . 2008-12-16 12:47 351232 c:\windows\system32\dllcache\winhttp.dll
- 2009-06-02 21:06 . 2006-03-02 12:00 331776 c:\windows\system32\dllcache\msadce.dll
+ 2009-06-02 21:06 . 2008-05-01 14:31 331776 c:\windows\system32\dllcache\msadce.dll
+ 2009-06-03 18:49 . 2008-04-15 17:55 1724416 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2006-03-02 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WiseStubReboot"="MSIEXEC" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Reader Speed Launch.lnk - c:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Alice ti aiuta.lnk - c:\programmi\Alice ti aiuta\bin\matcli.exe [2009-6-2 212992]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [02/06/2009 23.27.40 38656]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [04/04/2007 14.58.26 24344]
.
.
------- Supplementary Scan -------
.
TCP: {0AF78B87-BE96-4886-A400-179AC88223FC} = 85.37.17.5 85.38.28.77
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Paxx\Dati applicazioni\Mozilla\Firefox\Profiles\yfe0lyo1.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-04 00:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- Dlls Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1036)
c:\programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1092)
c:\programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
.
Completion time: 2009-06-03 0.41.42
ComboFix-quarantined-files.txt 2009-06-03 22:41
ComboFix2.txt 2009-06-03 22:14
ComboFix3.txt 2009-06-03 15:16

Pre-Run: 75.261.935.616 bytes free
Post-Run: 75.249.913.856 bytes free

182 --- E O F --- 2009-06-03 18:58


Re: Brand New WinBlue Soft Victim

Post by Belahzur on Thu Jun 04, 2009 12:14 am

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


Re: Brand New WinBlue Soft Victim

Post by Paxx on Thu Jun 04, 2009 7:54 am

The machine runs perfectly now, as good as new.
Thank You!
