I'm another victim of winblue

View previous topic View next topic Go down

Re: I'm another victim of winblue

Post by Belahzur on Wed Jun 03, 2009 10:34 pm


  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Delete a file on reboot..."
  • Then find and select this file: C:\windows\system32\blocker.dll
  • Select okay and select yes to reboot.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: I'm another victim of winblue

Post by mscandidrop on Wed Jun 03, 2009 10:36 pm

there is one called mskdectorex and another called kernalfaultcheck do i need to check else?

mscandidrop
Novice
Novice

Posts Posts : 32
Joined Joined : 2009-06-03
OS OS : windows xp
Points Points : 27464
# Likes # Likes : 0

View user profile

Back to top Go down

Re: I'm another victim of winblue

Post by mscandidrop on Wed Jun 03, 2009 10:56 pm

ok i got it now
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:41 PM, on 6/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\tempo-setup2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by MySpace
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Search - ?p=ZJxdm088YYUS
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Candi Drop\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.moove.com
O20 - AppInit_DLLs: blocker.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - About:Home

--
End of file - 9042 bytes

mscandidrop
Novice
Novice

Posts Posts : 32
Joined Joined : 2009-06-03
OS OS : windows xp
Points Points : 27464
# Likes # Likes : 0

View user profile

Back to top Go down

Re: I'm another victim of winblue

Post by mscandidrop on Wed Jun 03, 2009 11:04 pm

did i do it right?

mscandidrop
Novice
Novice

Posts Posts : 32
Joined Joined : 2009-06-03
OS OS : windows xp
Points Points : 27464
# Likes # Likes : 0

View user profile

Back to top Go down

Re: I'm another victim of winblue

Post by mscandidrop on Wed Jun 03, 2009 11:11 pm

...

mscandidrop
Novice
Novice

Posts Posts : 32
Joined Joined : 2009-06-03
OS OS : windows xp
Points Points : 27464
# Likes # Likes : 0

View user profile

Back to top Go down

Re: I'm another victim of winblue

Post by mscandidrop on Wed Jun 03, 2009 11:38 pm

so.......... what now

mscandidrop
Novice
Novice

Posts Posts : 32
Joined Joined : 2009-06-03
OS OS : windows xp
Points Points : 27464
# Likes # Likes : 0

View user profile

Back to top Go down

Re: I'm another victim of winblue

Post by Origin on Thu Jun 04, 2009 12:08 am

Please do not keep Bumping your topic as you are not the only one that needs help,



  • Open HijackThis.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
    O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe
    O8 - Extra context menu item: &Search - ?p=ZJxdm088YYUS
    O15 - Trusted Zone: *.moove.com
    O20 - AppInit_DLLs: blocker.dll
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe



  • Press "Fix Checked"
  • Close Hijack This.






1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Mcafee)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31483
# Likes # Likes : 0

View user profile

Back to top Go down

Re: I'm another victim of winblue

Post by mscandidrop on Thu Jun 04, 2009 1:10 am

ComboFix 09-06-03.01 - Candi Drop 06/03/2009 20:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.144 [GMT -4:00]
Running from: c:\documents and settings\Candi Drop\My Documents\My Videos\Combo-Fix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\windows\101zt9ief5830.ocx
c:\windows\105659roz1d4.ocx
c:\windows\1058spzmbot6359.ocx
c:\windows\10875zackto9l7765.exe
c:\windows\10z85hackt5o989.dll
c:\windows\1126459t-a-virus5z.cpl
c:\windows\1145thzeat26998.bin
c:\windows\115159cktool680z.ocx
c:\windows\1206zwo9m555.cpl
c:\windows\12170zpy5d09.cpl
c:\windows\122459orm52z.cpl
c:\windows\12479not5a-zirus635.bin
c:\windows\1274295oj43z.dll
c:\windows\12775viru941z.cpl
c:\windows\12968ha9k5zol173.dll
c:\windows\129ca5dware15z0.exe
c:\windows\131329zrus995.cpl
c:\windows\13273s95z5a.exe
c:\windows\13289hackto5lz2c.ocx
c:\windows\13439vi9uz3595.cpl
c:\windows\13566h5cktoo91acz.bin
c:\windows\13577spzmbo9255.dll
c:\windows\13596not-5-virus4e6z.cpl
c:\windows\138zthr9at9523.dll
c:\windows\14189virusz9d5.ocx
c:\windows\14235not-az5iru9712.ocx
c:\windows\142zv9r5s587.ocx
c:\windows\14320vi59z496.exe
c:\windows\143z7not5a-viru95b8.ocx
c:\windows\14417hackto9524z.cpl
c:\windows\14595pa9bot39z.exe
c:\windows\14598virzs359.exe
c:\windows\14902ha9ktzol58.ocx
c:\windows\1510hackt9ol6adz.bin
c:\windows\151719pyz5e.dll

mscandidrop
Novice
Novice

Posts Posts : 32
Joined Joined : 2009-06-03
OS OS : windows xp
Points Points : 27464
# Likes # Likes : 0

View user profile

Back to top Go down

Re: I'm another victim of winblue

Post by mscandidrop on Thu Jun 04, 2009 1:10 am

c:\windows\151719pyz5e.dll
c:\windows\15290virusz5e.ocx
c:\windows\155bbaczdoor50569.bin
c:\windows\155zsparse2992.bin
c:\windows\15639hzc9tool5e9.bin
c:\windows\157z0s5amb9t21e.dll
c:\windows\15f8ad5wzre978.bin
c:\windows\15z8addware693.dll
c:\windows\16256not5a-virus9z8.cpl
c:\windows\16a0downloade9255z.bin
c:\windows\16bzthief26159.dll
c:\windows\17193zo5-a-9irus1b5.ocx
c:\windows\1720spy9a5e303z.bin
c:\windows\175zvir1279.bin
c:\windows\17673hazkt9ol185.exe
c:\windows\17802hackt5oz9f5.bin
c:\windows\1802spyzare2598.dll
c:\windows\1829s5eal1z14.ocx
c:\windows\1859backzoor1054.dll
c:\windows\185z6wo9m678.ocx
c:\windows\18862not-azvirus2f95.dll
c:\windows\1887n9t-a-5irzs70b.cpl
c:\windows\189025zy3be.dll
c:\windows\189959py5bz.ocx
c:\windows\18z49viru539a.bin
c:\windows\190299ackzool2c5.dll
c:\windows\191145orz9cb.ocx
c:\windows\19215zpambot3df.ocx
c:\windows\19415vizus6cc.ocx
c:\windows\198z05pambot19f.bin
c:\windows\1997downzoader5695.dll
c:\windows\19dzth5eat20845.bin
c:\windows\19f35ir1z92.bin
c:\windows\19f9addwa5z2573.dll
c:\windows\19z83hackt5ol169.bin
c:\windows\1a56zte9l1125.ocx
c:\windows\1ac4ba9kdoor235z.ocx
c:\windows\1b509pzrs51822.cpl
c:\windows\1d399parse85z.exe
c:\windows\1e90backdo9r5z21.bin
c:\windows\1z586spy25c9.ocx
c:\windows\1zd8spa9se1756.dll
c:\windows\205fbackdooz26899.dll
c:\windows\21829hackto5l1z4.bin
c:\windows\21954not5a-virus45z.exe
c:\windows\21z1t9ief575.exe
c:\windows\21z61sp5mbot697.dll
c:\windows\227359za5bot6f1.dll
c:\windows\23388hack5oo94dz.ocx
c:\windows\23391spambz54a9.dll
c:\windows\235015or91z5.ocx
c:\windows\2361z9ot-a-virus595.bin
c:\windows\23885viz9s1e3.ocx
c:\windows\239szarse885.bin
c:\windows\241zs5y933.exe
c:\windows\2424ste9l25z9.dll
c:\windows\24575vzrus6b69.dll
c:\windows\24854zp5mbot99.bin
c:\windows\24959spambot2zd9.cpl
c:\windows\2495tro97z2.exe
c:\windows\24z745iru930e.dll
c:\windows\2525d5wnlz9der452.bin
c:\windows\252fthrzat195.exe
c:\windows\25385vi9zs45c5.exe
c:\windows\253z9hief3185.bin
c:\windows\25557v9r5s6za.exe
c:\windows\25727zi9us1a5.bin
c:\windows\25891sza59ot1b7.ocx
c:\windows\25c2spa9ze2798.bin
c:\windows\26459troj5z.bin
c:\windows\265649pa5botz9.dll
c:\windows\265775pamboz2e9.exe
c:\windows\265vi93176z.cpl
c:\windows\26841zir9s7a45.bin
c:\windows\26902notza-viru592a.exe
c:\windows\27215worm39z.ocx
c:\windows\272379o5m466z.cpl
c:\windows\27245hazktool949.cpl
c:\windows\27556not9a-zirus6df.exe
c:\windows\2791znot-a-vi5us72f.cpl
c:\windows\27fzown95ader1912.ocx
c:\windows\28457hackt9oz756.cpl
c:\windows\2845z9roj5615.exe
c:\windows\28c8d9wzload5r2580.bin
c:\windows\29045h5cktzol1019.cpl
c:\windows\29557worm6ze.exe
c:\windows\29589zpy44d.ocx
c:\windows\29671spy675z.dll
c:\windows\2980ztro5522.bin
c:\windows\299565r9jza7.cpl
c:\windows\29b8ad5ware1z089.dll
c:\windows\29czt9ief3259.exe
c:\windows\29f3dzwnloa9er9125.ocx
c:\windows\29z06vir9s7f35.exe
c:\windows\29z1v5r580.exe
c:\windows\2z40n5t9a-virus414.ocx
c:\windows\2z540vi9us14e.dll
c:\windows\2z671w9rm56c.exe
c:\windows\2z6asparse2395.exe
c:\windows\2z9115orm384.bin
c:\windows\2z995spambot70f.dll
c:\windows\3009virzs56b9.exe
c:\windows\3032ad5war9z401.dll
c:\windows\30549ir2337z.ocx
c:\windows\308529orz315.exe
c:\windows\3155ha9ktool2z5.exe
c:\windows\318445zambot3b99.dll
c:\windows\3275zs9y5d5.dll
c:\windows\3326ha5ktool5z9.bin
c:\windows\340295zeat10341.exe
c:\windows\3412th9eaz67295.bin
c:\windows\3452add9arez014.dll
c:\windows\3456sz9mbot35.exe
c:\windows\352faddware199z.bin
c:\windows\35a8spyzar93226.bin
c:\windows\365dsparsz1529.dll
c:\windows\3695hackt9zl28a.ocx
c:\windows\37529ir92z.exe
c:\windows\3842h9cktoo57z8.bin
c:\windows\38zabackdoo95183.dll
c:\windows\3953virzs946.bin
c:\windows\39575a9kdooz1664.cpl
c:\windows\39585tzoj659.ocx
c:\windows\3992spyzare2519.ocx
c:\windows\39d95ackdoor1759z.ocx
c:\windows\39f5thizf2971.dll
c:\windows\39fe9p5zare178.dll
c:\windows\3a55s9ezl509.cpl
c:\windows\3b6cba9kdoor17z35.bin
c:\windows\3e409parsez525.ocx
c:\windows\3f25back9ozr2350.exe
c:\windows\3f9eaddz5re1450.cpl
c:\windows\3fz5addware5119.ocx
c:\windows\3z35spywa9e595.cpl
c:\windows\3z574w9rm2e5.bin
c:\windows\406bbackdzor19985.dll
c:\windows\411cthz9f2258.ocx
c:\windows\42055a9ktool7d9z.cpl
c:\windows\42z7ad9ware2157.dll
c:\windows\43best9zl19105.bin
c:\windows\4558spzmbo972c5.exe

mscandidrop
Novice
Novice

Posts Posts : 32
Joined Joined : 2009-06-03
OS OS : windows xp
Points Points : 27464
# Likes # Likes : 0

View user profile

Back to top Go down

Re: I'm another victim of winblue

Post by mscandidrop on Thu Jun 04, 2009 1:11 am

c:\windows\4574zpy69f9.cpl
c:\windows\4712z5ambot907.exe
c:\windows\4759s5arse2658z.ocx
c:\windows\4a2ethr9zt15832.cpl
c:\windows\4c69tzie52979.bin
c:\windows\4cds5ea92z06.bin
c:\windows\4d4zt5rea915733.dll
c:\windows\4e05iz915.exe
c:\windows\4e53downlozder53599.cpl
c:\windows\4e73zddw9re935.dll
c:\windows\4efzbac5door1914.dll
c:\windows\4ezfspar952366.bin
c:\windows\4f53tz5ef1929.ocx
c:\windows\4f7ebackdz9r1459.bin
c:\windows\4z3aa59ware1367.dll
c:\windows\4zbdownload5r957.ocx
c:\windows\501e9dd5zre1539.cpl
c:\windows\5085v5ruz349.bin
c:\windows\515z7spy6a9.ocx
c:\windows\51c9zir852.bin
c:\windows\51z7t9reat192685.exe
c:\windows\52756viru95z3.dll
c:\windows\52z9thie51981.exe
c:\windows\530z5i988.bin
c:\windows\5340down9oade52968z.dll
c:\windows\5388no5-a-vzrus2d9.exe
c:\windows\542cthi9z5315.dll
c:\windows\5449wo9m3az.ocx
c:\windows\5454thie9z69.dll
c:\windows\54908spz4ea.bin
c:\windows\54bc9ddzare1871.ocx
c:\windows\5555z5y6799.cpl
c:\windows\55e2sp9rsz3597.bin
c:\windows\55zfaddware1519.bin
c:\windows\5674a9dw5rz2245.exe
c:\windows\5681wo5z359.dll
c:\windows\56e9spzrse2959.exe
c:\windows\572dtzi9f3086.dll
c:\windows\57703worm39z.exe
c:\windows\579dth9efz955.bin
c:\windows\5859add9arz1514.exe
c:\windows\58919teaz2095.dll
c:\windows\5901st5zl1686.cpl
c:\windows\59267t9oj5c6z.ocx
c:\windows\592bthreat5z54.dll
c:\windows\5933wor5350z.bin
c:\windows\595ad5wzloader652.dll
c:\windows\59859te5l2478z.dll
c:\windows\59939ot-a-zir5sce.ocx
c:\windows\59z9troj280.cpl
c:\windows\5a56tz5ef931.ocx
c:\windows\5a9aazdware2137.dll
c:\windows\5abasza9se29635.exe
c:\windows\5c1dz5r27139.ocx
c:\windows\5cdcthrzat9899.exe
c:\windows\5d9fstealz98.bin
c:\windows\5ddaspywarz4159.exe
c:\windows\5ea5backdo5rz6689.cpl
c:\windows\5f3e95ywaze923.dll
c:\windows\5ff2ad59zre1132.cpl
c:\windows\5z56w9rm146.bin
c:\windows\5z6thief159.dll
c:\windows\5z75thief31479.bin
c:\windows\5z90t5ief2241.exe
c:\windows\5zafaddw9re1820.cpl
c:\windows\5zcet59ef631.ocx
c:\windows\6025spywar9z903.cpl
c:\windows\611notza-9irus575.exe
c:\windows\626fthrezt582109.ocx
c:\windows\63a59zdware2539.cpl
c:\windows\6505back9oor1z78.cpl
c:\windows\65z0thief31049.bin
c:\windows\66999d5waze680.dll
c:\windows\6785szyware9623.exe
c:\windows\67d5sp9rsez085.ocx
c:\windows\683z9a5kdoor201.cpl
c:\windows\6915steal965z.exe
c:\windows\6941ad9waze2159.bin
c:\windows\695ztroj9c3.bin
c:\windows\6962th5ef272z.cpl
c:\windows\696s5y234z.dll
c:\windows\6a0b5tez93158.bin
c:\windows\6a50spyw9ze3003.exe
c:\windows\6aafthzeat958935.ocx
c:\windows\6czthief20259.exe
c:\windows\6dbzthrea952458.bin
c:\windows\6e15threaz92500.exe
c:\windows\6f29a9dwarz525.dll
c:\windows\6z24tro919c5.ocx
c:\windows\70035zr1893.dll
c:\windows\70389hie52076z.exe
c:\windows\7069viruz9855.exe
c:\windows\712f5par9z1186.dll
c:\windows\7195sz9ware173.exe
c:\windows\71aca95warz2864.cpl
c:\windows\71d9threat5z09.exe
c:\windows\7243zpyware15659.bin
c:\windows\7255no5-a-virus5ze9.bin
c:\windows\7255t9oz225.exe
c:\windows\738zt5re9t10057.ocx
c:\windows\740d59eal51z.dll
c:\windows\7476s5zware9600.dll
c:\windows\7520tzo93f6.ocx
c:\windows\75vir19z.exe
c:\windows\760ebackdozr915.bin
c:\windows\7895z5915c.cpl
c:\windows\7936vir1295z.bin
c:\windows\7bb39h5ef1578z.cpl
c:\windows\7bbcba9kzoo52764.exe
c:\windows\7d575ownzoader25969.dll
c:\windows\7db5dzwnlo5der729.cpl
c:\windows\7dcza9dwar5606.bin
c:\windows\7dezste5l8489.ocx
c:\windows\7z03steal3519.bin
c:\windows\7z95spambot157.ocx
c:\windows\8528hacktoo59z.dll
c:\windows\85449ot-a-zirus485.dll
c:\windows\8575spazb9t75.exe
c:\windows\8795vzr9s58.bin
c:\windows\8z49not-a-virus656.bin
c:\windows\90ezaddw5re1578.ocx
c:\windows\9100stzal2965.bin
c:\windows\9175sparse2972z.dll
c:\windows\9258spy78az.cpl
c:\windows\9268not-a-v9rus55bz.exe
c:\windows\926z8viru5200.bin
c:\windows\93491spy54z.dll
c:\windows\940backdoz5669.dll
c:\windows\949zhack9ool6705.cpl

mscandidrop
Novice
Novice

Posts Posts : 32
Joined Joined : 2009-06-03
OS OS : windows xp
Points Points : 27464
# Likes # Likes : 0

View user profile

Back to top Go down

Re: I'm another victim of winblue

Post by mscandidrop on Thu Jun 04, 2009 1:11 am

c:\windows\951bazk95or2802.exe
c:\windows\955z6spy2335.bin
c:\windows\95706spy16z.exe
c:\windows\9649not-a-viru951fz.bin
c:\windows\96559wormz0b.bin
c:\windows\96bzparse27945.dll
c:\windows\982vi59s7z3.bin
c:\windows\98czthreat275355.exe
c:\windows\9a2z5ir1319.cpl
c:\windows\9adth5eaz5059.bin
c:\windows\9b25thzeat24564.dll
c:\windows\9b3cspar5e2z85.dll
c:\windows\9d1stezl5549.exe
c:\windows\9d20spar5e10z7.cpl
c:\windows\9ezi51103.bin
c:\windows\9z60downl5ader190.bin
c:\windows\9zc6vir5795.exe
c:\windows\a61down5o9dzr1937.bin
c:\windows\bd0thief2z519.exe
c:\windows\bz7sp9rse59.dll
c:\windows\dzfad5ware28799.exe
c:\windows\e375hief19z9.cpl
c:\windows\e85backdozr997.bin
c:\windows\f41spyw9re256z.ocx
c:\windows\f925teal1z77.exe
c:\windows\fa9st5az2122.bin
c:\windows\IE4 Error Log.txt
c:\windows\system32\10249wzrm4d65.dll
c:\windows\system32\1039zhief519.ocx
c:\windows\system32\11464spambz539b.cpl
c:\windows\system32\115255pambot2z9.cpl
c:\windows\system32\11585troz309.cpl
c:\windows\system32\115spzm9ot7af5.exe
c:\windows\system32\11652spambot695z.dll
c:\windows\system32\11693spy5za.cpl
c:\windows\system32\11811s5z9d4.cpl
c:\windows\system32\120zth5e92550.dll
c:\windows\system32\1239z5pambot58.bin
c:\windows\system32\1265tr9z699.bin
c:\windows\system32\1327tro9z05.bin
c:\windows\system32\13497szamb5966f.exe
c:\windows\system32\13909spam5zt31b.exe
c:\windows\system32\13a5baczdoor2999.exe
c:\windows\system32\14406hackt5z9174.exe
c:\windows\system32\1451backdoor29z9.bin
c:\windows\system32\14598s5ambzt95.exe
c:\windows\system32\146z0hack5oo9399.bin
c:\windows\system32\14f6bz95door649.ocx
c:\windows\system32\1509hackzoole59.ocx
c:\windows\system32\15495not5azvirus19a.cpl
c:\windows\system32\15574worm9zb.bin
c:\windows\system32\15594zroj9ea.bin
c:\windows\system32\15951tzoj6f5.dll
c:\windows\system32\15976wzr57b1.dll
c:\windows\system32\15a2thz9at21507.bin
c:\windows\system32\15z859orm95.bin
c:\windows\system32\15z8t9reat16335.cpl
c:\windows\system32\16575trz950c.dll
c:\windows\system32\1687sp9mbztee5.dll
c:\windows\system32\16995not-5-zirus793.dll
c:\windows\system32\175529zrm46d.dll
c:\windows\system32\17f5addza9e5673.exe
c:\windows\system32\17f85pyw9ze2729.bin
c:\windows\system32\17z23not-95virus7c3.cpl
c:\windows\system32\180759pambot359z.bin
c:\windows\system32\188z1h5cktool2df9.dll
c:\windows\system32\18999trojz5.bin
c:\windows\system32\18zds59rse276.dll
c:\windows\system32\19033spzm5ot4c9.dll
c:\windows\system32\19033zirus4185.exe
c:\windows\system32\19056vzru9604.cpl
c:\windows\system32\19098z9rus1e85.exe
c:\windows\system32\19385zorm3c59.bin
c:\windows\system32\19398spambo9325z.bin
c:\windows\system32\19553vi5us5za.dll
c:\windows\system32\1959zvirus391.exe
c:\windows\system32\19839zorm556.bin
c:\windows\system32\19845no5-a-v9rus61z.ocx
c:\windows\system32\1990addw5re6z3.ocx
c:\windows\system32\1995spzmbot6f5.bin
c:\windows\system32\199z8spy57.bin
c:\windows\system32\19c2d9wnlzad5r2192.ocx
c:\windows\system32\1c47z5eal9659.exe
c:\windows\system32\1d1ezpyware20569.ocx
c:\windows\system32\1z102spy5559.ocx
c:\windows\system32\1z114vir9s70f5.exe
c:\windows\system32\1za9s5e9l2725.bin
c:\windows\system32\20296hack9oolz5.dll
c:\windows\system32\20449vir5s7cz.cpl
c:\windows\system32\20456zot-a-vi5u97e1.exe
c:\windows\system32\20512trzj913.cpl
c:\windows\system32\209935rojzd9.dll
c:\windows\system32\209z1spamb9t258.dll
c:\windows\system32\21542spzmbo9460.exe
c:\windows\system32\219cthre5t2606z.exe
c:\windows\system32\21c7s9y5are2548z.ocx
c:\windows\system32\22883s5ambot13z9.dll
c:\windows\system32\23256hackzool9b8.bin
c:\windows\system32\2352zhackt59l7c4.cpl
c:\windows\system32\23837zack5o9l779.exe
c:\windows\system32\23978not-5-vizu9138.exe
c:\windows\system32\239bspz5se31839.cpl
c:\windows\system32\2519hac5tzol69d.ocx
c:\windows\system32\25252w9rm35z.ocx
c:\windows\system32\2529szeal1171.dll
c:\windows\system32\25323z9oj5a9.bin
c:\windows\system32\253z5worm9d.dll
c:\windows\system32\255239orm5az.exe
c:\windows\system32\25587sp9mzot775.exe
c:\windows\system32\255athzef27945.bin
c:\windows\system32\25688s5ambo97c4z.ocx
c:\windows\system32\25732tzo9791.cpl
c:\windows\system32\2576zhack59ol7d3.ocx
c:\windows\system32\2590659t-a-virus5z4.dll
c:\windows\system32\2592th5zf66.exe
c:\windows\system32\25963hack5z9l5bc.bin
c:\windows\system32\259d9teal25z8.dll
c:\windows\system32\259dthief972z.bin
c:\windows\system32\25a0spyzare931.exe
c:\windows\system32\26059zp559.exe
c:\windows\system32\26872spy935z.exe
c:\windows\system32\26902spamboz159.dll
c:\windows\system32\26930tro5290z.bin
c:\windows\system32\26azdwa5e23969.cpl
c:\windows\system32\26bsp9warez53.cpl
c:\windows\system32\26d5thief597z.dll
c:\windows\system32\26z9vir3581.bin
c:\windows\system32\2719addwzre29015.dll
c:\windows\system32\275e5tezl1190.exe
c:\windows\system32\2799stzal5095.exe
c:\windows\system32\27c1bzckd5or9196.ocx
c:\windows\system32\27e4sz5rse9250.cpl
c:\windows\system32\2813995y5zc.cpl
c:\windows\system32\2830spzr5e7729.dll
c:\windows\system32\28395spz749.cpl
c:\windows\system32\286z595y25c.bin
c:\windows\system32\28813hzck59ol1db.bin
c:\windows\system32\289009zambot526.cpl
c:\windows\system32\28956not-a-viruz5b9.dll
c:\windows\system32\29098not-a-vir5z77b.cpl
c:\windows\system32\292th9eat52947z.bin
c:\windows\system32\29376ha9ktozl356.exe
c:\windows\system32\294735py2f2z.dll
c:\windows\system32\2955spzware1977.exe
c:\windows\system32\295zdownloader79.bin
c:\windows\system32\298zspy5ar91242.ocx
c:\windows\system32\2a585dd9are3116z.ocx
c:\windows\system32\2aes9ars53z72.dll
c:\windows\system32\2af85ac9dooz1981.dll
c:\windows\system32\2d79th5ef20z9.dll
c:\windows\system32\2e50addwaze5029.cpl
c:\windows\system32\2z045ir890.bin
c:\windows\system32\2z088spamb5t980.cpl
c:\windows\system32\2z4th95at15381.exe
c:\windows\system32\2z8775ot-a-9irus5e6.ocx
c:\windows\system32\30169v9zus3c65.dll
c:\windows\system32\30594v5rus73z.bin
c:\windows\system32\30794s5ambot51z9.cpl
c:\windows\system32\31594t9oj7e5z.ocx
c:\windows\system32\31627z9ambot4dd5.dll
c:\windows\system32\31644v5rzs692.ocx
c:\windows\system32\32299trz5533.cpl
c:\windows\system32\329115irus5z1.dll
c:\windows\system32\3294sz9ware1650.exe
c:\windows\system32\34c8z5reat210689.cpl
c:\windows\system32\351zhackto9l578.ocx
c:\windows\system32\35409spy42z.dll
c:\windows\system32\355a5tealz6559.cpl
c:\windows\system32\35930zirus407.cpl
c:\windows\system32\3595thrzat155515.ocx
c:\windows\system32\35dfsparze9924.bin
c:\windows\system32\35zdbackdoor2996.exe
c:\windows\system32\3607zr95734.ocx
c:\windows\system32\367ebackd5or196z.bin
c:\windows\system32\37zcspywar932595.cpl
c:\windows\system32\38979ac5zoor402.bin
c:\windows\system32\3960tzre9t56352.exe
c:\windows\system32\39d7spywa5e57z.dll
c:\windows\system32\3a8zs95al1894.bin
c:\windows\system32\3aza9pyware5706.ocx
c:\windows\system32\3bbdt9iez1159.cpl
c:\windows\system32\3c5adownloade51z99.ocx
c:\windows\system32\3ddds5ar9e315z.ocx
c:\windows\system32\3z175troj792.exe
c:\windows\system32\3z39troj4975.bin
c:\windows\system32\3z9steal19915.ocx
c:\windows\system32\40czdownloader2995.cpl
c:\windows\system32\4204th95f4z4.exe
c:\windows\system32\4289nzt5a-virus89.ocx
c:\windows\system32\42b9thief90z5.cpl
c:\windows\system32\43zro579d.ocx
c:\windows\system32\4501s9yw5ze3055.cpl
c:\windows\system32\4515o9nloader20z5.exe

mscandidrop
Novice
Novice

Posts Posts : 32
Joined Joined : 2009-06-03
OS OS : windows xp
Points Points : 27464
# Likes # Likes : 0

View user profile

Back to top Go down

Re: I'm another victim of winblue

Post by mscandidrop on Thu Jun 04, 2009 1:12 am

c:\windows\system32\4520thie91542z.exe
c:\windows\system32\45d6th9ef898z.dll
c:\windows\system32\48135ownlz9der851.exe
c:\windows\system32\4897thiez2395.dll
c:\windows\system32\492add9az5546.bin
c:\windows\system32\4956zackdoor900.bin
c:\windows\system32\49c7bazkdo5r2914.dll
c:\windows\system32\4a5dsza9se1441.exe
c:\windows\system32\4b2ev59308z.exe
c:\windows\system32\4b82thre5t183z69.ocx
c:\windows\system32\4ba6d9wn5oader920z.cpl
c:\windows\system32\4ca2thie95094z.bin
c:\windows\system32\4cdzaddwar9750.cpl
c:\windows\system32\4f18downloa9er242z5.cpl
c:\windows\system32\4f8fthizf9520.ocx
c:\windows\system32\4z47s9ambot295.ocx
c:\windows\system32\4z999ir2546.cpl
c:\windows\system32\50275hrzat9089.bin
c:\windows\system32\5043downloazer8899.cpl
c:\windows\system32\5054zv9rus164.dll
c:\windows\system32\5063zir494.bin
c:\windows\system32\50ee9irz3.ocx
c:\windows\system32\51083hackzool58f9.exe
c:\windows\system32\5135t5rzat9595.exe
c:\windows\system32\513z7troj19f9.cpl
c:\windows\system32\51425viru9z2b.dll
c:\windows\system32\519zv591008.ocx
c:\windows\system32\536bac9zoor1100.exe
c:\windows\system32\539zvi52331.ocx
c:\windows\system32\53e8stezl2985.cpl
c:\windows\system32\549notza-virus48e.dll
c:\windows\system32\5509z9rm1b5.exe
c:\windows\system32\550c9hr5at304z6.dll
c:\windows\system32\5526ste9l211z.dll
c:\windows\system32\5529irz222.cpl
c:\windows\system32\5546downlozder2395.dll
c:\windows\system32\554addwaze24999.bin
c:\windows\system32\5550v5ruz3259.bin
c:\windows\system32\558hazktoo92d9.ocx
c:\windows\system32\558zhacktool926.cpl
c:\windows\system32\5594s5ar9e73z.exe
c:\windows\system32\56bba9dzare755.exe
c:\windows\system32\57099oznload5r2904.bin
c:\windows\system32\5780not-a-vi9us109z.ocx
c:\windows\system32\57z55py596.exe
c:\windows\system32\5839threat115z.dll
c:\windows\system32\589b9ckdooz126.dll
c:\windows\system32\58e9z5eal731.ocx
c:\windows\system32\58z65ir31659.cpl
c:\windows\system32\5919threat10251z.dll
c:\windows\system32\5938trzj5915.cpl
c:\windows\system32\594fvi5z87.bin
c:\windows\system32\596athief103z.ocx
c:\windows\system32\59c5vir118z.bin
c:\windows\system32\59despa9se51z5.ocx
c:\windows\system32\5a0zd59nloader625.cpl
c:\windows\system32\5az49hreat9019.dll
c:\windows\system32\5azddware1892.ocx
c:\windows\system32\5b6cbackdooz5983.cpl
c:\windows\system32\5c8fbackd5or15z9.ocx
c:\windows\system32\5c98sparse149z.exe
c:\windows\system32\5ce45tz9l2580.exe
c:\windows\system32\5ce7s5ywaze259.ocx
c:\windows\system32\5cf5downloadzr28829.cpl
c:\windows\system32\5d4zack9o5r1199.ocx
c:\windows\system32\5e09s5yware31z4.dll
c:\windows\system32\5ed8sparse295z.cpl
c:\windows\system32\5efbthreaz91775.cpl
c:\windows\system32\5f50vzr9357.ocx
c:\windows\system32\5f52add9are14z5.ocx
c:\windows\system32\5f5zspywar92394.ocx
c:\windows\system32\5f6downloazer16789.dll
c:\windows\system32\5fz5sp9rse512.bin
c:\windows\system32\5z289acktool60.cpl
c:\windows\system32\5z35t9reat57142.dll
c:\windows\system32\5z67sparse1095.dll
c:\windows\system32\5z98vir3515.dll
c:\windows\system32\5ze2th5eat19378.exe
c:\windows\system32\603zsparse9205.bin
c:\windows\system32\6055steal1289z.dll
c:\windows\system32\6092sparse2539z.dll
c:\windows\system32\61629azkdoor565.dll
c:\windows\system32\635dthrz9t27366.exe
c:\windows\system32\639bdow5zoader1599.bin
c:\windows\system32\6511spy9are538z.bin
c:\windows\system32\6529thief316z.bin
c:\windows\system32\655backdozr3902.bin
c:\windows\system32\655zspyware194.dll
c:\windows\system32\65b5addwzre960.ocx
c:\windows\system32\6695spamb9t8z.ocx
c:\windows\system32\67179parse235z.ocx
c:\windows\system32\6753hacztoo92b2.ocx
c:\windows\system32\67939hr5at54z.cpl
c:\windows\system32\6985th9eat56261z.dll
c:\windows\system32\69c6d5wnloaderz50.dll
c:\windows\system32\6az95hreat19828.dll
c:\windows\system32\6c15st9az944.bin
c:\windows\system32\6c7ds5ar9e510z.ocx
c:\windows\system32\6d3fste9l5z9.cpl
c:\windows\system32\6e9azddware505.bin
c:\windows\system32\6f29downloader594z.bin
c:\windows\system32\6z495i92856.dll
c:\windows\system32\6z63s5eal9979.cpl
c:\windows\system32\6z81thi59871.ocx
c:\windows\system32\7059za5kdoor2725.bin
c:\windows\system32\705bbz5kd9or286.ocx
c:\windows\system32\71159teaz1865.dll
c:\windows\system32\714addwa5e93z1.dll
c:\windows\system32\715fad9waze3044.dll
c:\windows\system32\7345addw9rez895.ocx
c:\windows\system32\73z4sp5rse21509.bin
c:\windows\system32\7495zi5us30c9.bin
c:\windows\system32\749d9ir2z965.bin
c:\windows\system32\751cdownloaze93145.bin
c:\windows\system32\7549virzs7f15.exe
c:\windows\system32\7557downloadzr59.exe
c:\windows\system32\75zesp9rse5148.cpl
c:\windows\system32\7607a9dw5re249z.bin
c:\windows\system32\765dbackdooz2909.exe
c:\windows\system32\765troz3c9.dll
c:\windows\system32\77ddadd9are1591z.dll
c:\windows\system32\77eb9ckdooz1253.exe
c:\windows\system32\79a8threat5z089.ocx
c:\windows\system32\79e3spazse39275.bin
c:\windows\system32\79f8downzoader2915.bin
c:\windows\system32\7acadowzloade915805.ocx
c:\windows\system32\7ad9th9eatz6705.exe
c:\windows\system32\7b9zth5eat7678.bin
c:\windows\system32\7bbspa9se3z75.bin
c:\windows\system32\7c26threa97325z.ocx
c:\windows\system32\7c59zhreat11612.dll
c:\windows\system32\7fc5vi9768z.cpl
c:\windows\system32\7z619ir24295.dll
c:\windows\system32\7zf3addw9re26925.ocx
c:\windows\system32\885s9zm5ot1ad.ocx
c:\windows\system32\8915n9t-a-virus23cz.exe
c:\windows\system32\898zorm95.bin
c:\windows\system32\89bspy5arez94.dll
c:\windows\system32\8dfszywar59608.exe
c:\windows\system32\9099t59j73az.exe
c:\windows\system32\90c4thzef5765.bin
c:\windows\system32\9338not-a5vizus6af9.cpl
c:\windows\system32\9386zworm7045.ocx
c:\windows\system32\93eavir5980z.ocx
c:\windows\system32\947dback5oor1569z.exe
c:\windows\system32\9489addwar5360z.cpl
c:\windows\system32\94zevir5489.ocx
c:\windows\system32\952viz2879.dll
c:\windows\system32\9539zwo5m371.dll
c:\windows\system32\9542spy6z89.dll
c:\windows\system32\9557virzs1a5.exe
c:\windows\system32\957addz5re577.exe
c:\windows\system32\95z3spywar51329.ocx
c:\windows\system32\96azthief5588.exe
c:\windows\system32\9795spy2fz.exe
c:\windows\system32\9815szy335.exe
c:\windows\system32\985adownloader1978z.dll
c:\windows\system32\989bviz5985.exe
c:\windows\system32\98a5sp5zare2254.dll
c:\windows\system32\99211ha5ztool748.bin
c:\windows\system32\9929hackto5l2za.ocx
c:\windows\system32\993z5teal804.ocx
c:\windows\system32\9975troj7ze.cpl
c:\windows\system32\997backzoo95937.exe
c:\windows\system32\9beaadzware5237.ocx
c:\windows\system32\9befstzal2335.cpl
c:\windows\system32\9c2zsteal5450.ocx
c:\windows\system32\9cbe5ownloader126z.ocx
c:\windows\system32\9f01azdwar5676.dll
c:\windows\system32\9z856virus595.cpl
c:\windows\system32\9zfdow9loader85.exe
c:\windows\system32\b9f9azkdoo5958.cpl
c:\windows\system32\c50d5znloade92100.cpl
c:\windows\system32\drivers\I2220NTA.CAT
c:\windows\system32\drivers\I2220NTX.CAT
c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
c:\windows\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
c:\windows\system32\drivers\netag3n.cat
c:\windows\system32\drivers\tmimo3p.CAT
c:\windows\system32\e1dazd95re2646.exe
c:\windows\system32\z0075worm2b95.cpl
c:\windows\system32\z0419spambo52aa.ocx
c:\windows\system32\z10f5pyware8689.dll
c:\windows\system32\z1359spy595.dll
c:\windows\system32\z1a0s9eal15115.ocx
c:\windows\system32\z263ad5ware1093.cpl
c:\windows\system32\z276vi5us693.bin
c:\windows\system32\z2cfthi591317.dll
c:\windows\system32\z3579wo9m5265.bin
c:\windows\system32\z3bbvir5977.ocx
c:\windows\system32\z4055spambot9e65.exe
c:\windows\system32\z436spa9bot6e95.ocx
c:\windows\system32\z45129p521f.ocx
c:\windows\system32\z459addware3060.bin
c:\windows\system32\z4b7s9yware451.bin

mscandidrop
Novice
Novice

Posts Posts : 32
Joined Joined : 2009-06-03
OS OS : windows xp
Points Points : 27464
# Likes # Likes : 0

View user profile

Back to top Go down

Re: I'm another victim of winblue

Post by mscandidrop on Thu Jun 04, 2009 1:12 am

c:\windows\system32\z5349vi5us42b.bin
c:\windows\system32\z5e0steal2952.exe
c:\windows\system32\z69bdownload5r716.bin
c:\windows\system32\z70bbackdoor6589.cpl
c:\windows\system32\z74295arse2345.exe
c:\windows\system32\z756hacktoo9b8.bin
c:\windows\system32\z897t5ief3099.dll
c:\windows\system32\z9dthr5at14421.dll
c:\windows\system32\z9fdsparse560.exe
c:\windows\system32\za5cspy9are884.bin
c:\windows\system32\zb5e9ir2179.cpl
c:\windows\system32\zb79t9reat12573.ocx
c:\windows\system32\zd51spy9are930.ocx
c:\windows\system32\ze57add5are896.cpl
c:\windows\system32\zf05sparse9394.exe
c:\windows\z0168worm45e9.bin
c:\windows\z035t9reat219575.dll
c:\windows\z051addware2149.ocx
c:\windows\z158spambot40a9.cpl
c:\windows\z1951w5rm748.ocx
c:\windows\z1d7addwa9e7195.exe
c:\windows\z2126spy9de5.dll
c:\windows\z2255r9j3a0.cpl
c:\windows\z3895wor54919.ocx
c:\windows\z492vir23125.bin
c:\windows\z495hacktool195.dll
c:\windows\z495vir1593.dll
c:\windows\z4a95hief1771.cpl
c:\windows\z4d5vir9079.bin
c:\windows\z595st9al589.ocx
c:\windows\z5b9addware75.cpl
c:\windows\z6458tro95fc.ocx
c:\windows\z6549spyee.dll
c:\windows\z677ste5l12819.exe
c:\windows\z6955spy157.ocx
c:\windows\z785t9i5f2577.ocx
c:\windows\z7997worm68f5.exe
c:\windows\z817threat59974.cpl
c:\windows\z8558hacktoo95c.ocx
c:\windows\z857tr9j15d.bin
c:\windows\z89305py91d.exe
c:\windows\z906thre5t28205.ocx
c:\windows\z951threa5952.exe
c:\windows\z9e9stea5652.ocx
c:\windows\z9parse3475.dll
c:\windows\za19s5yware1225.dll
c:\windows\za9ev5r597.ocx
c:\windows\zdb95hreat23937.exe
c:\windows\zf8ad5ware2990.bin
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 )))))))))))))))))))))))))))))))
.

2009-06-04 00:08 . 2009-06-04 00:09 -------- d-----w- c:\documents and settings\Candi Drop\Application Data\MalwareRemovalBot
2009-06-03 21:38 . 2009-06-03 21:38 -------- d-----w- c:\program files\Trend Micro
2009-06-03 21:03 . 2009-06-03 21:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-03 00:02 . 2009-06-03 00:02 361472 ----a-w- c:\windows\system32\tempo-setup2.exe
2009-06-01 23:57 . 2009-06-01 23:57 10684866 ----a-w- c:\documents and settings\Candi Drop\Application Data\Azureus\plugins\azump\mplayer.exe
2009-05-24 23:02 . 2009-05-24 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-05-24 23:02 . 2009-06-03 00:07 -------- d-----w- c:\documents and settings\Candi Drop\Application Data\Azureus
2009-05-24 22:59 . 2009-05-24 23:08 -------- d-----w- c:\program files\Vuze
2009-05-24 02:11 . 2009-05-24 02:11 -------- d-----w- c:\windows\system32\wbem\Repository
2009-05-23 23:39 . 2009-05-23 23:39 -------- d-----w- c:\documents and settings\Candi Drop\Application Data\IMVU Previewer
2009-05-23 23:34 . 2009-05-23 23:37 15890416 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\SetupImvu_previewer.exe
2009-05-23 23:32 . 2009-05-23 23:32 -------- d-----w- c:\program files\ImvuTools2
2009-05-23 19:20 . 2009-05-25 21:46 -------- d-----w- c:\documents and settings\Candi Drop\Application Data\IMVU
2009-05-23 19:20 . 2009-05-23 19:20 80967 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\Uninstall.exe
2009-05-23 19:19 . 2009-05-23 23:34 -------- d-----w- c:\documents and settings\Candi Drop\Application Data\IMVUClient
2009-05-23 19:04 . 2009-05-23 19:04 -------- d-----w- c:\documents and settings\Candi Drop\Local Settings\Application Data\Mozilla
2009-05-07 21:59 . 2009-05-07 21:59 95584 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\IMVUupdater.exe
2009-05-07 21:59 . 2009-05-07 21:59 49920 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\IMVUClient.exe
2009-05-07 21:59 . 2009-05-07 21:59 19200 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\imvuqualityagent.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 00:37 . 2009-02-07 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-06-04 00:35 . 2009-02-07 16:09 712736 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-04 00:35 . 2009-02-07 16:09 3516 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-04 00:35 . 2009-02-07 16:09 3046432 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-04 00:35 . 2009-02-07 16:09 25928 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-01 21:47 . 2007-01-30 19:58 2842 ----a-w- c:\documents and settings\Candi Drop\Application Data\wklnhst.dat
2009-05-26 01:48 . 2009-03-07 20:12 -------- d-----w- c:\documents and settings\Candi Drop\Application Data\gtk-2.0
2009-05-23 00:39 . 2008-02-15 23:59 -------- d-----w- c:\documents and settings\Candi Drop\Application Data\Move Networks
2009-05-20 20:27 . 2009-02-07 16:10 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-05-20 20:27 . 2009-02-07 16:10 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-05-03 02:20 . 2009-05-02 16:59 -------- d-----w- c:\documents and settings\Candi Drop\Application Data\DivX
2009-05-02 16:58 . 2009-05-02 16:57 -------- d-----w- c:\program files\DivX
2009-05-02 16:57 . 2009-05-02 16:57 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-04-23 22:52 . 2009-04-23 22:52 38400 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\MemoryHook.dll
2009-04-23 22:52 . 2009-04-23 22:52 288768 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\cal3d.dll
2009-04-23 22:52 . 2009-04-23 22:52 185856 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\boost_python.dll
2009-04-23 22:52 . 2009-04-23 22:52 256000 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\audiere.dll
2009-04-23 22:51 . 2009-04-23 22:51 28672 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\CallStack.dll
2009-04-22 17:28 . 2009-04-22 17:28 9433600 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\xul.dll
2009-04-16 00:31 . 2009-02-13 02:56 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-16 00:31 . 2006-10-21 16:16 -------- d-----w- c:\program files\Java
2009-04-16 00:30 . 2009-04-16 00:30 152576 ----a-w- c:\documents and settings\Candi Drop\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-16 00:21 . 2006-12-21 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-04-15 20:25 . 2009-05-02 16:58 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-04-15 20:25 . 2009-05-02 16:58 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-04-15 20:25 . 2009-05-02 16:58 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-04-15 20:25 . 2009-05-02 16:58 129784 ------w- c:\windows\system32\pxafs.dll
2009-04-15 20:25 . 2009-05-02 16:58 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-04-15 20:25 . 2005-04-25 07:03 43528 ------w- c:\windows\system32\drivers\pxhelp20.sys
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w- c:\windows\system32\DivX.dll
2009-04-06 16:04 . 2009-04-06 16:04 271929 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\pixomatic.dll
2009-03-19 14:43 . 2009-03-19 14:43 34062 ----a-w- c:\documents and settings\Candi Drop\Application Data\Move Networks\ie_bin\Uninst.exe
2009-03-18 21:55 . 2009-04-16 00:21 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\yupdater.exe
2009-03-09 17:29 . 2009-03-09 17:29 97144 ----a-w- c:\documents and settings\Candi Drop\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-03-09 17:29 . 2009-03-09 17:29 1010552 ----a-w- c:\documents and settings\Candi Drop\Application Data\Move Networks\ie_bin\qsp2ie071303000006.dll
2009-03-06 14:22 . 2005-08-16 09:18 284160 ----a-w- c:\windows\system32\pdh.dll
2007-11-14 22:10 . 2007-11-14 03:16 24 -csh--w- c:\windows\SAE0A6F7D.tmp
2006-10-30 19:58 . 2006-10-26 14:10 88 -csh--r- c:\windows\system32\7CEC145601.sys
2006-10-30 19:58 . 2006-10-26 14:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-07 98304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-02-07 206088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-16 148888]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-21 24576]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 7:29 PM 33808]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 8:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 7:06 PM 24592]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/2/2008 8:33 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MalwareRemovalBot - c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe
HKLM-Run-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Candi Drop\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\Candi Drop\Application Data\Mozilla\Firefox\Profiles\nh0i1hm4.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-03 20:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-04 21:04
ComboFix-quarantined-files.txt 2009-06-04 01:03

Pre-Run: 21,312,040,960 bytes free
Post-Run: 21,868,310,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

920 --- E O F --- 2009-06-03 23:54

mscandidrop
Novice
Novice

Posts Posts : 32
Joined Joined : 2009-06-03
OS OS : windows xp
Points Points : 27464
# Likes # Likes : 0

View user profile

Back to top Go down

Re: I'm another victim of winblue

Post by Belahzur on Thu Jun 04, 2009 1:15 am

Hello.

I see you have Viewpoint software installed.

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". Read this article: [You must be registered and logged in to see this link.] and [You must be registered and logged in to see this link.]

I suggest you remove the program now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint Manager (remove only)
  • Viewpoint Media Player
  • Viewpoint Toolbar

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\system32\tempo-setup2.exe
c:\windows\SAE0A6F7D.tmp

Folder::
c:\documents and settings\Candi Drop\Application Data\Azureus
c:\program files\Vuze
c:\documents and settings\Candi Drop\Application Data\MalwareRemovalBot

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: I'm another victim of winblue

Post by mscandidrop on Thu Jun 04, 2009 1:42 am

ComboFix 09-06-03.01 - Candi Drop 06/03/2009 21:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.119 [GMT -4:00]
Running from: c:\documents and settings\Candi Drop\My Documents\My Videos\Combo-Fix.exe
Command switches used :: c:\documents and settings\Candi Drop\My Documents\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"c:\windows\SAE0A6F7D.tmp"
"c:\windows\system32\tempo-setup2.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Candi Drop\Application Data\Azureus
c:\documents and settings\Candi Drop\Application Data\Azureus\.certs
c:\documents and settings\Candi Drop\Application Data\Azureus\.keystore
c:\documents and settings\Candi Drop\Application Data\Azureus\.lock
c:\documents and settings\Candi Drop\Application Data\Azureus\active\0A0B6EAAD77C0CDF31DF350E5253887564366881.dat
c:\documents and settings\Candi Drop\Application Data\Azureus\active\0A0B6EAAD77C0CDF31DF350E5253887564366881.dat.bak
c:\documents and settings\Candi Drop\Application Data\Azureus\active\FE646CAF4CF1F5F159AD13AB54EFD5802319A55B.dat
c:\documents and settings\Candi Drop\Application Data\Azureus\active\FE646CAF4CF1F5F159AD13AB54EFD5802319A55B.dat.bak
c:\documents and settings\Candi Drop\Application Data\Azureus\azureus.config
c:\documents and settings\Candi Drop\Application Data\Azureus\azureus.config.bak
c:\documents and settings\Candi Drop\Application Data\Azureus\azureus.statistics
c:\documents and settings\Candi Drop\Application Data\Azureus\azureus.statistics.bak
c:\documents and settings\Candi Drop\Application Data\Azureus\cnetworks.config
c:\documents and settings\Candi Drop\Application Data\Azureus\devices.config
c:\documents and settings\Candi Drop\Application Data\Azureus\devices.config.bak
c:\documents and settings\Candi Drop\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Candi Drop\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\Candi Drop\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\Candi Drop\Application Data\Azureus\dht\general.dat
c:\documents and settings\Candi Drop\Application Data\Azureus\dht\version.dat
c:\documents and settings\Candi Drop\Application Data\Azureus\downloads.config
c:\documents and settings\Candi Drop\Application Data\Azureus\downloads.config.bak
c:\documents and settings\Candi Drop\Application Data\Azureus\friends.config
c:\documents and settings\Candi Drop\Application Data\Azureus\friends.config.bak
c:\documents and settings\Candi Drop\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\alerts_1.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\AutoSpeedSearchHistory_1.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\clientid_1.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\CNetworks_1.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\debug_1.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\Devices_1.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\Friends_1.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\MetaSearch_1.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\NetStatus_1.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\seltrace_1.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\Subscriptions_1.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\thread_1.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\thread_2.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\v3.ads_1.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\v3.CMsgr_1.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\v3.emp_1.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\v3.Friends_1.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\v3.Friends_2.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\v3.PMsgr_1.log
c:\documents and settings\Candi Drop\Application Data\Azureus\logs\v3.Stream_1.log
c:\documents and settings\Candi Drop\Application Data\Azureus\metasearch.config
c:\documents and settings\Candi Drop\Application Data\Azureus\metasearch.config.bak
c:\documents and settings\Candi Drop\Application Data\Azureus\net\pm_22773.dat
c:\documents and settings\Candi Drop\Application Data\Azureus\net\pm_default.dat
c:\documents and settings\Candi Drop\Application Data\Azureus\plugins\azump\azump_1.3.jar
c:\documents and settings\Candi Drop\Application Data\Azureus\plugins\azump\azump_1.3.zip
c:\documents and settings\Candi Drop\Application Data\Azureus\plugins\azump\mplayer.exe
c:\documents and settings\Candi Drop\Application Data\Azureus\plugins\azump\mplayer\config
c:\documents and settings\Candi Drop\Application Data\Azureus\plugins\azupnpav\cd.dat
c:\documents and settings\Candi Drop\Application Data\Azureus\sidebarauto.config
c:\documents and settings\Candi Drop\Application Data\Azureus\sidebarauto.config.bak
c:\documents and settings\Candi Drop\Application Data\Azureus\subs\400B09C6BFC041C77125.vuze
c:\documents and settings\Candi Drop\Application Data\Azureus\subs\7076DB20A5F225DDB82C.vuze
c:\documents and settings\Candi Drop\Application Data\Azureus\subs\87E23B1872099785E348.vuze
c:\documents and settings\Candi Drop\Application Data\Azureus\subs\AA18A55630A89D766D85.vuze
c:\documents and settings\Candi Drop\Application Data\Azureus\subs\FDA6C9DF3B7E1F2FABB6.vuze
c:\documents and settings\Candi Drop\Application Data\Azureus\subscriptions.config
c:\documents and settings\Candi Drop\Application Data\Azureus\subscriptions.config.bak
c:\documents and settings\Candi Drop\Application Data\Azureus\tables.config
c:\documents and settings\Candi Drop\Application Data\Azureus\tables.config.bak
c:\documents and settings\Candi Drop\Application Data\Azureus\timingstats.dat
c:\documents and settings\Candi Drop\Application Data\Azureus\tmp\AZU107787296963972247.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\tmp\AZU1529233668609806418.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\tmp\AZU214149684569347568.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\tmp\AZU2514381345798138013.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\tmp\AZU275085248884005532.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\tmp\AZU4233609604609371708.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\tmp\AZU5245277886146964402.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\tmp\AZU5389728241646696845.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\tmp\AZU6082309576462123970.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\tmp\AZU6243922447146768488.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\tmp\AZU6283595954165585738.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\tmp\AZU7536209642271768462.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\tmp\AZU7568853768625403076.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\tmp\AZU7859733689560533652.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\tmp\AZU8368403792997730814.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\tmp\AZU8520211911358395100.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\torrents\AZU5962977002979067292.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\torrents\AZU6785125243215119707.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\torrents\AZU7122738622163932536.tmp
c:\documents and settings\Candi Drop\Application Data\Azureus\torrents\He's_Just_Not_That_Into_You_[2009]_DvdRip_XviD-aXXo.torrent
c:\documents and settings\Candi Drop\Application Data\Azureus\torrents\Terminator Salvation (2009) !DVDRip XviD - aXXo.torrent

mscandidrop
Novice
Novice

Posts Posts : 32
Joined Joined : 2009-06-03
OS OS : windows xp
Points Points : 27464
# Likes # Likes : 0

View user profile

Back to top Go down

Re: I'm another victim of winblue

Post by mscandidrop on Thu Jun 04, 2009 1:43 am

c:\documents and settings\Candi Drop\Application Data\Azureus\tracker.config
c:\documents and settings\Candi Drop\Application Data\Azureus\tracker.config.bak
c:\documents and settings\Candi Drop\Application Data\Azureus\unsentdata.config
c:\documents and settings\Candi Drop\Application Data\Azureus\unsentdata.config.bak
c:\documents and settings\Candi Drop\Application Data\Azureus\update.log
c:\documents and settings\Candi Drop\Application Data\Azureus\update.properties
c:\documents and settings\Candi Drop\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\Candi Drop\Application Data\Azureus\v3.Friends.dat.bak
c:\documents and settings\Candi Drop\Application Data\Azureus\VuzeActivities.config
c:\documents and settings\Candi Drop\Application Data\Azureus\VuzeActivities.config.bak
c:\documents and settings\Candi Drop\Application Data\MalwareRemovalBot
c:\documents and settings\Candi Drop\Application Data\MalwareRemovalBot\Log\2009 Jun 03 - 08_08_57 PM_375.log
c:\documents and settings\Candi Drop\Application Data\MalwareRemovalBot\rs.dat
c:\documents and settings\Candi Drop\Application Data\MalwareRemovalBot\Settings\ScanResults.pie
c:\windows\SAE0A6F7D.tmp
c:\windows\system32\tempo-setup2.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 )))))))))))))))))))))))))))))))
.

2009-06-03 21:38 . 2009-06-03 21:38 -------- d-----w- c:\program files\Trend Micro
2009-06-03 21:03 . 2009-06-03 21:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-24 23:02 . 2009-05-24 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-05-24 02:11 . 2009-05-24 02:11 -------- d-----w- c:\windows\system32\wbem\Repository
2009-05-23 23:39 . 2009-05-23 23:39 -------- d-----w- c:\documents and settings\Candi Drop\Application Data\IMVU Previewer
2009-05-23 23:34 . 2009-05-23 23:37 15890416 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\SetupImvu_previewer.exe
2009-05-23 23:32 . 2009-05-23 23:32 -------- d-----w- c:\program files\ImvuTools2
2009-05-23 19:20 . 2009-05-25 21:46 -------- d-----w- c:\documents and settings\Candi Drop\Application Data\IMVU
2009-05-23 19:20 . 2009-05-23 19:20 80967 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\Uninstall.exe
2009-05-23 19:19 . 2009-05-23 23:34 -------- d-----w- c:\documents and settings\Candi Drop\Application Data\IMVUClient
2009-05-23 19:04 . 2009-05-23 19:04 -------- d-----w- c:\documents and settings\Candi Drop\Local Settings\Application Data\Mozilla
2009-05-07 21:59 . 2009-05-07 21:59 95584 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\IMVUupdater.exe
2009-05-07 21:59 . 2009-05-07 21:59 49920 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\IMVUClient.exe
2009-05-07 21:59 . 2009-05-07 21:59 19200 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\imvuqualityagent.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 01:32 . 2009-02-07 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-06-04 01:31 . 2006-10-21 16:27 -------- d-----w- c:\program files\Viewpoint
2009-06-04 01:30 . 2009-02-07 16:09 712736 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-04 01:30 . 2009-02-07 16:09 3516 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-04 01:30 . 2009-02-07 16:09 3046432 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-04 01:30 . 2009-02-07 16:09 25928 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-04 01:18 . 2006-10-21 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-01 21:47 . 2007-01-30 19:58 2842 ----a-w- c:\documents and settings\Candi Drop\Application Data\wklnhst.dat
2009-05-26 01:48 . 2009-03-07 20:12 -------- d-----w- c:\documents and settings\Candi Drop\Application Data\gtk-2.0
2009-05-23 00:39 . 2008-02-15 23:59 -------- d-----w- c:\documents and settings\Candi Drop\Application Data\Move Networks
2009-05-20 20:27 . 2009-02-07 16:10 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-05-20 20:27 . 2009-02-07 16:10 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-05-03 02:20 . 2009-05-02 16:59 -------- d-----w- c:\documents and settings\Candi Drop\Application Data\DivX
2009-05-02 16:58 . 2009-05-02 16:57 -------- d-----w- c:\program files\DivX
2009-05-02 16:57 . 2009-05-02 16:57 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-04-23 22:52 . 2009-04-23 22:52 38400 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\MemoryHook.dll
2009-04-23 22:52 . 2009-04-23 22:52 288768 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\cal3d.dll
2009-04-23 22:52 . 2009-04-23 22:52 185856 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\boost_python.dll
2009-04-23 22:52 . 2009-04-23 22:52 256000 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\audiere.dll
2009-04-23 22:51 . 2009-04-23 22:51 28672 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\CallStack.dll
2009-04-22 17:28 . 2009-04-22 17:28 9433600 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\xul.dll
2009-04-16 00:31 . 2009-02-13 02:56 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-16 00:31 . 2006-10-21 16:16 -------- d-----w- c:\program files\Java
2009-04-16 00:30 . 2009-04-16 00:30 152576 ----a-w- c:\documents and settings\Candi Drop\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-16 00:21 . 2006-12-21 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-04-15 20:25 . 2009-05-02 16:58 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-04-15 20:25 . 2009-05-02 16:58 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-04-15 20:25 . 2009-05-02 16:58 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-04-15 20:25 . 2009-05-02 16:58 129784 ------w- c:\windows\system32\pxafs.dll
2009-04-15 20:25 . 2009-05-02 16:58 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-04-15 20:25 . 2005-04-25 07:03 43528 ------w- c:\windows\system32\drivers\pxhelp20.sys
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w- c:\windows\system32\DivX.dll
2009-04-06 16:04 . 2009-04-06 16:04 271929 ----a-w- c:\documents and settings\Candi Drop\Application Data\IMVUClient\pixomatic.dll
2009-03-19 14:43 . 2009-03-19 14:43 34062 ----a-w- c:\documents and settings\Candi Drop\Application Data\Move Networks\ie_bin\Uninst.exe
2009-03-18 21:55 . 2009-04-16 00:21 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\yupdater.exe
2009-03-09 17:29 . 2009-03-09 17:29 97144 ----a-w- c:\documents and settings\Candi Drop\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-03-09 17:29 . 2009-03-09 17:29 1010552 ----a-w- c:\documents and settings\Candi Drop\Application Data\Move Networks\ie_bin\qsp2ie071303000006.dll
2009-03-06 14:22 . 2005-08-16 09:18 284160 ----a-w- c:\windows\system32\pdh.dll
2006-10-30 19:58 . 2006-10-26 14:10 88 -csh--r- c:\windows\system32\7CEC145601.sys
2006-10-30 19:58 . 2006-10-26 14:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-04 01:31 . 2009-06-04 01:31 16384 c:\windows\Temp\Perflib_Perfdata_388.dat
+ 2009-06-04 01:31 . 2009-06-04 01:31 16384 c:\windows\Temp\Perflib_Perfdata_32c.dat
- 2009-06-02 22:18 . 2009-06-02 22:18 16384 c:\windows\Temp\Perflib_Perfdata_28c.dat
+ 2009-06-04 01:31 . 2009-06-04 01:31 16384 c:\windows\Temp\Perflib_Perfdata_28c.dat
+ 2006-10-26 01:33 . 2009-06-04 01:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-10-26 01:33 . 2009-06-04 00:36 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-10-26 01:33 . 2009-06-04 00:36 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-10-26 01:33 . 2009-06-04 01:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-10-26 01:33 . 2009-06-04 00:36 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-10-26 01:33 . 2009-06-04 01:31 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-07 98304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-02-07 206088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-16 148888]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-21 24576]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

mscandidrop
Novice
Novice

Posts Posts : 32
Joined Joined : 2009-06-03
OS OS : windows xp
Points Points : 27464
# Likes # Likes : 0

View user profile

Back to top Go down

Re: I'm another victim of winblue

Post by mscandidrop on Thu Jun 04, 2009 1:43 am

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 7:29 PM 33808]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 8:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 7:06 PM 24592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Candi Drop\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\Candi Drop\Application Data\Mozilla\Firefox\Profiles\nh0i1hm4.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-03 21:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2760)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\ehome\RMSvc.exe
c:\windows\ehome\McrdSvc.exe
c:\program files\Windows Media Connect 2\wmccds.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-06-04 21:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-04 01:38
ComboFix2.txt 2009-06-04 01:04

Pre-Run: 21,894,123,520 bytes free
Post-Run: 21,910,466,560 bytes free

299 --- E O F --- 2009-06-03 23:54

mscandidrop
Novice
Novice

Posts Posts : 32
Joined Joined : 2009-06-03
OS OS : windows xp
Points Points : 27464
# Likes # Likes : 0

View user profile

Back to top Go down

Re: I'm another victim of winblue

Post by Origin on Thu Jun 04, 2009 3:02 am

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31483
# Likes # Likes : 0

View user profile

Back to top Go down

Re: I'm another victim of winblue

Post by mscandidrop on Thu Jun 04, 2009 8:03 pm

ok i got it..... everything seems to be running great... plus the viewpoint thing was great idea... i didn't know what it was for and wasn't sure if i should remove it or not. so thanks for the heads up on that... I'm trying to get rid of some of the things i don't need. lol thankyou agian. you guys are very good at this.... i'll have to slide you guys a little something sometime.

mscandidrop
Novice
Novice

Posts Posts : 32
Joined Joined : 2009-06-03
OS OS : windows xp
Points Points : 27464
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum