Win Blue Soft got me on the run HELP!


Win Blue Soft got me on the run HELP!

Post by ryan.wyatt on Sun Jun 07, 2009 7:33 pm

My computer is infected with WinBlueSoft, and I had previously attempted to remove it through Control Panel and Remove Programs, which apparently made it worse. I have read all of your posts; however, when I installed Malwarebytes' Anti-Malware it installed fine, but when I click the shortcut a box appears asking me if I wish to run the program, and upon selecting Run nothing happens. :S HELP ASAP please, I need my comp running again and WinBlueSoft gone! I am also not sure how to get a log file, if that's what you will need.

ryan.wyatt
Novice
Novice

Posts Posts : 8
Joined Joined : 2009-06-07
OS OS : Vista
Points Points : 27390
# Likes # Likes : 0


Re: Win Blue Soft got me on the run HELP!

Post by Belahzur on Sun Jun 07, 2009 7:52 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement; press Accept and HijackThis will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1


Log File

Post by ryan.wyatt on Sun Jun 07, 2009 7:54 pm

Hopefully this is what you need

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:40 PM, on 07/06/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Users\Ryan Wyatt\Program Files\DNA\btdna.exe
C:\Windows\System32\setup2.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Users\Ryan Wyatt\Desktop\Pics of Wedges\yoyo\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Ryan Wyatt\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [setup2.exe] C:\Windows\system32\setup2.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O13 - Gopher Prefix:
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{88AB5643-2E48-4BBC-B9A7-91D032D8F0AE}: NameServer = 85.255.112.140,85.255.112.132
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECC25C7B-D189-4EDD-BBA6-F39066265040}: NameServer = 85.255.112.140,85.255.112.132
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.140,85.255.112.132
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.140,85.255.112.132
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.140,85.255.112.132
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10312 bytes


Re: Win Blue Soft got me on the run HELP!

Post by Belahzur on Sun Jun 07, 2009 7:58 pm


  • Open HijackThis.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Ryan Wyatt\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [setup2.exe] C:\Windows\system32\setup2.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{88AB5643-2E48-4BBC-B9A7-91D032D8F0AE}: NameServer = 85.255.112.140,85.255.112.132
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ECC25C7B-D189-4EDD-BBA6-F39066265040}: NameServer = 85.255.112.140,85.255.112.132
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.140,85.255.112.132
    O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.140,85.255.112.132
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.140,85.255.112.132


  • Press "Fix Checked"
  • Close Hijack This.

Next,

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Windows Defender)
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


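The entries the helper picked out above fall into a few recurring patterns: BHO/toolbar entries whose DLL no longer exists, autoruns launched from the user's profile or with installer-style names sitting in system32, the WinBlueSoft autorun itself, and O17 NameServer entries pointing at fixed public resolvers. The script below is added here as an example; it is not part of the original thread and not HijackThis code. It encodes those patterns as heuristics and runs them over a trimmed copy of the log posted above. The rules, the `KNOWN_ROGUE_NAMES` set and the function names are the editor's assumptions, and the O17 check is only an address-range test: a flagged NameServer still has to be compared with what the ISP actually hands out before it is called malicious.

```python
"""Triage a HijackThis log the way the helper above did, as a script.

Added example for this page; it is not HijackThis code and the heuristics
are the editor's own assumptions, tuned to the entry types acted on above:
  O2/O3  entries ending in "(no file)"       -> orphaned BHO/toolbar
  O4     autoruns from a user profile, or installer-named / self-named
         binaries autorunning from system32  -> suspicious autorun
  O17    NameServer values outside private,
         loopback or link-local ranges       -> possible DNS changer
  O23    services ending in "(file missing)" -> orphaned service
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Rogue "security product" named in this thread (illustrative, not a feed).
KNOWN_ROGUE_NAMES = {"winbluesoft"}

# Lines copied from the HijackThis log posted above, trimmed to a sample.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Ryan Wyatt\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [setup2.exe] C:\Windows\system32\setup2.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.140,85.255.112.132
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command line>
_O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Shortest prefix of a command line that ends in an executable extension.
_EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|com|bat|cmd|scr|pif))\b', re.IGNORECASE)
_DNS_RE = re.compile(r"NameServer = (?P<ips>[\d.,\s]+)$")


def _exe_path(cmd: str) -> Optional[str]:
    m = _EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def _suspicious_autorun(name: str, cmd: str) -> Optional[str]:
    path = _exe_path(cmd)
    if path is None:
        return None
    low = path.lower()
    fname = low.rsplit("\\", 1)[-1]
    if name.lower() in KNOWN_ROGUE_NAMES or any(r in low for r in KNOWN_ROGUE_NAMES):
        return "autorun for the rogue security product named in this thread"
    if "\\users\\" in low or "\\documents and settings\\" in low:
        return "autorun launched from a user-writable profile directory"
    if "\\system32\\" in low and (fname.startswith(("setup", "install")) or name.lower() == fname):
        return "installer-named or self-named binary autorunning from system32"
    return None


def _rogue_dns(line: str) -> Optional[str]:
    m = _DNS_RE.search(line)
    if not m:
        return None
    public = []
    for tok in m.group("ips").split(","):
        try:
            ip = ipaddress.ip_address(tok.strip())
        except ValueError:
            continue
        if not (ip.is_private or ip.is_loopback or ip.is_link_local):
            public.append(str(ip))
    if not public:
        return None
    # A home PC normally gets DNS from its router (RFC 1918 address). Hard-coded
    # public resolvers are not proof of compromise; confirm they are not the ISP's.
    return "hard-coded public DNS servers: " + ", ".join(public)


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for every entry a heuristic flags."""
    findings: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        reason = None
        if section in ("O2", "O3") and line.endswith("(no file)"):
            reason = "registered BHO/toolbar whose DLL is gone (orphan)"
        elif section == "O4":
            m = _O4_RE.match(line)
            if m:
                reason = _suspicious_autorun(m.group("name"), m.group("cmd"))
        elif section == "O17":
            reason = _rogue_dns(line)
        elif section == "O23" and line.endswith("(file missing)"):
            reason = "service whose binary is missing (orphan)"
        if reason:
            findings.append((section, reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```

Run as-is to see the entries flagged in the sample; pass the full text of a saved log to `triage()` to process a real one. Anything it leaves alone (the HP, Intel, Apple and Google autoruns here) still deserves a look, since the heuristics only model the patterns present in this thread.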

Post Run Log

Post by ryan.wyatt on Sun Jun 07, 2009 8:38 pm

The post-run log is way too big to be sent; it would take like 3 different posts. However, should my computer be fixed now, or is there another step?


Re: Win Blue Soft got me on the run HELP!

Post by Belahzur on Sun Jun 07, 2009 8:44 pm

Skip the ((( other deletions ))) bit, I know that bit is long.



Re: Win Blue Soft got me on the run HELP!

Post by ryan.wyatt on Sun Jun 07, 2009 9:06 pm

I've already closed the post-run notes; is there any way to find them again? There is no trace of WinBlue since my comp restarted, so I believe it is gone...


Re: Win Blue Soft got me on the run HELP!

Post by Belahzur on Sun Jun 07, 2009 9:56 pm

It should be here:
C:\Combofix.txt



Re: Win Blue Soft got me on the run HELP!

Post by ryan.wyatt on Sun Jun 07, 2009 10:00 pm

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-05-07 to 2009-06-07 )))))))))))))))))))))))))))))))
.

2009-06-07 20:20 . 2009-06-07 20:20 -------- d-sh--w- \$RECYCLE.BIN
2009-06-07 20:05 . 2009-06-07 20:06 -------- d-----w- \Qoobox
2009-06-07 19:53 . 2009-06-07 19:53 -------- d-----w- c:\program files\Trend Micro
2009-06-07 19:16 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-07 19:16 . 2009-06-07 19:16 -------- d-----w- c:\programdata\Malwarebytes
2009-06-07 19:16 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-27 12:28 . 2009-05-27 12:29 34 ----a-w- c:\users\Ryan Wyatt\jagex_runescape_preferences.dat
2009-05-27 12:28 . 2009-05-27 12:30 -------- d-----w- C:\.jagex_cache_32
2009-05-27 12:28 . 2009-05-27 12:30 -------- d-----w- \.jagex_cache_32
2009-05-10 16:44 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-10 16:44 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-05-10 16:44 . 2009-05-10 16:44 -------- d-----w- c:\program files\iPod
2009-05-10 16:44 . 2009-06-07 18:16 -------- d-----w- c:\program files\iTunes
2009-05-10 16:44 . 2009-05-10 16:44 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-10 16:39 . 2009-05-10 16:39 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-07 20:20 . 2008-09-07 05:05 3210756096 --sha-w- \hiberfil.sys
2009-06-07 20:20 . 2008-07-27 04:27 3524546560 --sha-w- \pagefile.sys
2009-06-07 19:57 . 2008-11-15 22:00 -------- d-----w- c:\users\Ryan Wyatt\AppData\Roaming\DNA
2009-06-07 19:13 . 2008-02-22 10:32 672380 ----a-w- c:\windows\system32\perfh00C.dat
2009-06-07 19:13 . 2008-02-22 10:32 127578 ----a-w- c:\windows\system32\perfc00C.dat
2009-06-07 19:07 . 2008-12-07 19:21 5648 ----a-w- c:\users\Ryan Wyatt\AppData\Local\d3d9caps.dat
2009-06-07 18:16 . 2009-01-11 18:04 -------- d-----w- c:\program files\WinSCP
2009-06-07 18:16 . 2008-09-06 21:07 -------- d-----w- c:\program files\Common Files\LightScribe
2009-06-07 18:16 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-06-07 18:16 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-06-07 18:16 . 2009-03-21 06:47 -------- d-----w- c:\program files\Bonjour
2009-06-07 18:16 . 2008-07-27 04:43 -------- d-----w- c:\program files\Apoint2K
2009-06-05 23:13 . 2008-10-26 03:11 -------- d-----w- c:\users\Ryan Wyatt\AppData\Roaming\FrostWire
2009-06-01 19:51 . 2008-11-15 22:00 -------- d-----w- c:\users\Ryan Wyatt\AppData\Roaming\BitTorrent
2009-05-10 16:44 . 2008-10-12 20:26 -------- d-----w- c:\program files\Common Files\Apple
2009-04-23 01:46 . 2009-04-23 01:46 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-04-18 20:24 . 2009-04-11 19:20 -------- d-----w- c:\program files\PokerStars.NET
2009-03-22 17:48 . 2009-03-22 17:40 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-06 39408]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-02 1783136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-28 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-28 137752]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-30 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-22 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1115059687-4206018883-815105962-1000]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DBB1980F-B43B-4F6F-A8BC-8368F659B6B3}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{C5FC5CF4-94D2-4A9C-A03B-2C4090AE5219}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{5D496620-6886-42D4-96FA-75EAE7E4FEB1}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{E6D4A71A-174F-45E9-9908-B0EC464DE667}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{8BFBDBCE-C215-44A8-8416-1C0520349372}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{23E14C05-75AD-4956-90BB-5AA8B098B6E7}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{8A47A03B-C727-429B-BD2E-7AD81D693181}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{74283465-2ED3-489F-9F6E-4830CFE3BF6D}c:\\program files\\air mouse\\air mouse\\air mouse.exe"= UDP:c:\program files\air mouse\air mouse\air mouse.exe:AirMouse
"UDP Query User{BACD740D-DC59-445B-BF0B-DFFE4496B14C}c:\\program files\\air mouse\\air mouse\\air mouse.exe"= TCP:c:\program files\air mouse\air mouse\air mouse.exe:AirMouse
"TCP Query User{683382EB-3C2D-4855-8F95-E20E73C741D5}c:\\program files\\frostwire\\frostwire.exe"= UDP:c:\program files\frostwire\frostwire.exe:FrostWire
"UDP Query User{1A5A823F-9364-450E-B083-C26513B8D2C0}c:\\program files\\frostwire\\frostwire.exe"= TCP:c:\program files\frostwire\frostwire.exe:FrostWire
"{2BDFFB6C-9BDB-45F1-B6B4-155F3A0D6ED8}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{5E5DC969-466B-4605-B3C2-1497E48DB088}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{C41B4BE4-A542-48D6-A1B0-8203BA553A87}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{19388AF6-6ADF-48E1-B843-9FB57D6A59DD}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{29126803-BF8A-4A69-B814-047C242A85E9}c:\\users\\ryan wyatt\\program files\\dna\\btdna.exe"= UDP:c:\users\ryan wyatt\program files\dna\btdna.exe:btdna.exe
"UDP Query User{8707D903-DDE2-4484-9069-04B1D0FE3633}c:\\users\\ryan wyatt\\program files\\dna\\btdna.exe"= TCP:c:\users\ryan wyatt\program files\dna\btdna.exe:btdna.exe
"{C5BC1BE2-3D33-40BC-B77A-CF132B641E68}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B20F5C8B-D8AE-46B0-B97E-E4DBFCC8C8C6}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{ADE786F8-2C76-4893-87CC-D492EC101B54}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{161D05A3-05D9-41F0-9EE9-B3BFCCFAC399}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-06-07 c:\windows\Tasks\User_Feed_Synchronization-{CB602B6E-5D7E-4468-9E4C-DBC233FA4B27}.job
- c:\windows\system32\msfeedssync.exe [2009-04-05 10:01]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-07 16:21
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(540)
c:\program files\WinSCP\DragExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\System32\conime.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-06-07 16:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-07 20:31

Pre-Run: 75,167,199,232 bytes free
Post-Run: 76,425,641,984 bytes free

932 --- E O F --- 2009-04-05 16:20


Re: Win Blue Soft got me on the run HELP!

Post by Belahzur on Sun Jun 07, 2009 10:07 pm

Hello.
A few things still need to go.

Now open a new Notepad file.
Input this into the Notepad file:

KILLALL::

Driver::
npggsvc

File::
c:\windows\Rnure.dat

Folder::
c:\users\Ryan Wyatt\AppData\Roaming\FrostWire
c:\users\ryan wyatt\program files\dna
c:\users\Ryan Wyatt\AppData\Roaming\BitTorrent
c:\program files\frostwire
c:\program files\bittorrent

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{683382EB-3C2D-4855-8F95-E20E73C741D5}c:\\program files\\frostwire\\frostwire.exe"=-
"UDP Query User{1A5A823F-9364-450E-B083-C26513B8D2C0}c:\\program files\\frostwire\\frostwire.exe"=-
"{2BDFFB6C-9BDB-45F1-B6B4-155F3A0D6ED8}"=-
"{5E5DC969-466B-4605-B3C2-1497E48DB088}"=-
"TCP Query User{C41B4BE4-A542-48D6-A1B0-8203BA553A87}c:\\program files\\bittorrent\\bittorrent.exe"=-
"UDP Query User{19388AF6-6ADF-48E1-B843-9FB57D6A59DD}c:\\program files\\bittorrent\\bittorrent.exe"=-
"TCP Query User{29126803-BF8A-4A69-B814-047C242A85E9}c:\\users\\ryan wyatt\\program files\\dna\\btdna.exe"=-
"UDP Query User{8707D903-DDE2-4484-9069-04B1D0FE3633}c:\\users\\ryan wyatt\\program files\\dna\\btdna.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]

Save this as CFScript.txt, and save it to your desktop.
Then drag and drop CFScript.txt into ComboFix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.



Re: Win Blue Soft got me on the run HELP!

Post by ryan.wyatt on Sun Jun 07, 2009 10:26 pm

((((((((((((((((((((((((( Files Created from 2009-05-07 to 2009-06-07 )))))))))))))))))))))))))))))))
.

2009-06-07 22:18 . 2009-06-07 22:18 -------- d-sh--w- \$RECYCLE.BIN
2009-06-07 22:15 . 2009-06-07 22:18 -------- d-----w- c:\users\Ryan Wyatt\AppData\Local\temp
2009-06-07 22:15 . 2009-06-07 22:15 -------- d-----w- C:\temp
2009-06-07 22:15 . 2009-06-07 22:15 -------- d-----w- \temp
2009-06-07 22:11 . 2009-06-07 22:18 -------- d-s---w- \Combo-Fix
2009-06-07 20:05 . 2009-06-07 22:12 -------- d-----w- \Qoobox
2009-06-07 19:53 . 2009-06-07 19:53 -------- d-----w- c:\program files\Trend Micro
2009-06-07 19:16 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-07 19:16 . 2009-06-07 19:16 -------- d-----w- c:\programdata\Malwarebytes
2009-06-07 19:16 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-27 12:28 . 2009-05-27 12:29 34 ----a-w- c:\users\Ryan Wyatt\jagex_runescape_preferences.dat
2009-05-27 12:28 . 2009-05-27 12:30 -------- d-----w- C:\.jagex_cache_32
2009-05-27 12:28 . 2009-05-27 12:30 -------- d-----w- \.jagex_cache_32
2009-05-10 16:44 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-10 16:44 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-05-10 16:44 . 2009-05-10 16:44 -------- d-----w- c:\program files\iPod
2009-05-10 16:44 . 2009-06-07 18:16 -------- d-----w- c:\program files\iTunes
2009-05-10 16:44 . 2009-05-10 16:44 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-10 16:39 . 2009-05-10 16:39 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-07 22:16 . 2008-09-07 05:05 3208683520 --sha-w- \hiberfil.sys
2009-06-07 22:16 . 2008-07-27 04:27 3524546560 --sha-w- \pagefile.sys
2009-06-07 19:57 . 2008-11-15 22:00 -------- d-----w- c:\users\Ryan Wyatt\AppData\Roaming\DNA
2009-06-07 19:13 . 2008-02-22 10:32 672380 ----a-w- c:\windows\system32\perfh00C.dat
2009-06-07 19:13 . 2008-02-22 10:32 127578 ----a-w- c:\windows\system32\perfc00C.dat
2009-06-07 19:07 . 2008-12-07 19:21 5648 ----a-w- c:\users\Ryan Wyatt\AppData\Local\d3d9caps.dat
2009-06-07 18:16 . 2009-01-11 18:04 -------- d-----w- c:\program files\WinSCP
2009-06-07 18:16 . 2008-09-06 21:07 -------- d-----w- c:\program files\Common Files\LightScribe
2009-06-07 18:16 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-06-07 18:16 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-06-07 18:16 . 2009-03-21 06:47 -------- d-----w- c:\program files\Bonjour
2009-06-07 18:16 . 2008-07-27 04:43 -------- d-----w- c:\program files\Apoint2K
2009-05-10 16:44 . 2008-10-12 20:26 -------- d-----w- c:\program files\Common Files\Apple
2009-04-23 01:46 . 2009-04-23 01:46 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-04-18 20:24 . 2009-04-11 19:20 -------- d-----w- c:\program files\PokerStars.NET
2009-03-22 17:48 . 2009-03-22 17:40 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-06 23:55 . 2009-03-15 01:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-06 23:55 . 2009-06-07 21:57 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-06 23:55 . 2009-03-15 01:03 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-06 23:55 . 2009-06-07 21:57 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-06 23:55 . 2009-03-15 01:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-06 23:55 . 2009-06-07 21:57 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:24 . 2008-01-21 02:24 9728 c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18215_none_a644c0145ccecd28\lsass.exe
+ 2009-06-07 22:16 . 2009-06-07 22:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-06-07 20:20 . 2009-06-07 20:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-06-07 22:16 . 2009-06-07 22:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-01-21 02:24 . 2008-01-21 02:24 441400 c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18215_none_a644c0145ccecd28\ksecdd.sys
+ 2008-09-06 23:58 . 2009-06-07 22:15 119240 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2006-11-02 10:22 . 2009-06-07 22:16 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2006-11-02 10:22 . 2009-04-05 20:33 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-06-07 22:12 . 2009-06-07 22:12 6328320 c:\windows\ERDNT\Hiv-backup\schema.dat
+ 2008-02-08 06:54 . 2009-06-07 20:34 100161884 c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-06 39408]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-02 1783136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-28 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-28 137752]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-30 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-22 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1115059687-4206018883-815105962-1000]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DBB1980F-B43B-4F6F-A8BC-8368F659B6B3}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{C5FC5CF4-94D2-4A9C-A03B-2C4090AE5219}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{5D496620-6886-42D4-96FA-75EAE7E4FEB1}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{E6D4A71A-174F-45E9-9908-B0EC464DE667}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{8BFBDBCE-C215-44A8-8416-1C0520349372}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{23E14C05-75AD-4956-90BB-5AA8B098B6E7}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{8A47A03B-C727-429B-BD2E-7AD81D693181}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{74283465-2ED3-489F-9F6E-4830CFE3BF6D}c:\\program files\\air mouse\\air mouse\\air mouse.exe"= UDP:c:\program files\air mouse\air mouse\air mouse.exe:AirMouse
"UDP Query User{BACD740D-DC59-445B-BF0B-DFFE4496B14C}c:\\program files\\air mouse\\air mouse\\air mouse.exe"= TCP:c:\program files\air mouse\air mouse\air mouse.exe:AirMouse
"TCP Query User{683382EB-3C2D-4855-8F95-E20E73C741D5}c:\\program files\\frostwire\\frostwire.exe"= UDP:c:\program files\frostwire\frostwire.exe:FrostWire
"{C5BC1BE2-3D33-40BC-B77A-CF132B641E68}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B20F5C8B-D8AE-46B0-B97E-E4DBFCC8C8C6}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{ADE786F8-2C76-4893-87CC-D492EC101B54}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{161D05A3-05D9-41F0-9EE9-B3BFCCFAC399}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-06-07 c:\windows\Tasks\User_Feed_Synchronization-{CB602B6E-5D7E-4468-9E4C-DBC233FA4B27}.job
- c:\windows\system32\msfeedssync.exe [2009-04-05 10:01]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-07 18:18
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4736)
c:\program files\WinSCP\DragExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\System32\conime.exe
c:\windows\System32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\System32\Macromed\Flash\FlashUtil10a.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-06-07 18:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-07 22:24
ComboFix2.txt 2009-06-07 20:31

Pre-Run: 73,663,045,632 bytes free
Post-Run: 73,355,427,840 bytes free

372 --- E O F --- 2009-06-07 20:35

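The security-relevant residue in the log above is the block of Security Center and firewall settings (monitoring disabled, AntiVirusOverride set, EnableFirewall 0 on every profile), which is the kind of tampering a rogue "antivirus" leaves behind. The audit below is an added example, not part of this thread or of ComboFix; the sample block is constructed from the log's own entries (StandardProfile changed to 1 to show an unflagged case) and the function names are this example's own.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log for settings
that weaken host defences. Added example; function names are ours."""
import re

# Constructed sample, taken from the posted log (StandardProfile altered to 1).
SAMPLE_LOG = """\
REGEDIT4

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Sidebar"="c:\\program files\\Windows Sidebar\\sidebar.exe" [2008-01-21 1233920]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\StandardProfile]
"EnableFirewall"= 1 (0x1)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+)$')


def parse_reg_points(text):
    """Return {key (lower-cased): {value name: raw value text}} per [key] block."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            entries.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            entries[current][m.group("name")] = m.group("raw").strip()
    return entries


def numeric(raw):
    """Decode 'dword:00000001' or ComboFix's '0 (0x0)' rendering; None otherwise."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x", raw)
    return int(m.group(1)) if m else None


def audit_defences(text):
    """List findings: Security Center overrides set, or a firewall profile disabled."""
    findings = []
    for key, values in parse_reg_points(text).items():
        if "security center" in key:
            # DisableMonitoring/AntiVirusOverride appear in the log; FirewallOverride
            # is the matching Security Center value for the firewall.
            for name in ("DisableMonitoring", "AntiVirusOverride", "FirewallOverride"):
                if numeric(values.get(name, "")) == 1:
                    findings.append(f"{name}=1 under {key}")
        if "firewallpolicy" in key and key.endswith("profile"):
            if numeric(values.get("EnableFirewall", "")) == 0:
                findings.append(f"firewall disabled: {key.rsplit(chr(92), 1)[-1]}")
    return findings


if __name__ == "__main__":
    for finding in audit_defences(SAMPLE_LOG):
        print(finding)
```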

Re: Win Blue Soft got me on the run HELP!

Post by Belahzur on Mon Jun 08, 2009 5:20 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?



Re: Win Blue Soft got me on the run HELP!

Post by ryan.wyatt on Mon Jun 08, 2009 8:03 pm

So ComboFix is uninstalled. How about HijackThis, can I dump that too? The computer is running perfectly except for one small change that may be unrelated, unless you have a quick fix: when browsing an album of photos on the web, e.g. Facebook, when I click next to see the following picture a loading bar comes up and the picture never appears. Is that some internet setting error?


Re: Win Blue Soft got me on the run HELP!

Post by Belahzur on Mon Jun 08, 2009 8:34 pm

Nope, nothing related to our fixes. Maybe an error with Facebook, or Flash is blocked somehow.

You can uninstall Hijack This too.



Re: Win Blue Soft got me on the run HELP!

Post by ryan.wyatt on Mon Jun 08, 2009 8:35 pm

Okay, well thank you very much for all of your help, you've definitely saved me a lot of trouble! Cheers
