WinBlueSoft - crying for help


WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 2:02 pm

Can someone please help me?
I got infected by this WinBlueSoft this morning... I don't know what else I can do to remove it... I browsed through this page and I tried that mbam.exe, but that thing can't open for me. I tried downloading DDS by sUBs and HijackThis too, but nothing.
Please help me, I'm getting hopeless.
Please note that I'm not some computer expert...

Thank you!

koalabear
Intermediate
Posts: 53
Joined: 2009-06-22
OS: xp
Points: 27275
Likes: 0

Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 3:12 pm

Please download Ice Sword from [You must be registered and logged in to see this link.]

  1. Download the zip to your desktop and extract it.
  2. Open the Ice Sword folder and then launch IceSword.exe.
  3. Then look in the left hand bottom of the program and press "Registry"
  4. When the registry list opens, drag the line between the two windows so you can see which registry hive you need.
  5. Next, open the HKEY_LOCAL_MACHINE, and navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  6. Now look in the right side pane for two run values that are just random numbers.
  7. Once you have found the value(s), right click it and press "Delete"
  8. Okay the prompt and close IceSword.

**If you are unable to open the zipped file, download IceSword from here:

  • Please download IceSword from here, I unzipped it so you should only get the .exe file:

    [You must be registered and logged in to see this link.]

  • Once the file has downloaded, see if you can do the above instructions.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows Xp Sp3
Points: 31463
Likes: 0

Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 3:25 pm

I got to step no. 6... I don't have just numbers here.


Re: WinBlueSoft - crying for help

Post by Belahzur on Mon Jun 22, 2009 3:52 pm

Hello.
Origin got the key wrong, the problem is in this key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Then in the right side pane of Winlogon, find AppInit_DLLs, which points to "blocker.dll".
Delete the AppInit_DLLs value.

See if you can run Hijack This then.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245049
Likes: 1

Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 3:56 pm

I don't have AppInit_DLLs in the folder.


Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 4:19 pm

Hello, can you rename HijackThis to Flowers.exe and see if it runs?



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 4:26 pm

I found this AppInit_DLLs file in the Windows folder... should I delete it?

I tried renaming HijackThis... not working.


Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 4:35 pm

What's the name of the file?



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 4:37 pm

AppInit_DLLs


Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 4:44 pm

No I don't think you should, many of those are crucial to the system.

Download MGtools from here: [You must be registered and logged in to see this link.]

Now follow the instructions on this page:

[You must be registered and logged in to see this link.]

Once you have MGtools extracted to your C:\ drive there will be a file there called Analyze.exe. That file is HijackThis; now follow these directions:

  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 4:48 pm

That link is not working...

I downloaded it from another one... will see if it works.


Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 4:51 pm

Weird, it works on my end. Download it here:

[You must be registered and logged in to see this link.]



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 4:55 pm

I downloaded it and ran it. It created an MGTools folder, but there is only an empty temp folder and a filelog and sysinfo file in it.


Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 4:58 pm

Locate and delete this file: C:\windows\system32\blocker.dll

Now see if you can run HijackThis.



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 5:01 pm

I did it with MGTools... here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:00:05, on 22.6.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\setup2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\winrlkbyt.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\dqpo.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
\Arhitekt-397a7d\C\MGtools\analyse.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
F2 - REG:system.ini: Shell=Explorer.exe "C:\Program Files\Outlook Express\wab.exe"
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-583907252-1202660629-682003330-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Kordic')
O4 - HKUS\S-1-5-21-583907252-1202660629-682003330-1003\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe (User 'Kordic')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Bluetooth.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: I&zvoz u Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspcfm.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{5864CB14-1664-4ECB-BEA0-F37208407BFA}: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\..\{E70F942A-4CC0-4075-BFA4-274B1F4F1211}: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 9599 bytes

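The helpers read the log above by eye: a Run entry launching svchost.exe from a user's Contacts folder, a system.ini Shell value with a second program appended, a DisableRegedit policy, an unidentified Winsock LSP, and every TCP/IP interface pointing at the same two foreign name servers. The following triage script is an added example, not code from this forum or from the HijackThis project; it encodes those same checks as rules over the O4, F2, O7, O10 and O17 entry lines so the suspicious entries surface automatically. The sample log is a handful of entries copied from the log above, the name-server allowlist (EXPECTED_NAMESERVERS) is a constructed stand-in for whatever resolvers the machine's owner actually expects, and the rule set is my own heuristic, not a HijackThis feature.

```python
import re
from dataclasses import dataclass

# Constructed allowlist: the resolvers this machine should be using. A real check would
# hold the ISP's or the organisation's DNS servers here.
EXPECTED_NAMESERVERS = {"192.168.1.1"}

# Binaries that legitimately run only from the Windows system directory; the same
# file name anywhere else is a classic disguise.
SYSTEM_ONLY_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "smss.exe"}

# Path fragments of user-writable locations; autoruns launching from here need a look.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\documents and settings\\", "\\users\\", "\\docume~1\\")

# Sample entries taken from the HijackThis log posted above (constructed subset).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe "C:\Program Files\Outlook Express\wab.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
O4 - HKCU\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspcfm.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section prefix, e.g. "O4"
    reason: str    # why the entry was flagged
    line: str      # the original log line


_ENTRY_RE = re.compile(r"^([FORN]\d+)\s+-\s+(.*)$")
_O4_RE = re.compile(r"^.*?:\s+\[([^\]]*)\]\s*(.*)$")          # "<hive>: [name] command"
_EXE_RE = re.compile(r'\s*"?(.*?\.(?:exe|dll|scr|com|bat|cmd))\b', re.IGNORECASE)
_NS_RE = re.compile(r"NameServer\s*=\s*([\d.,\s]+)")
_SHELL_RE = re.compile(r"Shell\s*=\s*(.*)$", re.IGNORECASE)


def _launched_path(command: str):
    """Return the executable path from a Run command, dropping quotes and arguments."""
    m = _EXE_RE.match(command)
    return m.group(1) if m else None


def _check_o4(body: str, line: str):
    m = _O4_RE.match(body)
    if not m:
        return None                      # e.g. "Global Startup: x.lnk = ..." lines are skipped
    name, path = m.group(1), _launched_path(m.group(2))
    if path is None:
        return None
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if base in SYSTEM_ONLY_BINARIES and "\\system32\\" not in low:
        return Finding("O4", f"autorun [{name}] uses a system binary name outside system32", line)
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        return Finding("O4", f"autorun [{name}] launches from a user-writable location", line)
    return None


def _check_o17(body: str, line: str):
    m = _NS_RE.search(body)
    if not m:
        return None
    servers = [s.strip() for s in m.group(1).split(",") if s.strip()]
    unexpected = [s for s in servers if s not in EXPECTED_NAMESERVERS]
    if unexpected:
        return Finding("O17", "DNS resolver(s) not on the allowlist: " + ", ".join(unexpected), line)
    return None


def _check_f2(body: str, line: str):
    m = _SHELL_RE.search(body)
    if m and m.group(1).strip().lower() != "explorer.exe":
        return Finding("F2", "Winlogon Shell is not plain Explorer.exe: " + m.group(1).strip(), line)
    return None


def triage(log_text: str) -> list:
    """Run the rule set over every HijackThis entry line and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        if section == "O4":
            f = _check_o4(body, line)
        elif section == "O17":
            f = _check_o17(body, line)
        elif section == "F2":
            f = _check_f2(body, line)
        elif section == "O7":
            f = Finding("O7", "policy restriction set: " + body.rsplit(",", 1)[-1].strip(), line)
        elif section == "O10":
            f = Finding("O10", "Winsock LSP entry HijackThis could not identify", line)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section:4} {finding.reason}\n     {finding.line.strip()}")
```

The rules are deliberately conservative: an entry such as setup2.exe under system32 passes every rule above and is only caught by an analyst who knows that file name, which is exactly what the helper did in the next post. The O17 rule is the one with the most leverage, since a resolver outside the allowlist on every interface explains the "cannot find server" symptom reported later in the thread.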

Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 5:11 pm


  • Open HijackThis. (In this case Analyze.exe)
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe
    O4 - HKUS\S-1-5-21-583907252-1202660629-682003330-1003\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe (User 'Kordic')
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5864CB14-1664-4ECB-BEA0-F37208407BFA}: NameServer = 85.255.112.225,85.255.112.199
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E70F942A-4CC0-4075-BFA4-274B1F4F1211}: NameServer = 85.255.112.225,85.255.112.199
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
    O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
    O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199

  • Press "Fix Checked"
  • Close Hijack This.

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Mcafee)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 5:30 pm

I'm not able to disable my NOD32 nor to run Combo-Fix.


Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 5:36 pm

I accidentally restarted my computer and now it seems that WinBlueSoft is gone... is it possible that it's all gone even without running that Combo-Fix? :S

Although I still can't run NOD32 and my net keeps coming up with that "cannot find server"... but those annoying messages are gone.


Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 5:50 pm

It's gone because you fixed the infected lines in HijackThis, but it's not totally gone from your system, as there are leftovers that could trigger it to come back.

Please do the following:

Open up Task Manager (Ctrl + Shift + Esc), locate egui.exe and highlight it by clicking on it. Once highlighted, click on the "End Process" button. Now try running ComboFix.



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 5:53 pm

I'm such a pain in the arse...sorry! But...when I press Ctrl+Shift+Esc it says Task Manager has been disabled by your administrator. I don't know why it says so 'cause I'm the administrator on this pc.


Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 6:07 pm

Most likely it's due to the virus; let's try a different approach:

  • Open HijackThis(Analyze.exe)
  • Click on the Open the Misc Tools section button
  • Navigate to System tools and click on Open process manager
  • Now locate egui.exe and click on the Kill process button

Now try running ComboFix



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 6:11 pm

There is no egui.exe here.


Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 6:17 pm

I need to see a list of your processes, please do the following:


  • Open HijackThis(Analyze.exe)
  • Click on the Open the Misc Tools section button
  • Navigate to System tools and click on Open process manager
  • Once there, click on the copy to clip board button


  • The process list should now be on your clip board, paste the list in your next reply



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 6:20 pm

Process list saved on 20:20:07, on 22.6.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
804 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
880 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
924 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
948 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
1136 C:\WINDOWS\system32\Ati2evxx.exe 6.14.10.4174 ATI Technologies Inc.
1152 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1360 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1384 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe 5.1.0.3000 Broadcom Corporation.
1756 C:\WINDOWS\system32\Ati2evxx.exe 6.14.10.4174 ATI Technologies Inc.
1876 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
2016 C:\WINDOWS\Explorer.exe 6.0.2900.2894 Microsoft Corporation
388 C:\Program Files\Analog Devices\Core\smax4pnp.exe 6.0.0.82 Analog Devices, Inc.
560 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe 6.3.8.1 Hewlett-Packard Development Company, L.P.
576 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE 2.0.0.0 Advanced Micro Devices Inc.
636 C:\Program Files\Java\jre6\bin\jusched.exe 6.0.130.3 Sun Microsystems, Inc.
844 C:\Program Files\Winamp\winampa.exe
1164 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.2180 Microsoft Corporation
1276 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe 2.0.5.0 Nero AG
1336 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe 5.1.0.3000 Broadcom Corporation.
1928 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe 2.0.0.0 ATI Technologies Inc.
2100 C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE 5.1.0.3000 Broadcom Corporation.
2380 C:\WINDOWS\system32\agrsmsvc.exe 1.0.0.4 Agere Systems
2460 C:\Program Files\Java\jre6\bin\jqs.exe 6.0.130.3 Sun Microsystems, Inc.
2480 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE 7.0.9466.0 Microsoft Corporation
2916 C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe 2.0.5.0 Nero AG
3004 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe 2.0.2.3 Hewlett-Packard Development Company, L.P.
3096 C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe 2.0.5.0 Nero AG
2692 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.0.2900.2180 Microsoft Corporation
2160 C:\DOCUME~1\Kordic\LOCALS~1\Temp\winsbhp.exe
3804 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.0.2900.2180 Microsoft Corporation
3944 C:\DOCUME~1\Kordic\LOCALS~1\Temp\suiujl.exe
4320 C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe 3.0.642.0 ESET
5176 \Arhitekt-397a7d\c\MGtools\analyse.exe


Thank you so much for helping me...

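In the process list above, the helper picks out winsbhp.exe and suiujl.exe within minutes: both run from the user's Temp directory and both are the only non-tool rows with no file version and no company name. The script below is an added example, not code from this forum or from HijackThis; it parses the process-manager format the tool emits ("[pid] [full path to filename] [file version] [company name]") and applies those two observations as rules. The sample rows are copied from the list above (a constructed subset), the verdict labels are my own, and the parser assumes the path ends at the first .exe/.com/.scr extension, which is how the tool's own rows read.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the HijackThis process-manager output posted above.
SAMPLE_PROCESS_LIST = r"""Process list saved on 20:20:07, on 22.6.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
804 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
844 C:\Program Files\Winamp\winampa.exe
1384 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe 5.1.0.3000 Broadcom Corporation.
2160 C:\DOCUME~1\Kordic\LOCALS~1\Temp\winsbhp.exe
3944 C:\DOCUME~1\Kordic\LOCALS~1\Temp\suiujl.exe
4320 C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe 3.0.642.0 ESET
"""

# Path fragments that mark directories any user process can write to.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\", "\\local settings\\temp\\")

# One row: pid, a path ending in an executable extension, then an optional
# "<dotted version> <company>" tail. Paths may contain spaces, so the path is
# matched lazily up to the first extension.
_ROW_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<path>\S.*?\.(?:exe|com|scr))"
    r"(?:\s+(?P<version>\d+(?:\.\d+)+)\s+(?P<company>.+?))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Process:
    pid: int
    path: str
    version: Optional[str]
    company: Optional[str]


def parse_process_list(text: str) -> list:
    """Return the Process rows found in HijackThis process-manager output."""
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:
            rows.append(Process(int(m.group("pid")), m.group("path"),
                                m.group("version"), m.group("company")))
    return rows


def classify(proc: Process) -> str:
    """'suspicious' for anything running from Temp, 'review' for rows with no
    version/company metadata, otherwise 'ok'."""
    low = proc.path.lower()
    if any(marker in low for marker in TEMP_MARKERS):
        return "suspicious"
    if proc.version is None or proc.company is None:
        return "review"
    return "ok"


def triage_process_list(text: str) -> dict:
    """Map pid -> (path, verdict) for every parsed row."""
    return {p.pid: (p.path, classify(p)) for p in parse_process_list(text)}


def suspicious_pids(text: str) -> list:
    """Pids whose verdict is 'suspicious', in list order."""
    return [p.pid for p in parse_process_list(text) if classify(p) == "suspicious"]


if __name__ == "__main__":
    for pid, (path, verdict) in triage_process_list(SAMPLE_PROCESS_LIST).items():
        print(f"{pid:>5}  {verdict:10}  {path}")
```

Missing version and company metadata is only a weak signal on its own (winampa.exe above lacks it too and is benign), which is why it yields "review" rather than "suspicious"; a Temp-directory executable with no metadata, on the other hand, is exactly the pattern the helper acted on in the next reply.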

Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 6:32 pm

Kill a process in HijackThis

  • Open HijackThis
  • Click on the Open the Misc Tools section button
  • Navigate to System tools and click on Open process manager
  • Now locate the following process(es)
    winsbhp.exe
    suiujl.exe
    ekrn.exe

  • and click on the Kill process button


Now locate and delete these files:

C:\DOCUME~1\Kordic\LOCALS~1\Temp\winsbhp.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\suiujl.exe


Now try to run ComboFix



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 6:41 pm

It still says that my NOD32 is working.


Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 6:43 pm

Looks like we are going to have to do this in Safe Mode.

Can you do the following in Safe Mode with Networking? As the computer is booting, press and hold your "F8 key", which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu. Once in the startup menu, select "Safe Mode with Networking", then do the following instructions:

Now follow the ComboFix instructions.



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 6:54 pm

My problems don't end... I cannot access safe mode. I select it, but then it starts to show lots of lines with [You must be registered and logged in to see this link.] including, and then it restarts and takes me back to choose between safe mode and normal.


Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 6:57 pm

Can you still access normal Safe Mode, not Safe Mode with Networking?



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 6:58 pm

Nope, neither of them.


Re: WinBlueSoft - crying for help

Post by Belahzur on Mon Jun 22, 2009 6:59 pm

Hello.
New ideas. Please post a new Hijack This log, I want to kill some other items too.



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 7:04 pm

here it is....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:04:02, on 22.6.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\winuutq.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\winlqsfs.exe
\Arhitekt-397a7d\c\MGtools\analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
F2 - REG:system.ini: Shell=Explorer.exe "C:\Program Files\Outlook Express\wab.exe"
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-583907252-1202660629-682003330-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Kordic')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Bluetooth.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: I&zvoz u Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspcfm.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7447 bytes


Re: WinBlueSoft - crying for help

Post by Belahzur on Mon Jun 22, 2009 7:07 pm

Hello.
Some new items showed up, yet I'm surprised Origin's HijackThis fix actually worked, because registry editing was disabled.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
    F2 - REG:system.ini: Shell=Explorer.exe "C:\Program Files\Outlook Express\wab.exe"
    O4 - HKLM\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


  • Press "Fix Checked"
  • Close Hijack This.

There's a file on your machine I can't find anything on, which may be regenerating this infection, so I want to get it uploaded and scanned.

Submit a file for analysis.

  1. Please visit this website: [You must be registered and logged in to see this link.]
  2. Press the "Browse" button and locate the following file in bold:
    C:\WINDOWS\system32\lspcfm.dll
  3. Press the "Submit File" button to submit the file for analysis.
  4. Allow it to be scanned, it could take a few minutes depending on server load.
  5. Copy and paste the result back here.


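The lines Belahzur picks out above share a few patterns: a core Windows binary name (svchost.exe) launched from a user profile folder, a Winlogon Shell value that is no longer plain Explorer.exe, a policy that disables regedit, and an unrecognised Winsock LSP. The script below, added here as an example and not part of HijackThis or of the helpers' posts, applies exactly those checks to constructed sample lines in HijackThis format (the path and names are the ones posted above).

```python
"""Triage of HijackThis O4/F2/O7/O10 lines: which autoruns deserve the "Fix
checked" treatment and why. Added example for this thread, not HijackThis code;
the sample lines below are constructed from the format of the log posted above."""
import re
from typing import List, Tuple

# Constructed sample: a subset of the posted log, one entry per pattern of interest.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
F2 - REG:system.ini: Shell=Explorer.exe "C:\Program Files\Outlook Express\wab.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspcfm.dll
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Names of core Windows binaries that malware likes to borrow; the genuine
# copies only ever run from the Windows directory.
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe",
                   "services.exe", "explorer.exe", "smss.exe"}
WINDOWS_PREFIXES = ("c:\\windows\\", "%systemroot%\\", "%windir%\\")
# Directory markers that place an executable inside a user profile (writable
# without admin rights, so a common drop location).
PROFILE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\local settings\\")


def executable_path(cmd: str) -> str:
    """Return the program part of an O4 command, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces: take everything up to the first .exe.
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [""])[0]


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (line, reason) for every line a helper would mark for fixing."""
    findings: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue  # e.g. "O4 - Global Startup:" shortcut entries
            path = executable_path(m.group("cmd")).lower()
            name = path.rsplit("\\", 1)[-1]
            if name in SYSTEM_BINARIES and not path.startswith(WINDOWS_PREFIXES):
                findings.append((line, f"{name} running from outside the Windows directory"))
            elif any(marker in path for marker in PROFILE_MARKERS):
                findings.append((line, "autorun executable inside a user profile"))
        elif line.startswith("F2 - ") and "Shell=" in line:
            # Winlogon's Shell value should be exactly Explorer.exe; anything
            # appended to it starts with the user's session.
            shell = line.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append((line, "Winlogon shell is not plain Explorer.exe"))
        elif line.startswith("O7 - ") and "DisableRegedit=1" in line:
            findings.append((line, "registry editor disabled by policy"))
        elif line.startswith("O10 - ") and "Unknown file" in line:
            findings.append((line, "unrecognised Winsock LSP module"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {entry}")
```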

Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 7:14 pm

I can't open that page...it just loads for ages and then ''cannot find server''.


Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 7:17 pm

That's due to the rootkit; it looks like we are going to have to kill it manually.

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it, since some malware blocks GMER.



Re: WinBlueSoft - crying for help

Post by Belahzur on Mon Jun 22, 2009 7:18 pm

Two more online scanners to try:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

Let me know which one (if any) works, and upload the file for a scan.



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 8:04 pm

neither of those sites work for me...

GMER 1.0.15.14972 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-22 22:03:47
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xBA6BE0D0]
SSDT sptd.sys ZwEnumerateKey [0xBA6C3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xBA6C4340]
SSDT sptd.sys ZwOpenKey [0xBA6BE0B0]
SSDT sptd.sys ZwQueryKey [0xBA6C4418]
SSDT sptd.sys ZwQueryValueKey [0xBA6C4298]
SSDT sptd.sys ZwSetValueKey [0xBA6C44AA]

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) AE74C16D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) AE74BFC2

Code 8A9A9688 ZwFlushInstructionCache
Code 8AADD446 IofCallDriver
Code 8AADD4C6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF15A 5 Bytes JMP 8AADD44B
.text ntkrnlpa.exe!IofCompleteRequest 804EF1EA 5 Bytes JMP 8AADD4CB
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B5288 5 Bytes JMP 8A9A968C
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B9C8180C 5 Bytes JMP 8AC801C8
? C:\WINDOWS\system32\drivers\pukmnn.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\MSN Messenger\msnmsgr.exe[728] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 100046D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateProcessInternalW 7C819704 5 Bytes JMP 100072A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!CryptGenKey 77E114B1 5 Bytes JMP 100053B0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 100053C0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetCreateUrlA + 1A5 771C2714 5 Bytes JMP 10006CB0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetCloseHandle 771C4DAC 5 Bytes JMP 10005920 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!HttpQueryInfoA 771C7842 5 Bytes JMP 100063E0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetReadFile 771C812C 5 Bytes JMP 10003070 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 10003040 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetGetCookieExA 771D9506 5 Bytes JMP 10002A70 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetReadFileExW 771F8071 5 Bytes JMP 100030A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetReadFileExA 771F8D78 5 Bytes JMP 100030D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetSetCookieExW 77215AD2 5 Bytes JMP 10002810 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 100046D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateProcessInternalW 7C819704 5 Bytes JMP 100072A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!CryptGenKey 77E114B1 5 Bytes JMP 100053B0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetCreateUrlA + 1A5 771C2714 5 Bytes JMP 10006CB0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetCloseHandle 771C4DAC 5 Bytes JMP 10005920 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!HttpQueryInfoA 771C7842 5 Bytes JMP 100063E0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetReadFile 771C812C 5 Bytes JMP 10003070 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 10003040 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetGetCookieExA 771D9506 5 Bytes JMP 10002A70 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetReadFileExW 771F8071 5 Bytes JMP 100030A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetReadFileExA 771F8D78 5 Bytes JMP 100030D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetSetCookieExW 77215AD2 5 Bytes JMP 10002810 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 100053C0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01E146D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] kernel32.dll!CreateProcessInternalW 7C819704 5 Bytes JMP 01E172A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] ADVAPI32.dll!CryptGenKey 77E114B1 5 Bytes JMP 01E153B0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 01E153C0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetCreateUrlA + 1A5 771C2714 5 Bytes JMP 01E16CB0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetCloseHandle 771C4DAC 5 Bytes JMP 01E15920 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!HttpQueryInfoA 771C7842 5 Bytes JMP 01E163E0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetReadFile 771C812C 5 Bytes JMP 01E13070 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 01E13040 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetGetCookieExA 771D9506 5 Bytes JMP 01E12A70 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetReadFileExW 771F8071 5 Bytes JMP 01E130A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetReadFileExA 771F8D78 5 Bytes JMP 01E130D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetSetCookieExW 77215AD2 5 Bytes JMP 01E12810 C:\WINDOWS\system32\lspcfm.dll


Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 8:04 pm

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6BEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6BEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6BEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6BF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6BF61E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6D429A] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AF051E8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \FileSystem\Fastfat \FatCdrom 8A6E5790
Device \Driver\NetBT \Device\NetBT_Tcpip_{E70F942A-4CC0-4075-BFA4-274B1F4F1211} 8AB61790
Device \Driver\usbuhci \Device\USBPDO-0 8AC7F1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AE951E8
Device \Driver\dmio \Device\DmControl\DmConfig 8AE951E8
Device \Driver\dmio \Device\DmControl\DmPnP 8AE951E8
Device \Driver\dmio \Device\DmControl\DmInfo 8AE951E8
Device \Driver\usbehci \Device\USBPDO-1 8AC681E8
Device \Driver\usbuhci \Device\USBPDO-2 8AC7F1E8
Device \Driver\usbuhci \Device\USBPDO-3 8AC7F1E8
Device \Driver\usbehci \Device\USBPDO-4 8AC681E8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

Device \Driver\usbuhci \Device\USBPDO-5 8AC7F1E8
Device \Driver\usbuhci \Device\USBPDO-6 8AC7F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AF071E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8AF061E8
Device \Driver\atapi \Device\Ide\IdePort0 8AF061E8
Device \Driver\atapi \Device\Ide\IdePort1 8AF061E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8AF061E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8AB61790
Device \Driver\NetBT \Device\NetbiosSmb 8AB61790
Device \Driver\NetBT \Device\NetBT_Tcpip_{5864CB14-1664-4ECB-BEA0-F37208407BFA} 8AB61790
Device \Driver\usbuhci \Device\USBFDO-0 8AC7F1E8
Device \Driver\usbuhci \Device\USBFDO-1 8AC7F1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A104790
Device \Driver\usbehci \Device\USBFDO-2 8AC681E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A104790
Device \Driver\usbuhci \Device\USBFDO-3 8AC7F1E8
Device \Driver\usbuhci \Device\USBFDO-4 8AC7F1E8
Device \Driver\Ftdisk \Device\FtControl 8AF071E8
Device \Driver\usbuhci \Device\USBFDO-5 8AC7F1E8
Device \Driver\usbehci \Device\USBFDO-6 8AC681E8
Device \FileSystem\Fastfat \Fat 8A6E5790

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\Cdfs \Cdfs 8ABFC790


Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 8:05 pm

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys (*** hidden *** ) [SYSTEM] MSIVXserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

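The three GMER posts above show two things a responder wants pulled out of such a log: inline JMP hooks that one module (lspcfm.dll) planted into svchost.exe and iexplore.exe on WinInet, crypto and process-creation APIs, and a driver service GMER marks hidden. The parser below, added here as an example and not GMER's own code nor part of the helpers' posts, summarises output in that format per hooking module and lists hidden services; its sample lines are constructed in GMER's line format from the entries posted.

```python
"""Summarise GMER 'User code sections' and 'Services' output: which module
plants inline JMP hooks into which processes and APIs, and which services GMER
reports as hidden. Added example for this thread, not GMER's own code; sample
lines are constructed to follow the format of the logs posted above."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample in GMER's line format (module and service names as posted).
SAMPLE_GMER = r"""
.text C:\Program Files\MSN Messenger\msnmsgr.exe[728] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateProcessInternalW 7C819704 5 Bytes JMP 100072A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetCreateUrlA + 1A5 771C2714 5 Bytes JMP 10006CB0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetReadFile 771C812C 5 Bytes JMP 10003070 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 01E153C0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetReadFile 771C812C 5 Bytes JMP 01E13070 C:\WINDOWS\system32\lspcfm.dll
Service C:\WINDOWS\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys (*** hidden *** ) [SYSTEM] MSIVXserv.sys <-- ROOTKIT !!!
"""

# ".text <image>[<pid>] <lib>!<func>[ + <off>] <addr> <n> Bytes JMP <target> <owner>"
HOOK_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] (?P<lib>[^!\s]+)!(?P<func>\S+)"
    r"(?: \+ [0-9A-Fa-f]+)? [0-9A-Fa-f]+ \d+ Bytes JMP [0-9A-Fa-f]+ (?P<owner>.+)$")
# "Service <path> (*** hidden *** ) [<start>] <name> ..."
SERVICE_RE = re.compile(
    r"^Service (?P<path>.+?) \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)")

# What hooking each API family lets the hooking module do (a defender's view).
CAPABILITY = {
    "wininet.dll": "read or alter the process's HTTP traffic",
    "crypt32.dll": "observe certificate-store imports",
    "advapi32.dll": "observe key generation",
    "kernel32.dll": "intercept process creation / memory protection changes",
}


def owner_module(owner: str) -> str:
    """Drop GMER's trailing '(Description/Company)' tag and normalise the path."""
    return re.sub(r"\s*\([^()]*\)\s*$", "", owner).strip().lower()


def summarise(log: str) -> Dict[str, object]:
    """Group foreign inline hooks by the module that owns the JMP target and
    collect services GMER flags as hidden."""
    hooks = defaultdict(lambda: {"processes": set(), "functions": set(),
                                 "capabilities": set()})
    hidden: List[Dict[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            image = m.group("image").lower()
            owner = owner_module(m.group("owner"))
            if owner == image:
                continue  # a program patching its own image is not foreign code
            entry = hooks[owner]
            proc_name = image.rsplit("\\", 1)[-1]
            entry["processes"].add(f"{proc_name}[{m.group('pid')}]")
            entry["functions"].add(f"{m.group('lib')}!{m.group('func')}")
            cap = CAPABILITY.get(m.group("lib").lower())
            if cap:
                entry["capabilities"].add(cap)
            continue
        s = SERVICE_RE.match(line)
        if s:
            hidden.append({"name": s.group("name"), "path": s.group("path"),
                           "start": s.group("start")})
    return {"hooking_modules": dict(hooks), "hidden_services": hidden}


if __name__ == "__main__":
    report = summarise(SAMPLE_GMER)
    for module, info in report["hooking_modules"].items():
        print(module, "hooks", sorted(info["processes"]), "->", sorted(info["capabilities"]))
    for svc in report["hidden_services"]:
        print("hidden service", svc["name"], "at", svc["path"])
```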

Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 8:08 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C).


Drivers to delete:
MSIVXserv.sys

Files to delete:
C:\WINDOWS\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 8:11 pm

I completed the first step, I'm not allowed to do the second by my Administrator. It asks me to reboot now...


Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 8:15 pm

I've rebooted it and here is the file :


Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "MSIVXserv.sys" found!
ImagePath: \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Driver disabled successfully.

Rootkit scan completed.

Driver "MSIVXserv.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 8:16 pm

See if you can run Malwarebytes now.



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 8:17 pm

Yes, I can. :)


Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 8:18 pm

That's great news. Please do a quick scan and post all the contents of the log back here. :)



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 8:24 pm

Here it is:

Malwarebytes' Anti-Malware 1.38
Database version: 2283
Windows 5.1.2600 Service Pack 2

22.6.2009 22:23:46
mbam-log-2009-06-22 (22-23-39).txt

Scan type: Quick Scan
Objects scanned: 97186
Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 11
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\Documents and Settings\Kordic\Local Settings\Temp\winkodhi.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Kordic\Local Settings\Temp\dpqrbk.exe (Trojan.Downloader) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Kordic\Local Settings\Temp\winkodhi.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Kordic\Local Settings\Temp\dpqrbk.exe (Trojan.Downloader) -> No action taken.
c:\RECYCLER\s-1-5-21-1708502002-5774778955-212626128-2853\rundll32.exe (Trojan.Dropper) -> No action taken.
c:\program files\outlook express\wab.exe.tmp (Trojan.Downloader) -> No action taken.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> No action taken.
c:\WINDOWS\Temp\tempo-2191406.tmp (Trojan.DNSChanger) -> No action taken.
c:\WINDOWS\Temp\tempo-2192734.tmp (Trojan.DNSChanger) -> No action taken.
c:\WINDOWS\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll (Trojan.Agent) -> No action taken.

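The quick-scan log above is scan-only: every entry ends in "No action taken", which means Malwarebytes reported the items but removed nothing, so the rogue NameServer values, the Policies\System hijacks and the Winlogon/Tasks persistence entries are all still live at this point in the thread. As an added example (not part of the thread and not Malwarebytes' own tooling), here is a small Python triage script that parses that log format and pulls out exactly those follow-up items. The sample log is a constructed subset of the posted lines, with the last file entry altered to read "Quarantined and deleted successfully" so that both outcomes appear; the 85.255.112.0/20 range used for the DNS check is an assumption supplied by this example, not something the log states.

```python
"""Triage helper for a Malwarebytes' Anti-Malware scan log (added example)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample input: a subset of the lines from the log posted above, with
# the last file entry altered so a remediated item appears next to reported ones.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.38
Windows 5.1.2600 Service Pack 2

Memory Processes Infected:
C:\Documents and Settings\Kordic\Local Settings\Temp\winkodhi.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Kordic\Local Settings\Temp\dpqrbk.exe (Trojan.Downloader) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.

Files Infected:
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> No action taken.
c:\WINDOWS\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<cls>[A-Za-z0-9_.]+)\)"  # path or registry key, then the detection class
    r"(?: -> (?P<detail>Bad: .*?|Data: .*?))?"      # optional Bad/Good values or Data payload
    r" -> (?P<action>.+?)\.?$"                      # what MBAM did with the item
)

# Range this example assumes for the DNSChanger resolvers; not stated in the log.
KNOWN_ROGUE_DNS = ip_network("85.255.112.0/20")

# Lower-cased substrings marking registry locations or paths used for persistence.
PERSISTENCE_MARKERS = ("\\winlogon\\", "\\currentversion\\run", "\\tasks\\")


def parse_mbam_log(text):
    """Turn the 'Section:' / 'item (class) -> ... -> action.' lines into dicts."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # e.g. "Files Infected:" opens a new list
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m and section:               # banner lines and "(No malicious items detected)" do not match
            entries.append({"section": section, **m.groupdict()})
    return entries


def unresolved(entries):
    """Detections MBAM only reported; nothing was removed for these."""
    return [e for e in entries if e["action"] == "No action taken"]


def rogue_dns_servers(entries):
    """Resolver addresses found in NameServer values flagged as DNSChanger, deduplicated."""
    servers = set()
    for e in entries:
        if e["cls"] == "Trojan.DNSChanger" and (e["detail"] or "").startswith("Data: "):
            for ip in e["detail"][len("Data: "):].split(","):
                servers.add(ip_address(ip.strip()))
    return sorted(servers)


def hijacked_policies(entries):
    """Registry data items whose current (Bad) value differs from the expected (Good) one."""
    changed = {}
    for e in entries:
        m = re.match(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)", e["detail"] or "")
        if m and m["bad"] != m["good"]:
            changed[e["item"].rsplit("\\", 1)[-1]] = (m["bad"], m["good"])
    return changed


def persistence_points(entries):
    """Items that would relaunch the malware at logon or on a schedule."""
    return [e["item"] for e in entries
            if any(mark in e["item"].lower() for mark in PERSISTENCE_MARKERS)]


def triage(text):
    """One-call summary of what still needs fixing after a scan-only run."""
    entries = parse_mbam_log(text)
    dns = rogue_dns_servers(entries)
    return {
        "per_section": dict(Counter(e["section"] for e in entries)),
        "unresolved": len(unresolved(entries)),
        "rogue_dns": [str(ip) for ip in dns],
        "dns_in_known_rogue_range": bool(dns) and all(ip in KNOWN_ROGUE_DNS for ip in dns),
        "hijacked_policies": hijacked_policies(entries),
        "persistence": persistence_points(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Point the script at a saved mbam-log-*.txt instead of SAMPLE_LOG to get the same summary for a real scan. The three things it surfaces are the ones a removal pass must not leave behind: the NameServer data (every lookup goes to the attacker's resolvers until it is reverted on each interface and control set), the DisableRegistryTools/DisableTaskMgr/Security Center values (which explain why the user could not open tools), and the Winlogon and scheduled-task entries (which bring the infection back on reboot).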

Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 8:26 pm

Good, the infection is getting beaten. Now you should be able to run DDS:


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 8:30 pm

I downloaded that, but when I run it, it opens a .txt with lots of gibberish... just a lot of letters.


Re: WinBlueSoft - crying for help

Post by Origin on Mon Jun 22, 2009 8:34 pm

Upload the .txt to RapidShare for me to look at. Do the following:

go to this site: [You must be registered and logged in to see this link.]

Once there, click on the Choose button, locate the DDS.txt and click OK. The file should upload and then it will give you a link to download the file from. Please post the link back here.



Re: WinBlueSoft - crying for help

Post by koalabear on Mon Jun 22, 2009 8:37 pm

[You must be registered and logged in to see this link.]


Page 1 of 2 1, 2  Next
