WinBlueSoft - crying for help


Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 6:41 pm

It still says that my NOD32 is working.

koalabear
Intermediate
Posts : 53
Joined : 2009-06-22
OS : xp
Points : 27325
# Likes : 0

Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 6:43 pm

Looks like we are going to have to do this in safe mode.

Can you do the following in Safe Mode with Networking: as the computer is booting, press and hold your "F8 Key", which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu. Once in the startup menu, select "Safe Mode with Networking", then do the following instructions:

Now follow the ComboFix instructions.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31513
# Likes : 0

Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 6:54 pm

My problems don't end... I cannot access safe mode... I select it but then it starts to show lots of lines with [You must be registered and logged in to see this link.] including, and then it restarts and takes me back to choose between safe mode and normal.


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 6:57 pm

Can you still access normal Safe Mode, not Safe Mode with Networking?



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 6:58 pm

nope, neither of them.


Re: WinBlueSoft - crying for help

Post by Belahzur on 22nd June 2009, 6:59 pm

Hello.
New ideas. Please post a new Hijack This log, I want to kill some other items too.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
# Likes : 1

Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 7:04 pm

here it is....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:04:02, on 22.6.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\winuutq.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\winlqsfs.exe
\Arhitekt-397a7d\c\MGtools\analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
F2 - REG:system.ini: Shell=Explorer.exe "C:\Program Files\Outlook Express\wab.exe"
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-583907252-1202660629-682003330-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Kordic')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Bluetooth.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: I&zvoz u Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspcfm.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7447 bytes

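A triage pass over the HijackThis log above, as an added example (not part of the original thread and not HijackThis code): it walks the log and flags the patterns a helper looks for by hand, i.e. autoruns from user-writable folders, a system binary name outside \WINDOWS, an altered Shell= value, a policy lockout and an unknown Winsock LSP. The sample lines are copied from the posted log; the rules are heuristics, not a full HJT parser.

```python
"""Triage a HijackThis (HJT) log for the persistence patterns seen in this thread.

Added example for illustration: not part of the original thread and not
HijackThis's own code. The sample lines are copied from the log posted above;
the rules are a defender's heuristics, not a complete HJT parser.
"""
import re

# Names of core Windows binaries that malware likes to borrow; genuine copies
# live under \WINDOWS, so the same name elsewhere (e.g. a user's Contacts
# folder, as in the log above) deserves a look.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "winlogon.exe", "lsass.exe",
                   "smss.exe", "services.exe", "csrss.exe"}
# Path fragments that mean "writable by an ordinary user" on Windows XP.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\")

HJT_ENTRY = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"^(HK\S*)\\\.\.\\Run: \[([^\]]*)\] (.*)$")


def image_path(command: str) -> str:
    """Best-effort extraction of the executable from an O4 command string."""
    command = command.strip()
    if command.startswith('"'):                     # "C:\...\prog.exe" /switch
        return command[1:command.find('"', 1)]
    m = re.match(r"^(.*?\.(?:exe|dll|scr|com))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]  # e.g. %systemroot%\system32\dumprep


def check_entry(kind: str, body: str) -> list[str]:
    """Reasons an R/F/O line is suspicious; empty list if it looks benign."""
    reasons = []
    if kind == "F2" and body.startswith("REG:system.ini: Shell="):
        shell = body[len("REG:system.ini: Shell="):].strip()
        if shell.lower() != "explorer.exe":
            reasons.append("Shell= changed: an extra program starts with the desktop")
    elif kind == "O4":
        m = RUN_ENTRY.match(body)
        if m:
            path = image_path(m.group(3)).lower()
            base = path.rsplit("\\", 1)[-1]
            if any(frag in path for frag in USER_WRITABLE):
                reasons.append("autorun from a user-writable directory")
            if base in SYSTEM_BINARIES and "\\windows\\" not in path:
                reasons.append("system binary name outside the Windows directory")
    elif kind == "O7":
        reasons.append("policy restriction set (e.g. DisableRegedit); blocks cleanup tools")
    elif kind == "O10" and "Unknown file" in body:
        reasons.append("unknown Winsock LSP DLL: it sees every socket in every process")
    return reasons


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for the lines of an HJT log worth a second look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False            # blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = HJT_ENTRY.match(line)
        if m:
            reasons = check_entry(m.group("kind"), m.group("body"))
            if reasons:
                findings.append(("; ".join(reasons), line))
        elif in_processes and any(frag in line.lower() for frag in USER_WRITABLE):
            findings.append(("process running from a user-writable directory", line))
    return findings


# Subset of the log posted in this thread (constructed sample input).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\winuutq.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\winlqsfs.exe

F2 - REG:system.ini: Shell=Explorer.exe "C:\Program Files\Outlook Express\wab.exe"
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspcfm.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```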

Re: WinBlueSoft - crying for help

Post by Belahzur on 22nd June 2009, 7:07 pm

Hello.
Some new items showed up, yet I'm surprised Origin's Hijack This fix actually worked, because registry editing was disabled.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
    F2 - REG:system.ini: Shell=Explorer.exe "C:\Program Files\Outlook Express\wab.exe"
    O4 - HKLM\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


  • Press "Fix Checked"
  • Close Hijack This.

There's a file on your machine I can't find anything on, which may be regenerating this infection, so I want to get it uploaded and scanned.

Submit a file for analysis.

  1. Please visit this website: [You must be registered and logged in to see this link.]
  2. Press the "Browse" button and locate the following file:
    C:\WINDOWS\system32\lspcfm.dll
  3. Press the "Submit File" button to submit the file for analysis.
  4. Allow it to be scanned, it could take a few minutes depending on server load.
  5. Copy and paste the result back here.



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 7:14 pm

I can't open that page...it just loads for ages and then ''cannot find server''.


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 7:17 pm

That's due to the rootkit; looks like we are going to have to kill it manually.

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.



Re: WinBlueSoft - crying for help

Post by Belahzur on 22nd June 2009, 7:18 pm

Two more online scanners to try:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

Let me know which (if) one works, and upload the file for a scan.



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 8:04 pm

neither of those sites work for me...

GMER 1.0.15.14972 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-22 22:03:47
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xBA6BE0D0]
SSDT sptd.sys ZwEnumerateKey [0xBA6C3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xBA6C4340]
SSDT sptd.sys ZwOpenKey [0xBA6BE0B0]
SSDT sptd.sys ZwQueryKey [0xBA6C4418]
SSDT sptd.sys ZwQueryValueKey [0xBA6C4298]
SSDT sptd.sys ZwSetValueKey [0xBA6C44AA]

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) AE74C16D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) AE74BFC2

Code 8A9A9688 ZwFlushInstructionCache
Code 8AADD446 IofCallDriver
Code 8AADD4C6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF15A 5 Bytes JMP 8AADD44B
.text ntkrnlpa.exe!IofCompleteRequest 804EF1EA 5 Bytes JMP 8AADD4CB
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B5288 5 Bytes JMP 8A9A968C
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B9C8180C 5 Bytes JMP 8AC801C8
? C:\WINDOWS\system32\drivers\pukmnn.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\MSN Messenger\msnmsgr.exe[728] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 100046D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateProcessInternalW 7C819704 5 Bytes JMP 100072A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!CryptGenKey 77E114B1 5 Bytes JMP 100053B0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 100053C0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetCreateUrlA + 1A5 771C2714 5 Bytes JMP 10006CB0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetCloseHandle 771C4DAC 5 Bytes JMP 10005920 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!HttpQueryInfoA 771C7842 5 Bytes JMP 100063E0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetReadFile 771C812C 5 Bytes JMP 10003070 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 10003040 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetGetCookieExA 771D9506 5 Bytes JMP 10002A70 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetReadFileExW 771F8071 5 Bytes JMP 100030A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetReadFileExA 771F8D78 5 Bytes JMP 100030D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetSetCookieExW 77215AD2 5 Bytes JMP 10002810 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 100046D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateProcessInternalW 7C819704 5 Bytes JMP 100072A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!CryptGenKey 77E114B1 5 Bytes JMP 100053B0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetCreateUrlA + 1A5 771C2714 5 Bytes JMP 10006CB0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetCloseHandle 771C4DAC 5 Bytes JMP 10005920 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!HttpQueryInfoA 771C7842 5 Bytes JMP 100063E0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetReadFile 771C812C 5 Bytes JMP 10003070 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 10003040 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetGetCookieExA 771D9506 5 Bytes JMP 10002A70 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetReadFileExW 771F8071 5 Bytes JMP 100030A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetReadFileExA 771F8D78 5 Bytes JMP 100030D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetSetCookieExW 77215AD2 5 Bytes JMP 10002810 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 100053C0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01E146D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] kernel32.dll!CreateProcessInternalW 7C819704 5 Bytes JMP 01E172A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] ADVAPI32.dll!CryptGenKey 77E114B1 5 Bytes JMP 01E153B0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 01E153C0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetCreateUrlA + 1A5 771C2714 5 Bytes JMP 01E16CB0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetCloseHandle 771C4DAC 5 Bytes JMP 01E15920 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!HttpQueryInfoA 771C7842 5 Bytes JMP 01E163E0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetReadFile 771C812C 5 Bytes JMP 01E13070 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 01E13040 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetGetCookieExA 771D9506 5 Bytes JMP 01E12A70 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetReadFileExW 771F8071 5 Bytes JMP 01E130A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetReadFileExA 771F8D78 5 Bytes JMP 01E130D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetSetCookieExW 77215AD2 5 Bytes JMP 01E12810 C:\WINDOWS\system32\lspcfm.dll


Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 8:04 pm

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6BEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6BEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6BEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6BF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6BF61E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6D429A] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AF051E8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \FileSystem\Fastfat \FatCdrom 8A6E5790
Device \Driver\NetBT \Device\NetBT_Tcpip_{E70F942A-4CC0-4075-BFA4-274B1F4F1211} 8AB61790
Device \Driver\usbuhci \Device\USBPDO-0 8AC7F1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AE951E8
Device \Driver\dmio \Device\DmControl\DmConfig 8AE951E8
Device \Driver\dmio \Device\DmControl\DmPnP 8AE951E8
Device \Driver\dmio \Device\DmControl\DmInfo 8AE951E8
Device \Driver\usbehci \Device\USBPDO-1 8AC681E8
Device \Driver\usbuhci \Device\USBPDO-2 8AC7F1E8
Device \Driver\usbuhci \Device\USBPDO-3 8AC7F1E8
Device \Driver\usbehci \Device\USBPDO-4 8AC681E8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

Device \Driver\usbuhci \Device\USBPDO-5 8AC7F1E8
Device \Driver\usbuhci \Device\USBPDO-6 8AC7F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AF071E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8AF061E8
Device \Driver\atapi \Device\Ide\IdePort0 8AF061E8
Device \Driver\atapi \Device\Ide\IdePort1 8AF061E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8AF061E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8AB61790
Device \Driver\NetBT \Device\NetbiosSmb 8AB61790
Device \Driver\NetBT \Device\NetBT_Tcpip_{5864CB14-1664-4ECB-BEA0-F37208407BFA} 8AB61790
Device \Driver\usbuhci \Device\USBFDO-0 8AC7F1E8
Device \Driver\usbuhci \Device\USBFDO-1 8AC7F1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A104790
Device \Driver\usbehci \Device\USBFDO-2 8AC681E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A104790
Device \Driver\usbuhci \Device\USBFDO-3 8AC7F1E8
Device \Driver\usbuhci \Device\USBFDO-4 8AC7F1E8
Device \Driver\Ftdisk \Device\FtControl 8AF071E8
Device \Driver\usbuhci \Device\USBFDO-5 8AC7F1E8
Device \Driver\usbehci \Device\USBFDO-6 8AC681E8
Device \FileSystem\Fastfat \Fat 8A6E5790

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\Cdfs \Cdfs 8ABFC790


Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 8:05 pm

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys (*** hidden *** ) [SYSTEM] MSIVXserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

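A summary pass over the three GMER posts above, as an added example (not part of the original thread and not GMER code): it groups the user-mode inline hooks by the module that owns the JMP target, separates an application patching its own process (msnmsgr.exe) from a foreign DLL (lspcfm.dll) sitting in front of WININET, CRYPT32 and process-creation APIs in svchost.exe and Internet Explorer, and lists the hidden driver service GMER marked as a rootkit. The sample lines are a subset copied from the posted output.

```python
"""Summarise the user-mode inline hooks and hidden services in a GMER log.

Added example for illustration: not part of the original thread and not
GMER's own code. The sample lines are a subset of the GMER output posted
above; the verdict text is a defender's reading of them.
"""
import re
from collections import defaultdict

HOOK = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"          # process image and PID
    r"(?P<api>\S+!\S+)(?:\s\+\s\S+)?\s+[0-9A-Fa-f]+\s+"      # Module!Api [+ offset] address
    r"\d+ Bytes\s+JMP\s+[0-9A-Fa-f]+\s+"                     # patch size and jump target
    r"(?P<target>.+?)(?:\s+\([^)]*\))?$"                     # module owning the target
)
HIDDEN_SERVICE = re.compile(
    r"^Service\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[\S+\]\s+(?P<name>\S+)"
)

# What an attacker gains by redirecting each API family in another process.
API_FAMILIES = {
    "WININET.dll": "reads/alters web traffic before the browser sees it",
    "CRYPT32.dll": "intercepts certificate handling",
    "ADVAPI32.dll!CryptGenKey": "sees keys as they are generated",
    "kernel32.dll!CreateProcessInternalW": "follows every child process",
}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse(log_text: str):
    """Return ({target_module: {processes, apis, self_only}}, [(service, driver path)])."""
    hooks = defaultdict(lambda: {"processes": set(), "apis": set(), "self_only": True})
    hidden = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOOK.match(line)
        if m:
            entry = hooks[m["target"].lower()]
            entry["processes"].add(f"{basename(m['proc'])}[{m['pid']}]")
            entry["apis"].add(m["api"])
            # A hook whose target is the process's own image is the program
            # patching itself; anything else is code injected from outside.
            if basename(m["target"]) != basename(m["proc"]):
                entry["self_only"] = False
            continue
        h = HIDDEN_SERVICE.match(line)
        if h:
            hidden.append((h["name"], h["path"]))
    return dict(hooks), hidden


def assess(target: str, entry: dict) -> str:
    """One-line verdict for a module that owns hook targets."""
    if entry["self_only"]:
        return f"{target}: patches only its own process (applications do this; low concern)"
    effects = sorted({why for api in entry["apis"]
                      for key, why in API_FAMILIES.items() if api.startswith(key)})
    return (f"{target}: foreign code in {len(entry['processes'])} process(es), "
            f"{len(entry['apis'])} APIs redirected; " + "; ".join(effects))


# Subset of the GMER output posted in this thread (constructed sample input).
SAMPLE_LOG = r"""---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\MSN Messenger\msnmsgr.exe[728] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateProcessInternalW 7C819704 5 Bytes JMP 100072A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 100053C0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetCreateUrlA + 1A5 771C2714 5 Bytes JMP 10006CB0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetReadFile 771C812C 5 Bytes JMP 10003070 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!HttpQueryInfoA 771C7842 5 Bytes JMP 01E163E0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] ADVAPI32.dll!CryptGenKey 77E114B1 5 Bytes JMP 01E153B0 C:\WINDOWS\system32\lspcfm.dll

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys (*** hidden *** ) [SYSTEM] MSIVXserv.sys <-- ROOTKIT !!!
"""

if __name__ == "__main__":
    hooks, hidden = parse(SAMPLE_LOG)
    for target, entry in hooks.items():
        print(assess(target, entry))
    for name, path in hidden:
        print(f"hidden service {name} -> {path}")
```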

Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 8:08 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
MSIVXserv.sys

Files to delete:
C:\WINDOWS\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.



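The removal script in the post above was assembled by hand from the scanner's service entries. As an added example (not part of this thread and not code from The Avenger), the Python below does that step mechanically: it reads the "Reg HKLM\SYSTEM\...\Services\<name>@imagepath" and "\modules@..." lines the rootkit scanner printed earlier in the thread, maps the NT spellings ("\systemroot\...", "\\?\globalroot\systemroot\...") onto C:\WINDOWS (an assumed install location), and emits the two sections in Avenger's own format. It goes one step beyond the posted script by also listing the module DLLs the hidden service loaded. The targets argument is deliberate: the caller names the services to hit, so feeding it a full scanner log cannot turn every driver on the box into a deletion.

```python
"""Generate an Avenger removal script from rootkit-scanner registry lines.

Added example: not part of this thread and not code from The Avenger.
Assumptions: SYSTEM_ROOT is where Windows lives; the sample log below is
copied from the scanner output posted earlier in this thread.
"""
import re

# Constructed sample: the MSIVX service lines from the scanner log above.
SAMPLE_LOG = r"""
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
"""

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: default XP location of %SystemRoot%

# Reg HKLM\SYSTEM\ControlSetNNN\Services\<svc>[\subkey...]@<value> <data>
SERVICE_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\ControlSet\d+\\Services\\(?P<svc>[^\\@]+)"
    r"(?P<sub>(?:\\[^\\@ ]+)*)@(?P<value>\S+)(?: (?P<data>.*))?$"
)


def to_win32_path(nt_path):
    """Map the NT spellings the scanner prints onto a path Avenger can delete."""
    for prefix in (r"\\?\globalroot\systemroot", r"\systemroot"):
        if nt_path.lower().startswith(prefix.lower()):
            return SYSTEM_ROOT + nt_path[len(prefix):]
    return nt_path


def collect_services(log_text):
    """{service name: {"image": driver path, "modules": [paths the service loads]}}"""
    services = {}
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m or m.group("data") is None:
            continue
        entry = services.setdefault(m.group("svc"), {"image": None, "modules": []})
        data = m.group("data").strip()
        if m.group("value").lower() == "imagepath":
            entry["image"] = to_win32_path(data)
        elif m.group("sub").lower() == r"\modules":
            entry["modules"].append(to_win32_path(data))
    return services


def avenger_script(services, targets):
    """Emit the two Avenger sections for exactly the services named in `targets`."""
    drivers, files = [], []
    for name in targets:
        entry = services[name]
        drivers.append(name)
        for path in [entry["image"]] + entry["modules"]:
            if path and path not in files:  # the image path also appears as a module
                files.append(path)
    lines = ["Drivers to delete:", *drivers, "", "Files to delete:", *files]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(avenger_script(collect_services(SAMPLE_LOG), targets=["MSIVXserv.sys"]))
```

The generated script is what you would then paste into Avenger's "Input script here:" box; the difference from the posted one is that the two MSIVX DLLs are removed in the same reboot as the driver rather than left for a later scan.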
Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 8:11 pm

I completed the first step; I'm not allowed to do the second by my Administrator. It asks me to reboot now...


Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 8:15 pm

I've rebooted it and here is the file :


Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "MSIVXserv.sys" found!
ImagePath: \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Driver disabled successfully.

Rootkit scan completed.

Driver "MSIVXserv.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 8:16 pm

See if you can run Malwarebytes now.



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 8:17 pm

Yes, I can.


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 8:18 pm

That's great news, please do a quick scan and post all the contents of the log back here.



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 8:24 pm

here it is :

Malwarebytes' Anti-Malware 1.38
Database version: 2283
Windows 5.1.2600 Service Pack 2

22.6.2009 22:23:46
mbam-log-2009-06-22 (22-23-39).txt

Scan type: Quick Scan
Objects scanned: 97186
Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 11
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\Documents and Settings\Kordic\Local Settings\Temp\winkodhi.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Kordic\Local Settings\Temp\dpqrbk.exe (Trojan.Downloader) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Kordic\Local Settings\Temp\winkodhi.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Kordic\Local Settings\Temp\dpqrbk.exe (Trojan.Downloader) -> No action taken.
c:\RECYCLER\s-1-5-21-1708502002-5774778955-212626128-2853\rundll32.exe (Trojan.Dropper) -> No action taken.
c:\program files\outlook express\wab.exe.tmp (Trojan.Downloader) -> No action taken.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> No action taken.
c:\WINDOWS\Temp\tempo-2191406.tmp (Trojan.DNSChanger) -> No action taken.
c:\WINDOWS\Temp\tempo-2192734.tmp (Trojan.DNSChanger) -> No action taken.
c:\WINDOWS\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll (Trojan.Agent) -> No action taken.


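Reading a Malwarebytes log by eye works for one machine. As an added example (not part of this thread and not code from Malwarebytes), the Python below parses the item lines of the log above into the questions a responder actually asks: which DNS resolvers the DNSChanger pushed onto which interfaces, which Security Center notifications and user policies it switched off, where the dropped files live, and which detection families are present. EXPECTED_DNS is an assumed placeholder for the resolvers the machine should really be using; the sample log is constructed from lines quoted in this thread.

```python
"""Triage a Malwarebytes' Anti-Malware log into the questions a responder asks.

Added example: not part of this thread and not code from Malwarebytes.
EXPECTED_DNS is an assumed placeholder for the machine's legitimate resolvers;
the sample log is constructed from item lines quoted in this thread.
"""
import re
from collections import defaultdict

EXPECTED_DNS = {"192.168.1.1"}  # assumption: the resolver the router should hand out

# Constructed sample: item lines copied from the log posted above.
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\Documents and Settings\Kordic\Local Settings\Temp\winkodhi.exe (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.

Files Infected:
C:\Documents and Settings\Kordic\Local Settings\Temp\winkodhi.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Kordic\Local Settings\Temp\dpqrbk.exe (Trojan.Downloader) -> No action taken.
c:\RECYCLER\s-1-5-21-1708502002-5774778955-212626128-2853\rundll32.exe (Trojan.Dropper) -> No action taken.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> No action taken.
c:\WINDOWS\Temp\tempo-2191406.tmp (Trojan.DNSChanger) -> No action taken.
c:\WINDOWS\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll (Trojan.Agent) -> No action taken.
"""

# "<file or registry path> (<family>) -> <detail>"
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<detail>.*)$")
NAMESERVER_RE = re.compile(r"\\Interfaces\\(?P<guid>\{[0-9a-f-]+\})\\NameServer$", re.I)
DATA_RE = re.compile(r"Data: (?P<data>[\d.,]+)")
BAD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\)")

LOCATIONS = (
    ("\\local settings\\temp\\", "user temp"),
    ("\\windows\\temp\\", "windows temp"),
    ("\\recycler\\", "recycle bin (by SID)"),
    ("\\windows\\tasks\\", "scheduled tasks"),
    ("\\system32\\", "system32"),
)


def bad_is_set(detail):
    """True when MBAM reports the value as Bad: (1), i.e. the restriction is switched on."""
    m = BAD_RE.search(detail)
    return bool(m) and m.group("bad") == "1"


def classify_location(path):
    low = path.lower()
    return next((label for needle, label in LOCATIONS if needle in low), "other")


def triage(log_text, expected_dns=EXPECTED_DNS):
    """Sort MBAM findings by what they mean for the responder."""
    report = {"rogue_dns": defaultdict(set), "silenced_notifications": [],
              "policy_locks": [], "persistence": [], "files": defaultdict(list),
              "families": defaultdict(int)}
    seen = set()
    for line in log_text.splitlines():
        m = ITEM_RE.match(line.strip())
        if not m:
            continue
        target, family, detail = m.group("target"), m.group("family"), m.group("detail")
        if target in seen:  # a running dropper is listed under Memory Processes and again under Files
            continue
        seen.add(target)
        report["families"][family] += 1
        low = target.lower()
        ns = NAMESERVER_RE.search(target)
        if ns:
            data = DATA_RE.search(detail)
            for ip in (data.group("data").split(",") if data else []):
                if ip not in expected_dns:
                    report["rogue_dns"][ip].add(ns.group("guid").lower())
        elif "\\security center\\" in low and bad_is_set(detail):
            report["silenced_notifications"].append(target.rsplit("\\", 1)[1])
        elif "\\policies\\system\\" in low and bad_is_set(detail):
            report["policy_locks"].append(target.rsplit("\\", 1)[1])
        elif low.endswith("\\winlogon\\taskman"):
            report["persistence"].append(target)
        elif re.match(r"[a-z]:\\", low):
            report["files"][classify_location(target)].append(target)
    report["rogue_dns"] = {ip: sorted(ifaces) for ip, ifaces in report["rogue_dns"].items()}
    report["files"] = dict(report["files"])
    report["families"] = dict(report["families"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The "rogue_dns" entry is the one to act on first: as long as the interfaces still point at those resolvers, every download the user makes (including the tools suggested later in this thread) is fetched from whatever host the attacker's DNS answers with.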
Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 8:26 pm

Good, the infection is getting beaten; now you should be able to run DDS.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 8:30 pm

I downloaded that, but when I run it, it opens a .txt with lots of gibberish... just a lot of letters.


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 8:34 pm

Upload the .txt to Rapidshare for me to look at; do the following:

go to this site: [You must be registered and logged in to see this link.]

Once there, click on the Choose button and locate the DDS.txt and click ok. The file should upload and then it will give you a link to download the file from. Please post the link back here.



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 8:37 pm

[You must be registered and logged in to see this link.]


Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 8:37 pm

I just saw that it's now .txt... It opens after I click on the DDS icon... just that.


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 8:39 pm

You uploaded the wrong file; you gave me the application instead of the log.



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 8:41 pm

I get only that after I click Run


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 8:46 pm

When you click on the dds.scr icon a black CMD window should appear; it will give you a brief description of what the tool does while the scan takes place in the background. Once the scan is finished, two logs will pop up, a DDS.txt and an Attach.txt; I need to see the DDS.txt. Make sure you save both of them to the desktop. If you didn't save them, please run the scan again.



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 8:49 pm

when I download it from the second link and run it I get the message that it is not a valid Win32 application...

when I run it from the first link I get that notepad screen with lots of letters.


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 8:50 pm

Instead of uploading it can you post all contents of the log back here. It may take two or more posts.



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 8:57 pm

This is all that makes any sense between lots of unconnected letters:

                            
  S e l e c t d e s t i n a t i o n f o l d e r
E x t r a c t i n g % s S k i p p i n g % s  U n e x p e c t e d e n d o f a r c h i v e  T h e f i l e " % s " h e a d e r i s c o r r u p t % T h e a r c h i v e c o m m e n t h e a d e r i s c o r r u p t  T h e a r c h i v e c o m m e n t i s c o r r u p t  N o t e n o u g h m e m o r y  U n k n o w n m e t h o d i n % s  C a n n o t o p e n % s  C a n n o t c r e a t e % s  C a n n o t c r e a t e f o l d e r % s  6 C R C f a i l e d i n t h e e n c r y p t e d f i l e % s ( w r o n g p a s s w o r d ? )  C R C f a i l e d i n % s  P a c k e d d a t a C R C f a i l e d i n % s  W r o n g p a s s w o r d f o r % s 5 W r i t e e r r o r i n t h e f i l e % s . P r o b a b l y t h e d i s k i s f u l l  R e a d e r r o r i n t h e f i l e % s  F i l e c l o s e e r r o r  T h e r e q u i r e d v o l u m e i s a b s e n t 2 T h e a r c h i v e i s e i t h e r i n u n k n o w n f o r m a t o r d a m a g e d  E x t r a c t i n g f r o m % s N e x t v o l u m e  T h e a r c h i v e h e a d e r i s c o r r u p t  C l o s e  E r r o r a E r r o r s e n c o u n t e r e d w h i l e p e r f o r m i n g t h e o p e r a t i o n
L o o k a t t h e i n f o r m a t i o n w i n d o w f o r m o r e d e t a i l s PA  b y t e s m o d i f i e d o n  f o l d e r i s n o t a c c e s s i b l e l S o m e f i l e s c o u l d n o t b e c r e a t e d .
P l e a s e c l o s e a l l a p p l i c a t i o n s , r e b o o t W i n d o w s a n d r e s t a r t t h i s i n s t a l l a t i o n \ S o m e i n s t a l l a t i o n f i l e s a r e c o r r u p t .
P l e a s e d o w n l o a d a f r e s h c o p y a n d r e t r y t h e i n s t a l l a t i o n A l l f i l e s PA E < u l > < l i > P r e s s < b > I n s t a l l < / b > b u t t o n t o s t a r t e x t r a c t i o n . < / l i > < b r > < b r > 6 < l i > U s e < b > B r o w s e < / b > b u t t o n t o s e l e c t t h e d e s t i n a t i o n 4 f o l d e r f r o m t h e f o l d e r s t r e e . I t c a n b e a l s o e n t e r e d  m a n u a l l y . < / l I > < b r > < b r > 8 < l I > I f t h e d e s t i n a t i o n f o l d e r d o e s n o t e x i s t , i t w i l l b e 2 c r e a t e d a u t o m a t i c a l l y b e f o r e e x t r a c t i o n . < / l I > < / u l > PAh        |

version="1.0.0.0"
processorArchitecture="X86"
name="WinRAR SFX"
type="win32"/>
WinRAR SFX module



uiAccess="false"/>





type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="X86"
publicKeyToken="6595b64144ccf1df"
language="*"/>



P e e f e f e f e (f e 2f e


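A "not a valid Win32 application" error and a Notepad window full of spaced-out letters are two views of the same thing: the bytes on disk are not what the file name promises. As an added example (not part of this thread and not code from DDS), the Python below performs the check a responder does before running a downloaded tool. It replays the loader's first tests on the DOS/PE headers (the MZ signature, the e_lfanew pointer at 0x3c, the "PE\0\0" signature and the COFF machine field) and pulls out printable UTF-16LE strings, which is exactly what Notepad renders as letter-space-letter. The sample bytes are constructed here (a minimal header plus one string) and are not a real DDS build; the "WinRAR SFX module" marker is used because it is what showed up in the post above.

```python
"""Sanity-check a downloaded tool before running it: is it really a Win32 PE?

Added example: not part of this thread and not code from DDS.  The sample
bytes are constructed here (a minimal DOS/PE header plus one UTF-16 string);
they are not a real DDS build.
"""
import re
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C


def inspect_pe(data):
    """Replay the loader's first checks: MZ at 0, e_lfanew at 0x3c, PE\\0\\0, machine."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"valid": False, "machine": None, "reason": "no MZ signature at offset 0"}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"valid": False, "machine": None, "reason": "e_lfanew does not point at PE\\0\\0"}
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    if machine != IMAGE_FILE_MACHINE_I386:
        return {"valid": False, "machine": machine, "reason": "not an i386 image: 0x%x" % machine}
    return {"valid": True, "machine": machine, "reason": "MZ and PE headers present, i386"}


def utf16_strings(data, min_chars=6):
    """Printable UTF-16LE runs: what Notepad showed as letters separated by spaces."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def build_sample(machine=IMAGE_FILE_MACHINE_I386, marker="WinRAR SFX module"):
    """Constructed file: 64-byte DOS header, PE header at 0x80, then one UTF-16 string."""
    pe_offset = 0x80
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, pe_offset)          # e_lfanew
    header += b"\0" * (pe_offset - len(header))
    header += b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18  # COFF header stub
    return bytes(header) + marker.encode("utf-16-le")


# Constructed: what a failed download of dds.scr may actually contain.
NOT_A_PE = b"<html><body><h1>404 Not Found</h1></body></html>"


if __name__ == "__main__":
    for name, blob in (("sample.scr", build_sample()), ("download.scr", NOT_A_PE)):
        print(name, inspect_pe(blob), utf16_strings(blob))
```

On a real file the same two checks are done with a hex viewer: the first two bytes must read MZ, and the bytes at the offset stored at 0x3c must read PE. If both pass and the strings still say "WinRAR SFX module", the file is an executable, just not the one you meant to download.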
Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 9:04 pm

Let's try this: locate the DDS.txt file, right-click on it and select Open With, then click on WordPad (if WordPad isn't present on the list, select "Browse" and search for WordPad).

Are the symbols still appearing?



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 9:07 pm

I don't have a dds.txt file! Just this .scr... Notepad opens when I click on it.


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 9:11 pm

Alright, let's try this: delete the current DDS.scr file and download this one:

[You must be registered and logged in to see this link.]

Run it and see if you can get those logs, if not we are going to have to use another system scanner.



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 9:14 pm

it says that it is not a valid Win32 application.


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 9:17 pm

Oh well, let's try RSIT:


  • Download random's system information tool (RSIT) by random/random from [You must be registered and logged in to see this link.] and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized)



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 9:23 pm

The same message.


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 9:27 pm

It pops up with "not a valid Win32 application"?



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 9:28 pm

yes.


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 9:31 pm

Alright try ComboFix even though it says ESET is still active.



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 9:34 pm

Now it says the same for ComboFix... did I delete something important, so this is happening?


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 9:47 pm

Not that I can think of since I haven't given you anything harmful to run. I am talking to a colleague of mine that will have you sorted out, please be patient for the moment.



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 9:48 pm

ok, thank you for your help.


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 9:53 pm

In the meantime, can you reboot your computer and then see if it works.



Re: WinBlueSoft - crying for help

Post by Belahzur on 22nd June 2009, 9:57 pm

Hello.
I still think that lspcfm may be malicious; can you upload a copy of it to Rapidshare, please? I want a sample of it and I'll upload it.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1


Re: WinBlueSoft - crying for help

Post by koalabear on 23rd June 2009, 8:12 am

Origin wrote: In the meantime, can you reboot your computer and then see if it works.
no, still the same.

@Belahzur: what's lspcfm?


Re: WinBlueSoft - crying for help

Post by Origin on 23rd June 2009, 5:04 pm

Locate and upload this file to Rapidshare:

c:\windows\system32\lspcfm.dll



Re: WinBlueSoft - crying for help

Post by koalabear on 23rd June 2009, 5:56 pm

[You must be registered and logged in to see this link.]

Now the internet isn't working on the infected computer either.


Re: WinBlueSoft - crying for help

Post by Belahzur on 23rd June 2009, 6:06 pm

Hello.
Thank you for the file. It is indeed malware, but guess what? It's a new version of something, not exactly sure what yet; only 3 scanners find something.

Microsoft 1.4803 2009.06.23 PWS:Win32/Pemsepos.A
NOD32 4181 2009.06.23 a variant of Win32/Kryptik.SR
Sunbelt 3.2.1858.2 2009.06.23 Trojan.Crypt.Krap (v)

Please download the LSPfix from here: [You must be registered and logged in to see this link.]
Unzip it to the Desktop (Important!!) and run it. Check the box that says "I know what I'm doing", and then select each instance of "lspcfm.dll" in the left-hand panel and click >> button to move it to the right-hand panel. Then click Finish to allow LSPfix to rebuild the LSP chain.

Reboot normally and your net connection should be back.


