Blue Netsky screen


Re: Blue Netsky screen

Post by Belahzur on 21st February 2010, 1:58 am

Hello.

I see that you are running Limewire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Ask Toolbar
    Java(TM) 6 Update 11
    LimeWire 5.0.11

Next,

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quote box below into it:

    KILLALL::

    File::
    c:\windows\Gcuro.dat
    c:\windows\Vpapagelewizute.bin

    FCopy::
    C:\drivers\storage\R130118\iastor.sys | C:\WINDOWS\system32\drivers\iaStor.sys
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.



Re: Blue Netsky screen

Post by adgirouard on 21st February 2010, 2:34 am

ComboFix 10-02-19.03 - Owner 02/20/2010 20:10:05.4.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1803 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"c:\windows\Gcuro.dat"
"c:\windows\Vpapagelewizute.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Gcuro.dat
c:\windows\Vpapagelewizute.bin

.
--------------- FCopy ---------------

.
((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-19 01:36 . 2010-02-19 01:36 -------- d-----w- C:\_OTL
2010-02-18 18:03 . 2010-02-18 18:03 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-01-29 06:45 . 2010-01-29 06:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-27 00:02 . 2010-01-27 00:02 -------- d-----w- c:\documents and settings\Brady.OWNER-B0D885443\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 02:01 . 2007-10-11 00:28 -------- d-----w- c:\program files\LimeWire
2010-02-21 00:46 . 2009-11-25 14:20 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-19 00:46 . 2009-05-09 04:01 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater
2010-02-10 09:01 . 2009-01-14 21:24 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2010-02-03 21:38 . 2009-01-27 22:18 -------- d-----w- c:\program files\World of Warcraft
2010-01-24 05:02 . 2009-10-14 01:41 -------- d-----w- c:\program files\World of Warcraft Public Test
2010-01-24 05:02 . 2007-10-09 11:42 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-01-23 15:23 . 2009-11-25 16:39 79488 ----a-w- c:\documents and settings\Brady.OWNER-B0D885443\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-23 12:32 . 2009-11-25 09:45 79488 ----a-w- c:\documents and settings\Troy.OWNER-B0D885443\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-10 04:44 . 2009-02-09 20:09 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2010-01-10 00:35 . 2009-01-17 20:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-01-05 10:00 . 2006-03-04 03:33 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-10 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 11:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:14 . 2004-08-10 11:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-25 18:21 . 2009-01-18 13:01 -------- d-----w- c:\documents and settings\Troy.OWNER-B0D885443\Application Data\Apple Computer
2009-12-25 14:14 . 2009-01-18 00:57 -------- d-----w- c:\documents and settings\Brady.OWNER-B0D885443\Application Data\Apple Computer
2009-12-25 13:52 . 2009-01-17 20:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2009-12-25 02:29 . 2009-12-24 18:07 0 ---ha-w- c:\documents and settings\Owner\hpothb07.dat
2009-12-24 18:59 . 2009-12-24 18:07 5924 ---ha-w- C:\hpothb07.dat
2009-12-24 17:48 . 2009-12-24 17:36 20454 ----a-w- c:\windows\hpoins01.dat
2009-12-20 15:02 . 2009-12-20 15:02 79144 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-16 12:58 . 2009-01-14 19:07 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:35 . 2004-08-10 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 18:11 . 2005-03-30 01:21 2142720 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 17:35 . 2005-03-30 01:01 2020864 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 14:41 . 2004-08-10 11:00 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:33 . 2004-08-10 11:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:33 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2004-08-10 11:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2004-08-10 11:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2004-08-10 11:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-03-21 03:42 . 2009-03-21 03:42 305 ---ha-w- c:\program files\hpothb07.dat
2009-03-21 03:42 . 2009-03-21 03:42 515 ---ha-w- c:\program files\hpothb07.tif
2008-08-09 23:33 . 2008-08-09 23:33 0 ----a-w- c:\program files\temp01
2008-06-16 01:27 . 2008-06-13 17:45 1254593 ----a-w- c:\program files\WotLK-F&F-enUS-downloader.exe
2010-01-18 20:09 . 2010-01-18 20:09 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-01-18 20:09 . 2010-01-18 20:09 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-01-18 20:10 . 2010-01-18 20:10 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-02-21_00.41.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-21 02:00 . 2010-02-21 02:00 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-12-14 467240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-6 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 14\\pccmain.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/25/2006 8:26 AM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [9/25/2006 8:26 AM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/11/2006 5:11 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [9/25/2006 8:26 AM 566872]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [5/16/2009 8:28 AM 36224]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/29/2006 2:54 PM 280392]
S2 gupdate1c9d05b86bf973;Google Update Service (gupdate1c9d05b86bf973);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 10:02 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-02-20 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8232728900.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2009-06-06 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8236365442.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2010-02-20 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8255979293.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2010-01-24 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8261677408.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2010-02-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 04:01]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-09 04:02]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-09 04:02]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9j828ih8.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9j828ih8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-20 20:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A31881A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecfc3
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\iaStor -> iaStor.sys @ 0xba674f78
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Linksys LNE100TX(v5) Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xba553af9
PacketIndicateHandler -> NDIS.sys @ 0xba55eb21
SendHandler -> NDIS.sys @ 0xba553938
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(872)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1668)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\HPZipm12.exe
c:\progra~1\TRENDM~1\INTERN~1\PccGuide.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
.
**************************************************************************
.
Completion time: 2010-02-20 20:33:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-21 02:33
ComboFix2.txt 2010-02-21 00:48
ComboFix3.txt 2009-10-09 15:46

Pre-Run: 82,645,127,168 bytes free
Post-Run: 82,597,912,576 bytes free

- - End Of File - - D0A813D173DF9A5DA2F4670379C05449


Re: Blue Netsky screen

Post by Belahzur on 21st February 2010, 3:08 pm

Hello.
Did you copy my entire script? ComboFix sees the FCopy command, but didn't copy the file I wanted it to.


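The check Belahzur made by eye above (the first log's FCopy section came back empty) can be automated. The script below is an added example, not ComboFix's or the forum's own code: it parses a CFScript and a ComboFix log and reports which File:: and FCopy:: actions the log does not confirm, run over constructed excerpts of the two logs posted in this thread (the second appears further down); the section titles and directive names come from the thread, the parsing approach and function names are this example's own.

```python
"""Check a ComboFix log against the CFScript that produced it (added
example, not ComboFix's or the forum's own code; the directive names and
section titles come from the thread, the parsing is this example's)."""
import re

# The CFScript quoted in the thread.
CFSCRIPT = r"""
KILLALL::

File::
c:\windows\Gcuro.dat
c:\windows\Vpapagelewizute.bin

FCopy::
C:\drivers\storage\R130118\iastor.sys | C:\WINDOWS\system32\drivers\iaStor.sys
"""

# Constructed excerpts of the two logs posted in the thread: only the
# sections this check reads, with the decorative brackets shortened.
LOG_RUN1 = r"""
(((((( Other Deletions ))))))
.
c:\windows\Gcuro.dat
c:\windows\Vpapagelewizute.bin
.
--------------- FCopy ---------------
.
"""

LOG_RUN2 = r"""
(((((( Other Deletions ))))))
.
.
--------------- FCopy ---------------
c:\drivers\storage\R130118\iastor.sys --> c:\windows\system32\drivers\iaStor.sys
.
"""

# A section header is a title wrapped in runs of parentheses or dashes.
HEADER_RE = re.compile(r"^(?:\(+\s*(.+?)\s*\)+|-+\s*(.+?)\s*-+)$")


def parse_cfscript(text):
    """Map each 'Name::' directive to the argument lines listed under it."""
    directives, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            directives.setdefault(current, [])
        elif current is not None:
            directives[current].append(line)
    return directives


def parse_log_sections(text):
    """Map each log section title to its non-empty body lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1) or m.group(2)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def norm(path):
    """Windows paths compare case-insensitively; the log quotes some of them."""
    return path.strip().strip('"').lower()


def unconfirmed_actions(cfscript_text, log_text):
    """Return {directive: [requested entries the log does not confirm]}."""
    script = parse_cfscript(cfscript_text)
    log = parse_log_sections(log_text)
    deleted = {norm(p) for p in log.get("Other Deletions", [])}
    copied = {tuple(norm(p) for p in line.split("-->", 1))
              for line in log.get("FCopy", []) if "-->" in line}
    missing = {}
    for path in script.get("File", []):
        if norm(path) not in deleted:
            missing.setdefault("File", []).append(path)
    for entry in script.get("FCopy", []):
        if tuple(norm(p) for p in entry.split("|", 1)) not in copied:
            missing.setdefault("FCopy", []).append(entry)
    return missing


if __name__ == "__main__":
    for name, log in (("first run", LOG_RUN1), ("second run", LOG_RUN2)):
        print(name, "unconfirmed:", unconfirmed_actions(CFSCRIPT, log) or "none")
```

On the first run the script flags the FCopy:: line as unconfirmed; on the second run the copy is confirmed and only the File:: entries are reported, since they had already been deleted and no longer appear under Other Deletions.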

Re: Blue Netsky screen

Post by adgirouard on 21st February 2010, 5:29 pm

I did it last night so I'm not absolutely positive, but I did copy and paste everything that was in the box above. Should I do it again?


Re: Blue Netsky screen

Post by Belahzur on 21st February 2010, 5:38 pm

Yes, make sure you get everything inside my quote box.



Re: Blue Netsky screen

Post by adgirouard on 21st February 2010, 6:27 pm

ComboFix 10-02-19.03 - Owner 02/21/2010 12:08:09.5.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1787 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"c:\windows\Gcuro.dat"
"c:\windows\Vpapagelewizute.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\drivers\storage\R130118\iastor.sys --> c:\windows\system32\drivers\iaStor.sys
.
((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-19 01:36 . 2010-02-19 01:36 -------- d-----w- C:\_OTL
2010-02-18 18:03 . 2010-02-18 18:03 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-01-29 06:45 . 2010-01-29 06:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-27 00:02 . 2010-01-27 00:02 -------- d-----w- c:\documents and settings\Brady.OWNER-B0D885443\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 02:50 . 2009-05-09 04:01 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater
2010-02-21 02:01 . 2007-10-11 00:28 -------- d-----w- c:\program files\LimeWire
2010-02-10 09:01 . 2009-01-14 21:24 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2010-02-03 21:38 . 2009-01-27 22:18 -------- d-----w- c:\program files\World of Warcraft
2010-01-24 05:02 . 2009-10-14 01:41 -------- d-----w- c:\program files\World of Warcraft Public Test
2010-01-24 05:02 . 2007-10-09 11:42 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-01-10 04:44 . 2009-02-09 20:09 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2010-01-10 00:35 . 2009-01-17 20:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-01-05 10:00 . 2006-03-04 03:33 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-10 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 11:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:14 . 2004-08-10 11:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-25 18:21 . 2009-01-18 13:01 -------- d-----w- c:\documents and settings\Troy.OWNER-B0D885443\Application Data\Apple Computer
2009-12-25 14:14 . 2009-01-18 00:57 -------- d-----w- c:\documents and settings\Brady.OWNER-B0D885443\Application Data\Apple Computer
2009-12-25 13:52 . 2009-01-17 20:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2009-12-25 02:29 . 2009-12-24 18:07 0 ---ha-w- c:\documents and settings\Owner\hpothb07.dat
2009-12-24 18:59 . 2009-12-24 18:07 5924 ---ha-w- C:\hpothb07.dat
2009-12-24 17:48 . 2009-12-24 17:36 20454 ----a-w- c:\windows\hpoins01.dat
2009-12-16 12:58 . 2009-01-14 19:07 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:35 . 2004-08-10 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 18:11 . 2005-03-30 01:21 2142720 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 17:35 . 2005-03-30 01:01 2020864 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 14:41 . 2004-08-10 11:00 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:33 . 2004-08-10 11:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:33 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2004-08-10 11:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2004-08-10 11:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2004-08-10 11:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-03-21 03:42 . 2009-03-21 03:42 305 ---ha-w- c:\program files\hpothb07.dat
2009-03-21 03:42 . 2009-03-21 03:42 515 ---ha-w- c:\program files\hpothb07.tif
2008-08-09 23:33 . 2008-08-09 23:33 0 ----a-w- c:\program files\temp01
2008-06-16 01:27 . 2008-06-13 17:45 1254593 ----a-w- c:\program files\WotLK-F&F-enUS-downloader.exe
2010-01-18 20:09 . 2010-01-18 20:09 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-01-18 20:09 . 2010-01-18 20:09 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-01-18 20:10 . 2010-01-18 20:10 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-02-21_00.41.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-21 02:00 . 2010-02-21 02:00 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2010-02-21 09:00 . 2010-02-21 09:00 19210240 c:\windows\Installer\16d14a1.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-12-14 467240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-6 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 14\\pccmain.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/25/2006 8:26 AM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [9/25/2006 8:26 AM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/11/2006 5:11 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [9/25/2006 8:26 AM 566872]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [5/16/2009 8:28 AM 36224]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/29/2006 2:54 PM 280392]
S2 gupdate1c9d05b86bf973;Google Update Service (gupdate1c9d05b86bf973);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 10:02 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-02-21 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8232728900.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2009-06-06 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8236365442.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2010-02-20 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8255979293.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2010-01-24 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8261677408.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2010-02-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 04:01]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-09 04:02]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-09 04:02]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9j828ih8.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9j828ih8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-21 12:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3444)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-21 12:26:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-21 18:26
ComboFix2.txt 2010-02-21 02:33
ComboFix3.txt 2010-02-21 00:48
ComboFix4.txt 2009-10-09 15:46

Pre-Run: 82,517,815,296 bytes free
Post-Run: 82,538,840,064 bytes free

- - End Of File - - 584ED0B12DA6BBCCC24D1B70CE945BC8


Re: Blue Netsky screen

Post by Belahzur on 21st February 2010, 8:16 pm

Hello.
It worked that time, okay, last few things to clean up.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java(TM) 6 Update 11
    LimeWire 5.0.11

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.



Re: Blue Netsky screen

Post by adgirouard on 21st February 2010, 10:05 pm

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16981 (vista_gdr.091215-2244)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=78176bbcb20acf4d93f7993dc888b00f
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2010-02-21 10:01:47
# local_time=2010-02-21 04:01:47 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777195 100 0 36977092 36977092 0 0
# compatibility_mode=1026 16777214 0 2 38326878 38326878 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=167068
# found=58
# cleaned=58
# scan_time=3602
C:\Documents and Settings\Angelique\My Documents\My Downloads\snowwhitesnemesis4.exe multiple threats (deleted - quarantined) 2919BE3EC2E45FBD1583C2678A5260FF C
C:\Documents and Settings\Angelique\My Documents\My Music\LimeWire\cool sources human abstract 192kb.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 877A8EFFDC193DC9B8F00D08EFB9F298 C
C:\Documents and Settings\Angelique\My Documents\My Themes\blackexperience.exe multiple threats (deleted - quarantined) F428150A7557582F7B73B52B063033AD C
C:\Documents and Settings\Angelique\My Documents\My Walpaper\wmoonnight.exe Win32/Adware.OneStep application (deleted - quarantined) FFB99C7A54444B574219DDD9D77A48DB C
C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\sargasso sea.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) A0E8FF9CEAAE51F4A499BC3861A6EDE0 C
C:\Documents and Settings\Troy.OWNER-B0D885443\Desktop\SetupGamevance.exe a variant of Win32/Adware.Gamevance.AE application (cleaned by deleting - quarantined) BE22F445A15857E83EE2C68AB58642FF C
C:\Program Files\Trend Micro\Internet Security 14\BRfD_de4.VIR a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) A1A52BAD4C5467777395DEF74843CEA5 C
C:\Program Files\Trend Micro\Internet Security 14\e002102318801r0409J0b000601R0143fdeeX951a1291Yde4ba96eZ03f017300[1] a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) A1A52BAD4C5467777395DEF74843CEA5 C
C:\Program Files\Trend Micro\Internet Security 14\e002102318801r0409J0b000601X951a154eYde4ba96eZ03f017300[1] a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) A1A52BAD4C5467777395DEF74843CEA5 C
C:\Program Files\Trend Micro\Internet Security 14\e002102801r0409J0b000601X951a1571Yde4ba96eZ03f0173030dP000000090[1] a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) A1A52BAD4C5467777395DEF74843CEA5 C
C:\Program Files\Trend Micro\Internet Security 14\eH8c829754V03f01630002R0143fdee102Tc7bc8747Q000002fd901801F0020000aJ0b000601l04093180[1] a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) 086E95B797E95140808336B819FDCD49 C
C:\Program Files\Trend Micro\Internet Security 14\H8SRTc499.tmp Win32/Adware.CoreguardAntivirus application (cleaned by deleting - quarantined) B52C2ABA109F76371FB16F873BAD3BAB C
C:\Program Files\Trend Micro\Internet Security 14\HHUE_de4.VIR a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) A1A52BAD4C5467777395DEF74843CEA5 C
C:\Program Files\Trend Micro\Internet Security 14\jaws theme song.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 1AE778C955B8558233E66CFCE206202A C
C:\Program Files\Trend Micro\Internet Security 14\ksim_e70.VIR a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) 086E95B797E95140808336B819FDCD49 C
C:\Program Files\Trend Micro\Internet Security 14\mrkgrn.dll_a94.VIR Win32/TrojanDownloader.FakeAlert.UA trojan (cleaned by deleting - quarantined) 06101E5CF00E63E27404AE8123A098B2 C
C:\Program Files\Trend Micro\Internet Security 14\Ooos_28c.VIR a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) DB4374BBEF7025605CD53CDFBBD4B9D3 C
C:\Program Files\Trend Micro\Internet Security 14\pzpsp23511834.exe_abc.VIR Win32/TrojanDownloader.FakeAlert.UA trojan (cleaned by deleting - quarantined) 7B5007C3B4819E72DF56799C4513343C C
C:\Program Files\Trend Micro\Internet Security 14\T-5188466-kayleigh [very good quality]_ab4.VIR a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) D4B4854EEF571808FA73A1F4D99F07C0 C
C:\Program Files\Trend Micro\Internet Security 14\xbuS_dd8.VIR a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) A1A52BAD4C5467777395DEF74843CEA5 C
C:\Program Files\Trend Micro\Internet Security 14\z002102318801r0409J0b000601R0143fdeeXd11cd988Y9a4faa64Z03f017300[1] a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) DB4374BBEF7025605CD53CDFBBD4B9D3 C
C:\Program Files\Trend Micro\Internet Security 14\_VOIDd.sys a variant of Win32/Olmarik.SR trojan (cleaned by deleting - quarantined) 42D1D9D16D4744C485000E499CE8C295 C
C:\Qoobox\Quarantine\C\Program Files\Gamevance\gamevancelib32.dll.vir a variant of Win32/Adware.Gamevance.AA application (cleaned by deleting - quarantined) C9417323BAEEAF0038108416BAE7ECC8 C
C:\Qoobox\Quarantine\C\Program Files\Gamevance\gvtl.dll.vir a variant of Win32/Adware.Gamevance.AB application (cleaned by deleting - quarantined) CB21462ACBADFAE66F4AEE696E6C29E7 C
C:\Qoobox\Quarantine\C\Program Files\Securityessentials2010\SE2010.exe.vir Win32/Adware.AdvancedVirusRemover.B application (cleaned by deleting - quarantined) 9C5D9358A02D8A80B85D54A92EDC10ED C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\hdaihl.sys.vir Win32/SpamTool.Agent.NDR trojan (cleaned by deleting - quarantined) 4C7A681B8F87924370E98AB01412A968 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\00000044.tmp.vir Win32/Olmarik.TN trojan (cleaned by deleting - quarantined) E4EDC2505D7FF83825358C739B0038FA C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\0000646e.tmp.vir Win32/Olmarik.TN trojan (cleaned by deleting - quarantined) E4EDC2505D7FF83825358C739B0038FA C
C:\Qoobox\Quarantine\C\WINDOWS\system32\23281.exe.vir a variant of Win32/Kryptik.CIZ trojan (cleaned by deleting - quarantined) 6EF341EAE123C60D094F7B73BE7D6434 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\a78dz.dll.vir probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 3F12906AE4B6A15BF9B118151C95B2CA C
C:\Qoobox\Quarantine\C\WINDOWS\system32\dojapode.dll.vir a variant of Win32/Kryptik.CIQ trojan (cleaned by deleting - quarantined) FF8A48F063ADD740DE4CCC9ED60B5081 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\helpers32.dll.vir Win32/TrojanDownloader.FakeAlert.AUL trojan (cleaned by deleting - quarantined) 340E56E893582E56DC327458619F4C71 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir a variant of Win32/TrojanClicker.Punad.AA trojan (cleaned by deleting - quarantined) FEE204FF50931BE9287EB2EA890F8E2A C
C:\Qoobox\Quarantine\C\WINDOWS\system32\semajosu.dll.vir a variant of Win32/Kryptik.CIQ trojan (cleaned by deleting - quarantined) FF8A48F063ADD740DE4CCC9ED60B5081 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\smss32.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) DCEB3622D1325817CD55EE92F1B1EEA9 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\sshnas21.dll.vir a variant of Win32/Kryptik.CLW trojan (cleaned by deleting - quarantined) 5898A25738A35CE000C3A822DCD835D4 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\togobanu.dll.vir a variant of Win32/Kryptik.CIQ trojan (cleaned by deleting - quarantined) 3BBD3B7C8C33B5FD0EE6A205F9B95EB9 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon32.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) DCEB3622D1325817CD55EE92F1B1EEA9 C
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir a variant of Win32/Kryptik.CLW trojan (cleaned by deleting - quarantined) 15D2D092ACF3A3983B6AC1C5A52CFD9F C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP715\A0141691.dll Win32/TrojanDownloader.FakeAlert.UA trojan (cleaned by deleting - quarantined) 06101E5CF00E63E27404AE8123A098B2 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP715\A0142726.dll Win32/TrojanDownloader.FakeAlert.UA trojan (cleaned by deleting - quarantined) 06101E5CF00E63E27404AE8123A098B2 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP724\A0151758.dll Win32/TrojanDownloader.FakeAlert.UA trojan (cleaned by deleting - quarantined) 06101E5CF00E63E27404AE8123A098B2 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP724\A0151759.exe Win32/TrojanDownloader.FakeAlert.UA trojan (cleaned by deleting - quarantined) 7B5007C3B4819E72DF56799C4513343C C
C:\System Volume Information\_restore{905D8BD0-D34A-48CC-B796-FD60BD96415A}\RP0\A0000024.dll a variant of Win32/Kryptik.CLA trojan (cleaned by deleting - quarantined) 96893165BB2CA2341E6DBB5A20DF8760 C
C:\System Volume Information\_restore{905D8BD0-D34A-48CC-B796-FD60BD96415A}\RP0\A0000025.dll a variant of Win32/Kryptik.CIQ trojan (cleaned by deleting - quarantined) 52AEFC12895819344283F70827C62FE9 C
C:\System Volume Information\_restore{905D8BD0-D34A-48CC-B796-FD60BD96415A}\RP0\A0000026.dll a variant of Win32/Kryptik.CIQ trojan (cleaned by deleting - quarantined) 6F20912603999EFDF7543F8BDB8FB606 C
C:\System Volume Information\_restore{905D8BD0-D34A-48CC-B796-FD60BD96415A}\RP0\A0000027.dll a variant of Win32/Kryptik.CMN trojan (cleaned by deleting - quarantined) 2E3DD34D262274048817484EDE1D8FEA C
C:\System Volume Information\_restore{905D8BD0-D34A-48CC-B796-FD60BD96415A}\RP0\A0000028.dll a variant of Win32/Kryptik.CIQ trojan (cleaned by deleting - quarantined) A7532F6F1052CBC28E25C09C4663FE4F C
C:\System Volume Information\_restore{905D8BD0-D34A-48CC-B796-FD60BD96415A}\RP0\A0000029.dll a variant of Win32/Kryptik.CIQ trojan (cleaned by deleting - quarantined) 52AEFC12895819344283F70827C62FE9 C
C:\System Volume Information\_restore{905D8BD0-D34A-48CC-B796-FD60BD96415A}\RP0\A0000030.dll a variant of Win32/Kryptik.CIQ trojan (cleaned by deleting - quarantined) 47005ABE765816D52E2F3F523D99C324 C
C:\System Volume Information\_restore{905D8BD0-D34A-48CC-B796-FD60BD96415A}\RP0\A0000031.dll a variant of Win32/Kryptik.CIQ trojan (cleaned by deleting - quarantined) 0289243625A2E4A1620503D4131E5BF3 C
C:\System Volume Information\_restore{905D8BD0-D34A-48CC-B796-FD60BD96415A}\RP0\A0000032.dll a variant of Win32/Kryptik.CIQ trojan (cleaned by deleting - quarantined) FF8A48F063ADD740DE4CCC9ED60B5081 C
C:\System Volume Information\_restore{905D8BD0-D34A-48CC-B796-FD60BD96415A}\RP0\A0000033.dll a variant of Win32/Kryptik.CIQ trojan (cleaned by deleting - quarantined) FF8A48F063ADD740DE4CCC9ED60B5081 C
C:\System Volume Information\_restore{905D8BD0-D34A-48CC-B796-FD60BD96415A}\RP2\A0000776.exe multiple threats (deleted - quarantined) 2919BE3EC2E45FBD1583C2678A5260FF C
C:\System Volume Information\_restore{905D8BD0-D34A-48CC-B796-FD60BD96415A}\RP2\A0000777.exe multiple threats (deleted - quarantined) F428150A7557582F7B73B52B063033AD C
C:\System Volume Information\_restore{905D8BD0-D34A-48CC-B796-FD60BD96415A}\RP2\A0000778.exe Win32/Adware.OneStep application (deleted - quarantined) FFB99C7A54444B574219DDD9D77A48DB C
C:\System Volume Information\_restore{905D8BD0-D34A-48CC-B796-FD60BD96415A}\RP2\A0000779.exe a variant of Win32/Adware.Gamevance.AE application (cleaned by deleting - quarantined) BE22F445A15857E83EE2C68AB58642FF C
C:\System Volume Information\_restore{905D8BD0-D34A-48CC-B796-FD60BD96415A}\RP2\A0000780.sys a variant of Win32/Olmarik.SR trojan (cleaned by deleting - quarantined) 42D1D9D16D4744C485000E499CE8C295 C


Re: Blue Netsky screen

Post by adgirouard on 21st February 2010, 10:07 pm

BTW I did remove Limewire, Java, and Ask Toolbar last night. I did it in normal mode and not safe mode. When I checked both normal and safe mode today it's not showing up in the add/remove programs box.


Re: Blue Netsky screen

Post by Belahzur on 21st February 2010, 11:52 pm

Hello.

Looks like this infection came from Limewire; ESET found these:

C:\Documents and Settings\Angelique\My Documents\My Downloads\snowwhitesnemesis4.exe
C:\Documents and Settings\Angelique\My Documents\My Music\LimeWire\cool sources human abstract 192kb.mp3
C:\Documents and Settings\Angelique\My Documents\My Themes\blackexperience.exe
C:\Documents and Settings\Angelique\My Documents\My Walpaper\wmoonnight.exe
C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\sargasso sea.mp3

Guessing they all came through Limewire?

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?




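The reply above reasons about the ESET findings by hand: which hits sit in a P2P download folder, and which are merely copies already held in a quarantine or a System Restore snapshot. The following script is an added example (not part of the thread, and not ESET's or the forum's tooling) that parses lines in the `<path> <detection> (<action>) <MD5> C` shape of the log posted earlier and sorts them the same way; the rule that `.VIR` copies under the Trend Micro directory are that product's quarantine is an assumption.

```python
"""Triage helper for an ESET Online Scanner log like the one posted above.

Added example, not part of the original thread and not ESET's or the forum's
own tooling. It groups detections by where the file sat, so copies already
held in a quarantine folder or a System Restore snapshot are not counted as
live infections, and lists files that arrived through a P2P download folder.
"""
import re
from collections import Counter

# Six lines taken from the 58-line ESET log in the post above.
SAMPLE_LOG = r"""
# found=58
C:\Documents and Settings\Angelique\My Documents\My Downloads\snowwhitesnemesis4.exe multiple threats (deleted - quarantined) 2919BE3EC2E45FBD1583C2678A5260FF C
C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\sargasso sea.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) A0E8FF9CEAAE51F4A499BC3861A6EDE0 C
C:\Program Files\Trend Micro\Internet Security 14\HHUE_de4.VIR a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) A1A52BAD4C5467777395DEF74843CEA5 C
C:\Program Files\Trend Micro\Internet Security 14\_VOIDd.sys a variant of Win32/Olmarik.SR trojan (cleaned by deleting - quarantined) 42D1D9D16D4744C485000E499CE8C295 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\smss32.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) DCEB3622D1325817CD55EE92F1B1EEA9 C
C:\System Volume Information\_restore{905D8BD0-D34A-48CC-B796-FD60BD96415A}\RP2\A0000780.sys a variant of Win32/Olmarik.SR trojan (cleaned by deleting - quarantined) 42D1D9D16D4744C485000E499CE8C295 C
"""

# A Windows path never contains "/", while an ESET detection name always has a
# "family/name" token (or reads "multiple threats"). The non-greedy path group
# therefore stops at the first point where the remainder looks like a detection.
LINE_RE = re.compile(
    r"^(?P<path>[^/]+?) "
    r"(?P<name>(?:probably )?(?:a variant of )?\S+/\S+ [a-z]+|multiple threats) "
    r"\((?P<action>[^)]+)\) (?P<md5>[0-9A-Fa-f]{32}) C$"
)


def parse_line(line: str):
    """Return the fields of one detection line, or None for header/blank lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def family(name: str) -> str:
    """'a variant of Win32/Olmarik.SV trojan' -> 'Win32/Olmarik' (variant suffix dropped)."""
    if name == "multiple threats":
        return name
    token = name.replace("probably ", "").replace("a variant of ", "").split()[0]
    return token.rsplit(".", 1)[0] if "." in token else token


def classify(path: str) -> str:
    """Where the file sat: only 'live' entries were reachable on the running system."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):
        return "combofix_quarantine"   # ComboFix's own quarantine (.vir copies)
    if r"\system volume information\_restore" in p:
        return "restore_point"         # copy inside a System Restore snapshot
    if p.endswith(".vir"):
        return "av_quarantine"         # assumption: renamed copy held by another AV
    return "live"


def came_via_p2p(path: str) -> bool:
    """Flag files under a LimeWire folder, the P2P-origin hypothesis in the reply."""
    return "\\limewire\\" in path.lower()


def triage(log_text: str) -> dict:
    """Summarise a whole log: counts by location and family, plus live/P2P paths."""
    hits = [h for h in map(parse_line, log_text.splitlines()) if h]
    return {
        "hits": len(hits),
        # the same MD5 at several locations is one sample, not several infections
        "unique_samples": len({h["md5"].upper() for h in hits}),
        "by_location": Counter(classify(h["path"]) for h in hits),
        "by_family": Counter(family(h["name"]) for h in hits),
        "live_paths": [h["path"] for h in hits if classify(h["path"]) == "live"],
        "p2p_paths": [h["path"] for h in hits if came_via_p2p(h["path"])],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full 58-line log, the same grouping shows how many of the hits are quarantine or restore-point copies of a handful of distinct samples rather than separate live infections.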

Re: Blue Netsky screen

Post by adgirouard on 22nd February 2010, 12:00 am

Those are old files downloaded a long time ago. He was downloading from just a generic site when the infection happened. It's running fine; after the first scan the fake virus pop-up stopped. It was still trying to open new tabs every time I got on the internet. But I've been in safe mode for the last few scans of stuff so I don't know what it's doing.


Re: Blue Netsky screen

Post by adgirouard on 22nd February 2010, 12:01 am

Should I remove goored, systemlook and OTL also?


Re: Blue Netsky screen

Post by Belahzur on 22nd February 2010, 12:22 am

Yes. Boot to normal mode please, let me know what's happening; the logs look good now.



Re: Blue Netsky screen

Post by adgirouard on 22nd February 2010, 12:27 am

Everything seems to be running fine, no pop-ups, and when I'm on Firefox it's not trying to open more tabs on its own.

To remove those programs use add/uninstall programs?


Re: Blue Netsky screen

Post by Belahzur on 22nd February 2010, 1:10 am

No, just delete them. GooredFix and whatnot don't install; they just run when needed.



Re: Blue Netsky screen

Post by adgirouard on 22nd February 2010, 2:07 pm

Thanks so much for all your help.


Re: Blue Netsky screen

Post by Belahzur on 22nd February 2010, 8:51 pm

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

Spybot
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.

