win blue malware?


Re: win blue malware?

Post by waderight on Fri May 22, 2009 2:26 am

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRELI]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2hib]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PnkBstrA]
"ImagePath"="c:\windows\system32\PnkBstrA.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PnkBstrB]
"ImagePath"="c:\windows\system32\PnkBstrB.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PptpMiniport]
"ImagePath"="system32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSched]
"ImagePath"="system32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ptilink]
"ImagePath"="system32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PxHelp20]
"ImagePath"="System32\Drivers\PxHelp20.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\QBCFMonitorService]
"ImagePath"="\"c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\QBFCService]
"ImagePath"="\"c:\program files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1080]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ql10wnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql12160]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1240]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1280]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAcd]
"ImagePath"="system32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasl2tp]
"ImagePath"="system32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasPppoe]
"ImagePath"="system32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Raspti]
"ImagePath"="system32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rdbss]
"ImagePath"="system32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdpdr]
"ImagePath"="system32\DRIVERS\rdpdr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgr]
"ImagePath"="c:\windows\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\REGHOOK]
"ImagePath"="\??\c:\windows\System32\Drivers\REGHOOK.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteRegistry]
"ServiceDll"="%SystemRoot%\system32\regsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcLocator]
"ImagePath"="%SystemRoot%\system32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSs]
"ServiceDll"="%SystemRoot%\System32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RSVP]
"ImagePath"="%SystemRoot%\system32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ScsiPort]
"ImagePath"="%SystemRoot%\system32\drivers\scsiport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sdAuxService]
"ImagePath"="c:\program files\Spyware Doctor\pctsAuxs.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sdCoreService]
"ImagePath"="c:\program files\Spyware Doctor\pctsSvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Secdrv]
"ImagePath"="system32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelOperation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelService 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SMSvcHost 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sparrow]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sr]
"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservice]
"ServiceDll"="c:\windows\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Srv]
"ImagePath"="system32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"


Re: win blue malware?

Post by waderight on Fri May 22, 2009 2:26 am

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\STHDA]
"ImagePath"="system32\drivers\sthda.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swenum]
"ImagePath"="system32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SwPrv]
"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{93A44E3E-59FF-4964-9930-2D856FE1254C}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swwd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc810]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc8xx]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_hi]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_u3]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermDD]
"ImagePath"="system32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TlntSvr]
"ImagePath"="c:\windows\system32\tlntsvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TosIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ultra]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UMWdf]
"ImagePath"="c:\windows\system32\wdfmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update]
"ImagePath"="system32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usb]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbaudio]
"ImagePath"="system32\drivers\usbaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbccgp]
"ImagePath"="system32\DRIVERS\usbccgp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbehci]
"ImagePath"="system32\DRIVERS\usbehci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbhub]
"ImagePath"="system32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbprint]
"ImagePath"="system32\DRIVERS\usbprint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbscan]
"ImagePath"="system32\DRIVERS\usbscan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbstor]
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbuhci]
"ImagePath"="system32\DRIVERS\usbuhci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"


Re: win blue malware?

Post by waderight on Fri May 22, 2009 2:27 am

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ViaIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSPD]
"ImagePath"="\??\c:\windows\System32\Drivers\VSPD.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VXD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W32Time]
"ServiceDll"="%systemroot%\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W3SVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wanarp]
"ImagePath"="system32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebPost]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows Workflow Foundation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSN]
"ServiceDll"="c:\windows\system32\MsPMSNSv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wmi]
"ServiceDll"="%SystemRoot%\System32\advapi32.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrv]
"ImagePath"="c:\windows\system32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WS2IFSL]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{1BE09C5A-D434-40F3-A258-AF9A3120A60C}]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\ASWLNDLL.dll

- - - - - - - > 'explorer.exe'(6012)
c:\program files\Spyware Doctor\pctgmhk.dll
.
Completion time: 2009-05-22 22:23
ComboFix-quarantined-files.txt 2009-05-22 02:23
ComboFix2.txt 2009-05-22 01:14

Pre-Run: 196,521,664,512 bytes free
Post-Run: 196,516,024,320 bytes free

735 --- E O F --- 2009-04-15 19:07


Re: win blue malware?

Post by Origin on Fri May 22, 2009 3:01 am

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    c:\windows\system32\20494no9-z-vi5us7.bin


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Re: win blue malware?

Post by waderight on Fri May 22, 2009 3:10 am

========== FILES ==========
c:\windows\system32\20494no9-z-vi5us7.bin moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05212009_230911


Re: win blue malware?

Post by Origin on Fri May 22, 2009 3:16 am

how are things on your end?


Re: win blue malware?

Post by Origin on Fri May 22, 2009 3:17 am

how are things on your end?


Re: win blue malware?

Post by waderight on Fri May 22, 2009 3:22 am

So far so good. I do have a Clicksor redirecting bug that I have had for several days now. We don't have to do that now unless you have a quick solution. Either way you have been a great help. I'm amazed. You guys are great, no kidding.


Re: win blue malware?

Post by Origin on Fri May 22, 2009 3:24 am

Are these redirections happening in Firefox?


Re: win blue malware?

Post by waderight on Fri May 22, 2009 3:26 am

No. I have explorer and yahoo. Is that what you need to know?


Re: win blue malware?

Post by Origin on Fri May 22, 2009 3:27 am

can you post a fresh HijackThis log.


Re: win blue malware?

Post by waderight on Fri May 22, 2009 3:29 am

Yes


Re: win blue malware?

Post by waderight on Fri May 22, 2009 3:30 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:38 PM, on 5/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AppStream\WindowsClient\Bin\AppMgrGui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppMgrGui] C:\Program Files\AppStream\WindowsClient\bin\exeForService.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {3356DB7C-58A7-11D4-AA5C-006097314BF8} (LaunchObj Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: ASWLNDLL - C:\WINDOWS\SYSTEM32\ASWLNDLL.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AWE 5.1.0 Application Manager (AppMgrService) - AppStream Inc. - C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1c9bb11483f0eaf) (gupdate1c9bb11483f0eaf) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9136 bytes


Re: win blue malware?

Post by Origin on Fri May 22, 2009 4:00 am

Redirects of the kind you describe can be caused by a modified hosts file, so the next step is to restore the default one. Download HostsXpert from [You must be registered and logged in to see this link.]

  • Unzip it.
  • Right click the program > "Run as administrator" to open the program.
  • If "Make writeable?" is shown in red at the top, click it to make writeable.
  • Press "Restore MS Hosts File"
  • OK the prompt.
  • Then click on "Make read only"
  • Exit HostXpert.


Re: win blue malware?

Post by waderight on Fri May 22, 2009 4:05 am

OK I did it. Is that all?


Re: win blue malware?

Post by waderight on Fri May 22, 2009 4:30 am

Thanks


Re: win blue malware?

Post by Origin on Fri May 22, 2009 4:32 am

This is stumping me, as I don't see anything in HijackThis. I would recommend using Firefox, though, as it is more secure than Internet Explorer.


Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free program, which will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck. Big Grin


Redirecting prob

Post by waderight on Fri May 22, 2009 5:22 am

This bug won't let me go to windows update. It sends me to google search page. I even had my windows auto update set for once a day and I'm guessing it hasn't been working. Anytime I try to get updates or info to cure it, it seems to know what I'm doing and redirects me. I did download Firefox though. I'm off to bed. I'll be back sometime after noon. If you figure it out, just let me know. Thanks again.


Re: win blue malware?

Post by Origin on Sat May 23, 2009 12:44 am

Download [You must be registered and logged in to see this link.]

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)




Re: win blue malware?

Post by waderight on Sat May 23, 2009 12:12 pm

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel(R) Pentium(R) D CPU 2.80GHz )
BIOS : Phoenix ROM BIOS PLUS Version 1.10 A05
USER : PRESTON WRIGHT ( Administrator )
BOOT : Normal boot
Antivirus : AVG Anti-Virus Free 8.5 (Activated)
C:\ (Local Disk) - NTFS - Total:232 Go (Free:182 Go)
E:\ (USB)
F:\ (CD or DVD) - UDF - Total:6 Go (Free:0 Go)
G:\ (CD or DVD) - CDFS - Total:0 Go (Free:0 Go)
H:\ (Local Disk) - FAT32 - Total:149 Go (Free:64 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Sat 05/23/2009| 8:02 )

--------------------\\ Listing folders in APPLIC~1

[03/08/2009|10:04] C:\DOCUME~1\ADMINI~1\APPLIC~1\ Microsoft

[08/17/2008|07:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Adobe
[01/11/2009|08:39] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Apple Computer
[01/11/2009|08:39] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ ArcSoft
[08/26/2007|11:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Broderbund Software
[10/18/2008|03:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ BVRP Software
[08/23/2007|01:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ DIGStream
[11/03/2008|11:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ GARMIN
[02/13/2009|09:28] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Google
[03/06/2009|08:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Google Updater
[08/23/2007|02:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ InstallShield
[08/23/2007|03:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Intuit
[12/12/2007|03:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ iolo
[01/11/2009|08:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Kodak
[10/24/2008|08:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ McAfee
[12/05/2007|08:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Microsoft
[08/27/2007|05:03] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Microsoft Help
[10/28/2008|01:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ PC Drivers HeadQuarters
[08/26/2007|11:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Riverdeep Interactive Learning Limited
[10/06/2008|09:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ SiteAdvisor
[08/23/2007|02:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Sonic
[08/23/2007|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Symantec
[11/15/2008|12:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ The Generations Network
[08/09/2008|01:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Ubisoft
[08/30/2007|01:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Windows Genuine Advantage
[12/26/2008|11:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ WinZip
[08/27/2007|10:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Yahoo!
[12/31/2007|08:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Yahoo! Companion

[04/05/2009|09:32] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ {00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[04/05/2009|09:37] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ 1026A
[03/18/2009|12:17] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ Adobe
[04/05/2009|09:30] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ Apple
[04/05/2009|09:31] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ Apple Computer
[03/07/2009|10:20] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ avg8
[03/08/2009|05:02] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ Broderbund Software
[03/07/2009|08:48] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ Citrix
[03/08/2009|12:50] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ COMMON FILES
[03/07/2009|06:00] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ DIGStream
[03/08/2009|09:28] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ EPSON
[04/12/2009|11:48] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ GARMIN
[05/23/2009|03:26] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ Google Updater
[03/08/2009|01:44] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ Intuit
[04/21/2009|08:48] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ Kodak
[05/14/2009|11:20] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ Malwarebytes
[03/07/2009|10:08] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ Microsoft
[03/08/2009|02:19] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ NOS
[05/21/2009|03:38] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ PC Tools
[03/08/2009|05:10] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ Riverdeep Interactive Learning Limited
[03/08/2009|12:23] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ Sonic
[03/08/2009|01:08] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ SQL Anywhere 10
[05/23/2009|04:27] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ TEMP
[03/08/2009|01:19] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ Windows Genuine Advantage
[05/21/2009|02:52] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ Yahoo!
[05/21/2009|02:52] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ Yahoo! Companion

[08/23/2007|01:17] C:\DOCUME~1\DEFAUL~1\APPLIC~1\ Microsoft

[05/18/2009|03:09] C:\DOCUME~1\DEFAUL~1.WIN\APPLIC~1\ Macromedia
[03/07/2009|05:50] C:\DOCUME~1\DEFAUL~1.WIN\APPLIC~1\ Microsoft

[09/01/2007|12:42] C:\DOCUME~1\LOCALS~1\APPLIC~1\ Microsoft
[11/07/2008|09:31] C:\DOCUME~1\LOCALS~1\APPLIC~1\ SACore

[03/07/2009|10:20] C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\ Microsoft

[08/23/2007|01:20] C:\DOCUME~1\NETWOR~1\APPLIC~1\ Microsoft
[08/23/2007|03:04] C:\DOCUME~1\NETWOR~1\APPLIC~1\ Symantec

[03/07/2009|10:20] C:\DOCUME~1\NETWOR~1.NTA\APPLIC~1\ Microsoft

[08/17/2008|07:12] C:\DOCUME~1\preston\APPLIC~1\ Adobe
[01/14/2009|02:05] C:\DOCUME~1\preston\APPLIC~1\ AdobeUM
[01/16/2009|01:12] C:\DOCUME~1\preston\APPLIC~1\ Apple Computer
[01/12/2009|08:39] C:\DOCUME~1\preston\APPLIC~1\ ArcSoft
[01/14/2009|02:05] C:\DOCUME~1\preston\APPLIC~1\ com.adobe.example.NFL-Countdown.7AE105D383F287E7D49518EE19AFF40385BCDC49.1
[01/14/2009|02:05] C:\DOCUME~1\preston\APPLIC~1\ EPSON
[11/09/2008|10:42] C:\DOCUME~1\preston\APPLIC~1\ GARMIN
[03/07/2009|04:08] C:\DOCUME~1\preston\APPLIC~1\ GetRightToGo
[01/13/2009|11:50] C:\DOCUME~1\preston\APPLIC~1\ Google
[04/26/2008|09:36] C:\DOCUME~1\preston\APPLIC~1\ Help
[11/10/2008|09:42] C:\DOCUME~1\preston\APPLIC~1\ Identities
[12/12/2007|03:38] C:\DOCUME~1\preston\APPLIC~1\ iolo
[11/15/2008|12:22] C:\DOCUME~1\preston\APPLIC~1\ KeyingTool
[02/04/2009|08:26] C:\DOCUME~1\preston\APPLIC~1\ KodakCredentialStore
[08/24/2007|06:19] C:\DOCUME~1\preston\APPLIC~1\ Leadertech
[08/23/2007|02:13] C:\DOCUME~1\preston\APPLIC~1\ Macromedia
[10/24/2008|08:33] C:\DOCUME~1\preston\APPLIC~1\ McAfee
[10/23/2008|09:21] C:\DOCUME~1\preston\APPLIC~1\ Microsoft
[06/30/2008|04:21] C:\DOCUME~1\preston\APPLIC~1\ Millennia
[08/23/2007|03:55] C:\DOCUME~1\preston\APPLIC~1\ MyFamily.com
[11/11/2007|09:41] C:\DOCUME~1\preston\APPLIC~1\ Progeny
[12/05/2007|08:34] C:\DOCUME~1\preston\APPLIC~1\ SecuROM
[01/11/2009|08:43] C:\DOCUME~1\preston\APPLIC~1\ Skinux
[12/12/2007|02:41] C:\DOCUME~1\preston\APPLIC~1\ Sonic
[08/25/2007|06:02] C:\DOCUME~1\preston\APPLIC~1\ Sun
[08/23/2007|02:29] C:\DOCUME~1\preston\APPLIC~1\ Symantec
[01/19/2009|07:44] C:\DOCUME~1\preston\APPLIC~1\ U3
[12/26/2007|10:44] C:\DOCUME~1\preston\APPLIC~1\ WinRAR
[11/09/2008|07:21] C:\DOCUME~1\preston\APPLIC~1\ Yahoo!

[05/20/2009|11:21] C:\DOCUME~1\PRESTO~1\APPLIC~1\ Adobe
[05/17/2009|08:03] C:\DOCUME~1\PRESTO~1\APPLIC~1\ Apple Computer
[05/21/2009|02:52] C:\DOCUME~1\PRESTO~1\APPLIC~1\ AVGTOOLBAR
[05/16/2009|08:45] C:\DOCUME~1\PRESTO~1\APPLIC~1\ com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[03/08/2009|01:02] C:\DOCUME~1\PRESTO~1\APPLIC~1\ Download Manager
[05/12/2009|06:24] C:\DOCUME~1\PRESTO~1\APPLIC~1\ dtuser
[04/12/2009|11:48] C:\DOCUME~1\PRESTO~1\APPLIC~1\ GARMIN
[04/11/2009|09:53] C:\DOCUME~1\PRESTO~1\APPLIC~1\ Google
[04/02/2009|03:28] C:\DOCUME~1\PRESTO~1\APPLIC~1\ Help
[03/07/2009|06:38] C:\DOCUME~1\PRESTO~1\APPLIC~1\ Identities
[03/07/2009|09:26] C:\DOCUME~1\PRESTO~1\APPLIC~1\ Macromedia
[05/14/2009|11:20] C:\DOCUME~1\PRESTO~1\APPLIC~1\ Malwarebytes
[03/22/2009|01:35] C:\DOCUME~1\PRESTO~1\APPLIC~1\ Microsoft
[03/24/2009|09:40] C:\DOCUME~1\PRESTO~1\APPLIC~1\ Millennia
[05/22/2009|12:46] C:\DOCUME~1\PRESTO~1\APPLIC~1\ Mozilla
[05/21/2009|03:38] C:\DOCUME~1\PRESTO~1\APPLIC~1\ PC Tools
[05/21/2009|02:52] C:\DOCUME~1\PRESTO~1\APPLIC~1\ U3
[05/21/2009|02:55] C:\DOCUME~1\PRESTO~1\APPLIC~1\ Yahoo!

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[05/23/2009 03:26 AM][--a------] C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job
[05/23/2009 03:26 AM][--a------] C:\WINDOWS\tasks\Google Software Updater.job
[05/21/2009 10:24 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/10/2004 07:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[03/08/2009|07:24] C:\Program Files\ Activision
[05/16/2009|09:16] C:\Program Files\ Adobe
[03/08/2009|12:39] C:\Program Files\ Akamai
[04/05/2009|09:31] C:\Program Files\ Apple Software Update
[04/02/2009|05:57] C:\Program Files\ AppStream
[03/07/2009|10:20] C:\Program Files\ AVG
[05/05/2008|01:49] C:\Program Files\ BCL Technologies
[04/05/2009|09:36] C:\Program Files\ BearShare Applications
[02/01/2008|03:59] C:\Program Files\ Belkin
[04/05/2009|09:32] C:\Program Files\ Bonjour
[03/29/2009|01:29] C:\Program Files\ Broderbund
[03/07/2009|08:47] C:\Program Files\ Citrix
[05/21/2009|10:19] C:\Program Files\ Common Files
[08/23/2007|01:13] C:\Program Files\ ComPlus Applications
[03/13/2009|04:55] C:\Program Files\ Coupons
[03/08/2009|12:23] C:\Program Files\ Dell
[03/07/2009|10:54] C:\Program Files\ DIGStream
[05/21/2009|02:55] C:\Program Files\ DivX


Re: win blue malware?

Post by waderight on Sat May 23, 2009 12:13 pm

[08/23/2007|01:24] C:\Program Files\ EnglishOtto
[03/08/2009|12:45] C:\Program Files\ epson
[05/21/2009|02:52] C:\Program Files\ GemMaster
[05/21/2009|02:54] C:\Program Files\ Google
[03/27/2009|02:43] C:\Program Files\ Homestead
[03/08/2009|12:45] C:\Program Files\ InstallShield Installation Information
[04/02/2009|03:28] C:\Program Files\ Instant Photo Album
[08/23/2007|01:52] C:\Program Files\ Intel
[03/08/2009|12:23] C:\Program Files\ InterActual
[04/15/2009|03:07] C:\Program Files\ Internet Explorer
[03/08/2009|12:54] C:\Program Files\ Intuit
[04/05/2009|09:32] C:\Program Files\ iPod
[04/05/2009|09:32] C:\Program Files\ iTunes
[05/21/2009|06:33] C:\Program Files\ Java
[05/21/2009|02:54] C:\Program Files\ Malwarebytes' Anti-Malware
[03/08/2009|09:31] C:\Program Files\ Messenger
[08/30/2007|01:45] C:\Program Files\ MFInstall
[08/23/2007|03:38] C:\Program Files\ Microsoft ActiveSync
[08/23/2007|01:17] C:\Program Files\ microsoft frontpage
[08/23/2007|03:38] C:\Program Files\ Microsoft Office
[08/27/2007|05:03] C:\Program Files\ Microsoft WSE
[08/23/2007|03:37] C:\Program Files\ Microsoft.NET
[03/07/2009|10:04] C:\Program Files\ Millennia
[10/18/2007|05:52] C:\Program Files\ Motorola
[03/08/2009|09:20] C:\Program Files\ Movie Maker
[05/23/2009|08:00] C:\Program Files\ Mozilla Firefox
[02/16/2009|01:59] C:\Program Files\ MSBuild
[12/10/2008|07:27] C:\Program Files\ MSN
[08/23/2007|01:11] C:\Program Files\ MSN Gaming Zone
[08/24/2007|06:31] C:\Program Files\ MSXML 4.0
[12/06/2007|04:54] C:\Program Files\ MySoftware
[03/08/2009|09:17] C:\Program Files\ NetMeeting
[03/08/2009|02:19] C:\Program Files\ NOS
[08/23/2007|01:13] C:\Program Files\ Online Services
[03/08/2009|09:31] C:\Program Files\ Outlook Express
[10/28/2008|01:48] C:\Program Files\ PC Drivers HeadQuarters
[03/22/2009|01:39] C:\Program Files\ Photo Print Gold
[04/05/2009|09:31] C:\Program Files\ QuickTime
[02/16/2009|01:59] C:\Program Files\ Reference Assemblies
[03/07/2009|06:03] C:\Program Files\ RGB
[08/23/2007|02:38] C:\Program Files\ Roxio
[08/23/2007|02:15] C:\Program Files\ SigmaTel
[05/21/2009|03:39] C:\Program Files\ Spyware Doctor
[08/05/2008|04:00] C:\Program Files\ Sun
[08/23/2007|02:57] C:\Program Files\ SymNetDrv
[11/15/2008|12:20] C:\Program Files\ The Generations Network
[05/21/2009|12:57] C:\Program Files\ Trend Micro
[08/23/2007|01:31] C:\Program Files\ Uninstall Information
[04/02/2009|03:56] C:\Program Files\ Web Publish
[08/31/2007|05:04] C:\Program Files\ Windows Media Connect 2
[03/08/2009|09:16] C:\Program Files\ Windows Media Player
[03/08/2009|09:16] C:\Program Files\ Windows NT
[08/23/2007|01:13] C:\Program Files\ Windows Plus
[08/23/2007|01:15] C:\Program Files\ WindowsUpdate
[12/26/2007|10:43] C:\Program Files\ WinRAR
[12/26/2008|11:45] C:\Program Files\ WMV9_VCM
[08/23/2007|01:17] C:\Program Files\ xerox
[08/27/2007|10:47] C:\Program Files\ Yahoo!
[08/25/2007|10:49] C:\Program Files\ ZakFromAnotherPlanet

--------------------\\ Listing Folders in C:\Program Files\Common Files

[03/08/2009|01:33] C:\Program Files\Common Files\ Adobe
[08/17/2008|07:12] C:\Program Files\Common Files\ Adobe AIR
[03/08/2009|01:43] C:\Program Files\Common Files\ AnswerWorks 4.0
[04/05/2009|09:30] C:\Program Files\Common Files\ Apple
[01/11/2009|08:39] C:\Program Files\Common Files\ ArcSoft
[08/26/2007|11:06] C:\Program Files\Common Files\ Broderbund
[08/23/2007|03:38] C:\Program Files\Common Files\ DESIGNER
[05/21/2009|02:55] C:\Program Files\Common Files\ DivX Shared
[08/23/2007|02:40] C:\Program Files\Common Files\ InstallShield
[03/08/2009|12:55] C:\Program Files\Common Files\ Intuit
[08/25/2007|06:00] C:\Program Files\Common Files\ Java
[01/11/2009|08:35] C:\Program Files\Common Files\ Kodak
[05/07/2008|02:57] C:\Program Files\Common Files\ McAfee
[01/25/2008|10:27] C:\Program Files\Common Files\ merlin
[12/26/2007|05:51] C:\Program Files\Common Files\ Microsoft Shared
[08/23/2007|01:15] C:\Program Files\Common Files\ MSSoap
[12/06/2007|04:54] C:\Program Files\Common Files\ MySoftware
[08/22/2007|06:08] C:\Program Files\Common Files\ ODBC
[05/21/2009|03:39] C:\Program Files\Common Files\ PC Tools
[08/23/2007|02:36] C:\Program Files\Common Files\ Roxio Shared
[08/23/2007|01:15] C:\Program Files\Common Files\ Services
[03/08/2009|12:23] C:\Program Files\Common Files\ Sonic Shared
[08/22/2007|06:08] C:\Program Files\Common Files\ SpeechEngines
[09/30/2008|07:04] C:\Program Files\Common Files\ Streetwise Shared
[03/08/2009|12:57] C:\Program Files\Common Files\ supportsoft
[08/23/2007|03:20] C:\Program Files\Common Files\ SWF Studio
[03/08/2009|09:31] C:\Program Files\Common Files\ System
[08/23/2007|02:40] C:\Program Files\Common Files\ TiVo Shared

--------------------\\ Process

( 55 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\PRESTO~1\Cookies\preston_wright@advertising[1].txt
C:\DOCUME~1\PRESTO~1\Cookies\preston_wright@bid.advertising[2].txt
C:\DOCUME~1\PRESTO~1\Cookies\preston_wright@partypoker[1].txt
C:\DOCUME~1\PRESTO~1\Cookies\preston_wright@888[2].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-23 08:08:26
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections


No other infections found !

[F:3][D:1]-> C:\DOCUME~1\PRESTO~1\LOCALS~1\Temp
[F:1411][D:0]-> C:\DOCUME~1\PRESTO~1\Cookies
[F:7107][D:14]-> C:\DOCUME~1\PRESTO~1\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Sat 05/23/2009| 8:10 - Option : [1]

--------------------\\ Scan completed at 8:10:13


Re: win blue malware?

Post by Origin on Sat May 23, 2009 4:36 pm

Download [You must be registered and logged in to see this link.]

Double-click Lop S&D.exe
Choose the language, then choose Option 2 (Fix + Hosts)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)




Re: win blue malware?

Post by waderight on Sat May 23, 2009 4:46 pm

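'© Eric_71 ( Contact : [You must be registered and logged in to see this link.] )
' Lop S&D system-summary helper. Queries WMI (root\cimv2 and root\SecurityCenter)
' for OS, hardware, logon, antivirus/firewall and disk information and writes a
' short report to OS_v.txt in the current directory; this is the header block
' that appears at the top of a Lop S&D log.
'
' "On Error Resume Next" is deliberate for a diagnostic tool: a missing WMI
' namespace (e.g. root\SecurityCenter on a system without Security Center) must
' not abort the whole report. The cost is that any failing statement is skipped
' silently, leaving the corresponding variable Empty and the report line blank.
On Error Resume Next
Dim fso
Set FSO = CreateObject("Scripting.FileSystemObject")
' The report is created relative to the current working directory and overwritten if present.
Set FTX = FSO.createTextFile("OS_v.txt",true)
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & _
strComputer & "\root\cimv2")

Set OS__infos = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
Set BO__infos = objWMIService.ExecQuery("Select * from Win32_ComputerSystem")
Set US__infos = objWMIService.ExecQuery("Select * from Win32_NetworkLoginProfile")
Set PR__infos = objWMIService.ExecQuery("Select * from Win32_Processor")
Set BI__infos = objWMIService.ExecQuery("Select * from Win32_BIOS")
' Flag 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly (semi-synchronous, forward-only enumeration).
Set DI__infos = objWMIService.ExecQuery("Select * from Win32_LogicalDisk",,48)
' NOTE(review): Security Center data is whatever the AV/firewall product itself
' registered with WMI. It is self-reported, not verified independently, so an
' "Activated" antivirus below does not prove real-time protection is working.
Set objWMISecurity = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter")
Set colAV = objWMISecurity.ExecQuery("Select * from AntiVirusProduct")
Set colFI = objWMISecurity.ExecQuery("Select * from FirewallProduct")
Set wshNetwork = CreateObject("WScript.Network")
' Logged-on user name without the domain part.
strUser = wshNetwork.Username
For Each objOS__ in OS__infos
OSvers = objOS__.Caption & " ( v" & objOS__.Version & " ) " & objOS__.CSDVersion
OSbuild = objOS__.BuildType
Next
For Each objBO__ in BO__infos
BOprocT = objBO__.SystemType
Next
For Each objPR__ in PR__infos
PRprocN = objPR__.Name
Next
For Each objBI__ in BI__infos
BIbios = "BIOS : " & objBI__.Name
Next
' Privilege level of the logged-on user. Win32_NetworkLoginProfile returns one
' instance per account on the machine; the original loop kept whichever instance
' was enumerated last, which is only correct on a single-account system. Stop at
' the instance whose Name (documented as DOMAIN\user) ends in the logged-on user
' name; if nothing matches, the last instance is kept as before so the USER line
' is always written. Privileges: 0 = Guest, 1 = User, 2 = Administrator.
For Each objUS__ in US__infos
If objUS__.Privileges = 2 Then
USuser = "USER : " & strUser & " ( Administrator )"
Else
USuser = "USER : " & strUser & " ( Not Administrator ! )"
End If
strProfUser = objUS__.Name
If InStrRev(strProfUser, "\") > 0 Then strProfUser = Mid(strProfUser, InStrRev(strProfUser, "\") + 1)
If StrComp(strProfUser, strUser, vbTextCompare) = 0 Then Exit For
Next
For Each objBO__ in BO__infos
BOboot = "BOOT : " & objBO__.BootupState
Next
' If several products are registered, only the last one enumerated is reported.
For Each objAV In colAV
If objAV.OnAccessScanningEnabled = 0 Then
AVstatus = "Not Activated"
Else
AVstatus = "Activated"
End If
Next
For Each objFI In colFI
If objFI.Enabled = 0 Then
FIstatus = "Not Activated"
Else
FIstatus = "Activated"
End If
Next
For Each objAV in colAV
AVstat = "Antivirus : " & objAV.DisplayName & " " & objAV.VersionNumber & " (" & AVstatus & ")"
Next
For Each objFI In colFI
FIstat = "Firewall : " & objFI.DisplayName & " " & objFI.VersionNumber & " (" & FIstatus & ")"
Next
' Win32_LogicalDisk.DriveType: 2 = removable (labelled "USB" here, though any
' removable disk gets this code), 3 = local, 4 = network, 5 = CD/DVD, 6 = RAM disk.
For Each objDI__ in DI__infos
Select Case objDI__.DriveType
Case 1 strTL = "..."
Case 2 strTL = "USB"
Case 3 strTL = "Local Disk"
Case 4 strTL = "Network Disk"
Case 5 strTL = "CD or DVD"
Case 6 strTL = "RAM"
Case Else strTL = "..."
End Select
' Removable media is sized in MB ("Mo"), everything else in GB ("Go"); the
' abbreviations are French. A drive with no media typically has no Size value
' (Null), in which case Int(Null) & " Mo" collapses to just " Mo" / " Go";
' the comparisons below rely on that to list such drives without a size.
If objDI__.DriveType =2 Then
strTD = Int(objDI__.Size /1048576) & " Mo"
Else
strTD = Int(objDI__.Size /1073741824) & " Go"
End If
if strTD = " Go" Then
strDI = strDI & objDI__.Name & "\ (" & strTL & ")" & vbCrlf
elseif strTD = " Mo" Then
strDI = strDI & objDI__.Name & "\ (" & strTL & ")" & vbCrlf
else
strDI = strDI & objDI__.Name & "\ (" & strTL & ") - " & objDI__.FileSystem & _
" - Total:" & strTD & " (Free:" & Int(objDI__.FreeSpace /1073741824) & " Go)" & vbCrlf
end if
Next
' Report layout matches the first lines of a Lop S&D log.
FTX.writeline OSvers
FTX.writeline BOprocT & " ( " & OSbuild & " : " & PRprocN & " )"
FTX.writeline BIbios
FTX.writeline USuser
FTX.writeline BOboot
FTX.writeline ""
FTX.writeline AVstat
FTX.writeline FIstat
FTX.writeline ""
FTX.writeline strDI
FTX.close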


Re: win blue malware?

Post by Origin on Sat May 23, 2009 4:59 pm

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools menu -> Internet Options -> Connections tab -> LAN Settings -> uncheck "Use a proxy server for your LAN" (or re-enter your own proxy settings if you deliberately configured one), and make sure no unfamiliar "automatic configuration script" address is set there either.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"
  2. Click the apply button and restart that computer in normal mode.




Re: win blue malware?

Post by waderight on Sat May 23, 2009 11:40 pm

It was already set the way you described, so I didn't change anything. I can't update windows, recently installed system mechanic, or spy doctor. It's like they're hijacking my updates? Thanks for your help.


Re: win blue malware?

Post by Origin on Sat May 23, 2009 11:42 pm

OK, let's try a different approach.


Smitfraud Infection Detected
Please download [You must be registered and logged in to see this link.] (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus but a utility that terminates processes; antivirus products cannot tell a legitimate use of such a tool from a malicious one, so they may alert on it.
[You must be registered and logged in to see this link.]




Re: win blue malware?

Post by waderight on Sun May 24, 2009 12:33 am

SmitFraudFix v2.417

Scan done at 20:25:51.39, Sat 05/23/2009
Run from C:\Documents and Settings\PRESTON WRIGHT\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\AppStream\WindowsClient\Bin\AppMgrGui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\PRESTON WRIGHT


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PRESTO~1\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\PRESTON WRIGHT\Application Data

C:\Documents and Settings\PRESTON WRIGHT\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png FOUND !
C:\Documents and Settings\PRESTON WRIGHT\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png FOUND !
C:\Documents and Settings\PRESTON WRIGHT\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PRESTO~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Google\googletoolbar1.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/1000 PL Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 93.188.166.105
DNS Server Search Order: 93.188.161.105

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1BE09C5A-D434-40F3-A258-AF9A3120A60C}: DhcpNameServer=93.188.166.105 93.188.161.105
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1BE09C5A-D434-40F3-A258-AF9A3120A60C}: DhcpNameServer=93.188.166.105 93.188.161.105
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1BE09C5A-D434-40F3-A258-AF9A3120A60C}: DhcpNameServer=93.188.166.105 93.188.161.105
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=93.188.166.105 93.188.161.105
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=93.188.166.105 93.188.161.105
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=93.188.166.105 93.188.161.105


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Re: win blue malware?

Post by Origin on Sun May 24, 2009 1:44 am

Before you start, look at the DNS section of the SmitfraudFix log you just posted: both name servers (93.188.166.105 and 93.188.161.105) were handed out by DHCP (DhcpNameServer), and 93.188.160.0/21 is a range associated with the rogue resolvers used by the DNSChanger trojan. Attacker-controlled DNS would explain exactly what you describe — Windows Update and security-vendor lookups being answered with the wrong address — and because the setting arrived via DHCP, your router's DNS/DHCP configuration (and its admin password) needs to be checked and corrected as well, not just this PC. I suggest you copy these instructions into a Notepad file, because we need to use Safe Mode and you won't have internet access to read from here.

Download [You must be registered and logged in to see this link.] and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log




Re: win blue malware?

Post by waderight on Sun May 24, 2009 2:11 am

The program wouldn't let me follow your instructions. It didn't give me many choices. As soon as I double clicked the download it went through the whole process and didn't seem to need to reboot. See if this is what you need.

SDFix has been extracted to %systemdrive%\SDFix\
(Drive that contains the Windows directory - typically C:\SDFix)

Open the SDFix folder in Safe Mode and double click the RunThis.bat file to start the fixtool
If RunThis.bat is started in Normal Mode, options to download and run Anti-Virus command line scanners are displayed

Catchme.exe Stealth Malware Detector by GMER is also included in the SDFix folder

Additional SDFix Instructions & screen shots can be found here - [You must be registered and logged in to see this link.]





SDFix a été extrait dans %systemdrive%\SDFix\
(Le disque qui contient le répertoire Windows - typiquement C:\SDFix)

Ouvrez le dossier SDFix en mode sans échec et double cliquez sur le fichier RunThis.bat pour démarrer l'outil.
Si RunThis.bat est lancé en mode normal, les options pour télécharger et lancer les scanners Antivirus en ligne de commande seront affichées

Catchme.exe Stealth Malware Detector de GMER est également inclus dans le dossier SDFix

Instructions supplémentaires pour SDFix & captures d'écran peuvent être trouvées ici - [You must be registered and logged in to see this link.]






SDFix wurde nach %systemdrive%\SDFix\ entpackt
(Das ist das Laufwerk, welches den Windows-Ordner enthält - normalerweise c:\SDFix)

Öffne den SDFix-Ordner im Abgesicherten Modus und doppelklicke zum Starten die RunThis.bat Datei
Sollte die RunThis.bat im normalen Modus gestartet werden, wird einem die Möglichkeiten geboten Antivirenscanner für die Kommandozeile
(Dosbox) downzuloaden.

Das Programm Catchme Malware Detector von Gmer ist auch im SDFix Ordner enthalten.

Zusätzliche SDFix Anleitungen und Screen Shots können hier nach geschaut werden: [url="http://www.bleepingcomputer.com/forums/topic131299.html"][You must be registered and logged in to see this link.]


Re: win blue malware?

Post by Origin on Sun May 24, 2009 5:44 pm

Thought that would work; let's try a different approach:


Please download Dial-A-Fix from [You must be registered and logged in to see this link.].

Save it to your Desktop.

Open Dial-a-fix.exe

Click the green checkmark at the bottom of the window; this should select all options.

Now, click GO.

Allow it to run (the status will be displayed at the bottom), and follow any prompts you receive.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Re: win blue malware?

Post by waderight on Sun May 24, 2009 6:05 pm

Windows update still doesn't work. Anytime I try to go to windows update site it just sends me to google search page.


Re: win blue malware?

Post by Origin on Sun May 24, 2009 6:12 pm

Now that is strange. By the way, are you using a router?


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Re: win blue malware?

Post by waderight on Sun May 24, 2009 6:23 pm

Time Warner Internet and a wireless netgear router.


Re: win blue malware?

Post by Origin on Sun May 24, 2009 6:28 pm

The infection might not be in your computer but in the firmware of your router. Can you update your router and then see if you can update Windows? If you don't know how to update your router, please tell me what model you have.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Re: win blue malware?

Post by waderight on Sun May 24, 2009 6:39 pm

Netgear RangeMax WPN824 v2. I agree this may be the problem. I saw some of the same problems on my laptop the only time I ever used it through the wireless router. Because I have had problems with my laptop picking up wireless reception on the home network, I have been using a mobile wireless connection even at home.


Re: win blue malware?

Post by Origin on Sun May 24, 2009 6:50 pm

Hello, please download the latest firmware here:

[You must be registered and logged in to see this link.]

Save it to your desktop for easy access


  • Log in the router at [You must be registered and logged in to see this link.]
  • Click Maintenance > Router Upgrade
  • Click Browse and locate the file you just downloaded.
  • Click Upload. While the firmware is loading, do not interrupt the upgrade process.
  • The router reboots when the upgrade is complete.
  • To check that the upgrade was successful, log in to the router again at [You must be registered and logged in to see this link.] and check the firmware version.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Re: win blue malware?

Post by waderight on Sun May 24, 2009 7:18 pm

I can't log in. It's asking for a password. Also, the file I have on my desktop is labeled as: "Recovered file fragment, pieces of files found when your disc was scanned." Am I supposed to have a program on my computer that handles my router, or is it in the router itself?


Re: win blue malware?

Post by Origin on Sun May 24, 2009 7:22 pm

The program is in the router itself. The password is the serial number that is on the back of your router — usually the one you give someone when you want them to use your router for Wi-Fi internet.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Re: win blue malware?

Post by waderight on Sun May 24, 2009 7:37 pm

I did it and I have the new version.


Re: win blue malware?

Post by Origin on Sun May 24, 2009 8:39 pm

Can you update Windows now?


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Re: win blue malware?

Post by waderight on Sun May 24, 2009 8:51 pm

No, it's still sending me to google search page.


Re: win blue malware?

Post by Origin on Sun May 24, 2009 8:56 pm


  • Download random's system information tool (RSIT) by random/random from [You must be registered and logged in to see this link.] and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized)


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Re: win blue malware?

Post by waderight on Sun May 24, 2009 9:02 pm

Logfile of random's system information tool 1.06 (written by random/random)
Run by PRESTON WRIGHT at 2009-05-24 16:59:57
Microsoft Windows XP Professional Service Pack 3
System drive C: has 187 GB (79%) free of 238 GB
Total RAM: 1022 MB (50% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:15 PM, on 5/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AppStream\WindowsClient\Bin\AppMgrGui.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\PRESTON WRIGHT\Desktop\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\PRESTON WRIGHT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [AppMgrGui] C:\Program Files\AppStream\WindowsClient\bin\exeForService.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /FU "C:\DOCUME~1\PRESTO~1\LOCALS~1\Temp\E_SE0.tmp" /EF "HKCU"
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {3356DB7C-58A7-11D4-AA5C-006097314BF8} (LaunchObj Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: ASWLNDLL - C:\WINDOWS\SYSTEM32\ASWLNDLL.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AWE 5.1.0 Application Manager (AppMgrService) - AppStream Inc. - C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1c9bb11483f0eaf) (gupdate1c9bb11483f0eaf) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9704 bytes


Re: win blue malware?

Post by waderight on Sun May 24, 2009 9:02 pm

======Scheduled tasks folder======

C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-05-19 1107224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-05-19 2223872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-04-11 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
EpsonToolBandKicker Class - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll [2008-07-28 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-05-19 2223872]
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2005-03-22 339968]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-02-18 13680640]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-02-18 86016]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-05-19 1947928]
"DMXLauncher"=C:\Program Files\Dell\Media Experience\DMXLauncher.exe [2005-10-05 94208]
"Intuit SyncManager"=C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2008-11-18 623880]
"AppMgrGui"=C:\Program Files\AppStream\WindowsClient\bin\exeForService.exe [2006-09-27 24064]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-03-12 342312]
"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-12-08 1173384]
"SystemGuardAlerter"=C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe [2005-10-26 454656]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-11-12 68856]
"SMSystemAnalyzer"=C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe [2005-10-26 548864]
"EPSON Stylus CX7800 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE [2007-01-23 177664]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ASWLNDLL]
C:\WINDOWS\system32\ASWLNDLL.dll [2007-05-13 6656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-05-19 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll [2009-03-07 10536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=
scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe"="C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe:*:Enabled:QuickBooks 2009 Data Manager"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe"="C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM)"
"C:\Program Files\ZakFromAnotherPlanet\Yazak Chat\yazak.exe"="C:\Program Files\ZakFromAnotherPlanet\Yazak Chat\yazak.exe:*:Enabled:yazak"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\BearShare Applications\BearShare\BearShare.exe"="C:\Program Files\BearShare Applications\BearShare\BearShare.exe:*:Enabled:BearShare"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.js - open - NOTEPAD.EXE %1
.reg - open - NOTEPAD.EXE %1
.scr - open - NOTEPAD.EXE %1
.vbs - open - NOTEPAD.EXE %1

======List of files/folders created in the last 1 months======

2009-05-24 16:59:57 ----DC---- C:\rsit
2009-05-24 13:56:00 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-23 22:01:00 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-23 21:52:47 ----DC---- C:\SDFix
2009-05-23 20:26:03 ----A---- C:\WINDOWS\system32\tmp.txt
2009-05-23 20:25:51 ----AC---- C:\rapport.txt
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\WS2Fix.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\VCCLSID.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\VACFix.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\swxcacls.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\swsc.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\swreg.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\SrchSTS.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\Process.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\o4Patch.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\IEDFix.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\IEDFix.C.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\dumphive.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\Agent.OMZ.Fix.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\404Fix.exe
2009-05-23 10:44:01 ----A---- C:\WINDOWS\SysMech6.INI
2009-05-23 10:29:11 ----A---- C:\WINDOWS\isRS-000.tmp
2009-05-23 10:28:42 ----A---- C:\WINDOWS\system32\xercesxmldom.dll
2009-05-23 10:28:42 ----A---- C:\WINDOWS\system32\XercesLib.dll
2009-05-23 10:28:42 ----A---- C:\WINDOWS\system32\CC3260MT.DLL
2009-05-23 10:28:32 ----A---- C:\WINDOWS\system32\smrgdf.exe
2009-05-23 10:28:31 ----A---- C:\WINDOWS\system32\iolobtdfg.exe
2009-05-23 10:28:31 ----A---- C:\WINDOWS\system32\Incinerator.dll
2009-05-23 10:28:25 ----D---- C:\Program Files\iolo
2009-05-23 08:02:44 ----AC---- C:\lopR.txt
2009-05-23 08:01:42 ----DC---- C:\Lop SD
2009-05-22 17:38:20 ----SHDC---- C:\RECYCLER
2009-05-22 00:46:39 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\Mozilla
2009-05-22 00:46:24 ----D---- C:\Program Files\Mozilla Firefox
2009-05-21 23:05:58 ----DC---- C:\_OTMoveIt
2009-05-21 22:24:02 ----AC---- C:\ComboFix.txt
2009-05-21 22:16:02 ----A---- C:\WINDOWS\NIRCMD.exe
2009-05-21 20:57:17 ----AC---- C:\Boot.bak
2009-05-21 20:57:12 ----RASHDC---- C:\cmdcons
2009-05-21 20:55:25 ----A---- C:\WINDOWS\zip.exe
2009-05-21 20:55:25 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-05-21 20:55:25 ----A---- C:\WINDOWS\SWSC.exe
2009-05-21 20:55:25 ----A---- C:\WINDOWS\SWREG.exe
2009-05-21 20:55:25 ----A---- C:\WINDOWS\sed.exe
2009-05-21 20:55:25 ----A---- C:\WINDOWS\PEV.exe
2009-05-21 20:55:25 ----A---- C:\WINDOWS\grep.exe
2009-05-21 20:55:10 ----D---- C:\WINDOWS\ERDNT
2009-05-21 20:46:51 ----ADC---- C:\Qoobox
2009-05-21 15:39:08 ----ADC---- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2009-05-21 15:38:46 ----DC---- C:\Documents and Settings\All Users.WINDOWS\Application Data\PC Tools
2009-05-21 15:38:46 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\PC Tools
2009-05-21 14:55:46 ----D---- C:\Program Files\Common Files\DivX Shared
2009-05-21 14:55:42 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\Yahoo!
2009-05-21 12:57:04 ----D---- C:\Program Files\Trend Micro
2009-05-18 22:38:19 ----D---- C:\Program Files\DivX
2009-05-17 23:21:16 ----DC---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2009-05-17 23:20:22 ----DC---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
2009-05-16 20:45:28 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-05-16 19:27:11 ----A---- C:\WINDOWS\system32\log.txt
2009-05-15 11:44:00 ----D---- C:\Program Files\Common Files\PC Tools
2009-05-15 11:43:55 ----D---- C:\Program Files\Spyware Doctor
2009-05-14 23:20:30 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\Malwarebytes
2009-05-14 23:20:22 ----DC---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-05-14 23:20:22 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-12 18:24:29 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\dtuser


Re: win blue malware?

Post by waderight on Sun May 24, 2009 9:03 pm

======List of files/folders modified in the last 1 months======

2009-05-24 16:59:48 ----D---- C:\WINDOWS\Prefetch
2009-05-24 16:58:19 ----D---- C:\WINDOWS\Temp
2009-05-24 16:17:57 ----D---- C:\WINDOWS\system32\wbem
2009-05-24 15:53:47 ----D---- C:\WINDOWS
2009-05-24 15:53:26 ----D---- C:\WINDOWS\Registration
2009-05-24 15:53:16 ----D---- C:\WINDOWS\system32\drivers
2009-05-24 15:53:10 ----SD---- C:\WINDOWS\Tasks
2009-05-24 15:51:41 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-24 15:40:57 ----SHD---- C:\WINDOWS\Installer
2009-05-24 13:57:17 ----SHDC---- C:\Config.Msi
2009-05-24 13:56:42 ----D---- C:\WINDOWS\system32
2009-05-24 13:56:29 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-24 13:04:00 ----HDC---- C:\$AVG8.VAULT$
2009-05-24 11:25:36 ----D---- C:\Legacy
2009-05-24 10:27:18 ----DC---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google Updater
2009-05-23 10:49:18 ----D---- C:\WINDOWS\system32\config
2009-05-23 10:37:41 ----RD---- C:\WINDOWS\Offline Web Pages
2009-05-23 10:28:25 ----RD---- C:\Program Files
2009-05-21 22:21:24 ----AC---- C:\WINDOWS\system.ini
2009-05-21 22:19:30 ----D---- C:\WINDOWS\AppPatch
2009-05-21 22:19:28 ----D---- C:\Program Files\Common Files
2009-05-21 20:57:17 ----RASHC---- C:\boot.ini
2009-05-21 18:33:40 ----D---- C:\Program Files\Java
2009-05-21 14:56:22 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-21 14:54:56 ----D---- C:\Program Files\Google
2009-05-21 14:54:17 ----HD---- C:\WINDOWS\inf
2009-05-21 14:52:43 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\U3
2009-05-21 14:52:34 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\AVGTOOLBAR
2009-05-21 14:52:25 ----D---- C:\Program Files\GemMaster
2009-05-21 14:12:21 ----RSD---- C:\WINDOWS\assembly
2009-05-20 11:21:38 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\Adobe
2009-05-19 11:53:19 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-05-18 22:38:40 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-05-17 20:03:01 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\Apple Computer
2009-05-16 21:16:29 ----D---- C:\Program Files\Adobe
2009-05-16 20:50:07 ----D---- C:\WINDOWS\network diagnostic
2009-05-12 18:57:14 ----D---- C:\WINDOWS\system32\Restore

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 APPSTREAM;APPSTREAM; \??\C:\WINDOWS\System32\Drivers\APPSTREAM.SYS []
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-05-19 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-05-19 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-19 108552]
R1 FileDisk;FileDisk; C:\WINDOWS\system32\drivers\FileDisk.sys [2004-05-29 9728]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 REGHOOK;REGHOOK; \??\C:\WINDOWS\System32\Drivers\REGHOOK.SYS []
R2 VSPD;VSPD; \??\C:\WINDOWS\System32\Drivers\VSPD.SYS []
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2006-07-19 230400]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-01-15 23848]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-10 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-02-18 6308224]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-11-16 1047816]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 OMCI;OMCI; \??\C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS []
S3 catchme;catchme; \??\C:\DOCUME~1\PRESTO~1\LOCALS~1\Temp\catchme.sys []
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-06 132424]
R2 AppMgrService;AWE 5.1.0 Application Manager; C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe [2006-09-27 1990656]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-05-19 908568]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-05-19 298776]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2005-10-11 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 IOLO_SRV;iolo System Guard; C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe [2005-10-26 195584]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-02-18 163908]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2009-03-08 66872]
R2 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2009-03-08 103736]
R2 QBCFMonitorService;QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [2009-01-15 24576]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-01-21 1095560]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-03-12 656168]
S2 gupdate1c9bb11483f0eaf;Google Update Service (gupdate1c9bb11483f0eaf); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-04-11 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-11 183280]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 GoToAssist;GoToAssist; C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe [2009-03-07 16680]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 QBFCService;Intuit QuickBooks FCS; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [2008-11-18 61440]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-08-03 38912]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


Re: win blue malware?

Post by waderight on Sun May 24, 2009 9:04 pm

info.txt logfile of random's system information tool 1.06 2009-05-24 17:00:22

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Apple Mobile Device Support-->MsiExec.exe /I{162B71B8-8464-4680-A086-601D555B331D}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AppStream Technology Windows Edition Client-->MsiExec.exe /X{46B26804-569B-4355-9678-0DDF6ADCFB0F}
AVG 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BearShare-->C:\Program Files\BearShare Applications\BearShare\UninstallSurvey.exe C:\Program Files\BearShare Applications\BearShare\UnwiseLauncher.exe /A C:\PROGRA~1\BEARSH~1\BEARSH~1\INSTALL.LOG
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Call of Duty(R) 4 - Modern Warfare(TM)-->C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
Coupon Printer for Windows-->"C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Dell CinePlayer-->MsiExec.exe /I{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}
Dell Resource CD-->MsiExec.exe /X{FCD9CD52-7222-4672-94A0-A722BA702FD0}
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EPSON CardMonitor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{109D28C7-FB38-483A-9C91-001CB59E2699}\Setup.exe" -l0x9 uninst
EPSON PhotoStarter3.2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AE704636-ECD0-426C-952E-05B8DABD1949}\Setup.exe" -l0x9 uninst
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan-->C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Web-To-Page-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\Setup.exe" -l0x9 -anything
Google Chrome-->"C:\Program Files\Google\Chrome\Application\1.0.154.65\Installer\setup.exe" --uninstall --system-level
Google Earth-->MsiExec.exe /X{CC016F21-3970-11DE-B878-005056806466}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
GoToAssist 8.0.0.514-->C:\Program Files\Citrix\GoToAssist\514\G2AUninstaller.exe /uninstall
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Player 10 (KB903157)-->"C:\WINDOWS\$NtUninstallKB903157$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Intel(R) PRO Network Connections Drivers-->Prounstl.exe
iolo technologies' System Mechanic Professional 6-->"C:\Program Files\iolo\System Mechanic Professional 6\UninstallSMPro.exe"
iTunes-->MsiExec.exe /I{C26B06A9-27BB-45B0-9873-9C623EC2BA38}
Legacy 7.0-->"C:\Legacy\UNWISE.EXE" /U "C:\Legacy\Install.log"
Legacy Charting 7.0-->"C:\Program Files\Millennia\LegacyCharting7\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Web Publishing Wizard 1.52-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Mozilla Firefox (3.0.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
Otto-->"C:\Program Files\EnglishOtto\uninstallotto.exe"
Photo Print Gold-->C:\Program Files\Photo Print Gold\Uninstal.exe
QuickBooks Pro 2009-->msiexec.exe /I {9A2F0810-369F-4E86-9072-973FBE1679C5} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2009" ADDREMOVE=1
QuickBooks-->MsiExec.exe /I{9A2F0810-369F-4E86-9072-973FBE1679C5}
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213


Re: win blue malware?

Post by waderight on Sun May 24, 2009 9:06 pm

Sonic Encoders-->MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Spyware Doctor 6.0-->C:\Program Files\Spyware Doctor\unins000.exe /LOG
SupportSoft Assisted Service-->MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
The Print Shop 20-->MsiExec.exe /I{1B06427F-1845-44E2-9022-AA630EBFF817}
The Print Shop 22-->MsiExec.exe /I{E34351A4-4B10-4DFF-96BC-84C642D9C625}
Update for Windows Media Player 10 (KB913800)-->"C:\WINDOWS\$NtUninstallKB913800$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005-->C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
VBRunDLL 3.3-->C:\PROGRA~1\ZAKFRO~1\VBRunDLL\Setup.exe /remove
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows XP Media Center Edition 2005 KB908250-->"C:\WINDOWS\$NtUninstallKB908250$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
Yazak Chat 8.86.47-->C:\PROGRA~1\ZAKFRO~1\YAZAKC~1\Setup.exe /remove

=====HijackThis Backups=====

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local [2009-05-21]
O4 - HKCU\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /FU "C:\WINDOWS\TEMP\E_S1509.tmp" /EF "HKCU" [2009-05-21]
O4 - HKCU\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe [2009-05-21]
O4 - HKCU\..\Run: [AntiMalware_ProMFCT] C:\Program Files\AntiMalware_Pro\Anti_Malware_Pro.exe [2009-05-21]
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min [2009-05-21]

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: PWES-AD8DFA766A
Event Code: 3
Message: Printer QuickBooks PDF Converter was deleted.

Record Number: 3823
Source Name: Print
Time Written: 20090505101954.000000-240
Event Type: warning
User: PWES-AD8DFA766A\PRESTON WRIGHT

Computer Name: PWES-AD8DFA766A
Event Code: 4
Message: Printer QuickBooks PDF Converter is pending deletion.

Record Number: 3822
Source Name: Print
Time Written: 20090505101954.000000-240
Event Type: warning
User: PWES-AD8DFA766A\PRESTON WRIGHT

Computer Name: PWES-AD8DFA766A
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 3495
Source Name: W32Time
Time Written: 20090428101055.000000-240
Event Type: warning
User:

Computer Name: PWES-AD8DFA766A
Event Code: 1002
Message: The IP address lease 192.168.1.5 for the Network Card with network address 001372260089 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Record Number: 3346
Source Name: Dhcp
Time Written: 20090425134700.000000-240
Event Type: error
User:

Computer Name: PWES-AD8DFA766A
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001372260089. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 3136
Source Name: Dhcp
Time Written: 20090422074741.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: PWES-AD8DFA766A
Event Code: 1004
Message: Detection of product '{1B06427F-1845-44E2-9022-AA630EBFF817}', feature 'Typical', component '{92571486-C412-4C73-B977-A0356B82A54A}' failed. The resource 'C:\Program Files\The Print Shop 20\Support'' does not exist.

Record Number: 3727
Source Name: MsiInstaller
Time Written: 20090502220846.000000-240
Event Type: warning
User: PWES-AD8DFA766A\PRESTON WRIGHT

Computer Name: PWES-AD8DFA766A
Event Code: 1001
Message: Detection of product '{1B06427F-1845-44E2-9022-AA630EBFF817}', feature 'Typical' failed during request for component '{247A0CD4-88E9-11D4-A755-00B0D0428C0C}'

Record Number: 3725
Source Name: MsiInstaller
Time Written: 20090502220845.000000-240
Event Type: warning
User: PWES-AD8DFA766A\PRESTON WRIGHT

Computer Name: PWES-AD8DFA766A
Event Code: 1004
Message: Detection of product '{1B06427F-1845-44E2-9022-AA630EBFF817}', feature 'Typical', component '{92571486-C412-4C73-B977-A0356B82A54A}' failed. The resource 'C:\Program Files\The Print Shop 20\Support'' does not exist.

Record Number: 3724
Source Name: MsiInstaller
Time Written: 20090502220845.000000-240
Event Type: warning
User: PWES-AD8DFA766A\PRESTON WRIGHT

Computer Name: PWES-AD8DFA766A
Event Code: 1001
Message: Detection of product '{1B06427F-1845-44E2-9022-AA630EBFF817}', feature 'Typical' failed during request for component '{247A0CD4-88E9-11D4-A755-00B0D0428C0C}'

Record Number: 3722
Source Name: MsiInstaller
Time Written: 20090502220843.000000-240
Event Type: warning
User: PWES-AD8DFA766A\PRESTON WRIGHT

Computer Name: PWES-AD8DFA766A
Event Code: 1004
Message: Detection of product '{1B06427F-1845-44E2-9022-AA630EBFF817}', feature 'Typical', component '{92571486-C412-4C73-B977-A0356B82A54A}' failed. The resource 'C:\Program Files\The Print Shop 20\Support'' does not exist.

Record Number: 3721
Source Name: MsiInstaller
Time Written: 20090502220843.000000-240
Event Type: warning
User: PWES-AD8DFA766A\PRESTON WRIGHT

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Intuit\QBPOSSDKRuntime;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0407
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"ASLOGDIR"=C:\Program Files\Intuit\QuickBooks 2006\
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------


Re: win blue malware?

Post by Origin on Sun May 24, 2009 9:24 pm

Please use the Internet Explorer browser, and do an online scan with [You must be registered and logged in to see this link.]

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display whether your system has been infected. It does not provide an option to clean/disinfect; we only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the findings have likely already been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

    **Note**

    To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan, and turn them back on as soon as the scan has finished.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Re: win blue malware?

Post by waderight on Sun May 24, 2009 10:18 pm

How do I turn off AVG Anti-Virus? It is blocking the Kaspersky update.


Re: win blue malware?

Post by Origin on Sun May 24, 2009 11:51 pm

Check how to disable it here:

[You must be registered and logged in to see this link.]


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

