win blue malware?

Page 2 of 2

Re: win blue malware?

Post by Origin on Sat May 23, 2009 11:42 pm

Ok, let's try a different approach.


Smitfraud Infection Detected
Please download SmitfraudFix (by S!Ri).
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


While my help is always free, please consider donating to keep this site alive.

Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31483
# Likes : 0

Re: win blue malware?

Post by waderight on Sun May 24, 2009 12:33 am

SmitFraudFix v2.417

Scan done at 20:25:51.39, Sat 05/23/2009
Run from C:\Documents and Settings\PRESTON WRIGHT\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\AppStream\WindowsClient\Bin\AppMgrGui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\PRESTON WRIGHT


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PRESTO~1\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\PRESTON WRIGHT\Application Data

C:\Documents and Settings\PRESTON WRIGHT\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png FOUND !
C:\Documents and Settings\PRESTON WRIGHT\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png FOUND !
C:\Documents and Settings\PRESTON WRIGHT\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PRESTO~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Google\googletoolbar1.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/1000 PL Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 93.188.166.105
DNS Server Search Order: 93.188.161.105

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1BE09C5A-D434-40F3-A258-AF9A3120A60C}: DhcpNameServer=93.188.166.105 93.188.161.105
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1BE09C5A-D434-40F3-A258-AF9A3120A60C}: DhcpNameServer=93.188.166.105 93.188.161.105
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1BE09C5A-D434-40F3-A258-AF9A3120A60C}: DhcpNameServer=93.188.166.105 93.188.161.105
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=93.188.166.105 93.188.161.105
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=93.188.166.105 93.188.161.105
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=93.188.166.105 93.188.161.105


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

waderight
Novice
Posts : 48
Joined : 2009-05-21
OS : xp
Points : 27610
# Likes : 0
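The DNS section of the SmitfraudFix report above is the part worth reading closely, and checking it is what a helper would want to do on any such log. The following is an added example for this thread, not code from the original posts or from S!Ri's SmitfraudFix: it pulls the resolver addresses out of the "DNS Server Search Order" and "DhcpNameServer=" lines and sorts each one into a LAN address (what a home router normally hands out, namely itself), a public address, or a hit on a watchlist of known rogue resolver ranges. The watchlist is an assumption: it is the DNSChanger range list as published by the DNS Changer Working Group (DCWG), and it should be checked against a current source before acting on a hit.

```python
"""Triage of the DNS section of a SmitfraudFix report.

Added example for this thread; it is not part of S!Ri's SmitfraudFix or of
the original posts. It extracts the resolver addresses named in the
"DNS Server Search Order" and "DhcpNameServer=" lines and sorts them into
three buckets: a LAN address (what a home router normally hands out, i.e.
itself), a public address, or a hit on a watchlist of rogue resolver ranges.
"""
import ipaddress
import re

# Assumption: DNSChanger rogue resolver ranges as published by the DCWG.
# Verify against a current source before acting on a hit.
ROGUE_RESOLVER_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Only lines that name a resolver; the adapter description and the bare
# registry key paths in the same section are skipped.
DNS_LINE = re.compile(r"DNS Server Search Order|NameServer=")

# The DNS section of the SmitfraudFix log posted above, quoted verbatim.
SAMPLE_REPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/1000 PL Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 93.188.166.105
DNS Server Search Order: 93.188.161.105

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1BE09C5A-D434-40F3-A258-AF9A3120A60C}: DhcpNameServer=93.188.166.105 93.188.161.105
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=93.188.166.105 93.188.161.105
"""


def extract_resolvers(report_text):
    """Distinct resolver addresses, in order of first appearance."""
    found = []
    for line in report_text.splitlines():
        if not DNS_LINE.search(line):
            continue
        for ip in IPV4.findall(line):
            if ip not in found:
                found.append(ip)
    return found


def classify_resolver(ip_text):
    """Return 'rogue-watchlist', 'lan' or 'public' for one resolver address."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in ROGUE_RESOLVER_RANGES):
        return "rogue-watchlist"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "lan"
    return "public"


def triage_resolvers(report_text):
    """Map each resolver named in the report to its verdict."""
    return {ip: classify_resolver(ip) for ip in extract_resolvers(report_text)}


if __name__ == "__main__":
    for ip, verdict in triage_resolvers(SAMPLE_REPORT).items():
        print(f"{ip:<16} {verdict}")
```

Run it as a script to print one verdict per resolver. A "public" verdict is not a finding on its own (some routers pass the ISP's resolvers straight through), but the DhcpNameServer registry values record what the DHCP server handed the client, and on a home LAN that server is the router, so a watchlist hit there points at the router's own configuration (its WAN DNS settings and admin password) as much as at the PC. That router check belongs alongside the firmware update suggested later in the thread, and it covers every other machine that uses the same router.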

Re: win blue malware?

Post by Origin on Sun May 24, 2009 1:44 am

I suggest you copy these instructions into a Notepad file, because we need to use Safe Mode and you won't have internet access to read from here.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log



Re: win blue malware?

Post by waderight on Sun May 24, 2009 2:11 am

The program wouldn't let me follow your instructions. It didn't give me many choices. As soon as I double-clicked the download it went through the whole process and didn't seem to need to reboot. See if this is what you need.

SDFix has been extracted to %systemdrive%\SDFix\
(Drive that contains the Windows directory - typically C:\SDFix)

Open the SDFix folder in Safe Mode and double click the RunThis.bat file to start the fixtool
If RunThis.bat is started in Normal Mode, options to download and run Anti-Virus command line scanners are displayed

Catchme.exe Stealth Malware Detector by GMER is also included in the SDFix folder

Additional SDFix Instructions & screen shots can be found here - http://www.bleepingcomputer.com/forums/topic131299.html


Re: win blue malware?

Post by Origin on Sun May 24, 2009 5:44 pm

Thought that would work; let's try a different approach:


Please download Dial-A-Fix and save it to your Desktop.

Open Dial-a-fix.exe

Click the green checkmark at the bottom of the window; this should select all options.

Now, click GO.

Allow it to run (the status will be displayed at the bottom), and follow any prompts you receive.



Re: win blue malware?

Post by waderight on Sun May 24, 2009 6:05 pm

Windows update still doesn't work. Anytime I try to go to windows update site it just sends me to google search page.


Re: win blue malware?

Post by Origin on Sun May 24, 2009 6:12 pm

Now that is strange. By the way, are you using a router?



Re: win blue malware?

Post by waderight on Sun May 24, 2009 6:23 pm

Time Warner Internet and a wireless netgear router.


Re: win blue malware?

Post by Origin on Sun May 24, 2009 6:28 pm

The infection might not be in your computer but in the firmware of your router. Can you update your router and see if you can update Windows? If you don't know how to update your router, then please tell me what model you have.



Re: win blue malware?

Post by waderight on Sun May 24, 2009 6:39 pm

Netgear Range Max WPN824 v2. I agree this may be the problem. I saw some of the same problems on my laptop the only time I ever used it through the wireless router. Because I have had problems with my laptop picking up wireless reception on the home network, I have been using a mobile wireless connection even at home.


Re: win blue malware?

Post by Origin on Sun May 24, 2009 6:50 pm

Hello, please download the latest firmware for your router and save it to your desktop for easy access.


  • Log in to the router's admin page.
  • Click Maintenance > Router Upgrade
  • Click Browse and locate the file you just downloaded.
  • Click Upload. While the firmware is loading, do not interrupt the upgrade process.
  • The router reboots when the upgrade is complete.
  • To check that the upgrade was successful, log in to the router again and check the firmware version.



Re: win blue malware?

Post by waderight on Sun May 24, 2009 7:18 pm

I can't log in. It's asking for a password. Also, the file I have on my desktop is labeled as: Recovered file fragment, pieces of files found when your disc was scanned. Am I supposed to have a program that handles my router in my computer, or is it in the router?


Re: win blue malware?

Post by Origin on Sun May 24, 2009 7:22 pm

The program is in the router itself. The password is the serial that is on the back of your router, usually the one you give someone if you would like them to use your router for wifi internet.



Re: win blue malware?

Post by waderight on Sun May 24, 2009 7:37 pm

I did it and I have the new version.


Re: win blue malware?

Post by Origin on Sun May 24, 2009 8:39 pm

Can you update Windows now?



Re: win blue malware?

Post by waderight on Sun May 24, 2009 8:51 pm

No, it's still sending me to google search page.


Re: win blue malware?

Post by Origin on Sun May 24, 2009 8:56 pm


  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized)



Re: win blue malware?

Post by waderight on Sun May 24, 2009 9:02 pm

Logfile of random's system information tool 1.06 (written by random/random)
Run by PRESTON WRIGHT at 2009-05-24 16:59:57
Microsoft Windows XP Professional Service Pack 3
System drive C: has 187 GB (79%) free of 238 GB
Total RAM: 1022 MB (50% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:15 PM, on 5/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AppStream\WindowsClient\Bin\AppMgrGui.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\PRESTON WRIGHT\Desktop\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\PRESTON WRIGHT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [AppMgrGui] C:\Program Files\AppStream\WindowsClient\bin\exeForService.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /FU "C:\DOCUME~1\PRESTO~1\LOCALS~1\Temp\E_SE0.tmp" /EF "HKCU"
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {3356DB7C-58A7-11D4-AA5C-006097314BF8} (LaunchObj Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: ASWLNDLL - C:\WINDOWS\SYSTEM32\ASWLNDLL.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AWE 5.1.0 Application Manager (AppMgrService) - AppStream Inc. - C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1c9bb11483f0eaf) (gupdate1c9bb11483f0eaf) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9704 bytes

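The RSIT/HijackThis log above is normally read by eye. As an added example for this thread (not code from the original posts or from Trend Micro's HijackThis), here is a small triage pass over the O-section lines that flags the three things a helper reads first: a registered handler whose file is missing, a service whose publisher HijackThis could not verify ("Unknown owner"), and an autorun whose program sits in a user-writable location such as a profile folder or %TEMP%. The sample input is taken from the log above plus one constructed O4 line (the "[example]" entry) that exercises the path check. A flag is a reason to look, not a verdict: the Intuit and PunkBuster lines in this log trip two of the flags and are legitimate software.

```python
"""Triage helpers for HijackThis 2.x log lines.

Added example for this thread; it is not part of Trend Micro's HijackThis or
of the original posts. Each O-section line is split into its ' - ' fields,
then checked for: a handler whose file is missing, a service with an
unverified publisher, and an autorun whose program lives where an ordinary
user can write.
"""
import re

ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.*)$")
AUTORUN = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Locations an ordinary XP user can write to (assumption: default XP layout).
USER_WRITABLE = re.compile(
    r"\\(?:Documents and Settings|DOCUME~1|Temp|Application Data)\\", re.I)

# Lines quoted from the HijackThis log posted above, plus one constructed
# O4 line (the '[example]' autorun) to exercise the user-writable-path check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /FU "C:\DOCUME~1\PRESTO~1\LOCALS~1\Temp\E_SE0.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [example] C:\Documents and Settings\User\Local Settings\Temp\example.exe
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def parse_entry(line):
    """Split 'O23 - Service: a - b - c' into its section code and ' - ' fields."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    return {"section": m.group("section"), "rest": rest,
            "fields": rest.split(" - "), "raw": line.strip()}


def autorun_executable(cmd):
    """The program part of an O4 command line, with its arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|bat|cmd|vbs|scr))(?=\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def flags_for(entry):
    """Zero or more triage flags for one parsed entry."""
    flags = []
    if "(file missing)" in entry["raw"]:
        flags.append("file-missing")
    if (entry["section"] == "O23" and len(entry["fields"]) >= 3
            and entry["fields"][1] == "Unknown owner"):
        flags.append("unverified-owner")
    if entry["section"] == "O4":
        m = AUTORUN.match(entry["rest"])
        # Only the program path counts; arguments may legitimately mention %TEMP%.
        target = autorun_executable(m.group("cmd")) if m else entry["rest"]
        if USER_WRITABLE.search(target):
            flags.append("autorun-from-user-writable-path")
    return flags


def triage_entries(log_text):
    """{raw line: [flags]} for every entry that raised at least one flag."""
    result = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry:
            flags = flags_for(entry)
            if flags:
                result[entry["raw"]] = flags
    return result


if __name__ == "__main__":
    for raw, flags in triage_entries(SAMPLE_LOG).items():
        print(", ".join(flags), "::", raw)
```

The EPSON line is the reason the path check looks only at the program and not at the whole command: its arguments point into %TEMP% but the executable is under System32, so it stays unflagged. Anything that is flagged still has to be resolved by hand, by checking the file's publisher and location against what the vendor ships.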

Re: win blue malware?

Post by waderight on Sun May 24, 2009 9:02 pm

======Scheduled tasks folder======

C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-05-19 1107224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-05-19 2223872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-04-11 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
EpsonToolBandKicker Class - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll [2008-07-28 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-05-19 2223872]
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2005-03-22 339968]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-02-18 13680640]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-02-18 86016]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-05-19 1947928]
"DMXLauncher"=C:\Program Files\Dell\Media Experience\DMXLauncher.exe [2005-10-05 94208]
"Intuit SyncManager"=C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2008-11-18 623880]
"AppMgrGui"=C:\Program Files\AppStream\WindowsClient\bin\exeForService.exe [2006-09-27 24064]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-03-12 342312]
"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-12-08 1173384]
"SystemGuardAlerter"=C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe [2005-10-26 454656]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-11-12 68856]
"SMSystemAnalyzer"=C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe [2005-10-26 548864]
"EPSON Stylus CX7800 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE [2007-01-23 177664]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ASWLNDLL]
C:\WINDOWS\system32\ASWLNDLL.dll [2007-05-13 6656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-05-19 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll [2009-03-07 10536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=
scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe"="C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe:*:Enabled:QuickBooks 2009 Data Manager"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe"="C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM)"
"C:\Program Files\ZakFromAnotherPlanet\Yazak Chat\yazak.exe"="C:\Program Files\ZakFromAnotherPlanet\Yazak Chat\yazak.exe:*:Enabled:yazak"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\BearShare Applications\BearShare\BearShare.exe"="C:\Program Files\BearShare Applications\BearShare\BearShare.exe:*:Enabled:BearShare"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.js - open - NOTEPAD.EXE %1
.reg - open - NOTEPAD.EXE %1
.scr - open - NOTEPAD.EXE %1
.vbs - open - NOTEPAD.EXE %1

======List of files/folders created in the last 1 months======

2009-05-24 16:59:57 ----DC---- C:\rsit
2009-05-24 13:56:00 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-23 22:01:00 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-23 21:52:47 ----DC---- C:\SDFix
2009-05-23 20:26:03 ----A---- C:\WINDOWS\system32\tmp.txt
2009-05-23 20:25:51 ----AC---- C:\rapport.txt
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\WS2Fix.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\VCCLSID.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\VACFix.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\swxcacls.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\swsc.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\swreg.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\SrchSTS.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\Process.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\o4Patch.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\IEDFix.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\IEDFix.C.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\dumphive.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\Agent.OMZ.Fix.exe
2009-05-23 20:25:36 ----A---- C:\WINDOWS\system32\404Fix.exe
2009-05-23 10:44:01 ----A---- C:\WINDOWS\SysMech6.INI
2009-05-23 10:29:11 ----A---- C:\WINDOWS\isRS-000.tmp
2009-05-23 10:28:42 ----A---- C:\WINDOWS\system32\xercesxmldom.dll
2009-05-23 10:28:42 ----A---- C:\WINDOWS\system32\XercesLib.dll
2009-05-23 10:28:42 ----A---- C:\WINDOWS\system32\CC3260MT.DLL
2009-05-23 10:28:32 ----A---- C:\WINDOWS\system32\smrgdf.exe
2009-05-23 10:28:31 ----A---- C:\WINDOWS\system32\iolobtdfg.exe
2009-05-23 10:28:31 ----A---- C:\WINDOWS\system32\Incinerator.dll
2009-05-23 10:28:25 ----D---- C:\Program Files\iolo
2009-05-23 08:02:44 ----AC---- C:\lopR.txt
2009-05-23 08:01:42 ----DC---- C:\Lop SD
2009-05-22 17:38:20 ----SHDC---- C:\RECYCLER
2009-05-22 00:46:39 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\Mozilla
2009-05-22 00:46:24 ----D---- C:\Program Files\Mozilla Firefox
2009-05-21 23:05:58 ----DC---- C:\_OTMoveIt
2009-05-21 22:24:02 ----AC---- C:\ComboFix.txt
2009-05-21 22:16:02 ----A---- C:\WINDOWS\NIRCMD.exe
2009-05-21 20:57:17 ----AC---- C:\Boot.bak
2009-05-21 20:57:12 ----RASHDC---- C:\cmdcons
2009-05-21 20:55:25 ----A---- C:\WINDOWS\zip.exe
2009-05-21 20:55:25 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-05-21 20:55:25 ----A---- C:\WINDOWS\SWSC.exe
2009-05-21 20:55:25 ----A---- C:\WINDOWS\SWREG.exe
2009-05-21 20:55:25 ----A---- C:\WINDOWS\sed.exe
2009-05-21 20:55:25 ----A---- C:\WINDOWS\PEV.exe
2009-05-21 20:55:25 ----A---- C:\WINDOWS\grep.exe
2009-05-21 20:55:10 ----D---- C:\WINDOWS\ERDNT
2009-05-21 20:46:51 ----ADC---- C:\Qoobox
2009-05-21 15:39:08 ----ADC---- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2009-05-21 15:38:46 ----DC---- C:\Documents and Settings\All Users.WINDOWS\Application Data\PC Tools
2009-05-21 15:38:46 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\PC Tools
2009-05-21 14:55:46 ----D---- C:\Program Files\Common Files\DivX Shared
2009-05-21 14:55:42 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\Yahoo!
2009-05-21 12:57:04 ----D---- C:\Program Files\Trend Micro
2009-05-18 22:38:19 ----D---- C:\Program Files\DivX
2009-05-17 23:21:16 ----DC---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2009-05-17 23:20:22 ----DC---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
2009-05-16 20:45:28 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-05-16 19:27:11 ----A---- C:\WINDOWS\system32\log.txt
2009-05-15 11:44:00 ----D---- C:\Program Files\Common Files\PC Tools
2009-05-15 11:43:55 ----D---- C:\Program Files\Spyware Doctor
2009-05-14 23:20:30 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\Malwarebytes
2009-05-14 23:20:22 ----DC---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-05-14 23:20:22 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-12 18:24:29 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\dtuser

waderight
Novice

Posts : 48
Joined : 2009-05-21
OS : xp
Points : 27610
# Likes : 0

Re: win blue malware?

Post by waderight on Sun May 24, 2009 9:03 pm

======List of files/folders modified in the last 1 months======

2009-05-24 16:59:48 ----D---- C:\WINDOWS\Prefetch
2009-05-24 16:58:19 ----D---- C:\WINDOWS\Temp
2009-05-24 16:17:57 ----D---- C:\WINDOWS\system32\wbem
2009-05-24 15:53:47 ----D---- C:\WINDOWS
2009-05-24 15:53:26 ----D---- C:\WINDOWS\Registration
2009-05-24 15:53:16 ----D---- C:\WINDOWS\system32\drivers
2009-05-24 15:53:10 ----SD---- C:\WINDOWS\Tasks
2009-05-24 15:51:41 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-24 15:40:57 ----SHD---- C:\WINDOWS\Installer
2009-05-24 13:57:17 ----SHDC---- C:\Config.Msi
2009-05-24 13:56:42 ----D---- C:\WINDOWS\system32
2009-05-24 13:56:29 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-24 13:04:00 ----HDC---- C:\$AVG8.VAULT$
2009-05-24 11:25:36 ----D---- C:\Legacy
2009-05-24 10:27:18 ----DC---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google Updater
2009-05-23 10:49:18 ----D---- C:\WINDOWS\system32\config
2009-05-23 10:37:41 ----RD---- C:\WINDOWS\Offline Web Pages
2009-05-23 10:28:25 ----RD---- C:\Program Files
2009-05-21 22:21:24 ----AC---- C:\WINDOWS\system.ini
2009-05-21 22:19:30 ----D---- C:\WINDOWS\AppPatch
2009-05-21 22:19:28 ----D---- C:\Program Files\Common Files
2009-05-21 20:57:17 ----RASHC---- C:\boot.ini
2009-05-21 18:33:40 ----D---- C:\Program Files\Java
2009-05-21 14:56:22 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-21 14:54:56 ----D---- C:\Program Files\Google
2009-05-21 14:54:17 ----HD---- C:\WINDOWS\inf
2009-05-21 14:52:43 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\U3
2009-05-21 14:52:34 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\AVGTOOLBAR
2009-05-21 14:52:25 ----D---- C:\Program Files\GemMaster
2009-05-21 14:12:21 ----RSD---- C:\WINDOWS\assembly
2009-05-20 11:21:38 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\Adobe
2009-05-19 11:53:19 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-05-18 22:38:40 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-05-17 20:03:01 ----D---- C:\Documents and Settings\PRESTON WRIGHT\Application Data\Apple Computer
2009-05-16 21:16:29 ----D---- C:\Program Files\Adobe
2009-05-16 20:50:07 ----D---- C:\WINDOWS\network diagnostic
2009-05-12 18:57:14 ----D---- C:\WINDOWS\system32\Restore

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 APPSTREAM;APPSTREAM; \??\C:\WINDOWS\System32\Drivers\APPSTREAM.SYS []
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-05-19 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-05-19 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-19 108552]
R1 FileDisk;FileDisk; C:\WINDOWS\system32\drivers\FileDisk.sys [2004-05-29 9728]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 REGHOOK;REGHOOK; \??\C:\WINDOWS\System32\Drivers\REGHOOK.SYS []
R2 VSPD;VSPD; \??\C:\WINDOWS\System32\Drivers\VSPD.SYS []
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2006-07-19 230400]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-01-15 23848]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-10 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-02-18 6308224]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-11-16 1047816]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 OMCI;OMCI; \??\C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS []
S3 catchme;catchme; \??\C:\DOCUME~1\PRESTO~1\LOCALS~1\Temp\catchme.sys []
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-06 132424]
R2 AppMgrService;AWE 5.1.0 Application Manager; C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe [2006-09-27 1990656]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-05-19 908568]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-05-19 298776]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2005-10-11 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 IOLO_SRV;iolo System Guard; C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe [2005-10-26 195584]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-02-18 163908]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2009-03-08 66872]
R2 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2009-03-08 103736]
R2 QBCFMonitorService;QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [2009-01-15 24576]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-01-21 1095560]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-03-12 656168]
S2 gupdate1c9bb11483f0eaf;Google Update Service (gupdate1c9bb11483f0eaf); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-04-11 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-11 183280]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 GoToAssist;GoToAssist; C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe [2009-03-07 16680]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 QBFCService;Intuit QuickBooks FCS; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [2008-11-18 61440]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-08-03 38912]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

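The two RSIT posts above are long autostart and driver/service listings, and the responder's first job is to pick out the entries worth a closer look. The helper below is an added example, not RSIT's code and not something posted in this thread: it parses the Run-key, driver/service and HijackThis "O4" line shapes that appear in these logs and flags an entry when RSIT printed an empty "[]" (it could not stat the file), when the binary lives under a temp or per-user profile directory, or when the name matches the rogue products this thread is about. The heuristics and the word list are assumptions made for the example; the sample lines are copied from the posted log.txt and from the HijackThis backup section of the info.txt post further down.

```python
r"""Triage helper for RSIT log lines (added example; not RSIT's code and not from the posts).

Three line shapes from the posted log.txt / info.txt are recognised:

  "Name"=C:\dir\file.exe [2009-05-19 1947928]                 Run-key entry
  R2 svc;Display Name; C:\dir\file.sys [2009-05-19 108552]    driver / service entry
  O4 - HKLM\..\Run: [Name] C:\dir\file.exe -arg [2009-05-21]  HijackThis backup entry

RSIT prints "[]" after a path when it cannot stat the file.  That, a binary under a
temp or per-user profile directory, or a name matching the rogue products named in
this thread, marks an entry for manual review.  The heuristics and the word list are
assumptions made for this example.
"""
import re
from dataclasses import dataclass, field

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$')
SVC_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);\s*'
    r'(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$')
O4_RE = re.compile(
    r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\]\s+(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$')

# Assumed heuristics: locations a persistent binary should not normally live in, and
# name fragments of the rogue anti-spyware products this thread is about.
SUSPECT_DIRS = ('\\temp\\', '\\local settings\\', '\\application data\\', '\\recycler\\')
ROGUE_WORDS = ('winblue', 'antimalware_pro', 'anti_malware_pro')


@dataclass
class Entry:
    kind: str                 # 'run', 'svc' or 'o4'
    name: str                 # value name, service name or HJT item name
    path: str                 # command line as logged, NT "\??\" prefix removed
    meta: str                 # contents of the trailing [...]; empty when the file was not found
    flags: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for a recognised line, or None for anything else."""
    line = line.strip()
    for kind, rx in (('run', RUN_RE), ('svc', SVC_RE), ('o4', O4_RE)):
        m = rx.match(line)
        if m:
            path = m['path']
            if path.startswith('\\??\\'):   # object-manager form used by some driver entries
                path = path[4:]
            return Entry(kind, m['name'].strip(), path, m['meta'].strip())
    return None


def flag(entry):
    """Attach review flags to an Entry in place and return it."""
    low = entry.path.lower()
    if not entry.meta:
        entry.flags.append('no-file-metadata')
    if any(d in low for d in SUSPECT_DIRS):
        entry.flags.append('suspect-directory')
    if any(w in low or w in entry.name.lower() for w in ROGUE_WORDS):
        entry.flags.append('rogue-name')
    return entry


def triage(lines):
    """Parse every recognised line; return only the entries that picked up a flag."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and flag(entry).flags:
            flagged.append(entry)
    return flagged


# Constructed sample: lines copied from the logs posted in this thread (Run keys,
# driver list, and the HijackThis backup section in the later info.txt post).
SAMPLE = [
    r'"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-05-19 1947928]',
    r'"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]',
    r'R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-19 108552]',
    r'R2 REGHOOK;REGHOOK; \??\C:\WINDOWS\System32\Drivers\REGHOOK.SYS []',
    r'S3 catchme;catchme; \??\C:\DOCUME~1\PRESTO~1\LOCALS~1\Temp\catchme.sys []',
    r'O4 - HKCU\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe [2009-05-21]',
    r'O4 - HKCU\..\Run: [AntiMalware_ProMFCT] C:\Program Files\AntiMalware_Pro\Anti_Malware_Pro.exe [2009-05-21]',
    r'O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min [2009-05-21]',
]

if __name__ == '__main__':
    for e in triage(SAMPLE):
        print(f'{e.kind:3} {e.name:22} {", ".join(e.flags):36} {e.path}')
```

A flag is a prompt to look, not a verdict: catchme.sys is the rootkit-scanning driver that ComboFix drops in the user's Temp directory, and the thread's file list shows ComboFix was run on 05-21, so that hit is explained; REGHOOK.SYS and the other drivers with an empty "[]" still need a look because RSIT could not find the file on disk. The opposite caveat also holds: setup2.exe in system32 is one of the entries HijackThis removed, yet none of these heuristics catches it, which is why the flag list narrows the review of the Run keys and does not replace reading them.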

Re: win blue malware?

Post by waderight on Sun May 24, 2009 9:04 pm

info.txt logfile of random's system information tool 1.06 2009-05-24 17:00:22

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Apple Mobile Device Support-->MsiExec.exe /I{162B71B8-8464-4680-A086-601D555B331D}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AppStream Technology Windows Edition Client-->MsiExec.exe /X{46B26804-569B-4355-9678-0DDF6ADCFB0F}
AVG 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BearShare-->C:\Program Files\BearShare Applications\BearShare\UninstallSurvey.exe C:\Program Files\BearShare Applications\BearShare\UnwiseLauncher.exe /A C:\PROGRA~1\BEARSH~1\BEARSH~1\INSTALL.LOG
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Call of Duty(R) 4 - Modern Warfare(TM)-->C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
Coupon Printer for Windows-->"C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Dell CinePlayer-->MsiExec.exe /I{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}
Dell Resource CD-->MsiExec.exe /X{FCD9CD52-7222-4672-94A0-A722BA702FD0}
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EPSON CardMonitor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{109D28C7-FB38-483A-9C91-001CB59E2699}\Setup.exe" -l0x9 uninst
EPSON PhotoStarter3.2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AE704636-ECD0-426C-952E-05B8DABD1949}\Setup.exe" -l0x9 uninst
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan-->C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Web-To-Page-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\Setup.exe" -l0x9 -anything
Google Chrome-->"C:\Program Files\Google\Chrome\Application\1.0.154.65\Installer\setup.exe" --uninstall --system-level
Google Earth-->MsiExec.exe /X{CC016F21-3970-11DE-B878-005056806466}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
GoToAssist 8.0.0.514-->C:\Program Files\Citrix\GoToAssist\514\G2AUninstaller.exe /uninstall
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Player 10 (KB903157)-->"C:\WINDOWS\$NtUninstallKB903157$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Intel(R) PRO Network Connections Drivers-->Prounstl.exe
iolo technologies' System Mechanic Professional 6-->"C:\Program Files\iolo\System Mechanic Professional 6\UninstallSMPro.exe"
iTunes-->MsiExec.exe /I{C26B06A9-27BB-45B0-9873-9C623EC2BA38}
Legacy 7.0-->"C:\Legacy\UNWISE.EXE" /U "C:\Legacy\Install.log"
Legacy Charting 7.0-->"C:\Program Files\Millennia\LegacyCharting7\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Web Publishing Wizard 1.52-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Mozilla Firefox (3.0.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
Otto-->"C:\Program Files\EnglishOtto\uninstallotto.exe"
Photo Print Gold-->C:\Program Files\Photo Print Gold\Uninstal.exe
QuickBooks Pro 2009-->msiexec.exe /I {9A2F0810-369F-4E86-9072-973FBE1679C5} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2009" ADDREMOVE=1
QuickBooks-->MsiExec.exe /I{9A2F0810-369F-4E86-9072-973FBE1679C5}
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213


Re: win blue malware?

Post by waderight on Sun May 24, 2009 9:06 pm

Sonic Encoders-->MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Spyware Doctor 6.0-->C:\Program Files\Spyware Doctor\unins000.exe /LOG
SupportSoft Assisted Service-->MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
The Print Shop 20-->MsiExec.exe /I{1B06427F-1845-44E2-9022-AA630EBFF817}
The Print Shop 22-->MsiExec.exe /I{E34351A4-4B10-4DFF-96BC-84C642D9C625}
Update for Windows Media Player 10 (KB913800)-->"C:\WINDOWS\$NtUninstallKB913800$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005-->C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
VBRunDLL 3.3-->C:\PROGRA~1\ZAKFRO~1\VBRunDLL\Setup.exe /remove
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows XP Media Center Edition 2005 KB908250-->"C:\WINDOWS\$NtUninstallKB908250$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
Yazak Chat 8.86.47-->C:\PROGRA~1\ZAKFRO~1\YAZAKC~1\Setup.exe /remove

=====HijackThis Backups=====

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local [2009-05-21]
O4 - HKCU\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /FU "C:\WINDOWS\TEMP\E_S1509.tmp" /EF "HKCU" [2009-05-21]
O4 - HKCU\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe [2009-05-21]
O4 - HKCU\..\Run: [AntiMalware_ProMFCT] C:\Program Files\AntiMalware_Pro\Anti_Malware_Pro.exe [2009-05-21]
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min [2009-05-21]

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: PWES-AD8DFA766A
Event Code: 3
Message: Printer QuickBooks PDF Converter was deleted.

Record Number: 3823
Source Name: Print
Time Written: 20090505101954.000000-240
Event Type: warning
User: PWES-AD8DFA766A\PRESTON WRIGHT

Computer Name: PWES-AD8DFA766A
Event Code: 4
Message: Printer QuickBooks PDF Converter is pending deletion.

Record Number: 3822
Source Name: Print
Time Written: 20090505101954.000000-240
Event Type: warning
User: PWES-AD8DFA766A\PRESTON WRIGHT

Computer Name: PWES-AD8DFA766A
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 3495
Source Name: W32Time
Time Written: 20090428101055.000000-240
Event Type: warning
User:

Computer Name: PWES-AD8DFA766A
Event Code: 1002
Message: The IP address lease 192.168.1.5 for the Network Card with network address 001372260089 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Record Number: 3346
Source Name: Dhcp
Time Written: 20090425134700.000000-240
Event Type: error
User:

Computer Name: PWES-AD8DFA766A
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001372260089. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 3136
Source Name: Dhcp
Time Written: 20090422074741.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: PWES-AD8DFA766A
Event Code: 1004
Message: Detection of product '{1B06427F-1845-44E2-9022-AA630EBFF817}', feature 'Typical', component '{92571486-C412-4C73-B977-A0356B82A54A}' failed. The resource 'C:\Program Files\The Print Shop 20\Support'' does not exist.

Record Number: 3727
Source Name: MsiInstaller
Time Written: 20090502220846.000000-240
Event Type: warning
User: PWES-AD8DFA766A\PRESTON WRIGHT

Computer Name: PWES-AD8DFA766A
Event Code: 1001
Message: Detection of product '{1B06427F-1845-44E2-9022-AA630EBFF817}', feature 'Typical' failed during request for component '{247A0CD4-88E9-11D4-A755-00B0D0428C0C}'

Record Number: 3725
Source Name: MsiInstaller
Time Written: 20090502220845.000000-240
Event Type: warning
User: PWES-AD8DFA766A\PRESTON WRIGHT

Computer Name: PWES-AD8DFA766A
Event Code: 1004
Message: Detection of product '{1B06427F-1845-44E2-9022-AA630EBFF817}', feature 'Typical', component '{92571486-C412-4C73-B977-A0356B82A54A}' failed. The resource 'C:\Program Files\The Print Shop 20\Support'' does not exist.

Record Number: 3724
Source Name: MsiInstaller
Time Written: 20090502220845.000000-240
Event Type: warning
User: PWES-AD8DFA766A\PRESTON WRIGHT

Computer Name: PWES-AD8DFA766A
Event Code: 1001
Message: Detection of product '{1B06427F-1845-44E2-9022-AA630EBFF817}', feature 'Typical' failed during request for component '{247A0CD4-88E9-11D4-A755-00B0D0428C0C}'

Record Number: 3722
Source Name: MsiInstaller
Time Written: 20090502220843.000000-240
Event Type: warning
User: PWES-AD8DFA766A\PRESTON WRIGHT

Computer Name: PWES-AD8DFA766A
Event Code: 1004
Message: Detection of product '{1B06427F-1845-44E2-9022-AA630EBFF817}', feature 'Typical', component '{92571486-C412-4C73-B977-A0356B82A54A}' failed. The resource 'C:\Program Files\The Print Shop 20\Support'' does not exist.

Record Number: 3721
Source Name: MsiInstaller
Time Written: 20090502220843.000000-240
Event Type: warning
User: PWES-AD8DFA766A\PRESTON WRIGHT

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Intuit\QBPOSSDKRuntime;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0407
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"ASLOGDIR"=C:\Program Files\Intuit\QuickBooks 2006\
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------

waderight (Novice) - Posts: 48, Joined: 2009-05-21, OS: xp, Points: 27610, Likes: 0

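The four O4 lines in the HijackThis Backups section of the log above are the registry Run values that were backed up and removed. As an added example (not code from this thread, from HijackThis or from RSIT), the script below parses such O4 lines into hive, value name, executable, arguments and backup date, and flags the entries a reviewer would want to look at: anything whose executable is not on an allowlist of autoruns expected on the machine, a per-user Run value that launches a file sitting directly in system32, and a value whose name is nothing but the file name. The allowlist (only the Epson status-monitor helper) and both heuristics are assumptions for illustration; the sample input is the four lines quoted from the posted log.

```python
"""Triage the O4 (registry Run) entries from a HijackThis / RSIT log.

Assumed for illustration: EXPECTED_AUTORUNS lists the autoruns legitimately
expected on this machine (here only the Epson printer helper), and the two
structural heuristics in triage() are rules of thumb, not signatures.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# The four "HijackThis Backups" lines quoted from the posted log, embedded so
# the script runs offline (raw string: backslashes are literal).
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /FU "C:\WINDOWS\TEMP\E_S1509.tmp" /EF "HKCU" [2009-05-21]
O4 - HKCU\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe [2009-05-21]
O4 - HKCU\..\Run: [AntiMalware_ProMFCT] C:\Program Files\AntiMalware_Pro\Anti_Malware_Pro.exe [2009-05-21]
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min [2009-05-21]
"""

# O4 - <hive>\..\<Run key>: [<value name>] <command> [<backup date>]
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKCU|HKLM)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \[(?P<date>\d{4}-\d{2}-\d{2})\])?$"
)


@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    exe: str
    args: str
    date: Optional[str]


@dataclass
class Finding:
    entry: AutorunEntry
    reasons: List[str] = field(default_factory=list)


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the launched executable from its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, may contain spaces
        end = cmd.find('"', 1)
        if end < 0:
            return cmd.strip('"'), ""
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(.*?\.exe)(?=\s|$)(.*)", cmd, re.IGNORECASE)
    if m:                                         # unquoted path ending in .exe
        return m.group(1), m.group(2).strip()
    head, _, tail = cmd.partition(" ")            # anything else: first token
    return head, tail.strip()


def parse_o4_entries(log_text: str) -> List[AutorunEntry]:
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe, args = split_command(m.group("cmd"))
        entries.append(AutorunEntry(m.group("hive"), m.group("key"),
                                    m.group("name"), exe, args, m.group("date")))
    return entries


# Assumption: lower-case basenames of the autoruns known to belong on this box.
EXPECTED_AUTORUNS: Set[str] = {"e_fatiafa.exe"}


def triage(entries: List[AutorunEntry], expected: Set[str] = EXPECTED_AUTORUNS) -> List[Finding]:
    """Return every entry that fails the allowlist or a structural heuristic."""
    findings = []
    for e in entries:
        base = ntpath.basename(e.exe).lower()
        directory = ntpath.dirname(e.exe).lower()
        reasons = []
        if base not in expected:
            reasons.append("not on the expected-autorun allowlist")
        if e.hive == "HKCU" and directory.endswith("\\system32"):
            reasons.append("per-user Run value launching a file placed directly in system32")
        if base == e.name.lower():
            reasons.append("value name is just the file name")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_o4_entries(SAMPLE_LOG)):
        print(f"{f.entry.hive} [{f.entry.name}] {f.entry.exe} ({f.entry.date}): "
              + "; ".join(f.reasons))
```

Run as-is it prints the three entries other than the Epson helper, each with its reasons. The allowlist does most of the work, so build it from a known-clean baseline of the same machine or image rather than from the infected log itself; the two heuristics only catch the obvious shapes (an installer-named file dropped into system32 and registered per-user).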

Re: win blue malware?

Post by Origin on Sun May 24, 2009 9:24 pm

Please use the Internet Explorer browser and do an online scan with [You must be registered and logged in to see this link.]

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display whether your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

    **Note**

    To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin (Master) - Posts: 2685, Joined: 2009-05-05, Gender: Male, OS: Windows Xp Sp3, Points: 31483, Likes: 0


Re: win blue malware?

Post by waderight on Sun May 24, 2009 10:18 pm

How do I turn off AVG Anti-Virus? It's blocking the Kaspersky update.

waderight (Novice) - Posts: 48, Joined: 2009-05-21, OS: xp, Points: 27610, Likes: 0


Re: win blue malware?

Post by Origin on Sun May 24, 2009 11:51 pm

Check how to disable it here:

[You must be registered and logged in to see this link.]



Origin (Master) - Posts: 2685, Joined: 2009-05-05, Gender: Male, OS: Windows Xp Sp3, Points: 31483, Likes: 0

