Spyware + Winblue


Spyware + Winblue

Post by quad2k on 31st May 2009, 5:23 am

I downloaded a program called CopyPod. I believe it infected both my computer and my parents'.

I'm already formatting my parents'. I don't want to have to format mine.
Mine doesn't have popups yet, but I can't go to the Malwarebytes web page.
I have the program installed but it won't run. I cannot run Malwarebytes.
SUPERAntiSpyware will run, but doesn't find it.
Loaris Trojan Remover will run and can't find anything.
My NOD32 won't delete it.
I don't have the Winblue pop-ups, but I want to stop this before it gets even worse. I'm getting the fake web page search when I type in Google for spyware or whatnot. I know not to click on them.

I'm also getting the recycle error when I click on my hard drives.
Here is my HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:08 PM, on 5/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bomgar\Jumpoint\askit.csueastbay.edu\bomgar-jpt.exe
C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-493CAB05\bomgar-scc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Loaris Trojan Remover\TrojanRemover.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Loaris Trojan Remover\hjt1.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\41154f0f-c481-4b4e-bcab-ec570fa651d9.exe
O4 - HKCU\..\Run: [Loaris Trojan Remover] "C:\Program Files\Loaris Trojan Remover\TrojanRemover.exe" 0
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Protection Technology - C:\WINDOWS\System32\appdrvrem01.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bomgar Jumpoint [askit.csueastbay.edu] - Bomgar Corporation - C:\Program Files\Bomgar\Jumpoint\askit.csueastbay.edu\bomgar-jpt.exe
O23 - Service: Bomgar Jump Client [1228712711-1239432886] (bomgar-ps-1228712711-1239432886) - Bomgar Corporation - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-493CAB05\bomgar-scc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 8068 bytes

quad2k
Novice

Posts : 9
Joined : 2009-05-31
OS : Windows XP SP 3
Points : 27491
Likes : 0


Re: Spyware + Winblue

Post by quad2k on 31st May 2009, 5:52 am

I already did the ComboFix.

I also got online and got the newest version of SUPERAntiSpyware.
Just did it manually.

Here is my ComboFix log:
ComboFix 09-05-30.03 - Quad 05/30/2009 22:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2872 [GMT -7:00]
Running from: c:\documents and settings\Quad\Desktop\Combo-Fix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\Quad\Application Data\inst.exe
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\system32\drivers\gxvxcuyavyqmeybwexvakvdyigwvbvdpmyllr.sys
c:\windows\system32\gxvxcbdqnpjjuwktcjtohupjwftmwduxyosri.dll
c:\windows\system32\gxvxcesbxhkjlqjolwmixxoamyuynopxujabm.dll
I:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.

2009-05-31 05:10 . 2009-03-26 23:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-31 05:10 . 2009-05-31 05:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-31 05:10 . 2009-05-31 05:10 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-31 05:10 . 2009-03-26 23:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-31 04:45 . 2009-05-31 05:27 -------- d-----w c:\program files\Loaris Trojan Remover
2009-05-31 04:39 . 2009-05-31 05:35 117760 ----a-w c:\documents and settings\Quad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-31 04:36 . 2009-05-31 04:36 -------- d-----w c:\documents and settings\Quad\Application Data\Thinstall
2009-05-16 00:49 . 2009-05-16 00:50 -------- d-----w c:\program files\Killing Floor
2009-05-11 08:55 . 2009-05-18 07:33 25 ----a-w c:\windows\popcinfot.dat
2009-05-11 05:08 . 2009-05-11 05:08 -------- d-----w c:\documents and settings\All Users\Application Data\PopCap Games
2009-05-03 19:06 . 2009-05-03 19:06 -------- d-----w c:\documents and settings\Quad\Local Settings\Application Data\Atari
2009-05-03 19:06 . 2009-05-03 19:06 -------- d-----w c:\documents and settings\Quad\Application Data\Atari
2009-05-03 01:15 . 2009-05-03 01:15 -------- d-----w c:\documents and settings\All Users\Application Data\TVU Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 05:36 . 2008-12-08 05:05 -------- d-----w c:\documents and settings\All Users\Application Data\Bomgar-SCC-493CAB05
2009-05-31 05:24 . 2008-10-11 23:56 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-31 04:57 . 2008-09-13 18:18 -------- d-----w c:\documents and settings\Quad\Application Data\uTorrent
2009-05-31 04:39 . 2008-10-11 23:56 -------- d-----w c:\documents and settings\Quad\Application Data\SUPERAntiSpyware.com
2009-05-31 04:39 . 2008-10-11 00:25 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-24 21:49 . 2008-09-13 18:24 -------- d-----w c:\documents and settings\Quad\Application Data\LimeWire
2009-05-10 10:25 . 2008-11-27 03:38 -------- d-----w c:\documents and settings\Quad\Application Data\dvdcss
2009-05-03 01:15 . 2008-09-18 03:37 -------- d-----w c:\program files\TVUPlayer
2009-04-30 01:46 . 2008-11-17 02:31 38048 ----a-w c:\windows\system32\drivers\CO_Mon.sys
2009-04-25 06:19 . 2009-04-25 06:19 -------- d-----w c:\program files\Ventrilo
2009-04-25 06:19 . 2009-04-25 06:19 3196328 ----a-w C:\ventrilo-3.0.5-Windows-i386.exe
2009-04-19 06:22 . 2009-04-19 06:22 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-19 06:22 . 2009-04-19 06:22 -------- d-----w c:\program files\iTunes
2009-04-19 06:22 . 2009-04-19 06:22 -------- d-----w c:\program files\iPod
2009-04-19 06:22 . 2008-09-14 05:53 -------- d-----w c:\program files\Common Files\Apple
2009-04-19 06:20 . 2009-04-19 06:20 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-13 01:34 . 2009-04-13 01:29 -------- d-----w c:\documents and settings\All Users\Application Data\Tages
2009-04-13 01:19 . 2008-09-13 18:08 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-13 01:18 . 2008-09-17 15:02 279712 ----a-w c:\windows\system32\drivers\atksgt.sys
2009-04-11 06:54 . 2008-12-08 05:05 42549 ----a-w c:\documents and settings\All Users\Application Data\Bomgar-SCC-493CAB05\unbomgar.exe
2009-04-06 00:49 . 2009-01-16 07:32 -------- d-----w c:\program files\Common Files\Adobe
2009-04-04 21:25 . 2009-04-04 21:25 -------- d-----w c:\program files\Electronic Arts
2009-04-04 21:12 . 2009-04-04 21:12 8652 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-04-04 21:12 . 2008-09-13 18:07 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-01 06:06 . 2009-04-01 06:06 -------- d-----w c:\program files\Infogrames
2009-04-01 04:35 . 2009-04-01 04:35 152576 ----a-w c:\documents and settings\Quad\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-26 03:11 . 2009-03-26 03:11 2082104 ----a-w c:\documents and settings\Quad\Application Data\Mozilla\Firefox\Profiles\67gufzyf.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2009-03-25 17:34 . 2009-04-11 06:54 34 ----a-w c:\documents and settings\All Users\Application Data\Bomgar-SCC-493CAB05\uninstall.bat
2009-03-25 17:34 . 2008-12-08 05:05 7168 ----a-w c:\documents and settings\All Users\Application Data\Bomgar-SCC-493CAB05\nstvhook.dll
2009-03-25 17:34 . 2008-12-08 05:05 627064 ----a-w c:\documents and settings\All Users\Application Data\Bomgar-SCC-493CAB05\bomgar-scc.exe
2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 23:32 . 2006-09-19 21:44 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-11 00:42 . 2009-03-11 00:42 152576 ----a-w c:\documents and settings\Quad\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-10 01:46 . 2008-09-28 04:14 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-03-10 01:38 . 2008-09-28 04:14 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-10 01:38 . 2008-09-28 04:14 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-03-09 12:19 . 2008-11-26 06:28 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2008-04-14 12:42 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 04:49 . 2009-02-26 02:29 334912 ----a-w c:\documents and settings\Quad\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll
2009-03-03 04:49 . 2009-02-26 02:29 441408 ----a-w c:\documents and settings\Quad\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll
2009-03-03 04:49 . 2009-02-26 02:29 171072 ----a-w c:\documents and settings\Quad\Application Data\id Software\quakelive\home\baseq3\uix86.dll
2009-03-03 04:49 . 2009-02-26 02:29 866235 ----a-w c:\documents and settings\Quad\Application Data\id Software\quakelive\home\pb\pbcl.dll
2009-03-03 04:49 . 2009-02-26 02:29 57344 ----a-w c:\documents and settings\Quad\Application Data\id Software\quakelive\home\pb\pbag.dll
2009-03-03 04:49 . 2009-02-26 02:29 479232 ----a-w c:\documents and settings\Quad\Application Data\id Software\quakelive\home\pb\pbsv.dll
2009-03-03 04:49 . 2009-02-26 02:29 2669632 ----a-w c:\documents and settings\Quad\Application Data\id Software\quakelive\home\baseq3\quakelive.dll
2009-03-03 00:18 . 2008-05-26 21:34 826368 ----a-w c:\windows\system32\wininet.dll
.

------- Sigcheck -------

[-] 2008-05-26 21:34 1614848 362BC5AF8EAF712832C58CC13AE05750 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\41154f0f-c481-4b4e-bcab-ec570fa651d9.exe" [2009-03-23 1830128]
"Loaris Trojan Remover"="c:\program files\Loaris Trojan Remover\TrojanRemover.exe" [2009-05-29 3135488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-09-13 949376]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-03-17 1040384]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-03-26 401040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"i:\\Games\\Steam\\steamapps\\quaddamage2k\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"i:\\Games\\S.T.A.L.K.E.R\\S.T.A.L.K.E.R. - Clear Sky\\bin\\xrEngine.exe"=
"i:\\Games\\S.T.A.L.K.E.R\\S.T.A.L.K.E.R. - Clear Sky\\bin\\dedicated\\xrEngine.exe"=
"i:\\Games\\Crysis\\Bin32\\Crysis.exe"=
"i:\\Games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\HLSW\\hlsw.exe"=
"i:\\Games\\Brothers.in.Arms.Hells.Highway-RELOADED\\Brothers in Arms - Hell's Highway\\Binaries\\biahh.exe"=
"i:\\Games\\Steam\\steamapps\\quaddamage2k\\synergy\\hl2.exe"=
"i:\\Games\\Steam\\steamapps\\quaddamage2k\\zombie panic! source\\hl2.exe"=
"i:\\Games\\Steam\\steamapps\\quaddamage2k\\insurgency\\hl2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\PolarisX\\mirc.exe"=
"i:\\Games\\Steam\\steam.exe"=
"i:\\Games\\Call.Of.Duty.World.At.War.[PCDVD9]\\CoDWaWmp.exe"=
"i:\\Games\\Call.Of.Duty.World.At.War.[PCDVD9]\\CoDWaW.exe"=
"c:\\Documents and Settings\\Quad\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"i:\\Games\\Steam\\steamapps\\quaddamage2k\\counter-strike source\\hl2.exe"=
"i:\\Games\\Legendary-RELOADED\\Binaries\\Legendary.exe"=
"i:\\Games\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"i:\\Games\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"i:\\Games\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"i:\\Games\\Starcraft\\StarCraft.exe"=
"i:\\Games\\Saints Row 2\\SR2_pc.exe"=
"i:\\Games\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"i:\\Games\\Steam\\steamapps\\common\\far cry 2\\bin\\FarCry2.exe"=
"i:\\Games\\Steam\\steamapps\\common\\far cry 2\\bin\\FC2Editor.exe"=
"i:\\Games\\Steam\\steamapps\\common\\far cry 2\\bin\\FC2BenchmarkTool.exe"=
"i:\\Games\\Steam\\steamapps\\common\\far cry 2\\bin\\FC2ServerLauncher.exe"=
"i:\\Games\\Steam\\steamapps\\quaddamage2k\\team fortress classic\\hl.exe"=
"i:\\Games\\Dawn of War 2\\DOW2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"i:\\Games\\Steam\\steamapps\\common\\left 4 dead\\srcds.exe"=
"c:\\Program Files\\Killing Floor\\System\\KillingFloor.exe"=
"i:\\Games\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6881:TCP"= 6881:TCP:Torrent1_tcp
"6881:UDP"= 6881:UDP:Torrent1_udp
"6882:TCP"= 6882:TCP:Torrent2_tcp
"6882:UDP"= 6882:UDP:Torrent2_udp
"6883:TCP"= 6883:TCP:Torrent3_tcp
"6884:TCP"= 6884:TCP:Torrent4_tcp
"6885:TCP"= 6885:TCP:Torrent5_tcp
"6886:TCP"= 6886:TCP:Torrent6_tcp
"6887:TCP"= 6887:TCP:Torrent7_tcp
"6888:TCP"= 6888:TCP:Torrent8_tcp
"6889:TCP"= 6889:TCP:Torrent9_tcp
"6883:UDP"= 6883:UDP:Torrent3_udp
"6884:UDP"= 6884:UDP:Torrent4_udp
"6885:UDP"= 6885:UDP:Torrent5_udp
"6886:UDP"= 6886:UDP:Torrent6_udp
"6887:UDP"= 6887:UDP:Torrent7_udp
"6888:UDP"= 6888:UDP:Torrent8_udp
"6889:UDP"= 6889:UDP:Torrent9_udp


Re: Spyware + Winblue

Post by quad2k on 31st May 2009, 5:53 am

R1 appdrv01;Application Driver (01);c:\windows\system32\drivers\appdrv01.sys [10/30/2008 2:14 PM 2911848]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [9/13/2008 11:02 AM 15424]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R2 bomgar-ps-1228712711-1239432886;Bomgar Jump Client [1228712711-1239432886];c:\documents and settings\All Users\Application Data\Bomgar-SCC-493CAB05\bomgar-scc.exe [12/7/2008 10:05 PM 627064]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/30/2009 10:10 PM 179856]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [7/20/2007 6:40 PM 89600]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/30/2009 10:10 PM 15504]
S2 appdrvrem01;Application Driver Auto Removal Service (01);c:\windows\System32\appdrvrem01.exe svc --> c:\windows\System32\appdrvrem01.exe svc [?]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\Quad\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Quad\LOCALS~1\Temp\ALSysIO.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]
S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\documents and settings\Quad\Desktop\RealTemp_2.70\3.0\WinRing0.sys [2/19/2009 6:47 PM 14416]
.
Contents of the 'Scheduled Tasks' folder

2009-05-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\Quad\Application Data\Mozilla\Firefox\Profiles\67gufzyf.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Quad\Application Data\Mozilla\Firefox\Profiles\67gufzyf.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-30 22:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-630328440-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:6a,71,cb,8a,33,56,c1,e1,19,53,e4,8a,84,d8,12,27,8c,6f,2c,74,83,
86,5f,03,98,5b,52,f7,50,6a,8a,7c,45,b5,0e,81,13,85,06,fb,4e,e4,1e,a1,2f,84,\
"rkeysecu"=hex:28,65,61,06,3d,50,60,08,7b,10,fa,ec,f3,7b,7a,67
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\Quad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(960)
c:\windows\system32\imon.dll
.
Completion time: 2009-05-31 22:38
ComboFix-quarantined-files.txt 2009-05-31 05:38

Pre-Run: 298,481,840,128 bytes free
Post-Run: 301,291,945,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /numproc=2

250 --- E O F --- 2009-05-14 03:00


Re: Spyware + Winblue

Post by quad2k on 31st May 2009, 5:55 am

The recycle error went away. Very nice!

I'm still blocked from the Malwarebytes and Spybot homepages, and I can't update from within the Malwarebytes program.


Re: Spyware + Winblue

Post by quad2k on 31st May 2009, 5:57 am

Currently running a SUPERAntiSpyware Complete Scan (updated manually today).

Malwarebytes 5-19-09 is doing a full scan as well.

Will post results


Re: Spyware + Winblue

Post by quad2k on 31st May 2009, 7:01 am

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

5/30/2009 11:43:06 PM
mbam-log-2009-05-30 (23-43-06).txt

Scan type: Full Scan (C:\|I:\|)
Objects scanned: 255978
Time elapsed: 38 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


All clean.

I still can't update my Malwarebytes or go to their home page. Something is still left.


Re: Spyware + Winblue

Post by quad2k on 31st May 2009, 7:01 am

It's the same thing on the computer I just formatted. NOD32 won't update, and I can't go on the Malwarebytes page or the NOD32 manual update page.


Something is still left, some help PLEASE!


Re: Spyware + Winblue

Post by quad2k on 31st May 2009, 7:39 am

Wow, this thing is one mean SOB.

I don't know how, but in routerlogin.com (my router for my home network) this damn thing changed the DNS setting. I just put it back to default, and now I have working updates for virus scans and can go to any page.

PLEASE check your DNS settings via your router login page if you are running a router and are getting linked to strange places.

WORKED WELL FOR ME!

Way to solve my own problem! YA ME!


Re: Spyware + Winblue

Post by Belahzur on 31st May 2009, 12:52 pm

Please don't make more than one post; otherwise it leads the helper to think someone is already helping you, and your topic gets left behind.

Do not use ComboFix on your own; it's extremely powerful and has the power to trash your OS.

This infection does use a DNS hijacker, and goes as far as altering router settings.
Change your router password from "admin" or whatever to something stronger; this infection attempts to guess passwords to change settings.




Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
Likes : 1
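The two posts above describe the symptom (AV vendor sites unreachable, updates failing) and its cause (the resolver handed out by the router was changed). The script below is an added example, not code from the thread or from any of the tools named in it, showing two defender-side checks for that situation: it parses the DNS servers a Windows client is using out of `ipconfig /all` output and flags public resolvers that are not on an allowlist, and it compares the answers the configured resolver gives for a few hostnames against answers recorded from a trusted reference resolver. The `ipconfig` text, the hostnames and the answer sets are constructed samples using documentation address ranges. Note the caveat the thread itself illustrates: when the hijack is on the router, the client still points at the router's RFC 1918 address, so the first check comes back clean and only the answer comparison reveals the problem.

```python
"""Added example (not from the thread): detect a DNS hijack from the client side.
1. parse/classify the resolvers a Windows host is using (`ipconfig /all`)
2. compare configured-resolver answers with a trusted reference resolver's answers
"""
import ipaddress
import re
import subprocess
import sys

# Constructed sample of `ipconfig /all` output; addresses are documentation ranges.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : EXAMPLE-PC

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : local
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.7
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)")
_CONT_LINE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_dns_servers(ipconfig_text):
    """Return the DNS server list from `ipconfig /all` output.
    Windows prints the first server on the 'DNS Servers' line and further servers
    on bare, indented continuation lines, so both forms are collected."""
    servers = []
    in_dns_block = False
    for line in ipconfig_text.splitlines():
        m = _DNS_LINE.match(line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True
            continue
        c = _CONT_LINE.match(line) if in_dns_block else None
        if c:
            servers.append(c.group(1))
        else:
            in_dns_block = False
    return servers


def classify_dns_servers(servers, trusted):
    """Split servers into (expected, suspicious). Expected = on the trusted
    allowlist (e.g. the ISP's resolvers) or an RFC 1918 address such as the home
    router. ipaddress.is_private is deliberately not used: it also counts
    documentation ranges like 203.0.113.0/24 as private and would hide exactly
    the kind of unexpected public resolver this check is meant to surface."""
    expected, suspicious = [], []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            suspicious.append(s)
            continue
        if s in trusted or any(addr in net for net in RFC1918):
            expected.append(s)
        else:
            suspicious.append(s)
    return expected, suspicious


def compare_answers(configured, reference):
    """Return hostnames whose answer set from the configured resolver shares no
    address with the reference resolver's answer set (both: name -> set of IPs).
    A hijacked resolver typically redirects vendor update/download hosts while
    answering most other names honestly, so compare the names you care about."""
    return sorted(
        name for name, good in reference.items()
        if not (configured.get(name, set()) & good)
    )


# Constructed answer sets (documentation addresses); the hostnames are placeholders.
SAMPLE_CONFIGURED = {
    "update.av-vendor.example": {"198.51.100.44"},   # redirected by the rogue resolver
    "www.news-site.example": {"192.0.2.80"},
}
SAMPLE_REFERENCE = {
    "update.av-vendor.example": {"203.0.113.10", "203.0.113.11"},
    "www.news-site.example": {"192.0.2.80"},
}


def main():
    if sys.platform == "win32":
        text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_IPCONFIG  # offline / non-Windows: fall back to the constructed sample
    servers = parse_dns_servers(text)
    expected, suspicious = classify_dns_servers(servers, trusted=set())
    print("DNS servers in use:", servers)
    print("  unexpected public resolvers:", suspicious or "none")
    hijacked = compare_answers(SAMPLE_CONFIGURED, SAMPLE_REFERENCE)
    print("names whose answers disagree with the reference resolver:", hijacked or "none")


if __name__ == "__main__":
    main()
```

In practice the reference answers would be recorded once from a known-clean network (or a resolver you reach by IP rather than through the router) and the configured-resolver answers gathered on the suspect host; a name that appears in the mismatch list for an AV vendor's update host is the client-side evidence of the router-level change described in the thread.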
