
Winbluesoft virus - pop-ups "infiltration alert"


This topic is locked. 36 replies to this topic.

#1 J3w3ls


Posted 18 June 2009 - 05:24 AM

This lil virus has put a fake windows security centre icon in my task bar... a little red x that claims the virus protection is off and redirects me to register (ie: pay $49 for) Winbluesoft. A little speech bubble appears telling me I have trojans, password stealers or some such. I have checked the real WSC which is fine. I also get two red popups "Security centre alert" on the bottom of my screen every couple of minutes.
My browser has had a few extra pop-ups recently but this virus is annoying... I don't THINK it's actually doing anything too scary but I'm not sure...

*edit* actually it might be scary - I have 2 trojan injectors that AVG can't sort out and my browser is really sticky, keeps sending me to myspace or ebay or search pages...

Please would somebody look at my logs & help me out!



DDS (Ver_09-05-14.01) - NTFSx86
Run by Removed at 11:17:44.45 on 18/06/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.446.92 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\setup2.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Removed.Removed\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://home.bt.yahoo.com
mSearch Page =
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Catcher Class: {adecbed6-0366-4377-a739-e69dfba04663} - c:\program files\moyea\flv downloader\MoyeaCth.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [Power2GoExpress]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [setup2.exe] c:\windows\system32\setup2.exe
mRun: [AOL_Demo] c:\applications\tool\aol demo\DSGDemo.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [RaidTool] c:\program files\via\raid\raid_tool.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [USB Storage Toolbox] c:\program files\usb disk win98 driver\Res.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242161346291
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: NameServer = 85.255.112.176,85.255.112.189
TCP: {3C5A291F-500E-4704-B1AC-3BE19925E245} = 85.255.112.176,85.255.112.189
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\Removed~1.jul\applic~1\mozilla\firefox\profiles\40voj991.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-12 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-12 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-12 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-12 298776]
S2 gupdate1c9d6feb2cf051e;Google Update Service (gupdate1c9d6feb2cf051e);c:\program files\google\update\GoogleUpdate.exe [2009-5-17 133104]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]

=============== Created Last 30 ================

2009-06-18 11:01 <DIR> --d----- c:\program files\CCleaner
2009-06-18 10:39 830,976 a------- c:\windows\system32\setup2.exe
2009-06-18 10:27 <DIR> --d----- c:\docume~1\Removed~1.jul\applic~1\Aladdin Systems
2009-06-18 10:27 <DIR> --d----- c:\program files\Aladdin Systems
2009-06-18 10:16 <DIR> --d----- c:\program files\Traktor DJ Studio v2.0_with_serial
2009-06-18 10:12 <DIR> --d----- c:\program files\Sonic Foundry Noise Reduction Plug-In
2009-06-18 10:11 <DIR> --d----- c:\program files\Sonic Foundry
2009-06-18 10:10 <DIR> --d----- c:\program files\Sonic Foundry Setup
2009-06-18 10:08 <DIR> --d----- c:\temp\WinRAR 3.00 Final
2009-06-18 10:07 <DIR> --d----- C:\unzipped
2009-06-18 10:02 <DIR> --d----- c:\program files\FruityLoops 3.4
2009-06-18 09:51 32,768 a------- c:\windows\ReBirth RB-338 2.prf
2009-06-17 22:58 <DIR> --d----- c:\program files\Native Instruments
2009-06-17 22:57 41,216 a---h--- C:\rb20crk.dat
2009-06-17 22:57 <DIR> --d----- C:\audio
2009-06-17 22:55 <DIR> --d----- c:\program files\Fruity Loops
2009-06-17 22:55 <DIR> --d----- c:\program files\Cool Edit Pro 2.0
2009-06-17 22:55 <DIR> --d----- c:\program files\Sony Sound Forge 8.0b Build 110 +Keygen (Latest Update)
2009-06-17 22:55 <DIR> --d----- c:\program files\WinZip + Crack
2009-06-17 22:55 <DIR> --d----- c:\program files\Winrar + Crack
2009-06-17 22:54 <DIR> --d----- c:\program files\Synths
2009-06-17 22:54 <DIR> --d----- c:\program files\Plugins
2009-06-17 22:54 <DIR> --d----- c:\program files\Sound Forge 5
2009-06-17 22:54 <DIR> --d----- c:\program files\Traktor
2009-06-15 20:45 <DIR> --d----- c:\docume~1\Removed~1.jul\applic~1\NetMedia Providers
2009-06-15 20:34 <DIR> --d----- c:\program files\Sony
2009-06-15 20:32 <DIR> --d----- c:\program files\Sony Setup
2009-06-14 23:15 15,955 a------- c:\windows\system32\15904vir5s45cz.bin
2009-06-14 23:02 3,271 a------- c:\windows\system32\655bvi9138z.bin
2009-06-14 19:29 11,426 a------- c:\windows\system32\495dstea9z171.dll
2009-06-14 18:15 <DIR> --d----- c:\program files\Samsung PC Studio 3
2009-06-14 06:38 18,350 a------- c:\windows\z00spyd59.exe
2009-06-13 10:39 6,784 a------- c:\windows\system32\5653add9arez061.cpl
2009-06-12 16:29 17,901 a------- c:\windows\14c5azd9are1252.dll
2009-06-12 15:07 2,556 a------- c:\windows\395as5ywarez018.ocx
2009-06-10 11:09 5,632 a------- c:\windows\system32\ptpusb.dll
2009-06-10 11:09 159,232 a------- c:\windows\system32\ptpusd.dll
2009-06-09 12:10 5,181 a------- c:\windows\system32\17135s9y5z.cpl
2009-06-08 19:14 6,654 a------- c:\windows\system32\1397ba5zdoor950.dll
2009-06-08 16:12 <DIR> --d----- c:\docume~1\Removed~1.jul\applic~1\Free Audio Editor
2009-06-08 16:11 113,486 a------- c:\windows\system32\NCTWMAProfiles.prx
2009-06-08 16:11 479,232 a------- c:\windows\system32\NCTAudioVisualization2.dll
2009-06-08 16:11 417,792 a------- c:\windows\system32\NCTTextToAudio2.dll
2009-06-08 16:11 348,160 a------- c:\windows\system32\NCTWMAFile2.dll
2009-06-08 16:11 1,212,416 a------- c:\windows\system32\NCTAudioInformation2.dll
2009-06-08 16:11 602,112 a------- c:\windows\system32\NCTAudioTransform2.dll
2009-06-08 16:11 458,752 a------- c:\windows\system32\NCTAudioRecord2.dll
2009-06-08 16:11 458,752 a------- c:\windows\system32\NCTAudioPlayer2.dll
2009-06-08 16:11 1,986,560 a------- c:\windows\system32\NCTAudioFile2.dll
2009-06-08 16:11 880,640 a------- c:\windows\system32\NCTAudioEditor2.dll
2009-06-08 16:11 835,584 a------- c:\windows\system32\NCTAudioCDGrabber2.dll
2009-06-08 16:11 <DIR> --d----- c:\program files\Free Audio Editor
2009-06-08 16:10 15,004,369 a------- c:\program files\FreeAudioEditor.exe
2009-06-06 08:20 3,102 a------- c:\windows\system32\5540s9azse12.ocx
2009-06-04 13:49 6,468 a------- c:\windows\system32\4f09zpyware19955.dll
2009-06-03 16:52 10,617 a------- c:\windows\system32\1484vizus5139.dll
2009-06-03 11:19 <DIR> --d----- c:\program files\USB Disk Win98 Driver
2009-06-03 03:09 12,417 a------- c:\windows\3667back9oorz9465.bin
2009-06-01 03:55 9,127 a------- c:\windows\5zdb9hief1445.cpl
2009-05-31 22:15 19,584 ac------ c:\windows\system32\dllcache\rasirda.sys
2009-05-31 22:15 19,584 a------- c:\windows\system32\drivers\rasirda.sys
2009-05-31 22:15 151,552 ac------ c:\windows\system32\dllcache\irftp.exe
2009-05-31 22:15 88,192 ac------ c:\windows\system32\dllcache\irda.sys
2009-05-31 22:15 28,160 ac------ c:\windows\system32\dllcache\irmon.dll
2009-05-31 22:15 8,192 ac------ c:\windows\system32\dllcache\wshirda.dll
2009-05-31 22:15 151,552 a------- c:\windows\system32\irftp.exe
2009-05-31 22:15 88,192 a------- c:\windows\system32\drivers\irda.sys
2009-05-31 22:15 28,160 a------- c:\windows\system32\irmon.dll
2009-05-31 22:15 8,192 a------- c:\windows\system32\wshirda.dll
2009-05-31 22:15 18,688 ac------ c:\windows\system32\dllcache\irsir.sys
2009-05-31 22:15 18,688 a------- c:\windows\system32\drivers\irsir.sys
2009-05-31 22:10 99,328 ac------ c:\windows\system32\dllcache\srusd.dll
2009-05-31 22:10 99,328 a------- c:\windows\system32\srusd.dll
2009-05-31 22:10 6,784 ac------ c:\windows\system32\dllcache\serscan.sys
2009-05-31 22:10 6,784 a------- c:\windows\system32\drivers\serscan.sys
2009-05-31 22:10 71,680 ac------ c:\windows\system32\dllcache\fnfilter.dll
2009-05-31 22:10 71,680 a------- c:\windows\system32\fnfilter.dll
2009-05-29 18:52 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-29 18:52 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-26 21:00 <DIR> --d----- c:\docume~1\Removed~1.jul\applic~1\Moyea
2009-05-26 04:41 16,785 a------- c:\windows\45azthreat29946.bin
2009-05-25 05:07 16,288 a------- c:\windows\989z7tr5j3c5.dll
2009-05-24 06:04 11,934 a------- c:\windows\system32\90759not-a-vzrus424.cpl
2009-05-23 01:08 10,753 a------- c:\windows\system32\9bbzir1215.ocx
2009-05-22 01:53 3,972 a------- c:\windows\system32\32566viz9s25.bin
2009-05-21 16:11 16,868 a------- c:\windows\58dcs9yzare28145.exe
2009-05-21 11:53 11,667 a------- c:\windows\system32\170z3troj599.exe
2009-05-20 13:43 <DIR> --ds---- c:\documents and settings\Removed.Removed\UserData

==================== Find3M ====================

2009-05-17 23:10 4,524 a------- c:\windows\60a9bzck5oo93169.exe
2009-05-17 22:39 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-17 01:15 7,308 a------- c:\windows\655b5ir1z97.dll
2009-05-16 21:48 17,073 a------- c:\windows\system32\558bzt9al325.dll
2009-05-15 16:32 4,350 a------- c:\windows\50f9spyzare5117.exe
2009-05-12 22:09 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-12 22:09 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-12 22:09 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-05 07:54 8,291 a------- c:\windows\system32\51638hack9ozl56b.dll
2009-05-02 20:44 12,683 a------- c:\windows\system32\1z25spyware9451.bin
2009-04-29 05:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 05:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-28 17:13 7,692 a------- c:\windows\system32\e8b5acz9oor1346.exe
2009-04-25 11:36 13,255 a------- c:\windows\75z9ir2520.dll
2009-04-24 16:03 8,227 a------- c:\windows\3197downlo5der3967z.dll
2009-04-20 22:06 6,309 a------- c:\windows\system32\7zst9al2935.bin
2009-04-19 11:18 14,358 a------- c:\windows\system32\683595iefz5.bin
2009-04-19 01:22 15,355 a------- c:\windows\985fspzware854.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 21:25 129,784 -------- c:\windows\system32\pxafs.dll
2009-04-15 21:25 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-04-15 21:25 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-04-15 21:24 90,112 a------- c:\windows\system32\dpl100.dll
2009-04-15 21:24 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-04-15 21:24 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-04-15 21:24 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-04-15 21:24 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-04-15 21:24 684,032 a------- c:\windows\system32\DivX.dll
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-10 01:03 2,627 a------- c:\windows\99019not-a-vizus2f05.exe
2009-04-08 05:56 13,808 a------- c:\windows\system32\5z15spy91e.bin
2009-04-04 12:27 17,604 a------- c:\windows\58dvzr569.bin
2009-04-03 02:52 13,023 a------- c:\windows\system32\5992thief2z32.dll
2009-03-23 08:48 3,463 a------- c:\windows\system32\482zthief17995.exe
2009-03-21 22:07 9,836 a------- c:\windows\7de1add59ze431.bin
2009-03-21 09:17 10,018 a------- c:\windows\system32\6709spyzare745.exe
2009-03-21 02:45 5,454 a------- c:\windows\952znot-9-virus2b1.dll
2008-10-28 10:57 2,122 a------- c:\program files\Uninstall Samsung PC Studio 3.lnk
2008-10-28 10:45 685 a------- c:\program files\Samsung PC Studio 3.lnk
2004-08-04 00:56 28,672 a------- c:\program files\setupSNK.exe
2006-12-26 20:21 0 ac-sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 11:18:23.29 ===============


Edited by Orange Blossom, 04 October 2010 - 05:43 PM.
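Two checks a reader of the DDS log above would want to run mechanically: which resolvers the TCP: NameServer lines hand to the machine (the addresses here are the ones MBAM later reports as Trojan.DNSChanger in this thread), and which newly created files under c:\windows carry the scrambled digit-letter names that fill the Created Last 30 section. The Python below is an added example, not a BleepingComputer tool or anything posted in the thread; the expected-resolver set (192.168.1.1 as a placeholder) and the naming heuristic are assumptions of the example, and the sample lines are constructed from the log's own entries.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the shape of the DDS log above: two TCP: resolver lines
# from the Pseudo HJT Report and a few "Created Last 30" / Find3M file lines.
# The addresses and file names are the ones that appear in that log.
SAMPLE_DDS = """\
uStart Page = hxxp://www.google.com/
TCP: NameServer = 85.255.112.176,85.255.112.189
TCP: {3C5A291F-500E-4704-B1AC-3BE19925E245} = 85.255.112.176,85.255.112.189
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\\program files\\avg\\avg8\\avgpp.dll
2009-06-18 10:39 830,976 a------- c:\\windows\\system32\\setup2.exe
2009-06-14 23:15 15,955 a------- c:\\windows\\system32\\15904vir5s45cz.bin
2009-06-14 06:38 18,350 a------- c:\\windows\\z00spyd59.exe
2009-05-31 22:15 19,584 a------- c:\\windows\\system32\\drivers\\rasirda.sys
2009-04-17 13:26 1,847,168 a------- c:\\windows\\system32\\win32k.sys
2009-04-15 21:24 823,296 a------- c:\\windows\\system32\\divx_xx0c.dll
"""

# Assumption: the resolvers this PC is supposed to use. 192.168.1.1 is a
# constructed placeholder for a home router; the real value comes from the
# ISP or the DHCP lease, never from the log being audited.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# "TCP: NameServer = a,b" is the global value; "TCP: {GUID} = a,b" is per interface.
TCP_LINE = re.compile(
    r"^TCP:\s+(?P<key>NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(?P<servers>[0-9.,\s]+)$"
)
# "YYYY-MM-DD HH:MM  size  attrs  path" is how DDS prints created/modified files.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)


def audit_resolvers(log: str, expected=EXPECTED_RESOLVERS) -> List[Dict[str, str]]:
    """One finding per configured DNS server that is not in `expected`.

    A public resolver the owner never configured, repeated on every interface,
    is the pattern MBAM later labelled Trojan.DNSChanger on this machine.
    """
    findings = []
    for line in log.splitlines():
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        for server in (s.strip() for s in m.group("servers").split(",") if s.strip()):
            if server in expected:
                continue
            addr = ipaddress.ip_address(server)  # raises on a malformed token
            findings.append({
                "key": m.group("key"),
                "server": server,
                "scope": "private" if addr.is_private else "public",
            })
    return findings


_DIGIT_RUNS = re.compile(r"\d+")
_ALPHA_RUNS = re.compile(r"[A-Za-z]+")


def looks_machine_generated(filename: str) -> bool:
    """Naming heuristic (an assumption of this example, not a rule from the
    thread): a stem that interleaves two or more digit runs with two or more
    letter runs, e.g. 15904vir5s45cz, is unusual for a vendor-shipped file,
    while setup2, win32k or divx_xx0c have a single digit run and pass."""
    stem = filename.rsplit(".", 1)[0]
    return len(_DIGIT_RUNS.findall(stem)) >= 2 and len(_ALPHA_RUNS.findall(stem)) >= 2


def suspicious_new_files(log: str) -> List[str]:
    """Paths from DDS file lines that land under c:\\windows and carry a
    machine-generated-looking name; each hit still needs analyst review."""
    hits = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m or m.group("size") == "<DIR>":
            continue
        path = m.group("path")
        if not path.lower().startswith("c:\\windows\\"):
            continue
        if looks_machine_generated(path.rsplit("\\", 1)[-1]):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for f in audit_resolvers(SAMPLE_DDS):
        print(f"unexpected {f['scope']} resolver {f['server']} in {f['key']}")
    for p in suspicious_new_files(SAMPLE_DDS):
        print("review:", p)
```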



#2 SifuMike

malware expert

Posted 23 June 2009 - 06:29 PM

Hello,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-Language
  • Check the box that says: "Accept License Agreement" then press Continue (Selecting Windows will give you the 32-bit version.)
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java™ 6 Update 13
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.



Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edited by Orange Blossom, 04 October 2010 - 05:44 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 J3w3ls


Posted 03 July 2009 - 05:08 AM

Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
AVGFree8.5
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

CCleaner (remove only)
Java™ 6 Update 14
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

Request Timed Out (Check Internet connection?)

Scan took 17 seconds.
`````````End of Log```````````

just having trouble installing the right version of mbam; will message when done :thumbup2:

Edited by Orange Blossom, 04 July 2009 - 07:01 PM.
Fix BB Code. ~ OB


#4 J3w3ls


Posted 03 July 2009 - 05:30 AM

ok - downloaded mbam setup.exe from both cnet and major geeks (the 3rd link is dead) and tried installing the program twice... then tried it from filehippo - then I checked the Malwarebytes site and it's also down. Is there another program you could recommend for this stage?
thanks

#5 SifuMike

malware expert

Posted 03 July 2009 - 09:58 AM

Hi,

I just checked those three sites and they are up.

If MBAM will not install, please rename the installer mbam-setup.exe. Example: newtool.exe
Proceed installing the renamed installer of MBAM.

If MBAM will not run, go to the program directory of MBAM (e.g. C:\Program Files\Malwarebytes Antimalware\) then rename mbam.exe to newtool.exe, double click newtool.exe to proceed in running a Quick scan.

Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#6 J3w3ls


Posted 04 July 2009 - 06:52 PM

yeh sorry Mike it's not happening... check it out the main malwarebytes site (http://www.malwarebytes.org) doesn't seem to exist? tried what you said... isn't there another similar program I could try?

#7 SifuMike

malware expert

Posted 04 July 2009 - 06:57 PM

No, no other program will do the job.

I just tried all these sites and they all work.

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

#8 SifuMike

malware expert

Posted 04 July 2009 - 07:20 PM

Hi,

"downloaded mbam setup.exe from both cnet and major geeks (the 3rd link is dead) and tried installing the program twice"


You said the Malwarebytes sites don't work but you said you have downloaded mbam setup.exe.
I am confused.

How could you download mbam setup.exe if the sites don't work? :)

Are you saying the installer is not working? :thumbup2:

If MBAM will not install, please rename the installer mbam-setup.exe. Example: newtool.exe
Proceed installing the renamed installer of MBAM.

If MBAM will not run, go to the program directory of MBAM (e.g. C:\Program Files\Malwarebytes Antimalware\) then rename mbam.exe to newtool.exe, double click newtool.exe to proceed in running a Full scan.

Edited by SifuMike, 04 July 2009 - 07:21 PM.


#9 J3w3ls


Posted 07 July 2009 - 05:25 AM

Sorry if I'm being dim, but....
I have downloaded the setup program from 3 different sites, tried using it.... and the program seems to install each time ok but doesn't launch, whatever I call it. And yes, I definitely ticked "launch".
No amount of clicking on the icon will force the application to open.
No, the first two sites work fine (besttechie doesn't exist), as does filehippo where I found the setup.exe program as well... What I meant is that I just noticed that Malwarebytes' own home site can't be found any more.
Please Please Please? can't we try using another program??? Will Combofix not do it? I'm getting tired of these trojans mucking up my browser!!!

Edited by Orange Blossom, 04 October 2010 - 05:44 PM.


#10 J3w3ls


Posted 07 July 2009 - 05:30 AM

http://www.malwarebytes.org/mbam.php
Address Not Found

www.malwarebytes.org could not be found. Please check the name and try again.

The browser could not find the host server for the provided address.

* Did you make a mistake when typing the domain? (e.g. "ww.mozilla.org" instead of "www.mozilla.org")
* Are you certain this domain address exists? Its registration may have expired.
* Are you unable to browse other sites? Check your network connection and DNS server settings.
* Is your computer or network protected by a firewall or proxy? Incorrect settings can interfere with Web browsing.

#11 SifuMike

malware expert

Posted 07 July 2009 - 09:05 AM

"I have downloaded the setup program from 3 different sites, tried using it.... and the program seems to install each time ok but doesn't launch, whatever I call it. And yes, I definitely ticked "launch". No amount of clicking on the icon will force the application to open."


I told you in a previous post to please rename the installer mbam-setup.exe. Example: newtool.exe
Proceed installing the renamed installer of MBAM.

If MBAM will not run, go to the program directory of MBAM (e.g. C:\Program Files\Malwarebytes Antimalware\) then rename mbam.exe to newtool.exe, double click newtool.exe to proceed in running a quick scan.


Did you do that? :thumbup2:

#12 J3w3ls


Posted 07 July 2009 - 02:48 PM

yes. exactly, to the letter....

Edited by Orange Blossom, 04 October 2010 - 05:49 PM.


#13 SifuMike

malware expert

Posted 07 July 2009 - 02:52 PM

Try this random renamer for MBAM http://kixhelp.com/wr/files/mb/randmbam.exe

If it works, then post the log.

#14 J3w3ls


Posted 07 July 2009 - 03:00 PM

ah - (your reply just crossed in the post!)
I had already done this (twice) earlier and had had no joy, but after clicking a few times just now it said mbam is already running... so I eventually managed to use task manager to coax the wee blighter out of its shell! phew! urg... back in a few mins with your log....

#15 J3w3ls


Posted 07 July 2009 - 04:27 PM

yeah bizarre... it didn't like newtool.exe but when I duplicated it and called one newtool2.exe... bingo!
So thanks for hanging on in there with me :thumbup2:
Here's dat log :)
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

07/07/2009 21:14:30
mbam-log-2009-07-07 (21-14-30).txt

Scan type: Quick Scan
Objects scanned: 105272
Time elapsed: 12 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\MSIVXknqtqlvyparnmcqollxxjbqltcwraewr.dll (Spyware.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\WinBlueSoft (Rogue.WinBlue) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.176,85.255.112.189 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3c5a291f-500e-4704-b1ac-3be19925e245}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.176,85.255.112.189 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.176,85.255.112.189 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3c5a291f-500e-4704-b1ac-3be19925e245}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.176,85.255.112.189 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.176,85.255.112.189 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3c5a291f-500e-4704-b1ac-3be19925e245}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.176,85.255.112.189 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\MSIVXknqtqlvyparnmcqollxxjbqltcwraewr.dll (Spyware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:41:46, on 07/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Removed.Removed\Desktop\HiJackThis2.0.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=48625
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1242161346291
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9d6feb2cf051e) (gupdate1c9d6feb2cf051e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4465 bytes

Edited by Orange Blossom, 04 October 2010 - 05:50 PM.
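One check worth running on a log like the one above, as an added example that is not part of the original post or of Malwarebytes: a small parser for the "Registry Data Items Infected" lines that pulls out every NameServer value the DNS changer wrote, compares the resolver addresses against the ones the machine is expected to use, and lists which control sets and interfaces carried the rogue value. The sample input embeds the six NameServer lines from the MBAM log in the post; the allowlist (192.168.1.1), the ControlSet003 line marked as constructed, and all function names are assumptions for the illustration and do not come from the page.

```python
"""Audit the DNS-changer findings in a Malwarebytes (MBAM) log.

Added example, not the poster's or Malwarebytes' own code. Parses the
"Registry Data Items Infected" lines, extracts every NameServer value the
malware wrote, and reports resolvers that are not on an expected list plus
the control sets / interfaces that were touched, so the cleanup can be
verified location by location.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Sample input: the NameServer lines copied from the MBAM log in the post above,
# plus the WinBlueSoft key to show that non-NameServer items are ignored.
SAMPLE_MBAM_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\WinBlueSoft (Rogue.WinBlue) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.176,85.255.112.189 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3c5a291f-500e-4704-b1ac-3be19925e245}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.176,85.255.112.189 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.176,85.255.112.189 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3c5a291f-500e-4704-b1ac-3be19925e245}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.176,85.255.112.189 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.176,85.255.112.189 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3c5a291f-500e-4704-b1ac-3be19925e245}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.176,85.255.112.189 -> Quarantined and deleted successfully.
"""

# Constructed line (not from the page) showing an item MBAM could not remove yet.
CONSTRUCTED_PENDING_LINE = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer"
    " (Trojan.DNSChanger) -> Data: 85.255.112.176,85.255.112.189 -> Delete on reboot."
)

# Assumed allowlist (not from the page): resolvers this host should be using.
EXPECTED_RESOLVERS: Set[str] = {"192.168.1.1"}

ITEM_RE = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\\S*?\\NameServer)"
    r" \((?P<detection>[^)]+)\)"
    r" -> Data: (?P<data>\S+)"
    r" -> (?P<action>.+)$"
)
CONTROLSET_RE = re.compile(r"\\(CurrentControlSet|ControlSet\d{3})\\")
IFACE_RE = re.compile(r"\\Interfaces\\(\{[0-9a-fA-F-]+\})\\")


def parse_nameserver_items(log_text: str) -> List[Dict[str, object]]:
    """Return one record per NameServer data item found in an MBAM log."""
    items: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = ITEM_RE.match(line.strip())
        if not m:
            continue
        key = m.group("key")
        cs = CONTROLSET_RE.search(key)
        iface = IFACE_RE.search(key)
        resolvers: List[str] = []
        for tok in m.group("data").split(","):
            try:
                resolvers.append(str(ipaddress.ip_address(tok)))
            except ValueError:
                resolvers.append(tok)  # keep unparsable data visible, do not drop it
        items.append({
            "key": key,
            "detection": m.group("detection"),
            "control_set": cs.group(1) if cs else None,
            "interface": iface.group(1) if iface else None,  # None = global value
            "resolvers": resolvers,
            "action": m.group("action").strip(),
        })
    return items


def rogue_resolvers(items: List[Dict[str, object]],
                    expected: Set[str] = EXPECTED_RESOLVERS) -> Set[str]:
    """Every resolver address that is not on the expected list."""
    return {ip for it in items for ip in it["resolvers"] if ip not in expected}


def locations_touched(items: List[Dict[str, object]]) -> Dict[str, Set[str]]:
    """Control set -> scopes ('global' or interface GUID) that carried a rogue value."""
    out: Dict[str, Set[str]] = {}
    for it in items:
        cs: Optional[str] = it["control_set"]  # type: ignore[assignment]
        out.setdefault(cs or "?", set()).add(it["interface"] or "global")  # type: ignore[arg-type]
    return out


def unremediated(items: List[Dict[str, object]]) -> List[str]:
    """Keys whose action was not a successful quarantine/delete (need a follow-up)."""
    return [str(it["key"]) for it in items
            if not str(it["action"]).lower().startswith("quarantined and deleted successfully")]


def audit(log_text: str, expected: Set[str] = EXPECTED_RESOLVERS) -> Dict[str, object]:
    """Summarise the DNS-changer findings of one log."""
    items = parse_nameserver_items(log_text)
    locs = locations_touched(items)
    return {
        "items": len(items),
        "rogue_resolvers": sorted(rogue_resolvers(items, expected)),
        "locations": {cs: sorted(s) for cs, s in locs.items()},
        "unremediated": unremediated(items),
        # every control set should show the same scopes; a gap means one copy was missed
        "scopes_consistent": len({frozenset(s) for s in locs.values()}) <= 1,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_MBAM_LOG))
    print(audit(SAMPLE_MBAM_LOG + "\n" + CONSTRUCTED_PENDING_LINE))
```

The reason the script reports per control set rather than just the rogue addresses: CurrentControlSet is a link to one of the ControlSet00N keys and Last Known Good is another of them, so a cleanup that only cleared the current set would be undone by a Last Known Good boot. The log above shows all three copies and both the global and per-interface values being cleared, which is what you want to see; anything listed under "unremediated" still needs a reboot or a manual check of the value afterwards.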