WiredWX Hobby Weather Tools

WinBlue infection

3 posters

Re: WinBlue infection
http://rapidshare.com/files/244637585/combofixlog.txt.html

Re: WinBlue infection
Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
mrtRate

File::
c:\windows\1694zs5y2.bin
c:\windows\~DFED5D.tmp
c:\windows\~DFC45A.tmp

Folder::
c:\documents and settings\All Users\Application Data\Napster
c:\program files\Napster

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32"=-


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
(screenshot: dragging CFScript.txt onto the ComboFix icon)

This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.
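As an added example (not from this thread and not ComboFix's own code), a small Python parser that splits a CFScript like the one above into its sections and reads the Registry:: block with .reg-file conventions, which is an assumption here, so the driver, files, folders and registry entries a script would act on can be reviewed before it is dropped onto ComboFix. The sample script is the one posted above, embedded inline so the code runs offline.

```python
import re

# Constructed sample: the CFScript posted in the thread, embedded so this runs offline.
SAMPLE_CFSCRIPT = r"""KILLALL::
Driver::
mrtRate
File::
c:\windows\1694zs5y2.bin
c:\windows\~DFED5D.tmp
c:\windows\~DFC45A.tmp
Folder::
c:\documents and settings\All Users\Application Data\Napster
c:\program files\Napster
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")

def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; a bare directive such as KILLALL:: maps to []."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def registry_actions(entries):
    """Read a Registry:: section with .reg-file conventions (an assumption here):
    [-KEY] deletes a key, [KEY] selects a key, "name"=- deletes a value under it."""
    actions, key = [], None
    for e in entries:
        if e.startswith("[-") and e.endswith("]"):
            actions.append(("delete_key", e[2:-1], None))
            key = None
        elif e.startswith("[") and e.endswith("]"):
            key = e[1:-1]
        elif e.endswith("=-") and key is not None:
            name = e[:-2].strip('"').replace("\\\\", "\\")  # undo .reg backslash doubling
            actions.append(("delete_value", key, name))
    return actions

if __name__ == "__main__":
    print(parse_cfscript(SAMPLE_CFSCRIPT), registry_actions(parse_cfscript(SAMPLE_CFSCRIPT)["Registry"]))
```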

Re: WinBlue infection
Here's the link for the new combofix log.

http://rapidshare.com/files/244644117/combofixlog2.txt.html

Re: WinBlue infection
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

(screenshot: ComboFix uninstall/cleanup dialog)

This will also reset your restore points.

How is the machine running now?

Re: WinBlue infection
Done. The machine is running very slow and froze on IE. I had to shut down.

Re: WinBlue infection
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

  • Double-click the launch.exe or cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds...
    o Now, go to Settings >> Change Settings
    o Go to Actions tab >> under Objects section, change the settings to below
      Infected objects - Cure
      Incurable objects - Report
      Suspicious objects - Report
    o Don't change any other settings
  • Start the scan again. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan finished, click Select all
  • Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Post DrWeb.csv in your next reply (Open it as Notepad).. Do NOT reboot the computer yet..

Re: WinBlue infection
I followed all steps through the complete scan. It took several hours to run. When I Select All of the found items, the Cure button is grayed out and I can only select Move, Rename, or Delete. I stopped there. A message asking if I want to restart the computer has also popped up a number of times. I have not restarted.

Re: WinBlue infection
Bump. I had to restart and followed all Dr.Web CureIt steps above after the restart. After the Complete Scan, I clicked Select All of the found items, but the Cure button is grayed out and I can only select Move, Rename, or Delete, not Cure. I tried to copy and paste the list in Notepad, but it would not copy.

Re: WinBlue infection
Did it find any virus?

Re: WinBlue infection
Here is the list.
cult.exe
bundle.exe
minibug.exe
home(12).htm\javascript.4
home(12).htm
home(8).htm\javascript.5
home(8).htm
home(1).htm\javascript.12
home(1).htm
home(4).htm\javascript.8
home(4).htm
home(2).htm\javascript.1
home(2).htm\javascript.5
home(2).htm\javascript.6
home(2).htm
home(6).htm\javascript.7
home(6).htm
killwind.exe
install_aim.exe\data041
install_aim.exe
realbar.dll
a0185770.exe
a0185796.exe
