WinBlueSoft - crying for help


Re: WinBlueSoft - crying for help
Hello.
New ideas. Please post a new Hijack This log; I want to kill some other items too.

Re: WinBlueSoft - crying for help
Here it is...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:04:02, on 22.6.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\winuutq.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\winlqsfs.exe
\Arhitekt-397a7d\c\MGtools\analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ba/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=%s
F2 - REG:system.ini: Shell=Explorer.exe "C:\Program Files\Outlook Express\wab.exe"
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-583907252-1202660629-682003330-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Kordic')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Bluetooth.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspcfm.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7447 bytes

Re: WinBlueSoft - crying for help
Hello.
Some new items showed up, yet I'm surprised Origin's Hijack This fix actually worked, because registry editing was disabled.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=%s
    F2 - REG:system.ini: Shell=Explorer.exe "C:\Program Files\Outlook Express\wab.exe"
    O4 - HKLM\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


  • Press "Fix Checked"
  • Close Hijack This.

There's a file on your machine I can't find anything on, which may be regenerating this infection, so I want to get it uploaded and scanned.

Submit a file for analysis.

  1. Please visit this website: Jotti's Malware Scanner
  2. Press the "Browse" button and locate the following file in bold:
    C:\WINDOWS\system32\lspcfm.dll
  3. Press the "Submit File" button to submit the file for analysis.
  4. Allow it to be scanned, it could take a few minutes depending on server load.
  5. Copy and paste the result back here.
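The lines picked out of the log above follow a recognisable set of rules: a system binary name such as svchost.exe launched from outside System32, a second program appended to Shell=, a policy that disables regedit, a search URL redirected to a toolbar, an unrecognised Winsock LSP, and processes running from Temp. As an added example that is not part of this thread, the Python below applies those rules to a constructed excerpt of the posted log; the allow-list of search hosts and the list of system binary names are my assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\winuutq.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ba/
F2 - REG:system.ini: Shell=Explorer.exe "C:\Program Files\Outlook Express\wab.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspcfm.dll
"""

# Names that only belong in System32; anywhere else they are masquerading (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# Assumed allow-list of search hosts; tune it to the machine's locale.
SEARCH_ALLOWLIST = {"www.google.com", "google.com", "google.ba", "www.bing.com", "search.live.com"}
# Profile and Temp directories: anything a standard user can write to.
USER_WRITABLE = re.compile(r"\\(documents and settings|docume~1|users)\\|\\temp\\", re.I)


def exe_path(value):
    """Return the executable path from an O4 value such as '"C:\\x\\y.exe" /flag'."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    m = re.match(r"(.+?\.exe)", value, re.I)
    return m.group(1) if m else value


def triage(log_text):
    """Return (line, reason) pairs for the entries a helper would mark for fixing."""
    findings = []
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if USER_WRITABLE.search(line):
                findings.append((line, "process running from user-writable directory"))
            continue
        code, _, rest = line.partition(" - ")
        if code in ("R0", "R1") and "Search" in rest and "=" in rest:
            host = urlparse(rest.split("=", 1)[1].strip()).hostname or ""
            if host not in SEARCH_ALLOWLIST:
                findings.append((line, f"search provider redirected to {host}"))
        elif code == "F2" and "Shell=" in rest:
            # The shell value must be exactly Explorer.exe; anything appended runs at logon.
            if rest.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                findings.append((line, "extra program appended to Shell="))
        elif code == "O4":
            m = re.match(r".*?\[.+?\]\s*(.+)", rest)
            if m:
                path = exe_path(m.group(1))
                name = path.rsplit("\\", 1)[-1].lower()
                if name in SYSTEM_BINARIES and "\\system32\\" not in path.lower():
                    findings.append((line, f"{name} masquerade outside System32"))
                elif USER_WRITABLE.search(path):
                    findings.append((line, "autorun from user-writable directory"))
        elif code == "O7":
            findings.append((line, f"policy restriction set: {rest.rsplit(',', 1)[-1].strip()}"))
        elif code == "O10" and rest.lower().startswith("unknown file in winsock lsp"):
            findings.append((line, "unrecognised Winsock LSP module"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason:45} {entry}")
```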

Re: WinBlueSoft - crying for help
I can't open that page... it just loads for ages and then "cannot find server".

Re: WinBlueSoft - crying for help
That's due to the rootkit. Looks like we are going to have to kill it manually.

Download the GMER rootkit scan from here: GMER

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.

Re: WinBlueSoft - crying for help
Two more online scanners to try:

http://www.virustotal.com/
http://virscan.org/

Let me know which (if) one works, and upload the file for a scan.

Re: WinBlueSoft - crying for help
Neither of those sites works for me...

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-22 22:03:47
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xBA6BE0D0]
SSDT sptd.sys ZwEnumerateKey [0xBA6C3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xBA6C4340]
SSDT sptd.sys ZwOpenKey [0xBA6BE0B0]
SSDT sptd.sys ZwQueryKey [0xBA6C4418]
SSDT sptd.sys ZwQueryValueKey [0xBA6C4298]
SSDT sptd.sys ZwSetValueKey [0xBA6C44AA]

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) AE74C16D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) AE74BFC2

Code 8A9A9688 ZwFlushInstructionCache
Code 8AADD446 IofCallDriver
Code 8AADD4C6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF15A 5 Bytes JMP 8AADD44B
.text ntkrnlpa.exe!IofCompleteRequest 804EF1EA 5 Bytes JMP 8AADD4CB
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B5288 5 Bytes JMP 8A9A968C
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B9C8180C 5 Bytes JMP 8AC801C8
? C:\WINDOWS\system32\drivers\pukmnn.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\MSN Messenger\msnmsgr.exe[728] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 100046D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateProcessInternalW 7C819704 5 Bytes JMP 100072A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!CryptGenKey 77E114B1 5 Bytes JMP 100053B0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 100053C0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetCreateUrlA + 1A5 771C2714 5 Bytes JMP 10006CB0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetCloseHandle 771C4DAC 5 Bytes JMP 10005920 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!HttpQueryInfoA 771C7842 5 Bytes JMP 100063E0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetReadFile 771C812C 5 Bytes JMP 10003070 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 10003040 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetGetCookieExA 771D9506 5 Bytes JMP 10002A70 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetReadFileExW 771F8071 5 Bytes JMP 100030A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetReadFileExA 771F8D78 5 Bytes JMP 100030D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetSetCookieExW 77215AD2 5 Bytes JMP 10002810 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 100046D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateProcessInternalW 7C819704 5 Bytes JMP 100072A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!CryptGenKey 77E114B1 5 Bytes JMP 100053B0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetCreateUrlA + 1A5 771C2714 5 Bytes JMP 10006CB0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetCloseHandle 771C4DAC 5 Bytes JMP 10005920 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!HttpQueryInfoA 771C7842 5 Bytes JMP 100063E0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetReadFile 771C812C 5 Bytes JMP 10003070 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 10003040 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetGetCookieExA 771D9506 5 Bytes JMP 10002A70 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetReadFileExW 771F8071 5 Bytes JMP 100030A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetReadFileExA 771F8D78 5 Bytes JMP 100030D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetSetCookieExW 77215AD2 5 Bytes JMP 10002810 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 100053C0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01E146D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] kernel32.dll!CreateProcessInternalW 7C819704 5 Bytes JMP 01E172A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] ADVAPI32.dll!CryptGenKey 77E114B1 5 Bytes JMP 01E153B0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 01E153C0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetCreateUrlA + 1A5 771C2714 5 Bytes JMP 01E16CB0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetCloseHandle 771C4DAC 5 Bytes JMP 01E15920 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!HttpQueryInfoA 771C7842 5 Bytes JMP 01E163E0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetReadFile 771C812C 5 Bytes JMP 01E13070 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 01E13040 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetGetCookieExA 771D9506 5 Bytes JMP 01E12A70 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetReadFileExW 771F8071 5 Bytes JMP 01E130A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetReadFileExA 771F8D78 5 Bytes JMP 01E130D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetSetCookieExW 77215AD2 5 Bytes JMP 01E12810 C:\WINDOWS\system32\lspcfm.dll

Re: WinBlueSoft - crying for help
---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6BEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6BEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6BEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6BF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6BF61E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6D429A] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AF051E8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \FileSystem\Fastfat \FatCdrom 8A6E5790
Device \Driver\NetBT \Device\NetBT_Tcpip_{E70F942A-4CC0-4075-BFA4-274B1F4F1211} 8AB61790
Device \Driver\usbuhci \Device\USBPDO-0 8AC7F1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AE951E8
Device \Driver\dmio \Device\DmControl\DmConfig 8AE951E8
Device \Driver\dmio \Device\DmControl\DmPnP 8AE951E8
Device \Driver\dmio \Device\DmControl\DmInfo 8AE951E8
Device \Driver\usbehci \Device\USBPDO-1 8AC681E8
Device \Driver\usbuhci \Device\USBPDO-2 8AC7F1E8
Device \Driver\usbuhci \Device\USBPDO-3 8AC7F1E8
Device \Driver\usbehci \Device\USBPDO-4 8AC681E8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

Device \Driver\usbuhci \Device\USBPDO-5 8AC7F1E8
Device \Driver\usbuhci \Device\USBPDO-6 8AC7F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AF071E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8AF061E8
Device \Driver\atapi \Device\Ide\IdePort0 8AF061E8
Device \Driver\atapi \Device\Ide\IdePort1 8AF061E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8AF061E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8AB61790
Device \Driver\NetBT \Device\NetbiosSmb 8AB61790
Device \Driver\NetBT \Device\NetBT_Tcpip_{5864CB14-1664-4ECB-BEA0-F37208407BFA} 8AB61790
Device \Driver\usbuhci \Device\USBFDO-0 8AC7F1E8
Device \Driver\usbuhci \Device\USBFDO-1 8AC7F1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A104790
Device \Driver\usbehci \Device\USBFDO-2 8AC681E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A104790
Device \Driver\usbuhci \Device\USBFDO-3 8AC7F1E8
Device \Driver\usbuhci \Device\USBFDO-4 8AC7F1E8
Device \Driver\Ftdisk \Device\FtControl 8AF071E8
Device \Driver\usbuhci \Device\USBFDO-5 8AC7F1E8
Device \Driver\usbehci \Device\USBFDO-6 8AC681E8
Device \FileSystem\Fastfat \Fat 8A6E5790

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\Cdfs \Cdfs 8ABFC790

Re: WinBlueSoft - crying for help
---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys (*** hidden *** ) [SYSTEM] MSIVXserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
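The three posts above carry one GMER report. As an added example that is not from the thread or from GMER, the Python below parses the user-mode hook lines and the hidden-service line from a constructed excerpt of that report and separates a program patching its own image (msnmsgr.exe) from a module injected into several processes that hooks networking and crypto APIs (lspcfm.dll); the list of APIs treated as sensitive is my assumption.

```python
import re

# Constructed excerpt of the GMER report posted above (user code sections and services).
SAMPLE_GMER = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\MSN Messenger\msnmsgr.exe[728] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 100046D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetCreateUrlA + 1A5 771C2714 5 Bytes JMP 10006CB0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetReadFile 771C812C 5 Bytes JMP 10003070 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!CryptGenKey 77E114B1 5 Bytes JMP 100053B0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetReadFile 771C812C 5 Bytes JMP 01E13070 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 01E153C0 C:\WINDOWS\system32\lspcfm.dll

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys (*** hidden *** ) [SYSTEM] MSIVXserv.sys <-- ROOTKIT !!!
"""

# User-mode inline hook: ".text <process>[<pid>] <module>!<export>[ + off] <addr> N Bytes JMP <target> <module path>".
# Kernel hook lines carry no [pid] and are deliberately not matched here.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>\S+)!(?P<func>\S+)"
    r"(?:\s+\+\s+[0-9A-Fa-f]+)?\s+(?P<addr>[0-9A-Fa-f]+)\s+\d+ Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)\s+(?P<tmod>.+?)(?:\s+\(.*\))?$")
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<ctx>\w+)\]\s+"
    r"(?P<name>\S+)\s+<-- ROOTKIT")

# APIs whose hooking lets a module read or alter web traffic and key material (assumed list).
SENSITIVE_APIS = {"InternetReadFile", "InternetReadFileExA", "InternetReadFileExW",
                  "HttpQueryInfoA", "InternetGetCookieExA", "InternetSetCookieExW",
                  "CryptGenKey", "PFXImportCertStore", "CreateProcessInternalW", "VirtualProtect"}


def parse_gmer(text):
    """Split a GMER report into inline-hook records and hidden-service records."""
    hooks, hidden = [], []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append(m.groupdict())
            continue
        m = SERVICE_RE.match(line)
        if m:
            hidden.append(m.groupdict())
    return hooks, hidden


def summarise_hooks(hooks):
    """Group hooks by the module the JMP lands in, keyed by lower-cased path."""
    by_module = {}
    for h in hooks:
        key = h["tmod"].lower()
        entry = by_module.setdefault(key, {"processes": set(), "apis": set(), "self_hook": True})
        base = h["proc"].rsplit("\\", 1)[-1].lower()
        entry["processes"].add(f"{base}[{h['pid']}]")
        entry["apis"].add(h["func"])
        if key != h["proc"].lower():
            entry["self_hook"] = False     # the hook code lives in a foreign module
    return by_module


def suspicious_modules(by_module):
    """Modules that hook other processes, ranked by how many processes they reach."""
    out = []
    for mod, e in by_module.items():
        if e["self_hook"]:
            continue   # a program patching its own image (msnmsgr.exe above) is routine
        sensitive = sorted(e["apis"] & SENSITIVE_APIS)
        if len(e["processes"]) >= 2 or sensitive:
            out.append((mod, len(e["processes"]), sensitive))
    return sorted(out, key=lambda t: -t[1])


if __name__ == "__main__":
    hooks, hidden = parse_gmer(SAMPLE_GMER)
    for mod, n, apis in suspicious_modules(summarise_hooks(hooks)):
        print(f"{mod}: hooks {n} process(es); sensitive APIs: {', '.join(apis)}")
    for svc in hidden:
        print(f"hidden service {svc['name']} -> {svc['path']}")
```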

Re: WinBlueSoft - crying for help
1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
MSIVXserv.sys

Files to delete:
C:\WINDOWS\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Re: WinBlueSoft - crying for help
I completed the first step; I'm not allowed to do the second by my Administrator. It asks me to reboot now...

Re: WinBlueSoft - crying for help
I've rebooted it and here is the file:


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "MSIVXserv.sys" found!
ImagePath: \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Driver disabled successfully.

Rootkit scan completed.

Driver "MSIVXserv.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: WinBlueSoft - crying for help
See if you can run Malwarebytes now.

Re: WinBlueSoft - crying for help
Yes, I can. :)

Re: WinBlueSoft - crying for help
That's great news. Please do a quick scan and post all the contents of the log back here. :)
