win blue malware?
Re: win blue malware?

Ok, let's try a different approach.


Smitfraud Infection Detected
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Re: win blue malware?

SmitFraudFix v2.417

Scan done at 20:25:51.39, Sat 05/23/2009
Run from C:\Documents and Settings\PRESTON WRIGHT\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\AppStream\WindowsClient\Bin\AppMgrGui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\PRESTON WRIGHT


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PRESTO~1\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\PRESTON WRIGHT\Application Data

C:\Documents and Settings\PRESTON WRIGHT\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png FOUND !
C:\Documents and Settings\PRESTON WRIGHT\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png FOUND !
C:\Documents and Settings\PRESTON WRIGHT\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PRESTO~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Google\googletoolbar1.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/1000 PL Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 93.188.166.105
DNS Server Search Order: 93.188.161.105

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1BE09C5A-D434-40F3-A258-AF9A3120A60C}: DhcpNameServer=93.188.166.105 93.188.161.105
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1BE09C5A-D434-40F3-A258-AF9A3120A60C}: DhcpNameServer=93.188.166.105 93.188.161.105
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1BE09C5A-D434-40F3-A258-AF9A3120A60C}: DhcpNameServer=93.188.166.105 93.188.161.105
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=93.188.166.105 93.188.161.105
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=93.188.166.105 93.188.161.105
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=93.188.166.105 93.188.161.105


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Re: win blue malware?

I suggest you copy these instructions into a notepad file, because we need to use safe mode and you won't have internet access to read from here.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Re: win blue malware?

The program wouldn't let me follow your instructions. It didn't give me many choices. As soon as I double clicked the download it went through the whole process and didn't seem to need to reboot. See if this is what you need.

SDFix has been extracted to %systemdrive%\SDFix\
(Drive that contains the Windows directory - typically C:\SDFix)

Open the SDFix folder in Safe Mode and double click the RunThis.bat file to start the fixtool
If RunThis.bat is started in Normal Mode, options to download and run Anti-Virus command line scanners are displayed

Catchme.exe Stealth Malware Detector by GMER is also included in the SDFix folder

Additional SDFix Instructions & screen shots can be found here - http://www.bleepingcomputer.com/forums/topic131299.html


Re: win blue malware?

Thought that would work. Let's try a different approach:


Please download Dial-A-Fix from here.

Save it to your Desktop.

Open Dial-a-fix.exe

Click the green checkmark at the bottom of the window; this should select all options.

Now, click GO.

Allow it to run (the status will be displayed at the bottom), and follow any prompts you receive.

Re: win blue malware?

Windows update still doesn't work. Anytime I try to go to windows update site it just sends me to google search page.

Re: win blue malware?

Now that is strange. By the way, are you using a router?

Re: win blue malware?

Time Warner Internet and a wireless netgear router.

Re: win blue malware?

The infection might not be in your computer but in the firmware of your router. Can you update your router and see if you can update Windows? If you don't know how to update your router, then please tell me what model you have.

Re: win blue malware?

Netgear Range Max WPN824 v2. I agree this may be the problem. I saw some of the same probs on my laptop the only time I ever used it through the wireless router. Because I have had probs with my laptop picking up wireless reception on the home network, I have been using a mobile wireless connection even at home.

Re: win blue malware?

Hello, please download the latest firmware here:

ftp://downloads.netgear.com/files/WPN824V2-V2.0.26_1.2.17NA.chk

Save it to your desktop for easy access


  • Log in the router at http://192.168.1.1
  • Click Maintenance > Router Upgrade
  • Click Browse and locate the file you just downloaded.
  • Click Upload. While the firmware is loading, do not interrupt the upgrade process.
  • The router reboots when the upgrade is complete.
  • To check that the upgrade was successful, log in to the router again at http://192.168.1.1 and check the firmware version.

Re: win blue malware?

I can't log in. It's asking for a password. Also, the file I have on my desktop is labeled as: Recovered file fragment, pieces of files found when your disc was scanned. Am I supposed to have a program that handles my router on my computer, or is it in the router?

Re: win blue malware?

The program is in the router itself. The password is the serial that is on the back of your router, usually the one you give someone if you would like them to use your router for wifi internet.

Re: win blue malware?

I did it and I have the new version.

Re: win blue malware?

Can you update Windows now?
