blue.exe?? Recyc.exe???

Forums › Microsoft Windows › blue.exe?? Recyc.exe???

bgorgees

27 posts

Geek

#17885 16-Dec-2007 21:39

I got this spyware or malware in my windows... it installs itself to any storage device connected to the computer (flash drives, other HDD's, even remote drives)... and from there it copies itself, right now its on my USB drive, external HDD, my brothers laptop, my 2 computer hard drives...

every time I try to open a drive or storage device this message pops up, and a Recyc.exe icon pops up in the file background as well...
error message

in my task list there's a Blue.exe running and it'll restart even if I go end process tree...
I even started computer in safe mode and deleted what I think were all the related files, entries and registries and it still comes back...

anyway I did my research on internet and I haven't found an effective way or software to remove it completly...
PC-cillin 2007 doesn't seem to pick it up even...

problem is its on my back up hard drive and I don't want to format that... I formated my main drive but it copied itself back from the back up drive... it also seems to stop iTunes from working, I can't even start the program even after reinstalling the program and formating the computer..

any one out there know what to do...?

Spyware

3771 posts

Uber Geek

Lifetime subscriber

#100309 16-Dec-2007 21:43

There is no "automated" anti-spyware removal tool for this type infection.
There are 2 DLLs involved, the "BHO" DLL which you see in your log and the main culprit which is totally hidden. Removing the "BHO" DLL has no effect as it (main culprit) will simply generate a new BHO DLL.

Ok, here goes ... this is my "How To:" (Hint: print out the below)

[Tools and files needed]

Download: "RepairAppInit.reg" (XP\2K only!)
http://www.mvps.org/winhelp2002/RepairAppInit.reg
Do not do anything with this file yet, it will be needed later.

Download: CWShredder
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Unzip, but do not run it yet, it will be needed later.

Download: Ad-Aware
http://www.lavasoft.de/software/adaware/
Install, but do not run it yet, it will be needed later.

Download: Find-All.zip
http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
Unzip, but do not run it yet, it will be needed later.

Download: WINFILE.zip
http://www10.brinkster.com/expl0iter/freeatlast/WINFILE.zip
Unzip, but do not run it yet, it will be needed later.

Download: Registrar Lite [freeware]
http://www.resplendence.com/download
Install, but do not run it yet, it will be needed later.

[Step1]

Double-click the included "Find-All.bat" file from Find-All.zip.
Generates: "output.txt"
Note: if infected you will see:

Locked file(s) found...
C:\WINDOWS\System32\<filename> +++ File read error
Where "<filename>" is the hidden invisable installer.
Note: "+++ File read error" is not an error, this just identifies the culprit.

[Step2]

Run "Registrar Lite" and navigate to:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
Double click on "AppInit_DLLs" entry (right pane)
The size will likely be something other than "1" (if infected)
IMPORTANT: Make a note of the filename and location (folder)

[Step3]

Rename the highlighted "Windows" key (left pane)
To rename: Right-click and select: Rename
(type) NoWindows

Double-click "AppInit_DLLs" again (right pane)
Clear (delete) the "Value" containing the .dll and click Ok.

IMPORTANT: Rename the "NoWindows" key (left pane)
To rename: Right-click and select: Rename
(type) "Windows" (no quotes) and close RegLite.

[Step 4]

Using Windows Explorer go to your root drive: (typically) "C:\"
Click File (up top) select: New > Folder
(type) "Junk" (no quotes)

Open Winfile

Navigate to System32 folder. N.B. File may have HIDDEN attribute.
Click File (up top) select: Move

Copy and paste this into the 'From' box: C:\WINDOWS\System32\<filename>.dll
Copy and paste this into the 'To' box: C:\Junk\<filename>.dll

Note: where "<filename>" = culprit dll from "output.txt"

Click OK. Close Winfile
Open Windows Explorer and check in C:\Junk for the "<filename>.dll" file.

At this point see if you can rename the "<filename>.dll"
Do this several time, changing the name and extension each time.
Then see if you can "Move" to "A:\" (floppy)

[Step 5]

Locate: "RepairAppInit.reg" right-click and select: Merge
Ok the prompt

[Step 6]

Open Regedit (Start | Run (type) "regedit" (no quotes)
Use the Search function for the <filename>.dll
Click: Edit (up top) select: Find
(type) <filename>.dll, click: Find Next

Note: where "<filename>" = culprit dll from "output.txt"

Remove all instances found.Press "F3" to continue searching
until you see the "Completed" message.

Next repeat the above steps, subsitute the "secondary dll"
From: "text/html" as seen in the "output.txt"

[Step 7]

Run CWShredder and reboot.

[Step 8]
Run Ad-Aware

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp.com/howto/updref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.

After the above post a fresh log ...
--

Disclaimer: Renaming the "Windows" key modified some security settings.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

Right-click the "Windows" key, select: Permissions

[Example]
Before renaming the "Windows" key:

"Path"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
"Read":
*"Administrators
*Power Users
*Users"
"Write"
*"Administrators"

--
[Example]

After Renaming the key:

"Path"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
"Read":
***"Everyone"***
"Write"
*"Administrators
--

You need to check that and if 'Everyone' was added (as seen above)
You need to reset your original settings as follows:
Note: do this after removing the infection.

Right-click "Windows", select: Permissions
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

Click Advanced [button]
If the "inherit permissions" box is checked = Uncheck it.
Then select "COPY" on the prompt.

Select "Everyone Group" (if listed) and remove. (only the group)
You can individually view/edit each group settings.
Be sure "Administrators" and "System" have full control on all.
Note: Creator owner full control on Sub keys only.
"Power users" and "users" = "read control".

bgorgees

27 posts

Geek

#100447 17-Dec-2007 16:06

thanks man...
ill give it a go latter in the week...
will let you know...

A1iens

2 posts

Wannabe Geek

#103330 7-Jan-2008 13:56

Hi

I to am having the same issue.

attached is my output.txt file. I did not find Locked file(s) found...
C:\WINDOWS\System32\<filename> +++ File read error

I used Find It instead of Find All

Any other ideas?

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Temp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 68EC-E9B1

Directory of C:\WINDOWS\System32

15/12/2007 03:06 a.m.    <DIR>          dllcache
11/03/2007 12:17 a.m.    <DIR>          Microsoft
               0 File(s)              0 bytes
               2 Dir(s)   8,379,183,104 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 68EC-E9B1

Directory of C:\WINDOWS\System32

15/12/2007 03:06 a.m.    <DIR>          dllcache
11/03/2007 12:09 a.m.               488 logonui.exe.manifest
11/03/2007 12:09 a.m.               488 WindowsLogon.manifest
11/03/2007 12:09 a.m.               749 nwc.cpl.manifest
11/03/2007 12:09 a.m.               749 sapi.cpl.manifest
11/03/2007 12:09 a.m.               749 ncpa.cpl.manifest
11/03/2007 12:09 a.m.               749 wuaucpl.cpl.manifest
11/03/2007 12:09 a.m.               749 cdplayer.exe.manifest
               7 File(s)          4,721 bytes
               1 Dir(s)   8,379,183,104 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 68EC-E9B1

Directory of C:\WINDOWS\System32

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 68EC-E9B1

Directory of C:\WINDOWS\System32

31/08/2007 06:40 p.m.         3,057,069 mp411F0.tmp
31/08/2007 06:38 p.m.         3,043,151 mp411EF.tmp
01/01/2003 01:00 a.m.             2,577 CONFIG.TMP
               3 File(s)      6,102,797 bytes
               0 Dir(s)   8,379,179,008 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------- Locate.com Results -------------

No matches found.

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: (ASPack)
C:\WINDOWS\system32\MRT.exe: (Aspack v%s%s)
C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"googletalk"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe /autostart"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"S3TRAY2"="S3tray2.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"LogitechCommunicationsManager"="\"C:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\Communications_Helper.exe\""
"LogitechQuickCamRibbon"="\"C:\\Program Files\\Logitech\\QuickCam10\\QuickCam10.exe\" /hide"
"tcnzTrayApp"="\"C:\\Program Files\\Xtra Help Assistant\\bin\\McciTrayApp.exe\""
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"WinServer"="C:\\WINDOWS\\BLUE.EXE /BLUE:Kernel32.Dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
@=""

edyleared

1 post

Wannabe Geek

#104268 11-Jan-2008 17:07

hey I had the same bloody virus!! heres what i did.

I searched through the whole of google and found a chinese website.

Goto http://www.cncrk.com/downinfo/6293.html
scroll to halfway down the page and click on any link with the red green or blue chinese writing on the end. Make sure it downloads USBCleaner6.rar (I remmoned using mozilla firefox with noscript installed cause this site is a bit dodgy)

Extract the usbcleaner6.rar file and here comes the fun bit. Since the writing on the buttons and program istelf is in chinese, you'll see a whole lot of "??????" and weird characters I literally clicked all the buttons on it and on each program, and what do you know it got rid of the virus.

p.s i tried every other anitvirus including Norton, Mcafee, trend micro, Nod32, ad-aware and a few others and non of them even spotted the virus! good luck!

bgorgees

27 posts

Geek

#104417 12-Jan-2008 19:01

yeah bro... that fixed it....

cheers...

A1iens

2 posts

Wannabe Geek

#105216 16-Jan-2008 15:21

Sweet as bro worked perfectly :-)
even fixed my Ipod player as well