How to remove PWS-Bluedit

[- 781]

I somehow infected my pc with the PWS-Bluedit virus.
Norton Antivirus 2006 with updated virus definitions was unable to remove
the virus as it keeps coming back.
Here is the website from McAfee
http://vil.nai.com//vil/content/v_132935.htm

Can someone tell me whether I can get a removal tool or do I have to buy
McAfee?
Thanks.
Running WinXP Pro SP2.

 

[- 781]

There are 2 files that are being recreated:
1. IExplorer.dll
2. 2.exe

IExplorer.dll is opened with a program called NOTEDAD
2.exe has a IE Logo on it.

 

[Guest]

Tap F8 until a menu appears when your computer is booting up. Select Safe
mode with command prompt then type "del c:\windows\2.exe" and press enter
(without quotes) do this step for iexplorer.dll (you should know where are
they located). after all finished type exit and press enter.

 

[David H. Lipman]

From: " - 781" <[email protected]>

| I somehow infected my pc with the PWS-Bluedit virus.
| Norton Antivirus 2006 with updated virus definitions was unable to remove
| the virus as it keeps coming back.
| Here is the website from McAfee
| http://vil.nai.com//vil/content/v_132935.htm
|
| Can someone tell me whether I can get a removal tool or do I have to buy
| McAfee?
| Thanks.
| Running WinXP Pro SP2.
|

Please learn what is and what isn't On Topic subject matter for a given news Group.

You posted to numerious News Groups but NONE of them are specific to malware.

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus



Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

 

[- 781]

2.exe and IExplorer.dll were the viruse files of PWS-Bluedit together with
some registry edits which are here:
http://vil.nai.com//vil/content/v_132935.htm
IExplorer.dll was a dbt filetype and when I looked at File Types in Folder
Options, I noticed it was referring to a file called NOTEDAD.exe
I have deleted a NOTEDAD.exe file that .dbt file was directed to.
I haven't noticed that it was in fact not notePAD, but it was noteDAD.exe.
Inside my registry, I had deleted .ini, .bat, .txt registry locations that
had NOTEDAD.exe

bat registry location that I deleted was in registry located at:
HKCR\batfile\shell\edit\comman (Default) REG_SZ "C:\Windows\NOTEDAD.EXE"
Later I edited the Default value to "%1"%*
I thought that it needed some sort of value in it and copied it from
OPEN\COMMAND's Default value.

I did the same for ini, txt, reg locations that NOTEDAD.exe was found.

Now I think this is the reason that I am unable to edit batfiles, txt files,
ini files since upon right clicking and choosing EDIT, it opens the file.

How can I get my registry back and fix it in regards to editing txt, ini,
bat, reg files.
Thank you.
Hope this was as clear to fix my problem.
Gino.

 

[David H. Lipman]

From: " - 781" <[email protected]>

| 2.exe and IExplorer.dll were the viruse files of PWS-Bluedit together with
| some registry edits which are here:
| http://vil.nai.com//vil/content/v_132935.htm
| IExplorer.dll was a dbt filetype and when I looked at File Types in Folder
| Options, I noticed it was referring to a file called NOTEDAD.exe
| I have deleted a NOTEDAD.exe file that .dbt file was directed to.
| I haven't noticed that it was in fact not notePAD, but it was noteDAD.exe.
| Inside my registry, I had deleted .ini, .bat, .txt registry locations that
| had NOTEDAD.exe

| bat registry location that I deleted was in registry located at:
| HKCR\batfile\shell\edit\comman (Default) REG_SZ "C:\Windows\NOTEDAD.EXE"
| Later I edited the Default value to "%1"%*
| I thought that it needed some sort of value in it and copied it from
| OPEN\COMMAND's Default value.

| I did the same for ini, txt, reg locations that NOTEDAD.exe was found.

| Now I think this is the reason that I am unable to edit batfiles, txt files,
| ini files since upon right clicking and choosing EDIT, it opens the file.

| How can I get my registry back and fix it in regards to editing txt, ini,
| bat, reg files.
| Thank you.
| Hope this was as clear to fix my problem.
| Gino.




There was NO reason to Cross-Post this to;
microsoft.public.windows.inetexplorer.ie6.browser &
microsoft.public.windowsxp.help_and_support once you posted to;
microsoft.public.security.virus

Follow-ups set to; microsoft.public.security.virus


The Multi AV Scanning Tool corrects the Registry enties you posted. You were asked to run
the Multi AV Scanning Tool and post your results.

I don't see the requested HTML Log files.

 

[- 781]

RESULTS:

08/16/2006 13:53:18

Options:
"C:\" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /MIME
/PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML
"C:\AV-CLS\MCAFEE\SCANREPORT.HTML"

Scanning C: [MAIN]
Scanning C:\*.*
C:\Documents and Settings\Chaxkal\Application
Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-5f22f99-372d5264.zip\NEWSECURITYCLASSLOADER.CLASS
.... Found the Generic Downloader.v trojan !!!
C:\Documents and Settings\Chaxkal\Application
Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-5f22f99-372d5264.zip\NEWURLCLASSLOADER.CLASS
.... Found the Exploit-ByteVerify trojan !!!
C:\Documents and Settings\Chaxkal\Application
Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-1ab62644-2c7b60a3.zip\DUMMY.CLASS
.... Found the Exploit-ByteVerify trojan !!!

Summary report on C:\*.*
File(s)
Total files: ........... 140090
Clean: ................. 139890
Possibly Infected: ..... 3
Cleaned: ............... 0
Non-critical Error(s): 2


Time: 00:38.25

 

[David H. Lipman]

From: " - 781" <[email protected]>

| RESULTS:
|
| 08/16/2006 13:53:18
|
| Options:
| "C:\" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /MIME
| /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML
| "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"
|
| Scanning C: [MAIN]
| Scanning C:\*.*
| C:\Documents and Settings\Chaxkal\Application
| Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-5f22f99-372d5264.zip\NEWSECURITYCL
| ASSLOADER.CLASS
| ... Found the Generic Downloader.v trojan !!!
| C:\Documents and Settings\Chaxkal\Application
| Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-5f22f99-372d5264.zip\NEWURLCLASSLO
| ADER.CLASS
| ... Found the Exploit-ByteVerify trojan !!!
| C:\Documents and Settings\Chaxkal\Application
| Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-1ab62644-2c7b60a3.zip\DUMM
| Y.CLASS
| ... Found the Exploit-ByteVerify trojan !!!
|




If you are using any version of Sun Java that is prior to JRE Version 5.0 update 5,
then you are strongly urged to remove any/all versions that are prior to JRE/JSE
Version 5.0 update 5. There are vulnerabilities in them and they are actively being
exploited. It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed ASAP.

The latest version is Sun Java JRE/JSE Version 5.0 Update 8

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.5.0_08

http://www.java.com/en/download/manual.jsp

or

http://java.sun.com/javase/downloads/index.jsp

1) Dump the contents of your IE cache -
Start --> settings --> control panel --> Internet options --> delete files

2) Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

3) Dump the contents of your Sun Java cache -
Start --> settings --> control panel --> Java applet --> cache --> clear
or
Start --> settings --> control panel --> Java applet --> general --> settings -->
delete files

4) Re-scan your system using the Sophos module of the Multi AV Scanning Tool.

 

[Guest]

:

The Multi AV Scanning Tool corrects the Registry enties you posted.

Hi Dave , which module/scanner fixes corrupted or infected registry entries ?
Thanks in advance !

 

[David H. Lipman]

From: "Panda_man" <[email protected]>

| "David H. Lipman" wrote:
|| Hi Dave , which module/scanner fixes corrupted or infected registry entries ?
| Thanks in advance !
|

MENU.KIX

Performed in the function; FixRegistry()

This includes undoing Local Policy chances to reduce PC use management changed by malware.

If you know others "needs" not covered in the FixRegistry() function, I will be very happy
to entertain any/all feedback.

 

[Guest]

Thanks a lot!

From: "Panda_man" <[email protected]>

| "David H. Lipman" wrote:
|
| Hi Dave , which module/scanner fixes corrupted or infected registry entries ?
| Thanks in advance !
|

MENU.KIX

Performed in the function; FixRegistry()

This includes undoing Local Policy chances to reduce PC use management changed by malware.

If you know others "needs" not covered in the FixRegistry() function, I will be very happy
to entertain any/all feedback.

--