GeekPolice

WinBlueSoft


WinBlueSoft

Post by Timothy on Wed Jun 03, 2009 3:11 am

Hello, I am trying to get rid of this thing, but it is blocking almost all of my executables, including Notepad, Task Manager and Malwarebytes. I can run a HijackThis scan, but it does not create the text document, as Notepad is blocked.

Any help is greatly appreciated!

Timothy
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2009-06-03
OS : XP


Re: WinBlueSoft

Post by Origin on Wed Jun 03, 2009 3:24 am

Hello, can you open it with WordPad instead?


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]


Origin
Master
Master

Status :
Online
Offline

Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3


Re: WinBlueSoft

Post by Timothy on Wed Jun 03, 2009 3:35 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:03 PM, on 6/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TangoManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\tim\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.57 security.microsoft.com
O1 - Hosts: 209.44.111.57 inetavirus.com
O1 - Hosts: 209.44.111.57 [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] "SOUNDMAN.EXE"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [Recguard] "%WINDIR%\SMINST\RECGUARD.EXE"
O4 - HKLM\..\Run: [Reminder] "%WINDIR%\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ask and Record FLV Service] "C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe" /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [WinBlueSoft] "C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe" -min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\System\Money Express.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [system tool] C:\WINDOWS\sysguard.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Event Planner Reminder.lnk = C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra button: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)
O9 - Extra 'Tools' menuitem: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FF5904A-207E-4A88-9F16-A482F5E10A84}: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2908D85-E3F9-4FC3-AE88-480B3C435ED6}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC7B97CD-6541-40D9-A6C5-193C19090F6A}: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.10,85.255.112.133
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: blocker.dll
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. ([You must be registered and logged in to see this link.] - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 9486 bytes


Re: WinBlueSoft

Post by Belahzur on Wed Jun 03, 2009 1:40 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: ::1 localhost
    O1 - Hosts: 209.44.111.57 security.microsoft.com
    O1 - Hosts: 209.44.111.57 inetavirus.com
    O1 - Hosts: 209.44.111.57 [You must be registered and logged in to see this link.]
    O4 - HKLM\..\Run: [WinBlueSoft] "C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe" -min
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKUS\S-1-5-18\..\Run: [system tool] C:\WINDOWS\sysguard.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'SYSTEM')
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5FF5904A-207E-4A88-9F16-A482F5E10A84}: NameServer = 85.255.112.10,85.255.112.133
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A2908D85-E3F9-4FC3-AE88-480B3C435ED6}: NameServer = 166.102.165.11 166.102.165.13
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CC7B97CD-6541-40D9-A6C5-193C19090F6A}: NameServer = 85.255.112.10,85.255.112.133
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.10,85.255.112.133
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.10,85.255.112.133
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.10,85.255.112.133
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.10,85.255.112.133
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: blocker.dll


  • Press "Fix Checked"
  • Close HijackThis.

Next,

  • Open HijackThis.
  • When HijackThis opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, then copy and paste the results in your next post.


  • Download ComboFix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename ComboFix to Combo-Fix as follows:
    3. It is important you rename ComboFix during the download, but not after.
    4. Please do not rename ComboFix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (anti-virus) before running ComboFix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Webroot Spy Sweeper)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow ComboFix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

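An added example, not code from the original thread or from HijackThis: a small Python triage script that applies the same rules the reply above uses when picking lines out of a HijackThis log. It flags O1 hosts entries that redirect a name to a non-loopback address (so the "::1 localhost" line, which HijackThis lists but which only resolves to loopback, is left alone), O4 autoruns that match a rogue product name supplied by the analyst or that sit in the SYSTEM hive (HKUS\S-1-5-18) and point at a real file, O17 static NameServer values not on a trusted list (with an empty list every static DNS server is flagged, which is what the reply does, so that DHCP-supplied servers take over after the fix), and any non-empty O20 AppInit_DLLs value, since that DLL is loaded into every process that links user32.dll, which is how one blocker.dll can stop Notepad, Task Manager and the scanner itself. The sample log is a constructed excerpt of the log posted in this thread; the rogue name "winbluesoft" and the trusted DNS servers are assumptions the analyst passes in, not something the script derives.

```python
"""Triage a HijackThis log: flag the entry types the reply above fixes.
Added example; rogue_names and trusted_dns are analyst input (assumptions)."""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, List

# Constructed excerpt of the log posted in this thread, plus a few clean
# lines (Google BHO, Java updater, NVIDIA service) to show what is not flagged.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.57 security.microsoft.com
O1 - Hosts: 209.44.111.57 inetavirus.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinBlueSoft] "C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe" -min
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [system tool] C:\WINDOWS\sysguard.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FF5904A-207E-4A88-9F16-A482F5E10A84}: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2908D85-E3F9-4FC3-AE88-480B3C435ED6}: NameServer = 166.102.165.11 166.102.165.13
O20 - AppInit_DLLs: blocker.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section tag, e.g. "O17"
    reason: str    # why the line was flagged
    line: str      # the original log line


_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
_RUN = re.compile(r"^(?P<hive>.*?\\Run):\s*\[(?P<label>[^\]]*)\]\s*(?P<cmd>.*)$")
SYSTEM_HIVE = "HKUS\\S-1-5-18"


def _exe_of(cmd: str) -> str:
    """Program path out of a Run value: '"C:\\a b.exe" -min' -> 'C:\\a b.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str, rogue_names: Iterable[str] = (),
           trusted_dns: Iterable[str] = ()) -> List[Finding]:
    rogue = tuple(n.lower() for n in rogue_names)
    trusted = set(trusted_dns)
    found: List[Finding] = []
    for raw in log_text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O1" and body.startswith("Hosts:"):
            parts = body.split(None, 2)          # ["Hosts:", ip, name]
            if len(parts) == 3:
                ip, name = parts[1], parts[2]
                try:
                    loopback = ip_address(ip).is_loopback
                except ValueError:
                    loopback = False             # garbage address: still a redirect
                if not loopback:
                    found.append(Finding(sec, f"hosts file sends {name} to {ip}", raw))
        elif sec == "O4":
            run = _RUN.match(body)
            if not run:
                continue                         # Startup-folder entries etc.
            exe = _exe_of(run.group("cmd")).lower()
            if any(r in exe for r in rogue):
                found.append(Finding(sec, f"autorun for rogue product: {exe}", raw))
            elif run.group("hive").upper().startswith(SYSTEM_HIVE) and exe not in ("", "na"):
                found.append(Finding(sec, f"autorun in the SYSTEM hive: {exe}", raw))
        elif sec == "O17" and "NameServer" in body:
            servers = body.partition("NameServer =")[2]
            bad = [s for s in re.split(r"[,\s]+", servers.strip()) if s and s not in trusted]
            if bad:
                found.append(Finding(sec, "static DNS not on the trusted list: " + ", ".join(bad), raw))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.partition(":")[2].strip()
            if dlls:
                found.append(Finding(sec, f"AppInit_DLLs loads {dlls} into every user32-linked process", raw))
    return found


def summary(findings: Iterable[Finding]) -> Dict[str, int]:
    """Findings per HJT section, e.g. {'O1': 2, 'O4': 3, 'O17': 2, 'O20': 1}."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, rogue_names=["winbluesoft"]):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run as-is it prints the eight lines the reply above also checks (minus "::1 localhost"); pass the ISP's resolvers in trusted_dns if you want to keep a working static DNS setting instead of clearing them all.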

Re: WinBlueSoft

Post by Timothy on Wed Jun 03, 2009 1:57 pm

Belahzur wrote: Hello.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Webroot Spysweeper)

I don't find anything about Webroot on this page. I got this far, and am waiting rather than trying to continue.


Edit: Also, there is no icon for Spy Sweeper on the taskbar.


Last edited by Timothy on Wed Jun 03, 2009 2:06 pm; edited 1 time in total


Re: WinBlueSoft

Post by Timothy on Wed Jun 03, 2009 2:01 pm

my uninstall_list.txt:

3003 Crystal Mazes
32 Bit HP CIO Components Installer
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Ask & Record Toolbar 4.00
Ask Toolbar
BigFix
DAEMON Tools Toolbar
Digital Media Reader
DVD Solution
Easy CD Creator 5 Platinum
Efficient Networks SpeedStream DSL
Farm Frenzy 2
farm mania,
Google Toolbar for Internet Explorer
Hallmark Card Studio 2006
HijackThis 2.0.2
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB952287)
Hoyle Board Games 3
Hoyle Card Games Demo
HP Deskjet F4200 All-In-One Driver 11.0 03
ICQ6.5
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 13
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft Digital Image Starter Edition 2006
Microsoft Money 2000 Standard Edition
Microsoft Money 2006
Microsoft Office Standard Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 6 Service Pack 2 (KB954459)
Nero 9 Trial
neroxml
NVIDIA Drivers
OpenOffice.org 3.1
Power2Go 4.0
PowerDVD
QuickTime
RealPlayer Basic
Realtek AC'97 Audio
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
Sierra Utilities
Skype™ 4.0
Soft Data Fax Modem with SmartCP
Spy Sweeper
Spy Sweeper Core
Tango Manager
UltimateBet
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VCRedistSetup
Viewpoint Media Player
Windows Backup Utility
Windows Communication Foundation
Windows Imaging Component
Windows Media Format Runtime
Windows Media Player 10
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
WinRAR archiver


Re: WinBlueSoft

Post by Belahzur on Wed Jun 03, 2009 2:12 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • Adobe Reader 7.0
  • Ask Toolbar
  • J2SE Runtime Environment 5.0 Update 2
  • Java(TM) 6 Update 13
  • Viewpoint Media Player

Try running ComboFix anyway; there's no AV to interfere.





Re: WinBlueSoft

Post by Timothy on Wed Jun 03, 2009 2:18 pm

Adobe, J2SE 5.0 u2, Java 6 u13 - none of them could be installed.
Combofix not starting
blocker.dll listed in HijackThis again


Re: WinBlueSoft

Post by Belahzur on Wed Jun 03, 2009 2:20 pm

Hello.

  • Open HijackThis.
  • When HijackThis opens, click "Open the Misc Tools section"
  • Then select "Delete a file on reboot..."
  • Then find this file: C:\Windows\system32\blocker.dll
  • OK any prompts and select yes to reboot.

After reboot, try doing the HijackThis fix on the O20 item and it should go away this time.
Then try running ComboFix.




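An added example, not HijackThis's own code and not part of the original post. The page does not say how the "Delete a file on reboot" step is implemented; the assumption here is that it works the way MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT does: the job is written to the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations as a source/target pair, with the source in NT form ("\??\C:\..."), an empty target meaning delete, and a "!" prefix on the target meaning overwrite an existing file. smss.exe carries the list out early in the next boot, before the Win32 subsystem exists and therefore before any AppInit_DLLs entry can load blocker.dll into a process, which is why a boot-time delete gets past a DLL that is live while the O20 fix is attempted. The Python below encodes and decodes that value offline and never touches a registry; the blocker.dll path is the one from the reply, the sysguard.exe path in the test is a second file from the same log. The same value is worth reading during incident response, because malware can schedule the deletion of security-tool files by exactly this route.

```python
r"""Model the Session Manager's PendingFileRenameOperations value (added example).

Assumption (not stated on the page): 'delete a file on reboot' uses
MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), which appends two strings to the
REG_MULTI_SZ value
  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
  source:  NT-style path, "\??\C:\..."
  target:  "" to delete, "!<path>" to overwrite an existing file, "<path>" to rename
smss.exe applies the list at the next boot, before win32k/user32 exist, so an
AppInit_DLLs blocker cannot interfere.  Nothing here touches a real registry.
"""
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"
EMPTY_MULTI_SZ = b"\x00\x00"        # a MULTI_SZ holding no strings


@dataclass(frozen=True)
class PendingOp:
    source: str             # NT path, e.g. \??\C:\WINDOWS\system32\blocker.dll
    target: Optional[str]   # None means delete
    replace: bool           # True when the target carried the "!" prefix


def to_nt_path(win_path: str) -> str:
    """C:\\x\\y.dll -> \\??\\C:\\x\\y.dll (idempotent)."""
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def encode_multi_sz(strings: List[str]) -> bytes:
    """REG_MULTI_SZ: UTF-16LE, every string NUL-terminated, then one more NUL.
    Empty strings are kept: PendingFileRenameOperations relies on them."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


def decode_multi_sz(blob: bytes) -> List[str]:
    """Inverse of encode_multi_sz. Strips exactly one list terminator, never
    more, so a trailing empty string (a pending delete) survives."""
    text = blob.decode("utf-16-le")
    if text.endswith("\x00"):
        text = text[:-1]                 # list terminator
    parts = text.split("\x00")
    if parts and parts[-1] == "":
        parts.pop()                      # terminator of the final string
    return parts


def pending_ops(blob: bytes) -> List[PendingOp]:
    """Turn the raw value into (source, target, replace) jobs."""
    strings = decode_multi_sz(blob)
    if len(strings) % 2:
        raise ValueError("value must hold source/target pairs, got %d strings" % len(strings))
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(PendingOp(src, None, False))
        elif dst.startswith("!"):
            ops.append(PendingOp(src, dst[1:], True))
        else:
            ops.append(PendingOp(src, dst, False))
    return ops


def schedule_delete(win_path: str, current: bytes = EMPTY_MULTI_SZ) -> bytes:
    """Append a delete-on-reboot job to an existing value and return the new blob."""
    return encode_multi_sz(decode_multi_sz(current) + [to_nt_path(win_path), ""])


def will_delete(blob: bytes, win_path: str) -> bool:
    """Is a delete of win_path pending? NTFS paths compare case-insensitively."""
    wanted = to_nt_path(win_path).lower()
    return any(op.target is None and op.source.lower() == wanted for op in pending_ops(blob))


if __name__ == "__main__":
    value = schedule_delete(r"C:\Windows\system32\blocker.dll")
    print(value.hex())
    for op in pending_ops(value):
        print(op)
```

The decoder deliberately does not rstrip NUL characters: a generic MULTI_SZ reader that does would drop the empty target string and turn a pending delete into an odd-length list, which is the usual bug when people parse this value from a hive offline.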

Re: WinBlueSoft

Post by Timothy on Wed Jun 03, 2009 2:58 pm

Everything ran OK. It reported some kind of problem near the end of ComboFix about "No Disk". I just closed it and it completed. Here is the log:


ComboFix 09-06-01.03 - Owner 06/03/2009 10:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382.190 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\tim\Combo-Fix.exe
AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\docume~1\Owner\LOCALS~1\Temp\tmp2.tmp
c:\windows\10196not-a-v5rzs595.ocx
c:\windows\10654ha9ktooz53a.ocx
c:\windows\10919h5eat17426z.exe
c:\windows\10aeback9oo51z63.ocx
c:\windows\10z295o9m393.cpl
c:\windows\10z80h9cktool6f45.cpl
c:\windows\1173095rmz97.ocx
c:\windows\117a5hre9t1z815.exe
c:\windows\1180addwz9e14495.bin
c:\windows\11996not-a5virus60z.ocx
c:\windows\119z4v95usd2.dll
c:\windows\1216s59mzotb7.exe
c:\windows\12196spam5otz9d.ocx
c:\windows\122da9dwaze1955.dll
c:\windows\1253thrz9t107055.cpl
c:\windows\12595ac9tool30z.exe
c:\windows\127z89roj552.exe
c:\windows\128z1worm599.ocx
c:\windows\13395v9rus5az.ocx
c:\windows\13577virus59z9.bin
c:\windows\140z9s5ambot160.ocx
c:\windows\1414azd5are22369.exe
c:\windows\14228noz-9-virus2d15.exe
c:\windows\15129pzmbot1b0.exe
c:\windows\15173vi9us75z.bin
c:\windows\15291not-a-zirus799.dll
c:\windows\15342ha5kzoo9517.ocx
c:\windows\156zstea91830.exe
c:\windows\15846vi95z75e.cpl
c:\windows\15z27troj9f4.dll
c:\windows\16549spyzc9.dll
c:\windows\166dow5lz9der550.ocx
c:\windows\167219py6z5.ocx
c:\windows\169dzwn5o9der2546.dll
c:\windows\16z4v5rus539.cpl
c:\windows\16z97not-5-virus796.cpl
c:\windows\16z99h5eat25220.dll
c:\windows\17395irzs229.dll
c:\windows\174z9trojc59.cpl
c:\windows\1755virusz9b.dll
c:\windows\17655v5rus79z.exe
c:\windows\177059pam5ot176z.bin
c:\windows\17776s9yz65.dll
c:\windows\17945worm96z.bin
c:\windows\179765irus3ze.cpl
c:\windows\18065h9cktzol6095.cpl
c:\windows\18399p570z.dll
c:\windows\186455ack9oolz23.bin
c:\windows\18a9s9e5l46z.dll
c:\windows\19033not-azvir5s49d.ocx
c:\windows\19057vzruse1.bin
c:\windows\19156hacktool3cz.dll
c:\windows\191z5not-a-virusa5.dll
c:\windows\195zdow9loader529.exe
c:\windows\19655zorm3495.exe
c:\windows\19705zr5j3bf9.bin
c:\windows\19834haczto5l92f.exe
c:\windows\1b7ct9r5at5040z.exe
c:\windows\1c0f5ownloade92z56.cpl
c:\windows\1c0zthi5f594.exe
c:\windows\1d1bdo9nl5ader2410z.cpl
c:\windows\1f24th95atz573.dll
c:\windows\1f56viz9374.cpl
c:\windows\1z16spy59re598.bin
c:\windows\1z5wor9505.cpl
c:\windows\1z969hack5ool341.exe
c:\windows\20283zo5-a-virus75f9.cpl
c:\windows\2039zwor539d.ocx
c:\windows\203zd9ware295.ocx
c:\windows\206959ezl1493.cpl
c:\windows\2069zspamb5t2a9.bin
c:\windows\20z999pambot5bc.cpl
c:\windows\21832noz-a-virus759.cpl
c:\windows\21857not-a-vizu9274.ocx
c:\windows\21885vir9s4za.dll
c:\windows\219809zr5496.bin
c:\windows\22082z9y765.bin
c:\windows\2275stz9l3231.ocx
c:\windows\23031hackt9ol158z.bin
c:\windows\23054not-z9v5rus336.dll
c:\windows\2356ztroj690.exe
c:\windows\23753zroj935.cpl
c:\windows\23899py655z.cpl
c:\windows\23922not-a9virus75z5.dll
c:\windows\23956spamz597be.dll
c:\windows\239ba5kdzor1130.cpl
c:\windows\24117szy959.ocx
c:\windows\24224tzoj995.bin
c:\windows\2436zt95j135.bin
c:\windows\24677not5a-viru9z18.bin
c:\windows\2476z5irus7aa9.ocx
c:\windows\25456not-a-v9ruszcf.bin
c:\windows\25509hreat2z586.dll
c:\windows\2584spy9are155z.bin
c:\windows\259z2not-a-59rus7d2.ocx
c:\windows\2600zhreat90465.ocx
c:\windows\264not-z-virus5a95.ocx
c:\windows\26659s5z9bot4e2.dll
c:\windows\26752vzrus5b09.cpl
c:\windows\267z45ackt9ol352.cpl
c:\windows\26955zpambo54a1.dll
c:\windows\26972szambo564c.cpl
c:\windows\269z5hac9to5l378.cpl
c:\windows\26c1spzwar53193.dll
c:\windows\26zd5ddwa9e2566.bin
c:\windows\2745ztr9550e.ocx
c:\windows\275099orm32dz.dll
c:\windows\2759szyware239.bin
c:\windows\27914spyz1f5.cpl
c:\windows\27f995reat5745z.dll
c:\windows\28296szy5e2.dll
c:\windows\2846h9cztool65.exe
c:\windows\28605wzrm791.exe
c:\windows\28637z59mbot684.cpl
c:\windows\2874hacz95ol1b3.ocx
c:\windows\28865not-a-9irzs13e.cpl
c:\windows\2905addwarz1763.dll
c:\windows\29151hacktzol55.ocx
c:\windows\2925zsp57d4.ocx
c:\windows\2926vir5z399.cpl
c:\windows\29361vi5zs58.ocx
c:\windows\29556zpy197.cpl
c:\windows\29835tro56az.bin
c:\windows\2985v5z1026.dll
c:\windows\29896spzmbo55af.ocx
c:\windows\29955zpy8e.dll
c:\windows\29c2doznl5ader2013.dll
c:\windows\29z45troj375.exe
c:\windows\2b59thie5134z.ocx
c:\windows\2b61b5ckdooz6899.exe
c:\windows\2b73thrz5t23029.ocx
c:\windows\2e57spa5sz9016.ocx
c:\windows\2e7zdownload5r899.cpl
c:\windows\2f51sparsz1798.exe
c:\windows\2z592spambot6a95.ocx
c:\windows\2z73d9w5loader1137.exe
c:\windows\305z0not-a-virus6e9.cpl
c:\windows\307885ro93z0.cpl
c:\windows\31282hazk9ool155.dll
c:\windows\3184hazk5ool259.cpl
c:\windows\31z9ir3995.dll
c:\windows\323b5zarse9726.cpl
c:\windows\3299thizf2825.dll
c:\windows\32z69py5e6.dll
c:\windows\33czparse9935.bin
c:\windows\34abazdwa5e2945.dll
c:\windows\35699parze1972.dll
c:\windows\358z9ownloader2626.dll
c:\windows\3593addwa5e1z70.ocx
c:\windows\35987tro980z.cpl
c:\windows\3605thiez1496.dll
c:\windows\365zs5y179.dll
c:\windows\3687spywar915z55.cpl
c:\windows\3858spywzre27989.dll
c:\windows\38609hief3105z.ocx
c:\windows\3906downl5adez492.dll
c:\windows\3957downlzader174.ocx
c:\windows\3962zroj55.ocx
c:\windows\3995ste9lz7435.bin
c:\windows\39aczackdoor2255.cpl
c:\windows\3a6fad9warez605.bin
c:\windows\3c9zthief9385.dll
c:\windows\3df3sz9ware2555.cpl
c:\windows\3e55spzware3369.dll
c:\windows\3e6cdow9lo5dez2038.dll
c:\windows\3fbb5ddwaz92444.cpl
c:\windows\3fe9spywar9185z.cpl
c:\windows\3z5dthreat99798.exe
c:\windows\3z9abackd9o52734.bin
c:\windows\3za2thre9t20551.bin
c:\windows\401ddownload95z63.dll
c:\windows\4335v9r2745z.ocx
c:\windows\438aa95waze1073.bin
c:\windows\44z95ddware1780.dll
c:\windows\4515zot-a-v9rus55.cpl
c:\windows\47b5s9arse833z.bin
c:\windows\48z5sparse599.cpl
c:\windows\49z9sparse11045.exe
c:\windows\4a185hze9118.cpl
c:\windows\4a939ac5door295z.exe
c:\windows\4b2fstea9z0985.bin
c:\windows\4c19z5arse2033.bin
c:\windows\4c91backdo5r85z.ocx
c:\windows\4c9dbac5zoor71.dll
c:\windows\4e6fdo9zloader2365.cpl
c:\windows\4z84hackto5l7959.ocx
c:\windows\4z84troj9205.dll
c:\windows\4za1ad9ware1855.exe
c:\windows\50629ot-a-virus6z1.exe
c:\windows\5075zackdoor259.ocx
c:\windows\507dow5loadez549.bin
c:\windows\5090stea9154z.ocx
c:\windows\509b5pyware2z77.dll
c:\windows\509ebackdoor2549z.exe
c:\windows\50ezspar5e79.dll
c:\windows\5108zpywa953031.exe
c:\windows\51855sp97dz.dll
c:\windows\51989trzj292.cpl
c:\windows\519zspy9a.cpl
c:\windows\51d9thr5at5z39.dll
c:\windows\52bzs5arse26069.cpl
c:\windows\52e2backdzo52293.ocx
c:\windows\52e6spyware390z.exe
c:\windows\5325s9ezl3122.ocx
c:\windows\5353zteal9555.exe
c:\windows\535spz9bot3f0.dll
c:\windows\54759spzm9ot75d.cpl
c:\windows\54z09roj6ad.dll
c:\windows\5522wzr9df.bin
c:\windows\55z2th9ef2639.ocx
c:\windows\55z8spy359.dll
c:\windows\56689no9-a-virusa2z.exe
c:\windows\568zaddware2995.exe
c:\windows\57275pamb9t1z7.cpl
c:\windows\5733dowzloader2299.ocx
c:\windows\5734thrzat96636.exe


Re: WinBlueSoft

Post by Timothy on Wed Jun 03, 2009 2:59 pm

c:\windows\57d9downloazer1135.dll
c:\windows\5856a5dwar931z4.cpl
c:\windows\58z99ownloader1719.bin
c:\windows\593abackdo5r303z.exe
c:\windows\5944zi51993.bin
c:\windows\5948not-a-5izus45a.exe
c:\windows\594a5ackdzor731.exe
c:\windows\595thzeat25949.ocx
c:\windows\5975virz07.cpl
c:\windows\597bspyw5re2458z.bin
c:\windows\59939trojz5.dll
c:\windows\5998spywar9106z.cpl
c:\windows\5a18back9o5r2464z.exe
c:\windows\5azbaddw5r93134.bin
c:\windows\5bd1ad9zare2789.ocx
c:\windows\5c5bspzrse12419.cpl
c:\windows\5ca859reat17988z.bin
c:\windows\5d57backdozr9062.dll
c:\windows\5d5zt9reat1943.bin
c:\windows\5d7spywarz31439.dll
c:\windows\5daes5yzar9541.dll
c:\windows\5e1fa9dwarez626.bin
c:\windows\5e1fthi5f224z9.cpl
c:\windows\5f759teal116z.exe
c:\windows\5fd6addw9re20z.dll
c:\windows\5ffdbackd5o9166z.dll
c:\windows\5z252spy292.cpl
c:\windows\5z2949py305.dll
c:\windows\5z395acktool125.ocx
c:\windows\5z762spambot29a.bin
c:\windows\5z945spy499.bin
c:\windows\61195hief95z.exe
c:\windows\615b9teal1z59.exe
c:\windows\62a6thie59z1.ocx
c:\windows\64d8spa5se1z69.exe
c:\windows\6555hacz9ool74a.bin
c:\windows\655dthrea9207z.ocx
c:\windows\65e1vzr19079.ocx
c:\windows\65fcszarse1946.ocx
c:\windows\6757downzoade93166.cpl
c:\windows\6758st9az910.cpl
c:\windows\6766zddwar59164.ocx
c:\windows\67ffsteaz19755.dll
c:\windows\6850spambo56z9.exe
c:\windows\68z2thr5at22649.bin
c:\windows\699abackd5or52z.dll
c:\windows\69fbt5zef1059.bin
c:\windows\6c4c5hizf1931.exe
c:\windows\6d1esp9rse956z.dll
c:\windows\6da59hief15z6.exe
c:\windows\6e52z5r9144.dll
c:\windows\6e69bac5door616z.exe
c:\windows\6efadownlzade5929.bin
c:\windows\6f09za5kdoor9510.exe
c:\windows\6f3b59azse3034.bin
c:\windows\6z02thief9455.ocx
c:\windows\6z675h9ef1098.exe
c:\windows\6z925roj113.bin
c:\windows\708cb5ckzoor9974.cpl
c:\windows\711d95reat5z60.exe
c:\windows\71c9t5reaz6175.ocx
c:\windows\7249vi5zs39f.ocx
c:\windows\7255backdoor29z0.exe
c:\windows\730d9pzware2645.bin
c:\windows\739e5ac9dooz1003.bin
c:\windows\739zst59l2062.cpl
c:\windows\7475vir392z.ocx
c:\windows\7515hack59ol6z2.bin
c:\windows\7602azdw95e1891.dll
c:\windows\76509iruz58b.dll
c:\windows\76fdzownloa9er11305.dll
c:\windows\7705sp9za1.exe
c:\windows\77az5ownl9ader1697.bin
c:\windows\78559izus585.ocx
c:\windows\79495hreat12947z.exe
c:\windows\7980t5reat15z7.ocx
c:\windows\7b02doznloa5er1977.bin
c:\windows\7c3bbackdoo599z.bin
c:\windows\7c9fspars51z89.dll
c:\windows\7cfcspyzare1935.ocx
c:\windows\7de5v9r15z9.cpl
c:\windows\7e18downloa5erz98.ocx
c:\windows\7e80steal1z945.cpl
c:\windows\7f0fs9ywarz8795.dll
c:\windows\7z57s95rse1042.ocx
c:\windows\7z59troj3a9.cpl
c:\windows\7z9d5hrea98298.dll
c:\windows\7zespar5e1489.ocx
c:\windows\805wo9m29z.cpl
c:\windows\8342spambo559bz.dll
c:\windows\8777not-az5iru9489.bin
c:\windows\899ad5w9re276z.cpl
c:\windows\909athief125z.cpl
c:\windows\912z25orm2e0.cpl
c:\windows\914zthie5596.ocx
c:\windows\91549r5z593.exe
c:\windows\9161zhief5389.bin
c:\windows\91dszyware29445.dll
c:\windows\920z1vir5s740.cpl
c:\windows\922z3virus5bb.exe
c:\windows\92347sza5bot78d.ocx
c:\windows\925azir2501.cpl
c:\windows\9385troj2z9.cpl
c:\windows\945zspy7f9.exe
c:\windows\950495azbot6b2.exe
c:\windows\95077zo5m41d.bin
c:\windows\952hacktooz12d.cpl
c:\windows\9545viru556z.bin
c:\windows\95647zacktool40c.exe
c:\windows\9596hackzo5l56.bin
c:\windows\959sz55c59.exe
c:\windows\9621sz5379.bin
c:\windows\96268tzo5739.dll
c:\windows\962sza9s5854.exe
c:\windows\96419pazbot7595.dll
c:\windows\96565acktool4z9.exe
c:\windows\966cadd5aze2539.exe
c:\windows\9677spars52z98.exe
c:\windows\9837spyware2755z.ocx
c:\windows\99526vizus290.bin
c:\windows\99575vzrus792.ocx
c:\windows\9a53thie5148z.dll
c:\windows\9baespz5se909.bin
c:\windows\9c6ctzie51692.bin
c:\windows\9ecfthreat305z8.cpl
c:\windows\9fa5threat2z148.bin
c:\windows\9z15s9y5e2.exe
c:\windows\9z458t5oj7e4.dll
c:\windows\9z50downlo5der1564.exe
c:\windows\a9dthreat2z759.dll
c:\windows\b59viz2449.exe
c:\windows\bdz5h9ef752.ocx
c:\windows\e59zhr9at354.cpl
c:\windows\f58bac5dooz2699.bin
c:\windows\sysguard.exe
c:\windows\system32\105809acktooz7c55.cpl
c:\windows\system32\11166hacktooz3695.bin
c:\windows\system32\114575or9542z.bin
c:\windows\system32\1153zw5r977d.ocx
c:\windows\system32\119889acktzo5c1.bin
c:\windows\system32\11cdtzreat19359.dll
c:\windows\system32\1238zviru5196.cpl
c:\windows\system32\1245doznloader9094.dll
c:\windows\system32\12847troj5z9.dll
c:\windows\system32\12952troj9z5.ocx
c:\windows\system32\12a9sza5se2943.exe
c:\windows\system32\12z08troj6975.exe
c:\windows\system32\12z259roj20f.ocx
c:\windows\system32\12z90not-a-v9rus785.cpl
c:\windows\system32\135zth9eat4252.exe
c:\windows\system32\13648n5t-a9virus21z.exe
c:\windows\system32\13954zot-a-viru965c.bin
c:\windows\system32\14058not9z-virus615.cpl
c:\windows\system32\14926szambo56e2.dll
c:\windows\system32\14930zp5319.exe
c:\windows\system32\149troj251z.cpl
c:\windows\system32\14z25w9rm75e.exe
c:\windows\system32\150cthrezt39642.bin
c:\windows\system32\1511threa5923z.ocx
c:\windows\system32\152205zy369.cpl
c:\windows\system32\15254trojz95.cpl
c:\windows\system32\1575vir147z9.exe
c:\windows\system32\1581zvirus5e9.dll
c:\windows\system32\15934spy299z.exe
c:\windows\system32\15999pyzfe.ocx
c:\windows\system32\15c0tzreat95135.exe
c:\windows\system32\16538h9zktool6ad.dll
c:\windows\system32\16589spam5ot5zb.cpl
c:\windows\system32\165z3wor9588.cpl
c:\windows\system32\1690zpambot1359.dll
c:\windows\system32\16926not-a-9iru53zf.exe
c:\windows\system32\17036zroj954.dll
c:\windows\system32\17225zirus5f99.ocx
c:\windows\system32\17367tzoj529.bin
c:\windows\system32\1749595amzot150.dll
c:\windows\system32\1817d59nloader41z.exe
c:\windows\system32\181z5troj9c9.dll
c:\windows\system32\18465v95zs788.dll
c:\windows\system32\18525n9t-a-zir5s258.exe
c:\windows\system32\18540h9c5tool6az.ocx
c:\windows\system32\190thz5f51.ocx
c:\windows\system32\191z9virus495.ocx
c:\windows\system32\192175roj5bz.exe
c:\windows\system32\19612ha5ktoozc7.bin
c:\windows\system32\19674not-a-vzrus4395.cpl
c:\windows\system32\19918troj596z.ocx
c:\windows\system32\1998z5r2481.ocx
c:\windows\system32\199z995oj4b.cpl
c:\windows\system32\19z859py384.bin
c:\windows\system32\1az5spa9se1818.exe
c:\windows\system32\1cf9thz5f2561.ocx
c:\windows\system32\1d59thief419z.exe
c:\windows\system32\1df4tzief54259.ocx
c:\windows\system32\1f61bac5doo91272z.bin
c:\windows\system32\1z10spa5bot9e2.ocx
c:\windows\system32\1z282tr9j7295.dll
c:\windows\system32\1z563troj9b8.ocx
c:\windows\system32\20026noz-a9vi5us697.dll
c:\windows\system32\20455hackto9z6dd.bin
c:\windows\system32\20555n9t-5-virusz30.bin
c:\windows\system32\20589ha5ktozl9ab.dll
c:\windows\system32\2073backdz5r18589.dll
c:\windows\system32\210z9troj9725.ocx
c:\windows\system32\2139s5amboz134.cpl
c:\windows\system32\21525zro9659.exe
c:\windows\system32\21557trzj6d99.ocx
c:\windows\system32\215cz9r488.ocx
c:\windows\system32\2199z5py981.bin
c:\windows\system32\21z99virus352.bin
c:\windows\system32\2201z9irus725.cpl
c:\windows\system32\22355noz-a-vi9us3fc5.dll
c:\windows\system32\227189acktool45z.bin
c:\windows\system32\227975ot-a-vzrus950.cpl
c:\windows\system32\230475p983z.bin
c:\windows\system32\233zno5-a-virus9c2.bin
c:\windows\system32\23420hackt9zl15f.ocx
c:\windows\system32\2441th5ez992.ocx
c:\windows\system32\24z39tr5j580.bin
c:\windows\system32\2503spy5az955.cpl
c:\windows\system32\252899py375z.cpl
c:\windows\system32\2539zhac5tool629.ocx
c:\windows\system32\25420hackz5ol1799.dll
c:\windows\system32\25490tr95z66.dll
c:\windows\system32\25519not-a9virus5z8.cpl
c:\windows\system32\25533s9z7a9.cpl
c:\windows\system32\27249sp9mb5z388.dll
c:\windows\system32\2732zhreat15859.ocx
c:\windows\system32\2755ztro912c.dll
c:\windows\system32\27658spzmbot559.ocx
c:\windows\system32\27730spambot5z59.exe
c:\windows\system32\2807bazkdoo92589.bin
c:\windows\system32\28298not9z-vi5usf7.dll
c:\windows\system32\28411zirus259.cpl
c:\windows\system32\2854ba9kdoor18z5.ocx
c:\windows\system32\28772z5r923d.bin
c:\windows\system32\2890trzj9dc5.bin
c:\windows\system32\29055wzrm675.dll
c:\windows\system32\29058spy2z49.exe
c:\windows\system32\29255s5y3fz.ocx
c:\windows\system32\2945hacktozl4f5.cpl
c:\windows\system32\295z1hack9ool2ba.bin
c:\windows\system32\297athre5t154z99.bin
c:\windows\system32\297zdown5oa9er140.cpl
c:\windows\system32\29877haz5to9l5d4.dll
c:\windows\system32\29901wozm56a.dll
c:\windows\system32\299fspyware52z1.ocx
c:\windows\system32\2b59threzt49015.bin
c:\windows\system32\2dzsp5rs91563.dll
c:\windows\system32\2e95add5are32z3.cpl
c:\windows\system32\2ff5owzloader2129.bin
c:\windows\system32\2z147tro923c5.bin
c:\windows\system32\2z325w9rm75f.dll
c:\windows\system32\2z399vi95s522.bin
c:\windows\system32\2z54a5dwa9e2559.ocx
c:\windows\system32\2z7095pambot4919.bin
c:\windows\system32\2z7495ackto9l184.exe
c:\windows\system32\2zc6thie93695.ocx
c:\windows\system32\30580szy794.ocx
c:\windows\system32\31483n9tza-virus215.dll
c:\windows\system32\31696vir958dz.bin
c:\windows\system32\3189zhi951324.cpl
c:\windows\system32\31z5wor9604.cpl
c:\windows\system32\31zbs9yw5re865.cpl
c:\windows\system32\32395hzeat12968.exe
c:\windows\system32\32484not-a-59rzs24a.cpl
c:\windows\system32\32d1vz531949.exe
c:\windows\system32\3359not-azvirus26.dll
c:\windows\system32\349ba9dw5rez075.ocx
c:\windows\system32\3538virzs7cc9.exe
c:\windows\system32\3545spzmbot2d9.ocx
c:\windows\system32\3571vi5usz9b.ocx
c:\windows\system32\3572z9t-a-virus5cb.exe
c:\windows\system32\3590worm7z9.ocx
c:\windows\system32\35fspzware1992.ocx
c:\windows\system32\35z98n9t-a-virus56.ocx
c:\windows\system32\3694sp56z2.exe
c:\windows\system32\37a9vir1z59.ocx
c:\windows\system32\37eabazk95or443.ocx
c:\windows\system32\3948wo5m73dz.ocx
c:\windows\system32\3980vz918615.cpl
c:\windows\system32\39fbs5ezl1789.cpl
c:\windows\system32\3ab0z9yware31575.exe
c:\windows\system32\3b8esp95sz2712.cpl
c:\windows\system32\3c4downloade9z752.cpl
c:\windows\system32\3d61vir9z59.dll
c:\windows\system32\3f77s5arse235z9.dll
c:\windows\system32\3f7dowzl5ade92529.cpl
c:\windows\system32\3z171w9r5196.exe
c:\windows\system32\3z50vir9945.dll
c:\windows\system32\3z602h5ckto9l689.bin
c:\windows\system32\3z874s9ambot65a.cpl
c:\windows\system32\412zpy9c5.exe
c:\windows\system32\4177wo9m3z5.exe
c:\windows\system32\41b5spyzare2095.exe
c:\windows\system32\4279vi9z585.exe
c:\windows\system32\42zav5r599.cpl
c:\windows\system32\43559rzj112.dll
c:\windows\system32\435b9ckdzor1651.dll
c:\windows\system32\435zth9eat16551.cpl
c:\windows\system32\43zt5ief23789.exe


Re: WinBlueSoft

Post by Timothy on Wed Jun 03, 2009 3:00 pm

c:\windows\system32\4557s9zware1957.ocx
c:\windows\system32\456dv5r2z219.bin
c:\windows\system32\459faddwa9e2z95.exe
c:\windows\system32\461z5py935.exe
c:\windows\system32\479evir235z.exe
c:\windows\system32\4917tzreat17568.bin
c:\windows\system32\495zaddw5re23209.ocx
c:\windows\system32\497zspar5e1936.exe
c:\windows\system32\499szarse1598.exe
c:\windows\system32\49zct5ief9311.exe
c:\windows\system32\4c3f5hiefz1739.cpl
c:\windows\system32\4d7d9tezl17455.exe
c:\windows\system32\4e1cspazse9583.exe
c:\windows\system32\4f5spywzr5914.cpl
c:\windows\system32\4f5stea93z71.cpl
c:\windows\system32\4z4ddow5load9r3011.dll
c:\windows\system32\4z9859dware773.exe
c:\windows\system32\4za5dwar9495.cpl
c:\windows\system32\4zdcback9oor2527.bin
c:\windows\system32\504bt9ief3042z.cpl
c:\windows\system32\504f9hrea5z8219.dll
c:\windows\system32\5050wzrm491.bin
c:\windows\system32\5061t5zef1192.bin
c:\windows\system32\51429irus768z.dll
c:\windows\system32\522759t-a-zirus629.dll
c:\windows\system32\522929acktool46z.exe
c:\windows\system32\5275not-a-zi9us360.exe
c:\windows\system32\53749pa5se3z19.ocx
c:\windows\system32\5384not-a-ziru95e0.dll
c:\windows\system32\53d5thizf592.dll
c:\windows\system32\5426zack9ool76.bin
c:\windows\system32\5525thiez5925.bin
c:\windows\system32\555zth9ef900.dll
c:\windows\system32\556569irzs35b.ocx
c:\windows\system32\5569add5aze498.dll
c:\windows\system32\5599worz554.exe
c:\windows\system32\55z5vir1199.exe
c:\windows\system32\5650s9amzot366.bin
c:\windows\system32\5695dowz9oader25745.ocx
c:\windows\system32\574589irus4z3.bin
c:\windows\system32\57649zroj3b9.bin
c:\windows\system32\57bft9re5t7701z.ocx
c:\windows\system32\57cbdown59zder3059.bin
c:\windows\system32\5840sz5war9627.exe
c:\windows\system32\5856troj59z.bin
c:\windows\system32\5897t5iefz42.exe
c:\windows\system32\58d6spywa9z3153.exe
c:\windows\system32\59519zamb5t506.dll
c:\windows\system32\59539troz14f.exe
c:\windows\system32\5955zteal536.bin
c:\windows\system32\595aspy5are140z.exe
c:\windows\system32\598cdownloader75z.dll
c:\windows\system32\5993spazse5466.cpl
c:\windows\system32\59z59i5us1f9.ocx
c:\windows\system32\59z5hacktool9d5.ocx
c:\windows\system32\5a5cthre9tz335.bin
c:\windows\system32\5a96thiefz055.bin
c:\windows\system32\5c71spa9sez394.dll
c:\windows\system32\5c8zdownloade59784.bin
c:\windows\system32\5czfthre9t2873.bin
c:\windows\system32\5d9astzal485.ocx
c:\windows\system32\5daa9zief8055.dll
c:\windows\system32\5f12thr9atz2631.ocx
c:\windows\system32\5fzfstea92655.bin
c:\windows\system32\5z890not-a-virus31b.cpl
c:\windows\system32\5z940spy572.dll
c:\windows\system32\5zcfbackdoor969.bin
c:\windows\system32\6198hackto95729z.dll
c:\windows\system32\6497vzrus57d.exe
c:\windows\system32\657795oz4f4.ocx
c:\windows\system32\6732do9nl5ader2z63.bin
c:\windows\system32\675dsp5z9re1695.cpl
c:\windows\system32\6772spywaze1599.exe
c:\windows\system32\678zv9r5596.exe
c:\windows\system32\67acback59oz2558.cpl
c:\windows\system32\6832hac95ozl76b.ocx
c:\windows\system32\68455i9us1z2.bin
c:\windows\system32\68b659yzare799.cpl
c:\windows\system32\6962thief215z.dll
c:\windows\system32\6993sza59e948.exe
c:\windows\system32\699zaddwa9e2915.bin
c:\windows\system32\69a4b5zkdoor3157.exe
c:\windows\system32\69e9th95f2z12.cpl
c:\windows\system32\6a5zs9arse1556.ocx
c:\windows\system32\6a7zspywa5e1936.ocx
c:\windows\system32\6ce9back5oor372z.ocx
c:\windows\system32\6e72zpyw5re793.dll
c:\windows\system32\6f72addwa95z895.ocx
c:\windows\system32\6z1ddown9o5der1201.dll
c:\windows\system32\6z39vir1959.exe
c:\windows\system32\6z97steal956.dll
c:\windows\system32\6zd2vir19975.dll
c:\windows\system32\709esteal48z5.ocx
c:\windows\system32\7276wz5m6f9.bin
c:\windows\system32\73a0a5dwzre2049.ocx
c:\windows\system32\73e9s5ealz239.ocx
c:\windows\system32\7455notza-vi9us683.exe
c:\windows\system32\74639owzloa5er309.dll
c:\windows\system32\7490add5are51z.ocx
c:\windows\system32\74959ir4z6.exe
c:\windows\system32\7549iz925.ocx
c:\windows\system32\75fa9hrezt22575.exe
c:\windows\system32\75z8threat35497.dll
c:\windows\system32\76ezparse22459.exe
c:\windows\system32\76f99pyware1z125.ocx
c:\windows\system32\773z5py599.exe
c:\windows\system32\79azst5al990.bin
c:\windows\system32\79d1vi53175z.dll
c:\windows\system32\79z9sp5rse1228.cpl
c:\windows\system32\7b59stzal910.dll
c:\windows\system32\7c4z5r2519.exe
c:\windows\system32\7c93thze5t264.cpl
c:\windows\system32\7e16steaz1695.cpl
c:\windows\system32\7e8et9izf17395.ocx
c:\windows\system32\7fd8addwaz93553.cpl
c:\windows\system32\7feb95ief2697z.cpl
c:\windows\system32\7z09spyware9925.exe
c:\windows\system32\7z9athreat22905.exe
c:\windows\system32\8209zr953dd.dll
c:\windows\system32\8c9zi5896.cpl
c:\windows\system32\8e95ir9z1.dll
c:\windows\system32\90972hzc5tool331.dll
c:\windows\system32\910z3virus5d.ocx
c:\windows\system32\9145no9-a-vi5zs200.dll
c:\windows\system32\91z85tro53f4.exe
c:\windows\system32\9325zi5us95e.exe
c:\windows\system32\933th9eat2z1275.dll
c:\windows\system32\941zthreat25868.cpl
c:\windows\system32\9456zpy951.exe
c:\windows\system32\945tzief558.exe
c:\windows\system32\94600worm8z5.bin
c:\windows\system32\94a9azdw5re213.bin
c:\windows\system32\95145spy3cz.cpl
c:\windows\system32\952165iruzf2.exe
c:\windows\system32\95301troj7z.exe
c:\windows\system32\95306szambot55b.bin
c:\windows\system32\9545irus9zc.exe
c:\windows\system32\9547worm4zb5.ocx
c:\windows\system32\95685ro94az.dll
c:\windows\system32\95759zrm52a.bin
c:\windows\system32\95779viruz1a.bin
c:\windows\system32\95bzth5eat28210.cpl
c:\windows\system32\95z85spy5fa.ocx
c:\windows\system32\95z99irus640.ocx
c:\windows\system32\96575not-a-viru5581z.exe
c:\windows\system32\96z48t5oj321.exe
c:\windows\system32\97625sp5mbzt395.ocx
c:\windows\system32\9762virz154.cpl
c:\windows\system32\9765worm1zf9.ocx
c:\windows\system32\98158troj1z6.cpl
c:\windows\system32\98979s5y668z.ocx
c:\windows\system32\98z975roj69b.exe
c:\windows\system32\99270n5t-z-virus4b4.ocx
c:\windows\system32\9955viz14485.ocx
c:\windows\system32\99585izus737.exe
c:\windows\system32\9dbzddware5391.ocx
c:\windows\system32\9f03downlzader535.exe
c:\windows\system32\9z359troj1ee.bin
c:\windows\system32\a.exe
c:\windows\system32\a395parse1z47.ocx
c:\windows\system32\b0cbackdzo59793.ocx
c:\windows\system32\b92stea9158z.dll
c:\windows\system32\c13zh5eat20597.exe
c:\windows\system32\c85stea9520z.dll
c:\windows\system32\cfbs5a9se2z22.ocx
c:\windows\system32\drivers\gxvxcarpowquoelxxgakyeaeoiysrmmcjaoyl.sys
c:\windows\system32\drivers\gxvxcecuwruucntxmtvelddndgodqhhlkxeaf.sys
c:\windows\system32\drivers\gxvxcitfpppejklbusdotjrlcxadvhmtqmwxg.sys
c:\windows\system32\drivers\gxvxcwiryqkljnoelwvqjciquhwvgqghcuahs.sys
c:\windows\system32\eb9azdwa9e5370.exe
c:\windows\system32\ebspaz951575.dll
c:\windows\system32\f24dzw5lo9der2605.dll
c:\windows\system32\ff6bazkdo5r957.dll
c:\windows\system32\gxvxcwvhoiopoepnubhnpyhtjunknwokxelck.dll
c:\windows\system32\gxvxcwyloeonvxyalsmyacvjnjnbjyruvjnse.dll
c:\windows\system32\iehelper.dll
c:\windows\system32\z029s9arse1505.dll
c:\windows\system32\z0353worm9e.dll
c:\windows\system32\z0749w5r91b.exe
c:\windows\system32\z0759s958e.cpl
c:\windows\system32\z1416viru5a99.cpl
c:\windows\system32\z17895roj709.cpl
c:\windows\system32\z18749py5a5.exe
c:\windows\system32\z2559troj726.cpl
c:\windows\system32\z32edownlo5der28069.dll
c:\windows\system32\z3900spy9b05.cpl
c:\windows\system32\z418w9rm235.cpl
c:\windows\system32\z48135pambot693.exe
c:\windows\system32\z502ad5ware2494.dll
c:\windows\system32\z55929irus7c7.exe
c:\windows\system32\z746bac9d5or1319.ocx
c:\windows\system32\z750steal9685.ocx
c:\windows\system32\z8398troj6d35.bin
c:\windows\system32\z8b7do9n5oader1784.dll
c:\windows\system32\z966d5wnloader2113.bin
c:\windows\system32\z995troj7f45.ocx
c:\windows\system32\z9ccthief1459.dll
c:\windows\system32\zac7ste9l3305.dll
c:\windows\system32\zb58s5arse995.dll
c:\windows\system32\zba759ckdoor1319.bin
c:\windows\system32\zc229ddware29255.ocx
c:\windows\system32\zf67downloa5er2930.ocx
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
c:\windows\z1118vi9u5286.exe
c:\windows\z1779sp95.bin
c:\windows\z2679s9a5bot4c2.cpl
c:\windows\z33099ot-5-virus29.exe
c:\windows\z349s9amb5t10c.exe
c:\windows\z3687hacktoo975e.cpl
c:\windows\z39dspar5e3149.ocx
c:\windows\z449worm555.bin
c:\windows\z68bsparse359.bin
c:\windows\z6bthreat555039.dll
c:\windows\z75t59ef405.dll
c:\windows\z935thief925.cpl
c:\windows\z995orm1b5.cpl
c:\windows\za03spyware975.bin
c:\windows\zc9bv5r2015.exe
c:\windows\zeb1thie51296.dll
D:\Autorun.inf
D:\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-06-03 01:47 . 2009-06-03 01:47 3602 ----a-w- c:\windows\87759rz.bin
2009-06-03 01:47 . 2009-06-03 01:47 361472 ----a-w- c:\windows\system32\tempo-setup2.exe
2009-06-03 01:47 . 2009-06-03 01:47 -------- d-----w- c:\program files\WinBlueSoft Software
2009-06-02 07:01 . 2009-06-02 07:01 -------- d-----w- c:\program files\MSXML 6.0

Re: WinBlueSoft

Post by Timothy on Wed Jun 03, 2009 3:00 pm

2009-05-29 02:44 . 2009-05-29 02:48 -------- d-----w- c:\windows\system32\NtmsData
2009-05-28 14:59 . 2009-05-28 17:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Ashtons. Family Resort
2009-05-28 14:59 . 2009-05-28 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Ashtons. Family Resort
2009-05-28 12:15 . 2009-05-28 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-05-28 12:15 . 2009-05-28 12:30 -------- d-----w- c:\program files\NOS
2009-05-27 20:36 . 2009-05-27 20:36 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-05-27 20:36 . 2009-06-03 14:25 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-05-27 20:34 . 2009-06-03 14:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-05-27 20:33 . 2009-06-01 21:19 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-27 20:32 . 2009-05-27 20:32 -------- d-----w- c:\program files\Common Files\Skype
2009-05-27 20:32 . 2009-05-27 20:32 -------- d-----r- c:\program files\Skype
2009-05-27 20:32 . 2009-05-27 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-05-27 20:32 . 2009-05-27 20:32 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org
2009-05-27 20:26 . 2009-05-27 20:26 -------- d-----w- c:\program files\JRE
2009-05-27 20:25 . 2009-05-27 20:25 -------- d-----w- c:\program files\OpenOffice.org 3
2009-05-27 12:22 . 2009-06-01 00:15 -------- d-----w- c:\program files\Absolute Poker
2009-05-27 12:21 . 2009-05-27 12:21 -------- d-----w- c:\program files\_uninstallation_info
2009-05-27 11:40 . 2009-05-27 11:40 -------- d-----w- c:\program files\Common Files\HP
2009-05-27 11:40 . 2009-05-27 11:40 -------- d-----w- c:\program files\Hewlett-Packard
2009-05-27 11:40 . 2009-05-27 11:40 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-05-27 11:39 . 2004-08-04 02:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-05-27 11:39 . 2004-08-04 02:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-05-27 11:38 . 2008-01-25 12:22 21568 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2009-05-27 11:38 . 2008-01-25 12:22 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2009-05-27 11:38 . 2008-01-25 12:22 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2009-05-27 11:38 . 2009-05-27 11:38 -------- dc----w- c:\windows\system32\DRVSTORE
2009-05-27 11:38 . 2008-01-25 12:22 729088 ----a-w- c:\windows\system32\hpowiax7.dll
2009-05-27 11:38 . 2008-01-25 12:22 303104 ----a-w- c:\windows\system32\hpovst15.dll
2009-05-27 11:38 . 2008-01-25 12:22 581632 ----a-w- c:\windows\system32\hpotscl6.dll
2009-05-27 11:38 . 2008-01-25 12:22 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2009-05-27 11:38 . 2008-01-25 12:22 309760 ----a-w- c:\windows\system32\difxapi.dll
2009-05-27 11:37 . 2009-05-27 11:37 -------- d-----w- c:\program files\HP
2009-05-27 11:36 . 2009-05-27 11:40 163142 ----a-w- c:\windows\hpoins28.dat
2009-05-27 11:36 . 2008-05-12 19:46 796 ------w- c:\windows\hpomdl28.dat
2009-05-26 23:52 . 2009-05-26 23:52 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Nero
2009-05-26 23:52 . 2009-05-27 00:21 -------- d-----w- c:\documents and settings\Owner\Application Data\Nero
2009-05-26 19:44 . 2009-05-26 19:44 -------- d-----w- c:\program files\Windows Sidebar
2009-05-26 19:22 . 2009-05-26 19:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-05-26 19:20 . 2009-05-26 19:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-05-26 19:19 . 2009-05-26 19:47 -------- d-----w- c:\program files\Nero
2009-05-26 19:18 . 2009-05-26 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-05-26 19:18 . 2009-05-26 20:11 -------- d-----w- c:\program files\Common Files\Nero
2009-05-26 17:31 . 2009-05-26 17:31 -------- d-----w- c:\program files\MSBuild
2009-05-26 17:30 . 2009-05-26 17:30 154152 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-26 17:24 . 2007-07-20 04:57 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2009-05-26 17:24 . 2007-07-19 22:14 444776 ----a-w- c:\windows\system32\d3dx10_35.dll
2009-05-26 17:24 . 2007-07-19 22:14 1358192 ----a-w- c:\windows\system32\D3DCompiler_35.dll
2009-05-26 17:23 . 2007-07-19 22:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-05-26 17:23 . 2007-07-20 04:54 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
2009-05-26 17:23 . 2007-06-21 00:46 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2009-05-26 17:23 . 2009-05-26 17:23 -------- d-----w- c:\windows\system32\XPSViewer
2009-05-26 17:23 . 2007-05-16 20:45 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2009-05-26 17:23 . 2007-05-16 20:45 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2009-05-26 17:23 . 2007-05-16 20:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2009-05-26 17:23 . 2007-04-04 22:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2009-05-26 17:23 . 2007-04-04 22:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2009-05-26 17:23 . 2007-03-15 20:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2009-05-26 17:23 . 2007-03-12 20:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2009-05-26 17:21 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-05-26 17:21 . 2009-05-26 17:21 -------- d-----w- c:\program files\Reference Assemblies
2009-05-26 17:20 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-05-26 16:57 . 2009-05-26 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-26 16:57 . 2009-05-26 16:57 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-26 16:57 . 2009-05-26 16:57 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-05-26 14:24 . 2009-05-26 14:30 -------- d-----w- c:\program files\Brain Challenge
2009-05-26 12:53 . 2009-05-26 13:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Reflexive Ashtons Family Resort
2009-05-26 12:53 . 2009-05-26 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Reflexive Ashtons Family Resort
2009-05-26 12:52 . 2009-05-26 14:09 -------- d-----w- c:\program files\Ashtons Family Resort
2009-05-26 11:19 . 2009-05-26 11:19 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-26 11:19 . 2009-05-26 16:59 -------- d-----w- c:\documents and settings\Owner\Application Data\DAEMON Tools Lite
2009-05-25 18:56 . 2009-05-27 01:09 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-05-24 05:41 . 2009-06-02 19:02 -------- d-----w- c:\program files\UltimateBet
2009-05-23 14:34 . 2009-05-27 12:47 -------- d-----w- c:\documents and settings\Owner\Shared
2009-05-23 14:33 . 2009-05-27 12:47 -------- d-----w- c:\documents and settings\Owner\Incomplete
2009-05-23 14:33 . 2009-05-24 06:53 -------- d-----w- c:\documents and settings\Owner\Application Data\MP3Rocket
2009-05-20 16:13 . 2009-05-20 16:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Jane s Hotel Family Hero
2009-05-17 21:41 . 2009-05-17 21:41 57136 ----a-w- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-17 21:41 . 2009-05-17 21:41 40960 ----a-w- c:\windows\uneng.exe
2009-05-17 21:41 . 2009-05-17 21:41 23721 ----a-w- c:\windows\system32\drivers\cdralw2k.sys
2009-05-17 21:40 . 2009-05-17 21:41 -------- d-----w- c:\program files\Common Files\Adaptec Shared
2009-05-17 21:40 . 2009-05-17 21:40 -------- d-----w- c:\program files\Adaptec
2009-05-15 20:54 . 2009-05-15 20:54 -------- d-----w- c:\program files\farm mania
2009-05-15 20:54 . 2009-05-15 20:54 -------- d-----w- c:\windows\farm mania,
2009-05-14 23:12 . 2009-05-14 23:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Viewpoint
2009-05-13 15:36 . 2009-05-13 15:36 -------- d-sh--w- c:\windows\ftpcache
2009-05-13 15:32 . 2009-05-28 18:40 -------- d-----w- c:\program files\Selectsoft
2009-05-13 01:20 . 2009-05-13 01:20 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Identities
2009-05-12 02:34 . 2009-05-28 14:58 -------- d-----w- C:\games
2009-05-11 19:44 . 2009-05-11 19:44 -------- d-----w- c:\windows\BBSTORE
2009-05-11 19:39 . 2009-05-28 18:45 -------- d-----w- c:\program files\Riven
2009-05-11 19:35 . 1996-08-16 17:49 298496 ----a-w- c:\windows\uninst.exe
2009-05-10 14:54 . 2009-05-10 15:10 -------- d-----w- c:\documents and settings\Owner\Application Data\ICQ
2009-05-10 14:53 . 2009-05-10 15:10 -------- d-----w- c:\program files\ICQ6.5
2009-05-10 14:26 . 2009-06-03 02:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\FLVService
2009-05-10 14:26 . 2009-05-10 14:26 -------- d-----w- c:\program files\Ask & Record Toolbar
2009-05-10 14:23 . 2009-05-10 14:23 -------- d-----w- c:\windows\Ask & Record Toolbar
2009-05-06 09:46 . 2009-05-06 10:17 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-05-05 22:27 . 2009-05-05 22:27 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-05-05 18:20 . 2009-05-05 18:20 -------- d-----w- c:\windows\Sun
2009-05-05 18:19 . 2009-05-05 18:18 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-05 18:17 . 2009-05-05 18:17 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-05 07:04 . 2009-05-05 07:04 -------- d-----w- c:\program files\MSXML 4.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 11:10 . 2009-04-30 03:03 75184 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 10:53 . 2009-05-01 02:07 1148 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-05-29 11:44 . 2009-04-29 19:58 -------- d-----w- c:\program files\Pure Networks
2009-05-28 18:44 . 2009-04-29 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-05-28 18:43 . 2009-04-29 19:57 -------- d-----w- c:\program files\Common Files\AOL
2009-05-28 18:43 . 2009-04-29 20:13 -------- d-----w- c:\documents and settings\Owner\Application Data\AOL
2009-05-26 12:44 . 2009-04-30 03:06 -------- d-----w- c:\program files\Virtual Villagers
2009-05-17 21:41 . 2002-01-23 15:43 45056 ----a-w- c:\windows\system32\cdrtc.dll
2009-05-17 21:41 . 2002-01-23 15:20 45056 ----a-w- c:\windows\system32\cdral.dll
2009-05-10 14:55 . 2009-04-29 19:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-08 15:44 . 2009-04-29 20:03 -------- d-----w- c:\program files\McAfee
2009-05-05 18:18 . 2009-04-29 19:51 -------- d-----w- c:\program files\Java
2009-05-04 13:00 . 2009-05-04 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-05-04 04:19 . 2009-05-04 04:19 -------- d-----w- c:\program files\MSSOAP
2009-05-03 18:57 . 2009-05-03 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-05-01 21:04 . 2009-04-29 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy2
2009-05-01 12:15 . 2009-04-29 18:37 -------- d-----w- c:\program files\Alawar
2009-05-01 03:55 . 2009-05-01 02:54 -------- d-----w- c:\program files\Farm Frenzy Pizza Party
2009-05-01 03:54 . 2009-05-01 02:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-01 02:54 . 2009-05-01 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy-PizzaParty
2009-05-01 02:43 . 2009-05-01 02:43 -------- d-----w- c:\program files\ReflexiveArcade
2009-05-01 02:07 . 2009-05-01 02:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Template
2009-05-01 01:51 . 2009-04-29 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2009-04-30 20:42 . 2009-04-30 20:39 -------- d-----w- c:\program files\Efficient Networks
2009-04-30 02:47 . 2009-04-30 02:47 -------- d-----w- c:\program files\Common Files\Nova Development
2009-04-30 02:47 . 2009-04-30 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative Home
2009-04-30 02:45 . 2009-04-30 02:45 -------- d-----w- c:\program files\Creative Home

Re: WinBlueSoft

Post by Timothy on Wed Jun 03, 2009 3:01 pm

2009-04-30 01:37 . 2009-04-29 20:57 -------- d-----w- c:\program files\Sierra On-Line
2009-04-30 01:32 . 2009-04-30 01:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\Webroot
2009-04-30 01:32 . 2009-04-30 01:32 -------- d-----w- c:\program files\Webroot
2009-04-30 01:32 . 2009-04-30 01:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Webroot
2009-04-30 00:46 . 2009-04-30 00:46 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
2009-04-30 00:46 . 2009-04-30 00:46 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee.com Personal Firewall
2009-04-29 20:57 . 2009-04-29 20:57 -------- d-----w- c:\program files\WON
2009-04-29 20:48 . 2009-04-29 19:54 -------- d-----w- c:\program files\Napster
2009-04-29 20:48 . 2009-04-29 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2009-04-29 20:03 . 2009-04-29 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-04-29 20:01 . 2009-04-29 20:00 -------- d-----w- c:\program files\Microsoft Money 2006
2009-04-29 19:59 . 2009-04-29 19:59 -------- d-----w- c:\documents and settings\Owner\Application Data\You've Got Pictures Screensaver
2009-04-29 19:59 . 2009-04-29 19:59 -------- d-----w- c:\program files\Common Files\Nullsoft
2009-04-29 19:59 . 2009-04-29 19:58 -------- d-----w- c:\program files\QuickTime
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2009-04-29 19:58 . 2009-04-29 19:58 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\program files\Common Files\Real
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\program files\Real
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\documents and settings\Owner\Application Data\SampleView
2009-04-29 19:57 . 2009-04-29 19:57 335 ----a-w- c:\windows\nsreg.dat
2009-04-29 19:57 . 2009-04-29 19:57 49152 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-04-29 19:57 . 2009-04-29 19:57 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-04-29 19:57 . 2009-04-29 19:57 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-04-29 19:57 . 2009-04-29 19:57 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-04-29 19:57 . 2009-04-29 19:57 -------- d-----w- c:\program files\BigFix
2009-04-29 19:57 . 2009-04-29 19:56 -------- d-----w- c:\program files\Microsoft Works
2009-04-29 19:56 . 2009-04-29 19:56 -------- d-----w- c:\program files\MSN Encarta Plus
2009-04-29 19:56 . 2009-04-29 19:56 -------- d-----w- c:\program files\Digital Media Reader
2009-04-29 19:55 . 2009-04-29 19:41 -------- d-----w- c:\program files\Common Files\InstallShield
2009-04-29 19:54 . 2009-04-29 19:54 -------- d-----w- c:\program files\Common Files\Adobe
2009-04-29 19:52 . 2009-04-29 19:52 -------- d-----w- c:\program files\Realtek Sound Manager
2009-04-29 19:52 . 2009-04-29 19:52 -------- d-----w- c:\program files\AvRack
2009-04-29 19:52 . 2009-04-29 19:52 -------- d-----w- c:\program files\Realtek AC97
2009-04-29 19:52 . 2009-04-29 19:51 -------- d-----w- c:\program files\Microsoft Digital Image 2006
2009-04-29 19:52 . 2009-04-29 19:52 4 ----a-w- c:\windows\Pix11.dat
2009-04-29 19:51 . 2009-04-29 19:51 -------- d-----w- c:\program files\Common Files\Java
2009-04-29 19:45 . 2009-04-29 19:45 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-04-29 19:44 . 2009-04-29 19:44 -------- d-----w- c:\program files\Google
2009-04-29 19:44 . 2009-04-29 19:44 -------- d-----w- c:\program files\CyberLink
2009-04-29 19:44 . 2009-04-29 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Farm Frenzy
2009-04-29 19:43 . 2009-04-29 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
2009-04-29 19:37 . 2009-04-29 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Prism Deploy
2009-04-29 19:37 . 2009-04-29 19:37 -------- d-----w- c:\program files\Common Files\New Boundary
2009-04-29 19:34 . 2009-04-29 19:34 -------- d-----w- c:\program files\CONEXANT
2009-04-29 19:22 . 2004-08-26 18:04 -------- d-----w- c:\program files\microsoft frontpage
2009-04-06 17:32 . 2009-05-04 04:18 1563008 ----a-w- c:\windows\WRSetup.dll
2009-04-02 18:30 . 2009-04-02 18:30 176752 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2009-04-02 18:30 . 2009-04-02 18:30 23152 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2009-04-02 18:30 . 2009-04-02 18:30 29808 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2009-03-06 14:00 . 2009-04-29 19:17 284160 ----a-w- c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money 2006\MNYCoreFiles\System\Money Express.exe" [1999-08-04 122940]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-05 148888]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-04-29 98304]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-04-06 6345840]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-09-26 90112]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-09-18 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2009-4-29 2168360]
Event Planner Reminder.lnk - c:\program files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe [2009-4-29 25896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/2/2009 2:30 PM 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [5/4/2009 12:21 AM 1181040]
R3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;c:\windows\system32\drivers\enetnt.sys [4/30/2009 4:42 PM 40832]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
S3 ENDETECT;ENDETECT;c:\progra~1\EFFICI~1\TANGOM~1\app\ENDETECT.SYS [4/30/2009 4:42 PM 7752]
S3 L2XPSR;L2XPSR;c:\progra~1\EFFICI~1\TANGOM~1\app\L2XPSR.SYS [4/30/2009 4:42 PM 18478]
S3 NTSTPL1;NTSTPL1;c:\progra~1\EFFICI~1\TANGOM~1\app\NTSTPL1.SYS [4/30/2009 4:42 PM 16160]
S3 TAPBIND;TAPBIND;c:\progra~1\EFFICI~1\TANGOM~1\app\TAPBIND1.SYS [4/30/2009 4:42 PM 44736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-06-03 c:\windows\Tasks\wrSpySweeper20090430221446.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-05-04 17:32]

2009-06-03 c:\windows\Tasks\wrSpySweeper20090430221446.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-05-04 17:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\AskBarDis\bar\bin\askBar.dll
SafeBoot-procexp90.Sys
SafeBoot-svcWRSSSDK


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-03 10:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-03 10:52
ComboFix-quarantined-files.txt 2009-06-03 14:52

Pre-Run: 116,199,342,080 bytes free
Post-Run: 119,412,076,544 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

1035 --- E O F --- 2009-06-02 07:01


Re: WinBlueSoft

Post by Belahzur on Wed Jun 03, 2009 3:03 pm

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
ASKUpgrade

File::
c:\windows\87759rz.bin
c:\windows\system32\tempo-setup2.exe

Folder::
c:\program files\WinBlueSoft Software
c:\program files\Napster

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
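A way to check that a CFScript like the one above actually did what it asked, using the ComboFix log that comes back after the run (the one Timothy posts next). This is an added example for this thread, not ComboFix's own tooling and not code from either poster. It assumes the directive names used in Belahzur's script (KILLALL::, Driver::, File::, Folder::, Registry::), the "(((( Section ))))" headers and "-------\Service_<name>" lines ComboFix prints, and that a trailing "[?]" marks a service whose binary ComboFix could not resolve; the two embedded texts are constructed excerpts of that script and of the post-run log, not full copies.

```python
"""Check a ComboFix CFScript against the log ComboFix writes after running it.
Added example for this thread, not ComboFix tooling or code from the posts; the
two texts below are constructed excerpts of the script and the post-run log."""
import re

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")      # '(((( Other Deletions ))))'
REG_KEY_RE = re.compile(r"^\[(.+)\]$")               # '[HKEY_...]'
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')       # '"Name"=value'

CFSCRIPT = r"""
KILLALL::
Driver::
ASKUpgrade
File::
c:\windows\87759rz.bin
c:\windows\system32\tempo-setup2.exe
Folder::
c:\program files\WinBlueSoft Software
c:\program files\Napster
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-
"""

POST_RUN_LOG = r"""
AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
(((((((((((((((( Other Deletions ))))))))))))))))
.
c:\program files\Napster
c:\program files\WinBlueSoft Software
c:\program files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe
c:\windows\87759rz.bin
c:\windows\system32\tempo-setup2.exe
(((((((((((((((( Drivers/Services ))))))))))))))))
-------\Service_ASKUpgrade
(((((((((((((((( Reg Loading Points ))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
"""


def parse_cfscript(text):
    """Split a CFScript into {directive: [lines]}; directives are 'Name::' lines."""
    sections, current = {}, None
    for ln in (raw.strip() for raw in text.splitlines()):
        if ln.endswith("::"):
            current = ln[:-2]
            sections.setdefault(current, [])
        elif ln and current is not None:
            sections[current].append(ln)
    return sections


def parse_combofix_log(text):
    """Split a ComboFix log into {section title: [lines]}; '' is the preamble."""
    sections, current = {"": []}, ""
    for ln in (raw.strip() for raw in text.splitlines()):
        m = SECTION_RE.match(ln)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif ln and ln != ".":
            sections[current].append(ln)
    return sections


def reg_entries(lines):
    """Yield (key, name, value) from REGEDIT4-style lines; keys are lower-cased."""
    key = None
    for ln in lines:
        m = REG_KEY_RE.match(ln)
        if m:
            key = m.group(1).lower()
            continue
        m = REG_VALUE_RE.match(ln)
        if m and key:
            yield key, m.group(1), m.group(2)


def check_cleanup(script_text, log_text):
    """'removed': targets the log confirms gone; 'missing': targets it does not;
    'residual': defences the log still shows disabled or entries it could not resolve."""
    script, log = parse_cfscript(script_text), parse_combofix_log(log_text)
    deleted = {p.lower() for p in log.get("Other Deletions", [])}
    services = "\n".join(log.get("Drivers/Services", [])).lower()
    regpoints = log.get("Reg Loading Points", [])
    reg_now = {(k, n): v for k, n, v in reg_entries(regpoints)}
    removed, missing = [], []
    for path in script.get("File", []) + script.get("Folder", []):
        (removed if path.lower() in deleted else missing).append(path)
    for drv in script.get("Driver", []):       # ComboFix logs '-------\Service_<name>'
        (removed if f"service_{drv.lower()}" in services else missing).append(drv)
    for key, name, value in reg_entries(script.get("Registry", [])):
        if value == "-":                        # '"Name"=-' asks ComboFix to delete the value
            (missing if (key, name) in reg_now else removed).append(f"{key}\\{name}")
    residual = [ln for ln in log[""] if ln[:3] in ("AV:", "FW:") and "disabled" in ln.lower()]
    residual += [f"{k}\\{n}={v}" for (k, n), v in reg_now.items()
                 if n == "DisableMonitoring" and v.endswith("1")]
    residual += [ln for ln in regpoints if ln.endswith("[?]")]   # binary ComboFix could not resolve
    return {"removed": removed, "missing": missing, "residual": residual}
```

Calling check_cleanup(CFSCRIPT, POST_RUN_LOG) puts all six targets (two files, two folders, the ASKUpgrade service and the NoDispBackgroundPage value) under "removed" and leaves "missing" empty, while "residual" still lists the AV and FW lines reported as disabled and the Security Center DisableMonitoring=1 entry; those are what to look at by hand once the deletions are confirmed. Running the same check against the pre-run log instead reports every target as "missing" and flags the S2 ASKUpgrade service line that ends in [?].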

Re: WinBlueSoft

Post by Timothy on Wed Jun 03, 2009 3:24 pm

ComboFix 09-06-01.03 - Owner 06/03/2009 11:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382.120 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\tim\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\tim\CFScript.txt
AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\87759rz.bin"
"c:\windows\system32\tempo-setup2.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Napster
c:\program files\Napster\NMSubscriptionStub.dll
c:\program files\Napster\xdetect.ocx
c:\program files\WinBlueSoft Software
c:\program files\WinBlueSoft Software\WinBlueSoft\data.bin
c:\program files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe
c:\windows\87759rz.bin
c:\windows\system32\tempo-setup2.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASKUPGRADE
-------\Service_ASKUpgrade


((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-06-02 07:01 . 2009-06-02 07:01 -------- d-----w- c:\program files\MSXML 6.0
2009-05-29 02:44 . 2009-05-29 02:48 -------- d-----w- c:\windows\system32\NtmsData
2009-05-28 14:59 . 2009-05-28 17:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Ashtons. Family Resort
2009-05-28 14:59 . 2009-05-28 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Ashtons. Family Resort
2009-05-28 12:15 . 2009-05-28 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-05-28 12:15 . 2009-05-28 12:30 -------- d-----w- c:\program files\NOS
2009-05-27 20:36 . 2009-05-27 20:36 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-05-27 20:36 . 2009-06-03 14:25 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-05-27 20:34 . 2009-06-03 14:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-05-27 20:33 . 2009-06-01 21:19 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-27 20:32 . 2009-05-27 20:32 -------- d-----w- c:\program files\Common Files\Skype
2009-05-27 20:32 . 2009-05-27 20:32 -------- d-----r- c:\program files\Skype
2009-05-27 20:32 . 2009-05-27 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-05-27 20:32 . 2009-05-27 20:32 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org
2009-05-27 20:26 . 2009-05-27 20:26 -------- d-----w- c:\program files\JRE
2009-05-27 20:25 . 2009-05-27 20:25 -------- d-----w- c:\program files\OpenOffice.org 3
2009-05-27 12:22 . 2009-06-01 00:15 -------- d-----w- c:\program files\Absolute Poker
2009-05-27 12:21 . 2009-05-27 12:21 -------- d-----w- c:\program files\_uninstallation_info
2009-05-27 11:40 . 2009-05-27 11:40 -------- d-----w- c:\program files\Common Files\HP
2009-05-27 11:40 . 2009-05-27 11:40 -------- d-----w- c:\program files\Hewlett-Packard
2009-05-27 11:40 . 2009-05-27 11:40 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-05-27 11:39 . 2004-08-04 02:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-05-27 11:39 . 2004-08-04 02:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-05-27 11:38 . 2008-01-25 12:22 21568 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2009-05-27 11:38 . 2008-01-25 12:22 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2009-05-27 11:38 . 2008-01-25 12:22 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2009-05-27 11:38 . 2009-05-27 11:38 -------- dc----w- c:\windows\system32\DRVSTORE
2009-05-27 11:38 . 2008-01-25 12:22 729088 ----a-w- c:\windows\system32\hpowiax7.dll
2009-05-27 11:38 . 2008-01-25 12:22 303104 ----a-w- c:\windows\system32\hpovst15.dll
2009-05-27 11:38 . 2008-01-25 12:22 581632 ----a-w- c:\windows\system32\hpotscl6.dll
2009-05-27 11:38 . 2008-01-25 12:22 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2009-05-27 11:38 . 2008-01-25 12:22 309760 ----a-w- c:\windows\system32\difxapi.dll
2009-05-27 11:37 . 2009-05-27 11:37 -------- d-----w- c:\program files\HP
2009-05-27 11:36 . 2009-05-27 11:40 163142 ----a-w- c:\windows\hpoins28.dat
2009-05-27 11:36 . 2008-05-12 19:46 796 ------w- c:\windows\hpomdl28.dat
2009-05-26 23:52 . 2009-05-26 23:52 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Nero
2009-05-26 23:52 . 2009-05-27 00:21 -------- d-----w- c:\documents and settings\Owner\Application Data\Nero
2009-05-26 19:44 . 2009-05-26 19:44 -------- d-----w- c:\program files\Windows Sidebar
2009-05-26 19:22 . 2009-05-26 19:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-05-26 19:20 . 2009-05-26 19:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-05-26 19:19 . 2009-05-26 19:47 -------- d-----w- c:\program files\Nero
2009-05-26 19:18 . 2009-05-26 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-05-26 19:18 . 2009-05-26 20:11 -------- d-----w- c:\program files\Common Files\Nero
2009-05-26 17:31 . 2009-05-26 17:31 -------- d-----w- c:\program files\MSBuild
2009-05-26 17:30 . 2009-05-26 17:30 154152 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-26 17:24 . 2007-07-20 04:57 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2009-05-26 17:24 . 2007-07-19 22:14 444776 ----a-w- c:\windows\system32\d3dx10_35.dll
2009-05-26 17:24 . 2007-07-19 22:14 1358192 ----a-w- c:\windows\system32\D3DCompiler_35.dll
2009-05-26 17:23 . 2007-07-19 22:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-05-26 17:23 . 2007-07-20 04:54 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
2009-05-26 17:23 . 2007-06-21 00:46 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2009-05-26 17:23 . 2009-05-26 17:23 -------- d-----w- c:\windows\system32\XPSViewer
2009-05-26 17:23 . 2007-05-16 20:45 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2009-05-26 17:23 . 2007-05-16 20:45 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2009-05-26 17:23 . 2007-05-16 20:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2009-05-26 17:23 . 2007-04-04 22:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2009-05-26 17:23 . 2007-04-04 22:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2009-05-26 17:23 . 2007-03-15 20:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2009-05-26 17:23 . 2007-03-12 20:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2009-05-26 17:21 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-05-26 17:21 . 2009-05-26 17:21 -------- d-----w- c:\program files\Reference Assemblies
2009-05-26 17:20 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-05-26 16:57 . 2009-05-26 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-26 16:57 . 2009-05-26 16:57 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-26 16:57 . 2009-05-26 16:57 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-05-26 14:24 . 2009-05-26 14:30 -------- d-----w- c:\program files\Brain Challenge
2009-05-26 12:53 . 2009-05-26 13:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Reflexive Ashtons Family Resort
2009-05-26 12:53 . 2009-05-26 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Reflexive Ashtons Family Resort
2009-05-26 12:52 . 2009-05-26 14:09 -------- d-----w- c:\program files\Ashtons Family Resort
2009-05-26 11:19 . 2009-05-26 11:19 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-26 11:19 . 2009-05-26 16:59 -------- d-----w- c:\documents and settings\Owner\Application Data\DAEMON Tools Lite
2009-05-25 18:56 . 2009-05-27 01:09 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-05-24 05:41 . 2009-06-02 19:02 -------- d-----w- c:\program files\UltimateBet
2009-05-23 14:34 . 2009-05-27 12:47 -------- d-----w- c:\documents and settings\Owner\Shared
2009-05-23 14:33 . 2009-05-27 12:47 -------- d-----w- c:\documents and settings\Owner\Incomplete
2009-05-23 14:33 . 2009-05-24 06:53 -------- d-----w- c:\documents and settings\Owner\Application Data\MP3Rocket
2009-05-20 16:13 . 2009-05-20 16:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Jane s Hotel Family Hero
2009-05-17 21:41 . 2009-05-17 21:41 57136 ----a-w- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-17 21:41 . 2009-05-17 21:41 40960 ----a-w- c:\windows\uneng.exe
2009-05-17 21:41 . 2009-05-17 21:41 23721 ----a-w- c:\windows\system32\drivers\cdralw2k.sys
2009-05-17 21:40 . 2009-05-17 21:41 -------- d-----w- c:\program files\Common Files\Adaptec Shared
2009-05-17 21:40 . 2009-05-17 21:40 -------- d-----w- c:\program files\Adaptec
2009-05-15 20:54 . 2009-05-15 20:54 -------- d-----w- c:\program files\farm mania
2009-05-15 20:54 . 2009-05-15 20:54 -------- d-----w- c:\windows\farm mania,
2009-05-14 23:12 . 2009-05-14 23:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Viewpoint
2009-05-13 15:36 . 2009-05-13 15:36 -------- d-sh--w- c:\windows\ftpcache
2009-05-13 15:32 . 2009-05-28 18:40 -------- d-----w- c:\program files\Selectsoft
2009-05-13 01:20 . 2009-05-13 01:20 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Identities
2009-05-12 02:34 . 2009-05-28 14:58 -------- d-----w- C:\games
2009-05-11 19:44 . 2009-05-11 19:44 -------- d-----w- c:\windows\BBSTORE
2009-05-11 19:39 . 2009-05-28 18:45 -------- d-----w- c:\program files\Riven
2009-05-11 19:35 . 1996-08-16 17:49 298496 ----a-w- c:\windows\uninst.exe
2009-05-10 14:54 . 2009-05-10 15:10 -------- d-----w- c:\documents and settings\Owner\Application Data\ICQ
2009-05-10 14:53 . 2009-05-10 15:10 -------- d-----w- c:\program files\ICQ6.5
2009-05-10 14:26 . 2009-06-03 02:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\FLVService
2009-05-10 14:26 . 2009-05-10 14:26 -------- d-----w- c:\program files\Ask & Record Toolbar
2009-05-10 14:23 . 2009-05-10 14:23 -------- d-----w- c:\windows\Ask & Record Toolbar
2009-05-06 09:46 . 2009-05-06 10:17 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-05-05 22:27 . 2009-05-05 22:27 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-05-05 18:20 . 2009-05-05 18:20 -------- d-----w- c:\windows\Sun
2009-05-05 18:19 . 2009-05-05 18:18 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-05 18:17 . 2009-05-05 18:17 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-05 07:04 . 2009-05-05 07:04 -------- d-----w- c:\program files\MSXML 4.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 11:10 . 2009-04-30 03:03 75184 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 10:53 . 2009-05-01 02:07 1148 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-05-29 11:44 . 2009-04-29 19:58 -------- d-----w- c:\program files\Pure Networks
2009-05-28 18:44 . 2009-04-29 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-05-28 18:43 . 2009-04-29 19:57 -------- d-----w- c:\program files\Common Files\AOL
2009-05-28 18:43 . 2009-04-29 20:13 -------- d-----w- c:\documents and settings\Owner\Application Data\AOL
2009-05-26 12:44 . 2009-04-30 03:06 -------- d-----w- c:\program files\Virtual Villagers
2009-05-17 21:41 . 2002-01-23 15:43 45056 ----a-w- c:\windows\system32\cdrtc.dll
2009-05-17 21:41 . 2002-01-23 15:20 45056 ----a-w- c:\windows\system32\cdral.dll
2009-05-10 14:55 . 2009-04-29 19:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-08 15:44 . 2009-04-29 20:03 -------- d-----w- c:\program files\McAfee
2009-05-05 18:18 . 2009-04-29 19:51 -------- d-----w- c:\program files\Java
2009-05-04 13:00 . 2009-05-04 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-05-04 04:19 . 2009-05-04 04:19 -------- d-----w- c:\program files\MSSOAP
2009-05-03 18:57 . 2009-05-03 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-05-01 21:04 . 2009-04-29 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy2
2009-05-01 12:15 . 2009-04-29 18:37 -------- d-----w- c:\program files\Alawar
2009-05-01 03:55 . 2009-05-01 02:54 -------- d-----w- c:\program files\Farm Frenzy Pizza Party
2009-05-01 03:54 . 2009-05-01 02:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-01 02:54 . 2009-05-01 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy-PizzaParty
2009-05-01 02:43 . 2009-05-01 02:43 -------- d-----w- c:\program files\ReflexiveArcade
2009-05-01 02:07 . 2009-05-01 02:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Template
2009-05-01 01:51 . 2009-04-29 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2009-04-30 20:42 . 2009-04-30 20:39 -------- d-----w- c:\program files\Efficient Networks
2009-04-30 02:47 . 2009-04-30 02:47 -------- d-----w- c:\program files\Common Files\Nova Development
2009-04-30 02:47 . 2009-04-30 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative Home
2009-04-30 02:45 . 2009-04-30 02:45 -------- d-----w- c:\program files\Creative Home
2009-04-30 01:37 . 2009-04-29 20:57 -------- d-----w- c:\program files\Sierra On-Line
2009-04-30 01:32 . 2009-04-30 01:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\Webroot
2009-04-30 01:32 . 2009-04-30 01:32 -------- d-----w- c:\program files\Webroot
2009-04-30 01:32 . 2009-04-30 01:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Webroot
2009-04-30 00:46 . 2009-04-30 00:46 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
2009-04-30 00:46 . 2009-04-30 00:46 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee.com Personal Firewall
2009-04-29 20:57 . 2009-04-29 20:57 -------- d-----w- c:\program files\WON
2009-04-29 20:48 . 2009-04-29 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2009-04-29 20:03 . 2009-04-29 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-04-29 20:01 . 2009-04-29 20:00 -------- d-----w- c:\program files\Microsoft Money 2006
2009-04-29 19:59 . 2009-04-29 19:59 -------- d-----w- c:\documents and settings\Owner\Application Data\You've Got Pictures Screensaver
2009-04-29 19:59 . 2009-04-29 19:59 -------- d-----w- c:\program files\Common Files\Nullsoft
2009-04-29 19:59 . 2009-04-29 19:58 -------- d-----w- c:\program files\QuickTime
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2009-04-29 19:58 . 2009-04-29 19:58 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\program files\Common Files\Real
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\program files\Real
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\documents and settings\Owner\Application Data\SampleView
2009-04-29 19:57 . 2009-04-29 19:57 335 ----a-w- c:\windows\nsreg.dat
2009-04-29 19:57 . 2009-04-29 19:57 49152 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-04-29 19:57 . 2009-04-29 19:57 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-04-29 19:57 . 2009-04-29 19:57 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-04-29 19:57 . 2009-04-29 19:57 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-04-29 19:57 . 2009-04-29 19:57 -------- d-----w- c:\program files\BigFix
2009-04-29 19:57 . 2009-04-29 19:56 -------- d-----w- c:\program files\Microsoft Works
2009-04-29 19:56 . 2009-04-29 19:56 -------- d-----w- c:\program files\MSN Encarta Plus
2009-04-29 19:56 . 2009-04-29 19:56 -------- d-----w- c:\program files\Digital Media Reader
2009-04-29 19:55 . 2009-04-29 19:41 -------- d-----w- c:\program files\Common Files\InstallShield
2009-04-29 19:54 . 2009-04-29 19:54 -------- d-----w- c:\program files\Common Files\Adobe
2009-04-29 19:52 . 2009-04-29 19:52 -------- d-----w- c:\program files\Realtek Sound Manager
2009-04-29 19:52 . 2009-04-29 19:52 -------- d-----w- c:\program files\AvRack
2009-04-29 19:52 . 2009-04-29 19:52 -------- d-----w- c:\program files\Realtek AC97
2009-04-29 19:52 . 2009-04-29 19:51 -------- d-----w- c:\program files\Microsoft Digital Image 2006
2009-04-29 19:52 . 2009-04-29 19:52 4 ----a-w- c:\windows\Pix11.dat
2009-04-29 19:51 . 2009-04-29 19:51 -------- d-----w- c:\program files\Common Files\Java
2009-04-29 19:45 . 2009-04-29 19:45 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-04-29 19:44 . 2009-04-29 19:44 -------- d-----w- c:\program files\Google
2009-04-29 19:44 . 2009-04-29 19:44 -------- d-----w- c:\program files\CyberLink
2009-04-29 19:44 . 2009-04-29 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Farm Frenzy
2009-04-29 19:43 . 2009-04-29 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
2009-04-29 19:37 . 2009-04-29 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Prism Deploy
2009-04-29 19:37 . 2009-04-29 19:37 -------- d-----w- c:\program files\Common Files\New Boundary
2009-04-29 19:34 . 2009-04-29 19:34 -------- d-----w- c:\program files\CONEXANT
2009-04-29 19:22 . 2004-08-26 18:04 -------- d-----w- c:\program files\microsoft frontpage
2009-04-06 17:32 . 2009-05-04 04:18 1563008 ----a-w- c:\windows\WRSetup.dll
2009-04-02 18:30 . 2009-04-02 18:30 176752 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2009-04-02 18:30 . 2009-04-02 18:30 23152 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2009-04-02 18:30 . 2009-04-02 18:30 29808 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2009-03-06 14:00 . 2009-04-29 19:17 284160 ----a-w- c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-03 15:13 . 2009-06-03 15:13 16384 c:\windows\temp\Perflib_Perfdata_298.dat
+ 2009-06-03 15:15 . 2009-06-03 15:15 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-08-26 18:07 . 2009-06-03 15:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-08-26 18:07 . 2009-06-03 14:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-08-26 18:07 . 2009-06-03 15:12 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-26 18:07 . 2009-06-03 14:22 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money 2006\MNYCoreFiles\System\Money Express.exe" [1999-08-04 122940]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-05 148888]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-04-29 98304]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-04-06 6345840]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-09-26 90112]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-09-18 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2009-4-29 2168360]
Event Planner Reminder.lnk - c:\program files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe [2009-4-29 25896]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/2/2009 2:30 PM 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [5/4/2009 12:21 AM 1181040]
R3 ENDETECT;ENDETECT;c:\progra~1\EFFICI~1\TANGOM~1\app\ENDETECT.SYS [4/30/2009 4:42 PM 7752]
R3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;c:\windows\system32\drivers\enetnt.sys [4/30/2009 4:42 PM 40832]
R3 L2XPSR;L2XPSR;c:\progra~1\EFFICI~1\TANGOM~1\app\L2XPSR.SYS [4/30/2009 4:42 PM 18478]
R3 NTSTPL1;NTSTPL1;c:\progra~1\EFFICI~1\TANGOM~1\app\NTSTPL1.SYS [4/30/2009 4:42 PM 16160]
R3 TAPBIND;TAPBIND;c:\progra~1\EFFICI~1\TANGOM~1\app\TAPBIND1.SYS [4/30/2009 4:42 PM 44736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {A2908D85-E3F9-4FC3-AE88-480B3C435ED6} = 166.102.165.11 166.102.165.13
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-03 11:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3752)
c:\documents and settings\Owner\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Efficient Networks\Tango Manager\app\TangoService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\rundll32.exe
c:\progra~1\EFFICI~1\TANGOM~1\app\TANGOM~1.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\wscntfy.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Webroot\Spy Sweeper\SSU.exe
.
**************************************************************************
.
Completion time: 2009-06-03 11:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-03 15:21
ComboFix2.txt 2009-06-03 14:52

Pre-Run: 119,426,543,616 bytes free
Post-Run: 119,298,183,168 bytes free

320 --- E O F --- 2009-06-02 07:01

Timothy
Novice

Posts : 19
Joined : 2009-06-03
OS : XP

Re: WinBlueSoft

Post by Belahzur on Wed Jun 03, 2009 3:31 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: WinBlueSoft

Post by Timothy on Wed Jun 03, 2009 3:34 pm

Everything appears to be running fine. Does this mean I am done? What is the best way to protect the system in future?


Re: WinBlueSoft

Post by Belahzur on Wed Jun 03, 2009 3:37 pm

Hello.
Do you have any external hardware that you used around the time the infection started? This infection has an autorun worm included in it, so any USB sticks/external hard drives can possibly be infected.





Re: WinBlueSoft

Post by Timothy on Wed Jun 03, 2009 3:38 pm

I do have a thumb drive. I don't know if it was used, but it should probably be checked.


Re: WinBlueSoft

Post by Belahzur on Wed Jun 03, 2009 3:42 pm

Please download [You must be registered and logged in to see this link.] to your Desktop and run it by double-clicking the program's icon.

  1. Wait a couple of seconds for the initial scan to finish.
  2. Connect all of your USB storage devices to the PC, one at a time, and keep each one connected for at least 10 seconds.
  3. If there are more USB storage devices to scan, please take note of the order in which they were connected.
  4. After all the devices are scanned, right-click in the Monitor tab and choose "Save log". That will open the log in Notepad. Please copy and paste the log into this thread.
Explanation: USB storage devices are all the USB devices that get their own partition letter when connected to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.





Re: WinBlueSoft

Post by Timothy on Wed Jun 03, 2009 3:45 pm

USBNoRisk 2.4 (1 June 2009) by bobby

Started at 6/3/2009 11:43:57 AM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {8014b06e-34fb-11de-a04a-806d6172696f}
D: {8014b06f-34fb-11de-a04a-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 8014b06e-34fb-11de-a04a-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 8014b06f-34fb-11de-a04a-806d6172696f
----------------------------------------
Desktop.ini found at D:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------
Desktop.ini found at D:\MiniNT\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\i386\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\updgoi\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\System Restore\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\System Volume Information\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\PRELOAD\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 6/3/2009 11:44:36 AM

Scanning for connected USB mass storage...
----------------------------------------
L: {ca5581d4-48db-11de-a059-000b23602733}
Added L:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on L:
----------------------------------------
autorun.inf found on L:
----------------------------------------
File L:\autorun.inf renamed successfully

Content of L:\autorun.inf.blocked
----------------------------------------
[autorun]
;xskxsrrfbemflkfynpsgjodctcxnmtpougqihnkkvccgemnniimuzobntzosecxlmcumffzdupxlxjrvpeqynkwwutfiecneour
shellexecute="RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com l:\"
;kxecrgjoaisbqodzrfzuvzfbww
shell\Open\command="RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com l:\"
;tbwzzeiabcpwolhehjowfbwwpefcgsgpgdoeyobyszmqcjydbfldfn
shell=Open
----------------------------------------

Files referenced from L:\autorun.inf.blocked
----------------------------------------
None
----------------------------------------

Possible references from L:\autorun.inf.blocked
(beware, these are possible false detections)
----------------------------------------
L:\RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com -r-hs 39936
----------------------------------------

Sanitized mountpoint for ca5581d4-48db-11de-a059-000b23602733
----------------------------------------

No Desktop.ini files found on L:
----------------------------------------

No mimics found on drive L:
========================================

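The autorun.inf that USBNoRisk quoted from L: above is a textbook removable-media launcher: junk comment lines for padding, the default shell verb pointed at a custom command, and the executable parked under a RECYCLER folder with a fake SID name. As an added example (not part of this thread and not USBNoRisk's code), the Python below does what the tool's "Files referenced" section attempts: it strips the padding comments, pulls out the [autorun] keys that execute on insertion, resolves the file they point at on the given drive letter, and flags those traits. The sample input is the quoted autorun.inf reconstructed inline; the function names and the drive-letter parameter are my own.

```python
import re

# Constructed sample input: the autorun.inf USBNoRisk quoted from L: in the
# log above, reproduced line for line (backslashes escaped for Python).
SAMPLE_AUTORUN_INF = (
    "[autorun]\n"
    ";xskxsrrfbemflkfynpsgjodctcxnmtpougqihnkkvccgemnniimuzobntzosecxlmcumffzdupxlxjrvpeqynkwwutfiecneour\n"
    'shellexecute="RECYCLER\\S-1-3-78-100023270-100010130-100029709-1602.com l:\\"\n'
    ";kxecrgjoaisbqodzrfzuvzfbww\n"
    'shell\\Open\\command="RECYCLER\\S-1-3-78-100023270-100010130-100029709-1602.com l:\\"\n'
    ";tbwzzeiabcpwolhehjowfbwwpefcgsgpgdoeyobyszmqcjydbfldfn\n"
    "shell=Open\n"
)

EXEC_KEYS = ("open", "shellexecute")  # [autorun] keys that run on insertion/AutoPlay
# A comment that is one long run of letters/digits is padding, not documentation.
PADDING_COMMENT = re.compile(r"^;[a-z0-9]{20,}$", re.I)


def parse_autorun(text):
    """Parse INI-style text into ({section: [(key, value), ...]}, padding_count).
    Section names and keys are lower-cased; values keep their quoting."""
    sections, padding, current = {}, 0, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            padding += bool(PADDING_COMMENT.match(line))
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections, padding


def program_of(command):
    """Program part of a command value: drop one pair of INI quotes, then take
    a quoted token or the first whitespace-separated word."""
    if len(command) >= 2 and command[0] == command[-1] and command[0] in "\"'":
        command = command[1:-1]
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def execution_commands(sections):
    """(key, value) pairs in [autorun] that execute something: open, shellexecute,
    and any shell\\<verb>\\command (shell=<verb> makes that verb the default)."""
    return [(k, v) for k, v in sections.get("autorun", [])
            if k in EXEC_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def referenced_files(sections, drive):
    """Absolute paths on `drive` (e.g. 'L:') of the programs those commands launch."""
    paths = set()
    for _, command in execution_commands(sections):
        prog = program_of(command)
        if prog and re.match(r"^[a-z]:\\", prog, re.I):
            paths.add(prog)
        elif prog:
            paths.add(drive.rstrip("\\") + "\\" + prog.lstrip("\\"))
    return sorted(paths)


def triage(text, drive):
    """Return (verdict, reasons, files). Reasons are the traits seen in the log
    above: padding comments, the default verb redirected to a custom command, and
    a launcher hidden under a fake recycle-bin SID folder. A plain open=setup.exe
    is listed in `files` but not flagged, since vendor media legitimately use it."""
    sections, padding = parse_autorun(text)
    commands = execution_commands(sections)
    files = referenced_files(sections, drive)
    reasons = []
    if padding:
        reasons.append(f"{padding} padding comment line(s)")
    verb = next((v for k, v in sections.get("autorun", []) if k == "shell"), None)
    if verb and any(k.startswith("shell\\") for k, _ in commands):
        reasons.append(f"default verb shell={verb} redirected to a custom command")
    for path in files:
        if re.search(r"\\recycle[rd]?\\s-1-", path, re.I):
            reasons.append(f"launcher under a fake recycle-bin SID folder: {path}")
    return ("suspicious" if reasons else "clean"), reasons, files
```

Run `triage(SAMPLE_AUTORUN_INF, "L:")` to get the verdict, the three reasons and the single launcher path the log's "Possible references" section pointed at; USBNoRisk listed it only as a possible reference because it did not strip the outer INI quotes before tokenising.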

Re: WinBlueSoft

Post by Belahzur on Wed Jun 03, 2009 3:49 pm

Hello.
Yep, whatever your L drive is, it's infected too.

Please open USBNoRisk again, we need to use a custom script to delete the malicious autorun.inf files.

  1. When USBNoRisk opens, go into the Script tab, and insert the bolded script below.

    {8014b06e-34fb-11de-a04a-806d6172696f}
    protect:
    {8014b06f-34fb-11de-a04a-806d6172696f}
    protect:
    {ca5581d4-48db-11de-a059-000b23602733}
    f_delete: L:\autorun.inf.blocked
    f_delete: L:\RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com
    protect:

  2. Then press the Run Script button.
  3. Copy and paste the report back here.





Re: WinBlueSoft

Post by Timothy on Wed Jun 03, 2009 3:52 pm

USBNoRisk 2.4 (1 June 2009) by bobby

Started at 6/3/2009 11:50:20 AM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {8014b06e-34fb-11de-a04a-806d6172696f}
D: {8014b06f-34fb-11de-a04a-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 8014b06e-34fb-11de-a04a-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 8014b06f-34fb-11de-a04a-806d6172696f
----------------------------------------
Desktop.ini found at D:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------
Desktop.ini found at D:\MiniNT\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\i386\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\updgoi\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\System Restore\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\System Volume Information\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\PRELOAD\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 6/3/2009 11:51:06 AM

Scanning for connected USB mass storage...
----------------------------------------
L: {ca5581d4-48db-11de-a059-000b23602733}
Added L:
========================================

Scanning USB mass storage for files...
----------------------------------------
Blocked file found: L:\autorun.inf.blocked
----------------------------------------
Content of L:\autorun.inf.blocked
----------------------------------------
[autorun]
;xskxsrrfbemflkfynpsgjodctcxnmtpougqihnkkvccgemnniimuzobntzosecxlmcumffzdupxlxjrvpeqynkwwutfiecneour
shellexecute="RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com l:\"
;kxecrgjoaisbqodzrfzuvzfbww
shell\Open\command="RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com l:\"
;tbwzzeiabcpwolhehjowfbwwpefcgsgpgdoeyobyszmqcjydbfldfn
shell=Open
----------------------------------------

Files referenced from L:\autorun.inf.blocked
----------------------------------------
None
----------------------------------------

Possible references from L:\autorun.inf.blocked
(beware, these are possible false detections)
----------------------------------------
L:\RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com -r-hs 39936
----------------------------------------

----------------------------------------
No Autorun.inf files found on L:
No mountpoint found for ca5581d4-48db-11de-a059-000b23602733
----------------------------------------

No Desktop.ini files found on L:
----------------------------------------

No mimics found on drive L:
========================================


Processing script
----------------------------------------
ca5581d4-48db-11de-a059-000b23602733
Drive letter for GUID: L:
SectionStart = 4
SectionEnd = 6
f_delete:
driver version mismatch: use command "net stop catchme" to stop old driver
driver version mismatch: use command "net stop catchme" to stop old driver
delete file error: L:\autorun.inf.blocked, The handle is invalid.
f_delete:
driver version mismatch: use command "net stop catchme" to stop old driver
driver version mismatch: use command "net stop catchme" to stop old driver
delete file error: L:\RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com, The handle is invalid.
----------------------------------------

8014b06e-34fb-11de-a04a-806d6172696f
Drive letter for GUID: C:
SectionStart = 0
SectionEnd = 1
----------------------------------------

8014b06f-34fb-11de-a04a-806d6172696f
Drive letter for GUID: D:
SectionStart = 2
SectionEnd = 3
----------------------------------------


Re: WinBlueSoft

Post by Belahzur on Wed Jun 03, 2009 3:57 pm

Hmm, not sure why that didn't work.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    L:\RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com
    L:\autorun.inf

  • Return to OTMoveIt3, right-click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.





Re: WinBlueSoft

Post by Timothy on Wed Jun 03, 2009 4:04 pm

L:\RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com moved successfully.
File/Folder L:\autorun.inf not found.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 06032009_120339


Re: WinBlueSoft

Post by Belahzur on Wed Jun 03, 2009 4:09 pm

Hello.
I made a slight mistake on my old script, so use this next script in OTMoveIt.

:files
L:\autorun.inf.blocked





Re: WinBlueSoft

Post by Timothy on Wed Jun 03, 2009 4:11 pm

========== FILES ==========
L:\autorun.inf.blocked moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 06032009_121052


Re: WinBlueSoft

Post by Belahzur on Wed Jun 03, 2009 4:13 pm

We can remove OTMoveIt now.

  • Please double-click OTMoveIt3.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt, and do the same for the reboot prompt.
That should do it now.





Re: WinBlueSoft

Post by Timothy on Wed Jun 03, 2009 4:21 pm

Ok, done it. Any suggestions on preventing future problems of this kind?

You guys are amazing! Thank you very much.


Re: WinBlueSoft

Post by Belahzur on Wed Jun 03, 2009 4:22 pm

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.