WinBlueSoft - Infection

Post by rich p on 3rd June 2009, 5:23 pm

Hi,

My PC has been infected with the WinBlueSoft Trojan. I have uninstalled it, but it still persists.

I cannot open Windows Live OneCare or any of my hard drives. I have installed Malwarebytes & Spyware Doctor, but these programs will not open.

Your help would be greatly appreciated.

I have followed your instructions and here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:18:48, on 03/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\sfmgr\sfmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\RICHARD\Desktop\HiJack(GP)This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1a1ddc19-5893-43ab-a73f-f41a0f34d115} - C:\Program Files\Video ActiveX Object\isaddon.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Protection Bar - {5d4831e0-5a7c-4a46-afd5-a79ab8ce36c2} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &D&ownload &with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Search - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: &Windows Live Search - [You must be registered and logged in to see this link.] Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - [You must be registered and logged in to see this link.] Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.67,85.255.112.170
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.67,85.255.112.170
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.67,85.255.112.170
O20 - AppInit_DLLs: blocker.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: CaReTaKeR-CT NetMgr 1.2.1 (sfmgr) - Unknown owner - C:\sfmgr\sfmgr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 10373 bytes

Thanking you in advance

rich p
Novice

Posts : 11
Joined : 2009-06-03
OS : XP
Points : 27483
Likes : 0


Re: WinBlueSoft - Infection

Post by Belahzur on 3rd June 2009, 5:31 pm

I see that you are running BitComet.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If BitComet is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • BitComet
  • Java(TM) 6 Update 7

Let's start killing this stuff now.

  • Open HijackThis.
  • When HijackThis opens, click "Open the Misc Tools section".
  • Then select "Delete a file on reboot...".
  • Then find and select this file: C:\windows\system32\blocker.dll
  • Select okay and select yes to reboot.

After reboot, we need to clean a few things up in the normal HijackThis system scan.

  • Open HijackThis again.
  • Choose "Do a system scan only".
  • Check the boxes in front of these lines:

    O2 - BHO: (no name) - {1a1ddc19-5893-43ab-a73f-f41a0f34d115} - C:\Program Files\Video ActiveX Object\isaddon.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: Protection Bar - {5d4831e0-5a7c-4a46-afd5-a79ab8ce36c2} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - [You must be registered and logged in to see this link.]
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.67,85.255.112.170
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.67,85.255.112.170
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.67,85.255.112.170
    O20 - AppInit_DLLs: blocker.dll

  • Press "Fix Checked".
  • Close HijackThis.

Let me know once you've done that.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
Likes : 1

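Belahzur's fix list above comes from reading the log by eye. As an added example that is not from the post or from HijackThis itself, the Python below encodes the same triage rules (an O17 NameServer override pointing at resolvers the owner does not use, a non-empty O20 AppInit_DLLs, O2/O3 browser add-ons whose file is gone, an O16 ActiveX object with no name) and runs them over a constructed excerpt of the posted log; the EXPECTED_RESOLVERS ranges are an assumption standing in for the owner's real DNS servers.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed excerpt modelled on the HijackThis log in the first post: the
# suspicious entries Belahzur asked to fix, plus benign lines for contrast.
# URL placeholders are kept exactly as the forum rendered them.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O2 - BHO: (no name) - {1a1ddc19-5893-43ab-a73f-f41a0f34d115} - C:\\Program Files\\Video ActiveX Object\\isaddon.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Protection Bar - {5d4831e0-5a7c-4a46-afd5-a79ab8ce36c2} - C:\\Program Files\\Video ActiveX Object\\iesplugin.dll (file missing)
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - [You must be registered and logged in to see this link.]
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.112.67,85.255.112.170
O20 - AppInit_DLLs: blocker.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# Assumption for this example: the resolvers this PC is expected to use are
# the home-router / ISP ranges below. Anything else written into a NameServer
# override is treated as a DNS hijack until proven otherwise.
EXPECTED_RESOLVERS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    code: str    # HijackThis section, e.g. "O17"
    reason: str  # why the line deserves attention
    line: str    # the offending log line, verbatim


def _unexpected_resolvers(value: str) -> list:
    """Return the NameServer entries that fall outside EXPECTED_RESOLVERS."""
    bad = []
    for tok in value.split(","):
        tok = tok.strip()
        try:
            addr = ip_address(tok)
        except ValueError:
            bad.append(tok)          # not even an IP: definitely worth a look
            continue
        if not any(addr in net for net in EXPECTED_RESOLVERS):
            bad.append(tok)
    return bad


def check_line(line: str):
    """Apply the triage rules to one HijackThis line; None means nothing to flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    # O2 (BHOs) and O3 (toolbars) whose backing file is gone: orphaned
    # registrations left behind by a removed or half-uninstalled component.
    if code in ("O2", "O3") and ("(file missing)" in body or "(no file)" in body):
        return Finding(code, "browser add-on registered but its file is gone", line)

    # O16: downloaded ActiveX objects. HijackThis prints the control's name in
    # parentheses after the CLSID; an entry with no name is an unknown control.
    if code == "O16" and not re.match(r"DPF: \{[^}]+\}\s*\(", body):
        return Finding(code, "unnamed ActiveX download object; identify the CLSID", line)

    # O17: per-interface DNS servers written into the TCP/IP parameters.
    if code == "O17":
        m2 = re.search(r"NameServer = (.+)$", body)
        bad = _unexpected_resolvers(m2.group(1)) if m2 else []
        if bad:
            return Finding(code, "DNS NameServer override points at unexpected resolvers: "
                           + ", ".join(bad), line)

    # O20: AppInit_DLLs is loaded into every process that links user32.dll,
    # so any non-empty value here is a system-wide injection point.
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        dll = body.split(":", 1)[1].strip()
        if dll:
            return Finding(code, f"AppInit_DLLs injects {dll} into every GUI process", line)

    return None


def analyze(log_text: str) -> list:
    """Run check_line over a whole HijackThis log and collect the findings."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

On the excerpt this flags exactly the O2, O3, O16, O17 and O20 lines Belahzur checked, and leaves the Acrobat BHO, the NVIDIA entries and the named Windows Update control alone.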

Re: WinBlueSoft - Infection

Post by rich p on 3rd June 2009, 5:59 pm

Hi Belahzur,

Thank you for the prompt response and for the help so far.

I have done as you have requested.

I have uninstalled BitComet and Java Update 6 to 7.

I await further instruction.


Re: WinBlueSoft - Infection

Post by Belahzur on 3rd June 2009, 6:00 pm

  • Download ComboFix from here:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (anti-virus) before running ComboFix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV (Windows OneCare).
  • Double-click on ComboFix.exe.
  • Follow the prompts.
  • NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.**
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Re: WinBlueSoft - Infection

Post by rich p on 3rd June 2009, 6:25 pm

Hi, I have turned off both the Windows Live OneCare firewall & antivirus.
I downloaded ComboFix and installed it, but it won't run?

I downloaded it again, but it says I cannot rename combofix to combofix(2).

I might've done something dumb without realising?


Re: WinBlueSoft - Infection

Post by Belahzur on 3rd June 2009, 6:27 pm

Hello.
Delete your copy of Combofix you have right now.

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.



Re: WinBlueSoft - Infection

Post by rich p on 3rd June 2009, 10:55 pm

Hi,

Here is the log (in 3 parts):

PART 1

ComboFix 09-06-01.03 - RICHARD 03/06/2009 23:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.768.423 [GMT 1:00]
Running from: c:\documents and settings\RICHARD\My Documents\Combo-Fix.exe
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\0142B9FB.urr
c:\program files\INSTALL.LOG
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\video activex object
C:\setup.exe


Re: WinBlueSoft - Infection

Post by rich p on 3rd June 2009, 10:59 pm

PART 2

c:\windows\system32\2z52th9ef165.dll
c:\windows\system32\2z615hackto9l5c5.bin
c:\windows\system32\2z89ir5959.ocx
c:\windows\system32\2z932spambot593.ocx
c:\windows\system32\30359worm5z09.exe
c:\windows\system32\3050zwor5c9.ocx
c:\windows\system32\310eszy9are4415.exe
c:\windows\system32\3146d5wnlzader1093.cpl
c:\windows\system32\31554zpy69a.exe
c:\windows\system32\31555hackto9l47z.dll
c:\windows\system32\31655w9zm6995.cpl
c:\windows\system32\316729py5dz.dll
c:\windows\system32\31719trzj452.cpl
c:\windows\system32\3190795y7z.bin
c:\windows\system32\319ezhie9405.ocx
c:\windows\system32\31z9t5ie92169.ocx
c:\windows\system32\325959oj5z1.exe
c:\windows\system32\334ethzef29535.bin
c:\windows\system32\342troj95fz.bin
c:\windows\system32\343zsteal945.ocx
c:\windows\system32\34z5ir21169.cpl
c:\windows\system32\34zfd9wn5oader2394.dll
c:\windows\system32\3505spywar53z59.dll
c:\windows\system32\3512back9oorz987.cpl
c:\windows\system32\35534not-a9virus59dz.bin
c:\windows\system32\3565thre5t90277z.dll
c:\windows\system32\35a9spyw5rez427.cpl
c:\windows\system32\37d79dd5are17z9.exe
c:\windows\system32\38z3vir14569.dll
c:\windows\system32\3967adz5are329.ocx
c:\windows\system32\39b1sparse3z055.exe
c:\windows\system32\39f29ddzar51449.cpl
c:\windows\system32\3a589pywarz2274.exe
c:\windows\system32\3a9dadzw5re2223.bin
c:\windows\system32\3b96addwar524z0.bin
c:\windows\system32\3c86baz5doo933.ocx
c:\windows\system32\3d31a95ware79z.dll
c:\windows\system32\3d859irz372.bin
c:\windows\system32\3d9tzreat19045.ocx
c:\windows\system32\3deczown9o5der2050.exe
c:\windows\system32\3f94zpa5se2422.dll
c:\windows\system32\3z2fthie520729.ocx
c:\windows\system32\3z74s5eal1492.exe
c:\windows\system32\3z92spywa5e214.dll
c:\windows\system32\407595zm614.cpl
c:\windows\system32\4239virz510f.dll
c:\windows\system32\42z1vi9563.cpl
c:\windows\system32\4301th9ea53z395.cpl
c:\windows\system32\432w9z52c1.dll
c:\windows\system32\449zbackdo9r2915.bin
c:\windows\system32\4515add9arz423.exe
c:\windows\system32\459b9zar5e2528.ocx
c:\windows\system32\46ecsteaz29549.dll
c:\windows\system32\46f55py9arz2229.ocx
c:\windows\system32\4731n5t-a-9irusz87.bin
c:\windows\system32\47959ir5z59.dll
c:\windows\system32\47f8baz5do9r2239.exe
c:\windows\system32\48azspyware55499.dll
c:\windows\system32\49059parsez72.cpl
c:\windows\system32\49105zrm92d.dll
c:\windows\system32\494cvir2z125.bin
c:\windows\system32\495zirus87.cpl
c:\windows\system32\49c6d5znload9r1626.cpl
c:\windows\system32\49cdsteal188z5.bin
c:\windows\system32\4b59st5zl2931.dll
c:\windows\system32\4b7threaz255719.exe
c:\windows\system32\4b9fthief35z4.exe
c:\windows\system32\4bzfs59rse729.cpl
c:\windows\system32\4c1b5pywaze9978.ocx
c:\windows\system32\4d99zhreat17576.dll
c:\windows\system32\4e9threat1580z5.ocx
c:\windows\system32\4ec5a9dwarez57.dll
c:\windows\system32\50546not-a-viz9s541.cpl
c:\windows\system32\5069spambot58dz.bin
c:\windows\system32\50c9thzef2572.ocx
c:\windows\system32\50f4s9zware971.exe
c:\windows\system32\51253spam9oz392.cpl
c:\windows\system32\5130backdz5r899.ocx
c:\windows\system32\51522v9rus2zc.ocx
c:\windows\system32\52465woz95a8.cpl
c:\windows\system32\539zs95mbotd4.dll
c:\windows\system32\548a9hiefz590.bin
c:\windows\system32\5493steaz1593.bin
c:\windows\system32\549espy5are96z.exe
c:\windows\system32\551aaddwa9e23z15.cpl
c:\windows\system32\552worz960.ocx
c:\windows\system32\5554vir9762z.bin
c:\windows\system32\560189iruz559.ocx
c:\windows\system32\56019zy3c8.dll
c:\windows\system32\56e3vir215z9.cpl
c:\windows\system32\56e9addware2z90.bin
c:\windows\system32\570spyw9re1z39.exe
c:\windows\system32\5728zot-a-9irus51.bin
c:\windows\system32\57549parsz3232.cpl
c:\windows\system32\57z599pambot578.bin
c:\windows\system32\582zspy509.cpl
c:\windows\system32\58899p55cz.bin
c:\windows\system32\5893vizus5b9.bin
c:\windows\system32\58977t9zj29b.ocx
c:\windows\system32\58b6szarse1769.bin
c:\windows\system32\5919steaz4999.bin
c:\windows\system32\595dspywa95z555.ocx
c:\windows\system32\5962v5z1714.cpl
c:\windows\system32\5967thizf1756.exe
c:\windows\system32\5970spyware15z95.ocx
c:\windows\system32\59desparse27z7.dll
c:\windows\system32\59z9t5oj6e2.ocx
c:\windows\system32\5a419pyzare2354.ocx
c:\windows\system32\5b8e9zre5t9835.exe
c:\windows\system32\5ccazddwa9e2876.exe
c:\windows\system32\5dbfs5ezl195.exe
c:\windows\system32\5e51s5ywz9e54.exe
c:\windows\system32\5e98thre5z24609.exe
c:\windows\system32\5z64spy259.cpl
c:\windows\system32\5z6cth5ea92144.bin
c:\windows\system32\5z999tro9430.cpl
c:\windows\system32\605z95ief1433.ocx
c:\windows\system32\6075st9al2z37.ocx
c:\windows\system32\6185ha9ktool72fz.ocx
c:\windows\system32\651eaddwzre9366.dll
c:\windows\system32\652zsp5mbot9b0.exe
c:\windows\system32\657daddwarez6769.ocx
c:\windows\system32\66dddownlo5dez2139.ocx
c:\windows\system32\67e6zpywa9e1154.dll
c:\windows\system32\6838bazkdoor13925.bin
c:\windows\system32\683az5re9t2099.cpl
c:\windows\system32\686adownlo5der9z2.dll
c:\windows\system32\6879s9zmbot2d15.bin
c:\windows\system32\68b4d5wnlo9dez2971.dll
c:\windows\system32\6901viru5z.exe
c:\windows\system32\6982zirus5649.exe
c:\windows\system32\6a55thief9z98.exe
c:\windows\system32\6a93adzw9re3955.dll
c:\windows\system32\6ad59hreaz161085.bin
c:\windows\system32\6c9dbazkdoor5219.dll
c:\windows\system32\6f9cvzr3590.ocx
c:\windows\system32\6z33thr5a916883.dll
c:\windows\system32\71509iruz53.bin
c:\windows\system32\7261sz9mbot567.dll
c:\windows\system32\72f5szywa5e1799.bin
c:\windows\system32\7385th5ez1958.bin
c:\windows\system32\7509sparsz2483.bin
c:\windows\system32\759esparsez3499.cpl
c:\windows\system32\75e5thizf2498.dll
c:\windows\system32\75e5zhief14695.exe
c:\windows\system32\75zfth59f3060.cpl
c:\windows\system32\7695vir2145z.exe
c:\windows\system32\772dbaczdoor9915.ocx
c:\windows\system32\77f59ac5dooz2500.exe
c:\windows\system32\7854spazse559.ocx
c:\windows\system32\78bv9r310z5.dll
c:\windows\system32\7933v5r24z8.ocx
c:\windows\system32\79425ownloaderz419.bin
c:\windows\system32\799badd9ar58z3.cpl
c:\windows\system32\79dbvirz550.exe
c:\windows\system32\7a97sp9waz5962.bin
c:\windows\system32\7cd6downlozder3957.bin
c:\windows\system32\7d57threz99207.dll
c:\windows\system32\7dfdspy9arz5526.cpl
c:\windows\system32\7f5dazdware5499.exe
c:\windows\system32\7f5dzh5e9604.cpl
c:\windows\system32\7fastz5l7699.cpl
c:\windows\system32\7z9e95yware562.bin
c:\windows\system32\8179spamb9z159.cpl
c:\windows\system32\857zparse976.ocx
c:\windows\system32\8605wo9m3zf.dll
c:\windows\system32\8607spz259.exe
c:\windows\system32\90509zorm55a.ocx


Re: WinBlueSoft - Infection

Post by rich p on 3rd June 2009, 11:01 pm

PART 3


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-08-04 04:54 . 2009-08-04 04:54 5619 ----a-w- c:\windows\system32\2z4439py5.dll
2009-06-03 22:15 . 2009-06-03 22:15 361472 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{995E55E8-E724-4913-5D35-F2FDBFD1C3FE}-tempo-setup2.exe
2009-06-03 22:15 . 2009-06-03 22:15 361472 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{F267AA9E-64C6-7D0F-5356-FBDE2CC7A2CD}-tempo-setup2.exe
2009-06-03 17:44 . 2009-06-03 18:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-03 17:07 . 2009-06-03 17:07 -------- d-----w- c:\program files\Trend Micro
2009-06-03 16:52 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 16:52 . 2009-06-03 16:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-03 16:52 . 2009-06-03 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-03 16:52 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-03 16:41 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-03 16:40 . 2009-03-06 15:45 130424 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-03 16:40 . 2008-12-18 11:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-03 16:40 . 2009-06-03 16:41 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-03 16:40 . 2008-12-10 11:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-03 16:40 . 2009-06-03 17:44 -------- d-----w- c:\program files\Spyware Doctor
2009-06-03 16:40 . 2009-06-03 16:40 -------- d-----w- c:\documents and settings\RICHARD\Application Data\PC Tools
2009-06-03 16:40 . 2009-06-03 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-02 23:41 . 2009-06-02 23:41 -------- d-----w- c:\program files\PlayAllDVD
2009-06-02 23:37 . 2009-06-02 23:37 -------- d-----w- c:\program files\WinBlueSoft Software
2009-06-02 18:20 . 2009-06-02 18:20 -------- d-----w- c:\documents and settings\RICHARD\Application Data\UseNeXT
2009-06-02 18:20 . 2009-06-02 18:20 -------- d-----w- c:\program files\UseNeXT
2009-06-01 23:06 . 2009-06-01 23:07 -------- d-----w- c:\documents and settings\RICHARD\Application Data\TigerPlayer
2009-06-01 23:05 . 2009-06-01 23:05 -------- d-----w- c:\program files\MpcStar
2009-05-31 21:42 . 2009-05-31 21:42 390664 ----a-w- c:\documents and settings\RICHARD\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-29 03:35 . 2008-11-05 09:14 1048576 ----a-w- c:\documents and settings\RICHARD\Application Data\Mozilla\Firefox\Profiles\c5kqd84s.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}-trash\components\IBitCometExtension.dll
2009-05-27 16:37 . 2009-05-27 16:37 -------- d-----w- c:\program files\DivxFree
2009-05-23 12:04 . 2009-05-23 12:04 -------- d-----w- c:\program files\UltraVideo
2009-05-20 14:44 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-05-20 14:44 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-05-20 14:44 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-05-20 14:44 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-05-20 14:44 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-20 14:44 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-20 14:44 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-20 14:44 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-05-20 14:44 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-05-20 14:42 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-05-20 14:42 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-05-20 14:40 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-05-20 14:40 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-05-20 14:40 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-05-20 14:40 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys


Re: WinBlueSoft - Infection

Post by rich p on 3rd June 2009, 11:02 pm

PART 4

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 17:57 . 2007-07-17 17:52 -------- d-----w- c:\program files\Java
2009-06-03 17:34 . 2006-10-14 15:14 -------- d-----w- c:\program files\BitComet
2009-06-02 17:33 . 2007-09-16 16:44 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-05-27 22:38 . 2006-09-23 16:57 -------- d-----w- c:\program files\Windows Media Connect 2
2009-05-26 22:52 . 2008-09-23 18:24 -------- d-----w- c:\program files\Nokia
2009-05-25 19:20 . 2006-09-13 17:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-03-06 14:22 . 2002-08-29 20:00 284160 ----a-w- c:\windows\system32\pdh.dll
2009-03-05 23:39 . 2009-03-05 23:39 3483 ----a-w- c:\windows\18557notza-vi9usc.bin
2003-12-19 19:36 . 2006-09-23 17:05 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 331776]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-01 185896]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-15 1818624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-9-23 155648]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\backburner\\server.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9879:TCP"= 9879:TCP:BitComet 9879 TCP
"9879:UDP"= 9879:UDP:BitComet 9879 UDP

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [23/09/2006 18:09 9344]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [03/06/2009 17:40 130424]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [22/03/2009 10:59 24936]
R2 sfmgr;CaReTaKeR-CT NetMgr 1.2.1;c:\sfmgr\sfmgr.exe [15/03/2007 13:16 171008]
S3 krdpdre;krdpdre;\??\c:\docume~1\RICHARD\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\RICHARD\LOCALS~1\Temp\krdpdre.sys [?]
S3 ni_avs;ni_avs;c:\windows\system32\Drivers\ni_avs.sys --> c:\windows\system32\Drivers\ni_avs.sys [?]
S3 ni_usb;ni_usb;c:\windows\system32\Drivers\ni_usb.sys --> c:\windows\system32\Drivers\ni_usb.sys [?]
S3 USB22LDR;M-Audio USB MIDISPORT 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys [03/04/2008 20:45 20936]
.
Contents of the 'Scheduled Tasks' folder

2009-06-03 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Search - [You must be registered and logged in to see this link.]
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\RICHARD\Application Data\Mozilla\Firefox\Profiles\c5kqd84s.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\RICHARD\Application Data\Mozilla\Firefox\Profiles\c5kqd84s.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-03 23:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-725345543-910916986-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3c,9c,6c,23,db,93,6c,2e,e2,51,78,77,2a,83,44,ea,ac,a2,8d,7a,5c,d2,9b,
d3,4c,fe,7c,18,bb,af,e8,59,c4,98,ca,57,50,a5,ea,eb,97,d2,f8,b2,09,8c,85,b4,\
"??"=hex:d5,b6,d8,0c,d2,ce,a5,b1,06,09,a9,bf,cb,2d,2a,b8
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-03 23:45
ComboFix-quarantined-files.txt 2009-06-03 22:44

Pre-Run: 1,079,619,584 bytes free
Post-Run: 1,551,650,816 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

944 --- E O F --- 2009-05-21 18:25

Sorry...ended up being 4 parts (too big otherwise).


Re: WinBlueSoft - Infection

Post by Belahzur on 4th June 2009, 12:21 am

Hello.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
krdpdre

File::
c:\windows\system32\2z4439py5.dll
c:\windows\18557notza-vi9usc.bin

Folder::
c:\program files\BitComet

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9879:TCP"=-
"9879:UDP"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


Re: WinBlueSoft - Infection

Post by rich p on 4th June 2009, 6:31 pm

As requested,

PART 1

ComboFix 09-06-01.03 - RICHARD 04/06/2009 19:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.768.274 [GMT 1:00]
Running from: c:\documents and settings\RICHARD\My Documents\Combo-Fix.exe
Command switches used :: c:\documents and settings\RICHARD\Desktop\CFScript.txt
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
* Created a new restore point

FILE ::
"c:\windows\18557notza-vi9usc.bin"
"c:\windows\system32\2z4439py5.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\BitComet
c:\program files\BitComet\Torrents\Frost Nixon[2008]DvDrip[Eng]-FXG.torrent
c:\program files\BitComet\Torrents\Frozen.River.2008.LiMiTED.DVDRip.XviD-iFN.torrent
c:\program files\BitComet\Torrents\Gomorrah.2008.DVDRip.XviD.AC3-iAPULA.[[You must be registered and logged in to see this link.]
c:\program files\BitComet\Torrents\Gomorrah.2008.DVDRip.XviD.AC3-iAPULA.[[You must be registered and logged in to see this link.]
c:\program files\BitComet\Torrents\I.Love.You,.Man!2009.torrent
c:\program files\BitComet\Torrents\I.Love.You,.Man!2009.xml
c:\program files\BitComet\Torrents\Lesbian.Triangles.13.[English].XXX.DVDRiP.XviD-[[You must be registered and logged in to see this link.]
c:\program files\BitComet\Torrents\license.exe.xml
c:\program files\BitComet\Torrents\Madagascar-Escape.2.Africa[2008]DvDrip-aXXo.torrent
c:\program files\BitComet\Torrents\Madagascar-Escape.2.Africa[2008]DvDrip-aXXo.xml
c:\program files\BitComet\Torrents\Milk.DVDRip.XviD-DiAMOND[SpaEstrenos].torrent
c:\program files\BitComet\Torrents\Milk.DVDRip.XviD-DiAMOND[SpaEstrenos].xml
c:\program files\BitComet\Torrents\Monsters.vs.Aliens.torrent
c:\program files\BitComet\Torrents\Monsters.vs.Aliens.xml
c:\program files\BitComet\Torrents\mpcstar_3.8_setup.exe.torrent
c:\program files\BitComet\Torrents\mpcstar_3.8_setup.exe.xml
c:\program files\BitComet\Torrents\P2.torrent
c:\program files\BitComet\Torrents\Private British MILFs XXX [DVDRip][English][[You must be registered and logged in to see this link.]
c:\program files\BitComet\Torrents\Private British MILFs XXX [DVDRip][English][[You must be registered and logged in to see this link.]
c:\program files\BitComet\Torrents\Revolutionary Road[2008]DvDrip[Eng]-FXG.torrent
c:\program files\BitComet\Torrents\Revolutionary Road[2008]DvDrip[Eng]-FXG.xml
c:\program files\BitComet\Torrents\Slumdog.Millionaire.DVDSCR.XViD-GENUiNE.torrent
c:\program files\BitComet\Torrents\State.of.Play!.2009.torrent
c:\program files\BitComet\Torrents\State.of.Play!.2009.xml
c:\program files\BitComet\Torrents\State.of.Play.2009.CAM.DivX-LTT.torrent
c:\program files\BitComet\Torrents\State.of.Play.2009.CAM.DivX-LTT.xml
c:\program files\BitComet\Torrents\The Chronicles of Narnia - DVDRIP.XVID.AC3.DragonRipper624.torrent
c:\program files\BitComet\Torrents\The Chronicles of Narnia - DVDRIP.XVID.AC3.DragonRipper624.xml
c:\program files\BitComet\Torrents\The Chronicles of Narnia_The Lion, the Witch and the Wardrobe 2005 H264 DVDRip 5.1ch (Extended Edition).torrent
c:\program files\BitComet\Torrents\The International[2009]DvDrip[Eng]-FXG.torrent
c:\program files\BitComet\Torrents\The International[2009]DvDrip[Eng]-FXG.xml
c:\program files\BitComet\Torrents\The Wrestler.2009.DVDSCR VOSTFR Xvid -Guiks.Trackersurfer.avi.torrent
c:\program files\BitComet\Torrents\The.Chronicles.Of.Narnia-The.Lion.the.Witch.and.the.Wardrobe[2005]DvDrip[Eng]-aXXo.torrent
c:\program files\BitComet\Torrents\The.Chronicles.Of.Narnia.The.Lion.The.Witch.And.The.Wardrobe.DVDRip.XviD.SweSub-Pitbull.avi.torrent
c:\program files\BitComet\Torrents\The.Chronicles.Of.Narnia.The.Lion.The.Witch.And.The.Wardrobe.DVDRip.XviD.SweSub-Pitbull.avi.xml
c:\program files\BitComet\Torrents\The.Wrestler[2008]DvDrip-MAX.torrent
c:\program files\BitComet\Torrents\The.Wrestler[2008]DvDrip-MAX.xml
c:\program files\BitComet\Torrents\UP.DvDRiP(2009).torrent
c:\program files\BitComet\Torrents\UP.DvDRiP(2009).xml
c:\program files\BitComet\Torrents\X-Men.Origins.Wolverine.2009.WORKPRINT.XviD-NoGRP.torrent
c:\program files\BitComet\Torrents\X-Men.Origins.Wolverine.2009.WORKPRINT.XviD-NoGRP.xml
c:\windows\18557notza-vi9usc.bin
c:\windows\system32\2z4439py5.dll

rich p
Novice

Posts : 11
Joined : 2009-06-03
OS : XP
Points : 27483
# Likes : 0

Re: WinBlueSoft - Infection

Post by rich p on 4th June 2009, 6:31 pm

PART 2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KRDPDRE
-------\Service_krdpdre


((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 )))))))))))))))))))))))))))))))
.

2009-06-03 22:15 . 2009-06-03 22:15 361472 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{995E55E8-E724-4913-5D35-F2FDBFD1C3FE}-tempo-setup2.exe
2009-06-03 22:15 . 2009-06-03 22:15 361472 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{F267AA9E-64C6-7D0F-5356-FBDE2CC7A2CD}-tempo-setup2.exe
2009-06-03 17:44 . 2009-06-04 18:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-03 17:07 . 2009-06-03 17:07 -------- d-----w- c:\program files\Trend Micro
2009-06-03 16:52 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 16:52 . 2009-06-03 16:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-03 16:52 . 2009-06-03 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-03 16:52 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-03 16:41 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-03 16:40 . 2009-03-06 15:45 130424 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-03 16:40 . 2008-12-18 11:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-03 16:40 . 2009-06-03 16:41 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-03 16:40 . 2008-12-10 11:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-03 16:40 . 2009-06-03 17:44 -------- d-----w- c:\program files\Spyware Doctor
2009-06-03 16:40 . 2009-06-03 16:40 -------- d-----w- c:\documents and settings\RICHARD\Application Data\PC Tools
2009-06-03 16:40 . 2009-06-03 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-02 23:41 . 2009-06-02 23:41 -------- d-----w- c:\program files\PlayAllDVD
2009-06-02 23:37 . 2009-06-02 23:37 -------- d-----w- c:\program files\WinBlueSoft Software
2009-06-02 18:20 . 2009-06-02 18:20 -------- d-----w- c:\documents and settings\RICHARD\Application Data\UseNeXT
2009-06-02 18:20 . 2009-06-02 18:20 -------- d-----w- c:\program files\UseNeXT
2009-06-01 23:06 . 2009-06-01 23:07 -------- d-----w- c:\documents and settings\RICHARD\Application Data\TigerPlayer
2009-06-01 23:05 . 2009-06-01 23:05 -------- d-----w- c:\program files\MpcStar
2009-05-31 21:42 . 2009-05-31 21:42 390664 ----a-w- c:\documents and settings\RICHARD\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-29 03:35 . 2008-11-05 09:14 1048576 ----a-w- c:\documents and settings\RICHARD\Application Data\Mozilla\Firefox\Profiles\c5kqd84s.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}-trash\components\IBitCometExtension.dll
2009-05-27 16:37 . 2009-05-27 16:37 -------- d-----w- c:\program files\DivxFree
2009-05-23 12:04 . 2009-05-23 12:04 -------- d-----w- c:\program files\UltraVideo
2009-05-20 14:44 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-05-20 14:44 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-05-20 14:44 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-05-20 14:44 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-05-20 14:44 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-20 14:44 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-20 14:44 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-20 14:44 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-05-20 14:44 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-05-20 14:42 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-05-20 14:42 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-05-20 14:40 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-05-20 14:40 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-05-20 14:40 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-05-20 14:40 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 18:09 . 2007-09-16 16:44 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-06-03 17:57 . 2007-07-17 17:52 -------- d-----w- c:\program files\Java
2009-05-27 22:38 . 2006-09-23 16:57 -------- d-----w- c:\program files\Windows Media Connect 2
2009-05-26 22:52 . 2008-09-23 18:24 -------- d-----w- c:\program files\Nokia
2009-05-25 19:20 . 2006-09-13 17:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2003-12-19 19:36 . 2006-09-23 17:05 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-04 18:25 . 2009-06-04 18:25 16384 c:\windows\Temp\Perflib_Perfdata_d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 331776]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-01 185896]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-15 1818624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-9-23 155648]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\backburner\\server.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [23/09/2006 18:09 9344]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [03/06/2009 17:40 130424]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [22/03/2009 10:59 24936]
R2 sfmgr;CaReTaKeR-CT NetMgr 1.2.1;c:\sfmgr\sfmgr.exe [15/03/2007 13:16 171008]
S3 ni_avs;ni_avs;c:\windows\system32\Drivers\ni_avs.sys --> c:\windows\system32\Drivers\ni_avs.sys [?]
S3 ni_usb;ni_usb;c:\windows\system32\Drivers\ni_usb.sys --> c:\windows\system32\Drivers\ni_usb.sys [?]
S3 USB22LDR;M-Audio USB MIDISPORT 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys [03/04/2008 20:45 20936]
.
Contents of the 'Scheduled Tasks' folder

2009-06-04 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Search - [You must be registered and logged in to see this link.]
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\RICHARD\Application Data\Mozilla\Firefox\Profiles\c5kqd84s.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\RICHARD\Application Data\Mozilla\Firefox\Profiles\c5kqd84s.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-04 19:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-725345543-910916986-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3c,9c,6c,23,db,93,6c,2e,e2,51,78,77,2a,83,44,ea,ac,a2,8d,7a,5c,d2,9b,
d3,4c,fe,7c,18,bb,af,e8,59,c4,98,ca,57,50,a5,ea,eb,97,d2,f8,b2,09,8c,85,b4,\
"??"=hex:d5,b6,d8,0c,d2,ce,a5,b1,06,09,a9,bf,cb,2d,2a,b8
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3344)
c:\windows\system32\ctagent.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\windows\system32\DVDRAMSV.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\searchprotocolhost.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-06-04 19:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-04 18:28
ComboFix2.txt 2009-06-03 22:45

Pre-Run: 1,525,243,904 bytes free
Post-Run: 1,425,149,952 bytes free

327 --- E O F --- 2009-05-21 18:25

Re: WinBlueSoft - Infection

Post by Belahzur on 4th June 2009, 7:15 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O8 - Extra context menu item: &Search - [You must be registered and logged in to see this link.]


  • Press "Fix Checked"
  • Close Hijack This.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


Please PM me if I fail to respond within 24hrs.


Re: WinBlueSoft - Infection

Post by rich p on 4th June 2009, 11:23 pm

Hi,

I have done as you have requested and I now have access to my computer & drives again. Thank you, I really appreciate your time doing this.

Two things:

1. I still have the WinBlueSoft Warning as my wallpaper.

2. I am getting error messages when I try to open the MalwareBytes software: run time error (0) & run time error (440).

Am I malware and virus free, or are there other steps I need to take?

Lastly, I thought Windows Live Onecare was powerful enough to stop intrusions like this?

Once again thanks for helping out.

Re: WinBlueSoft - Infection

Post by Belahzur on 5th June 2009, 12:34 am

Hello.
The desktop background just needs changing back to default; it's just a setting that wasn't removed.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • MalwareBytes Anti-Malware

Then reboot!

After reboot, download the MBAM Cleaner from [You must be registered and logged in to see this link.].

Allow it to work and it will want to reboot again, allow it to.

Then try installing MBAM again.




Re: WinBlueSoft - Infection

Post by rich p on 6th June 2009, 8:12 pm

Hey Belahzur,

My PC is now back to its previous state (if not better, given what has been removed malware-wise).

Thank you very much.

I will be making a donation to you guys for all your help.

Cheers
