WinBlueSoft Victim


WinBlueSoft Victim

Post by dpackham on Wed Jun 03, 2009 11:02 pm

System infected with WinBlueSoft.
Must boot in safe mode to get anything to run.
Attempted the removal guide on this site but could not get the Malwarebytes program to execute.
HijackThis log listing is included below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:54 PM, on 6/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SVRemote] c:\Program Files\SVRemote\USB20Remote.exe
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR3\WinRemote.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Do&wnload by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - [You must be registered and logged in to see this link.]
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {62AEFF80-16AD-4AC4-B812-E70EB5F37301} (Zenfolio Uploader) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: blocker.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SAVRoam - symantec - C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (providercomcast) (tgsrvc_providercomcast) - SupportSoft, Inc. - C:\Program Files\providerComcast\bin\tgsrvc.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 11132 bytes


Re: WinBlueSoft Victim

Post by Belahzur on Thu Jun 04, 2009 12:20 am

Hello.

  • Open HijackThis.
  • When HijackThis opens, click "Open the Misc Tools section".
  • Then select "Delete a file on reboot...".
  • Then find and select this file: C:\windows\system32\blocker.dll
  • Select OK and select Yes to reboot.

Then after reboot, we need to tidy up a bit.

  • Open HijackThis again.
  • Choose "Do a system scan only".
  • Check the boxes in front of these lines:

    O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - [You must be registered and logged in to see this link.]
    O20 - AppInit_DLLs: blocker.dll

  • Press "Fix Checked".
  • Close HijackThis.

Let me know once that is done.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
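The entries Belahzur picks out above (the WinBlueSoft Run key, an unknown executable dropped into system32, and a DLL in AppInit_DLLs) are the classic signs of this rogue-AV family. The script below is an added example, not part of the thread and not HijackThis code: it parses O4 and O20 lines in the HijackThis v2 log format and applies a small triage policy. The rogue-name list, the allowlist of stock XP autostarts and the severity labels are my own assumptions, and the sample log is constructed from lines quoted in this thread.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v2 log format, built from entries quoted in
# this thread; it is not a fresh scan of any machine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: blocker.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

# Assumed triage policy (my choice for this example, not HijackThis logic).
ROGUE_NAMES = ("winbluesoft",)  # rogue-AV family named in this thread
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Stock XP autostarts that legitimately live in the system directory
# (ctfmon is the text-services loader; dumprep is the error-reporting stub).
KNOWN_SYSTEM_BINARIES = {"ctfmon.exe", "dumprep", "dumprep.exe"}

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
EXT_RE = re.compile(r"^(.+?\.(?:exe|dll|cpl|scr|com|bat))(?=\s|$)", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    name: str
    path: str
    severity: str
    reason: str


def image_path(command: str) -> str:
    """Extract the executable path from an O4 command line.

    Quoted paths are taken verbatim; unquoted ones are cut at the first executable
    extension (HijackThis prints unquoted paths containing spaces); otherwise the
    first whitespace token is used. %systemroot% is expanded to C:\\WINDOWS.
    """
    command = command.strip()
    if command.startswith('"'):
        path = command[1:command.index('"', 1)]
    else:
        m = EXT_RE.match(command)
        path = m.group(1) if m else command.split()[0]
    return re.sub(r"%systemroot%", lambda _: r"C:\WINDOWS", path, flags=re.IGNORECASE)


def triage(log_text: str) -> list[Finding]:
    """Flag AppInit_DLLs entries and suspicious Run-key autostarts."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = O20_RE.match(line)
        if m and m.group(1).strip():
            value = m.group(1).strip()
            # AppInit_DLLs is loaded into every process that maps user32.dll;
            # on a home XP box it is normally empty.
            findings.append(Finding("O20", value, value, "high",
                                    "AppInit_DLLs injection into every GUI process"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        hive, key, name, command = m.groups()
        path = image_path(command)
        low = path.lower()
        if any(r in name.lower() or r in low for r in ROGUE_NAMES):
            findings.append(Finding("O4", name, path, "high",
                                    f"{hive}\\..\\{key} entry for known rogue AV"))
        elif ntpath.dirname(low) in SYSTEM_DIRS and ntpath.basename(low) not in KNOWN_SYSTEM_BINARIES:
            findings.append(Finding("O4", name, path, "medium",
                                    f"unrecognised binary in {ntpath.dirname(path)} ({hive}\\..\\{key})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section} {f.name}: {f.path}  # {f.reason}")
```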



Re: WinBlueSoft Victim

Post by dpackham on Thu Jun 04, 2009 12:50 am

OK, got that done.


Re: WinBlueSoft Victim

Post by Belahzur on Thu Jun 04, 2009 12:55 am


  • Download ComboFix from here:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename ComboFix to Combo-Fix as follows:

    3. It is important you rename ComboFix during the download, but not after.
    4. Please do not rename ComboFix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (anti-virus) before running ComboFix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV (Symantec).
  • Double-click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.





Re: WinBlueSoft Victim

Post by dpackham on Thu Jun 04, 2009 1:39 am

ComboFix 09-06-03.02 - Dave 06/04/2009 21:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2538 [GMT -7:00]
Running from: c:\documents and settings\Dave\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.



Re: WinBlueSoft Victim

Post by dpackham on Thu Jun 04, 2009 1:42 am

(cont.)

c:\windows\system32\5972s9y3ffz.exe
c:\windows\system32\5997noz-a-9irus79e.exe
c:\windows\system32\5999bazkdoo52786.ocx
c:\windows\system32\599e9zie51121.dll
c:\windows\system32\59azback5oor1750.dll
c:\windows\system32\59fthreat18z94.bin
c:\windows\system32\59z21troj3e9.cpl
c:\windows\system32\59z8virus529.exe
c:\windows\system32\5az6a5dwar92804.cpl
c:\windows\system32\5b5espyw9rez49.ocx
c:\windows\system32\5bbszywa9e2214.ocx
c:\windows\system32\5bc9steal1z57.ocx
c:\windows\system32\5c1zvi9781.bin
c:\windows\system32\5czcaddw5r92807.cpl
c:\windows\system32\5f705pywarez091.dll
c:\windows\system32\5f9bth5ef2z51.cpl
c:\windows\system32\5fba9dwarez219.ocx
c:\windows\system32\5z05thi9f145.cpl
c:\windows\system32\5z079hacktoolf0.cpl
c:\windows\system32\5z63v5r2699.cpl
c:\windows\system32\5z90troj55c.exe
c:\windows\system32\5za3vi58139.bin
c:\windows\system32\5zc9addw5re2835.exe
c:\windows\system32\6009adzwar95177.bin
c:\windows\system32\606etzief11955.dll
c:\windows\system32\6241vir1195z.dll
c:\windows\system32\62z0v9r2655.exe
c:\windows\system32\649dvir2592z.exe
c:\windows\system32\658bbackzoor1269.ocx
c:\windows\system32\65ddspyw9rz8125.cpl
c:\windows\system32\6845tz5j5629.exe
c:\windows\system32\684dste953250z.ocx
c:\windows\system32\6858not-a-9zrus15e.exe
c:\windows\system32\68cfthzef2596.exe
c:\windows\system32\69c5threat21770z.dll
c:\windows\system32\6a10sp5rse1519z.ocx
c:\windows\system32\6az8th9eat2557.dll
c:\windows\system32\6b9addware5z3.cpl
c:\windows\system32\6bfe5tez93167.dll
c:\windows\system32\6c99sparse115z.bin
c:\windows\system32\6d3csp9r5ez7.dll
c:\windows\system32\6d56threatz509.cpl
c:\windows\system32\6ezste5l2459.cpl
c:\windows\system32\6f7c9hrezt30557.cpl
c:\windows\system32\6z059py25a.cpl
c:\windows\system32\6z0ddownload9r6395.exe
c:\windows\system32\729c5parze3006.bin
c:\windows\system32\7342spars518z9.dll
c:\windows\system32\7434not-9-virus65z.ocx
c:\windows\system32\7446zownloa9er30565.bin
c:\windows\system32\7451w9rm7zf.cpl
c:\windows\system32\7458h9cktoolzab.cpl
c:\windows\system32\7525vir900z.ocx
c:\windows\system32\7543t9zef1548.bin
c:\windows\system32\75479d5waze1215.exe
c:\windows\system32\7553spy5a9e2503z.bin
c:\windows\system32\759dstezl1745.cpl
c:\windows\system32\75z4spar5e5319.cpl
c:\windows\system32\763z95j449.dll
c:\windows\system32\771ezack9oor6075.bin
c:\windows\system32\7790zp5ware531.cpl
c:\windows\system32\77a1thie59z9.bin
c:\windows\system32\78dzh9eat10956.ocx
c:\windows\system32\78z5downlo9der894.ocx
c:\windows\system32\7b61sz9a5101.bin
c:\windows\system32\7b6zsp9rse1552.cpl
c:\windows\system32\7c35dowzl9ader1542.exe
c:\windows\system32\7c6c5p9waze2135.cpl
c:\windows\system32\7d96t95eat9z59.cpl
c:\windows\system32\7ezathi9f158.dll
c:\windows\system32\7f5at5reatz09319.bin
c:\windows\system32\7ff19ir2215z.ocx
c:\windows\system32\7z0not-a-vi5us7699.dll
c:\windows\system32\8119s5y1za.exe
c:\windows\system32\82z0troj591.cpl
c:\windows\system32\8539s9z234.exe
c:\windows\system32\8565zr5j698.ocx
c:\windows\system32\85995py4z79.cpl
c:\windows\system32\8b4stza919035.bin
c:\windows\system32\907z5spy27b.exe
c:\windows\system32\90999spy6zb5.exe
c:\windows\system32\909t95ef29z5.cpl
c:\windows\system32\9135zir1567.bin
c:\windows\system32\91a5downl5ader2569z.exe
c:\windows\system32\92055spambot4zd.exe
c:\windows\system32\9225vi9us5dz.cpl
c:\windows\system32\92297troj6z5.dll
c:\windows\system32\9261zpambot975.cpl
c:\windows\system32\928605ozm2c3.bin
c:\windows\system32\9346v5rz374.ocx
c:\windows\system32\93fzthreat8585.cpl
c:\windows\system32\94e7thiefz54.exe
c:\windows\system32\9529nzt-a-v95usc5.bin
c:\windows\system32\95365spamboz25b.exe
c:\windows\system32\9549downlzader2128.dll
c:\windows\system32\9585not-a-zirus30f.dll
c:\windows\system32\95edadd5are254z.exe
c:\windows\system32\9628v9rzs251.cpl
c:\windows\system32\96963spambot3z85.exe
c:\windows\system32\9766spamb5tz6c.cpl
c:\windows\system32\97959szy46a.bin
c:\windows\system32\97f1addz5re2172.exe
c:\windows\system32\98zbsteal59.bin
c:\windows\system32\9906zpa9bot56.bin
c:\windows\system32\99155irusza9.bin
c:\windows\system32\9925ormz09.dll
c:\windows\system32\9956thi5f3z36.ocx
c:\windows\system32\99919rzj254.dll
c:\windows\system32\9a7czhreat28592.cpl
c:\windows\system32\9c55downloader1z34.ocx
c:\windows\system32\9cd7virz1225.exe
c:\windows\system32\9e51vzr1566.ocx
c:\windows\system32\9z6dsp5ware868.exe
c:\windows\system32\abba95doorz599.ocx
c:\windows\system32\b9p5rze2959.dll
c:\windows\system32\bbzdow5loader928.cpl
c:\windows\system32\c35s5eaz2796.cpl
c:\windows\system32\c65s9ealz047.bin
c:\windows\system32\d22zteal95.exe
c:\windows\system32\drivers\gxvxclvhxiqptsnboduiuruwbpfnbqjixwaky.sys
c:\windows\system32\drivers\gxvxcuigiltowyllrmmepxdntivhckbmurqxe.sys
c:\windows\system32\f3ethief589z.dll
c:\windows\system32\ff9thiez39915.dll
c:\windows\system32\fz9spy5are1589.cpl
c:\windows\system32\gxvxcgeupgqcbpjxqvqsciqhqqqijxmufnkih.dll
c:\windows\system32\gxvxcwflnrirstogdrjogwqpodpgphlthegxj.dll
c:\windows\system32\z0f25ownloader589.dll
c:\windows\system32\z16859i5us365.dll
c:\windows\system32\z17ct9ief1285.dll
c:\windows\system32\z1959pars5415.ocx
c:\windows\system32\z1a5thief1897.ocx
c:\windows\system32\z1cv9r2516.bin
c:\windows\system32\z201wor54399.exe
c:\windows\system32\z228thief25759.cpl
c:\windows\system32\z3229virus2aa5.ocx
c:\windows\system32\z3644v5ru9191.cpl
c:\windows\system32\z4edspa95e2076.bin
c:\windows\system32\z52cdown5oader2989.dll
c:\windows\system32\z5859vi9us411.cpl
c:\windows\system32\z5f4stea5951.exe
c:\windows\system32\z622vi9us5ab.ocx
c:\windows\system32\z63vir2759.cpl
c:\windows\system32\z79bthief2295.exe
c:\windows\system32\z83349ot-5-virus299.cpl
c:\windows\system32\z854v9rus6cb5.dll
c:\windows\system32\z951sparse12025.exe
c:\windows\system32\z9544spy559.exe
c:\windows\system32\z9816spy153.ocx
c:\windows\system32\za40dow9loa5er1994.dll
c:\windows\system32\za7459yware1182.ocx
c:\windows\system32\zb955teal92.ocx
c:\windows\system32\zb9athre5t20055.dll

dpackham
Novice
Posts: 10
Joined: 2009-06-03
OS: xp
Points: 27432
Likes: 0

Re: WinBlueSoft Victim

Post by dpackham on Thu Jun 04, 2009 1:43 am

(cont.)


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 )))))))))))))))))))))))))))))))
.

2009-06-05 03:10 . 2009-06-05 03:10 3129961 ----a-w- C:\Combo-Fix.exe
2009-06-05 03:07 . 2009-06-05 03:49 -------- d-----w- C:\backups
2009-06-03 03:11 . 2009-06-03 03:11 361472 ----a-w- c:\windows\system32\tempo-setup2.exe
2009-06-03 03:11 . 2009-06-03 03:11 -------- d-----w- c:\program files\WinBlueSoft Software
2009-05-30 20:04 . 2009-03-27 08:16 12672 ----a-w- c:\windows\system32\drivers\cpuz132_x32.sys
2009-05-30 20:04 . 2009-05-30 20:04 -------- d-----w- c:\program files\CPUID
2009-05-24 17:39 . 2009-05-31 04:53 -------- d-----w- C:\Film
2009-05-23 01:26 . 2009-05-23 01:47 -------- d-----w- C:\New Folder
2009-05-10 03:33 . 2009-03-19 00:55 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 03:14 . 2008-10-09 02:04 -------- d-----w- c:\program files\ReGetPro
2009-05-30 18:53 . 2008-08-14 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-30 18:49 . 2008-08-14 14:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
2009-05-30 18:42 . 2008-06-29 18:12 55264 ----a-w- c:\documents and settings\Dave\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 18:39 . 2008-08-14 05:12 -------- d-----w- c:\documents and settings\Dave\Application Data\Download Manager
2009-05-30 18:29 . 2008-06-29 21:07 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-26 19:50 . 2009-02-19 03:08 -------- d-----w- c:\program files\mkv2vob
2009-05-22 07:13 . 2008-07-01 22:21 -------- d-----w- c:\documents and settings\Dave\Application Data\dvdcss
2009-05-12 14:24 . 2009-01-28 02:07 -------- d-----w- c:\program files\SSC Service Utility
2009-05-10 03:33 . 2009-03-07 20:50 -------- d-----w- c:\program files\Yahoo!
2009-05-10 03:33 . 2009-03-07 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-14 01:51 . 2009-03-06 01:46 -------- d-----w- c:\documents and settings\Dave\Application Data\Canon
2009-04-10 00:53 . 2009-04-10 00:52 -------- d-----w- c:\program files\Yamb
2009-04-09 04:32 . 2009-04-09 04:32 -------- d-----w- c:\documents and settings\Dave\Application Data\ZoomBrowser EX
2009-04-09 04:24 . 2009-03-06 01:23 -------- d-----w- c:\program files\Canon
2009-04-09 04:23 . 2009-04-09 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-04-07 03:35 . 2009-03-31 21:14 -------- d-----w- c:\documents and settings\Dave\Application Data\Ahead
2003-03-24 15:18 . 2003-03-24 15:18 10050 ----a-w- c:\program files\weeklyscan.reg
2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-10-18 455968]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]
"mount.exe"="c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-12 374272]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-19 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe" [2006-05-30 937984]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-01-15 77824]
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 61440]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-21 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-11 406016]
"SVRemote"="c:\program files\SVRemote\USB20Remote.exe" [2006-02-14 24576]
"WinDVR SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-08-16 106496]
"WinRemote"="c:\program files\InterVideo\WinDVR3\WinRemote.exe" [2005-08-16 208896]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 1057064]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-03-11 611712]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-09-10 16851968]

c:\documents and settings\Dave\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-1-4 208896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FileZilla Server\\FileZilla Server Interface.exe"=
"c:\\Program Files\\FileZilla Server\\FileZilla server.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LuComServer.EXE"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"n:\\java\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142Pace.exe"=
"c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Documents and Settings\\Dave\\Application Data\\Macromedia\\Flash Player\\[You must be registered and logged in to see this link.]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 SAVRoam;SAVRoam;c:\progra~1\SYMANT~1\SYMANT~1\savroam.exe [1/14/2003 6:07 PM 139264]
R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providerComcast\bin\tgsrvc.exe [5/2/2008 12:40 PM 148768]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [10/4/2008 9:36 AM 93696]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [5/30/2009 1:04 PM 12672]
S3 TridVid;USB TV Tuner Analog Video;c:\windows\system32\drivers\TridVid.sys [1/4/2007 7:34 PM 75008]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-05-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: + &Download Express: download this file - c:\program files\Download Express\Add_Url.htm
IE: Do&wnload by ReGet Pro - c:\program files\Common Files\ReGet Shared\CC_Link.htm
IE: Download A&ll by ReGet Pro - c:\program files\Common Files\ReGet Shared\CC_All.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Name-Space Handler: ftp\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
Name-Space Handler: http\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
Name-Space Handler: https\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
DPF: {62AEFF80-16AD-4AC4-B812-E70EB5F37301} - [You must be registered and logged in to see this link.]
FF - ProfilePath -
.


Re: WinBlueSoft Victim

Post by dpackham on Thu Jun 04, 2009 1:45 am

(cont.)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-04 21:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,ad,06,bc,32,03,
6d,7f,f2,e2,63,26,f1,3f,c8,ff,68,47,00,52,26,13,05,1c,0b,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,df,2f,a5,94,60,
5e,3a,23,6a,9c,d6,61,af,45,84,18,d5,11,47,79,33,1c,6e,a5,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,a6,40,52,67,6d,
80,e7,d3,ff,7c,85,e0,43,d4,0e,fe,f8,30,7c,1b,52,6d,14,e0,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,0d,a6,9e,2d,2a,
ce,fc,b8,86,8c,21,01,be,91,eb,e7,31,a8,21,68,64,43,07,04,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,a1,82,99,56,e0,
1d,36,28,f5,1d,4d,73,a8,13,5c,05,2a,93,c5,92,08,02,06,4f,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,f2,b0,58,cb,0a,
68,ea,fe,df,20,58,62,78,6b,cf,c8,e8,be,36,1f,f9,00,e7,89,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,80,24,f6,0b,d5,
78,71,cc,fb,a7,78,e6,12,2f,9a,ea,f3,03,30,50,ad,22,12,1d,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,ba,e3,96,ae,0c,
74,09,46,01,3a,48,fc,e8,04,4a,f1,e9,94,ba,3a,a1,de,29,82,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,39,0b,86,57,d6,
1b,44,ba,f6,0f,4e,58,98,5b,89,c9,48,8e,1f,46,00,d5,3f,98,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,e2,9c,a5,49,fd,
88,69,da,3d,ce,ea,26,2d,45,aa,78,c6,ca,3c,c5,4b,34,47,9e,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,cc,ba,7b,a3,e2,
a4,e5,e2,2a,b7,cc,b5,b9,7f,41,e7,1a,16,7f,3d,94,f9,81,bd,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,6e,79,7b,a7,35,
70,f0,9a,6c,43,2d,1e,aa,22,2f,9c,fc,4f,c6,4f,9a,75,ed,a4,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(832)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-06-05 21:31
ComboFix-quarantined-files.txt 2009-06-05 04:31

Pre-Run: 85,268,295,680 bytes free
Post-Run: 89,796,567,040 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=1 Sets=1,2,3,4,5
944 --- E O F --- 2009-05-14 10:02


Re: WinBlueSoft Victim

Post by Origin on Thu Jun 04, 2009 3:20 am

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\tempo-setup2.exe

Folder::
c:\program files\WinBlueSoft Software

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-

Driver::
cpuz132


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]


Origin
Master
Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows Xp Sp3
Points: 31473
Likes: 0

Re: WinBlueSoft Victim

Post by dpackham on Thu Jun 04, 2009 10:16 pm

ComboFix still shows up on my desktop as Combo-Fix. When I drag and drop as directed above, I get an error message that says "cannot rename ComboFix to Combo-Fix, please choose another name with alphanumeric characters". I am not trying to rename it, only to drag and drop as indicated.


Re: WinBlueSoft Victim

Post by Belahzur on Thu Jun 04, 2009 10:31 pm

Re-download Combofix, but don't rename it this time.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245059
Likes: 1

Re: WinBlueSoft Victim

Post by dpackham on Thu Jun 04, 2009 11:04 pm

ComboFix 09-06-04.04 - Dave 06/04/2009 18:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2654 [GMT -7:00]
Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dave\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\program files\WinBlueSoft Software"
"c:\windows\system32\drivers\cpuz132_x32.sys"
"c:\windows\system32\tempo-setup2.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\cpuz132_x32.sys
c:\windows\system32\tempo-setup2.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CPUZ132
-------\Service_cpuz132


((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 )))))))))))))))))))))))))))))))
.

2009-06-05 04:00 . 2009-06-05 04:31 -------- d-s---w- C:\Combo-Fix
2009-06-05 03:07 . 2009-06-05 03:49 -------- d-----w- C:\backups
2009-06-03 03:11 . 2009-06-03 03:11 -------- d-----w- c:\program files\WinBlueSoft Software
2009-05-30 20:04 . 2009-05-30 20:04 -------- d-----w- c:\program files\CPUID
2009-05-24 17:39 . 2009-05-31 04:53 -------- d-----w- C:\Film
2009-05-23 01:26 . 2009-05-23 01:47 -------- d-----w- C:\New Folder
2009-05-10 03:33 . 2009-03-19 00:55 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 03:14 . 2008-10-09 02:04 -------- d-----w- c:\program files\ReGetPro
2009-05-30 18:53 . 2008-08-14 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-30 18:49 . 2008-08-14 14:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
2009-05-30 18:42 . 2008-06-29 18:12 55264 ----a-w- c:\documents and settings\Dave\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 18:39 . 2008-08-14 05:12 -------- d-----w- c:\documents and settings\Dave\Application Data\Download Manager
2009-05-30 18:29 . 2008-06-29 21:07 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-26 19:50 . 2009-02-19 03:08 -------- d-----w- c:\program files\mkv2vob
2009-05-22 07:13 . 2008-07-01 22:21 -------- d-----w- c:\documents and settings\Dave\Application Data\dvdcss
2009-05-12 14:24 . 2009-01-28 02:07 -------- d-----w- c:\program files\SSC Service Utility
2009-05-10 03:33 . 2009-03-07 20:50 -------- d-----w- c:\program files\Yahoo!
2009-05-10 03:33 . 2009-03-07 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-14 01:51 . 2009-03-06 01:46 -------- d-----w- c:\documents and settings\Dave\Application Data\Canon
2009-04-10 00:53 . 2009-04-10 00:52 -------- d-----w- c:\program files\Yamb
2009-04-09 04:32 . 2009-04-09 04:32 -------- d-----w- c:\documents and settings\Dave\Application Data\ZoomBrowser EX
2009-04-09 04:24 . 2009-03-06 01:23 -------- d-----w- c:\program files\Canon
2009-04-09 04:23 . 2009-04-09 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-04-07 03:35 . 2009-03-31 21:14 -------- d-----w- c:\documents and settings\Dave\Application Data\Ahead
2003-03-24 15:18 . 2003-03-24 15:18 10050 ----a-w- c:\program files\weeklyscan.reg
2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-05 01:23 . 2009-06-05 01:23 16384 c:\windows\Temp\Perflib_Perfdata_134.dat
+ 2006-02-28 12:00 . 2007-01-01 07:08 86686 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\svchost.exe
+ 2006-02-28 12:00 . 2007-01-01 07:08 483744 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-10-18 455968]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]
"mount.exe"="c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-12 374272]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-19 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe" [2006-05-30 937984]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-01-15 77824]
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 61440]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-21 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-11 406016]
"SVRemote"="c:\program files\SVRemote\USB20Remote.exe" [2006-02-14 24576]
"WinDVR SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-08-16 106496]
"WinRemote"="c:\program files\InterVideo\WinDVR3\WinRemote.exe" [2005-08-16 208896]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 1057064]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-03-11 611712]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-09-10 16851968]

c:\documents and settings\Dave\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-1-4 208896]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FileZilla Server\\FileZilla Server Interface.exe"=
"c:\\Program Files\\FileZilla Server\\FileZilla server.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LuComServer.EXE"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"n:\\java\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142Pace.exe"=
"c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Documents and Settings\\Dave\\Application Data\\Macromedia\\Flash Player\\[You must be registered and logged in to see this link.]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 SAVRoam;SAVRoam;c:\progra~1\SYMANT~1\SYMANT~1\savroam.exe [1/14/2003 6:07 PM 139264]
R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providerComcast\bin\tgsrvc.exe [5/2/2008 12:40 PM 148768]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [10/4/2008 9:36 AM 93696]
S3 TridVid;USB TV Tuner Analog Video;c:\windows\system32\drivers\TridVid.sys [1/4/2007 7:34 PM 75008]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-05-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: + &Download Express: download this file - c:\program files\Download Express\Add_Url.htm
IE: Do&wnload by ReGet Pro - c:\program files\Common Files\ReGet Shared\CC_Link.htm
IE: Download A&ll by ReGet Pro - c:\program files\Common Files\ReGet Shared\CC_All.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Name-Space Handler: ftp\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
Name-Space Handler: http\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
Name-Space Handler: https\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
DPF: {62AEFF80-16AD-4AC4-B812-E70EB5F37301} - [You must be registered and logged in to see this link.]
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-04 18:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

dpackham
Novice
Posts: 10
Joined: 2009-06-03
OS: xp
Points: 27432
Likes: 0

Re: WinBlueSoft Victim

Post by dpackham on Thu Jun 04, 2009 11:05 pm

(cont)

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,ad,06,bc,32,03,
6d,7f,f2,e2,63,26,f1,3f,c8,ff,68,47,00,52,26,13,05,1c,0b,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,df,2f,a5,94,60,
5e,3a,23,6a,9c,d6,61,af,45,84,18,d5,11,47,79,33,1c,6e,a5,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,a6,40,52,67,6d,
80,e7,d3,ff,7c,85,e0,43,d4,0e,fe,f8,30,7c,1b,52,6d,14,e0,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,0d,a6,9e,2d,2a,
ce,fc,b8,86,8c,21,01,be,91,eb,e7,31,a8,21,68,64,43,07,04,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,a1,82,99,56,e0,
1d,36,28,f5,1d,4d,73,a8,13,5c,05,2a,93,c5,92,08,02,06,4f,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,f2,b0,58,cb,0a,
68,ea,fe,df,20,58,62,78,6b,cf,c8,e8,be,36,1f,f9,00,e7,89,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,80,24,f6,0b,d5,
78,71,cc,fb,a7,78,e6,12,2f,9a,ea,f3,03,30,50,ad,22,12,1d,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,ba,e3,96,ae,0c,
74,09,46,01,3a,48,fc,e8,04,4a,f1,e9,94,ba,3a,a1,de,29,82,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,39,0b,86,57,d6,
1b,44,ba,f6,0f,4e,58,98,5b,89,c9,48,8e,1f,46,00,d5,3f,98,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,e2,9c,a5,49,fd,
88,69,da,3d,ce,ea,26,2d,45,aa,78,c6,ca,3c,c5,4b,34,47,9e,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,cc,ba,7b,a3,e2,
a4,e5,e2,2a,b7,cc,b5,b9,7f,41,e7,1a,16,7f,3d,94,f9,81,bd,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,6e,79,7b,a7,35,
70,f0,9a,6c,43,2d,1e,aa,22,2f,9c,fc,4f,c6,4f,9a,75,ed,a4,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(816)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3284)
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\FileZilla Server\FileZilla server.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-06-05 18:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-05 01:32
ComboFix2.txt 2009-06-05 04:31

Pre-Run: 89,733,267,456 bytes free
Post-Run: 89,602,854,912 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=1 Sets=1,2,3,4,5
270 --- E O F --- 2009-05-14 10:02


Re: WinBlueSoft Victim

Post by Belahzur on Thu Jun 04, 2009 11:12 pm

Hello.
Please delete this folder in bold:
c:\program files\WinBlueSoft Software

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245059
Likes: 1

Re: WinBlueSoft Victim

Post by dpackham on Thu Jun 04, 2009 11:17 pm

completely cured -- where do I send the $64,000,000 :)


Re: WinBlueSoft Victim

Post by Belahzur on Fri Jun 05, 2009 12:29 am

Link in my signature.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


