WinBlueSoft - crying for help


Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 8:37 pm

I just saw that it's now .txt.... It opens after I click on dds icon...just that.

koalabear
Intermediate

Posts: 53
Joined: 2009-06-22
OS: xp
Points: 27305
Likes: 0


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 8:39 pm

You uploaded the wrong file, you gave me the application instead of the log ;)


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]


Origin
Master

Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows Xp Sp3
Points: 31493
Likes: 0


Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 8:41 pm

I get only that after I click Run


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 8:46 pm

When you click on the dds.scr icon a black CMD window should appear, it will give you some brief description of what the tool does while in the background the scan is taking place. Once the scan is finished, two logs will pop up, a DDS.txt and an Attach.txt, I need to see the DDS.txt. Make sure you save both of them to the desktop. If you didn't save them then please run the scan again.



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 8:49 pm

when I download it from the second link and run it I get the message that it is not a valid Win32 application...

when I run it from the first link I get that notepad screen with lots of letters.


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 8:50 pm

Instead of uploading it can you post all contents of the log back here. It may take two or more posts.



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 8:57 pm

this is all that makes any sense between lots of unconnected letters :

                            
  S e l e c t d e s t i n a t i o n f o l d e r
E x t r a c t i n g % s S k i p p i n g % s  U n e x p e c t e d e n d o f a r c h i v e  T h e f i l e " % s " h e a d e r i s c o r r u p t % T h e a r c h i v e c o m m e n t h e a d e r i s c o r r u p t  T h e a r c h i v e c o m m e n t i s c o r r u p t  N o t e n o u g h m e m o r y  U n k n o w n m e t h o d i n % s  C a n n o t o p e n % s  C a n n o t c r e a t e % s  C a n n o t c r e a t e f o l d e r % s  6 C R C f a i l e d i n t h e e n c r y p t e d f i l e % s ( w r o n g p a s s w o r d ? )  C R C f a i l e d i n % s  P a c k e d d a t a C R C f a i l e d i n % s  W r o n g p a s s w o r d f o r % s 5 W r i t e e r r o r i n t h e f i l e % s . P r o b a b l y t h e d i s k i s f u l l  R e a d e r r o r i n t h e f i l e % s  F i l e c l o s e e r r o r  T h e r e q u i r e d v o l u m e i s a b s e n t 2 T h e a r c h i v e i s e i t h e r i n u n k n o w n f o r m a t o r d a m a g e d  E x t r a c t i n g f r o m % s N e x t v o l u m e  T h e a r c h i v e h e a d e r i s c o r r u p t  C l o s e  E r r o r a E r r o r s e n c o u n t e r e d w h i l e p e r f o r m i n g t h e o p e r a t i o n
L o o k a t t h e i n f o r m a t i o n w i n d o w f o r m o r e d e t a i l s PA  b y t e s m o d i f i e d o n  f o l d e r i s n o t a c c e s s i b l e l S o m e f i l e s c o u l d n o t b e c r e a t e d .
P l e a s e c l o s e a l l a p p l i c a t i o n s , r e b o o t W i n d o w s a n d r e s t a r t t h i s i n s t a l l a t i o n \ S o m e i n s t a l l a t i o n f i l e s a r e c o r r u p t .
P l e a s e d o w n l o a d a f r e s h c o p y a n d r e t r y t h e i n s t a l l a t i o n A l l f i l e s PA E < u l > < l i > P r e s s < b > I n s t a l l < / b > b u t t o n t o s t a r t e x t r a c t i o n . < / l i > < b r > < b r > 6 < l i > U s e < b > B r o w s e < / b > b u t t o n t o s e l e c t t h e d e s t i n a t i o n 4 f o l d e r f r o m t h e f o l d e r s t r e e . I t c a n b e a l s o e n t e r e d  m a n u a l l y . < / l I > < b r > < b r > 8 < l I > I f t h e d e s t i n a t i o n f o l d e r d o e s n o t e x i s t , i t w i l l b e 2 c r e a t e d a u t o m a t i c a l l y b e f o r e e x t r a c t i o n . < / l I > < / u l > PAh        |

version="1.0.0.0"
processorArchitecture="X86"
name="WinRAR SFX"
type="win32"/>
WinRAR SFX module



uiAccess="false"/>





type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="X86"
publicKeyToken="6595b64144ccf1df"
language="*"/>



P e e f e f e f e (f e 2f e


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 9:04 pm

Let's try this: locate the DDS.txt file, right-click on it and select Open With, now click on WordPad (if WordPad isn't present on the list, select "Browse" and search for WordPad).

Are the symbols still appearing?



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 9:07 pm

I don't have dds.txt file! just this .scr...Notepad opens when I click on it.


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 9:11 pm

Alright, let's try this, delete the current DDS.scr file and download this one:

[You must be registered and logged in to see this link.]

Run it and see if you can get those logs, if not we are going to have to use another system scanner.



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 9:14 pm

it says that it is not a valid Win32 application.


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 9:17 pm

Oh well, let's try RSIT:


  • Download random's system information tool (RSIT) by random/random from [You must be registered and logged in to see this link.] and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized)



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 9:23 pm

the same message :'(


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 9:27 pm

It pops out with "not a valid Win32 application."?



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 9:28 pm

yes.


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 9:31 pm

Alright try ComboFix even though it says ESET is still active.



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 9:34 pm

now it says the same for Combo-Fix...did I delete something important so this is happening?


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 9:47 pm

Not that I can think of since I haven't given you anything harmful to run. I am talking to a colleague of mine that will have you sorted out, please be patient for the moment.



Re: WinBlueSoft - crying for help

Post by koalabear on 22nd June 2009, 9:48 pm

ok, thank you for your help.


Re: WinBlueSoft - crying for help

Post by Origin on 22nd June 2009, 9:53 pm

For the meantime, can you reboot your computer and then see if it works?



Re: WinBlueSoft - crying for help

Post by Belahzur on 22nd June 2009, 9:57 pm

Hello.
I still think that lspcfm is malicious maybe, can you upload a copy of it to rapidshare please? I want a sample of it and I'll upload it.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245079
Likes: 1


Re: WinBlueSoft - crying for help

Post by koalabear on 23rd June 2009, 8:12 am

[You must be registered and logged in to see this link.] wrote: For the meantime can you reboot your computer and then see if it works.

No, still the same.

@Belahzur : what's Ispcfm?


Re: WinBlueSoft - crying for help

Post by Origin on 23rd June 2009, 5:04 pm

Locate and upload this file to Rapidshare:

c:\windows\system32\lspcfm.dll



Re: WinBlueSoft - crying for help

Post by koalabear on 23rd June 2009, 5:56 pm

[You must be registered and logged in to see this link.]

now internet isn't working on infected computer either :'(


Re: WinBlueSoft - crying for help

Post by Belahzur on 23rd June 2009, 6:06 pm

Hello.
Thank you for the file. It is indeed malware, but guess what? It's a new version of something, not exactly sure what yet, only 3 scanners find something.

Microsoft 1.4803 2009.06.23 PWS:Win32/Pemsepos.A
NOD32 4181 2009.06.23 a variant of Win32/Kryptik.SR
Sunbelt 3.2.1858.2 2009.06.23 Trojan.Crypt.Krap (v)

Please download the LSPfix from here: [You must be registered and logged in to see this link.]
Unzip it to the Desktop (Important!!) and run it. Check the box that says "I know what I'm doing", and then select each instance of "lspcfm.dll" in the left-hand panel and click >> button to move it to the right-hand panel. Then click Finish to allow LSPfix to rebuild the LSP chain.

Reboot normally and your net connection should be back.



Re: WinBlueSoft - crying for help

Post by koalabear on 23rd June 2009, 7:15 pm

Oh great, it's the first time I get virus and it's new one.

I did everything you said but I still don't have connection.


Re: WinBlueSoft - crying for help

Post by Belahzur on 23rd June 2009, 7:17 pm

Okay, post a new Hijack This log.



Re: WinBlueSoft - crying for help

Post by koalabear on 23rd June 2009, 7:24 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:24:24, on 23.6.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\bcle.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\rhlni.exe
C:\Program Files\Mozilla Firefox\firefox.exe
\Arhitekt-397a7d\c\MGtools\analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5757
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Win32 Firewall] C:\DOCUME~1\Kordic\LOCALS~1\Temp\298.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Win32 Firewall] C:\DOCUME~1\Kordic\LOCALS~1\Temp\298.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-583907252-1202660629-682003330-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Kordic')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Bluetooth.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: I&zvoz u Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Istraivanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6894 bytes


Re: WinBlueSoft - crying for help

Post by koalabear on 23rd June 2009, 7:29 pm

if it means anything....I'm able to connect to your page through Firefox but only your page. IE and Opera are not working.


Re: WinBlueSoft - crying for help

Post by Belahzur on 23rd June 2009, 7:56 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5757
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O4 - HKLM\..\Run: [Win32 Firewall] C:\DOCUME~1\Kordic\LOCALS~1\Temp\298.exe
    O4 - HKCU\..\Run: [Win32 Firewall] C:\DOCUME~1\Kordic\LOCALS~1\Temp\298.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


  • Press "Fix Checked"
  • Close Hijack This.

Can you run an MBAM scan again?


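The kind of check behind the fix list in the post above, as an added example that is not part of the original thread and is not HijackThis's own logic: a Python triage pass over a HijackThis v2.0.2 log that flags the entry types selected there (a loopback ProxyServer, autoruns and processes started from a Temp folder, a Policies\System Disable value). The sample log is constructed, and the rule names and the triage() function are assumptions made for this example.

```python
import re

# Constructed sample in HijackThis v2.0.2 log layout, modelled on the entry
# types discussed in this thread (user name and file names are made up).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\User\LOCALS~1\Temp\sample1.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5757
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Win32 Firewall] C:\DOCUME~1\User\LOCALS~1\Temp\sample2.exe
O4 - HKCU\..\Run: [Updater] "C:\Documents and Settings\User\Local Settings\Temp\sample3.exe" /s
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

# An executable sitting directly in a Temp folder (long or 8.3 short path).
TEMP_EXE = re.compile(r'\\temp\\[^\\"]+\.exe\b', re.I)
# ProxyServer value that points the browser at the local machine.
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*\S*?\b(127\.\d+\.\d+\.\d+|localhost)\b", re.I)
# Policies\System value that switches a Windows tool off (DisableRegedit=1 ...).
POLICY_LOCKOUT = re.compile(r"\\Policies\\System,\s*Disable\w+\s*=\s*1\s*$", re.I)


def triage(log_text):
    """Return (rule, line) pairs for log lines that deserve a closer look.

    The result is a review list for a human helper, not a removal list.
    """
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if in_processes:
            if not line:                     # blank line ends the process list
                in_processes = False
            elif TEMP_EXE.search(line):
                findings.append(("process-in-temp", line))
            continue
        code = line.split(" - ", 1)[0]       # section code: R0, R1, O4, O7 ...
        if code in ("R0", "R1") and LOOPBACK_PROXY.search(line):
            findings.append(("loopback-proxy", line))
        elif code == "O4" and TEMP_EXE.search(line):
            findings.append(("autorun-from-temp", line))
        elif code == "O7" and POLICY_LOCKOUT.search(line):
            findings.append(("policy-lockout", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:18} {line}")
```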

Re: WinBlueSoft - crying for help

Post by koalabear on 23rd June 2009, 8:05 pm

Malwarebytes' Anti-Malware 1.38
Database version: 2283
Windows 5.1.2600 Service Pack 2

23.6.2009 22:05:28
mbam-log-2009-06-23 (22-05-23).txt

Scan type: Quick Scan
Objects scanned: 97392
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 11
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\Documents and Settings\Kordic\Local Settings\Temp\bcle.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Kordic\Local Settings\Temp\rhlni.exe (Trojan.Downloader) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Kordic\Local Settings\Temp\bcle.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Kordic\Local Settings\Temp\rhlni.exe (Trojan.Downloader) -> No action taken.
c:\RECYCLER\s-1-5-21-1708502002-5774778955-212626128-2853\rundll32.exe (Trojan.Dropper) -> No action taken.
c:\program files\outlook express\wab.exe.tmp (Trojan.Downloader) -> No action taken.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> No action taken.
c:\WINDOWS\Temp\tempo-2191406.tmp (Trojan.DNSChanger) -> No action taken.
c:\WINDOWS\Temp\tempo-2192734.tmp (Trojan.DNSChanger) -> No action taken.
c:\WINDOWS\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll (Trojan.Agent) -> No action taken.


Re: WinBlueSoft - crying for help

Post by Belahzur on 23rd June 2009, 8:09 pm

Are you removing these? Every MBAM log you've given us says no action taken. The items found need to be removed, because something is regenerating the infection.


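A check for the situation raised in the post above, as an added example that is not part of the original thread and is not Malwarebytes' own code: a Python parser for the MBAM log layout posted here that reports detections still marked "No action taken", items that only go away after a reboot, and sections whose listed entries do not match the declared count (a sign the pasted log was cut short). Both sample logs are constructed, and the function names are assumptions made for this example.

```python
import re

# "Files Infected: 9" (summary count) or "Files Infected:" (section header).
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:\s*(?P<count>\d+)?$")
# "<object> (<Detection.Name>) -> [<detail> -> ]<action>."
ENTRY = re.compile(
    r"^(?P<object>.+?) \((?P<detection>[A-Za-z]+\.[\w.]+)\) -> "
    r"(?:(?P<detail>.+) -> )?(?P<action>[^>]+?)\.?$"
)

# Constructed samples in the layout of the MBAM 1.38 logs in this thread
# (paths and registry keys are made up for the example).
SCAN_ONLY = r"""
Memory Processes Infected: 1
Registry Data Items Infected: 1
Files Infected: 1

Memory Processes Infected:
C:\Temp\sample1.exe (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Example\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\Temp\sample1.exe (Trojan.Agent) -> No action taken.
"""

# Same machine after removal; the Files section is deliberately cut short.
AFTER_REMOVAL = r"""
Memory Processes Infected: 1
Registry Values Infected: 1
Files Infected: 2

Memory Processes Infected:
C:\Temp\sample1.exe (Trojan.Agent) -> Unloaded process successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Example\Winlogon\taskman (Backdoor.Bot) -> Delete on reboot.

Files Infected:
C:\Temp\sample1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""


def parse_mbam(log_text):
    """Return (declared_counts, entries) from an MBAM text log."""
    declared, entries, section = {}, [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            if m["count"] is not None:
                declared[m["name"]] = int(m["count"])   # summary block
            else:
                section = m["name"]                      # start of a listing
            continue
        m = ENTRY.match(line)
        if m and section:
            entries.append({"section": section, **m.groupdict()})
    return declared, entries


def remediation_report(log_text):
    """Summarise whether the detections in a log were actually dealt with."""
    declared, entries = parse_mbam(log_text)
    unresolved = [e for e in entries if e["action"].lower() == "no action taken"]
    pending = [e for e in entries
               if e["action"].lower().startswith("delete on reboot")]
    listed = {}
    for e in entries:
        listed[e["section"]] = listed.get(e["section"], 0) + 1
    mismatch = sorted(n for n, c in declared.items() if listed.get(n, 0) != c)
    return {
        "detections": len(entries),
        "unresolved": unresolved,          # scanned but never removed
        "pending_reboot": pending,         # removal completes on restart
        "count_mismatch": mismatch,        # pasted log is incomplete
        "remediated": bool(entries) and not unresolved and not pending,
    }


if __name__ == "__main__":
    for name, log in (("scan only", SCAN_ONLY), ("after removal", AFTER_REMOVAL)):
        r = remediation_report(log)
        print(name, "| unresolved:", len(r["unresolved"]),
              "| pending reboot:", len(r["pending_reboot"]),
              "| incomplete sections:", r["count_mismatch"])
```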

Re: WinBlueSoft - crying for help

Post by koalabear on 23rd June 2009, 8:11 pm

I made new scan every time.


Re: WinBlueSoft - crying for help

Post by Belahzur on 23rd June 2009, 8:16 pm

Yes, but did you remove everything it found?



Re: WinBlueSoft - crying for help

Post by koalabear on 23rd June 2009, 8:21 pm

God I feel stupid now. I'm so sorry, I don't know anything about these things so I didn't do anything but scanned. :ashamed:

here's the list now..

Malwarebytes' Anti-Malware 1.38
Database version: 2283
Windows 5.1.2600 Service Pack 2

23.6.2009 22:20:01
mbam-log-2009-06-23 (22-20-01).txt

Scan type: Quick Scan
Objects scanned: 97404
Time elapsed: 1 minute(s), 26 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 11
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\Documents and Settings\Kordic\Local Settings\Temp\bcle.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\Kordic\Local Settings\Temp\rhlni.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Kordic\Local Settings\Temp\bcle.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kordic\Local Settings\Temp\rhlni.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-1708502002-5774778955-212626128-2853\rundll32.exe (Trojan.Dropper) -> Delete on reboot.
c:\program files\outlook express\wab.exe.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\tempo-2191406.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\tempo-2192734.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll (Trojan.Agent) -> Quarantined and deleted successfully.


Re: WinBlueSoft - crying for help

Post by Belahzur on 23rd June 2009, 8:25 pm

Hmm.
First, please let MBAM reboot when it needs to, and then, when back in normal mode, open MBAM again.
Go into the Update tab and check for the latest updates. Once you have the latest updates, please run a new scan.



Re: WinBlueSoft - crying for help

Post by koalabear on 23rd June 2009, 9:42 pm

I did the update and scanned it twice....this is what is left :

Malwarebytes' Anti-Malware 1.38
Database version: 2326
Windows 5.1.2600 Service Pack 2

23.6.2009 23:36:30
mbam-log-2009-06-23 (23-36-27).txt

Scan type: Quick Scan
Objects scanned: 99191
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

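The two logs posted above end every finding with the action taken, and the helper's replies turn on exactly that field ("Delete on reboot", "No action taken"). As an added example (not part of the original thread and not Malwarebytes' own code), this Python parser reads that log layout, lists the findings that still need action, and checks the declared counts against the listed items; the status mapping, the function names and the sample log are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout of the logs posted in this thread (shortened).
# "Files Infected: 2" deliberately disagrees with the single file listed,
# to model a log that was cut off when pasted.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.38
Database version: 2326

Registry Values Infected: 1
Registry Data Items Infected: 2
Files Infected: 2

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\user\Local Settings\Temp\example.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# target (Detection.Name) -> [optional detail ->] outcome.
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")

# Assumed mapping from the outcome strings seen in this thread to a triage status.
STATUS = {
    "Quarantined and deleted successfully": "remediated",
    "Unloaded process successfully": "remediated",
    "Delete on reboot": "pending_reboot",
    "No action taken": "not_remediated",
}


@dataclass
class Finding:
    section: str
    target: str
    detection: str
    outcome: str
    status: str


def parse_mbam_log(text):
    """Return (declared_counts, findings) from a pasted MBAM text log."""
    declared, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_RE.match(line)
        if m:
            declared[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = ITEM_RE.match(line) if section else None
        if m:
            # The outcome is always the last "->" segment; drop the final period.
            outcome = m["rest"].split(" -> ")[-1].rstrip(".")
            findings.append(Finding(section, m["target"], m["detection"],
                                    outcome, STATUS.get(outcome, "unknown")))
    return declared, findings


def follow_up(text):
    """Findings that are not yet remediated, plus sections whose declared
    count differs from the number of items actually listed."""
    declared, findings = parse_mbam_log(text)
    open_items = [f for f in findings if f.status != "remediated"]
    listed = Counter(f.section for f in findings)
    mismatches = {s: (n, listed.get(s, 0))
                  for s, n in declared.items() if n != listed.get(s, 0)}
    return open_items, mismatches


if __name__ == "__main__":
    items, mismatches = follow_up(SAMPLE_LOG)
    for f in items:
        print(f"[{f.status}] {f.detection}: {f.target}")
    for section, (want, got) in mismatches.items():
        print(f"count mismatch in '{section}': declared {want}, listed {got}")
```
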

Re: WinBlueSoft - crying for help

Post by Belahzur on 23rd June 2009, 10:09 pm

No action taken again.
Please remove the items found.



Re: WinBlueSoft - crying for help

Post by koalabear on 23rd June 2009, 10:13 pm

I keep removing them, rebooting but they are there again.


Re: WinBlueSoft - crying for help

Post by koalabear on 24th June 2009, 10:51 am

I'm doing scans, removing, rebooting all the time but there is always something left.


Re: WinBlueSoft - crying for help

Post by Belahzur on 24th June 2009, 2:19 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Re: WinBlueSoft - crying for help

Post by koalabear on 24th June 2009, 2:59 pm

I already tried that dds, it's not working...just a bunch of letters.


Re: WinBlueSoft - crying for help

Post by Belahzur on 24th June 2009, 3:06 pm

Try Combofix again even though Nod32 is active.



Re: WinBlueSoft - crying for help

Post by koalabear on 24th June 2009, 5:27 pm

ComboFix 09-06-23.01 - Kordic 24.06.2009 19:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2647 [GMT 2:00]
Running from: c:\documents and settings\Kordic\Desktop\Combo-Fix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.



Re: WinBlueSoft - crying for help

Post by koalabear on 24th June 2009, 5:28 pm



Re: WinBlueSoft - crying for help

Post by koalabear on 24th June 2009, 5:28 pm

c:\windows\zf1as5eal2091.bin
c:\windows\zfb5vir19169.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-23 20:12 . 2009-06-23 20:12 293 ----a-w- C:\MGlogs.zip
2009-06-23 20:12 . 2009-06-23 20:13 -------- d-----w- C:\MGtools
2009-06-22 20:16 . 2009-06-22 20:16 -------- d-----w- c:\documents and settings\Kordic\Application Data\Malwarebytes
2009-06-22 14:26 . 2009-06-22 14:26 -------- d-----w- c:\documents and settings\Kordic\Application Data\Winamp
2009-06-22 13:34 . 2009-06-17 09:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 13:34 . 2009-06-22 13:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 13:34 . 2009-06-22 13:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-22 13:34 . 2009-06-17 09:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-22 13:16 . 2009-06-22 13:16 -------- d-----w- c:\program files\Trend Micro
2009-06-22 13:16 . 2009-06-22 13:16 881976 ----a-w- C:\HJTInstall.exe
2009-06-22 12:56 . 2009-06-22 12:58 -------- d-----w- c:\documents and settings\Kordic\Application Data\GetRightToGo
2009-06-22 12:45 . 2009-06-22 12:45 -------- d-----w- c:\documents and settings\Kordic\Application Data\AVG7
2009-06-22 12:45 . 2009-06-22 12:45 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVG7
2009-06-22 12:45 . 2009-06-22 12:45 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-06-22 12:44 . 2009-06-22 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7
2009-06-22 12:08 . 2008-03-03 16:21 568 ---ha-w- c:\windows\nod32fixtemdono.reg
2009-06-22 12:08 . 2008-03-03 12:25 5702 ---ha-w- c:\windows\nod32restoretemdono.reg
2009-06-22 12:05 . 2009-06-22 12:05 -------- d-----w- c:\program files\ESET
2009-06-22 06:15 . 2009-06-22 06:15 -------- d-----w- c:\documents and settings\Kordic\Application Data\Agnitum
2009-06-21 19:56 . 2009-06-22 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-18 10:59 . 2009-06-18 10:59 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-06-18 10:49 . 2009-06-18 13:48 -------- d-----w- c:\documents and settings\Kordic\Local Settings\Application Data\Microsoft
2009-06-18 10:46 . 2009-06-18 10:46 -------- d-----w- c:\documents and settings\Kordic\Local Settings\Application Data\Identities
2009-06-18 10:45 . 2009-06-18 10:45 -------- d-----w- c:\documents and settings\Kordic\Bluetooth Software
2009-06-18 10:45 . 2009-06-18 10:45 -------- d-----w- c:\documents and settings\Kordic\Contacts
2009-06-18 10:45 . 2009-06-24 17:07 -------- d-s---w- c:\windows\Cookies
2009-06-18 10:45 . 2009-06-22 12:56 -------- d-----w- c:\documents and settings\Kordic
2009-06-17 18:32 . 2008-09-04 19:17 447752 ----a-w- c:\windows\system32\vp6vfw.dll
2009-06-17 18:32 . 2009-06-17 18:32 -------- d-----w- c:\program files\Microsoft WSE
2009-06-17 14:46 . 2009-06-17 14:46 -------- d-----w- c:\program files\PowerISO
2009-06-17 14:39 . 2009-06-17 14:39 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-17 14:28 . 2009-06-17 14:28 51200 ----a-w- c:\windows\system32\lspcfm.dll
2009-06-17 14:02 . 2009-06-17 14:02 -------- d-----w- c:\program files\7-Zip
2009-06-17 13:52 . 2009-06-17 13:52 -------- d-----w- C:\hjsplit
2009-06-16 12:59 . 2003-11-04 13:10 69632 ----a-w- c:\windows\system32\lfgif13n.dll
2009-06-16 12:59 . 2004-05-14 14:53 462848 ----a-w- c:\windows\system32\ltkrn13n.dll
2009-06-16 12:59 . 2004-05-14 14:53 450560 ----a-w- c:\windows\system32\ltimg13n.dll
2009-06-16 12:59 . 2004-05-14 14:53 299008 ----a-w- c:\windows\system32\ltdis13n.dll
2009-06-16 12:59 . 2004-05-14 14:53 163840 ----a-w- c:\windows\system32\ltfil13n.dll
2009-06-16 12:59 . 2004-05-14 14:53 57344 ----a-w- c:\windows\system32\lfbmp13n.dll
2009-06-16 12:59 . 2004-05-14 14:53 401408 ----a-w- c:\windows\system32\lfcmp13n.dll
2009-06-16 12:59 . 2004-01-12 00:09 206336 ----a-w- c:\windows\system32\ltefx13n.dll
2009-06-14 21:12 . 2009-06-22 13:33 -------- d-----w- c:\program files\DNA
2009-06-14 21:12 . 2009-06-14 21:12 -------- d-----w- c:\program files\AskSearch
2009-06-04 12:27 . 2009-06-04 12:27 -------- d-----w- c:\program files\Google
2009-06-02 12:12 . 2004-07-14 10:54 676864 ----a-w- c:\windows\system32\drivers\hardlock.sys
2009-06-02 12:12 . 2009-06-02 12:12 6656 ----a-w- c:\windows\system32\haspvdd.dll
2009-06-02 12:12 . 2009-06-02 12:12 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys
2009-06-02 12:12 . 2009-06-02 12:12 383 ----a-w- c:\windows\system32\haspdos.sys
2009-06-02 12:12 . 2009-06-02 15:56 67712 ----a-w- c:\windows\system32\drivers\hl_mull.sys
2009-06-02 12:12 . 2009-06-02 15:56 57344 ----a-w- c:\windows\system32\drivers\wdreg.exe
2009-06-02 12:03 . 2009-06-02 12:24 -------- d-----w- c:\program files\AutoCAD 2005
2009-05-31 20:33 . 2009-05-31 20:33 -------- d-----w- c:\windows\system32\NtmsData
2009-05-30 22:28 . 2009-06-22 12:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-27 16:20 . 2009-05-27 16:20 -------- d-----w- c:\program files\Opera
2009-05-26 11:46 . 2009-05-26 11:46 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-26 11:37 . 2009-05-26 11:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-05-26 11:37 . 2009-05-26 11:37 -------- d-----w- c:\program files\NOS


Re: WinBlueSoft - crying for help

Post by koalabear on 24th June 2009, 5:29 pm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-23 20:27 . 2009-05-15 11:12 -------- d-----w- c:\program files\DC++
2009-06-18 13:47 . 2008-06-25 13:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-18 08:15 . 2008-06-25 13:16 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-06 12:43 . 2009-04-29 16:10 -------- d-----w- c:\program files\OpenSource AVI Splitter
2009-06-06 12:43 . 2009-05-01 14:05 -------- d-----w- c:\program files\Boilsoft Video Splitter
2009-06-02 12:24 . 2008-06-26 08:03 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-06-02 12:24 . 2008-06-26 08:06 -------- d-----w- c:\program files\AnswerWorks 4.0
2009-06-02 12:03 . 2008-06-26 08:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-05-21 09:57 . 2009-05-21 09:57 -------- d-----w- c:\program files\Agnitum
2009-05-12 23:25 . 2009-05-12 23:25 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-12 23:25 . 2009-05-12 23:25 -------- d-----w- c:\program files\Java
2009-05-12 22:55 . 2009-05-12 22:55 -------- d-----w- c:\program files\FileZilla FTP Client
2009-05-05 13:14 . 2009-05-05 13:14 -------- d-----w- c:\program files\MSN Messenger
2009-04-30 22:34 . 2009-04-30 22:34 0 ----a-w- c:\windows\nsreg.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 230960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 167936]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 946176]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-11-06 177456]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-12 308632]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 323584]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 110080]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 230960]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2008-10-5 10872]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 634941]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ekrn"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AutoCAD 2007\\acad.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Outlook Express\\wab.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe"=
"c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Documents and Settings\\Kordic\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"=
"c:\\Program Files\\WinRAR\\WinRAR.exe"=
"c:\\Program Files\\WIDCOMM\\Bluetooth Software\\BTTray.exe"=
"c:\\Documents and Settings\\Kordic\\Contacts\\svchost.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\ccc.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMIndexStoreSvr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Common Files\\Autodesk Shared\\Service\\AdskScSrv.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\PowerISO\\PowerISO.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\documents and settings\Kordic\Contacts\svchost.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [20.2.2008 11:11 33800]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\pukmnn.sys --> c:\windows\system32\drivers\pukmnn.sys [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [26.5.2009 13:37 33176]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\MSN Messenger\usnsvc.exe [19.1.2007 12:54 166768]
S4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [20.2.2008 11:08 472320]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: I&zvoz u Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-24 19:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-24 19:17
ComboFix-quarantined-files.txt 2009-06-24 17:16

Pre-Run: 90.126.815.232 bytes free
Post-Run: 90.154.123.264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
915

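The "Reg Loading Points" section of the log above is easier to review when the security-relevant settings are pulled out mechanically. The following is an added example, not part of the original thread or of ComboFix: the rule names, the `SYSTEM_NAMES` list and the sample excerpt (with the placeholder profile name `User`) are assumptions made for illustration.

```python
import ntpath
import re

# Constructed excerpt in the ComboFix "Reg Loading Points" layout.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Documents and Settings\\User\\Contacts\\svchost.exe"=
'''

# Assumed list of Windows binaries that normally live only in system32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "csrss.exe", "smss.exe"}
SECTION = re.compile(r'^\[(.+)\]\s*$')
VALUE = re.compile(r'^"([^"]+)"=\s*(.*)$')

def parse_int(raw):
    """Read 'dword:00000001' or '1 (0x1)' style values; None for anything else."""
    m = re.match(r'dword:([0-9a-fA-F]+)', raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'(\d+)\b', raw)
    return int(m.group(1)) if m else None

def triage(log_text):
    """Return (rule, detail) pairs for settings worth a reviewer's attention."""
    findings, key = [], ""
    for line in log_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE.match(line)
        if not m or not key:
            continue
        name, num = m.group(1), parse_int(m.group(2))
        if key.endswith(r"policies\system") and num == 1 and name in ("DisableTaskMgr", "DisableRegistryTools"):
            findings.append(("tool-lockout", name))
        elif "security center" in key and num == 1 and name.endswith(("Override", "DisableNotify")):
            findings.append(("security-center-muted", name))
        elif key.endswith(r"firewallpolicy\standardprofile") and name == "EnableFirewall" and num == 0:
            findings.append(("firewall-off", name))
        elif key.endswith(r"authorizedapplications\list"):
            path = name.replace("\\\\", "\\").lower()  # log escapes backslashes
            if ntpath.basename(path) in SYSTEM_NAMES and not ntpath.dirname(path).endswith(r"\system32"):
                findings.append(("system-name-outside-system32", path))
    return findings
```
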

Re: WinBlueSoft - crying for help

Post by Belahzur on 24th June 2009, 5:37 pm

I'm afraid I have bad news.

Your system is infected with a polymorphic file infector called Sality. Sality is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

For more information, please see [You must be registered and logged in to see this link.]

Instructions on how to format and reinstall Windows can be found [You must be registered and logged in to see this link.]


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245079
# Likes : 1
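One way to apply the backup advice in the post above is to build the list of files to copy before anything is written to the backup medium. This is an added example, not part of the original post: the function names and the constructed sample files are assumptions, and the check for the `MZ` executable header (to catch a renamed executable) goes beyond the two extensions the post names.

```python
import os
import tempfile

BLOCKED_EXT = {".exe", ".scr"}  # the two file types the post says not to back up

def has_mz_header(path):
    """True when the file starts with the DOS/PE 'MZ' magic (added check)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return True  # unreadable file: leave it out of the backup

def plan_backup(root):
    """Split the files under root into (keep, skip); skip entries carry a reason."""
    keep, skip = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in BLOCKED_EXT:
                skip.append((rel, "blocked extension"))
            elif has_mz_header(full):
                skip.append((rel, "MZ header"))
            else:
                keep.append(rel)
    return sorted(keep), sorted(skip)

def demo():
    """Run plan_backup over a small constructed directory."""
    samples = {
        "thesis.doc": b"\xd0\xcf\x11\xe0 document bytes",
        "photo.jpg": b"\xff\xd8\xff\xe0 image bytes",
        "setup.exe": b"MZ\x90\x00 program",
        "saver.SCR": b"MZ\x90\x00 screensaver",
        "notes.txt": b"MZ\x90\x00 executable renamed to .txt",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return plan_backup(root)

if __name__ == "__main__":
    keep, skip = demo()
    print("copy:", keep)
    print("leave behind:", skip)
```
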

Re: WinBlueSoft - crying for help

Post by Origin on 24th June 2009, 7:05 pm

That explains everything Goofy

