WinBlueSoft - crying for help

Page 2 of 2 Previous  1, 2


Re: WinBlueSoft - crying for help

Post by koalabear on Tue Jun 23, 2009 7:15 pm

Oh great, it's the first time I get a virus and it's a new one.

I did everything you said but I still don't have connection.

koalabear
Intermediate
Posts : 53
Joined : 2009-06-22
OS : xp
Points : 27275
# Likes : 0

Re: WinBlueSoft - crying for help

Post by Belahzur on Tue Jun 23, 2009 7:17 pm

Okay, post a new Hijack This log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245049
# Likes : 1

Re: WinBlueSoft - crying for help

Post by koalabear on Tue Jun 23, 2009 7:24 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:24:24, on 23.6.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\bcle.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\rhlni.exe
C:\Program Files\Mozilla Firefox\firefox.exe
\Arhitekt-397a7d\c\MGtools\analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5757
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Win32 Firewall] C:\DOCUME~1\Kordic\LOCALS~1\Temp\298.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Win32 Firewall] C:\DOCUME~1\Kordic\LOCALS~1\Temp\298.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-583907252-1202660629-682003330-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Kordic')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Bluetooth.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: I&zvoz u Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6894 bytes


Re: WinBlueSoft - crying for help

Post by koalabear on Tue Jun 23, 2009 7:29 pm

If it means anything... I'm able to connect to your page through Firefox, but only your page. IE and Opera are not working.


Re: WinBlueSoft - crying for help

Post by Belahzur on Tue Jun 23, 2009 7:56 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5757
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O4 - HKLM\..\Run: [Win32 Firewall] C:\DOCUME~1\Kordic\LOCALS~1\Temp\298.exe
    O4 - HKCU\..\Run: [Win32 Firewall] C:\DOCUME~1\Kordic\LOCALS~1\Temp\298.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


  • Press "Fix Checked"
  • Close Hijack This.

Can you run an MBAM scan again?


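The entries the helper singles out above follow a few recognisable patterns. As an added example (not part of the thread and not HijackThis code), this script scans a HijackThis log for them: a ProxyServer set to the loopback address, Run keys that launch an executable from a Temp folder, and a Policies\System restriction; the sample lines are a constructed subset of the log posted above.

```python
"""Triage a HijackThis log for the hijack patterns discussed in this thread.

Added example: not part of the thread and not HijackThis code. The rules
encode the entries the helper told the poster to "Fix Checked": a browser
proxy forced to the loopback address, Run keys that launch an executable
from a Temp folder, and a Policies\\System value that disables regedit.
"""
import re
from typing import Dict, List

# Constructed sample: a subset of the log posted above, with two benign
# lines (jusched, hpqwmiex) left in so the rules can be seen to skip them.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5757
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Win32 Firewall] C:\DOCUME~1\Kordic\LOCALS~1\Temp\298.exe
O4 - HKCU\..\Run: [Win32 Firewall] C:\DOCUME~1\Kordic\LOCALS~1\Temp\298.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
"""

PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<value>.+)$")
OVERRIDE_RE = re.compile(r"^R1 - .*Internet Settings,ProxyOverride = ")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[^\\]+)\\.*Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
POLICY_RE = re.compile(r"^O7 - .*Policies\\System, (?P<policy>Disable\w+)=1")
LOOPBACK_RE = re.compile(r"\b(127\.0\.0\.1|localhost)\b", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the suspicious log entries, each with a one-line reason."""
    findings: List[Dict[str, str]] = []
    override_lines: List[str] = []
    loopback_proxy = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            # A system (WinINET) proxy on 127.0.0.1 means every IE request is
            # handed to a local process; if that process is gone, IE has no route out.
            if LOOPBACK_RE.search(m.group("value")):
                loopback_proxy = True
                findings.append({"line": line, "reason":
                                 "ProxyServer points at the loopback address; browser traffic "
                                 "is routed through a local process"})
            continue
        if OVERRIDE_RE.match(line):
            override_lines.append(line)   # only meaningful together with a bad ProxyServer
            continue
        m = RUN_RE.match(line)
        if m and TEMP_DIR_RE.search(m.group("cmd")):
            findings.append({"line": line, "reason":
                             f"{m.group('hive')} Run key '{m.group('name')}' launches an "
                             "executable from a Temp folder"})
            continue
        m = POLICY_RE.match(line)
        if m:
            findings.append({"line": line, "reason":
                             f"{m.group('policy')}=1 blocks the user's own admin tooling"})
    if loopback_proxy:
        for line in override_lines:
            findings.append({"line": line, "reason":
                             "ProxyOverride set alongside a loopback ProxyServer; "
                             "clear it together with the proxy"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}\n    {f['line']}")
```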

Re: WinBlueSoft - crying for help

Post by koalabear on Tue Jun 23, 2009 8:05 pm

Malwarebytes' Anti-Malware 1.38
Database version: 2283
Windows 5.1.2600 Service Pack 2

23.6.2009 22:05:28
mbam-log-2009-06-23 (22-05-23).txt

Scan type: Quick Scan
Objects scanned: 97392
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 11
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\Documents and Settings\Kordic\Local Settings\Temp\bcle.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Kordic\Local Settings\Temp\rhlni.exe (Trojan.Downloader) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Kordic\Local Settings\Temp\bcle.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Kordic\Local Settings\Temp\rhlni.exe (Trojan.Downloader) -> No action taken.
c:\RECYCLER\s-1-5-21-1708502002-5774778955-212626128-2853\rundll32.exe (Trojan.Dropper) -> No action taken.
c:\program files\outlook express\wab.exe.tmp (Trojan.Downloader) -> No action taken.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> No action taken.
c:\WINDOWS\Temp\tempo-2191406.tmp (Trojan.DNSChanger) -> No action taken.
c:\WINDOWS\Temp\tempo-2192734.tmp (Trojan.DNSChanger) -> No action taken.
c:\WINDOWS\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll (Trojan.Agent) -> No action taken.


Re: WinBlueSoft - crying for help

Post by Belahzur on Tue Jun 23, 2009 8:09 pm

Are you removing these? Every MBAM log you've given us says no action taken. The items found need to be removed, because something is regenerating the infection.



Re: WinBlueSoft - crying for help

Post by koalabear on Tue Jun 23, 2009 8:11 pm

I made a new scan every time.


Re: WinBlueSoft - crying for help

Post by Belahzur on Tue Jun 23, 2009 8:16 pm

Yes, but did you remove everything it found?



Re: WinBlueSoft - crying for help

Post by koalabear on Tue Jun 23, 2009 8:21 pm

God, I feel stupid now. I'm so sorry, I don't know anything about these things, so I didn't do anything but scan. :ashamed:

Here's the list now...

Malwarebytes' Anti-Malware 1.38
Database version: 2283
Windows 5.1.2600 Service Pack 2

23.6.2009 22:20:01
mbam-log-2009-06-23 (22-20-01).txt

Scan type: Quick Scan
Objects scanned: 97404
Time elapsed: 1 minute(s), 26 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 11
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\Documents and Settings\Kordic\Local Settings\Temp\bcle.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\Kordic\Local Settings\Temp\rhlni.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Kordic\Local Settings\Temp\bcle.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kordic\Local Settings\Temp\rhlni.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-1708502002-5774778955-212626128-2853\rundll32.exe (Trojan.Dropper) -> Delete on reboot.
c:\program files\outlook express\wab.exe.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\tempo-2191406.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\tempo-2192734.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll (Trojan.Agent) -> Quarantined and deleted successfully.


Re: WinBlueSoft - crying for help

Post by Belahzur on Tue Jun 23, 2009 8:25 pm

Hmm.
First, please let MBAM reboot when it needs to, and then, when back in normal mode, open MBAM again.
Go into the update tab and check for the latest updates. Once you have the latest updates, please run a new scan.



Re: WinBlueSoft - crying for help

Post by koalabear on Tue Jun 23, 2009 9:42 pm

I did the update and scanned it twice... this is what is left:

Malwarebytes' Anti-Malware 1.38
Database version: 2326
Windows 5.1.2600 Service Pack 2

23.6.2009 23:36:30
mbam-log-2009-06-23 (23-36-27).txt

Scan type: Quick Scan
Objects scanned: 99191
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: WinBlueSoft - crying for help

Post by Belahzur on Tue Jun 23, 2009 10:09 pm

No action taken again.
Please remove the items found.


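Both of the helper's points in this thread (a log whose every result is "No action taken" records a scan that only reported, and items that are back after being quarantined mean something is re-creating them) can be checked mechanically. Added example, not part of the thread and not Malwarebytes code; the two sample logs are constructed subsets of the scans posted above.

```python
"""Parse Malwarebytes' Anti-Malware (1.x) scan logs and compare two scans.

Added example: not part of the thread and not Malwarebytes code. It checks
the two things the helper points out: a log whose every result is
"No action taken" records a scan that only reported, and items that were
quarantined or deleted in one scan and are detected again in a later one
are being re-created by something still on the machine.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str   # e.g. "Registry Data Items Infected"
    item: str      # registry path or file path
    label: str     # detection name, e.g. Hijack.Regedit
    action: str    # MBAM's result text for the item


# "<item> (<label>) -> [<detail> -> ]<action>"; the action is the last arrow segment.
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<label>[^()]+)\) -> (?P<rest>.+)$")
REMOVED_PREFIXES = ("Quarantined and deleted", "Delete on reboot")

# Constructed samples: subsets of two scans posted above, the first run with
# removal, the second a later scan in which the same policy values are back.
SCAN_AFTER_REMOVAL = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Kordic\Local Settings\Temp\bcle.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SCAN_LATER = r"""
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
(No malicious items detected)
"""


def parse_mbam_log(text: str) -> List[Finding]:
    """Return one Finding per detected item, skipping headers and empty sections."""
    findings: List[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):   # section header (the summary lines end in a count)
            section = line[:-1]
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if m:
            action = m.group("rest").rsplit(" -> ", 1)[-1]
            findings.append(Finding(section, m.group("item"), m.group("label"), action))
    return findings


def unremediated(findings: List[Finding]) -> List[Finding]:
    """Items the scan found but did not remove (the 'No action taken' case)."""
    return [f for f in findings if f.action.startswith("No action taken")]


def reappeared(earlier: List[Finding], later: List[Finding]) -> List[Finding]:
    """Items removed in `earlier` that `later` detects again: a persistence
    mechanism is still re-creating them, so removing the visible items will not hold."""
    removed = {f.item.lower() for f in earlier if f.action.startswith(REMOVED_PREFIXES)}
    return [f for f in later if f.item.lower() in removed]


if __name__ == "__main__":
    first, second = parse_mbam_log(SCAN_AFTER_REMOVAL), parse_mbam_log(SCAN_LATER)
    print(f"first scan: {len(first)} items, {len(unremediated(first))} left unremediated")
    print(f"later scan: {len(second)} items, {len(unremediated(second))} left unremediated")
    for f in reappeared(first, second):
        print("re-created:", f.label, f.item)
```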

Re: WinBlueSoft - crying for help

Post by koalabear on Tue Jun 23, 2009 10:13 pm

I keep removing them, rebooting but they are there again.


Re: WinBlueSoft - crying for help

Post by koalabear on Wed Jun 24, 2009 10:51 am

I'm doing scans, removing, rebooting all the time, but there is always something left.


Re: WinBlueSoft - crying for help

Post by Belahzur on Wed Jun 24, 2009 2:19 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Re: WinBlueSoft - crying for help

Post by koalabear on Wed Jun 24, 2009 2:59 pm

I already tried that DDS, it's not working... just a bunch of letters.


Re: WinBlueSoft - crying for help

Post by Belahzur on Wed Jun 24, 2009 3:06 pm

Try Combofix again even though Nod32 is active.



Re: WinBlueSoft - crying for help

Post by koalabear on Wed Jun 24, 2009 5:27 pm

ComboFix 09-06-23.01 - Kordic 24.06.2009 19:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2647 [GMT 2:00]
Running from: c:\documents and settings\Kordic\Desktop\Combo-Fix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.



Re: WinBlueSoft - crying for help

Post by koalabear on Wed Jun 24, 2009 5:28 pm

c:\windows\76725ormz98.cpl
c:\windows\769dd5wnzoader865.cpl
c:\windows\77a2s59zare1231.ocx
c:\windows\7915zpars93223.bin
c:\windows\792fsp5rz9452.bin
c:\windows\793zworm5865.ocx
c:\windows\794cadd5are32z59.dll
c:\windows\79509zy3bc.cpl
c:\windows\7951vzr1942.cpl
c:\windows\79595z95e9.bin
c:\windows\795bsp9rsz5751.bin
c:\windows\795bv5rz605.exe
c:\windows\798fvzr9405.dll
c:\windows\798z5hreat12460.exe
c:\windows\79d8a5dzare9238.bin
c:\windows\7ab6zackdo9r535.ocx
c:\windows\7c09ba5kdzor4439.dll
c:\windows\7ccb9ackzoor1785.exe
c:\windows\7cccdzwnlo9der585.bin
c:\windows\7d6asp59se266z.exe
c:\windows\7d8cvirz759.dll
c:\windows\7z725hre9t535.exe
c:\windows\7zc9spyware10495.bin
c:\windows\7zebadd9are1035.cpl
c:\windows\807spywaz5719.ocx
c:\windows\8950not-a-zirus745.dll
c:\windows\90570t5oj35z.cpl
c:\windows\91328not-azvi5us3e3.exe
c:\windows\913z3vi5us5d9.cpl
c:\windows\91b5ackdozr2921.bin
c:\windows\92b9s5zware1287.cpl
c:\windows\93469tro545z.dll
c:\windows\9365spamzo558f.exe
c:\windows\937bth5efz39.exe
c:\windows\93z6th5eat8678.cpl
c:\windows\9407hzc9tool6b05.ocx
c:\windows\9411notz5-virus261.exe
c:\windows\94169rojz5c5.ocx
c:\windows\94355zacktool42e.bin
c:\windows\94586za5ktool563.cpl
c:\windows\9555ztroj67b.dll
c:\windows\9574noz-a9virus3ce.bin
c:\windows\95865zacktool138.exe
c:\windows\9589steal396z.exe
c:\windows\95dd9wnlzader17.cpl
c:\windows\95z8vir9s755.bin
c:\windows\9676wo5m1fz.ocx
c:\windows\9696sz5mbot68.ocx
c:\windows\972cbazkdoor1965.ocx
c:\windows\9753steal30z.cpl
c:\windows\97591not-a5virzs511.exe
c:\windows\97z4downloader5366.cpl
c:\windows\97z5vir957.cpl
c:\windows\97z99spambot5ab.dll
c:\windows\9959tzoj545.cpl
c:\windows\9acz5ir1164.dll
c:\windows\9b9thzef1945.ocx
c:\windows\9ccezteal1785.bin
c:\windows\9z041vi5us1df.ocx
c:\windows\9z7espyware30755.exe
c:\windows\9z8thre5925139.bin
c:\windows\abczte5l359.dll
c:\windows\aff5ackdozr19349.bin
c:\windows\b9zv5r3177.exe
c:\windows\c15addwar92094z.cpl
c:\windows\e1z5hief17519.cpl
c:\windows\f6bvi9z556.cpl
c:\windows\fbs9azs52715.bin
c:\windows\kb913800.exe
c:\windows\system32\10045not-a-vi5us9dbz.exe
c:\windows\system32\105359irzs19d.cpl
c:\windows\system32\105bdowzloa9er2253.dll
c:\windows\system32\1077stza52589.exe
c:\windows\system32\10799vzrus2a5.dll
c:\windows\system32\10955szy792.bin
c:\windows\system32\1099hac9tool5bez.bin
c:\windows\system32\10afzp59are2290.dll
c:\windows\system32\11370ha9ktzol556.bin
c:\windows\system32\117zste952824.exe
c:\windows\system32\11z58not-9-virus14c.cpl
c:\windows\system32\12026wor9za5.ocx
c:\windows\system32\12583not-a9viruz423.bin
c:\windows\system32\1272spa5bot49z.dll
c:\windows\system32\13799zro5218.exe
c:\windows\system32\13853wozm3a59.dll
c:\windows\system32\1401z9pyd5.ocx
c:\windows\system32\140cthzef9538.ocx
c:\windows\system32\1412vi5u9z6f.ocx
c:\windows\system32\14557troz69c5.ocx
c:\windows\system32\146019ir5s655z.dll
c:\windows\system32\1486s5zmb9t37.ocx
c:\windows\system32\15290not-azvirus4ad.bin
c:\windows\system32\15316zirus359.exe
c:\windows\system32\1539spazse189.bin
c:\windows\system32\15420hackz95l7e.cpl
c:\windows\system32\15529woz9788.bin
c:\windows\system32\15541tr59z1e.dll
c:\windows\system32\15546trojz9.dll
c:\windows\system32\156z6h9cktool389.cpl
c:\windows\system32\1583hacktzol3a59.bin
c:\windows\system32\1588vz59243.exe
c:\windows\system32\15acspyza5e24609.bin
c:\windows\system32\15b9spyzare5290.bin
c:\windows\system32\15dsparze2549.ocx
c:\windows\system32\15vir954z.bin
c:\windows\system32\16057s9y5zc.bin
c:\windows\system32\16850viruz489.exe
c:\windows\system32\17124zpambot4589.dll
c:\windows\system32\17329wo5m96ez.dll
c:\windows\system32\173z9hacktoo96295.ocx
c:\windows\system32\174579zamb5teb.exe
c:\windows\system32\175dsteal2z9.cpl
c:\windows\system32\185bzpar9e138.cpl
c:\windows\system32\187259roz1b1.cpl
c:\windows\system32\18b3b9ckdoorz155.bin
c:\windows\system32\18z03spambo52db9.cpl
c:\windows\system32\191559orm1e6z.ocx
c:\windows\system32\19518zorm40e.ocx
c:\windows\system32\19550wozm586.bin
c:\windows\system32\19775spam95t2za.bin
c:\windows\system32\19841not-a-9irus58z.exe
c:\windows\system32\19z239acktool33e5.ocx
c:\windows\system32\19z28spambot1295.cpl
c:\windows\system32\19zc5hr9at11367.exe
c:\windows\system32\1a9bdownlz5der2460.cpl
c:\windows\system32\1ab25pa9se19z2.exe
c:\windows\system32\1c859ownlza5er574.ocx
c:\windows\system32\1d95spzware1960.dll
c:\windows\system32\1z107not-a-59rus622.bin
c:\windows\system32\1z2d9wnloader15935.exe
c:\windows\system32\1z617vi9us457.dll
c:\windows\system32\1z9dvir2514.bin
c:\windows\system32\1za2spa9se13995.bin
c:\windows\system32\20511hzcktoo9530.ocx
c:\windows\system32\205509ormz8d.ocx
c:\windows\system32\2066s5yware25z99.exe
c:\windows\system32\20z5995rm5e1.bin
c:\windows\system32\21412hzckto5l956.bin
c:\windows\system32\21523t9z56b8.dll
c:\windows\system32\2163ad5wa9e3250z.cpl
c:\windows\system32\2174szy3559.ocx
c:\windows\system32\21f6szyware4159.dll
c:\windows\system32\21z475orm96.dll
c:\windows\system32\22092virus4f5z.exe
c:\windows\system32\220zthi5f997.cpl
c:\windows\system32\22983ha5ktool6z5.cpl
c:\windows\system32\229cspyzar91556.exe
c:\windows\system32\233355a9kzool2b5.exe
c:\windows\system32\23820spyzb59.exe
c:\windows\system32\23968wo5m7zc.exe
c:\windows\system32\23973virusz529.exe
c:\windows\system32\239fthr5zt16153.ocx
c:\windows\system32\23d8addwz953187.cpl
c:\windows\system32\23e49iz5081.bin
c:\windows\system32\24059wozm954.dll
c:\windows\system32\247z1viru53379.ocx
c:\windows\system32\24910not-az5irus648.exe
c:\windows\system32\2493t5ief6z6.exe
c:\windows\system32\24b9th5zf9570.cpl
c:\windows\system32\24d3s9eal1z65.dll
c:\windows\system32\2508addware295z.dll
c:\windows\system32\25239wzrm2c59.dll
c:\windows\system32\25500wzrm439.ocx
c:\windows\system32\25703spz9bot319.bin
c:\windows\system32\25992not-a-vzrus5459.bin
c:\windows\system32\25998sp5z7d9.exe
c:\windows\system32\25b5sparsz9795.exe
c:\windows\system32\2627no5-azvirus539.exe
c:\windows\system32\263259i5uszfd.bin
c:\windows\system32\26579hacktool7z9.bin
c:\windows\system32\27441ha9k5zol14a.ocx
c:\windows\system32\27859ir245z.ocx
c:\windows\system32\27878n5z-a-virus91f.cpl
c:\windows\system32\278a9iz975.bin
c:\windows\system32\284125iruz9a.cpl
c:\windows\system32\28575zpy559.ocx
c:\windows\system32\2869z5a9ktool3d8.ocx
c:\windows\system32\287679orm45z.cpl
c:\windows\system32\290aba5kdozr740.cpl
c:\windows\system32\2911h5c9tool76z.dll
c:\windows\system32\2925ztroj955.exe
c:\windows\system32\292ddownl5adez490.cpl
c:\windows\system32\29383zor5cb.ocx
c:\windows\system32\29497tro51f1z.cpl
c:\windows\system32\29588hackt95l2ccz.cpl
c:\windows\system32\29728spamboz295.cpl
c:\windows\system32\297bs5y9arz1059.ocx
c:\windows\system32\29881notza-viru959b5.ocx
c:\windows\system32\29948s5azbot492.ocx
c:\windows\system32\29a5sparze1496.ocx
c:\windows\system32\2aa7dzwnloader94535.cpl
c:\windows\system32\2b4cs59alz146.exe
c:\windows\system32\2b9dthzeat5834.bin
c:\windows\system32\2c50doz59oader2443.bin
c:\windows\system32\2c61thi9fz152.dll
c:\windows\system32\2d9fa9d5are32z9.exe
c:\windows\system32\2fa8vi92z385.exe
c:\windows\system32\2z147spy59d.exe
c:\windows\system32\2z245vir9s4c1.dll
c:\windows\system32\2z3ast5al2989.dll
c:\windows\system32\2z409wor965d.exe
c:\windows\system32\2z599worm31b.exe
c:\windows\system32\2zeath9ef9885.ocx
c:\windows\system32\3025spamb5t290z.dll
c:\windows\system32\3062295yzd2.bin
c:\windows\system32\312559zeat28037.cpl
c:\windows\system32\31297sp951z.dll
c:\windows\system32\3134zir59436.exe
c:\windows\system32\313cdownloa5er3930z.cpl
c:\windows\system32\3195spzmbo925f.bin
c:\windows\system32\32179ack5ool6za.bin
c:\windows\system32\32553sp5zbo9508.exe
c:\windows\system32\3259zpy7bf.dll
c:\windows\system32\3292bzckdoo51366.ocx
c:\windows\system32\32bz5ddware29.ocx
c:\windows\system32\33zcvir5999.bin
c:\windows\system32\35629trzj6c2.dll
c:\windows\system32\3589dzwnl5ade91353.cpl
c:\windows\system32\36d55pars92464z.cpl
c:\windows\system32\3753do5nloade9232z.ocx
c:\windows\system32\375ddown9ozder2837.dll
c:\windows\system32\377dspzr5e18659.cpl
c:\windows\system32\3796sparse15z7.cpl
c:\windows\system32\3954downl9adzr1445.bin
c:\windows\system32\3967spy4d5z.ocx
c:\windows\system32\3a5db9ckdooz1759.ocx
c:\windows\system32\3a99steal31z25.dll
c:\windows\system32\3b9ba9dware85z.bin
c:\windows\system32\3c19t5rzat6972.dll
c:\windows\system32\3f1thzeat5952.dll
c:\windows\system32\3z015hack9ool6d5.exe
c:\windows\system32\3z3a9pywar52883.ocx
c:\windows\system32\3z553wor52aa9.bin
c:\windows\system32\3z79spyware715.exe
c:\windows\system32\3z7fth5e91028.ocx
c:\windows\system32\3z875ownload9r1975.exe
c:\windows\system32\404a5dzware16529.ocx
c:\windows\system32\40f29hizf29255.dll
c:\windows\system32\41ad9ackdoorz57.cpl
c:\windows\system32\41fesparz925.exe
c:\windows\system32\43zf59yware167.ocx
c:\windows\system32\458fdownloade9z689.dll
c:\windows\system32\45a3stz591695.dll
c:\windows\system32\46f0downz95der1916.ocx
c:\windows\system32\48z5backdoor2389.ocx
c:\windows\system32\4905tr5j59z.bin
c:\windows\system32\495zvir1347.ocx
c:\windows\system32\4989virus3e5z.dll
c:\windows\system32\499fdownlozde5470.cpl
c:\windows\system32\49b5th5e9t1z07.cpl
c:\windows\system32\49f6z5ckdoor2796.bin
c:\windows\system32\4e12zpy9are5646.cpl
c:\windows\system32\4e52s9yza5e2977.exe
c:\windows\system32\4f57z9i5f2494.dll
c:\windows\system32\4f91backdo5z1917.bin
c:\windows\system32\4z95spa9se2272.dll
c:\windows\system32\4za2backd9or27455.exe
c:\windows\system32\505fbz9kdoor2019.cpl
c:\windows\system32\5083t9ie5156z.ocx
c:\windows\system32\5095haz9too5747.exe
c:\windows\system32\50b8s9zal1686.dll
c:\windows\system32\518zvi53799.bin
c:\windows\system32\51cth5ef1489z.bin
c:\windows\system32\51fszarse1975.bin
c:\windows\system32\5205spy192z.bin
c:\windows\system32\520fspars92z70.ocx
c:\windows\system32\5237zorm6c9.bin
c:\windows\system32\5255vi95z.ocx
c:\windows\system32\525cv9z85.ocx
c:\windows\system32\52702virus2f9z.exe
c:\windows\system32\529hz5f3259.bin
c:\windows\system32\53vir925z.exe
c:\windows\system32\54z7vir9181.dll
c:\windows\system32\5523backdo9r1z39.exe
c:\windows\system32\55360hazkto9l736.bin
c:\windows\system32\555fthief980z.exe
c:\windows\system32\5579vzr1969.ocx
c:\windows\system32\55945spy9zf.exe
c:\windows\system32\5599v9rus750z.cpl
c:\windows\system32\559bzhreat11165.ocx
c:\windows\system32\55z8s9a5se1691.ocx
c:\windows\system32\56259ddwzre2149.dll
c:\windows\system32\56772v9ruz383.dll
c:\windows\system32\5691t95efz153.ocx
c:\windows\system32\56z9thief1995.bin
c:\windows\system32\57241troj9bcz.cpl
c:\windows\system32\5770s9yza5e3081.exe
c:\windows\system32\578baczdoor9255.cpl
c:\windows\system32\584fs9yw5re299z.cpl
c:\windows\system32\5928thzea915518.exe
c:\windows\system32\5934zspy446.bin
c:\windows\system32\5959trojz259.ocx
c:\windows\system32\597bsparsz9519.exe
c:\windows\system32\598fthi5z1863.cpl
c:\windows\system32\5a9b5iz719.bin
c:\windows\system32\5aedzackdoor28895.ocx
c:\windows\system32\5b51v59z01.dll
c:\windows\system32\5b55thiez28389.exe


Re: WinBlueSoft - crying for help

Post by koalabear on Wed Jun 24, 2009 5:28 pm

c:\windows\system32\5c109zief11835.dll
c:\windows\system32\5ca9add9aze1358.cpl
c:\windows\system32\5cbdbackd9zr178.exe
c:\windows\system32\5d85szars9875.cpl
c:\windows\system32\5d93thzef1189.cpl
c:\windows\system32\5defzackdo9r279.ocx
c:\windows\system32\5e4ad5za9e2091.bin
c:\windows\system32\5fbdvzr997.ocx
c:\windows\system32\5ff5addw9re185z.dll
c:\windows\system32\5fftzief1179.bin
c:\windows\system32\5z86v5rus54d9.bin
c:\windows\system32\5zbaspars91472.dll
c:\windows\system32\5zc9backdoor31485.dll
c:\windows\system32\5zfe5pyware3099.exe
c:\windows\system32\6179downlo5derz055.bin
c:\windows\system32\6219pz5f1.exe
c:\windows\system32\6237b5ck9zor2735.cpl
c:\windows\system32\6531a9dw5ze1888.ocx
c:\windows\system32\653bspywz9e651.bin
c:\windows\system32\65b5b9ckdozr2930.bin
c:\windows\system32\664fzhreat25097.bin
c:\windows\system32\6653spywarez895.cpl
c:\windows\system32\6685threa92351z.bin
c:\windows\system32\690b5ckdoor15z5.ocx
c:\windows\system32\6a5backdo5r123z9.exe
c:\windows\system32\6a9zthr95t26961.bin
c:\windows\system32\6bz759ckdoor2835.cpl
c:\windows\system32\6d4zspyware19735.exe
c:\windows\system32\6e17addwa951z75.bin
c:\windows\system32\6e1zspyware9555.bin
c:\windows\system32\6e67sp95zre1913.cpl
c:\windows\system32\6e90thr9at5z91.dll
c:\windows\system32\710edownlzade53196.cpl
c:\windows\system32\715t95j1c2z.dll
c:\windows\system32\727b9hzef2951.cpl
c:\windows\system32\72e8s9azse3259.bin
c:\windows\system32\73f0backdoz926935.cpl
c:\windows\system32\7523tr9j33cz.cpl
c:\windows\system32\755zt5ief139.bin
c:\windows\system32\757zspywar922575.dll
c:\windows\system32\7595zhief640.ocx
c:\windows\system32\75zfthr5at23995.ocx
c:\windows\system32\7695zor95de.ocx
c:\windows\system32\769zvir2258.ocx
c:\windows\system32\77f9zteal529.ocx
c:\windows\system32\789azir15059.bin
c:\windows\system32\7955b9ck5oor2783z.cpl
c:\windows\system32\7b94bzckdo952501.exe
c:\windows\system32\7cd1thr5atz983.cpl
c:\windows\system32\7d80spzware595.exe
c:\windows\system32\7de7spy9are35z3.cpl
c:\windows\system32\7e19downloazer2956.dll
c:\windows\system32\7f9zdownloa5er9105.exe
c:\windows\system32\7z3e9i51224.exe
c:\windows\system32\7z95spyw5r9363.ocx
c:\windows\system32\84419acktool5zb.ocx
c:\windows\system32\855spars91079z.ocx
c:\windows\system32\89espa5ze71.dll
c:\windows\system32\8e4zteal51469.dll
c:\windows\system32\8edt9re5t2z844.bin
c:\windows\system32\9053hacktool5a2z.cpl
c:\windows\system32\90965ozm76.ocx
c:\windows\system32\91480virzs3c15.exe
c:\windows\system32\914spyz5re9085.exe
c:\windows\system32\92038zroj5b85.exe
c:\windows\system32\92572z5rus73a.bin
c:\windows\system32\92574not5z-virus365.cpl
c:\windows\system32\9335ddzare2927.exe
c:\windows\system32\93445worz514.exe
c:\windows\system32\9393not-a-virus5f9z.ocx
c:\windows\system32\94300spazbot1aa5.ocx
c:\windows\system32\9583szambot1795.dll
c:\windows\system32\9594zteal2112.dll
c:\windows\system32\95zcthief19905.bin
c:\windows\system32\96267spambo52ez.ocx
c:\windows\system32\9690threa51905z.exe
c:\windows\system32\9723not-z-viru596d.cpl
c:\windows\system32\973z0troj25f5.dll
c:\windows\system32\97550spy761z.bin
c:\windows\system32\9789not-a-viruz425.bin
c:\windows\system32\97e8stezl534.dll
c:\windows\system32\9829nzt-a-95rus59.exe
c:\windows\system32\9853wo9m69fz.cpl
c:\windows\system32\9962ha5ktooz47e9.dll
c:\windows\system32\9cbspa5ze449.cpl
c:\windows\system32\9d4downloazer1951.bin
c:\windows\system32\9dz5spyware2026.ocx
c:\windows\system32\9e94stzal658.bin
c:\windows\system32\9z534hac5tool7c9.bin
c:\windows\system32\9z742spy7e15.cpl
c:\windows\system32\e90zhr59t8739.cpl
c:\windows\system32\e98szyware2541.exe
c:\windows\system32\f55tzief15995.cpl
c:\windows\system32\setup2.exe
c:\windows\system32\z1507worm9d5.cpl
c:\windows\system32\z191steal1559.cpl
c:\windows\system32\z265259ambot2f5.bin
c:\windows\system32\z2ebackdoor29155.exe
c:\windows\system32\z3755worm7c9.dll
c:\windows\system32\z42t5ief2996.dll
c:\windows\system32\z4599ackdo5r3015.dll
c:\windows\system32\z528addwar52049.cpl
c:\windows\system32\z5926tro5311.dll
c:\windows\system32\z66spy9are30565.dll
c:\windows\system32\z705backdoo91589.ocx
c:\windows\system32\z755spyware21169.dll
c:\windows\system32\z77f5hi9f224.bin
c:\windows\system32\z8550wor53099.bin
c:\windows\system32\z89b5ckdoor409.dll
c:\windows\system32\z936tr9j592.ocx
c:\windows\system32\z992sp5mbot26e.dll
c:\windows\system32\z9d5threat24598.bin
c:\windows\system32\zb29spa5se2722.ocx
c:\windows\system32\zb34st95l2149.bin
c:\windows\system32\zd5stea9539.bin
c:\windows\system32\zda9steal11425.exe
c:\windows\system32\zdccad95are430.ocx
c:\windows\system32\zdd35pywa9e1871.ocx
c:\windows\z099v5r3258.ocx
c:\windows\z1605tro91cc.bin
c:\windows\z19cbackd5or3197.cpl
c:\windows\z1b2threa55995.dll
c:\windows\z243threat199455.bin
c:\windows\z2579tro9146.exe
c:\windows\z25ca9dware2280.cpl
c:\windows\z2a1spyware9521.bin
c:\windows\z3952t5oj96e.ocx
c:\windows\z43edown5oader2991.bin
c:\windows\z49ft9rea519285.exe
c:\windows\z4dasparse5549.cpl
c:\windows\z514tro948d.dll
c:\windows\z51fspy9are2337.ocx
c:\windows\z529vir984.ocx
c:\windows\z54519pam5ot5f3.ocx
c:\windows\z6910ha5k9ool658.exe
c:\windows\z905vi5us1cf.exe
c:\windows\z925vi5140.cpl
c:\windows\z9513s9ambot145.exe
c:\windows\z983w9rm4d45.bin
c:\windows\z9970spy3b59.cpl
c:\windows\zaf5bac59oor1494.exe
c:\windows\zbc7thief2259.ocx
c:\windows\zc0s5arse2914.ocx
c:\windows\zf1as5eal2091.bin
c:\windows\zfb5vir19169.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-23 20:12 . 2009-06-23 20:12 293 ----a-w- C:\MGlogs.zip
2009-06-23 20:12 . 2009-06-23 20:13 -------- d-----w- C:\MGtools
2009-06-22 20:16 . 2009-06-22 20:16 -------- d-----w- c:\documents and settings\Kordic\Application Data\Malwarebytes
2009-06-22 14:26 . 2009-06-22 14:26 -------- d-----w- c:\documents and settings\Kordic\Application Data\Winamp
2009-06-22 13:34 . 2009-06-17 09:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 13:34 . 2009-06-22 13:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 13:34 . 2009-06-22 13:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-22 13:34 . 2009-06-17 09:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-22 13:16 . 2009-06-22 13:16 -------- d-----w- c:\program files\Trend Micro
2009-06-22 13:16 . 2009-06-22 13:16 881976 ----a-w- C:\HJTInstall.exe
2009-06-22 12:56 . 2009-06-22 12:58 -------- d-----w- c:\documents and settings\Kordic\Application Data\GetRightToGo
2009-06-22 12:45 . 2009-06-22 12:45 -------- d-----w- c:\documents and settings\Kordic\Application Data\AVG7
2009-06-22 12:45 . 2009-06-22 12:45 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVG7
2009-06-22 12:45 . 2009-06-22 12:45 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-06-22 12:44 . 2009-06-22 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7
2009-06-22 12:08 . 2008-03-03 16:21 568 ---ha-w- c:\windows\nod32fixtemdono.reg
2009-06-22 12:08 . 2008-03-03 12:25 5702 ---ha-w- c:\windows\nod32restoretemdono.reg
2009-06-22 12:05 . 2009-06-22 12:05 -------- d-----w- c:\program files\ESET
2009-06-22 06:15 . 2009-06-22 06:15 -------- d-----w- c:\documents and settings\Kordic\Application Data\Agnitum
2009-06-21 19:56 . 2009-06-22 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-18 10:59 . 2009-06-18 10:59 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-06-18 10:49 . 2009-06-18 13:48 -------- d-----w- c:\documents and settings\Kordic\Local Settings\Application Data\Microsoft
2009-06-18 10:46 . 2009-06-18 10:46 -------- d-----w- c:\documents and settings\Kordic\Local Settings\Application Data\Identities
2009-06-18 10:45 . 2009-06-18 10:45 -------- d-----w- c:\documents and settings\Kordic\Bluetooth Software
2009-06-18 10:45 . 2009-06-18 10:45 -------- d-----w- c:\documents and settings\Kordic\Contacts
2009-06-18 10:45 . 2009-06-24 17:07 -------- d-s---w- c:\windows\Cookies
2009-06-18 10:45 . 2009-06-22 12:56 -------- d-----w- c:\documents and settings\Kordic
2009-06-17 18:32 . 2008-09-04 19:17 447752 ----a-w- c:\windows\system32\vp6vfw.dll
2009-06-17 18:32 . 2009-06-17 18:32 -------- d-----w- c:\program files\Microsoft WSE
2009-06-17 14:46 . 2009-06-17 14:46 -------- d-----w- c:\program files\PowerISO
2009-06-17 14:39 . 2009-06-17 14:39 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-17 14:28 . 2009-06-17 14:28 51200 ----a-w- c:\windows\system32\lspcfm.dll
2009-06-17 14:02 . 2009-06-17 14:02 -------- d-----w- c:\program files\7-Zip
2009-06-17 13:52 . 2009-06-17 13:52 -------- d-----w- C:\hjsplit
2009-06-16 12:59 . 2003-11-04 13:10 69632 ----a-w- c:\windows\system32\lfgif13n.dll
2009-06-16 12:59 . 2004-05-14 14:53 462848 ----a-w- c:\windows\system32\ltkrn13n.dll
2009-06-16 12:59 . 2004-05-14 14:53 450560 ----a-w- c:\windows\system32\ltimg13n.dll
2009-06-16 12:59 . 2004-05-14 14:53 299008 ----a-w- c:\windows\system32\ltdis13n.dll
2009-06-16 12:59 . 2004-05-14 14:53 163840 ----a-w- c:\windows\system32\ltfil13n.dll
2009-06-16 12:59 . 2004-05-14 14:53 57344 ----a-w- c:\windows\system32\lfbmp13n.dll
2009-06-16 12:59 . 2004-05-14 14:53 401408 ----a-w- c:\windows\system32\lfcmp13n.dll
2009-06-16 12:59 . 2004-01-12 00:09 206336 ----a-w- c:\windows\system32\ltefx13n.dll
2009-06-14 21:12 . 2009-06-22 13:33 -------- d-----w- c:\program files\DNA
2009-06-14 21:12 . 2009-06-14 21:12 -------- d-----w- c:\program files\AskSearch
2009-06-04 12:27 . 2009-06-04 12:27 -------- d-----w- c:\program files\Google
2009-06-02 12:12 . 2004-07-14 10:54 676864 ----a-w- c:\windows\system32\drivers\hardlock.sys
2009-06-02 12:12 . 2009-06-02 12:12 6656 ----a-w- c:\windows\system32\haspvdd.dll
2009-06-02 12:12 . 2009-06-02 12:12 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys
2009-06-02 12:12 . 2009-06-02 12:12 383 ----a-w- c:\windows\system32\haspdos.sys
2009-06-02 12:12 . 2009-06-02 15:56 67712 ----a-w- c:\windows\system32\drivers\hl_mull.sys
2009-06-02 12:12 . 2009-06-02 15:56 57344 ----a-w- c:\windows\system32\drivers\wdreg.exe
2009-06-02 12:03 . 2009-06-02 12:24 -------- d-----w- c:\program files\AutoCAD 2005
2009-05-31 20:33 . 2009-05-31 20:33 -------- d-----w- c:\windows\system32\NtmsData
2009-05-30 22:28 . 2009-06-22 12:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-27 16:20 . 2009-05-27 16:20 -------- d-----w- c:\program files\Opera
2009-05-26 11:46 . 2009-05-26 11:46 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-26 11:37 . 2009-05-26 11:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-05-26 11:37 . 2009-05-26 11:37 -------- d-----w- c:\program files\NOS


Re: WinBlueSoft - crying for help

Post by koalabear on Wed Jun 24, 2009 5:29 pm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-23 20:27 . 2009-05-15 11:12 -------- d-----w- c:\program files\DC++
2009-06-18 13:47 . 2008-06-25 13:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-18 08:15 . 2008-06-25 13:16 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-06 12:43 . 2009-04-29 16:10 -------- d-----w- c:\program files\OpenSource AVI Splitter
2009-06-06 12:43 . 2009-05-01 14:05 -------- d-----w- c:\program files\Boilsoft Video Splitter
2009-06-02 12:24 . 2008-06-26 08:03 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-06-02 12:24 . 2008-06-26 08:06 -------- d-----w- c:\program files\AnswerWorks 4.0
2009-06-02 12:03 . 2008-06-26 08:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-05-21 09:57 . 2009-05-21 09:57 -------- d-----w- c:\program files\Agnitum
2009-05-12 23:25 . 2009-05-12 23:25 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-12 23:25 . 2009-05-12 23:25 -------- d-----w- c:\program files\Java
2009-05-12 22:55 . 2009-05-12 22:55 -------- d-----w- c:\program files\FileZilla FTP Client
2009-05-05 13:14 . 2009-05-05 13:14 -------- d-----w- c:\program files\MSN Messenger
2009-04-30 22:34 . 2009-04-30 22:34 0 ----a-w- c:\windows\nsreg.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 230960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 167936]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 946176]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-11-06 177456]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-12 308632]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 323584]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 110080]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 230960]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2008-10-5 10872]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 634941]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ekrn"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AutoCAD 2007\\acad.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Outlook Express\\wab.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe"=
"c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Documents and Settings\\Kordic\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"=
"c:\\Program Files\\WinRAR\\WinRAR.exe"=
"c:\\Program Files\\WIDCOMM\\Bluetooth Software\\BTTray.exe"=
"c:\\Documents and Settings\\Kordic\\Contacts\\svchost.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\ccc.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMIndexStoreSvr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Common Files\\Autodesk Shared\\Service\\AdskScSrv.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\PowerISO\\PowerISO.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\documents and settings\Kordic\Contacts\svchost.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [20.2.2008 11:11 33800]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\pukmnn.sys --> c:\windows\system32\drivers\pukmnn.sys [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [26.5.2009 13:37 33176]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\MSN Messenger\usnsvc.exe [19.1.2007 12:54 166768]
S4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [20.2.2008 11:08 472320]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: I&zvoz u Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-24 19:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-24 19:17
ComboFix-quarantined-files.txt 2009-06-24 17:16

Pre-Run: 90.126.815.232 bytes free
Post-Run: 90.154.123.264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
915

koalabear
Intermediate

Posts : 53
Joined : 2009-06-22
OS : xp
Points : 27275
# Likes : 0


Re: WinBlueSoft - crying for help

Post by Belahzur on Wed Jun 24, 2009 5:37 pm

I'm afraid I have bad news.

Your system is infected with a polymorphic file infector called Sality. Sality is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files, and therefore the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or a destructive recovery if you have an OEM recovery partition, is the best way to clean the infection, and it is the best and safest way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

For more information, please see [You must be registered and logged in to see this link.]

Instructions on how to format and reinstall Windows can be found [You must be registered and logged in to see this link.]




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245049
# Likes : 1

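Belahzur's backup rule above (documents and personal data only, nothing the file infector can ride along in), as an added example that is not part of the original thread or any tool mentioned in it: a small Python script that copies a profile tree to a clean backup location while refusing any file with an .exe or .scr extension and, as an extra check the post does not spell out, any file whose first two bytes are the "MZ" header of a Windows executable regardless of how it is named. The folder layout and sample files are constructed for the demo and are not from the poster's machine.

```python
"""Selective backup: copy user data, never copy executables.

Added example for this thread, not the forum's or any vendor's tool.
Directory and file names below are constructed placeholders.
"""
import os
import shutil
import tempfile

# The two extensions the advice names explicitly. The MZ header check
# below also catches DLLs, drivers and renamed executables.
SKIP_EXTENSIONS = {".exe", ".scr"}


def is_pe_file(path):
    """True if the file starts with the 'MZ' header every Windows PE
    executable carries, whatever extension it has been given."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def should_skip(path):
    """Skip by extension first, then by content."""
    ext = os.path.splitext(path)[1].lower()
    return ext in SKIP_EXTENSIONS or is_pe_file(path)


def selective_backup(src_root, dst_root):
    """Copy everything under src_root to dst_root except executables.

    Returns (copied, skipped): sorted lists of paths relative to src_root,
    so the caller can review exactly what was left behind.
    """
    copied, skipped = [], []
    for dirpath, _dirnames, filenames in os.walk(src_root):
        for name in filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            if should_skip(src):
                skipped.append(rel)
                continue
            dst = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)  # keeps timestamps on the documents
            copied.append(rel)
    return sorted(copied), sorted(skipped)


def build_sample_tree(root):
    """Constructed mini profile: documents, two executables, one image and
    one executable hiding behind a harmless-looking name."""
    samples = {
        "Documents/report.doc": b"word document content",
        "Documents/notes.txt": b"plain text notes",
        "Desktop/Setup.exe": b"MZ\x90\x00 fake installer",
        "Desktop/screen.scr": b"MZ\x90\x00 fake screensaver",
        "Desktop/holiday.jpg": b"\xff\xd8\xff\xe0 jpeg bytes",
        "Downloads/photo.jpg.bak": b"MZ\x90\x00 renamed executable",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Run the backup over the constructed tree and return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "profile")
        dst = os.path.join(tmp, "backup")
        build_sample_tree(src)
        copied, skipped = selective_backup(src, dst)
        # Normalise separators so the result reads the same on any OS.
        return ([p.replace(os.sep, "/") for p in copied],
                [p.replace(os.sep, "/") for p in skipped])


if __name__ == "__main__":
    copied, skipped = demo()
    print("copied :", copied)
    print("skipped:", skipped)
```

Run it on a real profile by calling `selective_backup(r"C:\Documents and Settings\<user>", r"E:\backup")` with the destination on an otherwise empty external drive, as the post recommends, and read the skipped list before trusting the copy: anything skipped by the MZ check rather than by extension is worth a second look.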

Re: WinBlueSoft - crying for help

Post by Origin on Wed Jun 24, 2009 7:05 pm

That explains everything Goofy


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master

Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31463
# Likes : 0
