Spyware Alert - WinBlueSoft


Post by Mattitude on 25th June 2009, 12:25 pm

Hey guys,

I am posting this message from another computer as I cannot do anything on mine. This WinBlueSoft virus has got into my PC! The "Spyware Alert" message is always visible in the bottom right corner of the screen and I always get messages that appear trying to persuade me to register with them! I have tried using Malwarebytes to remove it but it won't open! I transferred the installation file via USB to install it on the system. After installing with no problems, Malwarebytes does not open. I have tried using other programs but none of them open. My AVG security can complete a Full Scan but it did not do anything! WinBlueSoft has also stopped me from browsing the internet. No pages load when I open my browser. I've tried System Restore in both normal and Safe Mode but it just won't let me! I cannot access the task manager or anything. I don't know what else I can do!

Please help me!
Thanks guys,
Matt.

Mattitude
Intermediate
Posts: 64
Joined: 2009-06-25
OS: XP
Points: 27772
Likes: 0


Re: Spyware Alert - WinBlueSoft

Post by Belahzur on 25th June 2009, 12:45 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245111
Likes: 1


Re: Spyware Alert - WinBlueSoft

Post by Mattitude on 25th June 2009, 1:03 pm

Hey Belahzur,

Thanks for your reply.

I installed HiJackThis but it won't let me open it!


Re: Spyware Alert - WinBlueSoft

Post by Belahzur on 25th June 2009, 1:27 pm

Can you try renaming the icon on your Desktop to Winlogon please?



Re: Spyware Alert - WinBlueSoft

Post by Mattitude on 25th June 2009, 1:33 pm

Yep I've renamed it!
Still doesn't open though!

Thanks,
Matt.


Re: Spyware Alert - WinBlueSoft

Post by Mattitude on 25th June 2009, 2:00 pm

Sad tearing


Re: Spyware Alert - WinBlueSoft

Post by Mattitude on 25th June 2009, 2:31 pm

Are there any other ideas you can think of? Sad tearing
Would I be able to delete the file that is blocking me from accessing everything? I think it's called "blocker.dll"

Thanks for your help,
Matt.


Re: Spyware Alert - WinBlueSoft

Post by Belahzur on 25th June 2009, 6:12 pm

Hello.

Please download the Pocket Killbox from [You must be registered and logged in to see this link.]

Can you open the Killbox/will it stay open?



Re: Spyware Alert - WinBlueSoft

Post by Mattitude on 25th June 2009, 7:00 pm

Hey,
thanks for your reply.

My AVG detects KillBox.exe as a threat. What do you suggest I do? Carry on and open it or not? I am opening it from my USB stick as I had to use my laptop to access the internet and download it. I opened it fine in Safe Mode and it stayed open.

Thanks,
Matt.


Re: Spyware Alert - WinBlueSoft

Post by Belahzur on 25th June 2009, 11:48 pm

AVG sucks. -.-
Killbox is not a threat, ignore what AVG says.
Carry on with it, see if Killbox will open.



Re: Spyware Alert - WinBlueSoft

Post by senorwolfe015 on 26th June 2009, 2:56 am

OK, I got Killbox. What do I do next?

senorwolfe015
Beginner
Posts: 2
Joined: 2009-06-26
OS: xp
Points: 27242
Likes: 0


Re: Spyware Alert - WinBlueSoft

Post by Belahzur on 26th June 2009, 8:43 am

1. Open the Killbox.
2. Under "Full path of file to delete", copy and paste in the following:

C:\Windows\system32\blocker.dll

3. Switch "Standard file kill" to "Delete on reboot"
4. Press the Red X to delete the file.
5. It will ask if you want to make a backup of the file we deleted, select Yes to the prompt.
6. It will now delete the file, and popup with another prompt saying so, press Ok.
7. Close the Killbox.



Re: Spyware Alert - WinBlueSoft

Post by Mattitude on 26th June 2009, 11:20 am

Hey,

Okay, yep, I've done that!


Re: Spyware Alert - WinBlueSoft

Post by senorwolfe015 on 26th June 2009, 2:29 pm

Yeah, me too. And I'm still getting the spyware popups.


Re: Spyware Alert - WinBlueSoft

Post by Mattitude on 26th June 2009, 6:24 pm

Same here, senorwolfe015 Sad tearing


Re: Spyware Alert - WinBlueSoft

Post by Belahzur on 27th June 2009, 1:23 am

Hello.
Don't worry, I know you still have problems, Killbox wasn't meant to fix that.
The blocker.dll is the reason behind you not being able to open things; I bet you noticed things will open normally now. Smile

See if you can run Hijack This now.



Re: Spyware Alert - WinBlueSoft

Post by Mattitude on 27th June 2009, 2:55 pm

Hey,

I opened Killbox from my desktop and followed the instructions you gave. After clicking the RED CROSS, I did not get a message about backing up. Instead I got the message - "File will be Removed on Reboot, Do you want to Reboot now?". I then clicked OK and another message - "PendingFileRenameOperations Registry Data has been removed by External Process!". I clicked OK and restarted my computer. After restarting, I tried opening the Task Manager by pressing CTRL ALT DELETE but it was still blocked! I also tried running HiJackThis but still no luck!

I tried doing it again the day after and the same messages appeared and still no luck! I have just given it another go selecting "Standard File Kill" instead of "Delete on Reboot" and this time the messages you said would appear did! - Confirm Message: "Backup & Delete C:\Windows\system32\blocker.dll"

I then clicked YES and got a File Error message stating:
"This file does not seem to exist"

Have any idea mate? Sad tearing
Thanks for your help so far, I really appreciate it!
Matt.

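The "Delete on reboot" option in the Killbox steps above works by queuing the file in the PendingFileRenameOperations registry value, which the session manager processes early in the next boot; the "PendingFileRenameOperations Registry Data has been removed by External Process!" message in the post above means that queue was wiped before the reboot, so the delete never ran. The following is an added example, not code from this thread or from Killbox: it decodes that value and checks whether a queued delete is still present. It assumes the layout as understood here (a REG_MULTI_SZ under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, strings in (source, destination) pairs, an empty destination meaning "delete the source", paths carrying the NT `\??\` prefix, and a leading `!` on a destination marking replace-existing). All byte strings are constructed in the block, nothing is read from a live registry.

```python
# Added example (not from this thread, not Killbox's code): decode the
# PendingFileRenameOperations value that "Delete on reboot" relies on and check
# whether a queued delete for a file is still there. Assumed layout (REG_MULTI_SZ
# under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager): strings come in
# (source, destination) pairs, an empty destination means "delete the source",
# paths carry the NT "\??\" prefix, and a leading "!" on a destination marks
# replace-existing. Every byte string here is constructed, not read from a registry.

NT_PREFIX = "\\??\\"


def encode_multi_sz(strings):
    """Produce REG_MULTI_SZ bytes: UTF-16-LE, each string NUL-terminated, list NUL-terminated."""
    body = "".join(s + "\0" for s in strings)
    return (body + "\0").encode("utf-16-le")


def _strip_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def pending_operations(raw):
    """Walk the raw value the way the boot-time processing does: (source, destination)
    pairs until an empty source ends the list. Returns (source_path, destination_or_None),
    where None means the source is scheduled for deletion."""
    if not raw:
        return []  # value absent or emptied: nothing is queued for the next boot
    parts = raw.decode("utf-16-le").split("\0")
    ops = []
    for i in range(0, len(parts) - 1, 2):
        source, dest = parts[i], parts[i + 1]
        if source == "":
            break  # list terminator
        dest_path = _strip_prefix(dest.lstrip("!")) if dest else None
        ops.append((_strip_prefix(source), dest_path))
    return ops


def deletion_queued(raw, path):
    """True if a delete-on-reboot for `path` is queued (Windows paths compare case-insensitively)."""
    target = path.lower()
    return any(dest is None and src.lower() == target for src, dest in pending_operations(raw))


def queue_delete(raw, path):
    """Return the value bytes with a delete-on-reboot for `path` appended; this is the
    logical effect of MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT)."""
    new_pair = encode_multi_sz([NT_PREFIX + path, ""])
    if not raw:
        return new_pair
    # drop the existing list terminator (one UTF-16 NUL, two bytes) and append the new pair
    return raw[:-2] + new_pair


if __name__ == "__main__":
    blocker = r"C:\Windows\system32\blocker.dll"
    value = queue_delete(b"", blocker)
    print("queued right after the tool ran:", deletion_queued(value, blocker))
    # The failure mode from the thread: something cleared the value before the reboot.
    print("queued after the value was cleared:", deletion_queued(b"", blocker))
```

The useful check for a case like the one in this thread is to read the value back immediately before rebooting: if `deletion_queued` is already false at that point, the reboot will not remove the file, and the removal has to be done from an environment where the blocking code is not running (Safe Mode, or offline from another OS) instead.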

Re: Spyware Alert - WinBlueSoft

Post by Belahzur on 27th June 2009, 5:43 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Re: Spyware Alert - WinBlueSoft

Post by Mattitude on 27th June 2009, 6:41 pm

Hey,
Woo! Something that finally worked Big Grin
I think I can spot some of the WinBlueSoft .exe and .bin files. I didn't want to go deleting them because they might not be the virus!

Here is the DDS file:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Matt at 19:27:13.00 on 27/06/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.139 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k sys
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\setup2.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\avgcmgr.exe
C:\Documents and Settings\Matt.FLEETY\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
mSearch Page = [You must be registered and logged in to see this link.]
mURLSearchHooks: H - No File
BHO: MSN helper: {4efd3aea-b660-4f24-8519-12531d2a3b0c} - khmx1.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [setup2.exe] c:\windows\system32\setup2.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [EPSON Stylus DX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB001" /M "Stylus DX4800"
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [TkBellExe] "realsched.exe" -osboot
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter3.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
StartupFolder: c:\docume~1\matt~1.fle\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoSMMyDocs = 1 (0x1)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - [You must be registered and logged in to see this link.]
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: RaptisoftGameLoader - [You must be registered and logged in to see this link.]
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - [You must be registered and logged in to see this link.]
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - [You must be registered and logged in to see this link.]
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - [You must be registered and logged in to see this link.]
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - [You must be registered and logged in to see this link.]
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - [You must be registered and logged in to see this link.]
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - [You must be registered and logged in to see this link.]
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - [You must be registered and logged in to see this link.]
DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - [You must be registered and logged in to see this link.]
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - [You must be registered and logged in to see this link.]
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [You must be registered and logged in to see this link.]
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - [You must be registered and logged in to see this link.]
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - [You must be registered and logged in to see this link.]
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} - [You must be registered and logged in to see this link.]
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - [You must be registered and logged in to see this link.]
TCP: NameServer = 85.255.112.108,85.255.112.211
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt~1.fle\applic~1\mozilla\firefox\profiles\wwfj1b4y.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}


Re: Spyware Alert - WinBlueSoft

Post by Mattitude on 27th June 2009, 6:42 pm

============= SERVICES / DRIVERS ===============

R0 mcctl;mcctl;c:\windows\system32\drivers\mcctl.sys [2006-7-16 4864]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-8 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-8 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-8 108552]
R1 sysdrv;sysdrv;c:\program files\sys\sys.sys [2009-6-24 9344]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-8 298776]
R2 sys;sys;c:\windows\system32\svchost.exe -k sys [2004-8-10 35840]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 anf0100.sys;anf0100.sys;\??\c:\windows\system32\drivers\anf0100.sys --> c:\windows\system32\drivers\anf0100.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2007-2-18 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2007-2-18 85696]
S4 Atdracecaavice;Atdracecaavice; [x]

=============== Created Last 30 ================

2009-06-26 13:24 1 a------- c:\windows\system32\xd.dat
2009-06-26 13:24 1 a------- c:\windows\system32\idm.dat
2009-06-26 13:24 1 a------- c:\windows\system32\ck.dat
2009-06-26 13:24 1 a------- c:\windows\system32\c2d.dat
2009-06-26 12:55 --d----- c:\program files\XoftSpySE
2009-06-25 23:55 9,943 a------- c:\windows\system32\640abackd9or5z42.dll
2009-06-25 21:40 --d----- c:\program files\Enigma Software Group
2009-06-25 20:33 --d----- c:\program files\SpywareBlaster
2009-06-25 19:47 --d----- C:\!KillBox
2009-06-25 17:52 -cd----- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-25 14:00 --d----- c:\program files\Trend Micro
2009-06-24 22:24 2 a------- c:\windows\010112010146118114.dat
2009-06-24 22:13 --d----- c:\program files\Spybot - Search & Destroy
2009-06-24 20:44 --d----- c:\program files\IObit
2009-06-24 20:44 --d----- c:\docume~1\matt~1.fle\applic~1\IObit
2009-06-24 19:27 --d----- c:\windows\logs
2009-06-24 17:47 --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-06-24 17:13 18,066 a------- c:\windows\1544adzware9324.exe
2009-06-24 17:03 1 a------- c:\windows\system32\q1.dat
2009-06-24 17:02 56,832 ----h--- c:\windows\mstre19.exe
2009-06-24 17:02 1 ----h--- c:\windows\jmmark2.dat
2009-06-24 17:02 66,048 ----h--- c:\windows\freddy46.exe
2009-06-24 03:06 42,496 a------- c:\windows\system32\khmx1.dll
2009-06-23 22:00 --d----- c:\program files\sys
2009-06-23 22:00 90,624 a------- c:\windows\system32\inform.dat
2009-06-23 22:00 42,496 a------- c:\windows\system32\khmx0.dll
2009-06-23 22:00 15,477 a------- c:\windows\system32\lxf
2009-06-23 19:43 163,840 a------- c:\windows\system32\SecureNet.dll
2009-06-23 19:42 1,126,400 a------- c:\windows\system32\libeay32.dll
2009-06-23 19:42 204,800 a------- c:\windows\system32\ssleay32.dll
2009-06-23 19:42 --d----- c:\program files\Hide My IP 2009
2009-06-22 11:00 4,113 a------- c:\windows\system32\1z053worm7579.bin
2009-06-22 10:30 16,955 a------- c:\windows\3129v5r9z6.dll
2009-06-21 22:22 16,830 a------- c:\windows\zc4bthie9557.exe
2009-06-19 22:21 16,962 a------- c:\windows\system32\11z6h5cktoo9253.bin
2009-06-19 12:27 68 a------- c:\windows\MyProg.ini
2009-06-18 22:48 15,109 a------- c:\windows\system32\1489z9py5e5.bin
2009-06-16 00:13 13,353 a------- c:\windows\18001spam59t69z.bin
2009-06-15 03:49 5,692 a------- c:\windows\system32\5c25th9ef21z25.ocx
2009-06-14 02:33 4,737 a------- c:\windows\system32\54198troj715z.bin
2009-06-13 20:13 16,839 a------- c:\windows\system32\z905troj9095.dll
2009-06-13 08:20 4,080 a------- c:\windows\z03downlo9de5975.ocx
2009-06-13 03:22 17,889 a------- c:\windows\858spzrse1915.cpl
2009-06-12 10:12 --d----- c:\docume~1\matt~1.fle\applic~1\GetRightToGo
2009-06-12 03:46 13,852 a------- c:\windows\system32\789ast9alz547.cpl
2009-06-10 03:30 15,470 a------- c:\windows\32ffztea91725.ocx
2009-06-10 00:59 13,110 a------- c:\windows\2835zsp550d9.exe
2009-06-09 12:19 --d-h--- C:\$AVG8.VAULT$
2009-06-08 18:25 10,226 a------- c:\windows\23z19v9rus35f.dll
2009-06-08 09:12 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-08 09:12 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-08 09:12 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-08 09:11 --d----- c:\windows\system32\drivers\Avg
2009-06-08 09:11 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-06-07 20:50 --d----- c:\program files\TweakRAM
2009-06-07 19:46 1,181,022 a------- c:\windows\system32\TmpA5169390
2009-06-07 15:50 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-07 15:49 --d----- c:\docume~1\matt~1.fle\applic~1\SUPERAntiSpyware.com
2009-06-07 11:00 8,842 a------- c:\windows\system32\5746zhack9ool1f1.ocx
2009-06-06 06:41 4,560 a------- c:\windows\9991doznlo5der3252.ocx
2009-06-05 07:38 17,528 a------- c:\windows\9758spa9bot7z55.cpl
2009-06-04 09:54 4,630 a------- c:\windows\30972wo59ze1.ocx
2009-06-03 14:40 --d----- c:\program files\iTunes
2009-06-02 16:28 7,332 a------- c:\windows\4z21b9ckdoor2544.exe
2009-06-01 19:32 9,824 a------- c:\windows\system32\1220addwarez5629.ocx
2009-06-01 11:44 17,468 a------- c:\windows\system32\b9as5azse1667.bin

==================== Find3M ====================

2009-05-28 16:47 87,608 a------- c:\docume~1\matt~1.fle\applic~1\inst.exe
2009-05-28 16:47 47,360 a------- c:\docume~1\matt~1.fle\applic~1\pcouffin.sys
2009-05-26 20:17 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-05-23 23:50 16,130 a------- c:\windows\29553troj28z.bin
2009-05-23 00:04 15,131 a------- c:\windows\system32\5d73backdooz1691.dll
2009-05-22 02:51 8,994 a------- c:\windows\system32\z6585viru9a5.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-18 21:24 10,229 a------- c:\windows\4f49stea5z140.bin
2009-05-18 07:36 17,120 a------- c:\windows\system32\9a44d5wnloaderz487.dll
2009-05-11 14:24 4,778 a------- c:\windows\system32\z2955ir1094.dll
2009-05-10 16:28 11,769 a------- c:\windows\system32\32z16not9a-5irusaf.dll
2009-05-08 14:40 18,420 a------- c:\windows\501fspyzare8029.exe
2009-05-07 18:19 8,020 a------- c:\windows\system32\3c7bsze5l1096.exe
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-05-06 02:26 14,448 a------- c:\windows\system32\11588vizu519.dll
2009-05-05 05:44 5,231 a------- c:\windows\4799azdware1656.dll
2009-05-02 00:42 16,248 a------- c:\windows\45z1spy9are3098.exe
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 05:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 05:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 05:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 05:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 05:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-29 05:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-29 05:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 05:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 05:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 16:11 9,176 a------- c:\windows\system32\6z399i53159.exe
2009-04-28 10:05 92,160 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 10:05 35,328 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-26 10:27 5,962 a------- c:\windows\system32\2638zt5oj9ff.bin
2009-04-25 06:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 06:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-04-24 11:42 5,600 a------- c:\windows\3zbaback9o5r10.exe
2009-04-24 05:48 16,472 a------- c:\windows\15489s5am9ot1z.dll
2009-04-20 13:07 13,690 a------- c:\windows\system32\175z1w9rm2265.dll
2009-04-20 01:28 2,768 a------- c:\windows\system32\2699z5pambot719.bin
2009-04-18 13:05 7,087 a------- c:\windows\system32\15341not-9-virzs249.exe
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 13:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-16 21:52 10,757 a------- c:\windows\15950hzcktool391.bin
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 15:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-04-14 06:36 3,993 a------- c:\windows\system32\15954not-z-vi9us83.exe
2009-04-11 04:37 6,097 a------- c:\windows\605b59ckdozr1119.exe
2009-04-09 05:09 9,179 a------- c:\windows\system32\27388zpam59t7a5.exe
2009-04-09 03:35 9,571 a------- c:\windows\system32\55zdb9ckdoor2676.bin
2009-04-07 17:44 16,454 a------- c:\windows\system32\5969spzrse3503.exe
2009-04-07 13:39 12,474 a------- c:\windows\system32\1b65thrza593751.bin
2009-04-07 04:35 4,428 a------- c:\windows\system32\34859hief226z.bin
2009-04-04 09:42 7,650 a------- c:\windows\255z4not-a-5irus93c.dll
2009-04-03 22:38 18,228 a------- c:\windows\system32\7521wzr93fd.dll
2007-01-25 21:20 40 a------- c:\documents and settings\matt.fleety\language.dat
2006-07-17 13:38 29,784 a------- c:\program files\ Terms.html
2006-07-16 13:45 29,784 a------- c:\program files\popcorn Terms.html
2005-11-04 00:29 72,832 a----r-- c:\windows\inf\CamAvb.sys
2008-01-23 18:44 152 ---shr-- c:\windows\system32\13061D968F.sys
2008-04-08 22:25 88 ---shr-- c:\windows\system32\8F961D0613.sys
2008-04-08 22:25 9,188 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-22 16:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092220080923\index.dat

============= FINISH: 19:28:14.93 ===============

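The two log posts above are what the helper reads by eye: the policy lines that explain the blocked Task Manager, the TCP: NameServer line, and the autostart entries whose files appear in the "Created Last 30" list. As an added example (not part of this thread and not DDS's own code), here is a small Python triage script that automates those three checks over a handful of lines copied from the log posted above. It assumes the DDS line formats as they appear in that log; the DNS allowlist is a placeholder the analyst fills in with the servers the machine should actually be using, and the example goes a little beyond the thread by cross-referencing every autostart line against the recently-created file list with an adjustable time window.

```python
# Added example (not from this thread, not DDS's code): triage a DDS-style log for
# (1) lockout policies, (2) DNS servers outside an allowlist, and (3) autostart
# entries whose file was created within a window before the log was generated.
import re
from datetime import date, timedelta

# Constructed sample: a few lines copied verbatim from the DDS log posted above.
SAMPLE_LOG = r"""DDS (Ver_09-06-26.01) - NTFSx86
Run by Matt at 19:27:13.00 on 27/06/2009

============== Pseudo HJT Report ===============

BHO: MSN helper: {4efd3aea-b660-4f24-8519-12531d2a3b0c} - khmx1.dll
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoSMMyDocs = 1 (0x1)
TCP: NameServer = 85.255.112.108,85.255.112.211
Notify: avgrsstarter - avgrsstx.dll

=============== Created Last 30 ================

2009-06-26 12:55 --d----- c:\program files\XoftSpySE
2009-06-24 03:06 42,496 a------- c:\windows\system32\khmx1.dll
2009-06-08 09:12 11,952 a------- c:\windows\system32\avgrsstx.dll
"""

# Policy values rogue "security" software sets to lock the user out of their own tools.
RESTRICTIVE_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions", "NoRun"}
# Placeholder: replace with the DNS servers this machine is supposed to use (router/ISP).
DNS_ALLOWLIST = {"192.168.1.1"}

POLICY_RE = re.compile(r"^([umd]Policies-\w+): (\w+) = (\d+)")
DNS_RE = re.compile(r"^TCP: NameServer = (.+)$")
RUNDATE_RE = re.compile(r"^Run by .* on (\d{2})/(\d{2})/(\d{4})")
# "date time [size] attributes path"; directory entries carry no size column.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (?:[\d,]+ )?\S{8} (.+)$")
AUTOSTART_PREFIX = re.compile(r"^(?:BHO|TB|[umd]Run|Notify|SSODL|SEH|R[0-3]|S[0-4])\b")
# Matches the final path component only, since backslashes are not in the class.
FILENAME_RE = re.compile(r"[\w~.-]+\.(?:dll|exe|sys|ocx|cpl|bin)", re.IGNORECASE)


def restrictive_policies(text):
    """(hive-prefixed key, value name) for every lockout policy set to a non-zero value."""
    found = []
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m and m.group(2) in RESTRICTIVE_POLICIES and m.group(3) != "0":
            found.append((m.group(1), m.group(2)))
    return found


def foreign_dns_servers(text, allowlist=DNS_ALLOWLIST):
    """DNS servers from the TCP: NameServer line that are not on the allowlist."""
    servers = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            servers.extend(s.strip() for s in m.group(1).split(","))
    return [s for s in servers if s not in allowlist]


def log_date(text):
    """Date the log was generated, from the DD/MM/YYYY 'Run by' header."""
    for line in text.splitlines():
        m = RUNDATE_RE.match(line)
        if m:
            d, mo, y = (int(x) for x in m.groups())
            return date(y, mo, d)
    raise ValueError("no 'Run by' header found")


def recently_created_files(text):
    """Map lower-cased basename -> (full path, creation date) from the Created section."""
    created = {}
    for line in text.splitlines():
        m = CREATED_RE.match(line)
        if m:
            path = m.group(2).strip()
            created[path.rsplit("\\", 1)[-1].lower()] = (path, date.fromisoformat(m.group(1)))
    return created


def autostarts_with_recent_files(text, window_days=7):
    """Autostart lines referencing a file created within `window_days` before the log date.
    Returns (autostart line, file path, creation date)."""
    created = recently_created_files(text)
    cutoff = log_date(text) - timedelta(days=window_days)
    hits = []
    for line in text.splitlines():
        if not AUTOSTART_PREFIX.match(line):
            continue
        for name in FILENAME_RE.findall(line):
            entry = created.get(name.lower())
            if entry and entry[1] >= cutoff:
                hits.append((line, entry[0], entry[1]))
    return hits


if __name__ == "__main__":
    print("lockout policies:", restrictive_policies(SAMPLE_LOG))
    print("DNS servers not on allowlist:", foreign_dns_servers(SAMPLE_LOG))
    for line, path, when in autostarts_with_recent_files(SAMPLE_LOG):
        print(f"recent autostart ({when}): {path}  <-  {line}")
```

With the seven-day window only the BHO pointing at khmx1.dll is reported; widening the window to thirty days also pulls in the AVG notify DLL installed on 2009-06-08, which is why the window is a parameter and why these hits are leads for the analyst rather than verdicts.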

Re: Spyware Alert - WinBlueSoft

Post by Belahzur on 27th June 2009, 6:46 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
Likes : 1


Re: Spyware Alert - WinBlueSoft

Post by Mattitude on 27th June 2009, 7:21 pm

Hey,

I downloaded ComboFix.exe and renamed it Combo-Fix.exe

I followed the guide on how to disable my AVG 8.

I then double clicked Combo-Fix and the following error message appeared:

!! ALERT !! It is NOT SAFE to continue!

The contents of the ComboFix package has been compromised.
Please download a fresh copy from:

[You must be registered and logged in to see this link.]

Note: You may be infected with a file patching virus 'Virut'


I visited the site and downloaded the latest copy but it is the same one, and the same error message appeared.
I also tried downloading ComboFix from the second link you provided (Link 2) and the same error message appeared.

After clicking OK, the error message closes and Combo-Fix is automatically removed from my desktop. Do you think this is maybe because of how I renamed it?

Thanks mate,
Matt.

Mattitude
Intermediate

Posts : 64
Joined : 2009-06-25
OS : XP
Points : 27772
Likes : 0


Re: Spyware Alert - WinBlueSoft

Post by Belahzur on 27th June 2009, 7:44 pm

No, I don't think renaming caused it.
I don't see any signs of the file infector called Virut, but I do see signs of another file infector, called Sality.

I'm afraid I have bad news.

Your system is infected with a polymorphic file infector called Sality. Sality is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files, and therefore those files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or a destructive recovery if you have an OEM recovery partition, is the best way to clean the infection, and it is the best and safest way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr file by appending itself to the executable.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

For more information, please see [You must be registered and logged in to see this link.]

Instructions on how to format and reinstall Windows can be found [You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
Likes : 1

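The backup advice in the post above (documents only, never .exe or .scr files, because a file infector appends itself to executables) can be mechanised before anything is burned to disc. The script below is an added example, not code from the thread or from any of the tools it mentions. It screens a folder staged for backup and excludes files two ways: by the post's extension rule, and by content, so a Windows executable that has been renamed to look like a photo is still caught by its PE header (the `MZ` stub whose `e_lfanew` field points at the `PE\0\0` signature). For each file it keeps, it records a SHA-256 so the restored copies can be checked after the reinstall. The folder layout and file contents are constructed for the demonstration (the "executables" are minimal fake PE headers, not real binaries).

```python
# Added example: screen a staged backup folder before burning it.
# Excludes .exe/.scr by extension and anything with a PE header by
# content, and records SHA-256 for every file that is kept.
import hashlib
import os
import struct
import tempfile

# Extensions the post says not to back up.
BLOCKED_EXTENSIONS = {".exe", ".scr"}


def is_pe_file(path):
    """True if the file starts with an 'MZ' DOS header whose e_lfanew
    offset (bytes 0x3C..0x3F) points at a 'PE\\0\\0' signature, i.e. it
    is a Windows executable image whatever its extension says."""
    try:
        with open(path, "rb") as fh:
            dos_header = fh.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            (pe_offset,) = struct.unpack_from("<I", dos_header, 0x3C)
            fh.seek(pe_offset)
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large documents are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def screen_backup_set(root):
    """Walk `root`; return (keep, skip) where keep maps relative path to
    SHA-256 and skip maps relative path to the reason it was left out."""
    keep, skip = {}, {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in BLOCKED_EXTENSIONS:
                skip[rel] = "blocked extension " + ext
            elif is_pe_file(path):
                skip[rel] = "PE header found (executable under a non-.exe name)"
            else:
                keep[rel] = sha256_of(path)
    return keep, skip


def build_sample_tree(root):
    """Write a small constructed sample folder (not real infected files)
    so the screen can be exercised offline. Returns the names written."""
    os.makedirs(root, exist_ok=True)
    # Minimal fake PE: 'MZ' stub with e_lfanew = 64, then the 'PE\0\0' tag.
    fake_pe = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", fake_pe, 0x3C, 64)
    fake_pe += b"PE\0\0" + b"\0" * 20
    samples = {
        "report.docx": b"PK\x03\x04 constructed document bytes",
        "setup.exe": bytes(fake_pe),
        "holiday.scr": bytes(fake_pe),
        "photo.jpg": bytes(fake_pe),   # executable hiding behind an image name
        "notes.txt": b"plain text notes",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return sorted(samples)


def run_demo():
    """Build the sample tree in a temp dir and screen it; returns (keep, skip)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return screen_backup_set(tmp)


if __name__ == "__main__":
    keep, skip = run_demo()
    for rel, digest in sorted(keep.items()):
        print("KEEP", rel, digest[:16] + "...")
    for rel, reason in sorted(skip.items()):
        print("SKIP", rel, "-", reason)
```

Run it from a clean machine against the staged folder (or the mounted drive), not on the infected host: as the thread shows, an infected machine may refuse to start tools at all, and any interpreter launched there is itself an .exe. The PE check is the part the extension rule misses; the hash list is only useful if it is written to the same clean medium and compared against the files after they are restored.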

Re: Spyware Alert - WinBlueSoft

Post by Mattitude on 27th June 2009, 7:55 pm

Hey,

Ohh snap! So there's nothing else I can do? I can't delete the files manually?

Thank you for all your help sir. You have been a real big help!
Matt.

Mattitude
Intermediate

Posts : 64
Joined : 2009-06-25
OS : XP
Points : 27772
Likes : 0


Re: Spyware Alert - WinBlueSoft

Post by Belahzur on 27th June 2009, 8:11 pm

No, because system files are patched too.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
Likes : 1


Re: Spyware Alert - WinBlueSoft

Post by Mattitude on 27th June 2009, 10:50 pm

Hey,

Oh right, okay. I'll reinstall Windows then!
So what I should do is back up all important files and reinstall Windows?

Thanks mate,
Matt.

Mattitude
Intermediate

Posts : 64
Joined : 2009-06-25
OS : XP
Points : 27772
Likes : 0


Re: Spyware Alert - WinBlueSoft

Post by Belahzur on 27th June 2009, 11:06 pm

Back them up onto a CD or DVD.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
Likes : 1


Found FIX

Post by ParkerJ on 28th June 2009, 6:11 pm

I have had the same problem up to now, and because I found the solution on my own I must share!
Please comment if you find it useful.

ParkerJ
Beginner

Posts : 2
Joined : 2009-06-28
OS : Linpus Linux
Points : 27222
Likes : 0


Re: Spyware Alert - WinBlueSoft

Post by Origin on 28th June 2009, 6:16 pm

Hello. While this may have worked in your case, it might not for other users, and in that link you are asking them to download and run very powerful tools that could render their PC useless if not used under supervision. I am going to have to remove the link for everyone's safety.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master

Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31523
Likes : 0


Re: Spyware Alert - WinBlueSoft

Post by ParkerJ on 28th June 2009, 6:42 pm

I gave a warning.

ParkerJ
Beginner

Posts : 2
Joined : 2009-06-28
OS : Linpus Linux
Points : 27222
Likes : 0


Re: Spyware Alert - WinBlueSoft

Post by Origin on 28th June 2009, 6:51 pm

You instructed the user to download ComboFix and LSPFix; these two tools could render your PC useless if not properly used.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master

Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31523
Likes : 0

