WinBlueSoft

Re: WinBlueSoft

Post by Berqy123 on 20th May 2009, 4:10 pm

c:\windows\system32\zc12thre9t225885.dll
c:\windows\system32\zc9a5parse829.cpl
c:\windows\z0421hac5t9ol40a.dll
c:\windows\z0595spambot4af.dll
c:\windows\z097v5ru934b.exe
c:\windows\z1526ha9k5ool51.ocx
c:\windows\z3054s9y175.cpl
c:\windows\z3950hacktool1a5.bin
c:\windows\z4314t5oj339.dll
c:\windows\z4877sp56159.ocx
c:\windows\z49bdownloader9995.ocx
c:\windows\z4b9spyw5re1349.dll
c:\windows\z5219spambot656.bin
c:\windows\z5733no9-a-virus596.dll
c:\windows\z7afba5kdo9r419.ocx
c:\windows\z8903ha5ktool9eb.dll
c:\windows\z917s5eal1538.ocx
c:\windows\z930n5t-a-vir9s2f4.exe
c:\windows\z951spy379.bin
c:\windows\z9fas5arse941.ocx
c:\windows\zb9cdownlo59er2731.ocx
c:\windows\zb9cs9eal24005.cpl
c:\windows\zc5es9eal562.exe
c:\windows\zf199hief1453.bin

.
((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-08-13 04:19 . 2009-08-13 04:19 2684 ----a-w c:\windows\system32\52398zpy9.dll
2009-05-16 23:39 . 2009-05-16 23:39 -------- d-----w c:\program files\SmitFraudFixPro
2009-05-16 23:27 . 2009-05-16 23:27 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-16 22:33 . 2009-05-16 22:34 -------- d-----w c:\program files\CrossLoop
2009-05-16 19:58 . 2009-05-16 19:58 0 ----a-w c:\documents and settings\Owner\settings.dat
2009-05-16 18:24 . 2009-05-16 18:24 -------- d-----w C:\RootkitNO
2009-05-16 16:49 . 2009-05-16 16:49 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-16 16:49 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-16 16:49 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-16 15:46 . 2009-05-16 15:46 2 --shatr c:\windows\winstart.bat
2009-05-16 15:46 . 2009-05-16 22:07 -------- d-----w c:\program files\UnHackMe
2009-05-16 14:01 . 2009-05-16 14:04 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-16 13:59 . 2009-05-16 13:59 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-16 13:59 . 2009-05-16 22:08 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-15 18:13 . 2009-05-15 18:13 86 ---ha-w C:\aaw7boot.cmd
2009-05-15 16:05 . 2009-05-15 18:18 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 00:42 . 2004-05-23 19:50 4127 -c--a-w c:\windows\viassary-hp.reg
2009-05-16 15:56 . 2008-12-18 11:37 -------- d-----w c:\program files\OneStepSrch
2009-05-15 18:13 . 2005-01-23 12:01 -------- d-----w c:\program files\ICQToolbar
2009-05-05 12:31 . 2009-02-10 14:50 339968 ----a-w c:\windows\system32\pythoncom25.dll
2009-05-05 12:31 . 2009-02-10 14:50 114688 ----a-w c:\windows\system32\pywintypes25.dll
2009-05-05 12:31 . 2009-02-10 14:50 2117632 ----a-w c:\windows\system32\python25.dll
2009-05-04 19:05 . 2009-05-04 19:05 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-05-04 19:05 . 2009-05-04 19:05 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-04-18 22:37 . 2004-01-26 10:23 -------- d-----w c:\program files\Java
2009-04-12 12:53 . 2009-04-02 13:44 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-12 12:45 . 2009-04-12 12:44 -------- d-----w c:\program files\iTunes
2009-04-12 12:45 . 2009-04-12 12:45 -------- d-----w c:\program files\iPod
2009-04-12 12:44 . 2007-07-08 01:50 -------- d-----w c:\program files\Common Files\Apple
2009-04-04 17:38 . 2004-08-01 11:39 56880 -c--a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 17:36 . 2008-03-10 13:17 -------- d-----w c:\program files\Windows Live
2009-04-04 17:36 . 2009-04-04 17:36 -------- d-----w c:\program files\Microsoft Sync Framework
2009-04-04 17:34 . 2009-04-04 17:34 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-04-04 17:32 . 2009-04-04 17:32 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-02 13:44 . 2009-04-02 13:33 -------- d-----w c:\program files\Microsoft
2009-04-02 13:44 . 2009-04-02 13:44 -------- d-----w c:\program files\Microsoft Office Outlook Connector
2009-04-02 13:26 . 2009-04-02 13:26 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 09:19 . 2008-12-02 05:31 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-02-04 18:37 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-02-06 22:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-20 15:57 . 2009-05-20 15:57 16384 c:\windows\Temp\Perflib_Perfdata_20c.dat
- 2004-05-27 19:35 . 2009-04-29 22:01 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-03-22 23:05 . 2007-03-22 23:05 97632 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\PP7X32.DLL
+ 2004-05-27 19:35 . 2009-05-16 23:23 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-05-16 22:03 . 2009-05-14 19:45 156582 c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
- 2004-05-27 19:35 . 2009-04-29 22:01 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-05-16 22:05 . 2009-05-16 22:08 4506044 c:\windows\system32\Restore\rstrlog.dat
+ 2005-05-11 00:59 . 2009-05-07 07:16 24699336 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2004-06-01 196608]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 536576]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2005-10-25 14892072]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Antivirus_ProMFCT"="c:\program files\SmitFraudFixPro\SmitFraudFixPro.exe" [2009-04-05 13839992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2003-11-04 221184]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 45108]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 36864]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-06-13 180269]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-05-21 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-06-01 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-06-01 217088]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]
"SetDefPrt"="c:\program files\Brother\BRMFLPRO\BrDefPrt.exe" [2002-12-18 40960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-07-04 29744]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-12-12 366400]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-07-21 98304]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2004-1-26 16384]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-3-29 67128]
Sierra Garden Planner Tray Application.lnk - c:\sierra\GPlan\CALTRAY.EXE [2004-5-29 32768]
SmartUI.lnk - c:\program files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2003-2-3 1568768]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"c:\\Westwood\\RA2\\game.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

Berqy123
Novice

Posts : 33
Joined : 2009-05-16
Gender : Male
OS : XP
Points : 27865
# Likes : 0


Re: WinBlueSoft

Post by Berqy123 on 20th May 2009, 4:10 pm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 OneStepSrch Service;OneStepSrch Service;c:\documents and settings\All Users\Application Data\OneStepSrch\onestep210.exe [1/8/2009 6:49 PM 4608]
S2 mrtRate;mrtRate; [x]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [7/31/2004 3:55 PM 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [7/31/2004 3:55 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [7/31/2004 3:55 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [7/31/2004 3:55 PM 10368]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/11/2007 7:46 AM 29744]
.
Contents of the 'Scheduled Tasks' folder

2009-05-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-05-20 c:\windows\Tasks\User_Feed_Synchronization-{ED66BDE5-8676-42CC-AF80-7684888F2EC8}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Note this (Google Notebook) - c:\program files\Google\Google Notebook\gnotes1.0.2.19-356756253.dll/gn_menu1.html
IE: Note this item (Google Notebook) - c:\program files\Google\Google Notebook\gnotes1.0.2.19-356756253.dll/gn_menu2.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
DPF: CabBuilder - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\v6cru8cq.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-20 11:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1427937640-3629286915-1191468878-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4000)
c:\docume~1\Owner\LOCALS~1\Temp\IadHide5.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\progra~1\PANICW~1\POP-UP~1\XAHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Brmfrmps.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-20 12:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-20 16:05
ComboFix2.txt 2009-05-16 20:58

Pre-Run: 129,860,706,304 bytes free
Post-Run: 129,862,815,744 bytes free

988 --- E O F --- 2009-05-16 23:23

Re: WinBlueSoft

Post by Belahzur on 20th May 2009, 4:15 pm

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
OneStepSrch Service
mrtRate

File::
c:\windows\system32\52398zpy9.dll
c:\windows\winstart.bat

Folder::
c:\program files\SmitFraudFixPro
C:\RootkitNO
c:\documents and settings\All Users\Application Data\OneStepSrch
c:\Program Files\LimeWire

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus_ProMFCT"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245121
# Likes : 1


Re: WinBlueSoft

Post by Berqy123 on 20th May 2009, 4:29 pm

ComboFix 09-05-19.08 - Owner 05/20/2009 12:17.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.152 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FILE ::
c:\windows\system32\52398zpy9.dll
c:\windows\winstart.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\OneStepSrch
c:\documents and settings\All Users\Application Data\OneStepSrch\onestep210.exe
c:\program files\LimeWire
c:\program files\LimeWire\.NetworkShare\LimeWireWin4.16.6.exe
c:\program files\LimeWire\.NetworkShare\LimeWireWin4.18.1.exe
c:\program files\LimeWire\Buy LimeWire PRO.url
c:\program files\LimeWire\COPYING
c:\program files\LimeWire\data.ser
c:\program files\LimeWire\inspection.props
c:\program files\LimeWire\install.log
c:\program files\LimeWire\language.prop
c:\program files\LimeWire\lib\aopalliance.jar
c:\program files\LimeWire\lib\clink.jar
c:\program files\LimeWire\lib\commons-codec-1.3.jar
c:\program files\LimeWire\lib\commons-logging.jar
c:\program files\LimeWire\lib\commons-net.jar
c:\program files\LimeWire\lib\daap.jar
c:\program files\LimeWire\lib\dnsjava.jar
c:\program files\LimeWire\lib\forms.jar
c:\program files\LimeWire\lib\foxtrot.jar
c:\program files\LimeWire\lib\gettext-commons.jar
c:\program files\LimeWire\lib\guice-1.0.jar
c:\program files\LimeWire\lib\hashes
c:\program files\LimeWire\lib\hsqldb.jar
c:\program files\LimeWire\lib\httpclient-4.0-alpha5-20080522.192134-5.jar
c:\program files\LimeWire\lib\httpcore-4.0-beta2-20080510.140437-10.jar
c:\program files\LimeWire\lib\httpcore-nio-4.0-beta2-20080510.140437-10.jar
c:\program files\LimeWire\lib\icu4j.jar
c:\program files\LimeWire\lib\jaudiotagger.jar
c:\program files\LimeWire\lib\jcraft.jar
c:\program files\LimeWire\lib\jdic.dll
c:\program files\LimeWire\lib\jdic.jar
c:\program files\LimeWire\lib\jdic_stub.jar
c:\program files\LimeWire\lib\jflac.jar
c:\program files\LimeWire\lib\jl.jar
c:\program files\LimeWire\lib\jmdns.jar
c:\program files\LimeWire\lib\jogg.jar
c:\program files\LimeWire\lib\jorbis.jar
c:\program files\LimeWire\lib\LimeWire.ico
c:\program files\LimeWire\lib\LimeWire.jar
c:\program files\LimeWire\lib\log4j.jar
c:\program files\LimeWire\lib\log4j.properties
c:\program files\LimeWire\lib\looks.jar
c:\program files\LimeWire\lib\messages.jar
c:\program files\LimeWire\lib\mp3spi.jar
c:\program files\LimeWire\lib\onion-common.jar
c:\program files\LimeWire\lib\onion-fec.jar
c:\program files\LimeWire\lib\ProgressTabs.jar
c:\program files\LimeWire\lib\swt.jar
c:\program files\LimeWire\lib\SystemUtilities.dll
c:\program files\LimeWire\lib\SystemUtilitiesA.dll
c:\program files\LimeWire\lib\themes.jar
c:\program files\LimeWire\lib\tray.dll
c:\program files\LimeWire\lib\tritonus.jar
c:\program files\LimeWire\lib\vorbisspi.jar
c:\program files\LimeWire\LimeWire On Startup.lnk
c:\program files\LimeWire\LimeWire.exe
c:\program files\LimeWire\LimeWire.ico
c:\program files\LimeWire\pmf.ico
c:\program files\LimeWire\root\magnet10\badge.img
c:\program files\LimeWire\root\magnet10\canHandle.img
c:\program files\LimeWire\root\magnet10\limewire.gif
c:\program files\LimeWire\root\magnet10\options.js
c:\program files\LimeWire\root\magnet10\silentdetect.js
c:\program files\LimeWire\SOURCE
c:\program files\LimeWire\spacer.gif
c:\program files\LimeWire\uninstall.exe
c:\program files\LimeWire\unpack.log
c:\program files\SmitFraudFixPro
c:\program files\SmitFraudFixPro\A_VPEngine.dat
c:\program files\SmitFraudFixPro\A_VPEngine.dll
c:\program files\SmitFraudFixPro\SmitFraudFixPro.exe
c:\program files\SmitFraudFixPro\unins000.dat
c:\program files\SmitFraudFixPro\unins000.exe
C:\RootkitNO
c:\rootkitno\SYSTEM.bk
c:\rootkitno\SYSTEM.LOG
c:\windows\system32\52398zpy9.dll
c:\windows\winstart.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MRTRATE
-------\Legacy_ONESTEPSRCH_SERVICE
-------\Service_mrtRate
-------\Service_OneStepSrch Service


((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-16 23:27 . 2009-05-16 23:27 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-16 22:33 . 2009-05-16 22:34 -------- d-----w c:\program files\CrossLoop
2009-05-16 19:58 . 2009-05-16 19:58 0 ----a-w c:\documents and settings\Owner\settings.dat
2009-05-16 16:49 . 2009-05-16 16:49 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-16 16:49 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-16 16:49 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-16 15:46 . 2009-05-16 22:07 -------- d-----w c:\program files\UnHackMe
2009-05-16 14:01 . 2009-05-16 14:04 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-16 13:59 . 2009-05-16 13:59 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-16 13:59 . 2009-05-16 22:08 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-15 18:13 . 2009-05-15 18:13 86 ---ha-w C:\aaw7boot.cmd
2009-05-15 16:05 . 2009-05-15 18:18 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 00:42 . 2004-05-23 19:50 4127 -c--a-w c:\windows\viassary-hp.reg
2009-05-16 15:56 . 2008-12-18 11:37 -------- d-----w c:\program files\OneStepSrch
2009-05-15 18:13 . 2005-01-23 12:01 -------- d-----w c:\program files\ICQToolbar
2009-05-05 12:31 . 2009-02-10 14:50 339968 ----a-w c:\windows\system32\pythoncom25.dll
2009-05-05 12:31 . 2009-02-10 14:50 114688 ----a-w c:\windows\system32\pywintypes25.dll
2009-05-05 12:31 . 2009-02-10 14:50 2117632 ----a-w c:\windows\system32\python25.dll
2009-05-04 19:05 . 2009-05-04 19:05 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-05-04 19:05 . 2009-05-04 19:05 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-04-18 22:37 . 2004-01-26 10:23 -------- d-----w c:\program files\Java
2009-04-12 12:53 . 2009-04-02 13:44 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-12 12:45 . 2009-04-12 12:44 -------- d-----w c:\program files\iTunes
2009-04-12 12:45 . 2009-04-12 12:45 -------- d-----w c:\program files\iPod
2009-04-12 12:44 . 2007-07-08 01:50 -------- d-----w c:\program files\Common Files\Apple
2009-04-04 17:38 . 2004-08-01 11:39 56880 -c--a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 17:36 . 2008-03-10 13:17 -------- d-----w c:\program files\Windows Live
2009-04-04 17:36 . 2009-04-04 17:36 -------- d-----w c:\program files\Microsoft Sync Framework
2009-04-04 17:34 . 2009-04-04 17:34 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-04-04 17:32 . 2009-04-04 17:32 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-02 13:44 . 2009-04-02 13:33 -------- d-----w c:\program files\Microsoft
2009-04-02 13:44 . 2009-04-02 13:44 -------- d-----w c:\program files\Microsoft Office Outlook Connector
2009-04-02 13:26 . 2009-04-02 13:26 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 09:19 . 2008-12-02 05:31 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-02-04 18:37 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-02-06 22:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
.

Re: WinBlueSoft

Post by Berqy123 on 20th May 2009, 4:30 pm

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-20 16:21 . 2009-05-20 16:21 16384 c:\windows\temp\Perflib_Perfdata_7e4.dat
- 2004-05-27 19:35 . 2009-04-29 22:01 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-03-22 23:05 . 2007-03-22 23:05 97632 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\PP7X32.DLL
+ 2004-05-27 19:35 . 2009-05-16 23:23 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-05-16 22:03 . 2009-05-14 19:45 156582 c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
- 2004-05-27 19:35 . 2009-04-29 22:01 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2004-05-27 19:35 . 2009-04-29 22:01 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2004-05-27 19:35 . 2009-05-16 23:23 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-05-16 22:05 . 2009-05-16 22:08 4506044 c:\windows\system32\Restore\rstrlog.dat
+ 2005-05-11 00:59 . 2009-05-07 07:16 24699336 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2004-06-01 196608]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 536576]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2005-10-25 14892072]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2003-11-04 221184]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 45108]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 36864]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-06-13 180269]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-05-21 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-06-01 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-06-01 217088]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]
"SetDefPrt"="c:\program files\Brother\BRMFLPRO\BrDefPrt.exe" [2002-12-18 40960]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-07-04 29744]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-12-12 366400]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-07-21 98304]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2004-1-26 16384]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-3-29 67128]
Sierra Garden Planner Tray Application.lnk - c:\sierra\GPlan\CALTRAY.EXE [2004-5-29 32768]
SmartUI.lnk - c:\program files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2003-2-3 1568768]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"c:\\Westwood\\RA2\\game.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [7/31/2004 3:55 PM 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [7/31/2004 3:55 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [7/31/2004 3:55 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [7/31/2004 3:55 PM 10368]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/11/2007 7:46 AM 29744]
.
Contents of the 'Scheduled Tasks' folder

2009-05-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-05-20 c:\windows\Tasks\User_Feed_Synchronization-{ED66BDE5-8676-42CC-AF80-7684888F2EC8}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Note this (Google Notebook) - c:\program files\Google\Google Notebook\gnotes1.0.2.19-356756253.dll/gn_menu1.html
IE: Note this item (Google Notebook) - c:\program files\Google\Google Notebook\gnotes1.0.2.19-356756253.dll/gn_menu2.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
DPF: CabBuilder - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\v6cru8cq.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-20 12:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1427937640-3629286915-1191468878-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3788)
c:\docume~1\Owner\LOCALS~1\Temp\IadHide5.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Brmfrmps.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-20 12:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-20 16:27
ComboFix2.txt 2009-05-20 16:05
ComboFix3.txt 2009-05-16 20:58

Pre-Run: 129,870,024,704 bytes free
Post-Run: 129,833,603,072 bytes free

324 --- E O F --- 2009-05-16 23:23


Re: WinBlueSoft

Post by Belahzur on 20th May 2009, 5:30 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: WinBlueSoft

Post by Berqy123 on 20th May 2009, 5:39 pm

Thank you guys sooo much. The computer is running tip top. I know you guys get this a lot but I really really really appreciate it. I am so glad you guys exist.

:o) THANK YOU!!!!!!!!!!


Re: WinBlueSoft

Post by Belahzur on 20th May 2009, 5:41 pm

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.
