Infected by Winblue Soft


Infected by Winblue Soft

Post by erin85 on 21st May 2009, 11:10 am

heya,

I have tried downloading malware removal software but nothing seems to be working. I have run HijackThis and came up with the following:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:47 PM, on 21/05/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16809)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\config\systemprofile\Desktop\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe
C:\Windows\system32\config\systemprofile\Desktop\HiJack(GP)This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: 790151 helper - {22186AA4-E2A6-45E8-BF4F-5C103C0458B0} - C:\Windows\system32\790151\790151.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {67956585-9B5C-4E2B-ABE1-A01BF3046EE1} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: 796525 helper - {E7F15AC4-E0A9-43F0-921B-70DFEA621220} - C:\Windows\system32\796525\796525.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WiniBlueSoft] C:\Program Files\WiniBlueSoft Software\WiniBlueSoft\WiniBlueSoft.exe -min
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
O4 - HKLM\..\Run: [sysldtray] C:\Windows\ld08.exe
O4 - HKLM\..\Run: [pp] C:\Windows\pp08.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EasyMessage] C:\Program Files\Easy Message\em2.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKLM\..\RunOnce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [setup2.exe] C:\Windows\system32\setup2.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Windows\system32\config\systemprofile\Desktop\uTorrent.exe"
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [uTorrent] "C:\Windows\system32\config\systemprofile\Desktop\uTorrent.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [uTorrent] "C:\Windows\system32\config\systemprofile\Desktop\uTorrent.exe" (User 'Default user')
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\erin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O13 - Gopher Prefix:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - [You must be registered and logged in to see this link.]
O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - [You must be registered and logged in to see this link.]
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{39B9288A-9C8F-45CA-9BFA-65ED3D3CF105}: NameServer = 85.255.112.168,85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6E557D2-3EA9-4747-9265-89001AB6F199}: NameServer = 85.255.112.168,85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.168,85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{39B9288A-9C8F-45CA-9BFA-65ED3D3CF105}: NameServer = 85.255.112.168,85.255.112.146
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.168,85.255.112.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{39B9288A-9C8F-45CA-9BFA-65ED3D3CF105}: NameServer = 85.255.112.168,85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.168,85.255.112.146
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: websrvx - Unknown owner - C:\Program Files\websrvx\websrvx.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9093 bytes

I am not very savvy with the computer, so any help that you can give would be appreciated. Also, one of my mates said that the last time he had a virus and got rid of it, he had someone help him with what antivirus software to use, the setup of firewalls, anti-spyware etc. Most of that makes no sense to me, so any help would be appreciated!!

erin85
Novice

Posts: 6
Joined: 2009-05-21
OS: Vista
Points: 27598
Likes: 0

Re: Infected by Winblue Soft

Post by Belahzur on 21st May 2009, 3:44 pm

Hello.

In case you lose internet access during this fix, this should repair it.

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab -> LAN Settings > uncheck "Use a proxy server", or reconfigure the proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"
  2. Click the apply button and restart that computer in normal mode.

Next,

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    O2 - BHO: 790151 helper - {22186AA4-E2A6-45E8-BF4F-5C103C0458B0} - C:\Windows\system32\790151\790151.dll
    O2 - BHO: (no name) - {67956585-9B5C-4E2B-ABE1-A01BF3046EE1} - (no file)
    O2 - BHO: 796525 helper - {E7F15AC4-E0A9-43F0-921B-70DFEA621220} - C:\Windows\system32\796525\796525.dll
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
    O4 - HKLM\..\Run: [sysldtray] C:\Windows\ld08.exe
    O4 - HKLM\..\Run: [pp] C:\Windows\pp08.exe
    O4 - HKCU\..\Run: [setup2.exe] C:\Windows\system32\setup2.exe
    O4 - HKCU\..\Run: [uTorrent] "C:\Windows\system32\config\systemprofile\Desktop\uTorrent.exe"
    O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
    O4 - HKUS\S-1-5-18\..\Run: [uTorrent] "C:\Windows\system32\config\systemprofile\Desktop\uTorrent.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [uTorrent] "C:\Windows\system32\config\systemprofile\Desktop\uTorrent.exe" (User 'Default user')
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - [You must be registered and logged in to see this link.]
    O17 - HKLM\System\CCS\Services\Tcpip\..\{39B9288A-9C8F-45CA-9BFA-65ED3D3CF105}: NameServer = 85.255.112.168,85.255.112.146
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C6E557D2-3EA9-4747-9265-89001AB6F199}: NameServer = 85.255.112.168,85.255.112.146
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.168,85.255.112.146
    O17 - HKLM\System\CS1\Services\Tcpip\..\{39B9288A-9C8F-45CA-9BFA-65ED3D3CF105}: NameServer = 85.255.112.168,85.255.112.146
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.168,85.255.112.146
    O17 - HKLM\System\CS2\Services\Tcpip\..\{39B9288A-9C8F-45CA-9BFA-65ED3D3CF105}: NameServer = 85.255.112.168,85.255.112.146
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe


  • Press "Fix Checked"
  • Close Hijack This.

Next,

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Symantec?)
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245101
Likes: 1
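The entries Belahzur picked out of the log by hand follow a few recognisable patterns: an IE proxy pointed at a listener on localhost, BHOs whose "name" is just a number or whose file is gone, Run values that launch an .exe dropped straight into the Windows root (or a bare name with no path at all), NameServer values rewritten to public resolvers the user never chose, and a service with no publisher. As an added example, not part of this thread and not HijackThis's own code, the following Python script parses lines in the HijackThis v2 log format and flags exactly those patterns, so a helper can run it over a pasted log before reading it line by line. The sample log is constructed from lines posted above plus two benign vendor entries for contrast; the EXPECTED_DNS allowlist is an assumption (left empty, so every public resolver is surfaced).

```python
import re
from ipaddress import ip_address

# Constructed sample: lines in the Trend Micro HijackThis v2 log format, copied from
# the log posted in this thread, plus two benign vendor entries (Adobe, Synaptics) so
# the rules can be seen leaving normal entries alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: 790151 helper - {22186AA4-E2A6-45E8-BF4F-5C103C0458B0} - C:\Windows\system32\790151\790151.dll
O2 - BHO: (no name) - {67956585-9B5C-4E2B-ABE1-A01BF3046EE1} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [sysldtray] C:\Windows\ld08.exe
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.168,85.255.112.146
O23 - Service: websrvx - Unknown owner - C:\Program Files\websrvx\websrvx.exe
"""

# Assumption: the resolvers this machine is expected to use. Left empty here, so every
# public resolver written into the registry is surfaced for review.
EXPECTED_DNS = set()

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# An .exe sitting directly in the Windows root (no subdirectory), quoted or not.
WINROOT_EXE_RE = re.compile(r'^"?[a-z]:\\windows\\[^\\"]+\.exe"?', re.IGNORECASE)


def triage_line(line):
    """Return the reasons a single HijackThis line deserves review (empty = unremarkable)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons = []

    if section in ("R0", "R1") and "ProxyServer" in body:
        value = body.split("=", 1)[1].strip()
        if re.search(r"\b(localhost|127\.0\.0\.1)\b", value):
            reasons.append("IE proxy points at a local listener: browser traffic is relayed through another process")

    elif section == "O2":
        b = BHO_RE.match(body)
        if b:
            if b.group("path") == "(no file)":
                reasons.append("BHO registered for a file that no longer exists (orphaned CLSID)")
            if re.fullmatch(r"\d+( helper)?", b.group("name")):
                reasons.append("BHO name is just a number, which no legitimate vendor uses")

    elif section == "O4":
        r = RUN_RE.match(body)
        if r:
            cmd = r.group("cmd")
            if WINROOT_EXE_RE.match(cmd):
                reasons.append("autorun executable dropped directly in the Windows root")
            elif "\\" not in cmd and "." not in cmd:
                reasons.append("autorun value is a bare name with no path or extension")

    elif section == "O17" and "NameServer" in body:
        for ip in (s.strip() for s in body.split("NameServer =", 1)[1].split(",")):
            try:
                addr = ip_address(ip)
            except ValueError:
                continue
            if not addr.is_private and ip not in EXPECTED_DNS:
                reasons.append(f"DNS resolver {ip} is a public address not on the allowlist")

    elif section == "O23":
        s = SVC_RE.match(body)
        if s and s.group("owner") == "Unknown owner":
            reasons.append("service has no publisher string")

    return reasons


def triage_log(text):
    """Run triage_line over a whole log; returns [(line, reasons)] for flagged lines only."""
    flagged = []
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

On the sample, seven of the nine lines are flagged and the Adobe and Synaptics entries pass untouched. The rules are deliberately narrow (they encode only what is visible in this log), so the output is a shortlist for a human to confirm, not a verdict; the O17 rule in particular needs a real allowlist of the ISP's or organisation's resolvers before it is useful outside this thread.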

Re: Infected by Winblue Soft

Post by erin85 on 22nd May 2009, 12:17 pm

Heya,

Did as asked and came up with the below report (split over a few msgs). What should I do now?


ComboFix 09-05-21.01 - SYSTEM 22/05/2009 21:26.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.61.1033.18.502.161 [GMT 10:00]
Running from: c:\windows\system32\config\systemprofile\Desktop\Combo-Fix.exe
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
PEV Error: LocalSettingsFile

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\1019znot-a-virus25e.exe
c:\windows\107bdzwn9o5der314.cpl
c:\windows\11039spambot6z5.cpl
c:\windows\116595rus1bz.ocx
c:\windows\11907not-a-vzrus35c9.exe
c:\windows\11925zy389.dll
c:\windows\11b9tzief2582.cpl
c:\windows\12505vi5us19z.exe
c:\windows\12827zirus5925.ocx
c:\windows\12891zpambot1559.exe
c:\windows\12925ot-z-viru9279.bin
c:\windows\12z5th59f3111.cpl
c:\windows\13100notza-virus159.dll
c:\windows\13305z9oj745.exe
c:\windows\149z5hac9tool65e.bin
c:\windows\149z8spambo581.ocx
c:\windows\1508addw9re306z.dll
c:\windows\1521zspambot970.ocx
c:\windows\1526zvirus491.cpl
c:\windows\1527notza-9irus2175.bin
c:\windows\152899orm4z7.exe
c:\windows\153spyz9a.exe
c:\windows\155v9z803.cpl
c:\windows\15680s9amb5t40z.bin
c:\windows\157bazd9are295.exe
c:\windows\15897hacktool1z7.dll
c:\windows\15905not-a-virzs189.dll
c:\windows\1594spyzar91019.ocx
c:\windows\15993zirus658.ocx
c:\windows\15e8azdwar91998.bin
c:\windows\15z92troj69e.exe
c:\windows\16036viruz985.bin
c:\windows\163769pzmbot4b5.exe
c:\windows\16399troz5dd.cpl
c:\windows\1649zv5r9s1b8.ocx
c:\windows\1687hacktz5l94.ocx
c:\windows\169715zrm9a1.ocx
c:\windows\16e9dowzloa5er1312.dll
c:\windows\174z4not-5-virus79e.ocx
c:\windows\18111sp5mbzt1ae9.ocx
c:\windows\18545spz6955.dll
c:\windows\18563viru942z.exe
c:\windows\1865sz9mbot5a6.dll
c:\windows\1899d9znloader1582.exe
c:\windows\18aesteaz509.bin
c:\windows\19045not-azvirus765.cpl
c:\windows\191019z5m84.bin
c:\windows\195805py6bz.exe
c:\windows\19605viruz693.exe
c:\windows\19802zpy365.ocx
c:\windows\1a14dow5lz9der990.bin
c:\windows\1a2eadd9are20z65.cpl
c:\windows\1a95th95f2075z.bin
c:\windows\1e79adzware22935.dll
c:\windows\1f63spzware595.ocx
c:\windows\1z435troj95e.exe
c:\windows\1z599s5ambot15c.ocx
c:\windows\1z5c9pyware769.cpl
c:\windows\1z889troj7675.ocx
c:\windows\1z8w5rm19f.cpl
c:\windows\1z929hac9to5l58c.dll
c:\windows\1za85hrea91464.dll
c:\windows\20100hac9to5l62cz.bin
c:\windows\20149vzru550.bin
c:\windows\20805t5o94ze.dll
c:\windows\20z1worm5d9.ocx
c:\windows\20z6495yd4.dll
c:\windows\20z9ad5ware703.exe
c:\windows\21158tro9293z.dll
c:\windows\2152add9are170z.dll
c:\windows\21fa5ackdz9r2545.ocx
c:\windows\2275zw5rm596.bin
c:\windows\228dzpars919785.dll
c:\windows\22987not-z-5irus397.cpl
c:\windows\22zathie91059.dll
c:\windows\2314doznloader29135.cpl
c:\windows\23154sp9mbotzed5.ocx
c:\windows\23291vir9s5bz.exe
c:\windows\23579szy2aa.exe
c:\windows\2373zir9657.ocx
c:\windows\239zvir5s479.cpl
c:\windows\23e5addwar912z9.dll
c:\windows\24z5threat97469.exe
c:\windows\250z0troj57f9.ocx
c:\windows\253z4spy9c5.exe
c:\windows\2550thr9atz1089.bin
c:\windows\2569sp5warez546.exe
c:\windows\257235roj19z.cpl
c:\windows\25783h5ckzool1f69.ocx
c:\windows\2590dow5loader288z.cpl
c:\windows\25930not-z-v5rus59b.dll
c:\windows\25935virus6az.dll
c:\windows\259athreatz2163.ocx
c:\windows\25z28v9rus5ce.exe
c:\windows\26152t95z5f1.cpl
c:\windows\26579ddwarz3045.bin
c:\windows\26641s9569z.exe
c:\windows\27117viz59418.exe
c:\windows\27538no9-5zvirus74.bin
c:\windows\2755ba5kdz9r1814.cpl
c:\windows\27786wor56z9.ocx
c:\windows\2781vir95z2.bin
c:\windows\283abz5kd9or2905.dll
c:\windows\283z7hac5tool449.cpl
c:\windows\2885zspy994.cpl
c:\windows\288dt5zef3097.cpl
c:\windows\28935spambot59z.exe
c:\windows\28z85spambot5d9.ocx
c:\windows\292735zr9s2d3.cpl
c:\windows\292789zrus2375.cpl
c:\windows\29559spambot5zf9.bin
c:\windows\29959zy645.exe
c:\windows\29f3z5ief3921.ocx
c:\windows\2a59bac9doo518z1.cpl
c:\windows\2a655ir79z.ocx
c:\windows\2b89s95al78z.bin
c:\windows\2bfzst5al985.exe
c:\windows\2c37az9ware31145.ocx
c:\windows\2d55szea91025.ocx
c:\windows\2da4ad5warez0269.ocx
c:\windows\2z39t5reat302.dll
c:\windows\2z959spy57.cpl
c:\windows\2zfcthie53009.exe
c:\windows\303astea5z952.cpl
c:\windows\3087vi955z.cpl
c:\windows\30948w5rm313z.cpl
c:\windows\31295worm37z.bin
c:\windows\315z7not-a-9iru54d3.ocx
c:\windows\31602s9zmbot5dc.cpl
c:\windows\3212n5t-a-vizusfd9.bin
c:\windows\32459virz54a7.bin
c:\windows\325bb9zkdoor2495.cpl
c:\windows\3298zt5oj134.ocx
c:\windows\3299zhacktool4e5.exe
c:\windows\339zddware51029.dll
c:\windows\34379iruzf75.exe
c:\windows\347edownloa5e9992z.exe
c:\windows\3578h9cztool41.ocx
c:\windows\3597addw5ze194.ocx
c:\windows\35d0szarse28589.ocx
c:\windows\36fdt5iez9155.bin
c:\windows\3719thiefz358.ocx
c:\windows\3799s5arse274z.exe
c:\windows\37d3bac9zoo52129.exe
c:\windows\3853wzrm592.exe
c:\windows\3863ste5l97z8.dll
c:\windows\3868zhief15195.bin
c:\windows\390zspyware12025.exe
c:\windows\39576worm1c5z.exe
c:\windows\395965orm59z.ocx
c:\windows\39abaz9w5re2646.bin
c:\windows\39c4st9z5395.exe
c:\windows\39c95parze2048.cpl
c:\windows\3dc75teaz1976.dll
c:\windows\3f9z59r2736.cpl
c:\windows\3z187vi5us1579.bin
c:\windows\3z298hackt5o97e.exe
c:\windows\3z70spy5are95.bin
c:\windows\3z9asteal1512.bin
c:\windows\3zfaback5o9r77.ocx
c:\windows\4063hacktoo95dz5.exe
c:\windows\40d7tzreat5529.ocx
c:\windows\4180ad5war91526z.exe
c:\windows\41865ackdoo9z52.cpl
c:\windows\423zspar5e999.bin
c:\windows\424f9pyware551z.dll
c:\windows\4270ste5z12549.dll
c:\windows\43359ir4z4.cpl
c:\windows\44e2tzr9at31537.ocx
c:\windows\4742troj39z5.exe
c:\windows\47539teal29z5.bin
c:\windows\47v9zus6d55.exe
c:\windows\485not-9-zirus6d0.cpl
c:\windows\4864backdo5r2941z.bin
c:\windows\48a5v9r2579z.exe
c:\windows\48ae59ief222z.ocx
c:\windows\48d2thzeat42589.dll
c:\windows\4934s9ar5e2259z.exe
c:\windows\497zpa5se513.dll
c:\windows\498spy75z9.ocx
c:\windows\49c9steal29z35.bin
c:\windows\4b83s9yware326z5.bin
c:\windows\4c4espywa5e91z9.bin
c:\windows\4d659pyzare192.cpl
c:\windows\4de19ir255z.bin
c:\windows\4e79thz5at1824.cpl
c:\windows\4z63s5ea9579.ocx
c:\windows\4zd3addwar92053.ocx
c:\windows\50285spy9fz.bin
c:\windows\5057th5z9t8295.cpl
c:\windows\505dbazkdoo91654.exe
c:\windows\50618hack9zol7d2.exe
c:\windows\50870hacktoolz59.dll
c:\windows\50915zrm59.bin
c:\windows\509z5acktool529.bin
c:\windows\51592spambz9142.ocx
c:\windows\517dstza52928.exe
c:\windows\519downlozder199.exe
c:\windows\51e1threat598z.exe
c:\windows\521z4wo9m431.dll
c:\windows\5285zirus3139.dll
c:\windows\529cthrezt657.bin
c:\windows\529szarse19975.exe
c:\windows\52fadd9zre1412.ocx
c:\windows\52fet5ie92z11.ocx
c:\windows\52z949irus375.bin
c:\windows\535ath9zf3207.exe
c:\windows\5385spywarz397.ocx
c:\windows\54f99zr2955.bin
c:\windows\55262h9cktooz586.cpl
c:\windows\5532wo5m9b3z.dll
c:\windows\558zvirus29c.dll
c:\windows\559csparsz2597.ocx
c:\windows\55fespazse1497.exe
c:\windows\5654zpy9are512.ocx
c:\windows\568z5i91546.ocx
c:\windows\569spy5zd.ocx
c:\windows\56a0thi9fz85.bin
c:\windows\56a5a5dwa9e67z.bin
c:\windows\5799spywa5e211z.dll
c:\windows\57azvi91119.exe
c:\windows\57ffs9arze13705.ocx
c:\windows\5857sparse159z.exe
c:\windows\5897worm3cz.exe
c:\windows\58d9th5eaz150519.ocx
c:\windows\594z0hacktool48b.dll
c:\windows\5956thief3z74.cpl
c:\windows\5987szarse2110.exe
c:\windows\59c9stzal435.ocx
c:\windows\5b54spywa5e9063z.exe
c:\windows\5d9zvir5935.bin
c:\windows\5e38threa521z97.bin
c:\windows\5e795d9ware17z0.exe
c:\windows\5eczthr5a9473.ocx
c:\windows\5f99a9zware619.ocx
c:\windows\5fz6threat9519.dll
c:\windows\5z02s9ywar51017.bin
c:\windows\5z242no9-a-virus733.cpl
c:\windows\5z48v591984.ocx
c:\windows\5z957virus449.dll
c:\windows\5z9bdow9loader12385.bin
c:\windows\5zb1th9eat58015.ocx
c:\windows\5zce9hief1519.cpl
c:\windows\62zbth5eat31269.exe
c:\windows\6398thrzat225865.bin
c:\windows\63e0spy5ar9z3.exe
c:\windows\6439spa5ze9920.ocx
c:\windows\651fsp9warez965.dll
c:\windows\65a1ztea91181.exe
c:\windows\65bzdownlo9d5r2464.dll
c:\windows\6692tzie9945.exe
c:\windows\6894thief4z85.exe
c:\windows\68a9vir588z.bin
c:\windows\68cad9warez56.exe
c:\windows\6949a5dware13z6.dll
c:\windows\6957spambot528z.ocx
c:\windows\6959ba5kdzor1796.bin
c:\windows\696zhac59ool3a9.bin
c:\windows\6995baczdoor5563.bin
c:\windows\69abbackdoor46z5.exe
c:\windows\69abth5ez2023.bin
c:\windows\69d4sp5waze1226.exe
c:\windows\6a48zpar5e14269.dll
c:\windows\6b9ddo59lozder1588.ocx
c:\windows\6c0195r1z76.dll
c:\windows\6ca8thr9a54z97.bin
c:\windows\6da7spywa9e865z.ocx
c:\windows\6fz6threa5998.cpl
c:\windows\6z54not-a9virus75a.cpl
c:\windows\6z54v9r523.exe
c:\windows\6z7eaddw9re857.cpl
c:\windows\70025hief9031z.exe
c:\windows\704zdownlo9d5r1422.ocx
c:\windows\70ba9hr5atz9031.ocx
c:\windows\7149not-a-v9ruszce5.cpl
c:\windows\7255add9are122z.bin
c:\windows\729spywar5154z.ocx
c:\windows\74355ack9oolz5.bin
c:\windows\7510vir27z49.exe
c:\windows\7546z9y4b2.dll
c:\windows\755ethizf595.bin
c:\windows\7581thzeat2797.exe
c:\windows\759addwarez056.cpl
c:\windows\75z9t9reat16595.exe
c:\windows\760db5czdoor9611.cpl
c:\windows\7690szarse26475.dll
c:\windows\782f5i92z29.cpl
c:\windows\7890d9znl5ader1218.cpl
c:\windows\7950hazktool15a.ocx
c:\windows\79fav5z2571.bin
c:\windows\79z9vi5us23b.exe
c:\windows\7c2back5oor14z9.cpl

erin85
Novice

Posts: 6
Joined: 2009-05-21
OS: Vista
Points: 27598
Likes: 0
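The "Other Deletions" list above runs to several hundred files, all built the same way: random hex digits, then a word such as virus, spambot, hacktool or not-a-virus with one or two letters swapped for a digit or the letter z, then more digits and a .exe/.cpl/.ocx/.dll/.bin extension. When triaging a log like this the useful question is not what each file was but whether they are one family of decoys and where they were dropped. As an added example, not part of the thread or of ComboFix, the following Python script recovers the mangled family word from each file name and summarises the deletions by directory, extension and family. The sample list is a dozen paths copied from the log above; the keyword list and the 60% letter-survival threshold are assumptions tuned to the naming scheme on this page.

```python
import math
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: a dozen paths copied from the "Other Deletions" section of the
# ComboFix log above, including two of the plainly named droppers (ld08.exe, pp08.exe).
SAMPLE_DELETIONS = r"""
c:\windows\1019znot-a-virus25e.exe
c:\windows\11039spambot6z5.cpl
c:\windows\149z5hac9tool65e.bin
c:\windows\12505vi5us19z.exe
c:\windows\2a59bac9doo518z1.cpl
c:\windows\1z8w5rm19f.cpl
c:\windows\11925zy389.dll
c:\windows\1a95th95f2075z.bin
c:\windows\ld08.exe
c:\windows\pp08.exe
c:\windows\system32\13335n5t9azvirus2c.ocx
c:\windows\system32\1302addw5r9296z.ocx
""".split()

# Family words that appear, mangled, inside the dropped file names on this page (assumed
# list). Longest first so "not-a-virus" wins over "virus" and "spyware" over "spy".
KEYWORDS = sorted(
    ["not-a-virus", "downloader", "hacktool", "backdoor", "spambot", "spyware",
     "addware", "sparse", "threat", "thief", "steal", "virus", "worm", "troj", "spy", "vir"],
    key=len, reverse=True)


def mangled_pattern(keyword):
    """Regex accepting the keyword with any character replaced by a digit or the letter z."""
    return re.compile("".join(f"(?:{re.escape(c)}|[0-9z])" for c in keyword))


PATTERNS = [(k, mangled_pattern(k)) for k in KEYWORDS]


def classify_stem(stem):
    """Recover the family word hidden in a file stem, or None when fewer than about 60% of
    its letters survive; the threshold stops runs of random digits matching short words."""
    for keyword, pat in PATTERNS:
        need = max(2, math.ceil(0.6 * len(keyword)))
        for i in range(len(stem) - len(keyword) + 1):
            m = pat.match(stem, i)
            if m and sum(a == b for a, b in zip(m.group(0), keyword)) >= need:
                return keyword
    return None


def summarise(paths):
    """Count deleted files by directory, by extension and by recovered family word."""
    by_dir, by_ext, by_word = Counter(), Counter(), Counter()
    for p in paths:
        wp = PureWindowsPath(p.lower())
        by_dir[str(wp.parent)] += 1
        by_ext[wp.suffix] += 1
        by_word[classify_stem(wp.stem) or "unrecognised"] += 1
    return by_dir, by_ext, by_word


if __name__ == "__main__":
    for title, counter in zip(("directory", "extension", "family word"), summarise(SAMPLE_DELETIONS)):
        print(f"by {title}:")
        for key, n in counter.most_common():
            print(f"  {n:4d}  {key}")
```

On the sample, nine of the twelve names resolve to a family word and the three that do not (11925zy389.dll, ld08.exe, pp08.exe) are exactly the ones a reviewer should look at separately: the first has too little of any word left to classify, and the last two are the short-named droppers that also appear as Run entries in the HijackThis log. The family words themselves are decoration chosen by the dropper, not a classification of what the files did; the value of the summary is in showing that the hundreds of deletions are one campaign confined to c:\windows and c:\windows\system32.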

Re: Infected by Winblue Soft

Post by erin85 on 22nd May 2009, 12:19 pm

c:\windows\7c9zt59ef535.dll
c:\windows\7e559hief2z89.cpl
c:\windows\7eczst9al2750.ocx
c:\windows\7z20spy59re1899.dll
c:\windows\7z27spamb59163.ocx
c:\windows\7zb0add5are9531.cpl
c:\windows\8074s9ambotze55.cpl
c:\windows\8469trzj595.bin
c:\windows\851down5oad9r1375z.dll
c:\windows\8597wzrm9c5.exe
c:\windows\85z3wor93dd.bin
c:\windows\8795no5-a-virus8z.ocx
c:\windows\88z9a5kdoor2403.ocx
c:\windows\8a2b5ckdooz1982.cpl
c:\windows\8d0th9eat50z95.bin
c:\windows\8z0spar9e2257.ocx
c:\windows\902765acktool797z.exe
c:\windows\9235spambzt1fc.cpl
c:\windows\92884wozm55a.cpl
c:\windows\9349troj605z.dll
c:\windows\9423addza5e518.dll
c:\windows\9426zorm15f.exe
c:\windows\944dow59oazer126.ocx
c:\windows\9470ha5kzool26b9.dll
c:\windows\9495z5oj5a2.bin
c:\windows\94a15teal2851z.bin
c:\windows\9509vir2z52.exe
c:\windows\951715otza-virus57e.dll
c:\windows\9535sparsez228.dll
c:\windows\9615steal726z.ocx
c:\windows\9652hzcktoo9167.ocx
c:\windows\96d9zddwa5e1504.ocx
c:\windows\96f1tzi5f2903.ocx
c:\windows\970065roz73a.ocx
c:\windows\97azspar5e2380.ocx
c:\windows\983stealz285.exe
c:\windows\985bzc5door9775.dll
c:\windows\9864no9-5-virus7bz.cpl
c:\windows\987adow5loadzr2174.ocx
c:\windows\9930szarse1057.dll
c:\windows\99501spy6za.cpl
c:\windows\9994zac9to5l7b0.bin
c:\windows\9e5fzddware801.exe
c:\windows\9z13virus2e5.dll
c:\windows\9z70spambot5ae5.dll
c:\windows\9z9edownl5ader1935.ocx
c:\windows\a93s9arse2z235.cpl
c:\windows\b275i91509z.bin
c:\windows\bb3t5reat32z359.exe
c:\windows\c599ddwaze1245.bin
c:\windows\ca99irz157.ocx
c:\windows\d8ebackd5or119z.bin
c:\windows\dazth5ef3968.dll
c:\windows\dbdvz9516.dll
c:\windows\ea8s9eal15z5.ocx
c:\windows\ez1vi51191.bin
c:\windows\ld08.exe
c:\windows\pp07.exe
c:\windows\pp08.exe
c:\windows\st_1242757005.exe
c:\windows\st_1242769131.exe
c:\windows\st_1242777173.exe
c:\windows\system32\102z1viru54a89.dll
c:\windows\system32\10425t9oz2b65.dll
c:\windows\system32\1055zsp9391.bin
c:\windows\system32\11413ha9kto5z60e.exe
c:\windows\system32\115985azktool91f.bin
c:\windows\system32\1199worz3995.exe
c:\windows\system32\11a15zi9f1795.bin
c:\windows\system32\12058vzr9s548.dll
c:\windows\system32\1280zspambo579e.bin
c:\windows\system32\1291s5ywarz1471.bin
c:\windows\system32\1302addw5r9296z.ocx
c:\windows\system32\13269ddz5re2065.exe
c:\windows\system32\13335n5t9azvirus2c.ocx
c:\windows\system32\13356ha9ktool2zb.exe
c:\windows\system32\13416sp5289z.ocx
c:\windows\system32\137579pyz4d.bin
c:\windows\system32\14093worm4z85.exe
c:\windows\system32\14339tr59fdz.dll
c:\windows\system32\14592trzj795.dll
c:\windows\system32\14675spz397.exe
c:\windows\system32\15246not-a-9i5us3eez.ocx
c:\windows\system32\152825paz9ot58f.cpl
c:\windows\system32\15355vz9us59c.exe
c:\windows\system32\15495pywarez94.exe
c:\windows\system32\15519not-a-vi5zs68f.dll
c:\windows\system32\155z19roj224.cpl
c:\windows\system32\1572zt5oj459.cpl
c:\windows\system32\15953wzrm145.exe
c:\windows\system32\15989spambot69az.exe
c:\windows\system32\15ceazdware15919.exe
c:\windows\system32\15d0backzo9r887.dll
c:\windows\system32\15z585pa9bot236.bin
c:\windows\system32\16391not5a-9irzs5c5.cpl
c:\windows\system32\168995roz537.dll
c:\windows\system32\1728t5iefz4109.bin
c:\windows\system32\17298troz659.cpl
c:\windows\system32\1753adzware3192.exe
c:\windows\system32\17750sp925cz.cpl
c:\windows\system32\1835zs5amb9t54.ocx
c:\windows\system32\18aea9zwa5e1789.bin
c:\windows\system32\1911995y5bdz.bin
c:\windows\system32\191529oz549e.cpl
c:\windows\system32\19183hazkt5ol25e.bin
c:\windows\system32\19198spzmbot5105.exe
c:\windows\system32\1938wozm57.ocx
c:\windows\system32\1945zparse1145.ocx
c:\windows\system32\19475sz5b9.cpl
c:\windows\system32\19495spz359.exe
c:\windows\system32\1959zvi5us4be.cpl
c:\windows\system32\19720n5t9z-virus1f7.ocx
c:\windows\system32\19z4spy9are1500.ocx
c:\windows\system32\1d495z9al300.bin
c:\windows\system32\1d49spazse1335.bin
c:\windows\system32\1d895hief2z36.exe
c:\windows\system32\1dz5thief2719.cpl
c:\windows\system32\1e95doz5l9ader1532.exe
c:\windows\system32\1ebe5t9al281z.dll
c:\windows\system32\1f23bzck95or1364.dll
c:\windows\system32\1f4cbac9doo52z32.dll
c:\windows\system32\1f59addware32z6.dll
c:\windows\system32\1fc3thr9zt17953.bin
c:\windows\system32\1z218tr9j5aa.bin
c:\windows\system32\1z32t9r5at1114.ocx
c:\windows\system32\1z485n95-a-virus105.ocx
c:\windows\system32\1z639t59j591.dll
c:\windows\system32\20913nzt-a-viru533.exe
c:\windows\system32\2091z9ackto5l60b.bin
c:\windows\system32\20efs5zrse10969.exe
c:\windows\system32\21544worz739.cpl
c:\windows\system32\2171zs5am9ot4b0.ocx
c:\windows\system32\217z1vi5us2e9.dll
c:\windows\system32\21zhi5f9910.bin
c:\windows\system32\22162z5ambot719.bin
c:\windows\system32\22389not-a5v9rus14z.dll
c:\windows\system32\22823tzo93bf5.exe
c:\windows\system32\22928t9oj4z55.exe
c:\windows\system32\229535pyaz.cpl
c:\windows\system32\229z5spy219.bin
c:\windows\system32\22e5spywa5e255z9.exe
c:\windows\system32\23005hzcktool955.dll
c:\windows\system32\23318n5z-a-vi9us481.bin
c:\windows\system32\233z3vir5s931.cpl
c:\windows\system32\23554h9ckzool6f2.exe
c:\windows\system32\23799p5rsz221.dll
c:\windows\system32\23bdste9l155z.cpl
c:\windows\system32\23f7sp5rse9z53.cpl
c:\windows\system32\24262nzt59-virus68c.exe
c:\windows\system32\24551noz-a-virus690.ocx
c:\windows\system32\24598hack5ool45z.exe
c:\windows\system32\24759not-a-ziru92f3.cpl
c:\windows\system32\2509ztroj3e9.ocx
c:\windows\system32\2536spyw9rez140.exe
c:\windows\system32\2556ad9warz797.ocx
c:\windows\system32\2560szarse1399.bin
c:\windows\system32\25659zr9j6865.cpl
c:\windows\system32\25692troj5z.cpl
c:\windows\system32\25856sp955bz.dll
c:\windows\system32\2595zhac9tool5e0.dll
c:\windows\system32\25968not-z-v5rus729.bin
c:\windows\system32\259bzhr9at13903.dll
c:\windows\system32\25a6vzr18929.dll
c:\windows\system32\2655not9a-viruszcd.dll
c:\windows\system32\269365zt-a9virus5a.exe
c:\windows\system32\27354h9cktzo515d.exe
c:\windows\system32\27744spamzo96845.dll
c:\windows\system32\27756w95mcz.cpl
c:\windows\system32\27856hacktz9l3b0.dll
c:\windows\system32\2797hzck59ol4f3.dll
c:\windows\system32\28263hackto9l50z.dll
c:\windows\system32\285659ot-a-virus5dz.cpl
c:\windows\system32\28809w5rmz349.bin
c:\windows\system32\29006s5amzot7b3.cpl
c:\windows\system32\29029hack5ooz975.ocx
c:\windows\system32\29121nzt-a-virus2925.exe
c:\windows\system32\2934159rm6za.ocx
c:\windows\system32\29532spam5otz949.exe
c:\windows\system32\2955sparse155z.cpl
c:\windows\system32\29849hacktzol455.exe
c:\windows\system32\29857spy55z.bin
c:\windows\system32\29880hack5ooz6a3.bin
c:\windows\system32\29952vi9usz8.dll
c:\windows\system32\299z8s5y1ad.cpl
c:\windows\system32\2bzd5ackdoor2934.cpl
c:\windows\system32\2cz9vir1567.exe
c:\windows\system32\2e95zir557.ocx
c:\windows\system32\2z102spambo94525.ocx
c:\windows\system32\2z2795eal211.cpl
c:\windows\system32\2z405not-a9virus546.exe
c:\windows\system32\2z589parse746.ocx
c:\windows\system32\2z709trojc5.dll
c:\windows\system32\2z7cst9al2652.exe
c:\windows\system32\30105a9ktool25z.exe
c:\windows\system32\3085n9t-a-virzs299.cpl
c:\windows\system32\31472not-a-5irusz93.cpl
c:\windows\system32\31e9s5zware3919.ocx
c:\windows\system32\32315hackz9ol4c5.dll
c:\windows\system32\32540ha5ktoolz589.dll
c:\windows\system32\3298sparsez0095.bin
c:\windows\system32\33195pyzare1302.dll
c:\windows\system32\34b15hrzat27579.cpl
c:\windows\system32\35299hacktozle29.ocx
c:\windows\system32\3529s59az1269.dll
c:\windows\system32\3549steal30z2.exe
c:\windows\system32\3599wor52z7.bin
c:\windows\system32\35f7backzoor2955.cpl
c:\windows\system32\35z92worm3a0.cpl
c:\windows\system32\3731s9ywaze9295.bin
c:\windows\system32\3799spzwar52139.exe
c:\windows\system32\379bzddware5201.bin
c:\windows\system32\382fsz5al16159.exe
c:\windows\system32\3853t9izf31435.exe
c:\windows\system32\38555zckto9l2d1.ocx
c:\windows\system32\388dth9eat2875z5.cpl
c:\windows\system32\39245iz1999.ocx
c:\windows\system32\392cbaczd5or2993.ocx
c:\windows\system32\39360tro5zd.bin
c:\windows\system32\3939viz1596.ocx
c:\windows\system32\39965w5rm10az.exe
c:\windows\system32\3a3zaddwar913705.exe
c:\windows\system32\3cespazse5195.dll
c:\windows\system32\3db5thi9f20z9.bin
c:\windows\system32\3ez8thie928945.cpl

c:\windows\system32\3fa9szeal30735.bin
c:\windows\system32\3z39s9yware1715.ocx
c:\windows\system32\3z693not-a-virus35.bin
c:\windows\system32\3zc5vi92357.cpl
c:\windows\system32\4005vir9s4z5.cpl
c:\windows\system32\4079h9cktool54bz.exe
c:\windows\system32\4109sp5z8f.bin
c:\windows\system32\4152sz95ba.dll
c:\windows\system32\415zthre9t208765.bin
c:\windows\system32\419d5tzal2709.cpl
c:\windows\system32\4254spambot4z9.exe
c:\windows\system32\4295wzrm6d.exe
c:\windows\system32\43z9bac5door2786.bin
c:\windows\system32\4562vir2959z.exe
c:\windows\system32\4575w9rm2dfz.dll
c:\windows\system32\4588hac95oolz72.cpl
c:\windows\system32\458zadd9are5750.dll
c:\windows\system32\459asparsz1925.ocx
c:\windows\system32\45dezackdoor9993.cpl
c:\windows\system32\477zthief1459.exe
c:\windows\system32\4892addw5rz98.cpl
c:\windows\system32\4939adzware95.ocx
c:\windows\system32\49905ackzoor147.bin
c:\windows\system32\4993thief1005z.bin
c:\windows\system32\4994za5kdoor1436.exe
c:\windows\system32\49d85ir1z52.dll
c:\windows\system32\4az85ack9oor775.cpl
c:\windows\system32\4zcback9oor9745.dll
c:\windows\system32\5008d59nloader1z35.bin
c:\windows\system32\50209wormz72.exe
c:\windows\system32\5028steal2996z.exe
c:\windows\system32\5079vir23z7.dll
c:\windows\system32\50z3worm5729.cpl
c:\windows\system32\51e5bac9doorz579.bin
c:\windows\system32\52139spy9z.cpl
c:\windows\system32\52a9s5eal1031z.exe
c:\windows\system32\52cdback9ooz1358.exe
c:\windows\system32\5324szambot459.exe
c:\windows\system32\5333spzware944.cpl
c:\windows\system32\5338ztroj719.cpl
c:\windows\system32\534thief962z.bin
c:\windows\system32\5352ha5ktool9ze.bin
c:\windows\system32\5359addware133z.bin
c:\windows\system32\53z5thie52559.exe
c:\windows\system32\54050spambzt79e.exe
c:\windows\system32\5435szam5ot419.dll
c:\windows\system32\5447s9ambotz4a5.exe
c:\windows\system32\546ez5ie92999.ocx
c:\windows\system32\5470znot-a-9irus762.exe
c:\windows\system32\54dfdownz9ader2727.bin
c:\windows\system32\5560steal209z.ocx
c:\windows\system32\561athr9at21z54.ocx
c:\windows\system32\56783vizus9d0.exe
c:\windows\system32\5693bz5kdoor2427.cpl
c:\windows\system32\569etzie5935.ocx
c:\windows\system32\56z2d9wnloader5039.dll
c:\windows\system32\5731trojz399.cpl
c:\windows\system32\57c15ackdo9r302z.dll
c:\windows\system32\587edowzloa59r704.ocx
c:\windows\system32\58f9s9ea51514z.ocx
c:\windows\system32\5914zacktool715.exe
c:\windows\system32\592fs5eal2175z.exe
c:\windows\system32\5948threat2994z.dll
c:\windows\system32\59594hacktool5c4z.exe


Re: Infected by Winblue Soft

Post by erin85 on 22nd May 2009, 12:22 pm

c:\windows\system32\5964steal5z2.bin
c:\windows\system32\5966zt9oj16a.dll
c:\windows\system32\5986t9reatz6257.ocx
c:\windows\system32\598z5teal2083.ocx
c:\windows\system32\599e9ir2844z.cpl
c:\windows\system32\59a95ack9zor41.cpl
c:\windows\system32\59bd5ownloader3105z.dll
c:\windows\system32\5a3fdow9zoader5265.dll
c:\windows\system32\5a59stzal1986.exe
c:\windows\system32\5b6dspywa5e108z9.dll
c:\windows\system32\5c2fbazkdo9r125.exe
c:\windows\system32\5dadsp5zse2794.exe
c:\windows\system32\5e36threzt25928.dll
c:\windows\system32\5e5abackd9or29z4.dll
c:\windows\system32\5e62do95lozder110.ocx
c:\windows\system32\5eb4spyware3z09.dll
c:\windows\system32\5ezvir2926.bin
c:\windows\system32\5f77zp95se2079.bin
c:\windows\system32\5z09not-a-virus65d.bin
c:\windows\system32\5z90ste5l186.cpl
c:\windows\system32\5ze9vir2591.ocx
c:\windows\system32\5zf75ackdoo9368.cpl
c:\windows\system32\6133t5o92dfz.bin
c:\windows\system32\61ab59zrse657.dll
c:\windows\system32\61f85ownlza9er1567.ocx
c:\windows\system32\63a9tzr9at26095.exe
c:\windows\system32\6459spar5e283z.dll
c:\windows\system32\645hze9t6903.ocx
c:\windows\system32\650zthre5t95214.cpl
c:\windows\system32\669zno59a-virus71b.exe
c:\windows\system32\66ad5ownlo9dzr430.dll
c:\windows\system32\66z5vir26989.exe
c:\windows\system32\676ezow9loader105.dll
c:\windows\system32\676thie510z09.exe
c:\windows\system32\67e15hi9fz719.bin
c:\windows\system32\68spy5a9e286z.ocx
c:\windows\system32\690a5iz647.bin
c:\windows\system32\690dvir13z59.exe
c:\windows\system32\6915threat1542z.bin
c:\windows\system32\6926addwa9e1597z.bin
c:\windows\system32\6975thie52656z.exe
c:\windows\system32\69e2back5o9rz252.cpl
c:\windows\system32\6e9bs5yware323z9.exe
c:\windows\system32\7014bzck95or2355.ocx
c:\windows\system32\7085dow9lozder1990.cpl
c:\windows\system32\71viz5259.cpl
c:\windows\system32\724csz9al2285.exe
c:\windows\system32\72bbsz5war91675.ocx
c:\windows\system32\72zfsp95are802.exe
c:\windows\system32\739a5iz2090.bin
c:\windows\system32\7490adzware5499.dll
c:\windows\system32\74addownloa5zr795.exe
c:\windows\system32\7555virz639.dll
c:\windows\system32\75989rzj735.ocx
c:\windows\system32\7615downlo9derz825.exe
c:\windows\system32\76f95hizf2027.exe
c:\windows\system32\7825virusz965.ocx
c:\windows\system32\7859ad9ware3z59.bin
c:\windows\system32\785zs9ywa5e2136.dll
c:\windows\system32\78z59pyware1786.bin
c:\windows\system32\7939zh9ef4275.dll
c:\windows\system32\7980t5oz983.dll
c:\windows\system32\7a98downloa5er52z.cpl
c:\windows\system32\7bd29ir1z57.bin
c:\windows\system32\7d39vir5966z.exe
c:\windows\system32\7d54spy9arez996.cpl
c:\windows\system32\7d69zhr5at15507.bin
c:\windows\system32\7f9fvir2556z.bin
c:\windows\system32\7ze35ddware797.ocx
c:\windows\system32\837spyzar95375.ocx
c:\windows\system32\85049ot5a-virus407z.ocx
c:\windows\system32\86139pazbot3e85.dll
c:\windows\system32\88559ormz5.cpl
c:\windows\system32\89379ack5oolz16.cpl
c:\windows\system32\89z5vi5us980.cpl
c:\windows\system32\8f5szar5e99.cpl
c:\windows\system32\903spzmb9t456.cpl
c:\windows\system32\909zs5y2d59.dll
c:\windows\system32\90z22v5rus603.exe
c:\windows\system32\91588wor57z5.bin
c:\windows\system32\91765hreat19z92.ocx
c:\windows\system32\9219worz50.cpl
c:\windows\system32\92529not-azvirus339.exe
c:\windows\system32\925sze9l538.cpl
c:\windows\system32\92spars9z755.exe
c:\windows\system32\933bviz3075.bin
c:\windows\system32\94115spambot5efz.cpl
c:\windows\system32\944675irusz4b.dll
c:\windows\system32\947895irus1fz.dll
c:\windows\system32\9531vir1z39.cpl
c:\windows\system32\9533spzmb5t2a7.dll
c:\windows\system32\9552viruz587.ocx
c:\windows\system32\9571z5roj317.ocx
c:\windows\system32\9689worm2z85.cpl
c:\windows\system32\9767ba5kdzor483.bin
c:\windows\system32\97893viru571bz.bin
c:\windows\system32\97c7threa51855z.bin
c:\windows\system32\97fv5r2z69.dll
c:\windows\system32\98225hizf133.exe
c:\windows\system32\9860wor59bz.exe
c:\windows\system32\9904viz29135.bin
c:\windows\system32\99265zy397.cpl
c:\windows\system32\992e5pazse526.bin
c:\windows\system32\9950wzrm5035.ocx
c:\windows\system32\99859zroj5595.cpl
c:\windows\system32\99z5o9m382.ocx
c:\windows\system32\9b9ddowz5oader2319.ocx


Re: Infected by Winblue Soft

Post by erin85 on 22nd May 2009, 12:27 pm

c:\windows\system32\9bc1steaz533.bin
c:\windows\system32\9ca0thi5fz84.cpl
c:\windows\system32\9cvir520z.exe
c:\windows\system32\9z13spy557.cpl
c:\windows\system32\9z8vir94155.cpl
c:\windows\system32\bd9thiefz6215.exe
c:\windows\system32\fcfbac5d9oz2369.ocx
c:\windows\system32\x64
c:\windows\system32\z01bthie9285.bin
c:\windows\system32\z0acs5ywar92408.bin
c:\windows\system32\z123s5yware1971.dll
c:\windows\system32\z15fd5w9loader1909.bin
c:\windows\system32\z22329ro57fb.dll
c:\windows\system32\z23cste9l5844.dll
c:\windows\system32\z2695sp94c3.cpl
c:\windows\system32\z2795roj6de.ocx
c:\windows\system32\z353viru9320.dll
c:\windows\system32\z4518vi5us469.cpl
c:\windows\system32\z4a3th9e52034.ocx
c:\windows\system32\z5365v9rus7c5.ocx
c:\windows\system32\z55cv9r2955.cpl
c:\windows\system32\z5953spy959.bin
c:\windows\system32\z5989virus2ab9.cpl
c:\windows\system32\z5d9spy95re691.cpl
c:\windows\system32\z5dcv9r2856.cpl
c:\windows\system32\z69fth5eat13257.dll
c:\windows\system32\z7598spy515.bin
c:\windows\system32\z82995rm52c.cpl
c:\windows\system32\z870sparse93965.exe
c:\windows\system32\z937vir2559.ocx
c:\windows\system32\z9505ot-a-virus109.ocx
c:\windows\system32\z9549worm159.ocx
c:\windows\system32\z98695rus6e7.dll
c:\windows\system32\z995thief5701.bin
c:\windows\system32\z9a5threat19595.cpl
c:\windows\Temp\1616217584.exe
c:\windows\Temp\230618176.exe
c:\windows\Temp\2640203648.exe
c:\windows\Temp\2645507648.exe
c:\windows\Temp\333254320.exe
c:\windows\Temp\3346284352.exe
c:\windows\Temp\3921828912.exe
c:\windows\z0989spy529.dll
c:\windows\z169vir851.dll
c:\windows\z19245pamb9t391.ocx
c:\windows\z1e9st5al2958.ocx
c:\windows\z375worm9b5.dll
c:\windows\z37935py51c.dll
c:\windows\z4512vi9us724.ocx
c:\windows\z4558s9y1a2.ocx
c:\windows\z48069irus225.cpl
c:\windows\z496tr5j2a4.ocx
c:\windows\z498worm592.exe
c:\windows\z5057s9y255.dll
c:\windows\z50faddware129.ocx
c:\windows\z51fdown9oader3048.bin
c:\windows\z52spyware493.exe
c:\windows\z5396sp9mbot5f5.bin
c:\windows\z547backdoor58759.bin
c:\windows\z55spyware11169.ocx
c:\windows\z5617spam59t5a.dll
c:\windows\z579s9yware404.exe
c:\windows\z59avir637.ocx
c:\windows\z7258wor9574.cpl
c:\windows\z7505spy90a.bin
c:\windows\z8fdd9wnloader5276.bin
c:\windows\z9085troj562.bin
c:\windows\z95dthief2415.cpl
c:\windows\z95thie51952.bin
c:\windows\z97dthief2519.cpl
c:\windows\z99205ot-a-virus171.exe
c:\windows\za9ba9dw5re2078.dll
c:\windows\ze09stea5995.cpl
D:\Desktop.ini
.
---- Previous Run -------
.
C:\autorun.inf
c:\program files\ThunMail
c:\windows\system32\dcads-remove.exe
c:\windows\system32\drivers\gaopdxdfpjuepeceoxxteugbnuyneowipidpcp.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxlgscdditfyqtydlbhfapgfwdyisorwpj.dll
c:\windows\system32\setup2.exe
c:\windows\system32\SYS32DLL.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.

2009-09-03 17:00 . 2009-09-03 17:00 11081 ----a-w c:\windows\39czspyware5.dll
2009-05-22 11:12 . 2009-05-22 11:12 -------- d-sh--w C:\found.000
2009-05-21 10:43 . 2009-05-21 10:49 -------- d-----w c:\program files\Easy Message
2009-05-20 05:49 . 2009-03-19 06:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-20 05:49 . 2008-04-17 02:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
2009-05-20 05:48 . 2009-05-20 05:48 -------- d-----w c:\program files\iPod
2009-05-20 05:48 . 2009-05-20 05:49 -------- d-----w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-20 05:48 . 2009-05-20 05:49 -------- d-----w c:\program files\iTunes
2009-05-20 05:44 . 2009-05-20 05:44 -------- d-----w c:\program files\Bonjour
2009-05-20 05:41 . 2009-05-20 05:42 -------- d-----w c:\program files\QuickTime
2009-05-20 01:44 . 2009-05-20 01:44 75048 ----a-w c:\programdata\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-19 16:31 . 2009-05-19 16:31 153 ----a-w C:\43454354.bat
2009-05-19 16:31 . 2009-05-19 16:31 2 ---h--w c:\windows\sto453660.dat
2009-05-19 13:20 . 2009-05-19 13:20 2 ---h--w c:\windows\sto453553.dat
2009-05-19 05:21 . 2009-05-22 08:48 -------- d-----w c:\windows\system32\790151
2009-05-18 08:09 . 2009-05-22 08:48 -------- d-----w c:\windows\system32\796525
2009-05-18 08:09 . 2009-05-18 08:09 2 ---h--w c:\windows\sto453601.dat
2009-05-18 08:09 . 2009-05-18 08:09 -------- d-----w c:\program files\websrvx
2009-05-17 09:28 . 2009-05-22 11:01 -------- d-----w C:\ComboFix
2009-05-17 03:47 . 2009-05-17 03:47 -------- d-----w c:\program files\WinBlueSoft Software
2009-05-09 05:24 . 2008-07-29 16:06 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-05-09 05:24 . 2008-07-29 16:06 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-05-08 00:05 . 2008-07-29 16:06 144912 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-05-08 00:04 . 2008-07-29 16:06 1195448 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-04-28 05:10 . 2009-04-28 05:11 -------- d-----w c:\windows\system32\config\systemprofile\AppData\Roaming\Roxio
2009-04-28 01:54 . 2009-04-28 01:54 -------- d-----w c:\windows\system32\config\systemprofile\AppData\Local\Google
2009-04-22 22:08 . 2009-04-22 22:08 8508 ----a-w c:\windows\19z79not-a-vir5se.exe


Re: Infected by Winblue Soft

Post by erin85 on 22nd May 2009, 12:28 pm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-22 11:08 . 2009-04-07 04:46 -------- d-----w c:\windows\system32\config\systemprofile\AppData\Roaming\uTorrent
2009-05-20 09:16 . 2008-02-27 06:01 -------- d-----w c:\users\erin\AppData\Roaming\uTorrent
2009-05-20 09:07 . 2007-11-21 10:24 -------- d-----w c:\program files\Nokia
2009-05-20 09:04 . 2007-11-21 10:16 61440 ----a-w c:\programdata\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Installations\CommonCustomActions\UninstPCSFEMsi.exe
2009-05-20 09:04 . 2007-11-21 10:16 10240 ----a-w c:\programdata\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Installations\CommonCustomActions\UninstPCS.exe
2009-05-20 09:04 . 2007-11-21 10:16 8192 ----a-w c:\programdata\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Installations\CommonCustomActions\UninstCCD.exe
2009-05-20 08:55 . 2006-12-20 04:54 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-20 05:48 . 2007-08-26 06:56 -------- d-----w c:\program files\Common Files\Apple
2009-05-16 09:42 . 2007-06-30 19:53 87640 ----a-w c:\windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-15 09:44 . 2009-04-03 06:45 -------- d-----w c:\program files\NCH Software
2009-05-15 09:43 . 2009-04-07 05:36 -------- d-----w c:\program files\Common Files\Ahead
2009-05-15 09:42 . 2006-12-20 05:29 -------- d-----w c:\program files\DivX
2009-05-11 05:38 . 2007-08-26 08:30 -------- d-----w c:\program files\Norton Security Scan
2009-05-07 23:47 . 2006-12-20 05:04 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-07 23:42 . 2006-12-20 05:04 -------- d-----w c:\programdata\Symantec
2009-04-30 21:32 . 2006-11-02 12:35 -------- d-----w c:\program files\Windows Sidebar
2009-04-30 21:32 . 2006-11-02 12:35 -------- d-----w c:\program files\Windows Photo Gallery
2009-04-30 21:32 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-30 21:32 . 2006-12-20 05:16 -------- d-----w c:\program files\Microsoft Works
2009-04-30 21:32 . 2009-04-08 01:05 -------- d-----w c:\program files\DVD Shrink
2009-04-30 21:32 . 2006-12-20 05:04 -------- d-----w c:\program files\Common Files\SureThing Shared
2009-04-29 08:38 . 2006-12-20 05:00 -------- d-----w c:\programdata\Roxio
2009-04-24 08:47 . 2008-02-27 06:03 -------- d-----w c:\program files\uTorrent
2009-04-22 03:20 . 2009-04-10 02:36 -------- d-----w c:\program files\Common Files\Nero
2009-04-22 03:15 . 2009-04-03 06:40 -------- d-----w c:\program files\NCH Swift Sound
2009-04-22 03:14 . 2009-04-22 03:14 -------- d-----w c:\windows\system32\config\systemprofile\AppData\Roaming\NCH Swift Sound
2009-04-12 02:29 . 2009-04-12 02:29 -------- d-----w c:\windows\system32\config\systemprofile\AppData\Roaming\Apple Computer
2009-04-12 02:15 . 2007-11-27 00:40 -------- d-----w c:\program files\Windows Live
2009-04-10 05:42 . 2009-04-10 02:37 -------- d-----w c:\programdata\Nero
2009-04-09 11:03 . 2009-04-09 10:55 -------- d-----w c:\windows\system32\config\systemprofile\AppData\Roaming\Digsby
2009-04-08 21:50 . 2009-04-08 21:50 -------- d-----w c:\windows\system32\config\systemprofile\AppData\Roaming\Symantec
2009-04-08 04:11 . 2009-04-08 01:05 -------- d-----w c:\programdata\DVD Shrink
2009-04-07 11:45 . 2009-04-07 11:45 -------- d-----w c:\windows\system32\config\systemprofile\AppData\Roaming\GRETECH
2009-04-07 05:39 . 2009-04-07 05:38 -------- d-----w c:\program files\PS3 Media Server
2009-04-07 05:37 . 2009-04-07 05:37 -------- d-----w c:\programdata\Ahead
2009-04-07 05:03 . 2009-04-07 05:03 -------- d-----w c:\windows\system32\config\systemprofile\AppData\Roaming\dvdcss
2009-04-06 04:58 . 2007-06-30 20:44 7186 ----a-w c:\users\erin\AppData\Roaming\wklnhst.dat
2009-04-03 06:50 . 2009-04-03 06:45 -------- d-----w c:\programdata\NCH Swift Sound
2009-04-03 06:47 . 2009-04-03 06:47 -------- d-----w c:\programdata\NCH Software
2009-04-03 06:45 . 2009-04-03 06:45 27136 ----a-w c:\windows\system32\drivers\nchssvad.sys
2009-04-03 06:45 . 2009-04-03 06:44 -------- d-----w c:\users\erin\AppData\Roaming\NCH Swift Sound
2009-03-31 04:35 . 2009-04-21 22:14 17160 ----a-w c:\windows\Help\OEM\scripts\HC_TotalCareAdvisorUpdate.exe
2009-03-30 06:30 . 2009-04-21 22:14 17160 ----a-w c:\windows\Help\OEM\scripts\HC_DanzkaDubraBIOSUpdate.exe
2009-03-28 23:10 . 2009-03-28 23:10 -------- d-----w c:\users\erin\AppData\Roaming\Sony Corporation
2009-03-28 08:53 . 2007-08-26 10:21 -------- d-----w c:\users\erin\AppData\Roaming\dvdcss
2009-03-24 00:17 . 2008-05-17 00:57 -------- d-----w c:\users\erin\AppData\Roaming\My Games
2009-03-24 00:06 . 2008-07-07 10:23 -------- d-----w c:\program files\Common Files\Adobe
2009-03-24 00:01 . 2009-03-24 00:01 -------- d-----w c:\programdata\Office Genuine Advantage
2009-03-19 06:32 . 2009-03-19 06:32 23400 ----a-w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-06 07:12 . 2008-01-08 22:20 21256 ----a-w c:\windows\Help\OEM\scripts\HPscript.exe
2009-03-05 02:29 . 2009-03-17 22:13 16648 ----a-w c:\windows\Help\OEM\scripts\HC_ProtectSmartPatch.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]
"uTorrent"="c:\windows\system32\config\systemprofile\Desktop\uTorrent.exe" [2009-02-15 270128]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2006-11-02 2159104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-06 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-06 81920]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-12-03 167936]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-09-22 144792]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2008-01-29 583048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{15FEB79B-DB6E-4693-AACE-BD2075D2FF58}"= UDP:c:\program files\HP\QuickPlay\QP.exe:QP
"{5EEC6061-505A-4ED6-B0CD-CCE4C620FAC8}"= TCP:c:\program files\HP\QuickPlay\QP.exe:QP
"{08094204-5A2E-4C31-9E8C-7E48DC684ACB}"= UDP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{BB6EAA10-A57A-4DF9-85FC-0730566C3E19}"= TCP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{00320C23-6BAB-47E5-B71A-003065996B34}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{B2B14CA0-7658-47C9-8196-FD5BC1ABAF85}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{E3EB54DC-2774-4A39-94B8-9BD040553DA9}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{BBD78239-13B6-4277-951F-3CF917526078}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{8CB42DB4-21C2-4B97-B4C2-59ADC9408A67}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{D85E5C64-985C-49F7-B551-235AC910B6DD}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{F4BA0750-A8B3-4D02-8A89-5656AA2D2B6C}"= UDP:c:\windows\system32\config\systemprofile\Downloads\utorrent.exe:µTorrent (TCP-In)
"{A9221765-482B-4E5F-A7FB-C83A1443CB7A}"= TCP:c:\windows\system32\config\systemprofile\Downloads\utorrent.exe:µTorrent (UDP-In)
"{C37EC530-3917-4286-9854-FE199E23D31A}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{FFF4AE9B-3D8A-4A3C-9A54-AFCB98352F1D}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{5E7A0E52-1D99-4A10-8DE9-700B8A7130AF}"= UDP:c:\windows\system32\config\systemprofile\Desktop\uTorrent.exe:µTorrent (TCP-In)
"{FE6F8389-484A-4A2E-9077-6888D39F5B25}"= TCP:c:\windows\system32\config\systemprofile\Desktop\uTorrent.exe:µTorrent (UDP-In)
"{29DD181A-9D52-40DA-B32F-8CF7C10F7465}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{56A88EFE-CCC5-413B-990F-E4D3C1F76C87}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{012E212F-9AE4-404B-9CC1-7A6737FADDFA}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{AEDE3361-D7BD-440A-9261-B5B840E0381B}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{B5381FD2-882D-47C2-9B84-349E0066696B}"= UDP:c:\windows\system32\config\systemprofile\Desktop\uTorrent.exe:µTorrent (TCP-In)
"{B16DC444-59DC-4640-8BB8-051D8F2C652D}"= TCP:c:\windows\system32\config\systemprofile\Desktop\uTorrent.exe:µTorrent (UDP-In)
"{FF0A8EED-29BE-4277-81E3-CF4E3B95D1AE}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{F3E31DD9-5046-411F-A418-8B2D8970A98B}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{3D74CE0A-B3A1-47C1-A948-B065657C9260}"= UDP:c:\windows\system32\config\systemprofile\Desktop\uTorrent.exe:µTorrent (TCP-In)
"{052554DA-A0BC-47BA-8335-BA208A9CD940}"= TCP:c:\windows\system32\config\systemprofile\Desktop\uTorrent.exe:µTorrent (UDP-In)
"{C0CA1EF6-3ABF-47D1-A58F-A8F64D44D20A}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{9BC2643B-9987-488E-B3D3-074AF3A4E28C}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{108CEEB0-F2E0-4685-BF59-53A9C428A2D8}"= UDP:c:\windows\system32\config\systemprofile\Desktop\uTorrent.exe:µTorrent (TCP-In)
"{3B53D887-E87C-409A-BB6F-B9CB2DBB2D92}"= TCP:c:\windows\system32\config\systemprofile\Desktop\uTorrent.exe:µTorrent (UDP-In)
"{0ABC285B-2231-4058-AC74-934ABCF83BAC}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{57CC649E-4B48-4228-AF6E-4DE380AEF3C0}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{103E7AE7-8623-48DC-B780-76A64D2487E9}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{B9DEB46B-1649-4C50-9D51-A7C28C25790F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [9/05/2009 3:24 PM 36368]
R2 websrvx;websrvx;c:\program files\websrvx\websrvx.exe [18/05/2009 6:09 PM 9728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKLM-Run-EasyMessage - c:\program files\Easy Message\em2.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local;
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\erin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\windows\System32\config\systemprofile\AppData\Roaming\Mozilla\Firefox\Profiles\3ebedxwp.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-22 21:36
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
EasyMessage = c:\program files\Easy Message\em2.exe????????(????3?????H????:3??????????:3? ????:3??:3??????:3?3 d?????????l???????0?????^w?ibw????G$dwL!dwA???P????:3?????A???-?dw(????????(3??????(3??????j??????)????????????g??8????h???)3??k??L???P?????????^w????P???????q?:v

scanning hidden files ...


c:\windows\system32\config\SYSTEM~1\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-05-22 21:40
ComboFix-quarantined-files.txt 2009-05-22 11:40

Pre-Run: 3,267,035,136 bytes free
Post-Run: 4,185,198,592 bytes free

1001 --- E O F --- 2009-03-23 23:09


Re: Infected by Winblue Soft

Post by Origin on 23rd May 2009, 12:27 am

I see that you are running uTorrent.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If uTorrent is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • uTorrent

Now open a new notepad file.
Input this into the notepad file:

File::
C:\autorun.inf
c:\program files\ThunMail
c:\windows\system32\dcads-remove.exe
c:\windows\system32\drivers\gaopdxdfpjuepeceoxxteugbnuyneowipidpcp.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxlgscdditfyqtydlbhfapgfwdyisorwpj.dll
c:\windows\system32\setup2.exe
c:\windows\system32\SYS32DLL.exe
D:\Autorun.inf
c:\windows\39czspyware5.dll
C:\found.000
c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
C:\43454354.bat
c:\windows\sto453660.dat
c:\windows\sto453553.dat
c:\windows\system32\790151
c:\windows\system32\796525
c:\windows\sto453601.dat
c:\windows\system32\config\systemprofile\AppData\Roaming\uTorrent
c:\users\erin\AppData\Roaming\uTorrent
c:\program files\websrvx\websrvx.exe

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]


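The CFScript above was written by reading the ComboFix log by hand: the helper picked out the random-looking names under c:\windows and c:\windows\system32 that hide a malware-family word behind digits and the letter z (s9yware, no59a-virus, st9al), the purely numeric files and folders in system locations, and the registry values that switch off UAC, the firewall and Security Center monitoring (EnableLUA = 0, EnableFirewall = 0, DisableMonitoring = 1). The script below is an added example for this thread, not part of ComboFix and not code from either poster; it automates that triage over a constructed sample log (a handful of lines modelled on the posted one) and emits a File:: section in the same layout the helper used. The thresholds and regexes are the example's own heuristics.

```python
"""Triage a ComboFix-style log: flag obfuscated malware file names and
weakened security settings, then emit a CFScript File:: section.

Added example for this thread (not ComboFix code, not the posters' code).
SAMPLE_LOG is constructed from a few lines modelled on the posted log."""
import re

SAMPLE_LOG = r"""
c:\windows\system32\2z7cst9al2652.exe
c:\windows\system32\3z39s9yware1715.ocx
c:\windows\system32\669zno59a-virus71b.exe
c:\windows\system32\gaopdxcounter
c:\windows\Temp\1616217584.exe
2009-09-03 17:00 . 2009-09-03 17:00 11081 ----a-w c:\windows\39czspyware5.dll
2009-05-20 05:49 . 2009-03-19 06:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-19 16:31 . 2009-05-19 16:31 153 ----a-w C:\43454354.bat
2009-05-19 05:21 . 2009-05-22 08:48 -------- d-----w c:\windows\system32\790151
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

# Family words the dropper hides in its file names, longest first so that
# "not-a-virus" wins over "virus" and "spyware" over "spy".
TOKENS = ["not-a-virus", "downloader", "backdoor", "hacktool", "spyware",
          "spambot", "addware", "trojan", "threat", "sparse", "steal",
          "thief", "virus", "worm", "troj", "vir", "spy"]

def fuzzy_pattern(token):
    """Regex in which every character of token may also be a digit or 'z'.
    Wrapped in a lookahead so that overlapping candidates are all examined."""
    body = "".join(f"(?:{re.escape(c)}|[0-9z])" for c in token)
    return re.compile(f"(?=({body}))")

FUZZY = [(t, fuzzy_pattern(t)) for t in TOKENS]

def obfuscated_token(basename):
    """Family word hidden in basename, or None.  At least len(token)-2 (and
    never fewer than 3) characters must match literally, so that a run of
    digits cannot satisfy a pattern on its own."""
    name = basename.lower().rsplit(".", 1)[0]
    for token, pat in FUZZY:
        for m in pat.finditer(name):
            literal = sum(1 for a, b in zip(m.group(1), token) if a == b)
            if literal >= max(3, len(token) - 2):
                return token
    return None

# Registry values whose presence at this setting weakens the host.
WEAK_VALUES = {"enablelua": 0, "enablefirewall": 0, "disablemonitoring": 1}

# "Files Created" line: date time . date time size attrs path
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} "
                        r"\d{2}:\d{2} +\S+ +\S+ +(.+)$")
BARE_PATH_RE = re.compile(r"^[a-z]:\\", re.I)            # "Other Deletions" lines
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?([0-9a-f]+)(?:\s|$)', re.I)
# Purely numeric names directly in the Windows, system32, Temp or root directory.
NUMERIC_RE = re.compile(r"^(?:c:\\windows\\(?:system32\\|temp\\)?|c:\\)\d+(?:\.\w+)?$", re.I)
# Entries that sit directly in c:\windows or c:\windows\system32 (not deeper).
WINDIR_RE = re.compile(r"^c:\\windows\\(?:system32\\)?([^\\]+)$", re.I)

def triage(log_text):
    """Return (findings, weak): findings are (reason, path) pairs for suspect
    files, weak are (key, value_name, value) for dangerous registry settings."""
    findings, weak, key = [], [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        if key and (m := VALUE_RE.match(line)):
            name, value = m.group(1), int(m.group(2), 16)
            if WEAK_VALUES.get(name.lower()) == value:
                weak.append((key, name, value))
            continue
        m = CREATED_RE.match(line)
        path = m.group(1) if m else (line if BARE_PATH_RE.match(line) else None)
        if path is None:
            continue
        if NUMERIC_RE.match(path):
            findings.append(("numeric-only name in a system location", path))
        elif (m := WINDIR_RE.match(path)) and (tok := obfuscated_token(m.group(1))):
            findings.append((f"obfuscated '{tok}' in file name", path))
    return findings, weak

def cfscript(findings):
    """File:: section of a CFScript, in the layout used in the thread."""
    return "File::\n" + "\n".join(path for _, path in findings) + "\n"

if __name__ == "__main__":
    found, weak = triage(SAMPLE_LOG)
    for reason, path in found:
        print(f"{reason:42} {path}")
    for key, name, value in weak:
        print(f"weak setting {name}={value} under [{key}]")
    print(cfscript(found))
```

The token heuristic only catches names that still carry most of a family word, which is why random alphabetic names such as the gaopdx* rootkit files in the posted log (and gaopdxcounter in the sample) are not flagged and still have to be picked out by eye; treat the generated File:: list as a starting point for review, not as something to run unread.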
