I've been infected with Winbluesoft


I've been infected with Winbluesoft

Post by pbrown223 on Fri May 29, 2009 1:43 am

Hi. Winbluesoft recently installed on my computer and I've been having a really hard time trying to remove it. I noticed something was suspicious when Spybot wouldn't run. I did a full scan with an outdated version of Ad-Aware (I'm assuming Winbluesoft blocked access to the updates) and it found nothing, but soon I noticed the Winbluesoft icon on my desktop and my desktop background had been changed to say 'WARNING Computer Infected'. I've tried running AVG, Spybot, Malwarebytes' Anti-Malware, and Ad-Aware but none of them will even open.

I tried using several internet browsers (Firefox, IE, Safari, Netscape, Opera) and none of them are working. It's also blocking ZoneAlarm and various other programs that have nothing to do with the internet. I finally got on my other computer to search for help. I read the posting guidelines and tried updating Windows, but it wouldn't update. I also downloaded HijackThis, but it will not run on the infected computer. I have the latest version of Java, as I just updated it a few days ago and I have version 9.1 of Adobe Reader.

I'm stumped as to what to try next.
Any and all help is greatly appreciated.

pbrown223
Novice

Posts : 22
Joined : 2009-05-29
Gender : Male
OS : Windows XP SP2
Points : 27524
Likes : 0

Re: I've been infected with Winbluesoft

Post by Doctor Inferno on Fri May 29, 2009 3:07 am

Hello,

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the "Scan for rootkit" box ticked.
  • Then tick "Disable any rootkits found".
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

3. Please copy/paste the content of c:\avenger.txt into your reply.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator

Posts : 11976
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64
Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points : 104620
Likes : 0

Re: I've been infected with Winbluesoft

Post by pbrown223 on Fri May 29, 2009 8:29 am

Hi. Thanks for the reply.

I downloaded Avenger and extracted it to the desktop of the infected computer, but the program will not open. When I double-click the icon from my desktop, two windows from Winbluesoft pop open on the right and left side of the screen telling me about a security threat. Nothing else happens, there is no response from Avenger at all.


Re: I've been infected with Winbluesoft

Post by Belahzur on Fri May 29, 2009 1:39 pm

Hello.
Rename the Hijack This installer and see if it will run then.
Doesn't matter what it's called, as long as it's renamed then it might work.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
Likes : 1

Re: I've been infected with Winbluesoft

Post by pbrown223 on Fri May 29, 2009 2:19 pm

Thanks for the reply.

I tried renaming both the HijackThis and the Avenger installers but there was no change. No response from either.
I even downloaded new copies and renamed them before putting them on the infected computer and still neither ran.

A couple of other things I've noticed are that I am unable to open any folders other than 'My Computer' and 'Traveldrive' (the flash drive I'm using to transfer files from the non-infected computer to the infected computer), and I'm still having the problem with not being able to run any programs. Also, a blue stop error screen, c000021A {FATAL SYSTEM ERROR}, appears about 10 minutes after the computer boots up, regardless of whether I'm logged into Windows or not.


Re: I've been infected with Winbluesoft

Post by Belahzur on Fri May 29, 2009 2:33 pm

Let's try this.

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.

Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.



Re: I've been infected with Winbluesoft

Post by pbrown223 on Fri May 29, 2009 3:10 pm

GMER did not run, even after renaming it. I restarted to get into Safe Mode, but my BIOS (American Megatrends) is asking for a password, which I never set, to get into setup.

I did a bit of searching on Google for backdoor and default passwords, but none of them have worked yet.

Any other suggestions?
Thanks again for the help so far!


Re: I've been infected with Winbluesoft

Post by Belahzur on Fri May 29, 2009 3:32 pm

Darn.
That GMER link I provided should have downloaded a randomly named exe file.
A password? Then you shouldn't even be able to boot, because the BIOS shouldn't have loaded.

I don't know why it needs a password just to enter safe mode, but I know this infection is resistant and blocks a lot of our tools.

Download and scan with the free trial of Sunbelt's Counterspy:
[You must be registered and logged in to see this link.]
Save the report when it's finished:
1. Once CounterSpy has finished scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop-down menu arrows at the side of each entry found, set them ALL to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into a Word/text document, then save it to your desktop.



Re: I've been infected with Winbluesoft

Post by pbrown223 on Sat May 30, 2009 10:10 pm

I don't need a password to boot up, just to get into Setup. Still no luck on that.

I downloaded CounterSpy and when I clicked the icon to install it, the installer starts, but is quickly terminated by Winbluesoft with the message: 'Process terminated. Harmful memory infection detected'. I've tried it several times with the same result.

I was surprised that the program was even able to do anything. Winbluesoft blocked everything else from even starting.

Thanks for your continued time and support, I really appreciate it.


Re: I've been infected with Winbluesoft

Post by pbrown223 on Sun May 31, 2009 7:58 pm

I was looking around in a couple of the other Winbluesoft threads for anything that may be able to help. I tried the fixreg.inf, but was unable to delete the C:\Windows\System32\setup2.exe file. It gives the write-protected error.

I tried running HijackThis, Avenger, CounterSpy, and GMER again with no success.

I'm stumped as to what to do next. Any ideas?


Re: I've been infected with Winbluesoft

Post by Origin on Sun May 31, 2009 8:22 pm

Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]

  • Double-click the launch.exe or cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds...
    o Now, go to Settings >> Change Settings
    o Go to the Actions tab >> under the Objects section, change the settings to the following:
      Infected objects - Cure
      Incurable objects - Report
      Suspicious objects - Report
    o Don't change any other settings.
  • Start the scan again. This time, choose Complete Scan.
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all.
  • Click on Cure and choose Report incurable (this means take no action: don't "move", "rename" or "delete").
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your Desktop. The report will be called DrWeb.csv.
  • Post DrWeb.csv in your next reply (open it in Notepad). Do NOT reboot the computer yet.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master

Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31503
Likes : 0

Re: I've been infected with Winbluesoft

Post by pbrown223 on Sun May 31, 2009 9:08 pm

Dr. Web CureIt wouldn't run. Nothing happened, I didn't even get the 'Process Terminated...' message from Winbluesoft.

Something new I did notice was that my Spybot S&D TeaTimer popped up with this info:
Category: System Startup User Entry
Change: Key Changed

Entry: setup2.exe

Old Data: C:\WINDOWS\System32\setup2.exe
New Data: setup2.exe


Should I allow or deny this change?


Re: I've been infected with Winbluesoft

Post by Origin on Sun May 31, 2009 9:29 pm

I need you to boot in safe mode with networking and do the following:

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.
See [You must be registered and logged in to see this link.] for how to disable your AV.

  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Re: I've been infected with Winbluesoft

Post by pbrown223 on Sun May 31, 2009 9:59 pm

I can't get into Setup to try to boot into Safe Mode. When I try to enter Setup while the infected computer is booting up it asks for a password to access Setup. I've never set a password, so I'm guessing Winbluesoft did it.

I've tried several default and back door passwords that I've found, but none of them have worked. I've also tried a couple of BIOS password crackers, but they haven't been able to run.


Re: I've been infected with Winbluesoft

Post by Origin on Sun May 31, 2009 10:07 pm

Can you download anything from anywhere?



Re: I've been infected with Winbluesoft

Post by pbrown223 on Sun May 31, 2009 10:17 pm

Yes, I'm currently using the other computer I have which is not infected. I've been downloading from this uninfected computer and using a USB drive to transfer to the infected computer.


Re: I've been infected with Winbluesoft

Post by Origin on Sun May 31, 2009 11:24 pm

Tell me if you can run the following:


Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTListIt2.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTListIt2.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.



Re: I've been infected with Winbluesoft

Post by pbrown223 on Sun May 31, 2009 11:49 pm

That wasn't able to run either.
I was actually able to delete the C:\Windows\System32\setup2.exe file though, which I was unable to do earlier.


Re: I've been infected with Winbluesoft

Post by pbrown223 on Mon Jun 01, 2009 11:02 am

I'm able to run .exe files now! I used one of the regfix.inf suggested in another Winbluesoft thread and now I can run programs. I'm posting this from the infected computer.

I was able to run HijackThis. Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:33 AM, on 6/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Common Files\Sonic Shared\cinetray.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Safari\Safari.exe
C:\Documents and Settings\Pete\Desktop\13.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe (User 'Default user')
O4 - Startup: Sonic CinePlayer Quick Launch.lnk = ?
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8182 bytes

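The two O4 entries that Belahzur singles out in the next reply, and the TeaTimer alert pbrown223 posted earlier (the Run value going from C:\WINDOWS\System32\setup2.exe to a bare setup2.exe), are exactly what an analyst scans a HijackThis log for by hand. The script below is an added example, not a GeekPolice or HijackThis tool: it parses O4 Run-key lines and applies two triage heuristics of the editor's choosing, flagging entries registered under an HKUS hive (the SYSTEM or Default profile, where ordinary user software rarely installs itself) and commands given as a bare file name, which Windows resolves through the search path. The sample lines are copied from the log above; the function names and the heuristics are assumptions, not anything the thread's helpers describe.

```python
"""Triage of HijackThis-style O4 (Run key) entries.

Added example; the heuristics are the editor's own and are not part of
HijackThis, ComboFix or any GeekPolice procedure.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Matches "O4 - <hive>\..\Run: [<value name>] <command> (User '<user>')?"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)

# Constructed sample: O4 lines copied from the HijackThis log posted above,
# plus one non-O4 line to show that unrelated sections are ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe (User 'Default user')
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
"""


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str
    user: Optional[str]
    reasons: List[str] = field(default_factory=list)


def executable_of(command: str) -> str:
    """Return the program part of a Run value: a quoted path, the shortest
    prefix ending in a known executable extension, or the first token."""
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    ext = re.match(r"(.*?\.(?:exe|dll|cpl|scr|bat|cmd))(?:\s|$)", command, re.I)
    if ext:
        return ext.group(1)
    tokens = command.split()
    return tokens[0] if tokens else command


def parse_o4(line: str) -> Optional[RunEntry]:
    """Parse one HijackThis O4 Run-key line; other lines return None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return RunEntry(m["hive"], m["name"], m["cmd"], m["user"])


def assess(entry: RunEntry) -> RunEntry:
    """Attach a reason for every heuristic the entry trips (editor's heuristics)."""
    exe = executable_of(entry.command)
    if entry.hive.upper().startswith("HKUS\\"):
        entry.reasons.append(
            f"registered under {entry.hive} (user '{entry.user}'): runs for the "
            "SYSTEM/Default profile, where ordinary software rarely installs itself")
    if "\\" not in exe and "/" not in exe:
        entry.reasons.append(
            f"bare file name '{exe}' is resolved through the search path, so the "
            "binary that actually runs depends on directory order")
    return entry


def triage(lines) -> List[RunEntry]:
    """Return only the Run entries that tripped at least one heuristic."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry and assess(entry).reasons:
            flagged.append(entry)
    return flagged


def teatimer_change_is_suspicious(old_data: str, new_data: str) -> bool:
    """Model the TeaTimer alert posted earlier: a Run value rewritten from a
    full path to a bare file name keeps the program in the startup sequence
    while hiding where the binary lives."""
    had_dir = "\\" in old_data or "/" in old_data
    has_dir = "\\" in new_data or "/" in new_data
    return had_dir and not has_dir


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG.splitlines()):
        print(f"[{e.hive}] {e.name}: {e.command}")
        for r in e.reasons:
            print("   -", r)
    print("TeaTimer change suspicious:",
          teatimer_change_is_suspicious(r"C:\WINDOWS\System32\setup2.exe", "setup2.exe"))
```

Run against the sample, the script reports the two Logitech/NVIDIA entries launched by bare name (legitimate here, but worth a look on any box) and both setup2.exe entries under the HKUS hives; the latter are the lines the helper asks to have fixed. The heuristics are deliberately narrow: they do not attempt to decide what is malicious, only to surface the entries a human should read first.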

Re: I've been infected with Winbluesoft

Post by Belahzur on Mon Jun 01, 2009 11:17 am

Hello.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this, otherwise this fix will fail.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKUS\S-1-5-18\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe (User 'Default user')


  • Press "Fix Checked"
  • Close Hijack This.

Next,

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Re: I've been infected with Winbluesoft

Post by pbrown223 on Mon Jun 01, 2009 12:07 pm

Here's the combofix log:

ComboFix 09-05-31.06 - Pete 06/01/2009 10:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.625 [GMT -5:00]
Running from: c:\documents and settings\Pete\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\windows\10216not5a9vzrus345.ocx
c:\windows\1029no5-a-virus5bz.cpl
c:\windows\10334hzc9tooled5.dll
c:\windows\104095zy492.exe
c:\windows\105939roj2z7.exe
c:\windows\1059b5ckdoor67z.exe
c:\windows\10805ot-a-9irus4zd.ocx
c:\windows\10ebspz59re1333.exe
c:\windows\10z5s59al858.bin
c:\windows\10z969py19e5.cpl
c:\windows\1147spy5are2z639.exe
c:\windows\11599viruz7.ocx
c:\windows\1170b5zkdoor9599.bin
c:\windows\118959zoj520.ocx
c:\windows\118cspa5sz219.cpl
c:\windows\11938hacktzol795.bin
c:\windows\11956vizus7a15.dll
c:\windows\11f15pyware229z.exe
c:\windows\125119pz7205.cpl
c:\windows\12599trojz29.ocx
c:\windows\126925pambot73z.bin
c:\windows\129eadd5arz600.dll
c:\windows\12d7down9zad5r3176.ocx
c:\windows\12z75hackto9l193.bin
c:\windows\131865zrm2d9.dll
c:\windows\135cszyware491.dll
c:\windows\135z0ha59tool7c5.ocx
c:\windows\13757wormz92.bin
c:\windows\139539pambzt2e8.dll
c:\windows\139569roz76d.dll
c:\windows\13z92t5oj381.bin
c:\windows\140099pambotz5f.cpl
c:\windows\14051ha9ktzol2c.exe
c:\windows\14499hacktool2b5z.bin
c:\windows\1449z5orm784.exe
c:\windows\1476z5irus917.bin
c:\windows\1488zno9-a-vi5us39c.bin
c:\windows\14950spazb5t56a.ocx
c:\windows\1497zpambot588.bin
c:\windows\14a95ir22z3.exe
c:\windows\14z735py99a.bin
c:\windows\15079troj6bz.bin
c:\windows\15238virus99z.ocx
c:\windows\15261worz9d5.exe
c:\windows\1528zvi5us93d.bin
c:\windows\1529thzeat9922.bin
c:\windows\153369zrm684.cpl
c:\windows\15392not-a5viruszbd.cpl
c:\windows\15392worm42z9.cpl
c:\windows\15453sp94d6z.cpl
c:\windows\15589not-a-5iru9589z.bin
c:\windows\1582vzr15759.bin
c:\windows\159bdownlo9derz251.bin
c:\windows\159bs9arse47z.bin
c:\windows\15c5szarse1919.exe
c:\windows\16394hackt95l21cz.bin
c:\windows\164z6n95-a-virus69c.exe
c:\windows\166065zrm192.cpl
c:\windows\16839vi5zs594.dll
c:\windows\1697zvirus145.exe
c:\windows\17095hazkt5ol2dc.ocx
c:\windows\17152viruzd9.exe
c:\windows\17259zpambot5a9.ocx
c:\windows\17442s5a9bzt44b.dll
c:\windows\17730szam9o54bc.exe
c:\windows\17869hreat25z29.dll
c:\windows\178bt9reaz16415.dll
c:\windows\17e6add95ze2128.ocx
c:\windows\18085virz929f.dll
c:\windows\181999p5z9d.exe
c:\windows\18506not-z-9irus70f.bin
c:\windows\18650s5azb9t70f.cpl
c:\windows\18675v5ru9zd6.ocx
c:\windows\189125rzj9a1.dll
c:\windows\18caback9ozr2455.ocx
c:\windows\1905thi9z7.cpl
c:\windows\19095virz55a3.cpl
c:\windows\19295roj3zb.bin
c:\windows\193a5pzware2425.bin
c:\windows\1941zorm4519.exe
c:\windows\19519zp9mbot8f.exe
c:\windows\1965zackt9ol4d8.dll
c:\windows\1967doznlo5der2810.bin
c:\windows\196cbackdoz51987.exe
c:\windows\1983zor5194.exe
c:\windows\19891noz-a-virus1af5.cpl
c:\windows\198z59r380.bin
c:\windows\19979zot-a-v5rus1a7.bin
c:\windows\1997zvirus35b.bin
c:\windows\19dcaddwzre54639.bin
c:\windows\1a87s9zrs542.dll
c:\windows\1c72th5ezt20959.ocx
c:\windows\1c95stzal103.cpl
c:\windows\1cc3adz5are9312.bin
c:\windows\1d5c9hief2643z.ocx
c:\windows\1d6fsparze985.dll
c:\windows\1db05i9295z.exe
c:\windows\1dd69hief1522z.ocx
c:\windows\1e8do5nloadez14369.dll
c:\windows\1f56vir8z19.bin
c:\windows\1ff3d5wnloadzr2429.ocx
c:\windows\1ffezt5a92202.ocx
c:\windows\1z0dspars912045.dll
c:\windows\1z1e9teal1455.exe
c:\windows\1z322s95a.exe
c:\windows\1z470vi5us9ea.bin
c:\windows\1z545s95450.ocx
c:\windows\1z7699orm65c.exe
c:\windows\1z82795rus527.ocx
c:\windows\1z93n9t-a-v5rus489.bin
c:\windows\1za5addware19899.exe
c:\windows\200955orz3889.exe
c:\windows\201329ot-a-5irus4f9z.exe
c:\windows\202239irus7z5.dll
c:\windows\2034spzwa9e2056.ocx
c:\windows\209819izus35e.ocx
c:\windows\209csparse199z5.cpl
c:\windows\209z7worm556.dll
c:\windows\20f9downloaderz885.cpl
c:\windows\20z68not-a-9iru5167.ocx
c:\windows\20zcspars59519.cpl
c:\windows\210385zcktool359.dll
c:\windows\21155zi5us259.bin
c:\windows\214015orz6569.ocx
c:\windows\216z9t5oj5b6.cpl
c:\windows\217znot-a-v5r9s734.exe
c:\windows\219bthrezt198195.cpl
c:\windows\21z5spy9are1846.cpl
c:\windows\21z75wo9539a.ocx
c:\windows\22047spzmb9t4255.cpl
c:\windows\2205sparze2139.exe
c:\windows\222fstea59352z.dll
c:\windows\223spaz5e1999.dll
c:\windows\2244azdw5re13599.cpl
c:\windows\22699not9a-vzr5s193.ocx
c:\windows\22758hzc5tool599.cpl
c:\windows\22758t5oj9ez.dll
c:\windows\22805haz9toolce.bin
c:\windows\23251zr5j994.bin
c:\windows\23471zor965b.bin
c:\windows\235dsparse952z.ocx
c:\windows\23705pazbot9c.ocx
c:\windows\23759yware18z2.bin
c:\windows\2390znot-a-viru52d.dll
c:\windows\23dcspaz5e659.dll
c:\windows\2416zhr9at5995.dll
c:\windows\24257spa95ot2zf.dll
c:\windows\24344zor9756.ocx
c:\windows\24407szy79d5.exe
c:\windows\24599notz5-virus4da.dll
c:\windows\246bbackdoo9z9265.ocx
c:\windows\247z9vir5s598.bin
c:\windows\24845v9rus2z15.ocx
c:\windows\24870s5ambo976z.exe
c:\windows\24998hacktzol51f5.cpl
c:\windows\24b9threaz59380.exe
c:\windows\25052not-9-5irusza2.ocx
c:\windows\25098hacktool39cz.cpl
c:\windows\250z1hacktool596.ocx
c:\windows\25160vir9s5zb.dll
c:\windows\25336trz53d69.ocx
c:\windows\25399zpy2b1.cpl
c:\windows\2539zspy3b7.exe
c:\windows\253cback9oor5z45.exe
c:\windows\253zbackdoor9665.ocx
c:\windows\2540zwor945f5.bin
c:\windows\2546szyware9921.cpl
c:\windows\25475h9cktooz15.bin
c:\windows\25560sp9mbot76z.exe
c:\windows\255789py1bbz.dll
c:\windows\25594worm3z59.dll
c:\windows\2559spy9a5e21z2.bin
c:\windows\25869pywa5e734z.ocx
c:\windows\25956wo9z156.dll
c:\windows\2596z5r9j477.dll

pbrown223

Re: I've been infected with Winbluesoft

Post by pbrown223 on Mon Jun 01, 2009 12:08 pm

c:\windows\2596zir6595.dll
c:\windows\259fzir9316.bin
c:\windows\259spamb5z69b.exe
c:\windows\25aadownzoad5r839.exe
c:\windows\25z89vi5us679.dll
c:\windows\26210ha9kzo5l1f.exe
c:\windows\2625sparse1297z.bin
c:\windows\263z69a5ktool4a6.dll
c:\windows\26459hazktool9d5.dll
c:\windows\26531szambo95ec.dll
c:\windows\26622spamz9t33a5.ocx
c:\windows\2695dz59loader1721.cpl
c:\windows\26985s5ambot7z6.dll
c:\windows\2698backdz5r1961.ocx
c:\windows\270015rojz49.exe
c:\windows\27268spzmb9t5d5.ocx
c:\windows\2750backdo9r2584z.exe
c:\windows\2753zw9rm1e1.cpl
c:\windows\275fzddware15939.dll
c:\windows\2795bazkdoor1297.bin
c:\windows\27b5spy9zre3035.ocx
c:\windows\27edbac9zoor350.exe
c:\windows\27f5zp95se1715.exe
c:\windows\27z59o5m7cb.cpl
c:\windows\2821tzoj9a55.dll
c:\windows\28419orm25z.bin
c:\windows\28850troz699.exe
c:\windows\288czpy9are1549.bin
c:\windows\28z91spam5ot3e9.dll
c:\windows\29014wzrm1c59.ocx
c:\windows\2908sp93fz5.ocx
c:\windows\2916095z-a-virus468.ocx
c:\windows\29190v5zus184.bin
c:\windows\29199noz-a-v5rus4fa.cpl
c:\windows\29236spazbo9665.exe
c:\windows\293ste5l9z9.dll
c:\windows\29491spy57dz.ocx
c:\windows\29499wozm1b95.cpl
c:\windows\2952thiez9065.exe
c:\windows\29559szambot956.cpl
c:\windows\2955spywzr5569.dll
c:\windows\295ddownzoader9321.ocx
c:\windows\29620zpy550.dll
c:\windows\29678v9z5s53f.bin
c:\windows\297at5izf3039.cpl
c:\windows\299165pz4e9.ocx
c:\windows\29979z5am9ot29c.cpl
c:\windows\29e3downloade5z409.ocx
c:\windows\29z05sp9159.ocx
c:\windows\29z57h5cktool64e.ocx
c:\windows\2bz0backdo5r25779.ocx
c:\windows\2c2abazk59or3150.ocx
c:\windows\2d1baczdoo99735.cpl
c:\windows\2z03s9ambot605.ocx
c:\windows\2z076not-a-vi5us39e.ocx
c:\windows\2z155parse21129.ocx
c:\windows\2z2a5pyware9149.bin
c:\windows\2z38addwa95684.bin
c:\windows\2z505w9rm7f7.exe
c:\windows\2z6319irus85.cpl
c:\windows\2z651hackt5o9261.bin
c:\windows\2z67st9al2625.cpl
c:\windows\2z95virus59.exe
c:\windows\2z965hief2605.cpl
c:\windows\2zf9vir4205.cpl
c:\windows\301v5z1897.ocx
c:\windows\302z3v5rus7969.ocx
c:\windows\302z95irus4d.cpl
c:\windows\30394zo5956e.cpl
c:\windows\3056thi9z109.dll
c:\windows\30a8spa5ze2988.dll
c:\windows\30ha95tzol2e6.bin
c:\windows\30z49s5y90.ocx
c:\windows\30z76troj4945.dll
c:\windows\30zft95ef2880.bin
c:\windows\31008not5a-viruz944.dll
c:\windows\3135th9efz231.exe
c:\windows\31755pzwar91546.cpl
c:\windows\31a7ste9l57z.dll
c:\windows\31ezth5eat19904.bin
c:\windows\32099viruz25.exe
c:\windows\323z5hack9ool2f5.cpl
c:\windows\323z9hackto5l55c.bin
c:\windows\3245zspambo56f79.cpl
c:\windows\32749troz755.dll
c:\windows\3412w95m50z.bin
c:\windows\3416zpa9bot225.exe
c:\windows\349zv5rus9ba.bin
c:\windows\350adown95zder3235.exe
c:\windows\3535addzare953.ocx
c:\windows\3539spz9bot5af.ocx
c:\windows\353h5ckzool67c9.cpl
c:\windows\3545v9r671z.cpl
c:\windows\354baddwarez6149.cpl
c:\windows\3565zpy299.ocx
c:\windows\35911zroj1ae.exe
c:\windows\3595zackdo9r545.exe
c:\windows\3599zi91992.ocx
c:\windows\35fzteal9047.cpl
c:\windows\361et9reat51764z.cpl
c:\windows\3639addware57z.ocx
c:\windows\3664v5r90z0.cpl
c:\windows\369zspy15f.dll
c:\windows\36fthr9zt23854.exe
c:\windows\36zath9ef451.cpl
c:\windows\379ftz5eat29468.exe
c:\windows\387cszars52494.dll
c:\windows\3919vizu5768.dll
c:\windows\39441s5z13a.dll
c:\windows\3974zparse1695.bin
c:\windows\398zspyw9r598.ocx
c:\windows\39c5szarse30575.dll
c:\windows\39z3tro549d.ocx
c:\windows\3a3z9ir435.ocx
c:\windows\3a8fdzwnload5r691.bin
c:\windows\3b9ct5reaz6500.bin
c:\windows\3badzte9l685.dll
c:\windows\3bstzal18659.cpl
c:\windows\3c99zddware1265.cpl
c:\windows\3d11v5z9209.dll
c:\windows\3d79spazse5615.ocx
c:\windows\3d9t5iefz8579.dll
c:\windows\3e5dt5iez359.dll
c:\windows\3e6b9ckd5orz699.ocx
c:\windows\3fb6zteal5419.bin
c:\windows\3z0535r9j5d6.dll
c:\windows\3z05b5ckdoo91583.dll
c:\windows\3z070troj594.exe
c:\windows\3z106hacktoo519b.cpl
c:\windows\3z22downloader9895.cpl
c:\windows\3z51059cktool672.exe
c:\windows\3z545troj4e09.bin
c:\windows\3zb6spyware5191.dll
c:\windows\3zbdv5r32759.exe
c:\windows\4065viz5s729.bin
c:\windows\40755py9zb.dll
c:\windows\40z6spa59e2254.dll
c:\windows\4104virzs595.dll
c:\windows\4177hackzool935.dll
c:\windows\41z5sparse649.bin
c:\windows\41z7add59re2627.cpl
c:\windows\4284a59zare2447.exe
c:\windows\43a9spaz5e1242.cpl
c:\windows\4438steal9z5.ocx
c:\windows\44539hiefz361.ocx
c:\windows\44625hief9z35.ocx
c:\windows\4498addware1518z.cpl
c:\windows\45209ackdoor1z75.dll
c:\windows\4539zi9698.cpl
c:\windows\45975zr2135.dll
c:\windows\45b9bzckd9or2403.cpl
c:\windows\45bczddware26695.bin
c:\windows\45c9parz5112.dll
c:\windows\45f19teaz2.ocx
c:\windows\45z9ste592399.exe
c:\windows\46235z9ef502.exe
c:\windows\4659thief1659z.ocx
c:\windows\4673downloadez2955.cpl
c:\windows\469evi52z9.dll
c:\windows\473bdownlzader19885.bin
c:\windows\485fthreat22z599.bin
c:\windows\48zackt9ol551.exe
c:\windows\4955vi9uz715.dll
c:\windows\495dthreat5031z.bin
c:\windows\495zsteal1050.ocx
c:\windows\49a9spyware452z.cpl
c:\windows\49d65parse909z.cpl
c:\windows\49dcthiez553.exe
c:\windows\49f6downloa9erz505.cpl
c:\windows\49z6spambo512a.exe
c:\windows\4a0dthi5f11z9.exe
c:\windows\4a54virz8985.cpl
c:\windows\4abd9p5rsz1185.exe
c:\windows\4ac9addware201z5.dll
c:\windows\4b85zief9795.exe
c:\windows\4b9fzhief1657.dll
c:\windows\4bfdd5wnloade91z42.exe
c:\windows\4c09zhreat5525.ocx
c:\windows\4d73bac59ozr927.exe
c:\windows\4e6fspzrse92585.ocx
c:\windows\4e89thief16z5.exe
c:\windows\4ea8spzrs9565.cpl
c:\windows\4efzaddwa9e485.cpl
c:\windows\4f2fzackdo951756.bin
c:\windows\4f49pa5sz404.dll
c:\windows\4z21spy39c5.cpl
c:\windows\4z53sparse19049.cpl
c:\windows\4z5thief1191.exe
c:\windows\4z68backd59r2065.ocx
c:\windows\4z785pyware9189.cpl
c:\windows\4ze9thi5f453.exe
c:\windows\500n59za-virusc3.exe
c:\windows\5018spam9ot592z.bin
c:\windows\5025tzie955.exe
c:\windows\5045downlz9der1495.cpl
c:\windows\50a7ba9kdoor952z.exe
c:\windows\50bc9ownl5adzr3055.ocx
c:\windows\50c69ir1876z.exe
c:\windows\50e4sz5war9263.ocx
c:\windows\5117spazse379.cpl
c:\windows\5118virz9d7.ocx
c:\windows\51498vir9sz34.bin
c:\windows\515z1spam9ot7a9.bin
c:\windows\516ebackdoo9z295.exe
c:\windows\5192worm95z.bin
c:\windows\5195zspambot379.ocx
c:\windows\5199zt5al2028.ocx
c:\windows\52352wo9m5z1.bin
c:\windows\5239back5zor1940.bin
c:\windows\52624zpambo9110.bin
c:\windows\5265st9al5z5.bin
c:\windows\5275sp9zad.bin
c:\windows\527downloa9zr1568.bin
c:\windows\529athrzat51242.bin
c:\windows\52b2s9yware2z49.bin
c:\windows\52f1steal199z.ocx
c:\windows\53d8bac5doorz794.exe
c:\windows\5409b5ckdoor2999z.dll
c:\windows\5412st5az9956.cpl
c:\windows\5416szar9e314.ocx
c:\windows\5423h5ckzool56f9.dll
c:\windows\546459roj5f1z.exe
c:\windows\5494viruz1e1.bin
c:\windows\54954virus7z5.ocx
c:\windows\54c9addwzre1984.ocx
c:\windows\55169zrus1a4.dll
c:\windows\5540b9ckdoor1z70.cpl
c:\windows\55452szy6f9.dll
c:\windows\554ebaczdoor892.cpl
c:\windows\5555w9rz1c7.exe
c:\windows\5559sp55az.exe
c:\windows\555cbazkdoor9015.ocx
c:\windows\556az9ea51226.ocx
c:\windows\5572s59z2.exe

pbrown223

Re: I've been infected with Winbluesoft

Post by pbrown223 on Mon Jun 01, 2009 12:09 pm

c:\windows\5595spz74b.cpl
c:\windows\55c8zpy5are31709.ocx
c:\windows\55eazir914.cpl
c:\windows\55f1do5zload9r2487.dll
c:\windows\55f2virz9629.ocx
c:\windows\55f39teaz2482.ocx
c:\windows\55fzv9r1556.bin
c:\windows\55z0a9dware1335.cpl
c:\windows\562z2spy509.dll
c:\windows\56385zi9f2643.dll
c:\windows\56870wormz029.cpl
c:\windows\56915py3z3.ocx
c:\windows\56971not-a-viruz582.bin
c:\windows\56a1dowzloa9er13085.cpl
c:\windows\56zbsparse15209.dll
c:\windows\573499zrm227.exe
c:\windows\5734troj968z.ocx
c:\windows\573zirus39c9.dll
c:\windows\57819roj2z.exe
c:\windows\5786backdo9r1z81.cpl
c:\windows\57ca9ownloaderz42.cpl
c:\windows\57e4download9z1476.dll
c:\windows\581zbackdoo5590.dll
c:\windows\58455ha9ktooz40c.bin
c:\windows\5851spy989z.ocx
c:\windows\58755spam9oz296.cpl
c:\windows\5896zspy99e.bin
c:\windows\58azspywa95773.ocx
c:\windows\58c5downl9adzr65.cpl
c:\windows\58d4thiz936.dll
c:\windows\58fs9zrse960.dll
c:\windows\5901downloaderz9135.bin
c:\windows\5913vzr39625.bin
c:\windows\59321not-a-vzrus9d4.dll
c:\windows\5944vi5zs4e7.cpl
c:\windows\5952backdoor2z30.exe
c:\windows\5952virus6z7.exe
c:\windows\59557wormz6d9.bin
c:\windows\5956not9a-viruz355.ocx
c:\windows\595ha9kzool1d7.exe
c:\windows\5975tzreat26755.dll
c:\windows\5995vir2z14.dll
c:\windows\59a5addwzre1050.dll
c:\windows\59abspywzre2595.exe
c:\windows\59cbvir15z1.dll
c:\windows\59estzal1255.dll
c:\windows\59z8spy7b5.exe
c:\windows\5a56t9iefz946.ocx
c:\windows\5aa29ddware2z72.ocx
c:\windows\5b15doznload9r318.ocx
c:\windows\5b2fd9znloader2753.dll
c:\windows\5bc5thi9f3155z.cpl
c:\windows\5bcat5rea9297z8.ocx
c:\windows\5bzaad9ware5356.dll
c:\windows\5c17addwarz529.bin
c:\windows\5c1fzownloader57329.dll
c:\windows\5c31spa5se3921z.bin
c:\windows\5c62zpa9se147.exe
c:\windows\5cecback9oor1453z.exe
c:\windows\5d50thz9f1703.cpl
c:\windows\5d53vir1z599.ocx
c:\windows\5d6ev5r9z79.cpl
c:\windows\5e9f9zars51939.ocx
c:\windows\5ed5downlozder3099.bin
c:\windows\5ezdsteal9107.bin
c:\windows\5f23thrzat95789.exe
c:\windows\5f59vir512z.exe
c:\windows\5f5ethi596z.ocx
c:\windows\5f99szeal21105.bin
c:\windows\5faedown9oader2z91.exe
c:\windows\5fdcspyw9rez743.exe
c:\windows\5ff0steaz19719.cpl
c:\windows\5z1d59r836.ocx
c:\windows\5z38vir2297.dll
c:\windows\5z6not-a-vi9u544d.ocx
c:\windows\5z9109py6f4.dll
c:\windows\5z969py77d.bin
c:\windows\5z9ste5l2897.cpl
c:\windows\5zc05pa9se2920.exe
c:\windows\6048wo9m355z.dll
c:\windows\61eddownzoad9r31535.bin
c:\windows\6297zo9m15.dll
c:\windows\63925pzmbot9ad.exe
c:\windows\6450ha5ktz9l388.bin
c:\windows\64c7addwzr94885.exe
c:\windows\650f9hizf3083.dll
c:\windows\6544sp9rs554z.ocx
c:\windows\6576addwar9478z.ocx
c:\windows\658fdownloadzr2229.dll
c:\windows\65cf9irz075.bin
c:\windows\65zddownloader7879.cpl
c:\windows\6627z9r2895.dll
c:\windows\6659addwzre22449.ocx
c:\windows\66ast9zl5122.cpl
c:\windows\66b3viz9635.bin
c:\windows\66b6addz9re945.cpl
c:\windows\6705thief2922z.exe
c:\windows\6707s9ywa5e1941z.bin
c:\windows\6746zo5nlo9der514.ocx
c:\windows\679e9zw5loader1378.dll
c:\windows\67dazh5e91443.cpl
c:\windows\67f2zp9w5re538.dll
c:\windows\67z99te5l2450.bin
c:\windows\6818zr9j46e5.cpl
c:\windows\6855tzief2690.ocx
c:\windows\6924addza5e549.ocx
c:\windows\6957azdware665.exe
c:\windows\696downlozde52674.cpl
c:\windows\696not9azv5rus6ec.ocx
c:\windows\699abackdozr1509.exe
c:\windows\699zs5eal1219.cpl
c:\windows\69c59ow5zoader1559.exe
c:\windows\69e25zr1565.dll
c:\windows\69z4s9ea52190.exe
c:\windows\6b05s9eal158z.ocx
c:\windows\6cathiez2579.ocx
c:\windows\6d13spywa9e27z5.ocx
c:\windows\6d93z5eal83.cpl
c:\windows\6e29th5eat1z856.bin
c:\windows\6e70zpa5s9545.cpl
c:\windows\6e82vir5993z.bin
c:\windows\6eb99iz589.exe
c:\windows\6ed8zddwar5966.bin
c:\windows\6f6zth9e51392.dll
c:\windows\6fczdownloader15895.cpl
c:\windows\6fz9addwar52155.dll
c:\windows\6z8bthreat319325.cpl
c:\windows\7042spy5arz934.bin
c:\windows\70fbzhre9t59268.cpl
c:\windows\70z9vir1535.cpl
c:\windows\716dd5wnlzader13669.bin
c:\windows\718ct5zef24599.bin
c:\windows\71bbspars52z91.bin
c:\windows\71bdbac5dzor499.bin
c:\windows\7265h9ckzoo5319.dll
c:\windows\7494addwar5148z.ocx
c:\windows\7500a9dwa5e25z9.bin
c:\windows\752sz9e3.ocx
c:\windows\7594spyware3z95.dll
c:\windows\759zbackdoor80.cpl
c:\windows\75caadzware1339.cpl
c:\windows\75e5dzwn9o5der2539.exe
c:\windows\75e95ddwzre3166.exe
c:\windows\75zbt9ief1376.dll
c:\windows\75zethie9775.cpl
c:\windows\7659thiz92984.bin
c:\windows\76a5spa5ze9092.ocx
c:\windows\76b995ckzoor29.cpl
c:\windows\774fth9ef2z835.exe
c:\windows\7759stealz395.ocx
c:\windows\77a1stezl5091.bin
c:\windows\77z3thre5t94881.exe
c:\windows\782cz59eat16295.ocx
c:\windows\784959arse15z1.ocx
c:\windows\7850a9dware3z27.bin
c:\windows\78589irz529.cpl
c:\windows\7895vizus9b.bin
c:\windows\790a5ir887z.cpl
c:\windows\791szamb9t158.bin
c:\windows\7924notza-virus5385.cpl
c:\windows\7938steal3z85.bin
c:\windows\7958d9zn5oader340.cpl
c:\windows\795troj5a9z.ocx
c:\windows\79665zt-a-virus299.dll
c:\windows\79779roz3945.exe
c:\windows\7a1bs9eal95z.cpl
c:\windows\7a7z5rea913508.dll
c:\windows\7b1dadd5are95z5.dll
c:\windows\7ba9addzare5505.dll
c:\windows\7d18download9rz1015.bin
c:\windows\7d49t5reat249z3.dll
c:\windows\7d5ethiez2903.dll
c:\windows\7f93addza9e2855.cpl
c:\windows\7fathie5z609.dll
c:\windows\7z25hac5tool190.exe
c:\windows\7z4st9al21895.ocx
c:\windows\7z59addware1069.exe
c:\windows\80z39orm7485.dll
c:\windows\81zw5rm5b9.bin
c:\windows\8205n9t-a5vizus3b4.bin
c:\windows\8335virus965z.dll
c:\windows\8392spy5z5.cpl
c:\windows\8432sp9m5ot5a7z.ocx
c:\windows\8499z95ktool2b8.ocx
c:\windows\8524zot-a-9irus618.exe
c:\windows\8525zpy5ed9.cpl
c:\windows\85499roz432.ocx
c:\windows\855zhreat21919.cpl
c:\windows\8590sz56a2.bin
c:\windows\85dbackdoor2z19.exe
c:\windows\8959spy76z.exe
c:\windows\90488haczt5ol138.cpl
c:\windows\90b9spars55z7.ocx
c:\windows\914zth5eat11492.exe
c:\windows\9167zworm5de.cpl
c:\windows\91755zy229.bin
c:\windows\91967not-a-vi5uz790.dll
c:\windows\91bfbaz5door1943.ocx
c:\windows\923zv59us15e.bin
c:\windows\92623zor5551.bin
c:\windows\92625hazktool4db.bin
c:\windows\9284zspambo542.exe
c:\windows\92dback59or17z9.ocx
c:\windows\92e5downlzader1019.ocx
c:\windows\9318sza9bot565.bin
c:\windows\93300w5rz30d.exe
c:\windows\935espzware24225.exe
c:\windows\939zhrea512771.ocx
c:\windows\93dzdownlo5der1976.cpl
c:\windows\943d5wnloadez9504.cpl
c:\windows\94613w5zm709.dll
c:\windows\948h9cktzol54d.ocx
c:\windows\9495virus434z.exe
c:\windows\94994woz5553.bin
c:\windows\9502trojdz.exe
c:\windows\9515t5iez505.ocx
c:\windows\95160spazbot35.dll
c:\windows\951z5virus51d.ocx
c:\windows\95231spamzot8d.bin
c:\windows\9532notza-virus646.dll
c:\windows\9535thzeat28355.dll
c:\windows\955935ormz.dll
c:\windows\955zpambot7d9.exe
c:\windows\9575virusz929.ocx
c:\windows\9595ezl998.cpl
c:\windows\95b9stea53z33.exe
c:\windows\95fdtzreat275695.cpl
c:\windows\95ffthiez798.bin
c:\windows\9714s59mbzt1c4.ocx
c:\windows\9744spambotz8d5.bin
c:\windows\978a5dw9rz3043.exe
c:\windows\980zw5rm136.cpl
c:\windows\9819sp54baz.exe
c:\windows\983aa5dwarz375.dll
c:\windows\98bth5ef765z.bin
c:\windows\991downloaderz025.cpl
c:\windows\992z5ackdoor3120.bin
c:\windows\993515roz24a.bin
c:\windows\994sp5rsz2099.dll
c:\windows\99667viru52z6.cpl
c:\windows\9980thr5az12154.exe
c:\windows\99dfth5ef925z.dll
c:\windows\99z9s5ambot2ab9.bin
c:\windows\9a5cstezl3170.ocx
c:\windows\9b69a5dware39z.dll
c:\windows\9c0zspywar5323.exe
c:\windows\9c25downzoader754.exe
c:\windows\9c30spywaze19645.cpl
c:\windows\9cc5t5ief192z.bin
c:\windows\9ceavzr2505.cpl
c:\windows\9d4zvir30625.bin
c:\windows\9d5es5eal9z6.bin
c:\windows\9d91threa52736z.exe
c:\windows\9e0bdzwnload5r3033.exe
c:\windows\9e6cdoznloade53235.bin
c:\windows\9e89st5alz144.exe
c:\windows\9z05pyware343.exe
c:\windows\9z3565roj68e.dll
c:\windows\9z7spy21a5.ocx
c:\windows\9z905py628.bin
c:\windows\9zca5dware851.bin
c:\windows\a909hizf55.bin
c:\windows\a95s5zware2248.exe
c:\windows\abthre9t553z2.bin
c:\windows\acfdzwn9oader3051.exe
c:\windows\b98s9eaz4415.cpl
c:\windows\c62dzwnloa5er1459.bin
c:\windows\c8zthie91085.exe
c:\windows\d885hzea922625.dll
c:\windows\e32viz1579.cpl
c:\windows\e8zadd9are5608.bin
c:\windows\e8zthre5t4926.exe
c:\windows\e959h5zf2427.ocx
c:\windows\e9aspywa5e3z41.bin
c:\windows\f0dste9lz55.ocx
c:\windows\f33szyw59e743.exe
c:\windows\ffc95dware3z89.dll
c:\windows\system32\10717spz569.cpl
c:\windows\system32\10951spy492z.dll
c:\windows\system32\1099ztroj9e45.bin
c:\windows\system32\114045acktozl7f69.ocx
c:\windows\system32\11562spambzt149.exe
c:\windows\system32\11584ziru985.ocx
c:\windows\system32\115bspyw5ze15439.exe
c:\windows\system32\11749not-a-v5zu99e.bin
c:\windows\system32\1184z9or569b.dll
c:\windows\system32\11968spazbot25a.cpl
c:\windows\system32\11f9thief589z.dll
c:\windows\system32\11z78hack5ool3fa9.exe
c:\windows\system32\128505azk9ool2d.exe
c:\windows\system32\129119pam5ot143z.dll
c:\windows\system32\12915v5rus6ez.dll
c:\windows\system32\1297zwo9539f.bin
c:\windows\system32\13271hacktooz25b9.exe
c:\windows\system32\13379wo5m6z8.ocx
c:\windows\system32\13500sp93b5z.exe
c:\windows\system32\13519tr5jz9.ocx
c:\windows\system32\137965pambotzbc.cpl
c:\windows\system32\13989not5z-virus712.bin
c:\windows\system32\13a5spyw9re1z15.bin
c:\windows\system32\14019spambot5z2.dll
c:\windows\system32\14077tr9j2z5.dll
c:\windows\system32\14495a9kdozr458.cpl
c:\windows\system32\14661s9y58z.bin
c:\windows\system32\14787notza-v5rus99f.cpl
c:\windows\system32\14917z9cktool2195.bin
c:\windows\system32\149515zy41b.exe
c:\windows\system32\15283hac9to5z122.cpl
c:\windows\system32\1528thiez1939.bin
c:\windows\system32\152z5hac9tool747.exe
c:\windows\system32\15395spz4899.bin
c:\windows\system32\15465ackto9lz98.ocx
c:\windows\system32\154z8spy695.bin
c:\windows\system32\15507zroj2f9.exe
c:\windows\system32\15600spam95z69f.bin
c:\windows\system32\1562z9py1a7.exe
c:\windows\system32\1565zsp9mbot3fa.exe
c:\windows\system32\15709teaz5108.bin
c:\windows\system32\1571tro96z05.ocx
c:\windows\system32\15855szy985.bin
c:\windows\system32\1589s9arsz1405.dll
c:\windows\system32\15945v5rus5z3.ocx
c:\windows\system32\1597zs9546d.dll
c:\windows\system32\1598zot-a-vir5s9ae.exe
c:\windows\system32\15bz9ir3273.ocx
c:\windows\system32\15c5addw9re2z05.exe
c:\windows\system32\15dzdownloader24859.dll
c:\windows\system32\15e8dzwnload9r5708.ocx
c:\windows\system32\15f5dow9lzader3028.exe
c:\windows\system32\15fzadd59re1914.exe
c:\windows\system32\1609spywaze525.bin
c:\windows\system32\16200no9-a-vir5s65z.exe
c:\windows\system32\16238wormz95.ocx
c:\windows\system32\1655zhac9tool658.dll
c:\windows\system32\165azpa59e1433.ocx
c:\windows\system32\168965irus1z9.ocx
c:\windows\system32\168z5spy79b5.exe
c:\windows\system32\1699s5z37b.cpl
c:\windows\system32\1747159zj25c.exe
c:\windows\system32\1771sz5rse2189.ocx
c:\windows\system32\17755sp59z4.dll
c:\windows\system32\17792trz54c2.exe
c:\windows\system32\177et9zea514634.dll
c:\windows\system32\17z29pywa5e148.exe
c:\windows\system32\17z2d9wn5oader2948.ocx
c:\windows\system32\180185zcktool4a9.ocx
c:\windows\system32\181bzdd5are1959.dll
c:\windows\system32\18425hackz9ol290.bin
c:\windows\system32\1859hazktool955.bin
c:\windows\system32\185worz9525.exe
c:\windows\system32\18959szy5e6.dll
c:\windows\system32\18962not-a-v5rus50z.dll
c:\windows\system32\18a3threat94z55.exe
c:\windows\system32\18z4spywa5e1819.ocx
c:\windows\system32\1906worm9ze5.cpl
c:\windows\system32\19081trojz55.dll
c:\windows\system32\19135troz79.dll
c:\windows\system32\1915roj9z3.ocx
c:\windows\system32\19245hreatz8066.bin
c:\windows\system32\19289spy55fz.cpl
c:\windows\system32\193585orm1z7.exe
c:\windows\system32\19450nzt-5-virus2c9.cpl
c:\windows\system32\19490h5cktoolz91.cpl
c:\windows\system32\194995zy56b.ocx
c:\windows\system32\195559roz545.bin
c:\windows\system32\1955spyware1z05.bin
c:\windows\system32\1955zspy99c.cpl
c:\windows\system32\195879py4z6.cpl
c:\windows\system32\19677t9oj1z5.exe
c:\windows\system32\19685not-a5vzrus4b9.bin
c:\windows\system32\19750spamzot551.dll
c:\windows\system32\19853not5a-vi9uz529.exe
c:\windows\system32\1990z5r2705.dll
c:\windows\system32\19a6b59kdoor2318z.ocx
c:\windows\system32\19c5viz26449.cpl
c:\windows\system32\19z15roj4579.cpl
c:\windows\system32\1a4a9hizf2451.exe
c:\windows\system32\1b92zow5loader911.exe
c:\windows\system32\1bd5addw9re1z50.ocx
c:\windows\system32\1c1fdo9nlzader3255.bin

pbrown223

Re: I've been infected with Winbluesoft

Post by pbrown223 on Mon Jun 01, 2009 12:10 pm

c:\windows\system32\1c95addware925z.exe
c:\windows\system32\1d7ethr9at2z755.cpl
c:\windows\system32\1de659iefz729.dll
c:\windows\system32\1e4fthi9z559.bin
c:\windows\system32\1e50spzware10839.dll
c:\windows\system32\1eadz5ea9750.exe
c:\windows\system32\1f37thief9z53.exe
c:\windows\system32\1f3a9aczdoo52054.dll
c:\windows\system32\1f43z9yware75.bin
c:\windows\system32\1fee5zr5349.cpl
c:\windows\system32\1fzethi5f5519.exe
c:\windows\system32\1z385pywa9e129.dll
c:\windows\system32\1z5csp9rse1913.ocx
c:\windows\system32\1z695troj545.bin
c:\windows\system32\1z6bth9eat385.cpl
c:\windows\system32\1z755troj195.ocx
c:\windows\system32\1za9vir5719.cpl
c:\windows\system32\20053spambzt6a69.ocx
c:\windows\system32\200z9orm465.ocx
c:\windows\system32\20245wo9mz5a.cpl
c:\windows\system32\203z5worm295.exe
c:\windows\system32\20550spazbot3bc9.exe
c:\windows\system32\20599spamzot12d5.exe
c:\windows\system32\20849v5rus689z.dll
c:\windows\system32\20869azk5oor3237.exe
c:\windows\system32\20977ha5ktool629z.bin
c:\windows\system32\209z5pyware7.ocx
c:\windows\system32\210z2vir9sb5.cpl
c:\windows\system32\21160w9rm535z.ocx
c:\windows\system32\2122do5n9ozder1264.dll
c:\windows\system32\21387sp5m9ot3z5.cpl
c:\windows\system32\21389tzo5579.dll
c:\windows\system32\21495not-az5irus279.ocx
c:\windows\system32\215z8wo9mc5.exe
c:\windows\system32\22115hackzo9l43c.exe
c:\windows\system32\22190nzt-a-virus555.dll
c:\windows\system32\2238zsp5965.bin
c:\windows\system32\22395szy10f.ocx
c:\windows\system32\224705z9us333.dll
c:\windows\system32\22470s9a5bot2z9.exe
c:\windows\system32\22509v9rus535z.bin
c:\windows\system32\229265pambzt9b.cpl
c:\windows\system32\22b7t9zef5599.ocx
c:\windows\system32\22z199pamb5t505.dll
c:\windows\system32\231559roj1z6.dll
c:\windows\system32\23492wo5z39c.dll
c:\windows\system32\23525zor9676.bin
c:\windows\system32\23728noz-a-virus95e.bin
c:\windows\system32\23745virzs2139.dll
c:\windows\system32\23z99ir5994.cpl
c:\windows\system32\24571viru5795z.bin
c:\windows\system32\24591spambzt521.dll
c:\windows\system32\249895pyz12.bin
c:\windows\system32\2500z5y2a9.ocx
c:\windows\system32\25117h9cktooz5e5.exe
c:\windows\system32\25118hz9ktool7d15.ocx
c:\windows\system32\2519dz9nlo5der129.cpl
c:\windows\system32\25205pa9sz2631.dll
c:\windows\system32\2527hazktoo9565.exe
c:\windows\system32\2535noz9a-virus299.dll
c:\windows\system32\253es5ywzre1299.dll
c:\windows\system32\25473zpy79d5.ocx
c:\windows\system32\25560zpy395.cpl
c:\windows\system32\25617spam9o5z76.dll
c:\windows\system32\25715zroj599.exe
c:\windows\system32\2573zs5y7949.ocx
c:\windows\system32\2575295rmz45.dll
c:\windows\system32\258519acktooz6f.ocx
c:\windows\system32\25942hacktz5l359.ocx
c:\windows\system32\25987spz358.cpl
c:\windows\system32\25a4s9arsez671.exe
c:\windows\system32\25adthreatz9438.cpl
c:\windows\system32\25e8st5al1697z.ocx
c:\windows\system32\25fethreat24092z.ocx
c:\windows\system32\25z8addw5re2091.exe
c:\windows\system32\25zdvir18579.ocx
c:\windows\system32\26195hacztool7ae.cpl
c:\windows\system32\26195noz-a-virus5e4.cpl
c:\windows\system32\26352trojz9b.bin
c:\windows\system32\264cz5eal26509.exe
c:\windows\system32\265349izus3f8.exe
c:\windows\system32\26595not-azviru97c.exe
c:\windows\system32\267fzhi9f9985.bin
c:\windows\system32\27104v9ruz15b5.cpl
c:\windows\system32\27899tr9z15d.exe
c:\windows\system32\27929h95ktoolz4a.ocx
c:\windows\system32\27999troj5z59.bin
c:\windows\system32\279ezp5rse2789.bin
c:\windows\system32\27a19pa5ze1510.ocx
c:\windows\system32\27e39own5oadzr91.ocx
c:\windows\system32\27z8sp5r9e1510.bin
c:\windows\system32\280725zrm5569.exe
c:\windows\system32\281znot-a-viru9325.bin
c:\windows\system32\2880hackt95z60c.exe
c:\windows\system32\29165spa5boz1df9.exe
c:\windows\system32\292629pzmbot6d5.cpl
c:\windows\system32\29385i9uz1ba.bin
c:\windows\system32\2940thzeat25969.exe
c:\windows\system32\2942859rusc6z.cpl
c:\windows\system32\294eaddzare5307.dll
c:\windows\system32\29583zacktool59b.cpl
c:\windows\system32\295905rojz97.exe
c:\windows\system32\29668viru935cz.dll
c:\windows\system32\29722zro56d4.bin
c:\windows\system32\297775roj3zf.exe
c:\windows\system32\29805sp547z.dll
c:\windows\system32\29846sz552b.dll
c:\windows\system32\29868woz95495.cpl
c:\windows\system32\2986addw9re21z5.ocx
c:\windows\system32\29902spa9b5t577z.exe
c:\windows\system32\29911hacztool9f5.ocx
c:\windows\system32\29940s5y7z9.cpl
c:\windows\system32\29966not-5-virzs66a.ocx
c:\windows\system32\2996z5ac9tool302.dll
c:\windows\system32\29e3addware11z5.bin
c:\windows\system32\29z58vi5us1d29.ocx
c:\windows\system32\2a43downloadzr395.exe
c:\windows\system32\2a75st9alz846.dll
c:\windows\system32\2c0ft9reat3z561.bin
c:\windows\system32\2ccdzownl5ader9669.cpl
c:\windows\system32\2e95back5oor1z98.dll
c:\windows\system32\2e95vzr1595.dll
c:\windows\system32\2f25thi9f1545z.bin
c:\windows\system32\2f7zaddw5r92277.exe
c:\windows\system32\2z072tro5229.bin
c:\windows\system32\2z0e95dware1.exe
c:\windows\system32\2z289hacktoo955b.bin
c:\windows\system32\2z452t5oj295.bin
c:\windows\system32\2z679hack5ool759.ocx
c:\windows\system32\2z989vir5s93.ocx
c:\windows\system32\2zspar591597.ocx
c:\windows\system32\3052vi9155z.bin
c:\windows\system32\30639not9z-5irus37d.exe
c:\windows\system32\30z25troj579.exe
c:\windows\system32\31145parsez913.bin
c:\windows\system32\3115zw9rm75b.cpl
c:\windows\system32\31829t5o9zb1.dll
c:\windows\system32\31z55not-a9virus601.ocx
c:\windows\system32\31z8wo9m525.cpl
c:\windows\system32\32030t9oz551.bin
c:\windows\system32\32069wo9518z.cpl
c:\windows\system32\3232tzief20995.dll
c:\windows\system32\32391spamb9t5z5.ocx
c:\windows\system32\32495spy24z.bin
c:\windows\system32\32556h59kzool210.bin
c:\windows\system32\32561troz2569.exe
c:\windows\system32\32636tro9zc5.ocx
c:\windows\system32\32915hacktzo527a.dll
c:\windows\system32\3294zacktoo5295.dll
c:\windows\system32\32abvir9z56.ocx
c:\windows\system32\32eedownloa9er571z.bin
c:\windows\system32\3309not-a5vizus9e5.ocx
c:\windows\system32\3339threa91105z.dll
c:\windows\system32\3359t9ie51060z.bin
c:\windows\system32\34125zckdoor9309.bin
c:\windows\system32\341zadd5are519.exe
c:\windows\system32\3499vi530z8.exe
c:\windows\system32\34b9vir36z5.cpl
c:\windows\system32\34z09iru53bc.cpl
c:\windows\system32\34z4spa95otc5.bin
c:\windows\system32\353zthie91816.bin
c:\windows\system32\355athr5a918z06.cpl
c:\windows\system32\3576not-a5viru91z4.dll
c:\windows\system32\357bsp9wa5e2z38.dll
c:\windows\system32\35eethief95z3.exe
c:\windows\system32\3665z9oj7b4.cpl
c:\windows\system32\3718thr5atz9009.dll
c:\windows\system32\3719addwzre525.ocx
c:\windows\system32\37615pa9zot635.ocx
c:\windows\system32\3795not-a-5irus74z.dll
c:\windows\system32\37f9ba5kdooz150.ocx
c:\windows\system32\38d15zars92315.dll
c:\windows\system32\38f9downlo5dez2443.cpl
c:\windows\system32\39156zroj529.bin
c:\windows\system32\3955vir504z.bin
c:\windows\system32\396zspywar582.ocx
c:\windows\system32\39dc5tealz3999.exe
c:\windows\system32\39ebacz5oor1257.bin
c:\windows\system32\3a80zteal9596.ocx
c:\windows\system32\3aa2ba59door1z13.ocx
c:\windows\system32\3affbackd9o5z915.ocx
c:\windows\system32\3b2th9ea518506z.dll


Re: I've been infected with Winbluesoft

Post by pbrown223 on Mon Jun 01, 2009 12:11 pm



Re: I've been infected with Winbluesoft

Post by pbrown223 on Mon Jun 01, 2009 12:12 pm



Re: I've been infected with Winbluesoft

Post by pbrown223 on Mon Jun 01, 2009 12:12 pm

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.

2009-06-01 14:50 . 2009-06-01 14:50 20797 ----a-w- C:\MGlogs.zip
2009-06-01 14:50 . 2009-06-01 14:50 -------- d-----w- C:\MGtools
2009-05-29 16:04 . 2009-05-29 16:04 -------- d-----w- C:\emergency
2009-05-29 01:08 . 2009-05-29 01:08 102400 ----a-w- c:\windows\system32\blocker.dll
2009-05-26 01:09 . 2009-05-26 01:09 152576 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-23 19:48 . 2009-05-23 19:48 -------- d-----w- c:\program files\videofixer
2009-05-22 18:55 . 2009-05-22 18:56 -------- d-----w- c:\program files\Direct MP3 Joiner
2009-05-20 22:07 . 2009-05-20 22:08 -------- d-----w- c:\program files\FormatFactory
2009-05-20 18:44 . 2008-03-21 18:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-05-20 18:43 . 2009-05-20 18:49 -------- d-----w- c:\program files\Zune
2009-05-20 18:41 . 2008-05-02 09:05 62592 -c----w- c:\windows\system32\dllcache\cdrom.sys
2009-05-20 18:41 . 2008-05-02 13:30 464384 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2009-05-20 18:41 . 2008-05-02 13:30 464384 ------w- c:\windows\system32\imapi2fs.dll
2009-05-20 18:41 . 2008-05-02 13:30 317952 -c----w- c:\windows\system32\dllcache\imapi2.dll
2009-05-20 18:41 . 2008-05-02 13:30 317952 ------w- c:\windows\system32\imapi2.dll
2009-05-20 05:23 . 2009-05-20 05:23 -------- d-----w- c:\documents and settings\Pete\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
2009-05-20 04:53 . 2009-05-20 04:51 38208 ----a-w- c:\documents and settings\Pete\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-05-20 04:53 . 2009-05-20 04:53 -------- d-----w- c:\program files\TweetDeck
2009-05-20 04:52 . 2009-05-20 04:52 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-19 02:04 . 2009-05-19 02:04 -------- d-----w- c:\documents and settings\Pete\Application Data\Smith Micro
2009-05-19 00:45 . 2009-05-19 00:45 -------- d-----w- c:\program files\Smith Micro
2009-05-18 16:30 . 2009-05-24 03:22 -------- d-----w- c:\program files\IrfanView
2009-05-11 17:27 . 2009-05-11 17:27 -------- d-----w- c:\documents and settings\Pete\Application Data\Corel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 15:40 . 2008-09-06 16:49 1730 ----a-w- c:\windows\system32\tablet.dat
2009-06-01 15:40 . 2008-11-16 20:05 5276534 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-05-28 20:50 . 2008-09-06 07:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-28 20:42 . 2008-09-06 14:08 2669876 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-05-28 20:42 . 2008-09-06 14:08 229066784 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-05-27 13:46 . 2008-09-07 05:13 -------- d-----w- c:\documents and settings\Pete\Application Data\CoreFTP
2009-05-26 01:10 . 2008-09-07 05:07 -------- d-----w- c:\program files\Java
2009-05-24 19:01 . 2008-09-06 15:36 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-05-21 14:21 . 2008-09-06 23:51 -------- d-----w- c:\program files\PeerGuardian2
2009-05-21 14:19 . 2008-09-08 01:18 -------- d-----w- c:\documents and settings\Pete\Application Data\Azureus
2009-05-20 19:13 . 2009-05-20 19:13 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-05-20 19:13 . 2009-05-20 19:13 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-05-20 19:10 . 2009-05-20 19:10 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-05-20 18:44 . 2009-05-20 18:44 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-05-20 18:44 . 2009-05-20 18:44 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-05-20 06:40 . 2008-09-06 23:52 -------- d-----w- c:\program files\Vuze
2009-05-19 13:48 . 2008-09-06 07:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-19 13:48 . 2008-09-06 07:34 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-19 13:48 . 2008-09-06 07:34 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-19 13:48 . 2008-09-06 07:34 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-18 14:49 . 2008-09-06 22:51 -------- d-----w- c:\program files\AutoCAD R14
2009-05-13 21:50 . 2008-09-07 18:02 -------- d-----w- c:\program files\Trillian
2009-05-12 02:06 . 2008-09-07 03:50 -------- d-----w- c:\documents and settings\Pete\Application Data\Skype
2009-05-10 05:05 . 2008-10-12 04:29 -------- d-----w- c:\documents and settings\Pete\Application Data\skypePM
2009-05-08 22:29 . 2009-05-08 23:13 1840640 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-05-08 22:29 . 2009-05-08 23:13 535040 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-05-07 00:16 . 2008-09-10 22:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-04-26 16:04 . 2009-04-26 16:05 2988544 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-04-15 20:02 . 2009-04-15 20:02 -------- d-----w- c:\documents and settings\Pete\Application Data\dvdcss
2009-03-27 19:10 . 2009-03-27 19:10 285 ----a-w- c:\windows\EReg072.dat
2009-03-27 19:09 . 2009-03-27 19:09 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-03-27 19:09 . 2009-03-27 19:09 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-03-24 21:02 . 2009-03-24 21:02 119536 ---ha-w- c:\windows\system32\mlfcache.dat
2009-03-20 01:00 . 2009-03-20 01:00 503808 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-728ab9d8-n\msvcp71.dll
2009-03-20 01:00 . 2009-03-20 01:00 499712 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-728ab9d8-n\jmc.dll
2009-03-20 01:00 . 2009-03-20 01:00 348160 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-728ab9d8-n\msvcr71.dll
2009-03-20 00:57 . 2009-03-20 00:57 152576 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-09 10:19 . 2008-11-26 21:40 410984 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-09-06 16384]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Steam"="c:\program files\Valve\Steam\Steam.exe" [2009-05-19 1217784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-19 1947928]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-04 106496]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2008-04-09 826880]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\documents and settings\Pete\Start Menu\Programs\Startup\
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\cinetray.exe [2002-9-18 98304]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-9-6 169472]
Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2008-9-6 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-19 13:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/6/2008 2:34 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/6/2008 2:34 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/6/2008 2:34 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/28/2009 9:44 AM 298776]
R3 XIRLINK;Veo Web Camera;c:\windows\system32\drivers\ucdnt.sys [9/6/2008 12:25 PM 728067]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)
HKLM-Run-WinBlueSoft - (no file)
SafeBoot-procexp90.Sys


Re: I've been infected with Winbluesoft

Post by pbrown223 on Mon Jun 01, 2009 12:13 pm

.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Pete\Application Data\Mozilla\Firefox\Profiles\px9cglmh.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-01 10:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-861567501-879983540-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8BE4A1C4-3425-2B84-D08B-B989A9974AEB}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oakgajdjoedpbiaekpfliafllffflh"=hex:64,61,6a,65,68,68,6b,65,00,70
"oaofieeahmbpgidpjkbepgiolkkpji"=hex:6a,61,6b,65,6b,67,62,61,62,61,66,69,6e,6b,
68,63,6d,67,65,63,00,17
"naefkklllgbfigikbbheiflbmenl"=hex:6a,61,6b,65,6b,67,62,61,62,61,66,69,6e,6b,
68,63,6d,67,65,63,00,17
.
Completion time: 2009-06-01 11:01
ComboFix-quarantined-files.txt 2009-06-01 16:01

Pre-Run: 19,673,493,504 bytes free
Post-Run: 22,957,588,480 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

1636


Re: I've been infected with Winbluesoft

Post by Belahzur on Mon Jun 01, 2009 12:32 pm

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\system32\blocker.dll
c:\windows\Internet Logs\xDB3.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\Internet Logs\xDB1.tmp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-

RegNull::
[HKEY_USERS\S-1-5-21-861567501-879983540-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8BE4A1C4-3425-2B84-D08B-B989A9974AEB}*]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.


Please PM me if I fail to respond within 24hrs.
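As an added example (not part of this thread, and not ComboFix's own code), the script below parses the REGEDIT4-style "Reg Loading Points" section of the log posted above, flags the three values the rogue set to hide itself (the same three the CFScript above deletes), and emits the matching Registry:: section in the `"Name"=-` delete syntax. The sample lines are copied from the posted log; the rule list and function names are my own.

```python
import re

# Constructed sample: a few lines taken from the "Reg Loading Points"
# section of the ComboFix log posted in the thread (not the full log).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# The values the rogue flipped and the helper's CFScript removes.  Each rule:
# (case-insensitive suffix of the key path, value name, tampered value, effect).
# Rule list is this example's own; it only covers what the posted log shows.
TAMPER_RULES = [
    (r"\software\microsoft\windows\currentversion\policies\system",
     "NoDispBackgroundPage", 1,
     "hides the Desktop tab of Display Properties, so the fake warning wallpaper stays"),
    (r"\software\microsoft\security center", "AntiVirusDisableNotify", 1,
     "suppresses the Security Center warning that antivirus is off"),
    (r"\software\microsoft\security center", "UpdatesDisableNotify", 1,
     "suppresses the Security Center warning that automatic updates are off"),
]


def parse_value(raw):
    """Decode the two integer encodings ComboFix prints, 'dword:00000001' and
    ' 1 (0x1)'.  String values such as a Run entry's path return None."""
    raw = raw.strip()
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    if m:
        return int(m.group(1))
    return None


def parse_reg_dump(text):
    """Parse REGEDIT4-style text into {key_path: {value_name: decoded_value}},
    keeping the order in which the keys appear in the log."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = parse_value(m.group(2))
    return keys


def find_tampering(keys):
    """Return [(key_path, value_name, value, effect)] for every rule that fires."""
    findings = []
    for key_path, values in keys.items():
        for suffix, name, bad, effect in TAMPER_RULES:
            if key_path.lower().endswith(suffix.lower()) and values.get(name) == bad:
                findings.append((key_path, name, bad, effect))
    return findings


def cfscript_registry_section(findings):
    """Build the Registry:: block of a CFScript that deletes each flagged value;
    '"Name"=-' is the REGEDIT4 delete-value syntax used in the thread."""
    lines = ["Registry::"]
    last_key = None
    for key_path, name, _value, _effect in findings:
        if key_path != last_key:
            lines.append("[%s]" % key_path)
            last_key = key_path
        lines.append('"%s"=-' % name)
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_tampering(parse_reg_dump(SAMPLE_LOG))
    for key_path, name, value, effect in hits:
        print("%s\\%s = %d: %s" % (key_path, name, value, effect))
    print()
    print(cfscript_registry_section(hits))
```

Run against the sample, the emitted Registry:: block is line-for-line the one the helper posted, which is the check a reader can make before dropping a CFScript onto ComboFix.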



Re: I've been infected with Winbluesoft

Post by pbrown223 on Mon Jun 01, 2009 12:54 pm

Here's the new combofix log:

ComboFix 09-05-31.06 - Pete 06/01/2009 11:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.525 [GMT -5:00]
Running from: c:\documents and settings\Pete\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Pete\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point

FILE ::
"c:\windows\Internet Logs\xDB1.tmp"
"c:\windows\Internet Logs\xDB2.tmp"
"c:\windows\Internet Logs\xDB3.tmp"
"c:\windows\system32\blocker.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Internet Logs\xDB1.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\Internet Logs\xDB3.tmp
c:\windows\system32\blocker.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.

2009-06-01 14:50 . 2009-06-01 14:50 20797 ----a-w- C:\MGlogs.zip
2009-06-01 14:50 . 2009-06-01 14:50 -------- d-----w- C:\MGtools
2009-05-29 16:04 . 2009-05-29 16:04 -------- d-----w- C:\emergency
2009-05-26 01:09 . 2009-05-26 01:09 152576 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-23 19:48 . 2009-05-23 19:48 -------- d-----w- c:\program files\videofixer
2009-05-22 18:55 . 2009-05-22 18:56 -------- d-----w- c:\program files\Direct MP3 Joiner
2009-05-20 22:07 . 2009-05-20 22:08 -------- d-----w- c:\program files\FormatFactory
2009-05-20 18:44 . 2008-03-21 18:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-05-20 18:43 . 2009-05-20 18:49 -------- d-----w- c:\program files\Zune
2009-05-20 18:41 . 2008-05-02 09:05 62592 -c----w- c:\windows\system32\dllcache\cdrom.sys
2009-05-20 18:41 . 2008-05-02 13:30 464384 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2009-05-20 18:41 . 2008-05-02 13:30 464384 ------w- c:\windows\system32\imapi2fs.dll
2009-05-20 18:41 . 2008-05-02 13:30 317952 -c----w- c:\windows\system32\dllcache\imapi2.dll
2009-05-20 18:41 . 2008-05-02 13:30 317952 ------w- c:\windows\system32\imapi2.dll
2009-05-20 05:23 . 2009-05-20 05:23 -------- d-----w- c:\documents and settings\Pete\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
2009-05-20 04:53 . 2009-05-20 04:51 38208 ----a-w- c:\documents and settings\Pete\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-05-20 04:53 . 2009-05-20 04:53 -------- d-----w- c:\program files\TweetDeck
2009-05-20 04:52 . 2009-05-20 04:52 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-19 02:04 . 2009-05-19 02:04 -------- d-----w- c:\documents and settings\Pete\Application Data\Smith Micro
2009-05-19 00:45 . 2009-05-19 00:45 -------- d-----w- c:\program files\Smith Micro
2009-05-18 16:30 . 2009-05-24 03:22 -------- d-----w- c:\program files\IrfanView
2009-05-11 17:27 . 2009-05-11 17:27 -------- d-----w- c:\documents and settings\Pete\Application Data\Corel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 16:44 . 2008-09-06 16:49 1730 ----a-w- c:\windows\system32\tablet.dat
2009-06-01 16:43 . 2008-11-16 20:05 5943311 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-06-01 16:42 . 2008-09-06 14:08 2672060 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-01 16:42 . 2008-09-06 14:08 229066784 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-05-28 20:50 . 2008-09-06 07:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-27 13:46 . 2008-09-07 05:13 -------- d-----w- c:\documents and settings\Pete\Application Data\CoreFTP
2009-05-26 01:10 . 2008-09-07 05:07 -------- d-----w- c:\program files\Java
2009-05-24 19:01 . 2008-09-06 15:36 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-05-21 14:21 . 2008-09-06 23:51 -------- d-----w- c:\program files\PeerGuardian2
2009-05-21 14:19 . 2008-09-08 01:18 -------- d-----w- c:\documents and settings\Pete\Application Data\Azureus
2009-05-20 19:13 . 2009-05-20 19:13 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-05-20 19:13 . 2009-05-20 19:13 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-05-20 19:10 . 2009-05-20 19:10 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-05-20 18:44 . 2009-05-20 18:44 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-05-20 18:44 . 2009-05-20 18:44 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-05-19 13:48 . 2008-09-06 07:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-19 13:48 . 2008-09-06 07:34 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-19 13:48 . 2008-09-06 07:34 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-19 13:48 . 2008-09-06 07:34 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-18 14:49 . 2008-09-06 22:51 -------- d-----w- c:\program files\AutoCAD R14
2009-05-13 21:50 . 2008-09-07 18:02 -------- d-----w- c:\program files\Trillian
2009-05-12 02:06 . 2008-09-07 03:50 -------- d-----w- c:\documents and settings\Pete\Application Data\Skype
2009-05-10 05:05 . 2008-10-12 04:29 -------- d-----w- c:\documents and settings\Pete\Application Data\skypePM
2009-05-07 00:16 . 2008-09-10 22:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-04-15 20:02 . 2009-04-15 20:02 -------- d-----w- c:\documents and settings\Pete\Application Data\dvdcss
2009-03-27 19:10 . 2009-03-27 19:10 285 ----a-w- c:\windows\EReg072.dat
2009-03-27 19:09 . 2009-03-27 19:09 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-03-27 19:09 . 2009-03-27 19:09 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-03-24 21:02 . 2009-03-24 21:02 119536 ---ha-w- c:\windows\system32\mlfcache.dat
2009-03-20 01:00 . 2009-03-20 01:00 503808 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-728ab9d8-n\msvcp71.dll
2009-03-20 01:00 . 2009-03-20 01:00 499712 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-728ab9d8-n\jmc.dll
2009-03-20 01:00 . 2009-03-20 01:00 348160 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-728ab9d8-n\msvcr71.dll
2009-03-20 00:57 . 2009-03-20 00:57 152576 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-09 10:19 . 2008-11-26 21:40 410984 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-01 16:44 . 2009-06-01 16:44 40960 c:\windows\Temp\rtdrvmon.exe
+ 2009-06-01 16:43 . 2009-06-01 16:43 16384 c:\windows\Temp\Perflib_Perfdata_150.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-09-06 16384]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Steam"="c:\program files\Valve\Steam\Steam.exe" [2009-05-19 1217784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-19 1947928]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-04 106496]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2008-04-09 826880]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]
"WinBlueSoft"="" [BU]

c:\documents and settings\Pete\Start Menu\Programs\Startup\
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\cinetray.exe [2002-9-18 98304]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-9-6 169472]
Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2008-9-6 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-19 13:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/6/2008 2:34 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/6/2008 2:34 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/6/2008 2:34 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/28/2009 9:44 AM 298776]
R3 XIRLINK;Veo Web Camera;c:\windows\system32\drivers\ucdnt.sys [9/6/2008 12:25 PM 728067]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-setup2.exe - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Pete\Application Data\Mozilla\Firefox\Profiles\px9cglmh.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-01 11:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1624)
c:\docume~1\Pete\LOCALS~1\Temp\IadHide4.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\windows\system32\tabhook.dll
c:\program files\Logitech\iTouch\iTchHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\PSIService.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\windows\system32\rundll32.exe
c:\program files\Lexmark 3100 Series\lxbrbmon.exe
c:\program files\Lexmark 3100 Series\lxbrcmon.exe
.
**************************************************************************
.
Completion time: 2009-06-01 11:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-01 16:51
ComboFix2.txt 2009-06-01 16:01

Pre-Run: 23,246,204,928 bytes free
Post-Run: 23,252,992,000 bytes free

206


Re: I've been infected with Winbluesoft

Post by Belahzur on Mon Jun 01, 2009 12:59 pm

Hello.
Please disable TeaTimer again.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinBlueSoft"=-

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


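As an added example (not code from this thread, from ComboFix or from GeekPolice), the following script parses a constructed ComboFix-style log excerpt and flags the indicators the two fixes above target: a Run value with no command (marked [BU], like the WinBlueSoft entry), the Security Center and policy values removed by the CFScript, and orphaned Run entries. The sample text is constructed from the posted log and CFScript; the finding tags and function name are my own.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted above; the security
# center / policy values are taken from the CFScript, not from the posted log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-19 1947928]
"WinBlueSoft"="" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=dword:00000001

HKCU-Run-setup2.exe - (no file)
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
ORPHAN_RE = re.compile(r'^HK\w+-Run-(?P<name>\S+) - \(no file\)')

# Values the thread's CFScript removed: (key fragment, value name) -> finding tag.
TAMPER_VALUES = {
    ('security center', 'antivirusdisablenotify'): 'av-notify-disabled',
    ('security center', 'updatesdisablenotify'): 'update-notify-disabled',
    ('policies\\system', 'nodispbackgroundpage'): 'desktop-policy-locked',
}


def audit_combofix_log(text):
    """Return (tag, value_name, registry_key) tuples for suspicious entries."""
    findings = []
    key = ''
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group('key').lower()
            continue
        m = ORPHAN_RE.match(line)
        if m:  # autostart value whose target file no longer exists
            findings.append(('orphan-run', m.group('name'), 'run'))
            continue
        m = VAL_RE.match(line)
        if not m:
            continue
        name, data = m.group('name'), m.group('data').strip()
        # A Run value with no command (ComboFix marks it [BU]) is a leftover loader.
        if key.endswith('\\run') and (data.startswith('""') or '[bu]' in data.lower()):
            findings.append(('empty-run-entry', name, key))
        for (frag, vname), tag in TAMPER_VALUES.items():
            if frag in key and name.lower() == vname and data.endswith('1'):
                findings.append((tag, name, key))
    return findings


if __name__ == '__main__':
    for tag, name, where in audit_combofix_log(SAMPLE_LOG):
        print(f'{tag:24} {name:24} {where}')
```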

Re: I've been infected with Winbluesoft

Post by pbrown223 on Mon Jun 01, 2009 1:10 pm

The computer is running a lot better now. The 'WARNING System Infected' desktop background is gone and I'm not getting any more interference or popups from Winbluesoft. Everything seems to be back to normal except that the Winbluesoft icon is still on my desktop and Winbluesoft is still listed in the Add/Remove Programs file list.

Other than that, everything seems great!


Re: I've been infected with Winbluesoft

Post by Belahzur on Mon Jun 01, 2009 1:15 pm

Just remove them manually.
Drag/drop the desktop icon to the bin, and uninstall it from the add/remove programs too.



Re: I've been infected with Winbluesoft

Post by pbrown223 on Mon Jun 01, 2009 1:28 pm

Ok, I did that and they're gone now. Everything's working perfectly now.

One last question, can I just delete the tools I've downloaded from my desktop or do I need to uninstall them via command prompt like with ComboFix?

I'd also like to thank you for the all the help, time and patience while helping me with this. I really, really appreciate it. I wouldn't have been able to fix my computer without GeekPolice. I'll be putting a permanent link on my website to GeekPolice and I'll be telling everyone I know to come here for their computer troubles.

Thank You!


Re: I've been infected with Winbluesoft

Post by Belahzur on Mon Jun 01, 2009 1:52 pm

Delete everything we used.
Combofix has a special removal method because some of the files Combofix uses are detected as "Hacktool" or "Riskware", which is a false positive.

