I've been infected with Winbluesoft


Re: I've been infected with Winbluesoft

Post by pbrown223 on Mon Jun 01, 2009 4:12 pm



Post by pbrown223 on Mon Jun 01, 2009 4:12 pm

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.

2009-06-01 14:50 . 2009-06-01 14:50 20797 ----a-w- C:\MGlogs.zip
2009-06-01 14:50 . 2009-06-01 14:50 -------- d-----w- C:\MGtools
2009-05-29 16:04 . 2009-05-29 16:04 -------- d-----w- C:\emergency
2009-05-29 01:08 . 2009-05-29 01:08 102400 ----a-w- c:\windows\system32\blocker.dll
2009-05-26 01:09 . 2009-05-26 01:09 152576 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-23 19:48 . 2009-05-23 19:48 -------- d-----w- c:\program files\videofixer
2009-05-22 18:55 . 2009-05-22 18:56 -------- d-----w- c:\program files\Direct MP3 Joiner
2009-05-20 22:07 . 2009-05-20 22:08 -------- d-----w- c:\program files\FormatFactory
2009-05-20 18:44 . 2008-03-21 18:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-05-20 18:43 . 2009-05-20 18:49 -------- d-----w- c:\program files\Zune
2009-05-20 18:41 . 2008-05-02 09:05 62592 -c----w- c:\windows\system32\dllcache\cdrom.sys
2009-05-20 18:41 . 2008-05-02 13:30 464384 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2009-05-20 18:41 . 2008-05-02 13:30 464384 ------w- c:\windows\system32\imapi2fs.dll
2009-05-20 18:41 . 2008-05-02 13:30 317952 -c----w- c:\windows\system32\dllcache\imapi2.dll
2009-05-20 18:41 . 2008-05-02 13:30 317952 ------w- c:\windows\system32\imapi2.dll
2009-05-20 05:23 . 2009-05-20 05:23 -------- d-----w- c:\documents and settings\Pete\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
2009-05-20 04:53 . 2009-05-20 04:51 38208 ----a-w- c:\documents and settings\Pete\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-05-20 04:53 . 2009-05-20 04:53 -------- d-----w- c:\program files\TweetDeck
2009-05-20 04:52 . 2009-05-20 04:52 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-19 02:04 . 2009-05-19 02:04 -------- d-----w- c:\documents and settings\Pete\Application Data\Smith Micro
2009-05-19 00:45 . 2009-05-19 00:45 -------- d-----w- c:\program files\Smith Micro
2009-05-18 16:30 . 2009-05-24 03:22 -------- d-----w- c:\program files\IrfanView
2009-05-11 17:27 . 2009-05-11 17:27 -------- d-----w- c:\documents and settings\Pete\Application Data\Corel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 15:40 . 2008-09-06 16:49 1730 ----a-w- c:\windows\system32\tablet.dat
2009-06-01 15:40 . 2008-11-16 20:05 5276534 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-05-28 20:50 . 2008-09-06 07:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-28 20:42 . 2008-09-06 14:08 2669876 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-05-28 20:42 . 2008-09-06 14:08 229066784 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-05-27 13:46 . 2008-09-07 05:13 -------- d-----w- c:\documents and settings\Pete\Application Data\CoreFTP
2009-05-26 01:10 . 2008-09-07 05:07 -------- d-----w- c:\program files\Java
2009-05-24 19:01 . 2008-09-06 15:36 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-05-21 14:21 . 2008-09-06 23:51 -------- d-----w- c:\program files\PeerGuardian2
2009-05-21 14:19 . 2008-09-08 01:18 -------- d-----w- c:\documents and settings\Pete\Application Data\Azureus
2009-05-20 19:13 . 2009-05-20 19:13 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-05-20 19:13 . 2009-05-20 19:13 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-05-20 19:10 . 2009-05-20 19:10 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-05-20 18:44 . 2009-05-20 18:44 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-05-20 18:44 . 2009-05-20 18:44 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-05-20 06:40 . 2008-09-06 23:52 -------- d-----w- c:\program files\Vuze
2009-05-19 13:48 . 2008-09-06 07:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-19 13:48 . 2008-09-06 07:34 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-19 13:48 . 2008-09-06 07:34 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-19 13:48 . 2008-09-06 07:34 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-18 14:49 . 2008-09-06 22:51 -------- d-----w- c:\program files\AutoCAD R14
2009-05-13 21:50 . 2008-09-07 18:02 -------- d-----w- c:\program files\Trillian
2009-05-12 02:06 . 2008-09-07 03:50 -------- d-----w- c:\documents and settings\Pete\Application Data\Skype
2009-05-10 05:05 . 2008-10-12 04:29 -------- d-----w- c:\documents and settings\Pete\Application Data\skypePM
2009-05-08 22:29 . 2009-05-08 23:13 1840640 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-05-08 22:29 . 2009-05-08 23:13 535040 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-05-07 00:16 . 2008-09-10 22:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-04-26 16:04 . 2009-04-26 16:05 2988544 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-04-15 20:02 . 2009-04-15 20:02 -------- d-----w- c:\documents and settings\Pete\Application Data\dvdcss
2009-03-27 19:10 . 2009-03-27 19:10 285 ----a-w- c:\windows\EReg072.dat
2009-03-27 19:09 . 2009-03-27 19:09 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-03-27 19:09 . 2009-03-27 19:09 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-03-24 21:02 . 2009-03-24 21:02 119536 ---ha-w- c:\windows\system32\mlfcache.dat
2009-03-20 01:00 . 2009-03-20 01:00 503808 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-728ab9d8-n\msvcp71.dll
2009-03-20 01:00 . 2009-03-20 01:00 499712 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-728ab9d8-n\jmc.dll
2009-03-20 01:00 . 2009-03-20 01:00 348160 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-728ab9d8-n\msvcr71.dll
2009-03-20 00:57 . 2009-03-20 00:57 152576 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-09 10:19 . 2008-11-26 21:40 410984 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-09-06 16384]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Steam"="c:\program files\Valve\Steam\Steam.exe" [2009-05-19 1217784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-19 1947928]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-04 106496]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2008-04-09 826880]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\documents and settings\Pete\Start Menu\Programs\Startup\
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\cinetray.exe [2002-9-18 98304]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-9-6 169472]
Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2008-9-6 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-19 13:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/6/2008 2:34 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/6/2008 2:34 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/6/2008 2:34 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/28/2009 9:44 AM 298776]
R3 XIRLINK;Veo Web Camera;c:\windows\system32\drivers\ucdnt.sys [9/6/2008 12:25 PM 728067]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)
HKLM-Run-WinBlueSoft - (no file)
SafeBoot-procexp90.Sys


Post by pbrown223 on Mon Jun 01, 2009 4:13 pm

.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Pete\Application Data\Mozilla\Firefox\Profiles\px9cglmh.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-01 10:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-861567501-879983540-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8BE4A1C4-3425-2B84-D08B-B989A9974AEB}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oakgajdjoedpbiaekpfliafllffflh"=hex:64,61,6a,65,68,68,6b,65,00,70
"oaofieeahmbpgidpjkbepgiolkkpji"=hex:6a,61,6b,65,6b,67,62,61,62,61,66,69,6e,6b,
68,63,6d,67,65,63,00,17
"naefkklllgbfigikbbheiflbmenl"=hex:6a,61,6b,65,6b,67,62,61,62,61,66,69,6e,6b,
68,63,6d,67,65,63,00,17
.
Completion time: 2009-06-01 11:01
ComboFix-quarantined-files.txt 2009-06-01 16:01

Pre-Run: 19,673,493,504 bytes free
Post-Run: 22,957,588,480 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

1636


Post by Belahzur on Mon Jun 01, 2009 4:32 pm

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\system32\blocker.dll
c:\windows\Internet Logs\xDB3.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\Internet Logs\xDB1.tmp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-

RegNull::
[HKEY_USERS\S-1-5-21-861567501-879983540-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8BE4A1C4-3425-2B84-D08B-B989A9974AEB}*]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


Please PM me if I fail to respond within 24hrs.



Post by pbrown223 on Mon Jun 01, 2009 4:54 pm

Here's the new combofix log:

ComboFix 09-05-31.06 - Pete 06/01/2009 11:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.525 [GMT -5:00]
Running from: c:\documents and settings\Pete\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Pete\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point

FILE ::
"c:\windows\Internet Logs\xDB1.tmp"
"c:\windows\Internet Logs\xDB2.tmp"
"c:\windows\Internet Logs\xDB3.tmp"
"c:\windows\system32\blocker.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Internet Logs\xDB1.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\Internet Logs\xDB3.tmp
c:\windows\system32\blocker.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.

2009-06-01 14:50 . 2009-06-01 14:50 20797 ----a-w- C:\MGlogs.zip
2009-06-01 14:50 . 2009-06-01 14:50 -------- d-----w- C:\MGtools
2009-05-29 16:04 . 2009-05-29 16:04 -------- d-----w- C:\emergency
2009-05-26 01:09 . 2009-05-26 01:09 152576 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-23 19:48 . 2009-05-23 19:48 -------- d-----w- c:\program files\videofixer
2009-05-22 18:55 . 2009-05-22 18:56 -------- d-----w- c:\program files\Direct MP3 Joiner
2009-05-20 22:07 . 2009-05-20 22:08 -------- d-----w- c:\program files\FormatFactory
2009-05-20 18:44 . 2008-03-21 18:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-05-20 18:43 . 2009-05-20 18:49 -------- d-----w- c:\program files\Zune
2009-05-20 18:41 . 2008-05-02 09:05 62592 -c----w- c:\windows\system32\dllcache\cdrom.sys
2009-05-20 18:41 . 2008-05-02 13:30 464384 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2009-05-20 18:41 . 2008-05-02 13:30 464384 ------w- c:\windows\system32\imapi2fs.dll
2009-05-20 18:41 . 2008-05-02 13:30 317952 -c----w- c:\windows\system32\dllcache\imapi2.dll
2009-05-20 18:41 . 2008-05-02 13:30 317952 ------w- c:\windows\system32\imapi2.dll
2009-05-20 05:23 . 2009-05-20 05:23 -------- d-----w- c:\documents and settings\Pete\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
2009-05-20 04:53 . 2009-05-20 04:51 38208 ----a-w- c:\documents and settings\Pete\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-05-20 04:53 . 2009-05-20 04:53 -------- d-----w- c:\program files\TweetDeck
2009-05-20 04:52 . 2009-05-20 04:52 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-19 02:04 . 2009-05-19 02:04 -------- d-----w- c:\documents and settings\Pete\Application Data\Smith Micro
2009-05-19 00:45 . 2009-05-19 00:45 -------- d-----w- c:\program files\Smith Micro
2009-05-18 16:30 . 2009-05-24 03:22 -------- d-----w- c:\program files\IrfanView
2009-05-11 17:27 . 2009-05-11 17:27 -------- d-----w- c:\documents and settings\Pete\Application Data\Corel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 16:44 . 2008-09-06 16:49 1730 ----a-w- c:\windows\system32\tablet.dat
2009-06-01 16:43 . 2008-11-16 20:05 5943311 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-06-01 16:42 . 2008-09-06 14:08 2672060 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-01 16:42 . 2008-09-06 14:08 229066784 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-05-28 20:50 . 2008-09-06 07:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-27 13:46 . 2008-09-07 05:13 -------- d-----w- c:\documents and settings\Pete\Application Data\CoreFTP
2009-05-26 01:10 . 2008-09-07 05:07 -------- d-----w- c:\program files\Java
2009-05-24 19:01 . 2008-09-06 15:36 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-05-21 14:21 . 2008-09-06 23:51 -------- d-----w- c:\program files\PeerGuardian2
2009-05-21 14:19 . 2008-09-08 01:18 -------- d-----w- c:\documents and settings\Pete\Application Data\Azureus
2009-05-20 19:13 . 2009-05-20 19:13 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-05-20 19:13 . 2009-05-20 19:13 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-05-20 19:10 . 2009-05-20 19:10 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-05-20 18:44 . 2009-05-20 18:44 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-05-20 18:44 . 2009-05-20 18:44 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-05-19 13:48 . 2008-09-06 07:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-19 13:48 . 2008-09-06 07:34 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-19 13:48 . 2008-09-06 07:34 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-19 13:48 . 2008-09-06 07:34 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-18 14:49 . 2008-09-06 22:51 -------- d-----w- c:\program files\AutoCAD R14
2009-05-13 21:50 . 2008-09-07 18:02 -------- d-----w- c:\program files\Trillian
2009-05-12 02:06 . 2008-09-07 03:50 -------- d-----w- c:\documents and settings\Pete\Application Data\Skype
2009-05-10 05:05 . 2008-10-12 04:29 -------- d-----w- c:\documents and settings\Pete\Application Data\skypePM
2009-05-07 00:16 . 2008-09-10 22:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-04-15 20:02 . 2009-04-15 20:02 -------- d-----w- c:\documents and settings\Pete\Application Data\dvdcss
2009-03-27 19:10 . 2009-03-27 19:10 285 ----a-w- c:\windows\EReg072.dat
2009-03-27 19:09 . 2009-03-27 19:09 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-03-27 19:09 . 2009-03-27 19:09 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-03-24 21:02 . 2009-03-24 21:02 119536 ---ha-w- c:\windows\system32\mlfcache.dat
2009-03-20 01:00 . 2009-03-20 01:00 503808 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-728ab9d8-n\msvcp71.dll
2009-03-20 01:00 . 2009-03-20 01:00 499712 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-728ab9d8-n\jmc.dll
2009-03-20 01:00 . 2009-03-20 01:00 348160 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-728ab9d8-n\msvcr71.dll
2009-03-20 00:57 . 2009-03-20 00:57 152576 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-09 10:19 . 2008-11-26 21:40 410984 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-01 16:44 . 2009-06-01 16:44 40960 c:\windows\Temp\rtdrvmon.exe
+ 2009-06-01 16:43 . 2009-06-01 16:43 16384 c:\windows\Temp\Perflib_Perfdata_150.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-09-06 16384]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Steam"="c:\program files\Valve\Steam\Steam.exe" [2009-05-19 1217784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-19 1947928]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-04 106496]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2008-04-09 826880]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]
"WinBlueSoft"="" [BU]

c:\documents and settings\Pete\Start Menu\Programs\Startup\
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\cinetray.exe [2002-9-18 98304]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-9-6 169472]
Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2008-9-6 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-19 13:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/6/2008 2:34 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/6/2008 2:34 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/6/2008 2:34 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/28/2009 9:44 AM 298776]
R3 XIRLINK;Veo Web Camera;c:\windows\system32\drivers\ucdnt.sys [9/6/2008 12:25 PM 728067]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-setup2.exe - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Pete\Application Data\Mozilla\Firefox\Profiles\px9cglmh.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-01 11:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1624)
c:\docume~1\Pete\LOCALS~1\Temp\IadHide4.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\windows\system32\tabhook.dll
c:\program files\Logitech\iTouch\iTchHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\PSIService.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\windows\system32\rundll32.exe
c:\program files\Lexmark 3100 Series\lxbrbmon.exe
c:\program files\Lexmark 3100 Series\lxbrcmon.exe
.
**************************************************************************
.
Completion time: 2009-06-01 11:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-01 16:51
ComboFix2.txt 2009-06-01 16:01

Pre-Run: 23,246,204,928 bytes free
Post-Run: 23,252,992,000 bytes free

206

pbrown223
Novice

Posts : 22
Joined : 2009-05-29
Gender : Male
OS : Windows XP SP2
Points : 27484
# Likes : 0

Re: I've been infected with Winbluesoft

Post by Belahzur on Mon Jun 01, 2009 4:59 pm

Hello.
Please disable TeaTimer again.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinBlueSoft"=-

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245049
# Likes : 1

Re: I've been infected with Winbluesoft

Post by pbrown223 on Mon Jun 01, 2009 5:10 pm

The computer is running a lot better now. The 'WARNING System Infected' desktop background is gone and I'm not getting any more interference or popups from Winbluesoft. Everything seems to be back to normal except that the Winbluesoft icon is still on my desktop and Winbluesoft is still listed in the Add/Remove Programs file list.

Other than that, everything seems great!


Re: I've been infected with Winbluesoft

Post by Belahzur on Mon Jun 01, 2009 5:15 pm

Just remove them manually.
Drag/drop the desktop icon to the bin, and uninstall it from the add/remove programs too.



Re: I've been infected with Winbluesoft

Post by pbrown223 on Mon Jun 01, 2009 5:28 pm

Ok, I did that and they're gone now. Everything's working perfectly now.

One last question, can I just delete the tools I've downloaded from my desktop or do I need to uninstall them via command prompt like with ComboFix?

I'd also like to thank you for all the help, time and patience while helping me with this. I really, really appreciate it. I wouldn't have been able to fix my computer without GeekPolice. I'll be putting a permanent link on my website to GeekPolice and I'll be telling everyone I know to come here for their computer troubles.

Thank You!


Re: I've been infected with Winbluesoft

Post by Belahzur on Mon Jun 01, 2009 5:52 pm

Delete everything we used.
Combofix has a special removal method because some of the files Combofix uses are detected as "Hacktool" or "Riskware"; that is a false positive.


