Winbluesoft is crazy


Post by rohit341 on 29th May 2009, 2:24 pm

Hi all,
As I can see, there are a lot of posts in the forum for Winbluesoft Virus/Malware. Unfortunately my PC is also infected by it. It is a crazy Virus which does not allow any application to work even in Safe Mode. I have tried installing all major Malware removal software like Malwarebytes, SmitFraudfix, Avenger, HiJackthis, Combo-fix but nothing works.

I am able to copy them to the Desktop but I am not able to install any of them. The Virus does not allow me to do anything. And the funniest part is it does not give much time to work as well: once you are logged in, in Normal or Safe Mode, after some time the mouse pointer automatically starts running towards the Windows Start button and logs off the User, and if you try again and again to log in it simply terminates the Window application.

It is the most crazy Virus I have ever seen, Please somebody help!!
What Software to install?? What to do??

Rohit

rohit341
Novice

Posts: 11
Joined: 2009-05-29
OS: Windows XP Professional SP3
Points: 27507
Likes: 0

Re: Winbluesoft is crazy

Post by Belahzur on 29th May 2009, 5:40 pm

Hello.
Can you try renaming the Hijack This installer?


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245079
Likes: 1

Re: Winbluesoft is crazy

Post by rohit341 on 30th May 2009, 4:55 am

Hi Belahzur, Thanks for replying....
As suggested by you, I tried renaming the Hijackthis to HJT and then copied it to the root directory c:\ .....but as was expected it did not work. I did it all while in Safe Mode of Windows.
Actually, the Winbluesoft Virus is not allowing any application to work in Windows. I am able to open only My Computer and Control Panel Utilities...
I tried opening REGEDIT also to remove the Winbluesoft entries manually but then it also does not open.

I am clueless what to do....?? Please help.


Re: Winbluesoft is crazy

Post by Belahzur on 30th May 2009, 12:30 pm

Hello.
We're gonna try this manually.

Delete these three files in bold:
C:\Windows\system32\setup2.exe
C:\Windows\ieocx.dll
C:\Documents and settings\USERNAME\winav.exe <== might be called sysav.exe too



Re: Winbluesoft is crazy

Post by rohit341 on 31st May 2009, 3:54 am

I started my PC in Safe Mode and was able to delete the Setup2.exe file from the Windows/System 32 folder but I did not find the other two files.

After this I restarted my PC in Normal mode and found that no more Warning messages are popping up but still I was not able to run any of the Malware removal exe files.

Now I am a bit hopeful..... Please Help!!


Re: Winbluesoft is crazy

Post by Belahzur on 31st May 2009, 12:38 pm

Hello.
Boot back into safe mode, and try running Hijack This in safe mode.



Re: Winbluesoft is crazy

Post by rohit341 on 31st May 2009, 6:48 pm

I tried running HijackThis in Safe Mode but nothing happens. I even tried all the Malware removal software listed in all other posts as well..... GMER, Smitfraudfix, Combofix...etc. but nothing works...
DDS.scr is not recognized on my machine and double clicking on it opens the dialog box for 'Open With'.
I think we have only removed the exe file for Warnings and all the remaining things still exist....WinBluesoft is terminating all the applications...even any simple Windows application does not work.

Please suggest what to do!! I think we need to remove some more files manually or any other way as per your experience.....


Re: Winbluesoft is crazy

Post by Belahzur on 31st May 2009, 7:21 pm

Let's try this.


  • Now open a new notepad file.
  • Input this into the notepad file:

    [Version]
    Signature=$CHICAGO$

    [DefaultInstall]
    AddReg=Del.Settings

    [Del.Settings]
    HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,setup2.exe,0x00000000
    HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setup2.exe
    HKLM,software\microsoft\windows\currentVersion\Run,WinBlueSoft,0x00000000
    HKU,DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run,setup2.exe,0x00000000
    HKLM.software\microsoft\windows nt\currentversion\windows,AppInit_DLLs,0x00000000

  • Save this as fixreg.inf, save it to your desktop.
  • Right click fixreg.inf and select install.



Re: Winbluesoft is crazy

Post by rohit341 on 1st June 2009, 5:22 am

As suggested I created the .inf file and installed it on my PC in Safe Mode. It seems that it got installed but there is no difference as such in the behaviour of the PC. After installing it I again rebooted the system and again tried to run Hijackthis and other similar software but again nothing worked......
No clues what to do next...Please help!!


Re: Winbluesoft is crazy

Post by Belahzur on 1st June 2009, 2:13 pm

Hello.
Please download MGTools from here:
[You must be registered and logged in to see this link.]

See if that will run on your system while infected.



Re: Winbluesoft is crazy

Post by rohit341 on 1st June 2009, 5:59 pm

No it does not work.....same old story. Downloaded MG Tools saved it on C: Drive in Safe Mode..but nothing happens when tried to run it.....

Please help!!


Re: Winbluesoft is crazy

Post by Belahzur on 1st June 2009, 6:18 pm

Let's try this.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.



Re: Winbluesoft is crazy

Post by rohit341 on 1st June 2009, 6:28 pm

I have already tried it many times in Safe Mode...but it does not work.


Re: Winbluesoft is crazy

Post by Belahzur on 1st June 2009, 7:21 pm

Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]

  • Double-click the launch.exe or cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds...
    o Now, go to Settings >> Change Settings
    o Go to Actions tab >> under Objects section, change the settings to below
    Infected objects - Cure
    Incurable objects - Report
    Suspicious objects - Report
    o Don't change any other settings
  • Start the scan again. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan finished, click Select all
  • Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Post DrWeb.csv in your next reply (Open it as Notepad).. Do NOT reboot the computer yet..



Re: Winbluesoft is crazy

Post by rohit341 on 2nd June 2009, 2:49 am

Hi I used the following code in Fixreg.inf and now I am able to run .exe files

[Version]
Signature=$CHICAGO$

[DefaultInstall]
AddReg=Del.Settings

[Del.Settings]
HKLM,software\microsoft\windows nt\currentversion\windows,AppInit_DLLs,0x00000000

But the problem is the Winbluesoft virus does not give enough time to do anything. It logs off the user within a few minutes and everything stops. The Web Cureit anti virus was running but due to the log off everything got spoiled. I think we need to cure this automatic log off thing first before moving ahead...

Please help....Now I am more hopeful of getting my PC back in normal condition.

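The first fixreg.inf in this thread made no difference, while the one-line version posted afterwards did; their AppInit_DLLs lines differ only in the character after HKLM. As an added example (not code from either poster), here is a small Python lint for AddReg lines, run over the first file as posted. The function names and the three checks are this example's own choices, and the comma split ignores quoted fields.

```python
import re
VALID_ROOTS = {"HKCR", "HKCU", "HKLM", "HKU", "HKR"}  # AddReg root-key abbreviations

# First fixreg.inf from this thread, copied as posted (sample input for the lint).
FIRST_INF = r"""[Version]
Signature=$CHICAGO$
[DefaultInstall]
AddReg=Del.Settings
[Del.Settings]
HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,setup2.exe,0x00000000
HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setup2.exe
HKLM,software\microsoft\windows\currentVersion\Run,WinBlueSoft,0x00000000
HKU,DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run,setup2.exe,0x00000000
HKLM.software\microsoft\windows nt\currentversion\windows,AppInit_DLLs,0x00000000
"""

def parse_sections(inf_text):
    """Map lower-cased section names to their non-empty, non-comment lines."""
    sections, current = {}, None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts an INF comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def lint_addreg(inf_text, install_section="DefaultInstall"):
    """Return (line, problem) pairs for AddReg lines that miss their target."""
    sections, findings = parse_sections(inf_text), []
    for entry in sections.get(install_section.lower(), []):
        directive, _, names = entry.partition("=")
        if directive.strip().lower() != "addreg":
            continue
        for name in names.split(","):
            for line in sections.get(name.strip().lower(), []):
                fields = [f.strip() for f in line.split(",")]  # naive: no quoted commas
                root = fields[0].upper()
                if root not in VALID_ROOTS:
                    findings.append((line, "first field is not a registry root"))
                elif len(fields) < 3 or not fields[2]:
                    findings.append((line, "no value name, only the key is addressed"))
                elif root == "HKU" and not fields[1].upper().startswith((".DEFAULT", "S-1-")):
                    findings.append((line, "HKU subkey is neither .DEFAULT nor a SID"))
    return findings

if __name__ == "__main__":
    print(*lint_addreg(FIRST_INF), sep="\n")
```

Run on the first file it reports three lines, the AppInit_DLLs entry among them; the single-line version posted later passes without findings.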

Re: Winbluesoft is crazy

Post by Belahzur on 2nd June 2009, 8:51 am

Hello.
Good work, does it still log you off in safe mode?



Re: Winbluesoft is crazy

Post by rohit341 on 2nd June 2009, 9:03 am

After running Malwarebytes and removing those three infected files, the PC has started behaving normally. After all this I again restarted the PC in Normal Mode and again started Malware bytes, updated it by connecting to the internet and then did the full scan, and it again reported five infected files which I also deleted. I also cleaned up the temporary files and did a Registry Clean using "CCleaner". Now the PC is working perfectly OK.

Is there any other thing which needs to be done or am I done with my Virus Removal?

Thanks a Lot!!


Re: Winbluesoft is crazy

Post by Belahzur on 2nd June 2009, 9:15 am


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Re: Winbluesoft is crazy

Post by rohit341 on 2nd June 2009, 11:19 am

Actually the .scr file is not identified by my system and if I click it to run, it opens the "Open With" dialog box. Can you suggest how I can run it on my PC?
I have installed a software DWG True View for viewing Autocad files and .scr files are recognized to be associated with it.

Please help!!


Re: Winbluesoft is crazy

Post by Belahzur on 2nd June 2009, 4:05 pm

Okay, try running the pif files.
Or rename it to .exe if you want to run it as an exe.


